diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c
index c69eabfa9..8d368ed9c 100644
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -436,6 +436,8 @@ rsa_private_key2SPKI(hx509_context context,
     memset(spki, 0, sizeof(*spki));
 
     len = i2d_RSAPublicKey(private_key->private_key.rsa, NULL);
+    if (len < 0)
+	return -1;
 
     spki->subjectPublicKey.data = malloc(len);
     if (spki->subjectPublicKey.data == NULL) {
diff --git a/lib/hx509/file.c b/lib/hx509/file.c
index 0090b035b..cd45af3ae 100644
--- a/lib/hx509/file.c
+++ b/lib/hx509/file.c
@@ -343,12 +343,14 @@ _hx509_erase_file(hx509_context context, const char *fn)
     if (ret == -1 && errno == ENOENT)
         return 0;
     if (ret == -1) {
-        hx509_set_error_string(context, 0, ret, "hx509_certs_destroy: "
-                               "stat of \"%s\": %s", fn, strerror(ret));
+        hx509_set_error_string(context, 0, errno, "hx509_certs_destroy: "
+                               "stat of \"%s\": %s", fn, strerror(errno));
         return errno;
     }
 
     fd = open(fn, O_RDWR | O_BINARY | O_CLOEXEC | O_NOFOLLOW);
+    if (fd < 0)
+	return errno;
     rk_cloexec(fd);
     if (ret == -1 && errno == ENOENT)
         return 0;
diff --git a/lib/krb5/store_stdio.c b/lib/krb5/store_stdio.c
index 80323e1d8..dddaa9245 100644
--- a/lib/krb5/store_stdio.c
+++ b/lib/krb5/store_stdio.c
@@ -137,6 +137,8 @@ stdio_trunc(krb5_storage * sp, off_t offset)
     if (fflush(F(sp)) == EOF)
         return errno;
     tmpoff = ftello(F(sp));
+    if (tmpoff < 0)
+	return errno;
     if (tmpoff > offset)
 	tmpoff = offset;
     if (ftruncate(fileno(F(sp)), offset) == -1)