diff --git a/src/ssl.c b/src/ssl.c
index f8d5b31fd..5a5383765 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -16843,10 +16843,16 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509)
             }
 
             sigSz = (int)x509->sig.length;
-            sig = (unsigned char*)XMALLOC(sigSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-            if (sig == NULL || sigSz <= 0) {
+            if (sigSz <= 0) {
+                /* if sigSz invalid return here to avoid overhead of malloc */
                 return WOLFSSL_FAILURE;
             }
+
+            sig = (unsigned char*)XMALLOC(sigSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+            if (sig == NULL) {
+                return WOLFSSL_FAILURE;
+            }
+
             if (wolfSSL_X509_get_signature(x509, sig, &sigSz) <= 0) {
                 XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
                 return WOLFSSL_FAILURE;