diff --git a/NEWS b/NEWS
index d92a0c29..5473b693 100644
--- a/NEWS
+++ b/NEWS
@@ -304,6 +304,8 @@ To be released as 0.11.4.
 * critical bugs 613, 714, 961: ``assertion list_empty(form_controls)
   failed''
 * critical bug 945: don't crash if a Lua script calls e.g. error(nil)
+* critical bug 1001: don't crash if a smart URI rewrite template gets
+  too few parameters
 * major bug 956: don't reuse pointers to SpiderMonkey objects that may
   have been collected as garbage.  This fix causes bug 954.
 * CVE-2007-2027: check if the program path contains "src/" before
diff --git a/src/protocol/rewrite/rewrite.c b/src/protocol/rewrite/rewrite.c
index 15f74a63..17f238d6 100644
--- a/src/protocol/rewrite/rewrite.c
+++ b/src/protocol/rewrite/rewrite.c
@@ -289,7 +289,7 @@ rewrite_uri(unsigned char *url, struct uri *current_uri, unsigned char *arg)
 			case '8':
 			case '9':
 				value = *url - '0';
-				if (value > argc) break;
+				if (value >= argc) break;
 				encode_uri_string(&n, args[value],
 						  argslen[value], 1);
 				break;