partially addresses an issue with ITS#5931

diff --git a/libraries/liblber/decode.c b/libraries/liblber/decode.c
index b687e75cc8856d5f39c3470331933f6e0e04cff4..3e956804b56a83e25694444ce4c91199611c0a3b 100644 (file)
--- a/libraries/liblber/decode.c
+++ b/libraries/liblber/decode.c
@@ -143,13 +143,14 @@ ber_skip_tag( BerElement *ber, ber_len_t *len )
 {
        ber_tag_t       tag;
        unsigned char   lc;
-       ber_len_t       i, noctets;
-       unsigned char netlen[sizeof(ber_len_t)];
+       char            *save;
 
        assert( ber != NULL );
        assert( len != NULL );
        assert( LBER_VALID( ber ) );
 
+       save = ber->ber_ptr;
+
        /*
         * Any ber element looks like this: tag length contents.
         * Assuming everything's ok, we return the tag byte (we
@@ -182,6 +183,9 @@ ber_skip_tag( BerElement *ber, ber_len_t *len )
        }
 
        if ( lc & 0x80U ) {
+               ber_len_t       i, noctets;
+               unsigned char netlen[sizeof(ber_len_t)];
+
                noctets = (lc & 0x7fU);
 
                if ( noctets > sizeof(ber_len_t) ) {
@@ -202,7 +206,7 @@ ber_skip_tag( BerElement *ber, ber_len_t *len )
        }
 
        /* BER element should have enough data left */
-       if( *len > (ber_len_t) ber_pvt_ber_remaining( ber ) ) {
+       if( *len > (ber_len_t) (ber_pvt_ber_remaining( ber ) + ber->ber_ptr - save) ) {
                return LBER_DEFAULT;
        }
        ber->ber_tag = *(unsigned char *)ber->ber_ptr;