There is a chance that the input string is larger than size, and on VMS,

this wasn't checked and could possibly be exploitable (slim chance, but still)