diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c
index ba8475cc5..b0ec13989 100644
--- a/apache2/persist_dbm.c
+++ b/apache2/persist_dbm.c
@@ -61,7 +61,10 @@ static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob
 }
 blob_offset += 2;
 
- if (blob_offset + var->name_len > blob_size) return NULL;
+ /* Need name_len bytes for the name body plus 2 more for the value_len header.
+ * name_len == 0 is already handled by the early break above, so no zero-check
+ * is required at this point. */
+ if (blob_offset + var->name_len + 2 > blob_size) return NULL;
 var->name = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->name_len - 1);
 blob_offset += var->name_len;
 var->name_len--;
@@ -69,7 +72,7 @@ static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob
 var->value_len = (blob[blob_offset] << 8) + blob[blob_offset + 1];
 blob_offset += 2;
 
- if (blob_offset + var->value_len > blob_size) return NULL;
+ if (var->value_len < 1 || blob_offset + var->value_len > blob_size) return NULL;
 var->value = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->value_len - 1);
 blob_offset += var->value_len;
 var->value_len--;
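Review bot: The new `var->value_len < 1` guard in the second hunk carries no explanation, while the matching name check in the first hunk got a three-line comment, so a reader will not see why a one-byte minimum is required here. The reason is the `var->value_len - 1` passed to apr_pstrmemdup on the next line: the packed value evidently includes its terminating NUL, and if `value_len` is unsigned (its construction from two bytes suggests so, but the declaration is not in the hunk) a zero would wrap to a huge copy length. I would mirror the `name_len == 0` early break and write `if (var->value_len == 0 || blob_offset + var->value_len > blob_size) return NULL;` preceded by `/* value_len counts the NUL terminator, so 0 is malformed and value_len - 1 below would wrap */`. Both hunks are inside a loop of collection_unpack that starts and ends outside the diff, so the loop condition that bounds the next name_len header read after `blob_offset += var->value_len;` cannot be checked here.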