dn_indicates_v3_cert can call memcmp up to 4 chars before the beginning of a string.
dn_indicates_v3_cert() does this:
    len = ASN1_STRING_to_UTF8(&s, str);
    if (len < 0) {
        return 0;
    }
    r = fast_memneq(s + len - 4, ".net", 4);
Note that if len < 4, we read bytes from a malloc header, which isn't a good thing at all.
In practice, I don't think this should cause crashes or security failures, unless somebody is using a very weird malloc, or unless somebody has a hardened installation that detects this kind of invalid check.
Still, this is a must-fix.
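Added example, not part of the original ticket and not Tor's code: a length-checked form of the suffix comparison described above, so that `s + len - 4` is only computed when the string holds at least four bytes. The function names are hypothetical, plain `memcmp` stands in for `fast_memneq`, and treating a too-short string as "does not end in .net" is an assumption about the intended result.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the len-byte buffer s ends with the suffix, 0 otherwise.
 * The length test comes first, so the pointer s + len - suffix_len is
 * never formed when it would point before the start of the allocation. */
int mem_ends_with(const unsigned char *s, int len,
                  const char *suffix, size_t suffix_len)
{
    if (s == NULL || len < 0 || (size_t)len < suffix_len)
        return 0;
    return memcmp(s + (size_t)len - suffix_len, suffix, suffix_len) == 0;
}

/* Hypothetical stand-in for the comparison in dn_indicates_v3_cert():
 * nonzero when the name does NOT end in ".net". The ticket's unchecked
 * expression was: fast_memneq(s + len - 4, ".net", 4)
 * Assumption: a string shorter than 4 bytes counts as "not .net". */
int dn_suffix_is_not_net(const unsigned char *s, int len)
{
    return !mem_ends_with(s, len, ".net", 4);
}

int main(void)
{
    /* Constructed sample names; the short ones are the cases where the
     * unchecked version would read before the start of the buffer. */
    const char *samples[] = { "www.example.net", "www.example.com",
                              ".net", "net", "a", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int len = (int)strlen(samples[i]);
        printf("%-18s len=%2d not_net=%d\n", samples[i], len,
               dn_suffix_is_not_net((const unsigned char *)samples[i], len));
    }
    return 0;
}
```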