1diff --git a/server/apreq_parser_header.c b/server/apreq_parser_header.c 2index 19588be..7067e58 100644 3--- a/server/apreq_parser_header.c 4+++ b/server/apreq_parser_header.c 5@@ -89,7 +89,7 @@ static apr_status_t split_header_line(apreq_param_t **p, 6 if (s != APR_SUCCESS) 7 return s; 8 9- assert(nlen >= len); 10+ if (!(nlen >= len)) { return APR_EBADARG; } assert(nlen >= len); 11 end->iov_len = len; 12 nlen -= len; 13 14@@ -103,13 +103,13 @@ static apr_status_t split_header_line(apreq_param_t **p, 15 if (s != APR_SUCCESS) 16 return s; 17 18- assert(glen >= dlen); 19+ if (!(glen >= dlen)) { return APR_EBADARG; } assert(glen >= dlen); 20 glen -= dlen; 21 e = APR_BUCKET_NEXT(e); 22 } 23 24 /* copy value */ 25- assert(vlen > 0); 26+ if (!(vlen > 0)) { return APR_EBADARG; } assert(vlen > 0); 27 dest = v->data; 28 while (vlen > 0) { 29 30@@ -119,12 +119,12 @@ static apr_status_t split_header_line(apreq_param_t **p, 31 32 memcpy(dest, data, dlen); 33 dest += dlen; 34- assert(vlen >= dlen); 35+ if (!(vlen >= dlen)) { return APR_EBADARG; } assert(vlen >= dlen); 36 vlen -= dlen; 37 e = APR_BUCKET_NEXT(e); 38 } 39 40- assert(dest[-1] == '\n'); 41+ if (!(dest[-1] == '\n')) { return APR_EBADARG; } assert(dest[-1] == '\n'); 42 43 if (dest[-2] == '\r') 44 --dest; 45