diff --git a/tests/api.c b/tests/api.c
index 47a8843bb..b3571bc54 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -5046,13 +5046,9 @@ static void test_wolfSSL_PKCS8(void)
     AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
                 WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
 #else
-#ifdef OPENSSL_EXTRA
-    AssertIntGT((bytes = wc_KeyPemToDer(buffer, bytes, der,
-        (word32)sizeof(der), NULL)), 0);
-#else
+    /* if HAVE_ECC is not defined then BEGIN EC PRIVATE KEY is not found */
     AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der,
         (word32)sizeof(der), NULL)), ASN_NO_PEM_HEADER);
-#endif
 #endif /* HAVE_ECC */
 
     wolfSSL_CTX_free(ctx);
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 58a726fe3..142cdf440 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -10434,8 +10434,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
     #endif
 #endif
 #ifdef OPENSSL_EXTRA
-    char        beginBuf[PEM_LINE_LEN];
-    char        endBuf[PEM_LINE_LEN];
+    char        beginBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */
+    char        endBuf[PEM_LINE_LEN + 1];   /* add 1 for null terminator */
 #endif
 
     WOLFSSL_ENTER("PemToDer");
@@ -10506,7 +10506,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
                             XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0) {
                 headerEnd--;
             }
-            if (XSTRNCMP(headerEnd, BEGIN_PRIV_KEY_PREFIX,
+            if (headerEnd <= (char*)buff ||
+                    XSTRNCMP(headerEnd, BEGIN_PRIV_KEY_PREFIX,
                     XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 ||
                     beginEnd - headerEnd > PEM_LINE_LEN) {
                 WOLFSSL_MSG("Couldn't find PEM header");