In function: OpenSSLCryptoX509::loadX509Base64Bin of xsec/enc/OpenSSL/OpenSSLCryptoX509.cpp around line 166:
This buf variable is the parameter of the function:
Since the length is not provided, sbStrcpyIn calls strlen in buf which tries to find a null character, but the signature of the function (loadX509Base64Bin) takes the length as well, which suggest that the caller shouldn't need to provide a null terminated string.
A possible fix is to call sbStrncpyIn(buf, len) but it is not clear to me when m_DERX509 is used (if it is). Maybe removing this call is enough...