diff --git a/src/common.cpp b/src/common.cpp
index 541d976bc..8be857c3a 100644
--- a/src/common.cpp
+++ b/src/common.cpp
@@ -1877,7 +1877,9 @@ bool valid_var_name(const wchar_t *str) {
 bool valid_func_name(const wcstring &str) {
     if (str.empty()) return false;
     if (str.at(0) == L'-') return false;
+    // A function name needs to be a valid path, so no / and no NULL.
     if (str.find_first_of(L'/') != wcstring::npos) return false;
+    if (str.find_first_of(L'\0') != wcstring::npos) return false;
     return true;
 }
 
diff --git a/src/path.cpp b/src/path.cpp
index 59e2abd6d..2f5e14fe3 100644
--- a/src/path.cpp
+++ b/src/path.cpp
@@ -38,6 +38,10 @@ const wcstring_list_t dflt_pathsv({L"/bin", L"/usr/bin", PREFIX L"/bin"});
 
 static bool path_get_path_core(const wcstring &cmd, wcstring *out_path,
                                const maybe_t<env_var_t> &bin_path_var) {
+    // Unix paths can't include a NULL-byte, that's the separator.
+    // If we let this through, we'd end up checking up to the NULL,
+    // so we'd get the wrong path.
+    if (cmd.find(L'\0') != wcstring::npos) return false;
     // If the command has a slash, it must be an absolute or relative path and thus we don't bother
     // looking for a matching command.
     if (cmd.find(L'/') != wcstring::npos) {