Version: latest
What is the security issue or vulnerability?
/nanopb/pb_decode.c
In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains a oneof field, and the oneof directly contains both a pointer field and a non-pointer field.
Starting from line 1189:
pb_release_single_field(&old_field);
Security issue or vulnerability information
description: https://nvd.nist.gov/vuln/detail/CVE-2021-21401
commit: nanopb/nanopb@e2f0ccf
Could you apply for another new CVE and fix it?
Fix invalid free() with oneof (nanopb/nanopb#647)

Nanopb would call free() or realloc() on an invalid (attacker controlled) pointer value when all the following conditions are true:

- PB_ENABLE_MALLOC is defined at compile time.
- Message definition contains a oneof field, and the oneof contains at least one pointer type field and at least one non-pointer type field.
- Data being decoded first contains a non-pointer value for the oneof field, and later contains an overwriting pointer value.

Depending on message layout, the bug may not be exploitable in all cases, but it is known to be exploitable at least with string and bytes fields. Actual security impact will also depend on the heap implementation used.
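The release-then-reuse pattern the commit message describes, reduced to a stand-alone C illustration (added here, not nanopb's own code): a oneof union holding an int32 and a heap-allocated string, where switching the tag without zeroing the union leaves the int32's bytes in place for the pointer member, while the fixed pattern zeroes the union so realloc() always starts from NULL. The `Msg` type, `TAG_*` values and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a message whose oneof mixes a non-pointer
 * member (int32) with a pointer member (malloc'd string). */
enum { TAG_NONE = 0, TAG_VALUE = 1, TAG_NAME = 2 };

typedef struct {
    uint16_t which_choice;     /* tag of the member currently stored */
    union {
        int32_t value;         /* non-pointer member */
        char *name;            /* pointer member, heap allocated */
    } choice;
} Msg;

/* Buggy pattern: only pointer members are released, and the union bytes
 * are left untouched when the old member was a non-pointer. */
static void switch_to_name_unsafe(Msg *m) {
    if (m->which_choice == TAG_NAME && m->choice.name)
        free(m->choice.name);
    m->which_choice = TAG_NAME;   /* stale int32 bytes now read as a char* */
}

/* Returns the raw pointer a realloc() would receive after the unsafe
 * switch. Nothing is dereferenced or freed; the value is only inspected. */
uintptr_t stale_pointer_after_unsafe_switch(int32_t attacker_value) {
    Msg m = { TAG_VALUE, { .value = attacker_value } };
    switch_to_name_unsafe(&m);
    return (uintptr_t)m.choice.name;   /* nonzero: attacker-controlled bits */
}

/* Fixed pattern: release pointer data if present, then zero the whole union
 * so the pointer member is NULL before realloc(NULL, n) == malloc(n). */
static void switch_to_name_safe(Msg *m) {
    if (m->which_choice == TAG_NAME && m->choice.name)
        free(m->choice.name);
    memset(&m->choice, 0, sizeof m->choice);
    m->which_choice = TAG_NAME;
}

/* Simulates decoding an int32 value first, then an overwriting string.
 * Returns 1 if the string landed correctly and was released cleanly. */
int decode_value_then_name(int32_t v, const char *s) {
    Msg m = { TAG_VALUE, { .value = v } };
    switch_to_name_safe(&m);
    size_t n = strlen(s) + 1;
    char *p = realloc(m.choice.name, n);  /* m.choice.name is NULL here */
    if (!p) return 0;
    memcpy(p, s, n);
    m.choice.name = p;
    int ok = (m.which_choice == TAG_NAME) && strcmp(m.choice.name, s) == 0;
    free(m.choice.name);
    return ok;
}
```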