diff --git a/dlls/crypt32/decode.c b/dlls/crypt32/decode.c
index 090ab59bc24..a16d89f8802 100644
--- a/dlls/crypt32/decode.c
+++ b/dlls/crypt32/decode.c
@@ -2990,7 +2990,13 @@ static BOOL CRYPT_AsnDecodeAltNameEntry(const BYTE *pbEncoded, DWORD cbEncoded,
         case 1: /* rfc822Name */
         case 2: /* dNSName */
         case 6: /* uniformResourceIdentifier */
-            bytesNeeded += (dataLen + 1) * sizeof(WCHAR);
+            if (memchr(pbEncoded + 1 + lenBytes, 0, dataLen))
+            {
+                SetLastError(CRYPT_E_ASN1_RULE);
+                ret = FALSE;
+            }
+            else
+                bytesNeeded += (dataLen + 1) * sizeof(WCHAR);
             break;
         case 4: /* directoryName */
         case 7: /* iPAddress */
diff --git a/dlls/crypt32/tests/encode.c b/dlls/crypt32/tests/encode.c
index 09402de4e70..a46022b7349 100644
--- a/dlls/crypt32/tests/encode.c
+++ b/dlls/crypt32/tests/encode.c
@@ -1691,7 +1691,6 @@ static void test_decodeAltName(DWORD dwEncoding)
     /* Fails on WinXP with CRYPT_E_ASN1_RULE.  I'm not too concerned about the
      * particular failure, just that it doesn't decode.
      */
-    todo_wine
     ok(!ret, "expected failure\n");
     /* An embedded bell character is allowed, however. */
     ret = pCryptDecodeObjectEx(dwEncoding, X509_ALTERNATE_NAME,
@@ -1715,7 +1714,6 @@ static void test_decodeAltName(DWORD dwEncoding)
     /* Again, fails on WinXP with CRYPT_E_ASN1_RULE.  I'm not too concerned
      * about the particular failure, just that it doesn't decode.
      */
-    todo_wine
     ok(!ret, "expected failure\n");
 }