FYI I just looked at this and I agree with Daniel and Thijs's analysis. Sloppy code, but not remotely-exploitable so I don't plan on requesting a CVE number for it.