diff --git a/library/x509_crt.c b/library/x509_crt.c
index 75ea5e604..5834a4ce9 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1445,7 +1445,11 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
     }
     else
     {
-        crt->raw.p = mbedtls_calloc( 1, buflen );
+        /* Call mbedtls_calloc with buflen + 1 in order to avoid potential
+         * return of NULL in case of length 0 certificates, which we want
+         * to cleanly fail with MBEDTLS_ERR_X509_INVALID_FORMAT in the
+         * core parsing routine, but not here. */
+        crt->raw.p = mbedtls_calloc( 1, buflen + 1 );
         if( crt->raw.p == NULL )
             return( MBEDTLS_ERR_X509_ALLOC_FAILED );
         crt->raw.len = buflen;