diff --git a/interfaces/innerkits/code_sign_utils/include/stat_utils.h b/interfaces/innerkits/code_sign_utils/include/stat_utils.h
index 361a51b5d3b471f99e39186af0c541f6fb42ac82..263fad93f4711c941ec178d2d14e3ec38e3cbab7 100644
--- a/interfaces/innerkits/code_sign_utils/include/stat_utils.h
+++ b/interfaces/innerkits/code_sign_utils/include/stat_utils.h
@@ -17,9 +17,9 @@
 #define CODE_SIGN_STAT_UTILS_H
 
 #include <string>
+#include <unistd.h>
 #include <asm/unistd.h>
 #include <linux/stat.h>
-#include <unistd.h>
 
 namespace OHOS {
 namespace Security {
diff --git a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp
index f92ab2a4b477481e5e7422357c70115ccb07e4b7..8fa22ec887eb42ef52ae005fbe6f37cf8467d4ff 100644
--- a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp
+++ b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp
@@ -83,8 +83,8 @@ int32_t CodeSignUtils::EnforceCodeSignForApp(const EntryMap &entryPath,
             CS_ERR_FILE_PATH, "App file is invalid.");
 
         const std::string &signatureEntry = entryName + Constants::FSV_SIG_SUFFIX;
-        NOT_SATISFIED_RETURN(
-            std::find(signatureFileList.begin(), signatureFileList.end(), signatureEntry) != signatureFileList.end(),
+        NOT_SATISFIED_RETURN(std::find(signatureFileList.begin(), signatureFileList.end(), signatureEntry) !=
+            signatureFileList.end(),
             CS_ERR_NO_SIGNATURE, "Fail to find signature for %{public}s", entryName.c_str());
 
         std::unique_ptr<uint8_t[]> signatureBuffer = nullptr;
diff --git a/test/unittest/code_sign_utils_test.cpp b/test/unittest/code_sign_utils_test.cpp
index 1e805c46909c089aa4ef7bbcf74daf3c9040c9b9..5acada57add6d919c5e4e4dff221ce6146ccecab 100644
--- a/test/unittest/code_sign_utils_test.cpp
+++ b/test/unittest/code_sign_utils_test.cpp
@@ -125,7 +125,7 @@ static bool ReadSignatureFromFile(const std::string &path, ByteBuffer &data)
         return false;
     }
     size_t ret = fread(data.GetBuffer(), 1, fileSize, file);
-    fclose(file);
+    (void)fclose(file);
     return ret == fileSize;
 }
 
diff --git a/test/unittest/multi_thread_local_sign_test.cpp b/test/unittest/multi_thread_local_sign_test.cpp
index 673087a291894ad8b4a345079422af7258e3c552..d00be680343e55514595425072cfa85f39a28a80 100644
--- a/test/unittest/multi_thread_local_sign_test.cpp
+++ b/test/unittest/multi_thread_local_sign_test.cpp
@@ -33,7 +33,6 @@ using namespace testing::mt;
 namespace OHOS {
 namespace Security {
 namespace CodeSign {
-
 static constexpr uint32_t MULTI_THREAD_NUM = 10;
 static constexpr int64_t BUFFER_SIZE = 1024;
 static const std::string AN_BASE_PATH = "/data/local/ark-cache/tmp/multi_thread/";
diff --git a/utils/src/signer_info.cpp b/utils/src/signer_info.cpp
index dc497b7e3d8bcf486ff2fa6f5a06497a7ec163ba..869d16f0c2d9b2c7637485488e4f33d12a4dcd44 100644
--- a/utils/src/signer_info.cpp
+++ b/utils/src/signer_info.cpp
@@ -24,6 +24,7 @@ namespace OHOS {
 namespace Security {
 namespace CodeSign {
 static constexpr int INVALID_SIGN_ALGORITHM_NID = -1;
+static constexpr int MAX_SIGNATURE_SIZE = 1024; // 1024: max signature length
 
 bool SignerInfo::InitSignerInfo(X509 *cert, const EVP_MD *md,
     const ByteBuffer &contentData, bool carrySigningTime)
@@ -139,7 +140,7 @@ bool SignerInfo::AddSignatureInSignerInfo(const ByteBuffer &signature)
     }
     uint32_t signatureSize = signature.GetSize();
     // tmp will be free when freeing p7info_
-    if (signatureSize == 0) {
+    if (signatureSize == 0 || signatureSize > MAX_SIGNATURE_SIZE) {
         return false;
     }
     uint8_t *tmp = static_cast<uint8_t *>(malloc(signatureSize));