diff --git a/src/internal.c b/src/internal.c
index e4701b8bf..d41c0aba0 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10537,7 +10537,9 @@ int SendCertificate(WOLFSSL* ssl)
 
             sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
                                   handshake, 1, 0);
-            XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+            if (inputSz > 0)
+                XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
 
             if (sendSz < 0)
                 return sendSz;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index d5b99a0b0..14df5f7ea 100755
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -1963,6 +1963,14 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
             return ASN_PARSE_E;
         }
 
+        if (length > MAX_IV_SIZE) {
+#ifdef WOLFSSL_SMALL_STACK
+            XFREE(salt,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+            return ASN_PARSE_E;
+        }
+
         XMEMCPY(cbcIv, &input[inOutIdx], length);
         inOutIdx += length;
     }