diff --git a/src/ssl.c b/src/ssl.c
index 9a6fe2bf4..abd77cb15 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1004,16 +1004,23 @@ int GetEchConfigsEx(WOLFSSL_EchConfig* configs, byte* output, word32* outputLen)
     WOLFSSL_EchConfig* workingConfig = NULL;
     byte* outputStart = output;
     word32 totalLen = 2;
-    word32 workingOutputLen;
+    word32 workingOutputLen = 0;
 
-    if (configs == NULL || outputLen == NULL || *outputLen < totalLen)
+    if (configs == NULL || outputLen == NULL ||
+            (output != NULL && *outputLen < totalLen)) {
         return BAD_FUNC_ARG;
+    }
 
-    workingOutputLen = *outputLen - totalLen;
 
     /* skip over total length which we fill in later */
-    if (output != NULL)
+    if (output != NULL) {
+        workingOutputLen = *outputLen - totalLen;
         output += 2;
+    }
+    else {
+        /* caller getting the size only, set current 2 byte length size */
+        *outputLen = totalLen;
+    }
 
     workingConfig = configs;
 
diff --git a/src/x509.c b/src/x509.c
index 62e3774f4..eda280e73 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -6554,8 +6554,7 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent)
         return WOLFSSL_FAILURE;
     }
 
-    buf = (char*)XMALLOC(MAX_WIDTH-4-indent, x509->heap,
-                         DYNAMIC_TYPE_TMP_BUFFER);
+    buf = (char*)XMALLOC(MAX_WIDTH, x509->heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (buf == NULL) {
         return WOLFSSL_FAILURE;
     }