[Security report]: Patch for CVE-2020-26243 & CVE-2020-5235 found in reused component nanopb by using V1SCAN

[ltcdCai]

Contact me:
[email protected]

References:

Github Security Advisory for CVE-2020-26243
NVD description
Commit for CVE-2020-26243

Steps to reproduce it

Patch suggestion:
Replace the code at lines 406-415 with the following code:

            if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE &&
                *(pb_size_t*)iter->pSize != iter->pos->tag)
            {
                /* We memset to zero so that any callbacks are set to NULL.
                 * This is because the callbacks might otherwise have values
                 * from some other union field. */
                memset(iter->pData, 0, iter->pos->data_size);
                pb_message_set_to_defaults((const pb_field_t*)iter->pos->ptr, iter->pData);
            }
            *(pb_size_t*)iter->pSize = iter->pos->tag;

            return func(stream, iter->pos, iter->pData);

Github Security Advisory for CVE-2020-5235
NVD description
Commit for CVE-2020-5235

Patch suggestion:
Replace the code at lines 658-662 with the following code:

                if (!allocate_field(stream, iter->pData, iter->pos->data_size, (size_t)(*size + 1)))
                    return false;
            
                pItem = *(char**)iter->pData + iter->pos->data_size * (*size);
                (*size)++;

[sunghan-chang]

@jylee9613 Could you check it?