diff --git a/ChangeLog b/ChangeLog
index c6befa96f..7ee4050a5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ Security
    * Fix potential invalid memory read in the server, that allows a client to
      crash it remotely (found by Caj Larsson).
 
+Bugfix
+   * Fix potential unintended sign extension in asn1_get_len() on 64-bit
+     platforms (found with Coverity Scan).
+
 = Version 1.2.13 released 2015-02-16
 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
       this will be made in the 1.2 branch at this point.
diff --git a/library/asn1parse.c b/library/asn1parse.c
index 928924ff5..636ab605c 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -62,7 +62,7 @@ int asn1_get_len( unsigned char **p,
             if( ( end - *p ) < 3 )
                 return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
 
-            *len = ( (*p)[1] << 8 ) | (*p)[2];
+            *len = ( (size_t)(*p)[1] << 8 ) | (*p)[2];
             (*p) += 3;
             break;
 
@@ -70,7 +70,8 @@ int asn1_get_len( unsigned char **p,
             if( ( end - *p ) < 4 )
                 return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
 
-            *len = ( (*p)[1] << 16 ) | ( (*p)[2] << 8 ) | (*p)[3];
+            *len = ( (size_t)(*p)[1] << 16 ) |
+                   ( (size_t)(*p)[2] << 8  ) | (*p)[3];
             (*p) += 4;
             break;
 
@@ -78,7 +79,8 @@ int asn1_get_len( unsigned char **p,
             if( ( end - *p ) < 5 )
                 return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
 
-            *len = ( (*p)[1] << 24 ) | ( (*p)[2] << 16 ) | ( (*p)[3] << 8 ) | (*p)[4];
+            *len = ( (size_t)(*p)[1] << 24 ) | ( (size_t)(*p)[2] << 16 ) |
+                   ( (size_t)(*p)[3] << 8  ) |           (*p)[4];
             (*p) += 5;
             break;