nanopb is a plain-C implementation of Google's Protocol Buffers data format.
Affected versions of this package are vulnerable to Out-of-bounds Read. It might call
free() on a pointer value that comes from uninitialized memory, with the following conditions:
- It is compiled with
- the message to be decoded contains a repeated string, bytes or message field
- realloc() runs out of memory when expanding the array
Depending on the platform, this can result in a crash or further memory corruption, which may be exploitable in some cases.
Upgrade nanopb to version 1.30905.0 or higher.
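The failure mode described above, shown as a defensive pattern in an added example (not nanopb's source and not code from the original advisory): a growable array of heap-allocated strings whose element count is raised only after the new slot holds a valid pointer, so a failed realloc() leaves nothing uninitialized for the cleanup loop to free. The str_array type, the grow() wrapper and the fail_next_realloc hook are hypothetical names constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical array of owned strings; not nanopb's types. */
typedef struct { char **items; size_t count; } str_array;

/* Test hook (constructed for this example): force the next grow to fail. */
static int fail_next_realloc = 0;
static void *grow(void *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Append a copy of s; returns 1 on success, 0 on out-of-memory.
 * count is raised only once the slot holds a valid pointer, so the
 * release loop can never reach memory that was never written. */
int str_array_append(str_array *a, const char *s) {
    if (a->count >= (size_t)-1 / sizeof(char *) - 1) return 0; /* size overflow */
    char **grown = grow(a->items, (a->count + 1) * sizeof(char *));
    if (grown == NULL) return 0;   /* old items/count are still consistent */
    a->items = grown;
    a->items[a->count] = NULL;     /* initialise the new slot immediately */
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy == NULL) return 0;    /* slot is NULL and not yet counted */
    memcpy(copy, s, len);
    a->items[a->count++] = copy;
    return 1;
}

/* Free all owned elements; returns the number of strings released. */
size_t str_array_release(str_array *a) {
    size_t freed = a->count;
    for (size_t i = 0; i < a->count; i++) free(a->items[i]);
    free(a->items);
    a->items = NULL; a->count = 0;
    return freed;
}

int main(void) {
    str_array a = {0};
    str_array_append(&a, "one");
    fail_next_realloc = 1;         /* simulate out-of-memory on expansion */
    int ok = str_array_append(&a, "two");
    printf("append ok=%d count=%zu\n", ok, a.count);
    str_array_release(&a);
    return 0;
}
```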