diff --git a/crypto/bio/bio.c b/crypto/bio/bio.c
index 256571f9531..f7af8372ea9 100644
--- a/crypto/bio/bio.c
+++ b/crypto/bio/bio.c
@@ -305,6 +305,9 @@ int BIO_write(BIO *bio, const void *in, int inl) {
 }
 
 int BIO_write_ex(BIO *bio, const void *data, size_t data_len, size_t *written_bytes) {
+  if (written_bytes != NULL) {
+    *written_bytes = 0;
+  }
   if (bio == NULL) {
     OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER);
     return 0;
@@ -322,9 +325,6 @@ int BIO_write_ex(BIO *bio, const void *data, size_t data_len, size_t *written_by
     }
     return 1;
   } else {
-    if (written_bytes != NULL) {
-      *written_bytes = 0;
-    }
     return 0;
   }
 }
diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c
index ad82e5dd749..1ba1aa97b9d 100644
--- a/crypto/conf/conf.c
+++ b/crypto/conf/conf.c
@@ -484,6 +484,11 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) {
     // we now have a line with trailing \r\n removed
 
     // i is the number of bytes
+    // Ensure addition doesn't overflow and corrupt the signed buffer position
+    if (i > INT_MAX - bufnum) {
+      OPENSSL_PUT_ERROR(CONF, ERR_R_OVERFLOW);
+      goto err;
+    }
     bufnum += i;
 
     v = NULL;
diff --git a/crypto/fipsmodule/bn/bytes.c b/crypto/fipsmodule/bn/bytes.c
index e8a288ebe6c..31f7b197015 100644
--- a/crypto/fipsmodule/bn/bytes.c
+++ b/crypto/fipsmodule/bn/bytes.c
@@ -91,6 +91,7 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
     return NULL;
   }
   ret->width = (int)num_words;
+  ret->neg = 0;
 
   bn_little_endian_to_words(ret->d, ret->width, in, len);
 
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 66ead816fab..abf04b46120 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -483,7 +483,8 @@ int PEM_write(FILE *fp, const char *name, const char *header,
 
 int PEM_write_bio(BIO *bp, const char *name, const char *header,
                   const unsigned char *data, long len) {
-  int nlen, n, i, j, outl;
+  int nlen, n, outl;
+  long i, j;
   unsigned char *buf = NULL;
   EVP_ENCODE_CTX ctx;
   int reason = ERR_R_BUF_LIB;
@@ -533,7 +534,11 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
       (BIO_write(bp, "-----\n", 6) != 6)) {
     goto err;
   }
-  return i + outl;
+  if (i + outl > INT_MAX) {
+    reason = ERR_R_OVERFLOW;
+    goto err;
+  }
+  return (int)(i + outl);
 err:
   if (buf) {
     OPENSSL_free(buf);
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index e993e79f802..91321e966b8 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -138,6 +138,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
           X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, &i, NULL);
       if (crl->idp != NULL) {
         if (!setup_idp(crl, crl->idp)) {
+          ISSUING_DIST_POINT_free(crl->idp);
+          crl->idp = NULL;
           return 0;
         }
       } else if (i != -1) {
@@ -147,6 +149,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
       crl->akid =
           X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, &i, NULL);
       if (crl->akid == NULL && i != -1) {
+        ISSUING_DIST_POINT_free(crl->idp);
+        crl->idp = NULL;
         return 0;
       }
 
@@ -169,6 +173,10 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
       }
 
       if (!crl_parse_entry_extensions(crl)) {
+        AUTHORITY_KEYID_free(crl->akid);
+        crl->akid = NULL;
+        ISSUING_DIST_POINT_free(crl->idp);
+        crl->idp = NULL;
         return 0;
       }