Looks like a possible RFC 2616 MUST violation. Note that Apache origin server does not seem to have this problem. See attached trace(s) for details and ways to reproduce the violation mentioned above. Test case IDs in the trace link to human-oriented test case description and RFC quotes, if available.
Created attachment 4450: test case trace
Created attachment 7346: Fix in ap_set_byterange() in modules\http\http_protocol.c
The attached patch validates the range values and ignores the Range header if it is syntactically invalid. The Range header is ignored if last-byte-pos is less than first-byte-pos in a byte-range-spec. Fix in ap_set_byterange() in modules\http\Http_protocol.c
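The validation described in the comment above, as an added example that is neither the attached patch nor httpd's own code: a stand-alone checker that rejects the whole Range value when any byte-range-spec is malformed or has last-byte-pos less than first-byte-pos. The names `range_header_valid`, `parse_pos` and `skip_ws` are hypothetical, and as a simplification empty list elements and positions that overflow `unsigned long long` are treated as invalid.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Read 1*DIGIT at *p into *out and advance *p; 0 on no digit or overflow. */
static int parse_pos(const char **p, unsigned long long *out)
{
    char *end;
    if (!isdigit((unsigned char)**p))
        return 0;
    errno = 0;
    *out = strtoull(*p, &end, 10);
    *p = end;
    return errno != ERANGE;
}

static void skip_ws(const char **p) { while (**p == ' ' || **p == '\t') ++*p; }

/* 1: every spec in the byte-range-set is valid. 0: ignore the Range header. */
int range_header_valid(const char *v)
{
    static const char unit[] = "bytes=";
    unsigned long long first, last;
    size_t i;
    for (i = 0; unit[i]; i++)            /* unit name matched case-insensitively */
        if (tolower((unsigned char)v[i]) != unit[i])
            return 0;
    for (v += i;;) {
        skip_ws(&v);
        if (*v == '-') {                 /* suffix-byte-range-spec: "-" suffix-length */
            ++v;
            if (!parse_pos(&v, &last))
                return 0;
        } else {                         /* byte-range-spec: first "-" [last] */
            if (!parse_pos(&v, &first) || *v++ != '-')
                return 0;
            if (isdigit((unsigned char)*v) && (!parse_pos(&v, &last) || last < first))
                return 0;                /* overflow, or last-byte-pos < first-byte-pos */
        }
        skip_ws(&v);
        if (*v == '\0')
            return 1;                    /* reached the end with no invalid spec */
        if (*v++ != ',')
            return 0;                    /* trailing garbage after a spec */
    }
}
```

A single bad spec invalidates the entire set, so a caller that gets 0 serves the request as if no Range header had been sent.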
With the patch in attachment 7346, Apache passes all test cases in this test clause.
I'm going through the bug db to make sure patches are findable. Please see http://httpd.apache.org/dev/patches.html
Can someone look at this patch and commit it if found OK? This would help us close one of the open PRs on RFC 2616 violations.
Has never been fixed in 2.0.x, but the byterange_filter, new in 2.2.x, does appear to implement these checks. Is it worth making the fix back in 2.0.x? If so, please re-open; otherwise calling this one fixed.