--- libhttpd.c
+++ libhttpd.c
@@ -1044,10 +1044,12 @@
 	}
 
     /* Decode it. */
+    memset(authinfo, 0, sizeof(authinfo));
     l = b64_decode(
 	&(hc->authorization[6]), (unsigned char*) authinfo,
 	sizeof(authinfo) - 1 );
-    authinfo[l] = '\0';
+    authinfo[sizeof(authinfo)-1] = '\0';
+
     /* Split into user and password. */
     authpass = strchr( authinfo, ':' );
     if ( authpass == (char*) 0 )