diff -up openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx openssl-3.2.2/crypto/rsa/rsa_oaep.c
--- openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx 2024-08-14 14:22:48.733407808 +0200
+++ openssl-3.2.2/crypto/rsa/rsa_oaep.c 2024-08-14 14:23:32.994483135 +0200
@@ -233,7 +233,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
 mdlen = EVP_MD_get_size(md);
- if (tlen <= 0 || flen <= 0)
+ if (tlen <= 0 || flen <= 0 || mdlen <= 0)
 return -1;
 /*
 * |num| is the length of the modulus; |flen| is the length of the
diff -up openssl-3.2.2/crypto/x509/pcy_tree.c.xxx openssl-3.2.2/crypto/x509/pcy_tree.c
--- openssl-3.2.2/crypto/x509/pcy_tree.c.xxx 2024-08-14 14:14:13.144850097 +0200
+++ openssl-3.2.2/crypto/x509/pcy_tree.c 2024-08-14 14:14:53.213826481 +0200
@@ -110,6 +110,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 *ptree = NULL;
+ if (n < 0)
+ return X509_PCY_TREE_INTERNAL;
 /* Can't do anything with just a trust anchor */
 if (n == 0)
 return X509_PCY_TREE_EMPTY;
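Review bot: In the rsa_oaep.c hunk, the new `mdlen <= 0` test shares one silent `return -1` with the `tlen`/`flen` checks, so a failed digest-size lookup looks the same to the caller as bad buffer lengths and no error is queued on this path. `mdlen` comes from `EVP_MD_get_size(md)` on the line above, that is, from the caller's digest choice and not from decrypted data, so testing it on its own should not affect the timing behaviour of the padding check. A separate test would be `if (mdlen <= 0) { ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_DIGEST); return -1; }`. If the combined test is kept, a comment such as `/* EVP_MD_get_size() reports failure with a non-positive value */` would record why it is there. The rest of RSA_padding_check_PKCS1_OAEP_mgf1 lies outside the hunk, so how `mdlen` is used afterwards is not visible here.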
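Review bot: In the pcy_tree.c hunk, the new `if (n < 0)` guard has no comment, unlike the `n == 0` case directly below it, and the hunk does not show how `n` is computed. Presumably `n` is derived from the number of certificates in `certs` and goes negative when that stack is NULL or empty. If so, a line such as `/* certs was NULL or empty: no chain to build a policy tree from */` above the check would make the reason explicit. The comment could also say that `X509_PCY_TREE_INTERNAL` is returned because an empty chain at this point indicates a caller bug, not a policy failure, if that is the intent. tree_init starts before and continues past the hunk.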