[mod_secdownload] fix buffer overflow in secdl_verify_mac (reported by Fortify Open Review Project)

Impact is probably low on most platforms, as it will probably overwrite
one byte of "HASH HA1" which isn't used afterwards anymore.

Reference: Fortify Open Review Project - lighttpd 1.4.39
    ID 22708159 - Buffer Overflow: Off-by-One

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3096 152afb58-edef-0310-8abb-c4023f1b3aa9

NEWS

@@ -25,6 +25,7 @@ NEWS
   * [mod_cgi] kill CGI if fail to write request body
   * [mod_proxy] use case-insensitive comparision to filter headers, send Connection: Close to backend (fixes #421)
   * [mod_dirlisting] dir-listing.hide-dotfiles = "enabled" by default (fixes #1081)
+  * [mod_secdownload] fix buffer overflow in secdl_verify_mac (reported by Fortify Open Review Project)
 
 - 1.4.39 - 2016-01-02
   * [core] fix memset_s call (fixes #2698)

src/mod_secdownload.c

@@ -153,7 +153,7 @@ static int secdl_verify_mac(server *srv, plugin_config *config, const char* prot
 		{
 			li_MD5_CTX Md5Ctx;
 			HASH HA1;
-			char hexmd5[32];
+			char hexmd5[33];
 			const char *ts_str;
 			const char *rel_uri;