diff --git a/firmware/bdb/host.c b/firmware/bdb/host.c
index 68a628031a..62b2c41078 100644
--- a/firmware/bdb/host.c
+++ b/firmware/bdb/host.c
@@ -123,6 +123,7 @@ struct bdb_key *bdb_create_key(const char *filename,
 } else {
 fprintf(stderr, "%s: bad key size from %s\n", __func__, filename);
+ free(kdata);
 return NULL;
 }
 key_size += kdata_size;
diff --git a/firmware/lib/gpt_misc.c b/firmware/lib/gpt_misc.c
index c9b71701c1..3957cb8936 100644
--- a/firmware/lib/gpt_misc.c
+++ b/firmware/lib/gpt_misc.c
@@ -123,13 +123,20 @@ int AllocAndReadGptData(VbExDiskHandle_t disk_handle, GptData *gptdata)
 int WriteAndFreeGptData(VbExDiskHandle_t disk_handle, GptData *gptdata)
 {
 int skip_primary = 0;
- GptHeader *header = (GptHeader *)gptdata->primary_header;
- uint64_t entries_bytes =
- (uint64_t)header->number_of_entries
- * header->size_of_entry;
- uint64_t entries_sectors = entries_bytes / gptdata->sector_bytes;
+ GptHeader *header;
+ uint64_t entries_bytes, entries_sectors;
 int ret = 1;
+ header = (GptHeader *)gptdata->primary_header;
+ if (!header)
+ header = (GptHeader *)gptdata->secondary_header;
+ if (!header)
+ return 1; /* No headers at all, so nothing to write */
+
+ entries_bytes = (uint64_t)header->number_of_entries
+ * header->size_of_entry;
+ entries_sectors = entries_bytes / gptdata->sector_bytes;
+
 /*
 * TODO(namnguyen): Preserve padding between primary GPT header and
 * its entries.
diff --git a/firmware/lib/tpm_lite/tlcl.c b/firmware/lib/tpm_lite/tlcl.c
index bf2d27f99c..789443142e 100644
--- a/firmware/lib/tpm_lite/tlcl.c
+++ b/firmware/lib/tpm_lite/tlcl.c
@@ -223,6 +223,8 @@ uint32_t TlclRead(uint32_t index, void* data, uint32_t length) {
 if (result == TPM_SUCCESS && length > 0) {
 uint8_t* nv_read_cursor = response + kTpmResponseHeaderLength;
 FromTpmUint32(nv_read_cursor, &result_length);
+ if (result_length > length)
+ result_length = length; /* Truncate to fit buffer */
 nv_read_cursor += sizeof(uint32_t);
 Memcpy(data, nv_read_cursor, result_length);
 }
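Review bot: In firmware/lib/gpt_misc.c, the new `return 1; /* No headers at all, so nothing to write */` in WriteAndFreeGptData exits before anything is freed, and the hunk does not show whether the entries buffers can be allocated while both header pointers are NULL. If they can, this exit leaks them on exactly the failure path the check was added for, so it should go through whatever cleanup the function performs at its end rather than returning directly. The division `entries_bytes / gptdata->sector_bytes` is also still unguarded against a zero `sector_bytes`; widening the test to `if (!header || !gptdata->sector_bytes)` would cover it. The rest of the function body lies outside the hunk.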
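Review bot: In firmware/lib/tpm_lite/tlcl.c, TlclRead now clamps `result_length` to `length` and, as far as the hunk shows, still reports the TPM's success code, so a response claiming more data than was requested is silently accepted as a good read. A length field larger than the request means the response is malformed or not the one expected, and for NV data that feeds boot decisions it is safer to fail than to hand back a truncated value: `if (result_length > length) return <error code>;` (placeholder; use the file's existing I/O error constant). Nothing visible in the hunk checks that `result_length` bytes actually fit in `response` after the header and length word either, so the Memcpy source side deserves the same bound. The function starts and ends outside the hunk.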
diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 90703a9018..4aa2fbdc1a 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -1081,6 +1081,22 @@ VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
 VbExNvStorageRead(vnc.raw);
 VbNvSetup(&vnc);
+ /* Fill in params for calls to LoadKernel() */
+ Memset(&p, 0, sizeof(p));
+ p.shared_data_blob = cparams->shared_data_blob;
+ p.shared_data_size = cparams->shared_data_size;
+ p.gbb_data = cparams->gbb_data;
+ p.gbb_size = cparams->gbb_size;
+ p.fwmp = &fwmp;
+ p.nv_context = &vnc;
+
+ /*
+ * This could be set to NULL, in which case the vboot header
+ * information about the load address and size will be used.
+ */
+ p.kernel_buffer = kparams->kernel_buffer;
+ p.kernel_buffer_size = kparams->kernel_buffer_size;
+
 /* Clear output params in case we fail */
 kparams->disk_handle = NULL;
 kparams->partition_number = 0;
@@ -1169,22 +1185,7 @@ VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams,
 }
 }
- /* Fill in params for calls to LoadKernel() */
- Memset(&p, 0, sizeof(p));
- p.shared_data_blob = cparams->shared_data_blob;
- p.shared_data_size = cparams->shared_data_size;
- p.gbb_data = cparams->gbb_data;
- p.gbb_size = cparams->gbb_size;
- p.fwmp = &fwmp;
-
- /*
- * This could be set to NULL, in which case the vboot header
- * information about the load address and size will be used.
- */
- p.kernel_buffer = kparams->kernel_buffer;
- p.kernel_buffer_size = kparams->kernel_buffer_size;
-
- p.nv_context = &vnc;
+ /* Set up boot flags */
 p.boot_flags = 0;
 if (shared->flags & VBSD_BOOT_DEV_SWITCH_ON)
 p.boot_flags |= BOOT_FLAG_DEVELOPER;
diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c
index 3535952f3b..4992915114 100644
--- a/firmware/lib/vboot_common.c
+++ b/firmware/lib/vboot_common.c
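Review bot: The block relocated by the first hunk of vboot_api_kernel.c keeps its old comment, `/* Fill in params for calls to LoadKernel() */`, which does not explain why the setup now sits ahead of the output-param clearing and all the code between the two hunks. Presumably the move is so that no path can read `p` before it has been zeroed; if so, say it, e.g. `/* Fill in params up front so no later path sees p uninitialized */`. The code between the hunks is not visible here, so it is worth confirming that `fwmp` and `vnc` are populated before anything dereferences `p.fwmp` or `p.nv_context`. In the second hunk, `p.boot_flags = 0;` is redundant with the earlier Memset unless intervening code writes the field.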
@@ -419,14 +419,14 @@ int VerifyVmlinuzInsideKBlob(uint64_t kblob, uint64_t kblob_size,
 uint64_t VbSharedDataReserve(VbSharedDataHeader *header, uint64_t size)
 {
- uint64_t offs = header->data_used;
-
- VBDEBUG(("VbSharedDataReserve %d bytes at %d\n", (int)size, (int)offs));
-
 if (!header || size > header->data_size - header->data_used) {
 VBDEBUG(("VbSharedData buffer out of space.\n"));
 return 0; /* Not initialized, or not enough space left. */
 }
+
+ uint64_t offs = header->data_used;
+ VBDEBUG(("VbSharedDataReserve %d bytes at %d\n", (int)size, (int)offs));
+
 header->data_used += size;
 return offs;
 }
diff --git a/firmware/stub/vboot_api_stub_init.c b/firmware/stub/vboot_api_stub_init.c
index 34387837d7..214387a2d8 100644
--- a/firmware/stub/vboot_api_stub_init.c
+++ b/firmware/stub/vboot_api_stub_init.c
@@ -24,7 +24,7 @@ static char fmtbuf[MAX_FMT+1];
 static const char *fixfmt(const char *format)
 {
 int i;
- for(i=0; i
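Review bot: The bounds check in VbSharedDataReserve, `size > header->data_size - header->data_used`, wraps if `data_used` ever exceeds `data_size` (the fields appear to be unsigned 64-bit), after which an oversized `size` passes and `data_used` is advanced past the buffer. The commit fixes the NULL dereference but leaves this, and a header taken from a corrupted shared-data blob can hit it; put the ordering check first: `if (!header || header->data_used > header->data_size || size > header->data_size - header->data_used) {`. The moved `VBDEBUG` line also casts both 64-bit values to `int` for `%d`, which misreports large values. Declaring `offs` after a statement is a C99 construct, so confirm the firmware build flags accept it.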