--- libraries/liblber/decode.c 2009/01/21 23:40:19 1.115
+++ libraries/liblber/decode.c 2009/02/10 11:44:12 1.116
@@ -1,5 +1,5 @@
 /* decode.c - ber input decoding routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.114 2008/08/06 11:36:53 hallvard Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.115 2009/01/21 23:40:19 kurt Exp $ */
 /* This work is part of OpenLDAP Software .
 *
 * Copyright 1998-2009 The OpenLDAP Foundation.
@@ -143,13 +143,14 @@ ber_skip_tag( BerElement *ber, ber_len_t
 {
 ber_tag_t tag;
 unsigned char lc;
- ber_len_t i, noctets;
- unsigned char netlen[sizeof(ber_len_t)];
+ char *save;
 assert( ber != NULL );
 assert( len != NULL );
 assert( LBER_VALID( ber ) );
+ save = ber->ber_ptr;
+
 /*
 * Any ber element looks like this: tag length contents.
 * Assuming everything's ok, we return the tag byte (we
@@ -182,6 +183,9 @@ ber_skip_tag( BerElement *ber, ber_len_t
 }
 if ( lc & 0x80U ) {
+ ber_len_t i, noctets;
+ unsigned char netlen[sizeof(ber_len_t)];
+
 noctets = (lc & 0x7fU);
 if ( noctets > sizeof(ber_len_t) ) {
@@ -202,7 +206,7 @@ ber_skip_tag( BerElement *ber, ber_len_t
 }
 /* BER element should have enough data left */
- if( *len > (ber_len_t) ber_pvt_ber_remaining( ber ) ) {
+ if( *len > (ber_len_t) (ber_pvt_ber_remaining( ber ) + ber->ber_ptr - save) ) {
 return LBER_DEFAULT;
 }
 ber->ber_tag = *(unsigned char *)ber->ber_ptr;
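Review bot: The relaxed bound in the last hunk lets `*len` pass while exceeding the data left after the header by up to `ber->ber_ptr - save` octets (the tag and length bytes consumed since `save` was taken in the second hunk), yet the comment above it still reads "BER element should have enough data left". Nothing in the diff says why that slack is wanted, and a caller that then consumes `*len` bytes from `ber->ber_ptr` would have to rely on its own end-of-buffer check; the callers are not visible here, so this needs confirming. I would state the intent next to the check, for example `/* bound is counted from save (start of this element), so *len may include the header octets already read */`. The body of ber_skip_tag starts and ends outside these hunks.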