diff --git a/libraries/liblunicode/ucstr.c b/libraries/liblunicode/ucstr.c
index 1c0b0b8009..1a84938739 100644
--- a/libraries/liblunicode/ucstr.c
+++ b/libraries/liblunicode/ucstr.c
@@ -173,7 +173,7 @@ char * UTF8normalize(
 		/* s[i] is non-ascii */
 		/* convert everything up to next ascii to ucs-4 */
 		while ( i < len ) {
-			clen = LDAP_UTF8_CHARLEN( s + i );
+			clen = LDAP_UTF8_CHARLEN2( s + i, clen );
 			if ( clen == 0 ) {
 				free( ucs );
 				free( out );
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index bf1484603d..85992cfd0a 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -471,28 +471,28 @@ UTF8StringValidate(
 
 	for( count = in->bv_len; count > 0; count-=len, u+=len ) {
 		/* get the length indicated by the first byte */
-		len = LDAP_UTF8_CHARLEN( u );
+		len = LDAP_UTF8_CHARLEN2( u, len );
 
 		/* very basic checks */
 		switch( len ) {
 			case 6:
-				if( u[5] >= 0xFE ) {
+				if( (u[5] & 0xC0) != 0x80 ) {
 					return LDAP_INVALID_SYNTAX;
 				}
 			case 5:
-				if( u[4] >= 0xFE ) {
+				if( (u[4] & 0xC0) != 0x80 ) {
 					return LDAP_INVALID_SYNTAX;
 				}
 			case 4:
-				if( u[3] >= 0xFE ) {
+				if( (u[3] & 0xC0) != 0x80 ) {
 					return LDAP_INVALID_SYNTAX;
 				}
 			case 3:
-				if( u[2] >= 0xFE ) {
+				if( (u[2] & 0xC0 )!= 0x80 ) {
 					return LDAP_INVALID_SYNTAX;
 				}
 			case 2:
-				if( u[1] >= 0xFE ) {
+				if( (u[1] & 0xC0) != 0x80 ) {
 					return LDAP_INVALID_SYNTAX;
 				}
 			case 1: