It looks like someone found a screw sticking out, and having a hammer handy, decided to bash
it flat. As you'd expect in security software, the result was disastrous.
Something, somewhere, calls this function with potentially uninitialised data (or perhaps, a
dodgy piece of analysis software only thinks it is uninitialised because it can't find the
initialiser). Maybe it's actually a test routine. Maybe it's one uninitialised byte caused by
an off-by-one error somewhere. Either way it's irrelevant to this function. Rather than find
and fix that minor mistake, someone with Debian checkin privileges "fixed" it by removing
critical code from this function, silencing the warning and disabling Debian's security.
I guess the Debian Security people will need to re-assess who gets to modify critical packages
like this. It's one thing to trust that someone isn't going to deliberately sabotage a package
(they could just as easily add malware to GNOME Games as to OpenSSL) and quite another to
trust that they know what they're doing modifying complicated software like this to try to
"fix" security problems.