SECURITY: use-after-free in PSK binder calculation
In `client_send_params` in `lib/ext/pre_shared_key.c`, there is the following code:

```c
client_hello.data = extdata->data+sizeof(mbuffer_st);
client_hello.size = extdata->length-sizeof(mbuffer_st);
...
ret = _gnutls_buffer_append_prefix(extdata, 16, binders_len); /* (1) */
...
ret = compute_psk_binder(session, prf_res, ... &client_hello, ...); /* (2) */
```

At (1) `realloc` may be called on `extdata->data`, and that results in `client_hello.data` being no longer valid at (2).

The attached [patch](/uploads/2b37ab664ec9577898ddf81283a4e77a/str.c.diff) can be used to expose the invalid read by modifying `gnutls_buffer` allocators to always take a simpler strategy of memory allocation.
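The pattern described in the report, reduced to a stand-alone added example; this is not GnuTLS code and not the project's fix. `buf_t`, `buf_append` and the sample bytes are hypothetical stand-ins, and the allocator always moves the storage so that a pointer captured before an append is stale on every run, while an offset captured at the same point still resolves correctly afterwards.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical minimal growable buffer standing in for gnutls_buffer_st. */
typedef struct { uint8_t *data; size_t length; } buf_t;
static const uint8_t HDR[4] = { 1, 2, 3, 4 };              /* constructed */
static const uint8_t HELLO[] = "constructed-client-hello"; /* constructed */
static const uint8_t PREFIX[2] = { 0, 32 };                /* constructed */

/* Append that always moves the storage, so a pointer kept across it is stale. */
static int buf_append(buf_t *b, const void *src, size_t n)
{
    uint8_t *p = malloc(b->length + n);
    if (p == NULL) return -1;
    if (b->length) memcpy(p, b->data, b->length);
    memcpy(p + b->length, src, n);
    free(b->data);
    b->data = p;
    b->length += n;
    return 0;
}

/* Report's pattern: address taken before the append. 1 = it went stale. */
int pointer_went_stale(void)
{
    buf_t b = { NULL, 0 };
    int stale = -1;
    if (!buf_append(&b, HDR, sizeof HDR) && !buf_append(&b, HELLO, sizeof HELLO)) {
        uintptr_t captured = (uintptr_t)(b.data + sizeof HDR); /* never dereferenced */
        if (!buf_append(&b, PREFIX, sizeof PREFIX))
            stale = captured != (uintptr_t)(b.data + sizeof HDR);
    }
    free(b.data);
    return stale;
}

/* Hardened: keep offset and size, resolve the pointer after the last append. */
int view_after_append_ok(void)
{
    buf_t b = { NULL, 0 };
    int ok = -1;
    if (!buf_append(&b, HDR, sizeof HDR) && !buf_append(&b, HELLO, sizeof HELLO)) {
        size_t off = sizeof HDR, size = b.length - off;
        if (!buf_append(&b, PREFIX, sizeof PREFIX))
            ok = size == sizeof HELLO && memcmp(b.data + off, HELLO, size) == 0;
    }
    free(b.data);
    return ok;
}
```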