--- lighttpd-1.5/src/mod_proxy_backend_http.c	2009-12-31 17:30:11.000000000 +0800
+++ patch/src/mod_proxy_backend_http.c	2010-01-02 15:07:49.000000000 +0800
@@ -144,13 +144,17 @@
 				in->bytes_out += (offset - c->offset);
 				c->offset = offset;
 			}
+
+			if (offset >= (int)c->mem->used - 1)
+			{
+				break;
+			}
+
 			if (!(ch == ' ' || ch == '\r' || ch == ';')) {
-				if (ch == '\0') {
-					/* get next chunk from queue */
-					break;
-				}
 				/* protocol error.  bad http-chunk len */
-				return HANDLER_ERROR;
+				ERROR("bad http-chunk len, invalid char[%x]", ch);
+				sess->recv->is_closed = 1;
+				return HANDLER_FINISHED;
 			}
 			data->chunk_len = strtol(BUF_STR(data->buf), &err, 16);
 			data->chunk_offset = 0;
@@ -205,7 +209,7 @@
 				c->offset++;
 				in->bytes_out++;
 			}
-			if(ch != '\n') {
+			if(c->mem->used > 0 && ch != '\n') {
 				/* get next chunk from queue */
 				break;
 			}
@@ -217,7 +221,7 @@
 			protocol_state_data_reset(data);
 			break;
 		}
-		if((size_t)(c->offset) == c->mem->used - 1) {
+		if(c->mem->used > 0 && (size_t)(c->offset) == c->mem->used - 1) {
 			c = c->next;
 		}
 	}