diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index 276029f47..e5c23f15d 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -3276,9 +3276,7 @@ static void DecodeCertExtensions(DecodedCert* cert)
     byte* input = cert->extensions;
     int length;
     word32 oid;
-    byte critical;
-
-    (void)critical;
+    byte critical = 0;
 
     CYASSL_ENTER("DecodeCertExtensions");
 
@@ -3391,7 +3389,6 @@ static void DecodeCertExtensions(DecodedCert* cert)
         }
         idx += length;
     }
-    (void)critical;
 
     CYASSL_LEAVE("DecodeCertExtensions", 0);
     return;
diff --git a/src/internal.c b/src/internal.c
index 29e2724e0..1adabdd4a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -7856,8 +7856,8 @@ static void PickHashSigAlgo(CYASSL* ssl,
         /* rsa */
         if (sigAlgo == rsa_sa_algo)
         {
-            int   ret;
-            byte* out;
+            int   ret       = 0;
+            byte* out       = NULL;
             byte  doUserRsa = 0;
 
             #ifdef HAVE_PK_CALLBACKS
@@ -7919,12 +7919,13 @@ static void PickHashSigAlgo(CYASSL* ssl,
 
                 encSigSz = EncodeSignature(encodedSig, digest, digestSz, typeH);
 
-                if (encSigSz != (word32)ret || XMEMCMP(out, encodedSig,
+                if (encSigSz != (word32)ret || !out || XMEMCMP(out, encodedSig,
                                         min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0)
                     return VERIFY_SIGN_ERROR;
             }
             else { 
-                if (ret != sizeof(hash) || XMEMCMP(out, hash,sizeof(hash)) != 0)
+                if (ret != sizeof(hash) || !out || XMEMCMP(out,
+                                                       hash, sizeof(hash)) != 0)
                     return VERIFY_SIGN_ERROR;
             }
         } else