4 Feb 2020
3 Feb 2020
How to fix?
Upgrade nanopb to version 1.30905.0 or higher.
nanopb is a plain-C implementation of Google's Protocol Buffers data format.
Affected versions of this package are vulnerable to Out-of-bounds Read. It might call free() on a pointer value that comes from uninitialized memory, with the following conditions:
- It is compiled with
- the message to be decoded contains a repeated string, bytes or message field
- realloc() runs out of memory when expanding the array
Depending on the platform, this can result in a crash or further memory corruption, which may be exploitable in some cases.
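The failure mode described above, as an added C example that is not nanopb's source code: a repeated pointer field whose element count gets ahead of the array when realloc() fails, next to a hardened form. The names rep_field, try_realloc, dup_str, append_flawed, append_safe and release are hypothetical, and the out-of-memory condition is simulated with a flag.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical repeated string field: 'count' heap pointers held in 'items'. */
typedef struct { char **items; size_t count; } rep_field;

static int fail_next_realloc = 0;        /* hook to simulate out-of-memory */
static void *try_realloc(void *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}
static char *dup_str(const char *s) {
    char *c = malloc(strlen(s) + 1);
    if (c) strcpy(c, s);
    return c;
}

/* Flawed: count is bumped before the array has actually grown. */
int append_flawed(rep_field *f, const char *s) {
    f->count++;                          /* counts a slot that may not exist */
    char **grown = try_realloc(f->items, f->count * sizeof *grown);
    if (!grown) return 0;                /* error path leaves count too large */
    f->items = grown;
    f->items[f->count - 1] = dup_str(s);
    return f->items[f->count - 1] != NULL;
}

/* Hardened: grow, NULL the new slot, and only then publish the new count. */
int append_safe(rep_field *f, const char *s) {
    char **grown = try_realloc(f->items, (f->count + 1) * sizeof *grown);
    if (!grown) return 0;                /* field unchanged on failure */
    f->items = grown;
    f->items[f->count] = NULL;           /* no slot is left uninitialized */
    char *copy = dup_str(s);
    if (!copy) return 0;
    f->items[f->count++] = copy;
    return 1;
}

/* Cleanup trusts 'count'; returns the number of slots it freed. */
size_t release(rep_field *f) {
    size_t n = f->count;
    for (size_t i = 0; i < n; i++)
        free(f->items[i]);               /* free(NULL) is a no-op */
    free(f->items);
    f->items = NULL;
    f->count = 0;
    return n;
}
```

After a failed append_flawed(), calling release() would read one element past the array and pass that value to free(); append_safe() leaves the field exactly as it was, so cleanup stays within bounds.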