diff --git a/library/x509.c b/library/x509.c
index 380fec237..1826f1d7b 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -361,6 +361,8 @@ static int x509_get_attr_type_value( unsigned char **p,
             MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
         return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
 
+    end = *p + len;
+
     if( ( end - *p ) < 1 )
         return( MBEDTLS_ERR_X509_INVALID_NAME +
                 MBEDTLS_ERR_ASN1_OUT_OF_DATA );
@@ -394,6 +396,12 @@ static int x509_get_attr_type_value( unsigned char **p,
     val->p = *p;
     *p += val->len;
 
+    if( *p != end )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
     cur->next = NULL;
 
     return( 0 );
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 8450f87e0..64fac0e0c 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -103,6 +103,9 @@ static int x509_get_crl_ext( unsigned char **p,
 {
     int ret;
 
+    if( *p == end )
+        return( 0 );
+
     /*
      * crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
      *                              -- if present, version MUST be v2
@@ -115,6 +118,8 @@ static int x509_get_crl_ext( unsigned char **p,
         return( ret );
     }
 
+    end = ext->p + ext->len;
+
     while( *p < end )
     {
         /*
diff --git a/library/x509_crt.c b/library/x509_crt.c
index dfd22f6e5..0287b5b86 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -891,6 +891,9 @@ static int x509_get_crt_ext( unsigned char **p,
     size_t len;
     unsigned char *end_ext_data, *end_ext_octet;
 
+    if( *p == end )
+        return( 0 );
+
     if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
     {
         if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
@@ -899,6 +902,7 @@ static int x509_get_crt_ext( unsigned char **p,
         return( ret );
     }
 
+    end = crt->v3_ext.p + crt->v3_ext.len;
     while( *p < end )
     {
         /*
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index b12a68d38..5cefb960c 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1096,7 +1096,7 @@ x509parse_crt:"30223020a0030201028204deadbeef300d06092a864886f70d01010b050030043
 
 X509 Certificate ASN1 (TBSCertificate, issuer two inner set datas)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010b05003006310430003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010b05003006310430003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
 X509 Certificate ASN1 (TBSCertificate, issuer no oid data)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
@@ -1112,7 +1112,7 @@ x509parse_crt:"30253023a0030201028204deadbeef300d06092a864886f70d01010b050030073
 
 X509 Certificate ASN1 (TBSCertificate, issuer, no full following string)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d01010b0500300d310b3009060013045465737400":"":MBEDTLS_ERR_X509_INVALID_NAME+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d01010b0500300d310b3009060013045465737400":"":MBEDTLS_ERR_X509_INVALID_NAME+MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
 X509 Certificate ASN1 (TBSCertificate, valid issuer, no validity)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
@@ -1264,7 +1264,7 @@ x509parse_crt:"3081de3081dba003020102020900ebdbcd14105e1839300906072a8648ce3d040
 
 X509 Certificate ASN1 (SubjectAltName repeated)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-x509parse_crt:"3081fd3081faa003020102020900a8b31ff37d09a37f300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313231333731365a170d3234313130383231333731365a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+x509parse_crt:"3081fd3081faa003020102020900a8b31ff37d09a37f300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313231333731365a170d3234313130383231333731365a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa340303e301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS
 
 X509 Certificate ASN1 (ExtKeyUsage repeated)
 depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C