diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h
index cf74343657f75125305bb7770cf32b9ae9cdd076..91cd4198c7a1f9eb17d04c87c141b96dd13c2e57 100644
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -448,6 +448,7 @@ void ERR_load_RSA_strings(void);
 /* Reason codes. */
 #define RSA_R_ALGORITHM_MISMATCH 100
+#define RSA_R_BAD_ARGUMENT 149
 #define RSA_R_BAD_E_VALUE 101
 #define RSA_R_BAD_FIXED_HEADER_DECRYPT 102
 #define RSA_R_BAD_PAD_BYTE_COUNT 103
diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c
index 0577fbb1ea05597f1bb9b5bb4220ed4a0821356e..a53c5f6bff69f3fb4c90f20a08c9521cf012a501 100644
--- a/crypto/rsa/rsa_err.c
+++ b/crypto/rsa/rsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/rsa/rsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -124,6 +124,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
 static ERR_STRING_DATA RSA_str_reasons[]=
 {
 {ERR_REASON(RSA_R_ALGORITHM_MISMATCH) ,"algorithm mismatch"},
+{ERR_REASON(RSA_R_BAD_ARGUMENT) ,"bad argument"},
 {ERR_REASON(RSA_R_BAD_E_VALUE) ,"bad e value"},
 {ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT),"bad fixed header decrypt"},
 {ERR_REASON(RSA_R_BAD_PAD_BYTE_COUNT) ,"bad pad byte count"},
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index 7d5b4781a30bce66542d7866c4705f7cd74c3245..2e44194bdcd0be0398f56330f3429e6fedf6c5cf 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -81,6 +81,12 @@ int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
 EVP_MD_CTX ctx;
 unsigned char H_[EVP_MAX_MD_SIZE];
+ if (Hash == NULL)
+ {
+ RSAerr(RSA_F_RSA_VERIFY_PKCS1_PSS, RSA_R_BAD_ARGUMENT);
+ goto err;
+ }
+
 hLen = EVP_MD_size(Hash);
 /*
 * Negative sLen has special meanings:
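Review bot: The added `goto err` in the NULL-`Hash` check of RSA_verify_PKCS1_PSS runs before anything visible in the hunk has initialised `ctx` or allocated memory, and the `err` label lies outside the hunk, so it is worth confirming that the cleanup there only frees pointers that were NULL-initialised at declaration and does not touch `ctx`. If that cannot be guaranteed, reporting the error and returning the function's failure value directly at this point removes the dependency. A one-line comment above the check, such as `/* Hash is passed to EVP_MD_size() below; reject NULL before any use */`, would record why the guard has to come first. Any other function in this file that hands a caller-supplied `Hash` to EVP_MD_size() presumably needs the same guard; none is visible in this hunk.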
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 561ba5cf255a9aa611254bac5599c0608293c11f..330918a78aabfde2e893cf96c30f6a262d2fceae 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -412,6 +412,7 @@ printf("\n");
 if (!clear)
 {
+ /* !clear => s->read_hash != NULL => mac_size != -1 */
 mac_size=EVP_MD_CTX_size(s->read_hash);
 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
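Review bot: The comment added above `mac_size=EVP_MD_CTX_size(s->read_hash);` records an invariant that is established where `clear` is set, outside this hunk, but nothing here enforces it, and `mac_size` goes straight into the record-length bound on the following `if`. A later edit to the `clear` logic would silently let -1 into that arithmetic, so an explicit check right after the assignment, for example `OPENSSL_assert(mac_size >= 0);`, would keep the documented assumption from drifting. The enclosing `if (!clear)` block continues past the end of the hunk.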