--- libraries/liblber/decode.c	2009/01/21 23:40:19	1.115
+++ libraries/liblber/decode.c	2009/02/10 11:44:12	1.116
@@ -1,5 +1,5 @@
 /* decode.c - ber input decoding routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.114 2008/08/06 11:36:53 hallvard Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.115 2009/01/21 23:40:19 kurt Exp $ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
  * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -143,13 +143,14 @@ ber_skip_tag( BerElement *ber, ber_len_t
 {
 	ber_tag_t	tag;
 	unsigned char	lc;
-	ber_len_t	i, noctets;
-	unsigned char netlen[sizeof(ber_len_t)];
+	char		*save;
 
 	assert( ber != NULL );
 	assert( len != NULL );
 	assert( LBER_VALID( ber ) );
 
+	save = ber->ber_ptr;
+
 	/*
 	 * Any ber element looks like this: tag length contents.
 	 * Assuming everything's ok, we return the tag byte (we
@@ -182,6 +183,9 @@ ber_skip_tag( BerElement *ber, ber_len_t
 	}
 
 	if ( lc & 0x80U ) {
+		ber_len_t	i, noctets;
+		unsigned char netlen[sizeof(ber_len_t)];
+
 		noctets = (lc & 0x7fU);
 
 		if ( noctets > sizeof(ber_len_t) ) {
@@ -202,7 +206,7 @@ ber_skip_tag( BerElement *ber, ber_len_t
 	}
 
 	/* BER element should have enough data left */
-	if( *len > (ber_len_t) ber_pvt_ber_remaining( ber ) ) {
+	if( *len > (ber_len_t) (ber_pvt_ber_remaining( ber ) + ber->ber_ptr - save) ) {
 		return LBER_DEFAULT;
 	}
 	ber->ber_tag = *(unsigned char *)ber->ber_ptr;