diff --git a/dlls/crypt32/decode.c b/dlls/crypt32/decode.c
index 02f700e1312..084b1494425 100644
--- a/dlls/crypt32/decode.c
+++ b/dlls/crypt32/decode.c
@@ -5163,6 +5163,41 @@ static BOOL CRYPT_AsnDecodeSubtree(const BYTE *pbEncoded,
     return ret;
 }
 
+static BOOL CRYPT_AsnDecodePermittedSubtree(const BYTE *pbEncoded,
+ DWORD cbEncoded, DWORD dwFlags, void *pvStructInfo, DWORD *pcbStructInfo,
+ DWORD *pcbDecoded)
+{
+    BOOL ret = TRUE;
+    struct AsnArrayDescriptor arrayDesc = { 0,
+     CRYPT_AsnDecodeSubtree, sizeof(CERT_GENERAL_SUBTREE), TRUE,
+     offsetof(CERT_GENERAL_SUBTREE, Base.u.pwszURL) };
+    DWORD bytesNeeded;
+
+    TRACE("%p, %d, %08x, %p, %d, %p\n", pbEncoded, cbEncoded, dwFlags,
+     pvStructInfo, *pcbStructInfo, pcbDecoded);
+
+    if ((ret = CRYPT_AsnDecodeArrayNoAlloc(&arrayDesc, pbEncoded, cbEncoded,
+     NULL, NULL, &bytesNeeded, pcbDecoded)))
+    {
+        bytesNeeded += MEMBERSIZE(CERT_NAME_CONSTRAINTS_INFO,
+         cPermittedSubtree, cExcludedSubtree);
+        if (!pvStructInfo)
+            *pcbStructInfo = bytesNeeded;
+        else if ((ret = CRYPT_DecodeEnsureSpace(0, NULL, pvStructInfo,
+         pcbStructInfo, bytesNeeded)))
+        {
+            CERT_NAME_CONSTRAINTS_INFO *info = (CERT_NAME_CONSTRAINTS_INFO *)
+             ((BYTE *)pvStructInfo -
+             offsetof(CERT_NAME_CONSTRAINTS_INFO, cPermittedSubtree));
+
+            ret = CRYPT_AsnDecodeArrayNoAlloc(&arrayDesc, pbEncoded, cbEncoded,
+             &info->cPermittedSubtree, info->rgPermittedSubtree, &bytesNeeded,
+             pcbDecoded);
+        }
+    }
+    return ret;
+}
+
 static BOOL CRYPT_AsnDecodeSubtreeArray(const BYTE *pbEncoded,
  DWORD cbEncoded, DWORD dwFlags, void *pvStructInfo, DWORD *pcbStructInfo,
  DWORD *pcbDecoded)
@@ -5197,7 +5232,9 @@ static BOOL WINAPI CRYPT_AsnDecodeNameConstraints(DWORD dwCertEncodingType,
         struct AsnDecodeSequenceItem items[] = {
          { ASN_CONTEXT | ASN_CONSTRUCTOR | 0,
            offsetof(CERT_NAME_CONSTRAINTS_INFO, cPermittedSubtree),
-           CRYPT_AsnDecodeSubtreeArray, sizeof(struct GenericArray), TRUE, TRUE,
+           CRYPT_AsnDecodePermittedSubtree,
+           MEMBERSIZE(CERT_NAME_CONSTRAINTS_INFO, cPermittedSubtree,
+           cExcludedSubtree), TRUE, TRUE,
            offsetof(CERT_NAME_CONSTRAINTS_INFO, rgPermittedSubtree), 0 },
          { ASN_CONTEXT | ASN_CONSTRUCTOR | 1,
            offsetof(CERT_NAME_CONSTRAINTS_INFO, cExcludedSubtree),