Cryptographic weakness on Debian systems

Posted May 15, 2008 2:28 UTC (Thu) by Ross (subscriber, #4065)
In reply to: Cryptographic weakness on Debian systems by tialaramex
Parent article: Cryptographic weakness on Debian systems

I didn't mean that it wasn't properly allocated.

The program is reading data returned by malloc().

Not only can you not trust it to have any specific value (or to be "random"), but it invokes
undefined behavior just like reading an uninitialized local variable.  The only stuff which is
exempt from this is global data (static), or data guaranteed to be initialized by your
environment before your program starts.

> is in the latter category, but I'd really want to see chapter and verse quoted before I
> believed that the same applies to
> { char m, x[40]; m = x[20]; }
> which is the situation we're looking at in OpenSSL.

I thought we were talking about malloc()ed memory...

char *x = malloc(20);
printf("%c\n", x[10]);  /* undefined behavior */

If it's a global struct or array, then it should contain all zero bytes -- not uninitialized
at all.

I don't have a copy of the standard, but check in the list of actions which invoke undefined
behavior, in the library section.  A draft I have contains:

"- The value of the object allocated by the malloc function is used"

-Ross
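
The distinction drawn in the comment above, as an added example that is not part of the original post: static storage and calloc() memory have defined (zero) contents, while malloc() memory must be written before it is read. The function names and the use of /dev/urandom as the fill source are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#define BUF_LEN 40

/* Static storage duration: zero-initialized before main() runs. */
static unsigned char static_buf[BUF_LEN];

/* Count nonzero bytes; call only on memory whose contents are defined. */
static size_t nonzero_bytes(const unsigned char *p, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (p[i] != 0);
    return count;
}

/* Reading the static array is well defined and always finds zeros. */
size_t static_nonzero(void) { return nonzero_bytes(static_buf, BUF_LEN); }

/* calloc() memory is all-bits-zero, so it may be read immediately.
 * Returns (size_t)-1 if the allocation fails. */
size_t calloc_nonzero(void)
{
    unsigned char *p = calloc(BUF_LEN, 1);
    size_t count = p ? nonzero_bytes(p, BUF_LEN) : (size_t)-1;
    free(p);
    return count;
}

/* malloc() memory is indeterminate: write every byte before reading any.
 * Assumption: bytes come from /dev/urandom. Returns NULL on any failure. */
unsigned char *malloc_filled(size_t n)
{
    unsigned char *p = malloc(n);
    FILE *f = fopen("/dev/urandom", "rb");
    int ok = p && f && fread(p, 1, n, f) == n;
    if (f) fclose(f);
    if (!ok) { free(p); return NULL; }
    return p;   /* fully written, so the caller may now read it */
}

int main(void)
{
    unsigned char *seed = malloc_filled(BUF_LEN);
    printf("static=%zu calloc=%zu filled=%s\n", static_nonzero(), calloc_nonzero(), seed ? "ok" : "failed");
    free(seed);
    return 0;
}
```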


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds