[Security report]: Patch for CVE-2020-26243 & CVE-2020-5235 found in reused component nanopb by using V1SCAN #6312
Description
Contact me:
weitingcai2020@gmail.com
References:
Github Security Advisory for CVE-2020-26243
NVD description
Commit for CVE-2020-26243
Patch suggestion:
Replace the code at lines 406-415 with the following code:
if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE &&
*(pb_size_t*)iter->pSize != iter->pos->tag)
{
/* We memset to zero so that any callbacks are set to NULL.
* This is because the callbacks might otherwise have values
* from some other union field. */
memset(iter->pData, 0, iter->pos->data_size);
pb_message_set_to_defaults((const pb_field_t*)iter->pos->ptr, iter->pData);
}
*(pb_size_t*)iter->pSize = iter->pos->tag;
return func(stream, iter->pos, iter->pData);
Github Security Advisory for CVE-2020-5235
NVD description
Commit for CVE-2020-5235
Patch suggestion:
Replace the code at lines 658-662 with the following code:
if (!allocate_field(stream, iter->pData, iter->pos->data_size, (size_t)(*size + 1)))
return false;
pItem = *(char**)iter->pData + iter->pos->data_size * (*size);
(*size)++;