diff --git a/src/ssl.c b/src/ssl.c
index a3559d681..46a382250 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4260,14 +4260,18 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
 
     WOLFSSL_MSG("Adding a CA");
 
-    if (cm == NULL)
+    if (cm == NULL) {
+        FreeDer(pDer);
         return BAD_FUNC_ARG;
+    }
 
 #ifdef WOLFSSL_SMALL_STACK
     cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
                                  DYNAMIC_TYPE_DCERT);
-    if (cert == NULL)
+    if (cert == NULL) {
+        FreeDer(pDer);
         return MEMORY_E;
+    }
 #endif
 
     InitDecodedCert(cert, der->buffer, der->length, cm->heap);
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index b14dda89f..6eda8490b 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -4630,11 +4630,13 @@ int wc_ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen,
             break;
     }
 
+#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
     /* if async pending then return and skip done cleanup below */
     if (err == WC_PENDING_E) {
         key->state++;
         return err;
     }
+#endif
 
     /* cleanup */
 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c
index 956b0df40..2d2c1e274 100644
--- a/wolfcrypt/src/tfm.c
+++ b/wolfcrypt/src/tfm.c
@@ -425,7 +425,8 @@ void fp_mul_d(fp_int *a, fp_digit b, fp_int *c)
    }
 
    /* zero any excess digits on the destination that we didn't write to */
-   for (; x < oldused; x++) {
+   /* also checking FP_SIZE here for static analysis */
+   for (; x < oldused && x < FP_SIZE; x++) {
       c->dp[x] = 0;
    }
    fp_clamp(c);