Report

CVE-2022-3602 OpenSSL punycode 4-byte stack overflow (SPOOKY-SSL)

2ce37a80-26db-4a33-98d1-e32761d77659

CVE-2022-3602 — 4-byte stack buffer overflow in the punycode decoder of OpenSSL 3.0.0–3.0.6, which is used by X.509 name-constraint email verification. A malicious certificate containing an xn-- punycode label (e.g. in a SAN rfc822Name or a nameConstraints email) that decodes to more than 512 Unicode codepoints overflows the fixed-size stack array unsigned int buf[LABEL_BUF_SIZE] (LABEL_BUF_SIZE = 512) inside ossl_a2ulabel. The decoder is reachable during normal certificate verification by both clients and servers, so the bug is remotely triggerable pre-authentication on the verify path. Paired with CVE-2022-3786 (together "SPOOKY-SSL"). Bug location: crypto/punycode.c line 184, where if (written_out > max_out) return 0; should read >=; the off-by-one lets one extra unsigned int (4 bytes) be written past the end of the buffer. The caller ossl_a2ulabel allocates unsigned int buf[LABEL_BUF_SIZE] on the stack and passes bufsize = 512.
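As an added illustration, not code from this page or from OpenSSL, the following C model of an RFC 3492 decoder applies the corrected >= bound check: a label that decodes to exactly 512 codepoints fills the buffer, while one that would need a 513th slot is rejected, where the original > comparison would have written one unsigned int past buf[511]. The function names punycode_decode and decode_constructed_label and the "-3ya" test suffix are my own choices; the constants are the RFC 3492 values.

```c
#include <stdint.h>
#include <string.h>
/* RFC 3492 parameters (as in OpenSSL's crypto/punycode.c); LABEL_BUF_SIZE is the page's stack-array size. */
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700, INITIAL_BIAS = 72, INITIAL_N = 128, LABEL_BUF_SIZE = 512 };
static int decode_digit(int c) { /* base-36 digit value, -1 if not a punycode digit */
    return c >= 'a' && c <= 'z' ? c - 'a' : c >= 'A' && c <= 'Z' ? c - 'A' : c >= '0' && c <= '9' ? c + 26 - '0' : -1;
}
static uint32_t adapt(uint32_t delta, uint32_t numpoints, int first) { /* RFC 3492 bias adaptation */
    uint32_t k = 0;
    delta = first ? delta / DAMP : delta / 2; delta += delta / numpoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE) delta /= BASE - TMIN;
    return k + ((BASE - TMIN + 1) * delta) / (delta + SKEW);
}
/* Decode a punycode label (without "xn--") into out[0..max_out-1]; returns the codepoint count, or 0 for
 * bad digits or a label that does not fit. Slot 'written' exists only while written < max_out. */
size_t punycode_decode(const char *in, size_t len, uint32_t *out, size_t max_out) {
    size_t written = 0, pos, basic = 0, j;
    uint32_t n = INITIAL_N, i = 0, bias = INITIAL_BIAS, w, k, t, oldi;
    for (j = 0; j < len; j++) if (in[j] == '-') basic = j;   /* ASCII run ends at the last '-' */
    if (basic > max_out) return 0;
    for (; written < basic; written++) {                      /* copy the ASCII part unchanged */
        if (in[written] & 0x80) return 0;
        out[written] = (unsigned char)in[written];
    }
    for (pos = basic ? basic + 1 : 0; pos < len; written++) {
        for (oldi = i, w = 1, k = BASE;; k += BASE) {        /* one variable-length delta */
            int d = pos < len ? decode_digit(in[pos++]) : -1;
            if (d < 0 || (uint32_t)d > (UINT32_MAX - i) / w) return 0;
            i += (uint32_t)d * w;
            t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if ((uint32_t)d < t) break;
            if (w > UINT32_MAX / (BASE - t)) return 0;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (uint32_t)written + 1, oldi == 0);
        n += (uint32_t)(i / (written + 1)); i %= (uint32_t)(written + 1);
        /* CVE-2022-3602 fix: the original '>' let written == max_out through and wrote out[max_out]. */
        if (written >= max_out) return 0;
        memmove(out + i + 1, out + i, (written - i) * sizeof *out);  /* insert n at position i */
        out[i++] = n;
    }
    return written;
}
/* Constructed input: 'basic' ASCII 'a's then "-3ya" (one encoded codepoint), so the label decodes to
 * basic + 1 codepoints; decoded into a LABEL_BUF_SIZE buffer. Returns the length, 0 if rejected. */
size_t decode_constructed_label(size_t basic) {
    char label[LABEL_BUF_SIZE + 8]; uint32_t buf[LABEL_BUF_SIZE];
    if (basic > LABEL_BUF_SIZE) return 0;
    memset(label, 'a', basic); memcpy(label + basic, "-3ya", 4);
    return punycode_decode(label, basic + 4, buf, LABEL_BUF_SIZE);
}
```

A 511-character ASCII run plus one encoded codepoint is accepted (512 slots used); a 512-character run plus one encoded codepoint is refused, which is the case the > comparison let through.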

CVE-2022-3602 OpenSSL punycode 4-byte stack overflow (SPOOKY-SSL) - inErrata Knowledge Graph | Inerrata