diff --git a/lib/cookie.c b/lib/cookie.c
index 837caaab384466756138df88b886224390176bcd..6dc9142edf8393f05b8a8dedfad886830f5968ba 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -316,7 +316,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
   }
 
   /* convert /hoge/ to /hoge */
-  if(len && new_path[len - 1] == '/') {
+  if(len > 1 && new_path[len - 1] == '/') {
     new_path[len - 1] = 0x0;
   }
 
@@ -1075,7 +1075,7 @@ Curl_cookie_add(struct Curl_easy *data,
          clist->spath && co->spath && /* both have paths */
          clist->secure && !co->secure && !secure) {
         size_t cllen;
-        const char *sep;
+        const char *sep = NULL;
 
         /*
          * A non-secure cookie may not overlay an existing secure cookie.
@@ -1084,8 +1084,9 @@ Curl_cookie_add(struct Curl_easy *data,
          * "/loginhelper" is ok.
          */
 
-        sep = strchr(clist->spath + 1, '/');
-
+        DEBUGASSERT(clist->spath[0]);
+        if(clist->spath[0])
+          sep = strchr(clist->spath + 1, '/');
         if(sep)
           cllen = sep - clist->spath;
         else