diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index dfe9817a7..7f8484128 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -20112,6 +20112,12 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         /* Parse the X509 certificate. */
         ret = GetASN_Items(x509CertASN, dataASN, x509CertASN_Length, 1,
                            cert->source, &cert->srcIdx, cert->maxIdx);
+#ifdef WOLFSSL_CLANG_TIDY
+        /* work around clang-tidy false positive re cert->source. */
+        if ((ret == 0) && (cert->source == NULL)) {
+            ret = ASN_PARSE_E;
+        }
+#endif
     }
     /* Check version is valid/supported - can't be negative. */
     if ((ret == 0) && (version > MAX_X509_VERSION)) {
@@ -20304,7 +20310,7 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
                                         KEYID_SIZE) == 0);
         }
         if (stopAtPubKey) {
-            ret = pubKeyOffset;
+            ret = (int)pubKeyOffset;
         }
     }
 
diff --git a/wolfssl/wolfcrypt/sp_int.h b/wolfssl/wolfcrypt/sp_int.h
index 033e85f85..d96c7480e 100644
--- a/wolfssl/wolfcrypt/sp_int.h
+++ b/wolfssl/wolfcrypt/sp_int.h
@@ -764,7 +764,7 @@ typedef struct sp_ecc_ctx {
  * Must have at least one digit.
  */
 #define MP_INT_SIZEOF(cnt)                                              \
-    (sizeof(sp_int) - (SP_INT_DIGITS - (((cnt) == 0) ? 1 : (cnt))) *    \
+    (sizeof(sp_int_minimal) + (((cnt) <= 1) ? 0 : ((cnt) - 1)) *        \
      sizeof(sp_int_digit))
 /* The address of the next sp_int after one with 'cnt' digits. */
 #define MP_INT_NEXT(t, cnt) \