diff --git a/libraries/liblber/decode.c b/libraries/liblber/decode.c
index b687e75cc8..3e956804b5 100644
--- a/libraries/liblber/decode.c
+++ b/libraries/liblber/decode.c
@@ -143,13 +143,14 @@ ber_skip_tag( BerElement *ber, ber_len_t *len )
 {
 ber_tag_t tag;
 unsigned char lc;
- ber_len_t i, noctets;
- unsigned char netlen[sizeof(ber_len_t)];
+ char *save;
 assert( ber != NULL );
 assert( len != NULL );
 assert( LBER_VALID( ber ) );
+ save = ber->ber_ptr;
+
 /*
 * Any ber element looks like this: tag length contents.
 * Assuming everything's ok, we return the tag byte (we
@@ -182,6 +183,9 @@ ber_skip_tag( BerElement *ber, ber_len_t *len )
 }
 if ( lc & 0x80U ) {
+ ber_len_t i, noctets;
+ unsigned char netlen[sizeof(ber_len_t)];
+
 noctets = (lc & 0x7fU);
 if ( noctets > sizeof(ber_len_t) ) {
@@ -202,7 +206,7 @@ ber_skip_tag( BerElement *ber, ber_len_t *len )
 }
 /* BER element should have enough data left */
- if( *len > (ber_len_t) ber_pvt_ber_remaining( ber ) ) {
+ if( *len > (ber_len_t) (ber_pvt_ber_remaining( ber ) + ber->ber_ptr - save) ) {
 return LBER_DEFAULT;
 }
 ber->ber_tag = *(unsigned char *)ber->ber_ptr;
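Review bot: The rewritten bound in the last hunk is looser than the one it replaces, because adding `ber->ber_ptr - save` counts the tag and length octets already consumed as data still available (`save` is captured at function entry in the first hunk). If `ber_pvt_ber_remaining()` is `ber_end - ber_ptr` (its definition is not in this diff), a declared `*len` that exceeds the bytes actually left after the header by up to the header size is now accepted. A caller that reads a successful return as "`*len` bytes are readable at `ber_ptr`" could then index past the end of the buffer. If the relaxation is intended, the check needs a comment saying why the header octets count, for example `/* bound is measured from the element start (save), not from the contents */`, and parentheses around `(ber->ber_ptr - save)` so the arithmetic is unambiguous; otherwise the stricter comparison should stay. The body of `ber_skip_tag` continues outside these hunks, so whether later code re-validates the length cannot be confirmed from here.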