diff --git a/ChangeLog b/ChangeLog
index b459887ec..ffdb5c410 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@ Security
    * Fix potential heap corruption on Windows when
      x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
      triggered remotely. Found by Guido Vranken, Interlworks.
+   * Fix potential buffer overflow in some asn1_write_xxx() functions.
+     Cannot be triggered remotely unless you create X.509 certificates based
+     on untrusted input or write keys of untrusted origin. Found by Guido
+     Vranken, Interlworks.
 
 = mbed TLS 1.3.14 released 2015-10-06
 
diff --git a/library/asn1write.c b/library/asn1write.c
index df9442ef8..87e130e52 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -88,7 +88,7 @@ int asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
 {
     size_t len = 0;
 
-    if( *p - start < (int) size )
+    if( *p < start || (size_t)( *p - start ) < size )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     len = size;
@@ -108,7 +108,7 @@ int asn1_write_mpi( unsigned char **p, unsigned char *start, mpi *X )
     //
     len = mpi_size( X );
 
-    if( *p - start < (int) len )
+    if( *p < start || (size_t)( *p - start ) < len )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     (*p) -= len;
@@ -271,7 +271,7 @@ int asn1_write_bitstring( unsigned char **p, unsigned char *start,
 
     // Calculate byte length
     //
-    if( *p - start < (int) size + 1 )
+    if( *p < start || (size_t)( *p - start ) < size + 1 )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     len = size + 1;