diff --git a/src/pk.c b/src/pk.c
index bfc039e5d0..f4761a7418 100644
--- a/src/pk.c
+++ b/src/pk.c
@@ -6911,9 +6911,15 @@ static int pem_write_data(const char *name, const char *header, int headerLen; char* pem = NULL; word32 pemLen; - word32 derLen = (word32)len; + word32 derLen; byte* p; + /* Reject lengths that would wrap the PEM size calculation below. */ + if ((len < 0) || ((word32)len >= (WOLFSSL_MAX_32BIT / 4))) { + return BAD_FUNC_ARG; + } + derLen = (word32)len; + nameLen = (int)XSTRLEN(name); headerLen = (int)XSTRLEN(header);
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index e84d252931..4e8e0a1482 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -2461,8 +2461,8 @@ int GetLength_ex(const byte* input, word32* inOutIdx, int* len, word32 maxIdx, *len = 0; /* Check there is at least one byte available containing length information. - */ - if ((idx + 1) > maxIdx) { + * Use >= to avoid a word32 wrap when idx is near UINT_MAX. */ + if (idx >= maxIdx) { WOLFSSL_MSG("GetLength - bad index on input"); return BUFFER_E; }
@@ -2495,7 +2495,7 @@ int GetLength_ex(const byte* input, word32* inOutIdx, int* len, word32 maxIdx, } /* Check the number of bytes required are available. */ - if ((idx + (word32)bytes) > maxIdx) { + if ((word32)bytes > (maxIdx - idx)) { WOLFSSL_MSG("GetLength - bad long length"); return BUFFER_E; }
@@ -2520,7 +2520,7 @@ int GetLength_ex(const byte* input, word32* inOutIdx, int* len, word32 maxIdx, } /* When requested, check the buffer has at least length bytes left. */ - if (check && ((idx + length) > maxIdx)) { + if (check && (length > (maxIdx - idx))) { WOLFSSL_MSG("GetLength - value exceeds buffer length"); return BUFFER_E; }
diff --git a/wolfcrypt/src/coding.c b/wolfcrypt/src/coding.c
index b3f804fcf0..80be73fe56 100644
--- a/wolfcrypt/src/coding.c
+++ b/wolfcrypt/src/coding.c
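Review bot: In pem_write_data (src/pk.c) the new guard narrows `len` with `(word32)len` before comparing it, so if `len` is wider than 32 bits (its declaration is outside the hunk) a value above the word32 range is truncated first and can slip under the limit. Comparing in the parameter's own type avoids that: `if ((len < 0) || (len >= (WOLFSSL_MAX_32BIT / 4))) {`, which leaves the cast on the following `derLen = (word32)len;` line known to be lossless. The function body continues past the end of the hunk, so the later additions to the PEM size are not visible here.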
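Review bot: In GetLength_ex (wolfcrypt/src/asn.c) the rewritten check `length > (maxIdx - idx)` in the third hunk drops the explicit conversion that the second hunk keeps with `(word32)bytes`, so if `length` is a signed int (declared outside the hunk) it is compared with a word32 through an implicit conversion. That is only correct if negative lengths have already been rejected earlier in the function, which these hunks do not show; writing `if (check && ((word32)length > (maxIdx - idx))) {` makes the assumption explicit and matches the second hunk. Both subtractions also rely on `idx <= maxIdx` at that point, which appears to follow from the first check and the byte-count check, so a short comment such as `/* idx <= maxIdx here, so the subtraction cannot wrap. */` above each would protect the invariant from later edits.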
@@ -483,6 +483,10 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out, if (in == NULL && inLen > 0) return BAD_FUNC_ARG; + /* Reject lengths that would wrap the encoded-size calculation below. */ + if (inLen >= (WOLFSSL_MAX_32BIT / 4)) + return BAD_FUNC_ARG; + outSz = (inLen + 3 - 1) / 3 * 4; addSz = (outSz + BASE64_LINE_SZ - 1) / BASE64_LINE_SZ; /* new lines */
diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c
index 65789c41c7..de943ac12a 100644
--- a/wolfcrypt/src/integer.c
+++ b/wolfcrypt/src/integer.c
@@ -762,11 +762,20 @@ int mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c) int res; int digits_needed; + if (c < 0) { + return MP_VAL; + } + while (c > 0 && b[0] == 0) { c--; b++; } + /* reject sizes where the bit count would overflow an int */ + if (c > (WOLFSSL_MAX_32BIT - (DIGIT_BIT - 1)) / CHAR_BIT) { + return MP_VAL; + } + digits_needed = ((c * CHAR_BIT) + DIGIT_BIT - 1) / DIGIT_BIT; /* make sure there are enough digits available */
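Review bot: The added comment in DoBase64_Encode says the length is rejected to stop the encoded-size calculation from wrapping, but it does not say why a quarter of the word32 range is the cut-off, and the same bare `WOLFSSL_MAX_32BIT / 4` appears in pem_write_data in src/pk.c. I would put the reasoning next to the check, for example `/* outSz is about 4/3 of inLen plus one line break per BASE64_LINE_SZ; inLen < 2^32/4 keeps each step inside word32. */`. Anything added to the size after the two visible lines is outside the hunk, so the margin should be confirmed against the rest of the function.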
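Review bot: In mp_read_unsigned_bin the new bound is derived from `WOLFSSL_MAX_32BIT`, which the other hunks in this patch compare against word32 values and so appears to be the unsigned 32-bit maximum, while the comment and the guarded expression `(c * CHAR_BIT)` concern a signed int. With a 32-bit int, a `c` between roughly INT_MAX / CHAR_BIT and the new limit passes the check and the multiplication still overflows, which is undefined behaviour. Bounding against the signed maximum closes the gap: `if (c > (INT_MAX - (DIGIT_BIT - 1)) / CHAR_BIT) {`. The function body continues after the hunk, so how `digits_needed` is used afterwards is not visible here.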