[takeda]

I suppose so, but this bug only allows to crash the application. No doubt OpenSSL is buggy, but its problem is that a lot of applications depend on it as well.

I'm hoping it will eventually reach status of bind or sendmail, they had also very bad track record, but vulnerabilities now are quite rare.

[nayuki]

The article says: "may crash due to a NULL pointer dereference". But in C, dereferencing a null pointer is undefined behavior. Crashing is only one possible outcome, and arguably the best outcome.

The compiler and optimizer is entitled to elide certain checks or simplify code under the assumption that a pointer being dereferenced should not be null, and this could lead to dangerous things.

Here's an artificial example:

  int x = 0;
  int *p;
  if (...some condition...)
      p = &x;
  else
      p = NULL;
  print(*p);

The compiler is allowed to simplify the code to:

  int x = 0;
  int *p;
  p = &x;
  print(*p);

It's because the 'else' branch must cause a null pointer dereference, so that case can be legally ignored.

[takeda]

I would imagine that if a compiler would be able to make this kind of optimization it would also be able to warn that this is an error. Also optimizers supposed to replace code with a simpler equivalent ones, in your example actually the if statement should block the optimization i.e. if there was no "if", the x would be used directly, and the pointer was ignored.

Here's the bug: https://svnweb.freebsd.org/base/releng/12.1/crypto/openssl/s...

Value NULL is generally (void *)0 (could be different on different architectures, but it supposed to point to invalid value in memory, so when that memory address is accessed it will trigger segmentation fault.