diff --git a/netwerk/mime/nsMIMEHeaderParamImpl.cpp b/netwerk/mime/nsMIMEHeaderParamImpl.cpp
index 9a26e0bb384..78d560b78e0 100644
--- a/netwerk/mime/nsMIMEHeaderParamImpl.cpp
+++ b/netwerk/mime/nsMIMEHeaderParamImpl.cpp
@@ -308,7 +308,10 @@ nsMIMEHeaderParamImpl::DoParameterInternal(const char *aHeaderValue,
         else if (*valueEnd == '"')
           break;
       }
-      str = valueEnd + 1;
+      str = valueEnd;
+      // *valueEnd != null means that *valueEnd is quote character.
+      if (*valueEnd)
+        str++;
     }
 
     // See if this is the simplest case (case A above),
diff --git a/netwerk/test/unit/test_MIME_params.js b/netwerk/test/unit/test_MIME_params.js
index 2554b24a300..e30fe290f4d 100644
--- a/netwerk/test/unit/test_MIME_params.js
+++ b/netwerk/test/unit/test_MIME_params.js
@@ -296,6 +296,11 @@ var tests = [
 
   ["attachment; filename*=\"a%20b\"", 
    "attachment", "a b"],
+
+  // Bug 717121: crash nsMIMEHeaderParamImpl::DoParameterInternal
+
+  ["attachment; filename=\"", 
+   "attachment", ""], 
 ];
 
 function do_tests(whichRFC)