diff --git a/library/std/src/io/mod.rs b/library/std/src/io/mod.rs
index 8fca66fa17c..d84b0766f36 100644
--- a/library/std/src/io/mod.rs
+++ b/library/std/src/io/mod.rs
@@ -578,8 +578,13 @@ where
     F: FnOnce(&mut [u8]) -> Result<usize>,
 {
     let n = read(cursor.ensure_init().init_mut())?;
+    assert!(
+        n <= cursor.capacity(),
+        "read should not return more bytes than there is capacity for in the read buffer"
+    );
     unsafe {
-        // SAFETY: we initialised using `ensure_init` so there is no uninit data to advance to.
+        // SAFETY: we initialised using `ensure_init` so there is no uninit data to advance to
+        // and we have checked that the read amount is not over capacity (see #120603)
         cursor.advance(n);
     }
     Ok(())
diff --git a/library/std/src/io/tests.rs b/library/std/src/io/tests.rs
index bda5b721adc..c0179f7f227 100644
--- a/library/std/src/io/tests.rs
+++ b/library/std/src/io/tests.rs
@@ -652,3 +652,19 @@ fn bench_take_read_buf(b: &mut test::Bencher) {
         [255; 128].take(64).read_buf(buf.unfilled()).unwrap();
     });
 }
+
+// Issue #120603
+#[test]
+#[should_panic = "read should not return more bytes than there is capacity for in the read buffer"]
+fn read_buf_broken_read() {
+    struct MalformedRead;
+
+    impl Read for MalformedRead {
+        fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+            // broken length calculation
+            Ok(buf.len() + 1)
+        }
+    }
+
+    BufReader::new(MalformedRead).read(&mut [0; 4]).unwrap();
+}