diff --git a/ChangeLog b/ChangeLog
index 7f86a2d3b17938e0df1d986c069a381dd19e1fb4..1ae5c90b769d1518924e0008aa1cc62cb4e7ece0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2014-02-07  Niels Möller  <nisse@lysator.liu.se>
+
+	* base64-decode.c (base64_decode_update): Use *dst_length for
+	output only. Don't require callers to pass a sane value.
+	* base16-decode.c (base16_decode_update): Likewise.
+
 2014-02-06  Niels Möller  <nisse@lysator.liu.se>
 
 	* NEWS: List _set_key incompatibilities.
diff --git a/base16-decode.c b/base16-decode.c
index 4dc8abd41aef670d67ec944062d4a25c55912c37..4e4a517c2bdbd7c8ffcfb01d7f725ca2430e5c22 100644
--- a/base16-decode.c
+++ b/base16-decode.c
@@ -101,8 +101,6 @@ base16_decode_update(struct base16_decode_ctx *ctx,
   size_t done;
   size_t i;
 
-  assert(*dst_length >= BASE16_DECODE_LENGTH(src_length));
-  
   for (i = done = 0; i<src_length; i++)
     switch(base16_decode_single(ctx, dst + done, src[i]))
       {
diff --git a/base16.h b/base16.h
index 5642293006bd583c94dbe0c99a99bd245afdb4a3..510e9f6ade9db93d85b1177eb86d5e5aca5b01d7 100644
--- a/base16.h
+++ b/base16.h
@@ -81,13 +81,9 @@ base16_decode_single(struct base16_decode_ctx *ctx,
 		     uint8_t src);
 
 /* Returns 1 on success, 0 on error. DST should point to an area of
- * size at least BASE16_DECODE_LENGTH(length), and for sanity
- * checking, *DST_LENGTH should be initialized to the size of that
- * area before the call. *DST_LENGTH is updated to the amount of
- * decoded output. */
+ * size at least BASE16_DECODE_LENGTH(length). The amount of data
+ * generated is returned in *DST_LENGTH. */
 
-/* Currently results in an assertion failure if *DST_LENGTH is
- * too small. FIXME: Return some error instead? */
 int
 base16_decode_update(struct base16_decode_ctx *ctx,
 		     size_t *dst_length,
diff --git a/base64-decode.c b/base64-decode.c
index c7c739afe5a315fa7f3fb55d5a630c0105974184..2c1ec7dfb394637affc722005d75954e0b5dc573 100644
--- a/base64-decode.c
+++ b/base64-decode.c
@@ -122,8 +122,6 @@ base64_decode_update(struct base64_decode_ctx *ctx,
   size_t done;
   size_t i;
 
-  assert(*dst_length >= BASE64_DECODE_LENGTH(src_length));
-  
   for (i = 0, done = 0; i<src_length; i++)
     switch(base64_decode_single(ctx, dst + done, src[i]))
       {
diff --git a/base64.h b/base64.h
index 94ed52ae2af8a89d7a5c3bcbb4628caf3c3e47ab..af4454c5ee9743f044d135994db14c32d4019b31 100644
--- a/base64.h
+++ b/base64.h
@@ -128,13 +128,8 @@ base64_decode_single(struct base64_decode_ctx *ctx,
 		     uint8_t src);
 
 /* Returns 1 on success, 0 on error. DST should point to an area of
- * size at least BASE64_DECODE_LENGTH(length), and for sanity
- * checking, *DST_LENGTH should be initialized to the size of that
- * area before the call. *DST_LENGTH is updated to the amount of
- * decoded output. */
-
-/* Currently results in an assertion failure if *DST_LENGTH is
- * too small. FIXME: Return some error instead? */
+ * size at least BASE64_DECODE_LENGTH(length). The amount of data
+ * generated is returned in *DST_LENGTH. */
 int
 base64_decode_update(struct base64_decode_ctx *ctx,
 		     size_t *dst_length,