diff --git a/src/document/html/internal.h b/src/document/html/internal.h
index a28aeb93..89a56df1 100644
--- a/src/document/html/internal.h
+++ b/src/document/html/internal.h
@@ -66,7 +66,8 @@ struct html_context {
* state-machine. */
int was_li;
- int quote_level; /* Nesting level of tags. */
+ unsigned int quote_level; /* Nesting level of tags. See @html_quote
+ * for why this is unsigned. */
unsigned int was_br:1;
unsigned int was_xmp:1;
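Review bot: The new comment on `quote_level` points the reader to @html_quote for the rationale, but the invariant the type change relies on belongs on the field itself, since every writer of the field must preserve it: switching to `unsigned int` makes overflow wrap instead of being undefined behaviour, which is only harmless if the counter is never decremented below zero (a decrement from 0 now wraps to UINT_MAX rather than going negative, and the `% 2` index would then silently flip). The general.c hunk states that html_quote_close refuses to decrement past zero; if that is so, the header comment could read `unsigned int quote_level; /* Nesting level of <q> tags. Unsigned so that overflow wraps instead of being UB; only ever incremented, or decremented when > 0 (see html_quote_close). */`. It would also be worth confirming that no other code path writes this field (e.g. a reset or restore of saved context), since any such writer now inherits the same constraint. The enclosing struct html_context starts and ends outside this hunk.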
diff --git a/src/document/html/parser/general.c b/src/document/html/parser/general.c
index 1184bf2b..33fe08c0 100644
--- a/src/document/html/parser/general.c
+++ b/src/document/html/parser/general.c
@@ -104,6 +104,14 @@ void
html_quote(struct html_context *html_context, unsigned char *a,
unsigned char *xxx3, unsigned char *xxx4, unsigned char **xxx5)
{
+ /* An HTML document containing extremely many repetitions of
+ * "" could cause @html_context->quote_level to overflow.
+ * Because it is unsigned, it then wraps around to zero, and
+ * we don't get a negative array index here. If the document
+ * then tries to close the quotes with "
", @html_quote_close
+ * won't let the quote level wrap back, so it will render the
+ * quotes incorrectly, but such a document probably doesn't
+ * make sense anyway. */
unsigned char *q = quote_char[html_context->quote_level++ % 2];
put_chrs(html_context, q, 1);