diff --git a/CHANGES b/CHANGES
index dc999d25bf..27853ea18e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1465.	[bug]		isc_base64_decodestring() and isc_base64_tobuffer()
+			failed to check that trailing bits were zero allowing
+			some invalid base64 strings to be accepted.  [RT #5397]
+
 1464.	[bug]		Preserve "out of zone" data for outgoing zone 
 			transfers. [RT #5192]
 
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
index 7b0f591434..131b2831ae 100644
--- a/lib/isc/base64.c
+++ b/lib/isc/base64.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.25 2001/11/27 01:55:53 gson Exp $ */
+/* $Id: base64.c,v 1.26 2003/04/17 06:04:13 marka Exp $ */
 
 #include <config.h>
 
@@ -126,6 +126,17 @@ base64_decode_char(base64_decode_ctx_t *ctx, int c) {
 			return (ISC_R_BADBASE64);
 		if (ctx->val[2] == 64 && ctx->val[3] != 64)
 			return (ISC_R_BADBASE64);
+		/*
+		 * Check that bits that should be zero are.
+		 */
+		if (ctx->val[2] == 64 && (ctx->val[1] & 0xf) != 0)
+			return (ISC_R_BADBASE64);
+		/*
+		 * We don't need to test for ctx->val[2] != 64 as
+		 * the bottom two bits of 64 are zero.
+		 */
+		if (ctx->val[3] == 64 && (ctx->val[2] & 0x3) != 0)
+			return (ISC_R_BADBASE64);
 		n = (ctx->val[2] == 64) ? 1 :
 			(ctx->val[3] == 64) ? 2 : 3;
 		if (n != 3) {