curl-library
Potential buffer overflow in version.c
From: Patrick Monnerat <Patrick.Monnerat_at_datasphere.ch>
Date: Wed, 15 Aug 2007 16:21:47 +0200
Received on 2007-08-15
In curl_version(), the code:
strcpy(ptr, LIBCURL_NAME "/" LIBCURL_VERSION );
ptr=strchr(ptr, '\0');
left -= strlen(ptr);
is supposed to add the copied length to the pointer, and subtract it
from the byte count left.
In fact, the byte count left is never updated, because strlen() measures
the string AFTER pointer update --> strlen() always returns 0.
This bug does not seem to allow an external attack, since buffer filling
is only made from internal data.
The attached patch fixes this bug.
- application/octet-stream attachment: curl-versionovfl.patch
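The bookkeeping mistake described above can be reproduced in a few lines. The following is an added illustration, not curl's code and not the attached patch: it builds a version string from constructed parts (the component names and version numbers are sample values, not real curl output) into a buffer while tracking `left` either in the order the report describes (strlen() after the pointer moves) or with the length taken first. With the reported order every part passes the room check because `left` never shrinks, so writes continue past the size the caller declared; the fixed order refuses the second part once the remaining count is exhausted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample components; a real curl_version() string lists the
 * library and its dependencies, but these particular values are made up. */
static const char *const demo_parts[] = {
    "libcurl/7.16.4",
    " OpenSSL/0.9.8e",
    " zlib/1.2.3",
};
#define DEMO_NPARTS (sizeof(demo_parts) / sizeof(demo_parts[0]))

/* Backing storage larger than the size we tell the builder, so an overrun
 * of the declared size lands in memory we own and can be measured safely. */
#define BACKING_SIZE   256
#define DECLARED_SIZE  20

/* Appends s at *ptr if the tracked byte count *left allows it.
 * buggy != 0 selects the order from the report: the pointer is advanced to the
 * terminator first, so strlen() measures the empty tail and *left is never
 * reduced.  buggy == 0 takes the length before moving the pointer.
 * Returns 1 if the part was written, 0 if it was refused for lack of room. */
static int append_part(char **ptr, size_t *left, const char *s, int buggy)
{
    size_t len = strlen(s);

    if (len + 1 > *left)          /* room for the terminator as well */
        return 0;

    strcpy(*ptr, s);
    if (buggy) {
        *ptr = strchr(*ptr, '\0');
        *left -= strlen(*ptr);    /* strlen("") == 0: left stays unchanged */
    } else {
        *ptr += len;
        *left -= len;
    }
    return 1;
}

/* Builds the version string into buf, which the caller declares to hold
 * size bytes, and returns how many bytes the bookkeeping believes are free. */
static size_t build_version(char *buf, size_t size, int buggy)
{
    char *ptr = buf;
    size_t left = size;
    size_t i;

    buf[0] = '\0';
    for (i = 0; i < DEMO_NPARTS; i++)
        if (!append_part(&ptr, &left, demo_parts[i], buggy))
            break;
    return left;
}

/* Bytes actually written into the declared-size buffer (excluding NUL). */
size_t demo_bytes_written(int buggy)
{
    char backing[BACKING_SIZE];
    build_version(backing, DECLARED_SIZE, buggy);
    return strlen(backing);
}

/* Bytes the bookkeeping still reports as free after the build. */
size_t demo_left_reported(int buggy)
{
    char backing[BACKING_SIZE];
    return build_version(backing, DECLARED_SIZE, buggy);
}

int main(void)
{
    printf("declared size %d\n", DECLARED_SIZE);
    printf("reported order: wrote %zu bytes, reports %zu free\n",
           demo_bytes_written(1), demo_left_reported(1));
    printf("fixed order:    wrote %zu bytes, reports %zu free\n",
           demo_bytes_written(0), demo_left_reported(0));
    return 0;
}
```

With the reported order all 40 bytes of the three parts are written into a buffer declared as 20 bytes while `left` still reports 20 free; with the length taken first, only the 14-byte first part fits, the second is refused, and `left` correctly reports 6. The report's note that the data is internal is what keeps this from being externally triggerable, but the room check is still defeated, which is why the accounting order matters.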