Right now, if you pass a key that is too short, encryption will appear to work, but part of your key will be whatever garbage happened to be in memory.

If you pass a key that is too long, it will silently ignore the rest of the key. This might be a "feature" someone is relying on though, and is less obviously wrong than the former.