From 9275b099544f82881ee6e6abae902f42fa5d3e43 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga <kurt@openldap.org>
Date: Sun, 6 May 2001 19:07:24 +0000
Subject: [PATCH] Add a bit of hardening

---
 libraries/liblber/decode.c | 9 ++++++++-
 libraries/liblber/io.c     | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/libraries/liblber/decode.c b/libraries/liblber/decode.c
index 5459b8d675..2d864abae2 100644
--- a/libraries/liblber/decode.c
+++ b/libraries/liblber/decode.c
@@ -137,6 +137,11 @@ ber_skip_tag( BerElement *ber, ber_len_t *len )
 		*len = lc;
 	}
 
+	/* BER element should have enough data left */
+	if( *len > ber_pvt_ber_remaining( ber ) ) {
+		return LBER_DEFAULT;
+	}
+
 	return tag;
 }
 
@@ -252,7 +257,9 @@ ber_get_stringb(
 	if ( (tag = ber_skip_tag( ber, &datalen )) == LBER_DEFAULT ) {
 		return LBER_DEFAULT;
 	}
-	if ( datalen > (*len - 1) ) {
+
+	/* must fit within allocated space with termination */
+	if ( datalen >= *len ) {
 		return LBER_DEFAULT;
 	}
 
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index 36e4331104..a446f7f582 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -77,7 +77,7 @@ ber_read(
 
 	assert( BER_VALID( ber ) );
 
-	nleft = ber->ber_end - ber->ber_ptr;
+	nleft = ber_pvt_ber_remaining( ber );
 	actuallen = nleft < len ? nleft : len;
 
 	AC_MEMCPY( buf, ber->ber_ptr, actuallen );
-- 
2.39.5