diff --git a/library/pkwrite.c b/library/pkwrite.c
index f3acec751..cc58f46e9 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -768,19 +768,19 @@ int mbedtls_pk_write_pubkey_pem(const mbedtls_pk_context *key, unsigned char *bu
 
     if ((ret = mbedtls_pk_write_pubkey_der(key, output_buf,
                                            PUB_DER_MAX_BYTES)) < 0) {
-        free(output_buf);
-        return ret;
+        goto cleanup;
     }
 
     if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
                                         output_buf + PUB_DER_MAX_BYTES - ret,
                                         ret, buf, size, &olen)) != 0) {
-        free(output_buf);
-        return ret;
+        goto cleanup;
     }
 
+    ret = 0;
+cleanup:
     free(output_buf);
-    return 0;
+    return ret;
 }
 
 int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
@@ -804,8 +804,7 @@ int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf,
 #endif
 
     if ((ret = mbedtls_pk_write_key_der(key, output_buf, PRV_DER_MAX_BYTES)) < 0) {
-        free(output_buf);
-        return ret;
+        goto cleanup;
     }
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -849,19 +848,20 @@ int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf,
     } else
 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
     {
-        free(output_buf);
-        return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+        ret = MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
+        goto cleanup;
     }
 
     if ((ret = mbedtls_pem_write_buffer(begin, end,
                                         output_buf + PRV_DER_MAX_BYTES - ret,
                                         ret, buf, size, &olen)) != 0) {
-        free(output_buf);
-        return ret;
+        goto cleanup;
     }
 
+    ret = 0;
+cleanup:
     free(output_buf);
-    return 0;
+    return ret;
 }
 #endif /* MBEDTLS_PEM_WRITE_C */