diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c

--- a/lib/util/secasn1d.c

+++ b/lib/util/secasn1d.c

@@ -946,31 +946,116 @@ sec_asn1d_parse_more_length (sec_asn1d_s

     }

     if (state->pending == 0)

 	state->place = afterLength;

     return count;

 }

+/*

+ * Helper function for sec_asn1d_prepare_for_contents.

+ * Checks that a value representing a number of bytes consumed can be

+ * subtracted from a remaining length. If so, returns PR_TRUE.

+ * Otherwise, sets the error SEC_ERROR_BAD_DER, indicates that there was a

+ * decoding error in the given SEC_ASN1DecoderContext, and returns PR_FALSE.

+ */

+static PRBool

+sec_asn1d_check_and_subtract_length (unsigned long *remaining,

+                                     unsigned long consumed,

+                                     SEC_ASN1DecoderContext *cx)

+{

+    PORT_Assert(remaining);

+    PORT_Assert(cx);

+    if (!remaining || !cx) {

+        PORT_SetError (SEC_ERROR_INVALID_ARGS);

+        cx->status = decodeError;

+        return PR_FALSE;

+    }

+    if (*remaining < consumed) {

+        PORT_SetError (SEC_ERROR_BAD_DER);

+        cx->status = decodeError;

+        return PR_FALSE;

+    }

+    *remaining -= consumed;

+    return PR_TRUE;

+}

 static void

 sec_asn1d_prepare_for_contents (sec_asn1d_state *state)

 {

     SECItem *item;

     PLArenaPool *poolp;

     unsigned long alloc_len;

+    sec_asn1d_state *parent;

 #ifdef DEBUG_ASN1D_STATES

     {

         printf("Found Length %d %s\n", state->contents_length,

                state->indefinite ? "indefinite" : "");

     }

 #endif

+    /**

+     * The maximum length for a child element should be constrained to the

+     * length remaining in the first definite length element in the ancestor

+     * stack. If there is no definite length element in the ancestor stack,

+     * there's nothing to constrain the length of the child, so there's no

+     * further processing necessary.

+     *

+     * It's necessary to walk the ancestor stack, because it's possible to have

+     * definite length children that are part of an indefinite length element,

+     * which is itself part of an indefinite length element, and which is

+     * ultimately part of a definite length element. A simple example of this

+     * would be the handling of constructed OCTET STRINGs in BER encoding.

+     *

+     * This algorithm finds the first definite length element in the ancestor

+     * stack, if any, and if so, ensures that the length of the child element

+     * is consistent with the number of bytes remaining in the constraining

+     * ancestor element (that is, after accounting for any other sibling

+     * elements that may have been read).

+     *

+     * It's slightly complicated by the need to account both for integer

+     * underflow and overflow, as well as ensure that for indefinite length

+     * encodings, there's also enough space for the End-of-Contents (EOC)

+     * octets (Tag = 0x00, Length = 0x00, or two bytes).

+     */

+

+    /* Determine the maximum length available for this element by finding the

+     * first definite length ancestor, if any. */

+    parent = sec_asn1d_get_enclosing_construct(state);

+    while (parent && parent->indefinite) {

+        parent = sec_asn1d_get_enclosing_construct(parent);

+    }

+    /* If parent is null, state is either the outermost state / at the top of

+     * the stack, or the outermost state uses indefinite length encoding. In

+     * these cases, there's nothing external to constrain this element, so

+     * there's nothing to check. */

+    if (parent) {

+        unsigned long remaining = parent->pending;

+        parent = state;

+        do {

+            if (!sec_asn1d_check_and_subtract_length(

+                     &remaining, parent->consumed, state->top) ||

+                /* If parent->indefinite is true, parent->contents_length is

+                 * zero and this is a no-op. */

+                !sec_asn1d_check_and_subtract_length(

+                     &remaining, parent->contents_length, state->top) ||

+                /* If parent->indefinite is true, then ensure there is enough

+                 * space for an EOC tag of 2 bytes. */

+                (parent->indefinite && !sec_asn1d_check_and_subtract_length(

+                                            &remaining, 2, state->top))) {

+                /* This element is larger than its enclosing element, which is

+                 * invalid. */

+                return;

+            }

+        } while ((parent = sec_asn1d_get_enclosing_construct(parent)) &&

+                 parent->indefinite);

+    }

+

     /*

      * XXX I cannot decide if this allocation should exclude the case

      *     where state->endofcontents is true -- figure it out!

      */

     if (state->allocate) {

 	void *dest;

 	PORT_Assert (state->dest == NULL);

@@ -1002,31 +1087,16 @@ sec_asn1d_prepare_for_contents (sec_asn1

     }

     /*

      * Remember, length may be indefinite here!  In that case,

      * both contents_length and pending will be zero.

      */

     state->pending = state->contents_length;

-    /* If this item has definite length encoding, and 

-    ** is enclosed by a definite length constructed type,

-    ** make sure it isn't longer than the remaining space in that 

-    ** constructed type.  

-    */

-    if (state->contents_length > 0) {

-	sec_asn1d_state *parent = sec_asn1d_get_enclosing_construct(state);

-	if (parent && !parent->indefinite && 

-	    state->consumed + state->contents_length > parent->pending) {

-	    PORT_SetError (SEC_ERROR_BAD_DER);

-	    state->top->status = decodeError;

-	    return;

-	}

-    }

-

     /*

      * An EXPLICIT is nothing but an outer header, which we have

      * already parsed and accepted.  Now we need to do the inner

      * header and its contents.

      */

     if (state->explicit) {

 	state->place = afterExplicit;

 	state = sec_asn1d_push_state (state->top,

@@ -1715,20 +1785,117 @@ sec_asn1d_next_substring (sec_asn1d_stat

 	    state->top->status = decodeError;

 	    return;

 	}

 	state->pending -= child_consumed;

 	if (state->pending == 0)

 	    done = PR_TRUE;

     } else {

+	PRBool preallocatedString;

+	sec_asn1d_state *temp_state;

 	PORT_Assert (state->indefinite);

 	item = (SECItem *)(child->dest);

-	if (item != NULL && item->data != NULL) {

+

+	/**

+	 * At this point, there's three states at play:

+	 *   child: The element that was just parsed

+	 *   state: The currently processed element

+	 *   'parent' (aka state->parent): The enclosing construct

+	 *      of state, or NULL if this is the top-most element.

+	 *

+	 * This state handles both substrings of a constructed string AND

+	 * child elements of items whose template type was that of

+	 * SEC_ASN1_ANY, SEC_ASN1_SAVE, SEC_ASN1_ANY_CONTENTS, SEC_ASN1_SKIP

+	 * template, as described in sec_asn1d_prepare_for_contents. For

+	 * brevity, these will be referred to as 'string' and 'any' types.

+	 *

+	 * This leads to the following possibilities:

+	 *   1: This element is an indefinite length string, part of a

+	 *      definite length string.

+	 *   2: This element is an indefinite length string, part of an

+	 *      indefinite length string.

+	 *   3: This element is an indefinite length any, part of a

+	 *      definite length any.

+	 *   4: This element is an indefinite length any, part of an

+	 *      indefinite length any.

+	 *   5: This element is an indefinite length any and does not

+	 *      meet any of the above criteria. Note that this would include

+	 *      an indefinite length string type matching an indefinite

+	 *      length any template.

+	 *

+	 * In Cases #1 and #3, the definite length 'parent' element will

+	 * have allocated state->dest based on the parent elements definite

+	 * size. During the processing of 'child', sec_asn1d_parse_leaf will

+	 * have copied the (string, any) data directly into the offset of

+	 * dest, as appropriate, so there's no need for this class to still

+	 * store the child - it's already been processed.

+	 *

+	 * In Cases #2 and #4, dest will be set to the parent element's dest,

+	 * but dest->data will not have been allocated yet, due to the

+	 * indefinite length encoding. In this situation, it's necessary to

+	 * hold onto child (and all other children) until the EOC, at which

+	 * point, it becomes possible to compute 'state's overall length. Once

+	 * 'state' has a computed length, this can then be fed to 'parent' (via

+	 * this state), and then 'parent' can similarly compute the length of

+	 * all of its children up to the EOC, which will ultimately transit to

+	 * sec_asn1d_concat_substrings, determine the overall size needed,

+	 * allocate, and copy the contents (of all of parent's children, which

+	 * would include 'state', just as 'state' will have copied all of its

+	 * children via sec_asn1d_concat_substrings)

+	 *

+	 * The final case, Case #5, will manifest in that item->data and

+	 * item->len will be NULL/0, respectively, since this element was

+	 * indefinite-length encoded. In that case, both the tag and length will

+	 * already exist in state's subitems, via sec_asn1d_record_any_header,

+	 * and so the contents (aka 'child') should be added to that list of

+	 * items to concatenate in sec_asn1d_concat_substrings once the EOC

+	 * is encountered.

+	 *

+	 * To distinguish #2/#4 from #1/#3, it's sufficient to walk the ancestor

+	 * tree. If the current type is a string type, then the enclosing

+	 * construct will be that same type (#1/#2). If the current type is an

+	 * any type, then the enclosing construct is either an any type (#3/#4)

+	 * or some other type (#5). Since this is BER, this nesting relationship

+	 * between 'state' and 'parent' may go through several levels of

+	 * constructed encoding, so continue walking the ancestor chain until a

+	 * clear determination can be made.

+	 *

+	 * The variable preallocatedString is used to indicate Case #1/#3,

+	 * indicating an in-place copy has already occurred, and Cases #2, #4,

+	 * and #5 all have the same behaviour of adding a new substring.

+	 */

+	preallocatedString = PR_FALSE;

+	temp_state = state;

+	while (temp_state && item == temp_state->dest && temp_state->indefinite) {

+	    sec_asn1d_state *parent = sec_asn1d_get_enclosing_construct(temp_state);

+	    if (!parent || parent->underlying_kind != temp_state->underlying_kind) {

+	        /* Case #5 - Either this is a top-level construct or it is part

+	         * of some other element (e.g. a SEQUENCE), in which case, a

+	         * new item should be allocated. */

+	        break;

+	    }

+	    if (!parent->indefinite) {

+	        /* Cases #1 / #3 - A definite length ancestor exists, for which

+	         * this is a substring that has already copied into dest. */

+	        preallocatedString = PR_TRUE;

+	        break;

+	    }

+	    if (!parent->substring) {

+	        /* Cases #2 / #4 - If the parent is not a substring, but is

+	         * indefinite, then there's nothing further up that may have

+	         * preallocated dest, thus child will not have already

+		 * been copied in place, therefore it's necessary to save child

+		 * as a subitem. */

+	        break;

+	    }

+	    temp_state = parent;

+	}

+	if (item != NULL && item->data != NULL && !preallocatedString) {

 	    /*

 	     * Save the string away for later concatenation.

 	     */

 	    PORT_Assert (item->data != NULL);

 	    sec_asn1d_add_to_subitems (state, item->data, item->len, PR_FALSE);

 	    /*

 	     * Clear the child item for the next round.

 	     */