Index: test/regress.c
===================================================================
--- test/regress.c	(revision 352)
+++ test/regress.c	(working copy)
@@ -605,6 +605,59 @@
 }
 
 void
+test_evbuffer_find(void)
+{
+	u_char* p;
+	char* test1 = "1234567890\r\n";
+	char* test2 = "1234567890\r";
+#define EVBUFFER_INITIAL_LENGTH 256
+	char test3[EVBUFFER_INITIAL_LENGTH];
+	unsigned int i;
+	struct evbuffer * buf = evbuffer_new();
+
+	/* make sure evbuffer_find doesn't match past the end of the buffer */
+	fprintf(stdout, "Testing evbuffer_find 1: ");
+	evbuffer_add(buf, (u_char*)test1, strlen(test1));
+	evbuffer_drain(buf, strlen(test1));	  
+	evbuffer_add(buf, (u_char*)test2, strlen(test2));
+	p = evbuffer_find(buf, (u_char*)"\r\n", 2);
+	if (p == NULL) {
+		fprintf(stdout, "OK\n");
+	} else {
+		fprintf(stdout, "FAILED\n");
+		exit(1);
+	}
+
+	/* drain the buffer and do another find; in r309 this would read past
+	   the allocated buffer causing a valgrind error */
+	fprintf(stdout, "Testing evbuffer_find 2: ");
+	evbuffer_drain(buf, strlen(test2));
+	for (i=0; i<EVBUFFER_INITIAL_LENGTH; ++i)
+		test3[i] = 'a';
+	test3[EVBUFFER_INITIAL_LENGTH-1] = 'x';
+	evbuffer_add(buf, (u_char*)test3, EVBUFFER_INITIAL_LENGTH);
+	p = evbuffer_find(buf, (u_char*)"xy", 2);
+	if (p == NULL) {
+		printf("OK\n");
+	} else {
+		fprintf(stdout, "FAILED\n");
+		exit(1);
+	}
+
+	/* simple test for match at end of allocated buffer */
+	fprintf(stdout, "Testing evbuffer_find 3: ");
+	p = evbuffer_find(buf, (u_char*)"ax", 2);
+	if (p != NULL && strncmp(p, "ax", 2) == 0) {
+		printf("OK\n");
+	} else {
+		fprintf(stdout, "FAILED\n");
+		exit(1);
+	}
+
+	evbuffer_free(buf);
+}
+
+void
 readcb(struct bufferevent *bev, void *arg)
 {
 	if (EVBUFFER_LENGTH(bev->input) == 8333) {
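Review bot: Test 2 cannot fail on its own: as its comment says, the old over-read showed up only as a valgrind error, so without valgrind or a sanitizer the `p == NULL` check most likely prints OK on unfixed code too. The comment should say so, e.g. `/* only detects the over-read when run under valgrind/ASan */`. It should also note that `EVBUFFER_INITIAL_LENGTH 256` is a local copy, which presumably has to match the initial allocation size in buffer.c for the data to end exactly at the allocation boundary. In test 3, `strncmp(p, "ax", 2)` passes a `u_char *` where `const char *` is expected and treats buffer bytes as a C string; `memcmp(p, "ax", 2) == 0` is the matching call. The `#define` inside the function body also stays defined for the rest of the file unless it is followed by `#undef EVBUFFER_INITIAL_LENGTH`.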
@@ -1012,6 +1065,7 @@
 	test_loopexit();
 
 	test_evbuffer();
+	test_evbuffer_find();
 	
 	test_bufferevent();
 
Index: buffer.c
===================================================================
--- buffer.c	(revision 352)
+++ buffer.c	(working copy)
@@ -435,13 +435,14 @@
 	u_char *search = buffer->buffer;
 	u_char *p;
 
-	while ((p = memchr(search, *what, remain)) != NULL) {
-		remain = buffer->off - (size_t)(search - buffer->buffer);
+	while (remain && (p = (u_char*)memchr(search, *what, remain)) != NULL) {
+		remain = buffer->off - (size_t)(p - buffer->buffer);
 		if (remain < len)
 			break;
 		if (memcmp(p, what, len) == 0)
 			return (p);
 		search = p + 1;
+		remain--;
 	}
 
 	return (NULL);
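Review bot: The loop's bound now rests on an invariant that is not written down: at every `memchr` call `remain` must equal the number of valid bytes between `search` and `buffer->buffer + buffer->off`, which the recompute from `p` followed by `remain--` after `search = p + 1` maintains. A comment above the loop such as `/* remain: valid bytes from search up to buffer->buffer + buffer->off; never scan past it */` would help keep a later edit from reintroducing the over-read. Separately, `*what` is read before `len` is examined, so a call with `len == 0` would read one byte of the needle and could return a zero-length match. Whether that case is guarded is not visible, because the function's head and the initial value of `remain` lie outside the hunk. The `(u_char*)` cast on the `memchr` result is not needed in C.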
