Hi, This was probably more relevant for the dev list.
Thanks, Chris ----- Forwarded message from Chris Wilson <[email protected]> ----- Hi, We are using Sentry (a C/C++ static analysis tool) to analyze openssl on a nightly basis. Sentry found that an uninitialiezd variable was recently introduced in the commit 1.76 and 1.57.2.3.2.13. You can see the commit here, http://cvs.openssl.org/filediff?f=openssl/ssl/t1_enc.c&v1=1.75&v2=1.76 The import lines are, unsigned char *val; <- uninitialized variable val ... buff = OPENSSL_malloc(olen); if (buff == NULL) goto err2; <- malloc returned NULL ... err2: ... ret: if (buff != NULL) OPENSSL_free(buff); if (val != NULL) OPENSSL_free(val); <- uninitialied variable val used ... Since the variable is uninitialized, it could be non NULL, which if passed to OPENSSL_free could potentially cause a crash. A solution to this problem would be to assign val to 0. Thanks, Chris -- Chris Wilson http://vigilantsw.com/ Vigilant Software, LLC ----- End forwarded message ----- ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
