The bug description
-------------------

1. The 'DecodeFcn' type is defined as:

    typedef void (*DecodeFcn) PROTO (( BUF_TYPE b, void *value, AsnLen *bytesDecoded, ENV_TYPE env ));

2. The decode function for a structure (say PhoneNumber) as generated looks like:

    void DDecPhoneNumberContent PROTO (( BUF_TYPE b, AsnTag tagId0, AsnLen elmtLen0, PhoneNumber *v, AsnLen *bytesDecoded, ENV_TYPE env ));

3. AnyInfo struct is defined as:

    typedef struct AnyInfo
    {
        int anyId;          /* will be a value from the AnyId enum */
        AsnOid oid;         /* will be zero len/null if intId is valid */
        AsnInt intId;
        unsigned int size;  /* size of the C data type (ie as ret'd by sizeof) */
        EncodeFcn Encode;
        DecodeFcn Decode;
        FreeFcn Free;
        PrintFcn Print;
    } AnyInfo;

4. If one does 'InstallAnyBy***' to install PhoneNumber as one any type, a hash table entry is created with entry->value being an (AnyInfo *) new variable 'a' with

    a->Decode = (DecodeFcn) DDecPhoneNumberContent;

5. Later on, in a decoding function where we have to decode into an AsnAny *v, we need to do:

    SetAnyTypeByI*** (v, );

   For fetching the relevant AnyInfo into v->ai. Suppose we fetched out the info corresponding to PhoneNumber. Then we make a call to AsnAny decode function which looks as:

    void
    BDecAsnAny PARAMS ((b, result, bytesDecoded, env),
        BUF_TYPE b _AND_
        AsnAny *result _AND_
        AsnLen *bytesDecoded _AND_
        ENV_TYPE env)
    {
        if ((result->ai != NULL) && (result->ai->Decode != NULL))
        {
            result->value = (void*) Asn1Alloc (result->ai->size);
            result->ai->Decode (b, result->value, bytesDecoded, env);
            ...
            ...
            ...
    }

ANALYSIS:

As you can make out, the call result->ai->Decode (b, result->value, bytesDecoded, env), referring to (1) and (2), is equivalent to calling 'DDecPhoneNumberContent' with argument-param mapping as:

    BUF_TYPE b             <==  BUF_TYPE b
    AsnTag tagId0          <==  void *result->value
    AsnLen elmtLen0        <==  AsnLen *bytesDecoded
    PhoneNumber *v         <==  ENV_TYPE env
    AsnLen *bytesDecoded   <==  ??
    ENV_TYPE env           <==  ??
This gives invalid values to tagId0, elmtLen0 and v, and unknown values to bytesDecoded and env inside the call. This leads to dangerous operations.
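
One way to avoid the mismatch, shown as an added example that is not code from the library or from this report: install a function whose signature really is DecodeFcn and let it forward to the six-parameter content decoder, so no cast is needed. The types Buf and Env, the names DecPhoneNumberAny and decode_any, and the short-form-length-only header parsing are assumptions made for the sketch.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not the library's definitions. */
typedef unsigned long AsnLen;
typedef unsigned char AsnTag;
typedef struct { const unsigned char *data; size_t len, pos; } Buf; /* for BUF_TYPE */
typedef int Env;                          /* for ENV_TYPE: set to 1 on error */
typedef struct { char digits[16]; } PhoneNumber;

/* Four parameters, as in the DecodeFcn typedef quoted in (1). */
typedef void (*DecodeFcn)(Buf *b, void *value, AsnLen *bytesDecoded, Env *env);

/* Six parameters, as in the generated content decoder quoted in (2). */
static void DecPhoneNumberContent(Buf *b, AsnTag tagId0, AsnLen elmtLen0,
                                  PhoneNumber *v, AsnLen *bytesDecoded, Env *env)
{
    (void)tagId0;
    if (elmtLen0 >= sizeof v->digits || elmtLen0 > b->len - b->pos) { *env = 1; return; }
    memcpy(v->digits, b->data + b->pos, elmtLen0);
    v->digits[elmtLen0] = '\0';
    b->pos += elmtLen0;
    *bytesDecoded += elmtLen0;
}

/* Adapter with the exact DecodeFcn signature: reads tag and short-form length,
   then hands each argument to the content decoder in its real position. */
static void DecPhoneNumberAny(Buf *b, void *value, AsnLen *bytesDecoded, Env *env)
{
    if (b->len - b->pos < 2 || (b->data[b->pos + 1] & 0x80)) { *env = 1; return; }
    AsnTag tag = b->data[b->pos];
    AsnLen len = b->data[b->pos + 1];
    b->pos += 2;
    *bytesDecoded += 2;
    DecPhoneNumberContent(b, tag, len, (PhoneNumber *)value, bytesDecoded, env);
}

/* Installed without a cast, so the compiler checks the signature here. */
static const DecodeFcn phoneNumberDecode = DecPhoneNumberAny;

const unsigned char SAMPLE[] = { 0x13, 0x04, '5', '5', '5', '1' }; /* constructed */

/* Call through the pointer with four arguments, as the Any decoder does. */
int decode_any(const unsigned char *bytes, size_t n, PhoneNumber *out, AsnLen *bytesDecoded)
{
    Buf b = { bytes, n, 0 };
    Env env = 0;
    *bytesDecoded = 0;
    phoneNumberDecode(&b, out, bytesDecoded, &env);
    return env;
}
```

Assigning DecPhoneNumberContent directly to phoneNumberDecode would be rejected by the compiler; the (DecodeFcn) cast in (4) is what hides that diagnostic.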