From aa4b84f9a23d108519786958146854ce213af56d Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Mon, 9 Mar 2026 10:58:36 -0500
Subject: [PATCH 1/2] wolfcrypt/src/evp_pk.c: fix benign nullPointer in d2i_make_pkey() reported by cppcheck-2.20.0.

---
 wolfcrypt/src/evp_pk.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/wolfcrypt/src/evp_pk.c b/wolfcrypt/src/evp_pk.c
index d5f4911b026..bf0b3cf6af1 100644
--- a/wolfcrypt/src/evp_pk.c
+++ b/wolfcrypt/src/evp_pk.c
@@ -67,14 +67,19 @@ static int d2i_make_pkey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem,

 /* Set the size and allocate memory for key data to be copied into. */
 pkey->pkey_sz = (int)memSz;
- pkey->pkey.ptr = (char*)XMALLOC((size_t)memSz, NULL,
- priv ? DYNAMIC_TYPE_PRIVATE_KEY : DYNAMIC_TYPE_PUBLIC_KEY);
- if (pkey->pkey.ptr == NULL) {
- ret = 0;
+ if (memSz > 0) {
+ pkey->pkey.ptr = (char*)XMALLOC((size_t)memSz, NULL,
+ priv ? DYNAMIC_TYPE_PRIVATE_KEY : DYNAMIC_TYPE_PUBLIC_KEY);
+ if (pkey->pkey.ptr == NULL) {
+ ret = 0;
+ }
+ if (ret == 1) {
+ /* Copy in key data. */
+ XMEMCPY(pkey->pkey.ptr, mem, memSz);
+ }
 }
 if (ret == 1) {
- /* Copy in key data, set key type passed in and return object. */
- XMEMCPY(pkey->pkey.ptr, mem, memSz);
+ /* Set key type passed in and return object. */
 pkey->type = type;
 *out = pkey;
 }

From 5bb8b3f8031a11995d7835379203e38cf0a6bd4f Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Mon, 9 Mar 2026 10:59:50 -0500
Subject: [PATCH 2/2] src/pk_ec.c: in wolfSSL_ECDSA_SIG_new(), mitigate false-positive nullPointerOutOfMemory by returning immediately if initial XMALLOC() fails.

---
 src/pk_ec.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/src/pk_ec.c b/src/pk_ec.c
index 8acd8433c7f..2a44ca55de7 100644
--- a/src/pk_ec.c
+++ b/src/pk_ec.c
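Review bot: In wolfcrypt/src/evp_pk.c, the new `if (memSz > 0)` guard in d2i_make_pkey() lets a negative memSz fall through to the success path: ret stays 1, `pkey->pkey_sz` has already been set from the negative value, and `pkey->pkey.ptr` is never assigned. Before this change the same input reached XMALLOC() as a very large size_t and would most likely have failed, so the function returned 0. The parameter's declaration is outside the hunk, but the `(int)` and `(size_t)` casts suggest a signed type, so the case is worth rejecting explicitly, for example with `else if (memSz < 0) { ret = 0; }` on the new guard. A zero length now also produces a key object whose data pointer is whatever the object's initialisation left there, so a comment stating that consumers must tolerate `pkey_sz == 0` with no buffer would help. The function's start and its failure cleanup are outside the hunk.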
@@ -4898,18 +4898,16 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_SIG_new(void)
 DYNAMIC_TYPE_ECC);
 if (sig == NULL) {
 WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA signature failure");
- err = 1;
+ return NULL;
 }

- if (!err) {
- /* Set s to NULL in case of error. */
- sig->s = NULL;
- /* Allocate BN into r. */
- sig->r = wolfSSL_BN_new();
- if (sig->r == NULL) {
- WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA r failure");
- err = 1;
- }
+ /* Set s to NULL in case of error. */
+ sig->s = NULL;
+ /* Allocate BN into r. */
+ sig->r = wolfSSL_BN_new();
+ if (sig->r == NULL) {
+ WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA r failure");
+ err = 1;
 }
 if (!err) {
 /* Allocate BN into s. */
@@ -4920,7 +4918,7 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_SIG_new(void)
 }
 }

- if (err && (sig != NULL)) {
+ if (err) {
 /* Dispose of allocated memory. */
 wolfSSL_ECDSA_SIG_free(sig);
 sig = NULL;
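Review bot: The second hunk's `if (err)` in wolfSSL_ECDSA_SIG_new() is correct only because of the early `return NULL;` added in the first hunk, and nothing in the code records that the two are coupled. A short comment at the return, such as `/* Return here so sig is known non-NULL for the rest of the function. */`, would stop a later refactor back to the `err = 1` style from passing a NULL `sig` to wolfSSL_ECDSA_SIG_free(), whose handling of NULL is not visible here. The function now mixes an early return with the `err` flag pattern still used for the r and s allocations, so the exception is worth stating where it occurs. The function's beginning and end are outside both hunks.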