Nanopb · Nanopb · CVE-2024-53984
Name of the Vulnerable Software and Affected Versions:
Nanopb versions prior to 0.4.9.1
Description:
The issue arises when the compile-time option `PB_ENABLE_MALLOC` is enabled, the message contains at least one field with the `FT_POINTER` field type, a custom stream callback is used with an unknown stream length, and the `pb_decode_ex()` function is called with the `PB_DECODE_DELIMITED` flag. Under this combination, decoding can leak memory, which could be exploited for denial of service.
Recommendations:
For versions prior to 0.4.9.1, update to version 0.4.9.1 to resolve the issue. If an immediate upgrade is not possible, avoid calling `pb_decode_ex()` with the `PB_DECODE_DELIMITED` flag, restrict the use of custom stream callbacks with unknown stream lengths, and avoid the `FT_POINTER` field type in messages until the fixed version is deployed.
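The advisory's preconditions are easy to check mechanically before deciding whether a build is affected. The script below is an added example, not from the advisory or the nanopb project: it reads the nanopb version from `pb.h` and greps the application sources for each listed precondition. It assumes `pb.h` defines `NANOPB_VERSION "nanopb-X.Y.Z"`, that malloc support is enabled via `#define PB_ENABLE_MALLOC` or `-DPB_ENABLE_MALLOC`, that `FT_POINTER` fields appear as `X(a, POINTER, ...)` in generated `.pb.c` files or as `FT_POINTER` in `.options` files, and that an unknown-length callback stream is configured with `bytes_left = SIZE_MAX`; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or the nanopb project). Assumptions are
# listed in the lead-in; struct-initializer forms of bytes_left are not detected.

# 0 if version "$1" (e.g. 0.4.9) is older than the fixed release 0.4.9.1, else 1.
nanopb_version_is_vulnerable() {
    printf '%s\n' "$1" | awk -F. '{
        v = $1 * 1000000 + $2 * 10000 + $3 * 100 + ($4 == "" ? 0 : $4)
        exit !(v < 40901)   # 40901 encodes 0.4.9.1
    }'
}

# Usage: nanopb_cve_2024_53984_check APP_SRC_DIR NANOPB_DIR
# 0 if the version is vulnerable and every precondition is found, 1 otherwise.
nanopb_cve_2024_53984_check() {
    src=$1; nanopb=$2
    ver=$(grep -rhoE 'NANOPB_VERSION[[:space:]]+"?nanopb-[0-9.]+' "$nanopb" 2>/dev/null |
          head -n 1 | sed 's/.*nanopb-//')
    [ -n "$ver" ] || { echo "no NANOPB_VERSION found under $nanopb"; return 1; }
    nanopb_version_is_vulnerable "$ver" || { echo "nanopb $ver contains the fix"; return 1; }
    # label@ERE pairs; all four must match somewhere under $src.
    for cond in \
        'PB_ENABLE_MALLOC@^[[:space:]]*#[[:space:]]*define[[:space:]]+PB_ENABLE_MALLOC|-DPB_ENABLE_MALLOC' \
        'FT_POINTER field@X\(a,[[:space:]]*POINTER,|FT_POINTER' \
        'unknown-length callback stream@bytes_left[[:space:]]*=[[:space:]]*SIZE_MAX' \
        'PB_DECODE_DELIMITED flag@PB_DECODE_DELIMITED'
    do
        label=${cond%%@*}; pattern=${cond#*@}
        if grep -rqE "$pattern" "$src" 2>/dev/null; then echo "found: $label"
        else echo "precondition absent: $label"; return 1; fi
    done
    echo "nanopb $ver with all preconditions present: update to 0.4.9.1"
}

# Constructed sample tree (not real project files) exercising the check with version "$1".
nanopb_check_demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/nanopb" "$d/src"
    printf '#define NANOPB_VERSION "nanopb-%s"\n' "$1" > "$d/nanopb/pb.h"
    printf '#define PB_ENABLE_MALLOC 1\n' > "$d/src/pb_user_config.h"
    printf 'X(a, POINTER, REPEATED, STRING, names, 1)\n' > "$d/src/msg.pb.c"
    printf 'in.bytes_left = SIZE_MAX;\nok = pb_decode_ex(&in, Msg_fields, &m, PB_DECODE_DELIMITED);\n' \
        > "$d/src/main.c"
    if nanopb_cve_2024_53984_check "$d/src" "$d/nanopb"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

nanopb_check_demo "${1:-0.4.9}"
```

Run it against a real tree with `nanopb_cve_2024_53984_check path/to/app/src path/to/nanopb`; a non-zero exit means either the version is already fixed or one of the preconditions was not found, and the printed line says which.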