diff -up memcached-1.4.15/items.c.CVE-2016-8704_8705_8706 memcached-1.4.15/items.c
--- memcached-1.4.15/items.c.CVE-2016-8704_8705_8706 2016-11-07 11:14:13.099196427 +0100
+++ memcached-1.4.15/items.c 2016-11-07 11:14:13.104196443 +0100
@@ -91,6 +91,9 @@ item *do_item_alloc(char *key, const siz
 uint8_t nsuffix;
 item *it = NULL;
 char suffix[40];
+ if (nbytes < 2 || nkey < 0)
+ return 0;
+
 size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, &nsuffix);
 if (settings.use_cas) {
 ntotal += sizeof(uint64_t);
diff -up memcached-1.4.15/memcached.c.CVE-2016-8704_8705_8706 memcached-1.4.15/memcached.c
--- memcached-1.4.15/memcached.c.CVE-2016-8704_8705_8706 2016-11-07 11:14:13.103196439 +0100
+++ memcached-1.4.15/memcached.c 2016-11-07 11:14:13.105196446 +0100
@@ -1790,10 +1790,16 @@ static bool authenticated(conn *c) {
 static void dispatch_bin_command(conn *c) {
 int protocol_error = 0;
- int extlen = c->binary_header.request.extlen;
- int keylen = c->binary_header.request.keylen;
+ uint8_t extlen = c->binary_header.request.extlen;
+ uint16_t keylen = c->binary_header.request.keylen;
 uint32_t bodylen = c->binary_header.request.bodylen;
+ if (keylen > bodylen || keylen + extlen > bodylen) {
+ write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, 0);
+ c->write_and_go = conn_closing;
+ return;
+ }
+
 if (settings.sasl && !authenticated(c)) {
 write_bin_error(c, PROTOCOL_BINARY_RESPONSE_AUTH_ERROR, 0);
 c->write_and_go = conn_closing;
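Review bot: In the items.c hunk, the `nkey < 0` half of the new guard in do_item_alloc looks like dead code: the truncated hunk header shows the parameter as `const siz…`, presumably `const size_t nkey`, and an unsigned value is never negative, so only `nbytes < 2` can actually reject a request. If a key-length bound is wanted at this layer (and callers do not already enforce it), compare against the project's maximum, e.g. `if (nbytes < 2 || nkey > KEY_MAX_LENGTH)`; otherwise drop the comparison so the guard does not suggest protection it does not give. The function returns `item *`, so `return NULL;` reads better than `return 0;`, and a short comment such as `/* nbytes must cover at least the trailing "\r\n"; reject negative or undersized values before sizing the item */` would record why 2 is the floor (my reading of the constant; please confirm). The body of do_item_alloc continues outside the hunk.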
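Review bot: In the memcached.c hunk, the new length check in dispatch_bin_command closes the connection without leaving any trace in the visible lines, and it answers with `PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND`, which a client presumably also receives for an unsupported opcode, so an operator cannot tell malformed-header traffic from a plain version mismatch. Consider a verbose-gated log line before the `return`, e.g. `if (settings.verbose) fprintf(stderr, "%d: keylen/extlen exceed bodylen, closing\n", c->sfd);`, and a comment stating the invariant, e.g. `/* bodylen must cover extras + key; later length arithmetic relies on this */`. The first comparison is redundant: both operands are promoted to int, so `keylen + extlen > bodylen` already covers every case where `keylen > bodylen`, and keeping only the sum makes the condition easier to audit. The function continues outside the hunk, so I cannot see whether the header fields are already in host byte order when they are read here.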