This doesn't fix the problems, only removes markers alerting us to audit it.

Memory management in these files is still missing integer overflow checks,
NULL return checks, and is full of crazy abominations like:

X509_NAME *
parse_name(char *subject, long chtype, int multirdn)
{
        size_t buflen = strlen(subject) + 1;    /* ...
        char *buf = malloc(buflen);
        size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
        char **ne_types = malloc(max_ne * sizeof(char *));
        char **ne_values = malloc(max_ne * sizeof(char *));
        int *mval = malloc(max_ne * sizeof(int));

I'm working on a more complete patch which addresses these issues too.
