Vulnerability	Vulnerable Version
H Release of Invalid Pointer or Reference nanopb is a python binding for C package nanopb. Affected versions of this package are vulnerable to Release of Invalid Pointer or Reference. Decoding a specifically formed message can cause invalid `free()` or `realloc()` calls if the message type contains an `oneof` field, and the `oneof` directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. How to fix Release of Invalid Pointer or Reference? Upgrade `nanopb` to version 0.3.9.8, 0.4.5 or higher.	[,0.3.9.8)[0.4.0,0.4.5)
H Resource Exhaustion nanopb is a python binding for C package nanopb. Affected versions of this package are vulnerable to Resource Exhaustion. Decoding a specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. How to fix Resource Exhaustion? Upgrade `nanopb` to version 0.3.9.7, 0.4.4 or higher.	[,0.3.9.7)[0.4.0,0.4.4)

Release of Invalid Pointer or Reference

nanopb is a python binding for C package nanopb.

Affected versions of this package are vulnerable to Release of Invalid Pointer or Reference. Decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed.

How to fix Release of Invalid Pointer or Reference?

Upgrade nanopb to version 0.3.9.8, 0.4.5 or higher.

[,0.3.9.8)[0.4.0,0.4.5)

Resource Exhaustion

nanopb is a python binding for C package nanopb.

Affected versions of this package are vulnerable to Resource Exhaustion. Decoding a specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed.

How to fix Resource Exhaustion?

Upgrade nanopb to version 0.3.9.7, 0.4.4 or higher.

[,0.3.9.7)[0.4.0,0.4.4)

Go back to all versions of this package