diff --git a/CHANGES b/CHANGES
index 0a144e5b2..adcd4fce3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@
 
                                   Changelog
 
+Daniel Stenberg (10 May 2009)
+- Andre Guibert de Bruet correctly pointed out an over-alloc with one wasted
+  byte in the digest code.
+
 Yang Tse (9 May 2009)
 - Removed DOS and TPF package's subdirectory Makefile.am, it was only used
   to include some files in the distribution tarball serving no other purpose.
diff --git a/lib/http_digest.c b/lib/http_digest.c
index b370891b7..7011b1947 100644
--- a/lib/http_digest.c
+++ b/lib/http_digest.c
@@ -543,8 +543,8 @@ CURLcode Curl_output_digest(struct connectdata *conn,
     *allocuserpwd = tmp;
   }
 
-  /* append CRLF to the userpwd header */
-  tmp = realloc(*allocuserpwd, strlen(*allocuserpwd) + 3 + 1);
+  /* append CRLF + zero (3 bytes) to the userpwd header */
+  tmp = realloc(*allocuserpwd, strlen(*allocuserpwd) + 3);
   if(!tmp)
     return CURLE_OUT_OF_MEMORY;
   strcat(tmp, "\r\n");