WWW/Library/Implementation/HTParse.c |   47 +++++++++++++++++++++++-----------
 src/LYGlobalDefs.h                   |    1 +
 src/LYMain.c                         |    1 +
 3 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/WWW/Library/Implementation/HTParse.c b/WWW/Library/Implementation/HTParse.c
index c9bfbbf..b265e22 100644
--- a/WWW/Library/Implementation/HTParse.c
+++ b/WWW/Library/Implementation/HTParse.c
@@ -12,6 +12,7 @@
 #include <LYLeaks.h>
 #include <LYStrings.h>
 #include <LYCharUtils.h>
+#include <LYGlobalDefs.h>
 
 #ifdef HAVE_ALLOCA_H
 #include <alloca.h>
@@ -255,7 +256,8 @@ char *HTParse(const char *aName,
     char *result = NULL;
     char *tail = NULL;		/* a pointer to the end of the 'result' string */
     char *return_value = NULL;
-    unsigned len, len1, len2;
+    size_t len, len1, len2;
+    size_t need;
     char *name = NULL;
     char *rel = NULL;
     char *p, *q;
@@ -290,9 +292,17 @@ char *HTParse(const char *aName,
     len2 = strlen(relatedName) + 1;
     len = len1 + len2 + 8;	/* Lots of space: more than enough */
 
-    result = tail = (char *) LYalloca(len * 2 + len1 + len2);
+    need = (len * 2 + len1 + len2);
+    if (need > (size_t) max_uri_size ||
+	(int) need < (int) len1 ||
+	(int) need < (int) len2)
+	return StrAllocCopy(return_value, "");
+
+    result = tail = (char *) LYalloca(need);
     if (result == NULL) {
 	outofmem(__FILE__, "HTParse");
+
+	assert(result != NULL);
     }
     *result = '\0';
     name = result + len;
@@ -674,21 +684,28 @@ const char *HTParseAnchor(const char *aName)
 	 * keeping in mind scan() peculiarities on schemes:
 	 */
 	struct struct_parts given;
+	size_t need = ((unsigned) ((p - aName) + (int) strlen(p) + 1));
+	char *name;
 
-	char *name = (char *) LYalloca((unsigned) ((p - aName)
-						   + (int) strlen(p) + 1));
+	if (need > (size_t) max_uri_size) {
+	    p += strlen(p);
+	} else {
+	    name = (char *) LYalloca(need);
 
-	if (name == NULL) {
-	    outofmem(__FILE__, "HTParseAnchor");
-	}
-	strcpy(name, aName);
-	scan(name, &given);
-	LYalloca_free(name);
-
-	p++;			/*next to '#' */
-	if (given.anchor == NULL) {
-	    for (; *p; p++)	/*scroll to end '\0' */
-		;
+	    if (name == NULL) {
+		outofmem(__FILE__, "HTParseAnchor");
+
+		assert(name != NULL);
+	    }
+	    strcpy(name, aName);
+	    scan(name, &given);
+	    LYalloca_free(name);
+
+	    p++;		/*next to '#' */
+	    if (given.anchor == NULL) {
+		for (; *p; p++)	/*scroll to end '\0' */
+		    ;
+	    }
 	}
     }
     return p;
diff --git a/src/LYGlobalDefs.h b/src/LYGlobalDefs.h
index d0c5ab1..cc3e1e8 100644
--- a/src/LYGlobalDefs.h
+++ b/src/LYGlobalDefs.h
@@ -305,6 +305,7 @@ extern "C" {
     extern int max_cookies_buffer;
     extern int max_cookies_domain;
     extern int max_cookies_global;
+    extern int max_uri_size;
 #ifdef USE_SESSIONS
     extern short session_limit;	/* maximal entries saved/restored
 				   in session file */
diff --git a/src/LYMain.c b/src/LYMain.c
index 126a30f..0ccebe5 100644
--- a/src/LYMain.c
+++ b/src/LYMain.c
@@ -494,6 +494,7 @@ int lynx_temp_subspace = 0;	/* > 0 if we made temp-directory */
 int max_cookies_domain = 50;
 int max_cookies_global = 500;
 int max_cookies_buffer = 4096;
+int max_uri_size = 8192;
 int nlinks = 0;			/* number of links in memory */
 int outgoing_mail_charset = -1;	/* translate mail to this charset */