diff --git a/src/ssl_asn1.c b/src/ssl_asn1.c
index 9e9ef2d094..b93d8d5b0b 100644
--- a/src/ssl_asn1.c
+++ b/src/ssl_asn1.c
@@ -247,6 +247,11 @@ static int wolfssl_i2d_asn1_item(void** item, int type, byte* buf)
             len = 0;
     }
 
+    if (len < 0) {
+        len = 0; /* wolfSSL_i2d_ASN1_INTEGER can return a value less than 0
+                  * on error */
+    }
+
     return len;
 }
 
diff --git a/tests/api.c b/tests/api.c
index e7083fa657..2e23ea1fb1 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -65656,7 +65656,7 @@ static int test_EccSigFailure_cm(void)
     size_t cert_sz = 0;
 
     ExpectIntEQ(load_file(server_cert, &cert_buf, &cert_sz), 0);
-    if (cert_buf != NULL) {
+    if (cert_buf != NULL && cert_sz > 0) {
         /* corrupt DER - invert last byte, which is signature */
         cert_buf[cert_sz-1] = ~cert_buf[cert_sz-1];
 
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
index 8add13fad0..42949fc432 100644
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@@ -3283,6 +3283,8 @@ int wolfSSL_EVP_PKEY_bits(const WOLFSSL_EVP_PKEY *pkey)
     if (pkey == NULL) return 0;
     WOLFSSL_ENTER("wolfSSL_EVP_PKEY_bits");
     if ((bytes = wolfSSL_EVP_PKEY_size((WOLFSSL_EVP_PKEY*)pkey)) ==0) return 0;
+    if (bytes < 0)
+        return 0;
     return bytes*8;
 }