Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/libexec/httpd/auth-bozo.c,v rcsdiff: /ftp/cvs/cvsroot/src/libexec/httpd/auth-bozo.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.13 retrieving revision 1.13.2.1 diff -u -p -r1.13 -r1.13.2.1 --- src/libexec/httpd/auth-bozo.c 2014/07/08 14:01:21 1.13 +++ src/libexec/httpd/auth-bozo.c 2015/01/12 10:02:29 1.13.2.1 @@ -1,4 +1,4 @@ -/* $NetBSD: auth-bozo.c,v 1.13 2014/07/08 14:01:21 mrg Exp $ */ +/* $NetBSD: auth-bozo.c,v 1.13.2.1 2015/01/12 10:02:29 martin Exp $ */ /* $eterna: auth-bozo.c,v 1.17 2011/11/18 09:21:15 mrg Exp $ */ @@ -118,6 +118,13 @@ bozo_auth_check(bozo_httpreq_t *request, } void +bozo_auth_init(bozo_httpreq_t *request) +{ + request->hr_authuser = NULL; + request->hr_authpass = NULL; +} + +void bozo_auth_cleanup(bozo_httpreq_t *request) { @@ -150,6 +157,8 @@ bozo_auth_check_headers(bozo_httpreq_t * return bozo_http_error(httpd, 400, request, "bad authorization field"); *pass++ = '\0'; + free(request->hr_authuser); + free(request->hr_authpass); request->hr_authuser = bozostrdup(httpd, authbuf); request->hr_authpass = bozostrdup(httpd, pass); debug((httpd, DEBUG_FAT, @@ -229,6 +238,12 @@ base64_decode(const unsigned char *in, s unsigned char *cp; size_t i; + if (ilen == 0) { + if (olen) + *out = '\0'; + return 0; + } + cp = out; for (i = 0; i < ilen; i += 4) { if (cp + 3 > out + olen) @@ -250,7 +265,7 @@ base64_decode(const unsigned char *in, s | decodetable[in[i + 3]]; #undef IN_CHECK } - while (in[i - 1] == '=') + while (i > 0 && in[i - 1] == '=') cp--,i--; return (cp - out); }
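Review bot: The new `bozo_auth_init()` carries no comment stating its contract, yet the `free()` calls this commit adds to `bozo_auth_check_headers()` are only safe if both fields are NULL before the first Authorization header is parsed. I would add above the function `/* Must run on every new request before its headers are parsed: bozo_auth_check_headers() free()s hr_authuser and hr_authpass. */`. The call site is not part of this diff, so it is worth confirming that every path which sets up a `bozo_httpreq_t` reaches it.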
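Review bot: In the `bozo_auth_check_headers()` hunk the previous `hr_authpass` is handed to `free()` while it still holds a decoded password, so a repeated Authorization header leaves the earlier credential readable in released heap memory. Clearing it first keeps the stale copy from lingering, for example `if (request->hr_authpass) explicit_memset(request->hr_authpass, 0, strlen(request->hr_authpass));`, or whatever optimisation-resistant clear the target platform offers. The same would apply wherever else the field is released, which is outside this hunk.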
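Review bot: The new `ilen == 0` guard in `base64_decode()` covers only the empty case. The loop below it still advances `i` by 4 and indexes up to `in[i + 3]`, so an input whose length is not a multiple of four is read past `ilen` unless `IN_CHECK`, which is defined outside these hunks, happens to stop it. The trailing `while (i > 0 && in[i - 1] == '=')` in the last hunk has the same exposure, because `i` can end above `ilen`. I would reject such input beside the new guard with `if (ilen % 4 != 0) return -1;`, using whatever error value the truncated `if (cp + 3 > out + olen)` branch returns.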
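Review bot: The added `i > 0` test in the padding loop of `base64_decode()` bounds the read of `in`, but `cp` is still decremented once per `=` with no lower bound. If more padding characters than decoded bytes can get past `IN_CHECK` (not visible here), `cp` moves below `out` and `cp - out` goes negative. `while (i > 0 && cp > out && in[i - 1] == '=')` closes that. Splitting `cp--,i--;` into two braced statements would also read more clearly.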