
I would imagine you have to try a different password each time.


Why would you imagine that? The bug is that what password you provide doesn't matter.


That wasn't how I read it.

It sounds like they were casting the result of a memcmp to a char. A char only has a range of -128 to 127. The resulting overflow means that an arbitrary password hash has a 1/255 chance of landing on 0, but you still have to try a bunch to hit one.


This is incorrect. You do not need to try a different password each time.


The password is combined with a random value on each attempt; the hash will change each time.


memcmp will probably always return the same value for the same parameters, which may not trigger the error. Trying different values may yield a value whose mod is 0.
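
The narrowing discussed in this thread (a comparison result cast to `char`), shown beside a corrected check, as an added example that is not part of any comment or of the affected software's code. `wide_cmp` is a constructed stand-in for a memcmp implementation whose results fall outside -128..127; all names and sample bytes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for an optimized memcmp. The C standard fixes only the
   sign of memcmp's result, so an implementation may return large values. This
   one compares big-endian 16-bit words and returns their difference. */
static int wide_cmp(const unsigned char *a, const unsigned char *b, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb) return wa - wb;
    }
    if (n % 2 && a[n - 1] != b[n - 1]) return a[n - 1] - b[n - 1];
    return 0;
}

/* Flawed: 0 is meant to signal "match", but narrowing int to char keeps only
   the low 8 bits, so a nonzero multiple of 256 also becomes 0. */
static char check_truncated(const unsigned char *e, const unsigned char *s, size_t n) {
    return (char)wide_cmp(e, s, n);
}

/* Corrected: collapse the result to 0 or 1 before it is narrowed. */
static char check_normalized(const unsigned char *e, const unsigned char *s, size_t n) {
    return wide_cmp(e, s, n) != 0;
}

typedef char (*check_fn)(const unsigned char *, const unsigned char *, size_t);

/* Counts non-matching inputs that a check reports as matching, over every
   value of the first two bytes (constructed sample data). */
static int count_wrong_accepted(check_fn check) {
    const unsigned char expected[4] = {0x12, 0x34, 0x56, 0x78};
    int accepted = 0;
    for (int w = 0; w < 65536; w++) {
        unsigned char supplied[4] = {(unsigned char)(w >> 8), (unsigned char)w, 0x56, 0x78};
        if (memcmp(expected, supplied, 4) == 0) continue; /* the genuine match */
        if (check(expected, supplied, 4) == 0) accepted++;
    }
    return accepted;
}

int main(void) {
    printf("truncated:  %d wrong inputs accepted\n", count_wrong_accepted(check_truncated));
    printf("normalized: %d wrong inputs accepted\n", count_wrong_accepted(check_normalized));
    return 0;
}
```

How often the truncated check misfires depends on which values the comparison routine actually returns, which varies by libc and build; the counts here apply only to the constructed `wide_cmp`.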



