Well ok. I agree that the interface for Ns_HtuuDecode is not the best, but the problem that you're talking about doesn't exist in the patched version of ParseAuth. It's always going to allocate enough bytes for the decoding. I also think you're correct in stating that the Ns_HtuuDecode routine was meant to be called in a loop that processed the input buffer a chunk at a time. This code was probably cut and pasted from something else, and the prospect of a buffer overflow was overlooked.
As you mentioned, the malloc logic should be modified to limit the size of a malloc, so that some wily hax0r doesn't crash your server by sending you a large authentication header.
The ParseAuth and Ns_HtuuDecode routines could definitely use a little work.
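
The two points discussed above (size the output buffer from the input length, and cap that length before calling malloc), as an added example that is not part of the original post and is not the server's ParseAuth or Ns_HtuuDecode code. The names `decode_basic_credentials` and `MAX_AUTH_B64_LEN`, and the 1024-byte limit, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MAX_AUTH_B64_LEN 1024   /* assumed cap on the encoded credential length */

/* Map one base64 character to its 6-bit value, or -1 if it is not valid. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * Decode a base64 credential string into a freshly allocated, NUL-terminated
 * buffer. Returns NULL when the input exceeds the cap, contains an invalid
 * character, or allocation fails. *outlen receives the decoded byte count.
 */
char *decode_basic_credentials(const char *b64, size_t *outlen)
{
    size_t inlen = 0, cap, n = 0, i;
    unsigned int acc = 0;
    int bits = 0;
    char *out;

    while (b64[inlen] != '\0')                   /* bounded length scan */
        if (++inlen > MAX_AUTH_B64_LEN) return NULL;   /* reject before malloc */

    cap = (inlen / 4 + 1) * 3;                   /* upper bound on decoded bytes */
    out = malloc(cap + 1);                       /* +1 for the terminating NUL */
    if (out == NULL) return NULL;

    for (i = 0; i < inlen && b64[i] != '='; i++) {
        int v = b64_val((unsigned char)b64[i]);
        if (v < 0 || n >= cap) { free(out); return NULL; }  /* never write past cap */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    *outlen = n;
    return out;
}
```

The caller owns the returned buffer and must free it.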