diff --git a/src/reader.rs b/src/reader.rs
index 94053a9a..ee340f2b 100644
--- a/src/reader.rs
+++ b/src/reader.rs
@@ -268,13 +268,16 @@ impl<B: BufRead> Reader<B> {
 
     /// reads `BytesElement` starting with a `!`,
     /// return `Comment`, `CData` or `DocType` event
+    ///
+    /// Note: depending on the start of the Event, we may need to read more 
+    /// data, thus we need a mutable buffer
     fn read_bang<'a, 'b>(
         &'a mut self,
         buf_start: usize,
         buf: &'b mut Vec<u8>,
     ) -> Result<Event<'b>> {
         let len = buf.len();
-        if len >= 3 && &buf[buf_start + 1..buf_start + 3] == b"--" {
+        if len >= buf_start + 3 && &buf[buf_start + 1..buf_start + 3] == b"--" {
             let mut len = buf.len();
             while len < 5 || &buf[len - 2..] != b"--" {
                 buf.push(b'>');
@@ -301,7 +304,7 @@ impl<B: BufRead> Reader<B> {
             Ok(Event::Comment(
                 BytesText::borrowed(&buf[buf_start + 3..len - 2]),
             ))
-        } else if len >= 8 {
+        } else if len >= buf_start + 8 {
             match &buf[buf_start + 1..buf_start + 8] {
                 b"[CDATA[" => {
                     let mut len = buf.len();
diff --git a/tests/test.rs b/tests/test.rs
index 5c1d0c12..3aaf4987 100644
--- a/tests/test.rs
+++ b/tests/test.rs
@@ -342,3 +342,20 @@ fn fuzz_53() {
         }
     }
 }
+
+#[test]
+fn test_issue94() {
+    let data = br#"<Run>
+<!B>
+</Run>"#;
+    let mut reader = Reader::from_reader(&data[..]);
+    reader.trim_text(true);
+    let mut buf = vec![];
+    loop {
+        match reader.read_event(&mut buf) {
+            Ok(quick_xml::events::Event::Eof) | Err(..) => break,
+            _ => buf.clear(),
+        }
+        buf.clear();
+    }
+}