CVE-2014-3467 (the DECR_LEN changes were omitted, since too intrusive to backport for little impact) Author: Nikos Mavrogiannopoulos Upstream commits: ff3b5c68cc32e30d19edbbc3a962b2266029f3cc 0e80d79db71747644394fe3472dad28cd3e7b00b 51612fca32dda445056ca9a7533bae258acd3ecb
--- libtasn1-3-2.13.orig/lib/decoding.c
+++ libtasn1-3-2.13/lib/decoding.c
@@ -149,7 +149,7 @@ asn1_get_tag_der (const unsigned char *d
 /* Long form */
 punt = 1;
 ris = 0;
- while (punt <= der_len && der[punt] & 128)
+ while (punt < der_len && der[punt] & 128)
 {
 last = ris;
@@ -258,9 +258,11 @@ _asn1_get_time_der (const unsigned char
 if (der_len <= 0 || str == NULL)
 return ASN1_DER_ERROR;
+
 str_len = asn1_get_length_der (der, der_len, &len_len);
- if (str_len < 0 || str_size < str_len)
+ if (str_len <= 0 || str_size < str_len)
 return ASN1_DER_ERROR;
+
 memcpy (str, der + len_len, str_len);
 str[str_len] = 0;
 *ret_len = str_len + len_len;
@@ -285,7 +287,7 @@ _asn1_get_objectid_der (const unsigned c
 return ASN1_GENERIC_ERROR;
 len = asn1_get_length_der (der, der_len, &len_len);
- if (len < 0 || len > der_len || len_len > der_len)
+ if (len <= 0 || len + len_len > der_len)
 return ASN1_DER_ERROR;
 val1 = der[len_len] / 40;
@@ -762,7 +764,7 @@ _asn1_get_indefinite_length_string (cons
 while (1)
 {
- if ((*len) < counter)
+ if (counter+1 >= *len)
 return ASN1_DER_ERROR;
 if ((der[counter] == 0) && (der[counter + 1] == 0))
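Review bot: The new bound `punt < der_len` in asn1_get_tag_der lets the loop exit with `punt == der_len` when every remaining byte has the continuation bit set, so the code that reads the final tag byte after the loop must reject that case first. The loop body and everything after it are outside this hunk, so please confirm that a guard such as `if (punt >= der_len) return ASN1_DER_ERROR;` precedes the next `der[punt]` access. A short comment on the loop, for example `/* der[der_len] is one past the input, so stop at der_len - 1 */`, would record why `<=` was wrong.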
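Review bot: In _asn1_get_time_der the `memcpy (str, der + len_len, str_len)` is still not bounded by `der_len`, unlike the _asn1_get_objectid_der hunk of this same patch, which checks `len + len_len > der_len`. Unless asn1_get_length_der already guarantees that the content fits in the input (not visible here), the guard should read `if (str_len <= 0 || str_size < str_len || str_len > der_len - len_len)`. Separately, `str_size < str_len` admits `str_len == str_size`, after which `str[str_len] = 0` writes index `str_size`. That is only safe if callers pass the buffer size minus one, which is worth stating in a comment on the `str_size` parameter.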
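Review bot: The sum in `len + len_len > der_len` in _asn1_get_objectid_der can overflow when the decoded `len` is close to the maximum of its type. If these are signed `int`s (the declarations are outside the hunk), that is undefined behaviour rather than a clean rejection, and it happens before the `der[len_len]` read that the check is meant to protect. Comparing by subtraction avoids the problem: `if (len <= 0 || len_len > der_len || len > der_len - len_len)`.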
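Review bot: The guard `counter+1 >= *len` in _asn1_get_indefinite_length_string now requires two readable bytes before the end-of-contents test, but no comment says so, and its spacing differs from `der[counter + 1]` two lines below. I would write it as `if (counter + 1 >= *len)` with a comment such as `/* the end-of-contents check below reads der[counter] and der[counter + 1] */`. The loop body continues past the hunk, so whether `counter` stays within `*len` after each nested element is skipped cannot be judged from here.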