From b734bc37eb683451fb68a04466c3da8a54597fdf Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 21 Nov 2000 19:01:53 +0000
Subject: [PATCH] curl_unescape() did not stop at the set length properly when
 %-codes were used

---
 lib/escape.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/escape.c b/lib/escape.c
index 048fd0f99..74d8deea8 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -100,7 +100,7 @@ char *curl_unescape(char *string, int length)
                             the "query part" where '+' should become ' '.
                             RFC 2316, section 3.10 */
   
-   while(--alloc) {
+   while(--alloc > 0) {
       in = *string;
       if(querypart && ('+' == in))
          in = ' ';
@@ -113,6 +113,7 @@ char *curl_unescape(char *string, int length)
         if(sscanf(string+1, "%02X", &hex)) {
           in = hex;
           string+=2;
+          alloc-=2;
         }
       }