diff --git a/CHANGES b/CHANGES
index 04619a6c37..33efb23ab0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
-1464.	[bug]		Preserve "out of zone" data for outgoing zone 
+1465.	[bug]		isc_base64_decodestring() and isc_base64_tobuffer()
+			failed to check that trailing bits were zero allowing
+			some invalid base64 strings to be accepted.  [RT #5397]
+
+1464.	[bug]		Preserve "out of zone" data for outgoing zone
 			transfers. [RT #5192]
 
 1463.	[bug]		dns_rdata_from{wire,struct}() failed to catch bad
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
index 183e822fe1..a35c719e46 100644
--- a/lib/isc/base64.c
+++ b/lib/isc/base64.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.23 2001/03/22 00:07:04 bwelling Exp $ */
+/* $Id: base64.c,v 1.23.2.1 2003/05/15 06:34:24 marka Exp $ */
 
 #include <config.h>
 
@@ -126,6 +126,17 @@ base64_decode_char(base64_decode_ctx_t *ctx, int c) {
 			return (ISC_R_BADBASE64);
 		if (ctx->val[2] == 64 && ctx->val[3] != 64)
 			return (ISC_R_BADBASE64);
+		/*
+		 * Check that bits that should be zero are.
+		 */
+		if (ctx->val[2] == 64 && (ctx->val[1] & 0xf) != 0)
+			return (ISC_R_BADBASE64);
+		/*
+		 * We don't need to test for ctx->val[2] != 64 as
+		 * the bottom two bits of 64 are zero.
+		 */
+		if (ctx->val[3] == 64 && (ctx->val[2] & 0x3) != 0)
+			return (ISC_R_BADBASE64);
 		n = (ctx->val[2] == 64) ? 1 :
 			(ctx->val[3] == 64) ? 2 : 3;
 		if (n != 3) {