diff --git a/docs/manual/mod/core.html.en b/docs/manual/mod/core.html.en

index 20d1e5a..e1ec8d0 100644

--- a/docs/manual/mod/core.html.en

+++ b/docs/manual/mod/core.html.en

@@ -2935,12 +2935,19 @@ from the client

 Status:Core

 Module:core

-    
Limit (in bytes) on maximum size of an XML-based request

-    body. A value of 0 will disable any checking.

+    
Limit (in bytes) on the maximum size of an XML-based request

+    body. A value of 0 will apply a hard limit (depending on

+    32bit vs 64bit system) allowing for XML escaping within the bounds of

+    the system addressable memory, but it exists for compatibility only

+    and is not recommended since it does not account for memory consumed

+    elsewhere or concurrent requests, which might result in an overall

+    system out-of-memory.

+    

     
Example:

-    
LimitXMLRequestBody 0

+    
# Limit of 1 MiB

+    LimitXMLRequestBody 1073741824

diff --git a/server/core.c b/server/core.c

index e32613d..8abfa65 100644

--- a/server/core.c

+++ b/server/core.c

@@ -70,6 +70,8 @@

 /* LimitXMLRequestBody handling */

 #define AP_LIMIT_UNSET                  ((long) -1)

 #define AP_DEFAULT_LIMIT_XML_BODY       ((apr_size_t)1000000)

+/* Hard limit for ap_escape_html2() */

+#define AP_MAX_LIMIT_XML_BODY           ((apr_size_t)(APR_SIZE_MAX / 6 - 1))

 #define AP_MIN_SENDFILE_BYTES           (256)

@@ -3689,6 +3691,11 @@ static const char *set_limit_xml_req_body(cmd_parms *cmd, void *conf_,

     if (conf->limit_xml_body < 0)

         return "LimitXMLRequestBody requires a non-negative integer.";

+    /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */

+    if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)

+        return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "

+                            "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);

+

     return NULL;

 }

@@ -3777,6 +3784,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_body(const request_rec *r)

     conf = ap_get_core_module_config(r->per_dir_config);

     if (conf->limit_xml_body == AP_LIMIT_UNSET)

         return AP_DEFAULT_LIMIT_XML_BODY;

+    if (conf->limit_xml_body == 0)

+        return AP_MAX_LIMIT_XML_BODY;

     return (apr_size_t)conf->limit_xml_body;

 }

diff --git a/server/util.c b/server/util.c

index 2a5dd04..eefdafa 100644

--- a/server/util.c

+++ b/server/util.c

@@ -2037,11 +2037,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(apr_pool_t *p, const char *buffer)

 AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)

 {

-    int i, j;

+    apr_size_t i, j;

     char *x;

     /* first, count the number of extra characters */

-    for (i = 0, j = 0; s[i] != '\0'; i++)

+    for (i = 0, j = 0; s[i] != '\0'; i++) {

+        if (i + j > APR_SIZE_MAX - 6) {

+            abort();

+        }

         if (s[i] == '<' || s[i] == '>')

             j += 3;

         else if (s[i] == '&')

@@ -2050,6 +2053,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)

             j += 5;

         else if (toasc && !apr_isascii(s[i]))

             j += 5;

+    }

     if (j == 0)

         return apr_pstrmemdup(p, s, i);

diff --git a/server/util_xml.c b/server/util_xml.c

index 4845194..22806fa 100644

--- a/server/util_xml.c

+++ b/server/util_xml.c

@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(request_rec * r, apr_xml_doc **pdoc)

             }

             total_read += len;

-            if (limit_xml_body && total_read > limit_xml_body) {

+            if (total_read > limit_xml_body) {

                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)

                               "XML request body is larger than the configured "

                               "limit of %lu", (unsigned long)limit_xml_body);