diff --git a/src/x509.c b/src/x509.c
index 46dfd38ed43..be0bbef1b70 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -4404,6 +4404,10 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
     if (x509 == NULL || x509->derCert == NULL || outSz == NULL)
         return NULL;
 
+    if (x509->derCert->length > (word32)INT_MAX) {
+        return NULL;
+    }
+
     *outSz = (int)x509->derCert->length;
     return x509->derCert->buffer;
 }
@@ -8674,7 +8678,7 @@ int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out)
     }
 
     der = wolfSSL_X509_get_der(x509, &derSz);
-    if (der == NULL) {
+    if (der == NULL || derSz <= 0) {
         WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E);
         return MEMORY_E;
     }
diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c
index c6be3afc992..d878d819054 100644
--- a/wolfcrypt/src/kdf.c
+++ b/wolfcrypt/src/kdf.c
@@ -1009,7 +1009,8 @@ int wc_SRTP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
 
     /* Validate parameters. */
     if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
-            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
+            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
+            (idx == NULL && kdrIdx >= 0)) {
         ret = BAD_FUNC_ARG;
     }
 
@@ -1103,7 +1104,8 @@ int wc_SRTCP_KDF_ex(const byte* key, word32 keySz, const byte* salt, word32 salt
 
     /* Validate parameters. */
     if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
-            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
+            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
+            (idx == NULL && kdrIdx >= 0)) {
         ret = BAD_FUNC_ARG;
     }
 
@@ -1194,7 +1196,7 @@ int wc_SRTP_KDF_label(const byte* key, word32 keySz, const byte* salt,
     /* Validate parameters. */
     if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
             (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
-            (outKey == NULL)) {
+            (outKey == NULL) || (idx == NULL && kdrIdx >= 0)) {
         ret = BAD_FUNC_ARG;
     }
 
@@ -1267,7 +1269,7 @@ int wc_SRTCP_KDF_label(const byte* key, word32 keySz, const byte* salt,
     /* Validate parameters. */
     if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
             (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
-            (outKey == NULL)) {
+            (outKey == NULL) || (idx == NULL && kdrIdx >= 0)) {
         ret = BAD_FUNC_ARG;
     }