diff --git a/src/internal.c b/src/internal.c
index 3a71bcbf1..af4b2cebd 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -6597,7 +6597,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
 ret = MEMORY_E;
 }
- if (dCert->signature != NULL && dCert->sigLength != 0) {
+ if (dCert->signature != NULL && dCert->sigLength != 0 &&
+ dCert->sigLength <= MAX_ENCODED_SIG_SZ) {
 x509->sig.buffer = (byte*)XMALLOC(
 dCert->sigLength, x509->heap, DYNAMIC_TYPE_SIGNATURE);
 if (x509->sig.buffer == NULL) {
@@ -7158,8 +7159,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
 #endif
 }
- else if (ret == ASN_PARSE_E) {
- WOLFSSL_MSG("Got Peer cert ASN PARSE ERROR, fatal");
+ else if (ret == ASN_PARSE_E || ret == BUFFER_E) {
+ WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR");
 fatal = 1;
 }
 else {
@@ -7257,8 +7258,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif /* HAVE_OCSP || HAVE_CRL */
 #ifdef KEEP_PEER_CERT
- {
- /* set X509 format for peer cert even if fatal */
+ if (fatal == 0) {
+ /* set X509 format for peer cert */
 int copyRet = CopyDecodedToX509(&ssl->peerCert, args->dCert);
 if (copyRet == MEMORY_E)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 70dc76bb2..ad8431444 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -986,6 +986,17 @@ static int CheckBitString(const byte* input, word32* inOutIdx, int* len,
 if (GetLength(input, &idx, &length, maxIdx) < 0)
 return ASN_PARSE_E;
+ /* extra sanity check that length is greater than 0 */
+ if (length <= 0) {
+ WOLFSSL_MSG("Error length was 0 in CheckBitString");
+ return BUFFER_E;
+ }
+
+ if (idx + 1 > maxIdx) {
+ WOLFSSL_MSG("Attempted buffer read larger than input buffer");
+ return BUFFER_E;
+ }
+
 b = input[idx];
 if (zeroBits && b != 0x00)
 return ASN_EXPECT_0_E;
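Review bot: When dCert->sigLength exceeds MAX_ENCODED_SIG_SZ the widened condition silently skips the copy, so the X509 comes back with no signature and no diagnostic, and a caller cannot tell "oversized signature rejected" from "no signature present"; as far as this hunk shows, ret is not touched on that path. An explicit branch would make the rejection observable, e.g. `else if (dCert->sigLength > MAX_ENCODED_SIG_SZ) { WOLFSSL_MSG("Signature length exceeds MAX_ENCODED_SIG_SZ, not copied"); }`, or setting ret to an error if callers should treat such a certificate as malformed. CopyDecodedToX509 starts and ends outside this hunk, so whether an earlier check already rejects this case cannot be confirmed here.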
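Review bot: The rewritten log text drops the word "fatal" although the branch still sets `fatal = 1` on the next line, so the trace no longer says that the handshake is being aborted for this error; `WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR, fatal");` keeps the message consistent with the behaviour. Separately, CheckBitString in wolfcrypt/src/asn.c can return ASN_EXPECT_0_E (visible in that hunk's context), which the new condition does not match; whether the trailing `else` branch treats it as fatal is outside this hunk.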
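Review bot: The replacement comment `/* set X509 format for peer cert */` says less than the one it replaces and does not record why the copy is now gated on `fatal == 0`; since CopyDecodedToX509 (earlier hunk in this file) allocates x509->sig.buffer from dCert->sigLength, the reason belongs in the code, e.g. `/* only copy to X509 when decode was not fatal: CopyDecodedToX509 trusts the lengths in dCert */`. One side effect worth confirming: on the fatal path ssl->peerCert is now left as it was rather than overwritten, so any earlier contents persist; if that matters for a renegotiated handshake it is not addressed here. The enclosing DoCertificate body continues outside the hunk.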
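Review bot: The bound `idx + 1 > maxIdx` relies on the sum not wrapping; idx is presumably word32 (it is stored back through the word32* inOutIdx in the next hunk) and maxIdx's type is outside the hunk, so at idx == 0xFFFFFFFF the sum becomes 0 and the check passes. `if (idx >= maxIdx) {` expresses the same intent without that edge. The message for the first check, "Error length was 0", is also printed for negative length, which `length <= 0` admits; "Error length was not greater than 0" would be accurate. Whether GetLength already guarantees idx + length <= maxIdx, which would make the second check redundant but harmless, cannot be seen here; CheckBitString continues outside the hunk.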
@@ -998,7 +1009,7 @@ static int CheckBitString(const byte* input, word32* inOutIdx, int* len,
 return ASN_PARSE_E;
 }
 idx++;
- length--;
+ length--; /* length has been checked for greater than 0 */
 *inOutIdx = idx;
 if (len != NULL)