diff --git a/src/internal.c b/src/internal.c
index 5acf7bf8c..c597f9154 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -8555,6 +8555,10 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
     x509->pkCurveOID = dCert->pkCurveOID;
 #endif /* HAVE_ECC */
 
+    if (ret != 0) {
+        wolfSSL_X509_free(x509);
+    }
+
     return ret;
 }
 
@@ -9366,6 +9370,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             if (args->dCert == NULL) {
                 ERROR_OUT(MEMORY_E, exit_ppc);
             }
+            XMEMSET(args->dCert, 0, sizeof(DecodedCert));
         #endif
 
             /* Advance state and proceed */
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index ce6092914..9b907711a 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -11120,12 +11120,14 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz,
             }
 
             /* decrypt encryptedContent */
-            ret = wc_PKCS7_DecryptContent(encOID, pkcs7->encryptionKey,
+            if (ret == 0) {
+                ret = wc_PKCS7_DecryptContent(encOID, pkcs7->encryptionKey,
                                   pkcs7->encryptionKeySz, tmpIv, expBlockSz,
                                   NULL, 0, NULL, 0, encryptedContent,
                                   encryptedContentSz, encryptedContent);
-            if (ret != 0) {
-                XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                if (ret != 0) {
+                    XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                }
             }
 
             if (ret == 0) {