diff --git a/ChangeLog b/ChangeLog
index 406fc5b..84be080 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,15 @@ Version 1.6.18
 *******************************************************************************
+2012-04-11 Yoichi NAKAYAMA
+
+ Avoid access violation after parser_parse_chunky_headers call.
+
+ In parser_parse_chunky_headers, parser->msg.msg.buf can be changed
+ by membuffer_delete call. Therefore if we save the pointer to
+ parser->msg.entity.buf before calling membuffer_delete, it will
+ induce access to released memory.
+
 2012-04-06 Yoichi NAKAYAMA
 Remove possibility of access violation.
diff --git a/upnp/src/genlib/net/http/httpparser.c b/upnp/src/genlib/net/http/httpparser.c
index 05ec861..430fd83 100644
--- a/upnp/src/genlib/net/http/httpparser.c
+++ b/upnp/src/genlib/net/http/httpparser.c
@@ -1682,14 +1682,14 @@ parser_parse_chunky_headers( INOUT http_parser_t * parser )
 /* finally, done with the whole msg */
 parser->position = POS_COMPLETE;
- /* save entity start ptr as the very last thing to do */
- parser->msg.entity.buf = parser->msg.msg.buf +
- parser->entity_start_position;
-
 membuffer_delete( &parser->msg.msg, save_pos,
 ( parser->scanner.cursor - save_pos ) );
 parser->scanner.cursor = save_pos;
+ /* save entity start ptr as the very last thing to do */
+ parser->msg.entity.buf = parser->msg.msg.buf +
+ parser->entity_start_position;
+
 return PARSE_SUCCESS;
 } else {
 return status;
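Review bot: The moved comment in the httpparser.c hunk still says only "save entity start ptr as the very last thing to do" and does not record why the order matters, so the next refactor can reintroduce the dangling pointer this commit removes; I would replace it with `/* Compute entity.buf only AFTER membuffer_delete(): that call may reallocate msg.msg.buf, so any pointer derived from it earlier is stale and would point into freed memory. */`. Since the stale pointer is produced while parsing chunked input from the network, the old ordering was a remotely reachable use-after-free rather than a cosmetic defect, which argues for a regression test feeding a chunked message with trailer headers large enough to force a reallocation. The ChangeLog entry documents the hazard well; the same hazard presumably applies to any other pointer into msg.msg.buf held across a membuffer call, which I cannot confirm from this hunk alone. The start of parser_parse_chunky_headers, including where save_pos is taken, lies outside the hunk.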