diff --git a/fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856 b/fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856
new file mode 100644
index 00000000..c279a765
--- /dev/null
+++ b/fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856
@@ -0,0 +1 @@
+#/*url( */ url()
\ No newline at end of file
diff --git a/src/css-url.c b/src/css-url.c
index 9c851bd3..c4f77613 100644
--- a/src/css-url.c
+++ b/src/css-url.c
@@ -83,8 +83,9 @@ get_uri_string (const char *at, int *pos, int *length)
 *pos += 4;
 *length -= 5; /* url() */
+
 /* skip leading space */
- while (isspace (at[*pos]))
+ while (*length > 0 && isspace (at[*pos]))
 {
 (*pos)++;
 if (--(*length) == 0)
@@ -92,17 +93,21 @@ get_uri_string (const char *at, int *pos, int *length)
 }
 /* skip trailing space */
- while (isspace (at[*pos + *length - 1]))
+ while (*length > 0 && isspace (at[*pos + *length - 1]))
 {
 (*length)--;
 }
+
 /* trim off quotes */
- if (at[*pos] == '\'' || at[*pos] == '"')
+ if (*length >= 2 && (at[*pos] == '\'' || at[*pos] == '"'))
 {
 (*pos)++;
 *length -= 2;
 }
+
+ if (*length <= 0)
+ return NULL;
+
 return xstrndup (at + *pos, *length);
 }
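Review bot: The rewritten loop condition `while (*length > 0 && isspace (at[*pos]))` still hands a plain `char` to `isspace`; `at` is `const char *`, so a byte above 0x7F is a negative value on platforms with signed `char`, which `<ctype.h>` leaves undefined, and this buffer is the same fuzzer- and network-controlled CSS the repro file exercises. Cast the byte first: `while (*length > 0 && isspace ((unsigned char) at[*pos]))`. The trailing-space loop in the second hunk of this file, `isspace (at[*pos + *length - 1])`, has the same issue and wants the same cast. `get_uri_string` begins before this hunk, so whatever validates `*length` before the `*length -= 5` adjustment is not visible here.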
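Review bot: The new `*length >= 2` guard on the quote check keeps the length arithmetic non-negative, but the trim still drops the last byte without confirming it is the matching closing quote, so a token whose content is `'abc` (opening quote, no closing one) comes out as `ab` rather than being left alone or rejected. Extending the condition to `if (*length >= 2 && (at[*pos] == '\'' || at[*pos] == '"') && at[*pos + *length - 1] == at[*pos])` limits the trim to paired quotes; whether an unpaired quote should then fall through to `xstrndup` or hit the new `return NULL` is a policy choice that deserves a one-line comment at the `/* trim off quotes */` marker. The `if (*length <= 0) return NULL;` added before `xstrndup` correctly covers the case where `*length -= 5` went negative for a token shorter than `url()`, which is presumably the repro's trigger. The function starts before this hunk.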