--- cgi-bin/var.c	(revision 2161)
+++ cgi-bin/var.c	(working copy)
@@ -1111,6 +1111,9 @@
 	    * Read the hex code...
 	    */
 
+            if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
+	      return (0);
+
             if (s < (value + sizeof(value) - 1))
 	    {
               data ++;
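Review bot: `isxdigit()` in the added guard accepts lowercase `a`–`f` as well as `A`–`F`, so the decode that begins at `data ++` has to map both cases to 0–15. That decode runs past the end of this hunk, so please confirm it does. If it only handles uppercase, a lowercase escape now passes validation but still decodes to the wrong byte. The guard also deserves a comment, since its safety depends on evaluation order, for example `/* Reject malformed %xx; || short-circuits so data[2] is not read when data[1] is the terminator */`. It is also worth checking that every caller treats the new `return (0)` as a parse failure, because the enclosing function starts and ends outside the hunk.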