diff -up mod_auth_openidc-2.4.9.4/src/util.c.orig mod_auth_openidc-2.4.9.4/src/util.c
--- mod_auth_openidc-2.4.9.4/src/util.c.orig 2024-02-29 17:54:55.939797412 +0100
+++ mod_auth_openidc-2.4.9.4/src/util.c 2024-02-29 18:01:12.042842605 +0100
@@ -1270,25 +1270,24 @@ static char* oidc_util_get_chunk_cookie_
 */
 char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
 int chunkSize) {
- char *cookieValue = NULL;
- char *chunkValue = NULL;
- int i = 0;
- if (chunkSize == 0) {
- cookieValue = oidc_util_get_cookie(r, cookieName);
- } else {
- int chunkCount = oidc_util_get_chunked_count(r, cookieName);
- if (chunkCount > 0) {
- cookieValue = "";
- for (i = 0; i < chunkCount; i++) {
- chunkValue = oidc_util_get_cookie(r,
- oidc_util_get_chunk_cookie_name(r, cookieName, i));
- if (chunkValue != NULL)
- cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue,
- chunkValue);
- }
- } else {
- cookieValue = oidc_util_get_cookie(r, cookieName);
+ char *cookieValue = NULL, *chunkValue = NULL;
+ int chunkCount = 0, i = 0;
+ if (chunkSize == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ chunkCount = oidc_util_get_chunked_count(r, cookieName);
+ if (chunkCount == 0)
+ return oidc_util_get_cookie(r, cookieName);
+ if ((chunkCount < 0) || (chunkCount > 99)) {
+ oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
+ return NULL;
+ }
+ for (i = 0; i < chunkCount; i++) {
+ chunkValue = oidc_util_get_cookie(r, oidc_util_get_chunk_cookie_name(r, cookieName, i));
+ if (chunkValue == NULL) {
+ oidc_warn(r, "could not find chunk %d; aborting", i);
+ break;
 }
+ cookieValue = apr_psprintf(r->pool, "%s%s", cookieValue ? cookieValue : "", chunkValue);
 }
 return cookieValue;
 }
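Review bot: When a chunk is missing at an index above 0, the new loop hits `break;` and still returns the chunks concatenated so far, so the caller gets a truncated cookie value it cannot tell apart from a complete one, even though the warning says "aborting". Replacing `break;` with `return NULL;` in the `chunkValue == NULL` branch would make the failure explicit and keep a partial value away from whatever decodes it downstream; the callers are not visible in this hunk, so how they treat a truncated value should be confirmed. Separately, the bound in `(chunkCount > 99)` is a bare literal. A named constant with a one-line comment would record why the cap exists: the count appears to be read from a request cookie via `oidc_util_get_chunked_count(r, cookieName)`, which would make it client-controlled.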