diff --git a/CHANGES b/CHANGES
index 5535b4981542b4566dde18ddab3447d39f558f4c..4e1a19307889a7c227080ba351b5352ae9798919 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2319.	[bug]		Silence Coverity warnings in 
+			lib/dns/rdata/in_1/apl_42.c. [RT #174]
+
 2318.	[port]		ISC_PLATFORM_NEEDTIMESPEC missing from
 			lib/bind/config.h.in. [RT #17514]
 
diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
index d09e9b0abfc31f319a1fd2e3786921cc250f38e4..f6cfe1ccabc1962132a3b5ee120567dced692ef5 100644
--- a/lib/dns/rdata/in_1/apl_42.c
+++ b/lib/dns/rdata/in_1/apl_42.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: apl_42.c,v 1.12 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: apl_42.c,v 1.13 2008/01/22 23:17:31 marka Exp $ */
 
 /* RFC3123 */
 
@@ -306,37 +306,88 @@ freestruct_in_apl(ARGS_FREESTRUCT) {
 
 isc_result_t
 dns_rdata_apl_first(dns_rdata_in_apl_t *apl) {
+	isc_uint32_t length;
+
+	REQUIRE(apl != NULL);
 	REQUIRE(apl->common.rdtype == 42);
 	REQUIRE(apl->common.rdclass == 1);
 	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
 
+	/*
+	 * If no APL return ISC_R_NOMORE.
+	 */
+	if (apl->apl == NULL)
+		return (ISC_R_NOMORE);
+
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->apl_len > 3U);
+	length = apl->apl[apl->offset + 3] & 0x7f;
+	INSIST(length <= apl->apl_len);
+
 	apl->offset = 0;
-	return ((apl->apl_len != 0) ? ISC_R_SUCCESS : ISC_R_NOMORE);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
 dns_rdata_apl_next(dns_rdata_in_apl_t *apl) {
+	isc_uint32_t length;
+
+	REQUIRE(apl != NULL);
 	REQUIRE(apl->common.rdtype == 42);
 	REQUIRE(apl->common.rdclass == 1);
 	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
 
-	if (apl->offset + 3 < apl->apl_len)
+	/*
+	 * No APL or have already reached the end return ISC_R_NOMORE.
+	 */
+	if (apl->apl == NULL || apl->offset == apl->apl_len)
 		return (ISC_R_NOMORE);
+
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->offset < apl->apl_len);
+	INSIST(apl->apl_len > 3U);
+	INSIST(apl->offset <= apl->apl_len - 4U);
+	length = apl->apl[apl->offset + 3] & 0x7f;
+	/*
+	 * 16 to 32 bits promotion as 'length' is 32 bits so there is
+	 * no overflow problems.
+	 */
+	INSIST(length + apl->offset <= apl->apl_len);
+
 	apl->offset += apl->apl[apl->offset + 3] & 0x7f;
 	return ((apl->offset >= apl->apl_len) ? ISC_R_SUCCESS : ISC_R_NOMORE);
 }
 
 isc_result_t
 dns_rdata_apl_current(dns_rdata_in_apl_t *apl, dns_rdata_apl_ent_t *ent) {
+	isc_uint32_t length;
 
+	REQUIRE(apl != NULL);
 	REQUIRE(apl->common.rdtype == 42);
 	REQUIRE(apl->common.rdclass == 1);
 	REQUIRE(ent != NULL);
 	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+	REQUIRE(apl->offset <= apl->apl_len);
 
-	if (apl->offset >= apl->apl_len)
+	if (apl->offset == apl->apl_len)
 		return (ISC_R_NOMORE);
 
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->apl_len > 3U);
+	INSIST(apl->offset <= apl->apl_len - 4U);
+	length = apl->apl[apl->offset + 3] & 0x7f;
+	/*
+	 * 16 to 32 bits promotion as 'length' is 32 bits so there is
+	 * no overflow problems.
+	 */
+	INSIST(length + apl->offset <= apl->apl_len);
+
 	ent->family = (apl->apl[apl->offset] << 8) + apl->apl[apl->offset + 1];
 	ent->prefix = apl->apl[apl->offset + 2];
 	ent->length = apl->apl[apl->offset + 3] & 0x7f;