diff --git a/src/internal.c b/src/internal.c
index b07df2b2e..677f7b05b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -5120,14 +5120,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 XMEMCPY(ssl->sessionCtx, ctx->sessionCtx, ctx->sessionCtxSz); ssl->cbioFlag = ctx->cbioFlag; - if ((ssl->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), - ssl->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { - WOLFSSL_MSG("ssl->param memory error"); - return MEMORY_E; - } - XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); - #endif InitCiphers(ssl);
@@ -5154,6 +5146,16 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN); #endif +#ifdef OPENSSL_EXTRA + if ((ssl->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + ssl->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { + WOLFSSL_MSG("ssl->param memory error"); + return MEMORY_E; + } + XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); +#endif + #ifdef SINGLE_THREADED if (ctx->suites == NULL) #endif
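Review bot: The re-added `ssl->param` allocation in the second InitSSL hunk still performs the assignment inside the `if` condition, while this same commit rewrites the identical pattern in DoVerifyCallback into a plain assignment followed by `if (store->param == NULL)`; using that form here as well would keep the two WOLFSSL_X509_VERIFY_PARAM allocations consistent and easier to audit. The block also has no comment; something like `/* per-connection verify parameters (flags, check_time, hostName), zero-initialised */` would tell the reader what a zeroed structure means for later certificate checks. InitSSL begins and continues outside the hunk, so whether allocations made earlier in the function are released when this path returns `MEMORY_E` cannot be confirmed from here.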
@@ -9128,24 +9130,26 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
 } #if defined(OPENSSL_EXTRA) - if ((store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), - ssl->heap, DYNAMIC_TYPE_OPENSSL)) != NULL) { - XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + ssl->heap, DYNAMIC_TYPE_OPENSSL); + if (store->param == NULL) { + return MEMORY_E; + } + XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + /* Overwrite with non-default param values in SSL */ + if (ssl->param) { + if (ssl->param->check_time) + store->param->check_time = ssl->param->check_time; - /* Overwrite with non-default param values in SSL */ - if (ssl->param) { - if (ssl->param->check_time) - store->param->check_time = ssl->param->check_time; + if (ssl->param->flags) + store->param->flags = ssl->param->flags; - if (ssl->param->flags) - store->param->flags = ssl->param->flags; + if (ssl->param->hostName[0]) + XMEMCPY(store->param->hostName, ssl->param->hostName, + WOLFSSL_HOST_NAME_MAX); - if (ssl->param->hostName[0]) - XMEMCPY(store->param->hostName, ssl->param->hostName, - WOLFSSL_HOST_NAME_MAX); - } - } + } #endif /* defined(OPENSSL_EXTRA) */ #endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)*/ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
diff --git a/src/ssl.c b/src/ssl.c
index 33bc2166c..d956e2ebb 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -36420,7 +36420,7 @@ void wolfSSL_PKCS7_free(PKCS7* pkcs7)
 }
 void wolfSSL_PKCS7_SIGNED_free(PKCS7_SIGNED* p7)
 {
- wolfSSL_PKCS7_free((PKCS7*)p7);
+ wolfSSL_PKCS7_free(p7);
 return;
 }
 PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len)
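Review bot: The new `return MEMORY_E;` exits DoVerifyCallback from the middle of the function, so any cleanup performed at its normal exit is skipped when the `store->param` allocation fails. The function starts and ends outside this hunk, so please confirm nothing acquired earlier (for instance `store` itself, if it is heap-allocated in some build configurations) is left unreleased on this path. Failing closed is the right direction, since the old code went on without copying the connection's `flags`, `check_time` and `hostName` into the store whenever the allocation failed. If the function has a shared exit, setting `ret = MEMORY_E;` and reaching it would be safer than returning directly.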
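Review bot: Dropping the `(PKCS7*)` cast in wolfSSL_PKCS7_SIGNED_free is only safe if `PKCS7_SIGNED` and `PKCS7` name the same type, and their declarations are not visible in this hunk. If they are distinct structs, `wolfSSL_PKCS7_free(p7);` becomes an implicit conversion between incompatible pointer types, which compilers diagnose and stricter build settings reject. A short comment such as `/* PKCS7_SIGNED is an alias of PKCS7 */` would record the assumption, and the trailing `return;` in a void function can be removed.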
@@ -36588,6 +36588,9 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7)
 if (bio == NULL || p7 == NULL) return WOLFSSL_FAILURE; + XMEMSET(outputHead, 0, outputHeadSz); + XMEMSET(outputFoot, 0, outputFootSz); + hashType = wc_OidGetHash(p7->hashOID); hashSz = wc_HashGetDigestSize(hashType); if (hashSz > WC_MAX_DIGEST_SIZE)
@@ -36602,8 +36605,9 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7)
 return WOLFSSL_FAILURE; }; - wc_PKCS7_EncodeSignedData_ex(p7, hashBuf, hashSz, - outputHead, &outputHeadSz, outputFoot, &outputFootSz); + if ((wc_PKCS7_EncodeSignedData_ex(p7, hashBuf, hashSz, + outputHead, &outputHeadSz, outputFoot, &outputFootSz)) != 0) + return WOLFSSL_FAILURE; outputSz = outputHeadSz + p7->contentSz + outputFootSz; output = (byte*)XMALLOC(outputSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/tests/api.c b/tests/api.c
index 1a43302ed..7cc0d1471 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -23695,10 +23695,10 @@ static void test_wolfSSL_PKCS7_SIGNED_new(void)
 static void test_wolfSSL_PEM_write_bio_PKCS7(void) { #if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) - PKCS7* pkcs7; - BIO* bio; + PKCS7* pkcs7 = NULL; + BIO* bio = NULL; const byte* cert_buf = NULL; - int ret; + int ret = 0; WC_RNG rng; const byte data[] = { /* Hello World */ 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
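Review bot: The two added `XMEMSET` calls take their length from `outputHeadSz` and `outputFootSz`, so they clear the right number of bytes only if those variables already hold the capacity of `outputHead` and `outputFoot` at this point; the declarations are outside the hunk. If the buffers are arrays, `XMEMSET(outputHead, 0, sizeof(outputHead));` and the same for `outputFoot` would not depend on that initialisation. A one-line comment such as `/* start from zeroed head/foot buffers before encoding */` would also say why the clear was added.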
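Review bot: `outputSz = outputHeadSz + p7->contentSz + outputFootSz;` still feeds `XMALLOC` without a range check, so the newly checked return of wc_PKCS7_EncodeSignedData_ex does not protect against a sum that wraps. The variable types are not visible in this hunk, so this matters only if `p7->contentSz` can approach the limit of `outputSz`'s type. A guard ahead of the sum would close it, e.g. `if (p7->contentSz > OUTPUT_SZ_MAX - outputHeadSz - outputFootSz) return WOLFSSL_FAILURE;`, where `OUTPUT_SZ_MAX` is a placeholder for that type's maximum. The function body continues outside the hunk.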