--- libraries/liblber/decode.c 2000/10/12 18:02:16 1.56
+++ libraries/liblber/decode.c 2001/07/21 21:13:05 1.61
@@ -1,5 +1,5 @@
 /* decode.c - ber input decoding routines */
-/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.55 2000/10/11 00:43:14 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/libraries/liblber/decode.c,v 1.60 2001/05/06 17:07:24 kurt Exp $ */
 /*
 * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
@@ -42,7 +42,7 @@ ber_get_tag( BerElement *ber )
 unsigned int i;
 assert( ber != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 if ( ber_read( ber, (char *) &xbyte, 1 ) != 1 ) {
 return LBER_DEFAULT;
@@ -85,7 +85,7 @@ ber_skip_tag( BerElement *ber, ber_len_t
 assert( ber != NULL );
 assert( len != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 /*
 * Any ber element looks like this: tag length contents.
@@ -109,7 +109,7 @@ ber_skip_tag( BerElement *ber, ber_len_t
 /*
 * Next, read the length. The first byte contains the length of
- * the length. If bit 8 is set, the length is the long form,
+ * the length. If bit 8 is set, the length is the long form,
 * otherwise it's the short form. We don't allow a length that's
 * greater than what we can hold in a ber_len_t. */
@@ -137,6 +137,11 @@ ber_skip_tag( BerElement *ber, ber_len_t
 *len = lc;
 }
+ /* BER element should have enough data left */
+ if( *len > ber_pvt_ber_remaining( ber ) ) {
+ return LBER_DEFAULT;
+ }
+
 return tag;
 }
@@ -170,7 +175,7 @@ ber_getnint(
 assert( ber != NULL );
 assert( num != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 /*
 * The tag and length have already been stripped off. We should
@@ -216,7 +221,7 @@ ber_get_int(
 ber_len_t len;
 assert( ber != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 if ( (tag = ber_skip_tag( ber, &len )) == LBER_DEFAULT ) {
 return LBER_DEFAULT;
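Review bot: The bounds check added at the end of ber_skip_tag (hunk at new line 137) compares `*len` with `ber_pvt_ber_remaining( ber )`, whose definition is not part of this diff. If that macro is a plain pointer difference and `*len` is unsigned, a read position that has moved past the end of the buffer would give a negative value that converts to a very large unsigned number, and the check would then accept any length; it is worth confirming that state cannot occur, or rejecting it explicitly before the comparison. The new comment would also say more if it named the source of the length, for example `/* length comes from the encoded data: reject it if it exceeds the bytes left in this element */`, and the function's header comment (outside this hunk) should list this as a further reason for returning LBER_DEFAULT. The callers visible in the later hunks take their data length straight from ber_skip_tag, so they appear to rely on this bound.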
@@ -247,12 +252,14 @@ ber_get_stringb(
 ber_tag_t tag;
 assert( ber != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 if ( (tag = ber_skip_tag( ber, &datalen )) == LBER_DEFAULT ) {
 return LBER_DEFAULT;
 }
- if ( datalen > (*len - 1) ) {
+
+ /* must fit within allocated space with termination */
+ if ( datalen >= *len ) {
 return LBER_DEFAULT;
 }
@@ -275,7 +282,7 @@ ber_get_stringa( BerElement *ber, char *
 assert( ber != NULL );
 assert( buf != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 if ( (tag = ber_skip_tag( ber, &datalen )) == LBER_DEFAULT ) {
 *buf = NULL;
@@ -305,7 +312,7 @@ ber_get_stringal( BerElement *ber, struc
 assert( ber != NULL );
 assert( bv != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 if ( (tag = ber_skip_tag( ber, &len )) == LBER_DEFAULT ) {
 *bv = NULL;
@@ -356,7 +363,7 @@ ber_get_bitstringa(
 assert( buf != NULL );
 assert( blen != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 if ( (tag = ber_skip_tag( ber, &datalen )) == LBER_DEFAULT ) {
 *buf = NULL;
@@ -391,7 +398,7 @@ ber_get_null( BerElement *ber )
 ber_tag_t tag;
 assert( ber != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 if ( (tag = ber_skip_tag( ber, &len )) == LBER_DEFAULT ) {
 return LBER_DEFAULT;
@@ -415,7 +422,7 @@ ber_get_boolean(
 assert( ber != NULL );
 assert( boolval != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 rc = ber_get_int( ber, &longbool );
 *boolval = longbool;
@@ -458,7 +465,7 @@ ber_next_element(
 assert( len != NULL );
 assert( last != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 if ( ber->ber_ptr == last ) {
 return LBER_DEFAULT;
@@ -477,7 +484,7 @@ ber_scanf ( BerElement *ber,
 LDAP_CONST char *fmt_reset;
 char *last;
 char *s, **ss, ***sss;
- struct berval ***bv, **bvp, *bval;
+ struct berval ***bv, **bvp, *bval;
 ber_int_t *i;
 int j;
 ber_len_t *l;
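Review bot: The comment added in ber_get_stringb states what the check requires but not why `datalen > (*len - 1)` had to be replaced. If `*len` is unsigned, as the length type is elsewhere in this file (the signature is outside the hunk), a caller passing `*len == 0` made `*len - 1` wrap to the maximum value, so the old test could never reject anything. Recording that keeps the `>=` form from being rewritten back later, for example `/* datalen plus the terminating NUL must fit in *len; ">=" also rejects *len == 0, where "*len - 1" would wrap */`. In the visible lines only `ber` is asserted before `*len` is read, whereas ber_get_stringa also asserts its output pointer, so matching asserts for `buf` and `len` would make the two functions consistent.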
@@ -490,15 +497,18 @@ ber_scanf ( BerElement *ber,
 assert( ber != NULL );
 assert( fmt != NULL );
- assert( BER_VALID( ber ) );
+ assert( LBER_VALID( ber ) );
 fmt_reset = fmt;
- LDAP_LOG( "LIBLBER", LDAP_LEVEL_ENTRY, "ber_scanf fmt (%s) ber:\n", fmt );
-
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "liblber", LDAP_LEVEL_ENTRY, "ber_scanf fmt (%s) ber:\n", fmt ));
+ BER_DUMP(( "liblber", LDAP_LEVEL_DETAIL2, ber, 1 ));
+#else
 ber_log_printf( LDAP_DEBUG_TRACE, ber->ber_debug, "ber_scanf fmt (%s) ber:\n", fmt );
 ber_log_dump( LDAP_DEBUG_BER, ber->ber_debug, ber, 1 );
+#endif
 for ( rc = 0; *fmt && rc != LBER_DEFAULT; fmt++ ) {
 /* When this is modified, remember to update
@@ -626,8 +636,13 @@ ber_scanf ( BerElement *ber,
 default:
 if( ber->ber_debug ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "liblber", LDAP_LEVEL_ERR,
+ "ber_scanf: unknown fmt %c\n", *fmt ));
+#else
 ber_log_printf( LDAP_DEBUG_ANY, ber->ber_debug, "ber_scanf: unknown fmt %c\n", *fmt );
+#endif
 }
 rc = LBER_DEFAULT;
 break;
@@ -712,7 +727,7 @@ ber_scanf ( BerElement *ber,
 case 'v': /* sequence of strings */
 sss = va_arg( ap, char *** );
 if ( *sss ) {
- for (j = 0; (*sss)[j]; j++) {
+ for (j = 0; (*sss)[j]; j++) {
 LBER_FREE( (*sss)[j] );
 (*sss)[j] = NULL;
 }
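Review bot: In the `default:` case of ber_scanf (hunk at new line 636) the NEW_LOGGING call sits inside the existing `if( ber->ber_debug )`, so under the new logging framework the LDAP_LEVEL_ERR message for an unknown format character is still emitted only when the legacy per-element debug mask is non-zero. The entry trace added at the top of the function (hunk at new line 497) is not gated that way, so the two sites disagree. If LDAP_LOG is meant to do its own level filtering, move the `#ifdef NEW_LOGGING` outside the `if` so that only the `ber_log_printf` branch depends on `ber->ber_debug`. Separately, `BER_DUMP` and `ber_log_dump` write the whole element to the log, so a one-line comment next to them noting that the dump contains whatever the decoded message carries would help operators decide when to enable that level. ber_scanf starts and ends outside both hunks.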