--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1296,7 +1296,7 @@
 	 packet checked to be as long as rdlen implies in prove_non_existence() */
       
       /* check that the first typemap is complete. */
-      if (rdlen < 2 || rdlen < p[1] + 2)
+      if (rdlen < 2 || p[1] == 0 || p[1] > 32 || rdlen < p[1] + 2)
 	return DNSSEC_FAIL_BADPACKET;
 
       /* RFC 6672 5.3.4.1. */
@@ -1336,7 +1336,7 @@
 	  
 	  while (rdlen > 0)
 	    {
-	      if (rdlen < 2 || rdlen < p[1] + 2)
+	      if (rdlen < 2 || p[1] == 0 || p[1] > 32 || rdlen < p[1] + 2)
 		return DNSSEC_FAIL_BADPACKET;
 	      
 	      if (p[0] == type >> 8)
@@ -1348,8 +1348,8 @@
 		  break; /* finished checking */
 		}
 	      
-	      rdlen -= p[1];
-	      p +=  p[1];
+	      rdlen -= p[1] + 2;
+	      p +=  p[1] + 2;
 	    }
 	  
 	  return 0;
@@ -1480,7 +1480,7 @@
 		rdlen -= p - psave;
 
 		/* check that the first typemap is complete. */
-		if (rdlen < 2 || rdlen < p[1] + 2)
+		if (rdlen < 2 || p[1] == 0 || p[1] > 32 || rdlen < p[1] + 2)
 		  return DNSSEC_FAIL_BADPACKET;
 		
 		if (p[0] == 0 && p[1] >= 1)
@@ -1503,7 +1503,7 @@
 
 		while (rdlen > 0)
 		  {
-		    if (rdlen < 2 || rdlen < p[1] + 2)
+		    if (rdlen < 2 || p[1] == 0 || p[1] > 32 || rdlen < p[1] + 2)
 		      return DNSSEC_FAIL_BADPACKET;
 
 		    if (p[0] == type >> 8)
@@ -1515,8 +1515,8 @@
 			break; /* finished checking */
 		      }
 		    
-		    rdlen -= p[1];
-		    p +=  p[1];
+		    rdlen -= p[1] + 2;
+		    p +=  p[1] + 2;
 		  }
 		
 		return 1;