OpenSSL Heartbeat Code

OpenSSL heartbeat bug patch (CVE-2014-0160):<p><a href="https://github.com/openssl/openssl/commit/731f431497f463f3a2a97236fe0187b11c44aead" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;openssl&#x2F;openssl&#x2F;commit&#x2F;731f431497f463f3a2...</a><p>&gt; A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.<p>Previous discussion: <a href="https://news.ycombinator.com/item?id=7557825" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=7557825</a>

Can someone explain which part of the code contains the bug and why it is a bug?

<a href="https://github.com/openssl/openssl/commit/bd6941cfaa31ee8a3f8661cb98227a5cbcc0f9f3?resubmit#commitcomment-5945571" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;openssl&#x2F;openssl&#x2F;commit&#x2F;bd6941cfaa31ee8a3f...</a><p>Amelek is being a bit harsh or just plain wrong; I learned a few days ago that checking malloc&#x27;s return value means almost nothing:<p><a href="https://news.ycombinator.com/item?id=7541585" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=7541585</a>