Back in design phase the code used realloc() for freeing the memory
also. However, this is not entirely portable, and therefore the finished
implementation used free() separately.
There were some remnants of the size = 0 code in the allocate_field()
code, which made it somewhat confusing. This change makes it clearer
that size = 0 is not allowed (and not used by nanopb).
The multiplication in allocate_field could potentially overflow,
leading to allocating too little memory. This could subsequently
allow an attacker to cause a write past the buffer, overwriting
other memory contents.
The attack is possible if untrusted message data is decoded using
nanopb, and the message type includes a pointer-type string or bytes
field, or a repeated numeric field. Submessage fields are not
affected.
This issue only affects systems that have been compiled with
PB_ENABLE_MALLOC enabled. Only version nanopb-0.2.7 is affected,
as prior versions do not include this functionality.
Update issue 117
Status: FixedInGit
This makes the internal logic much simpler, and also keeps the datatypes
more similar between STATIC/POINTER cases. It will still be a bit cumbersome
to use because of variable length array member. Macros PB_BYTES_ARRAY_T(n) and
PB_BYTES_ARRAY_T_ALLOCSIZE(n) have been added to make life a bit easier.
This has the drawback that it is no longer as easy to use externally allocated
byte array as input for bytes field in pointer mode. However, this is still
easy to do using callbacks, so it shouldn't be a large issue.
Apparently int32 values that are negative must be cast into int64 first
before being encoded. Because uint32 still needs to be cast to uint64,
the cases for int32 and uint32 had to be separated.
Update issue 97
Status: FixedInGit
These have been deprecated since nanopb-0.1.6 (some since 0.1.3).
Equivalent functions with better interface are available in the API.
Update issue 91
Status: FixedInGit
If you have a message that defined as empty, but attempt to decode a
message that has one or more unknown fields then pb_decode fails. The
method used to count the number of required fields counts 1 required
field because the default type of PB_LAST_FIELD is PB_HTYPE_REQUIRED.
NOTE: This change breaks backwards-compatibility by default.
If you have old callback functions, you can define PB_OLD_CALLBACK_STYLE
to retain the old behaviour.
If you want to convert your old callbacks to new signature, you need
to do the following:
1) Change decode callback argument to void **arg
and encode callback argument to void * const *arg.
2) Change any reference to arg into *arg.
The rationale for making the new behaviour the default is that it
simplifies the common case of "allocate some memory in decode callback".
Update issue 69
Status: FixedInGit
This allows replacing the C99 standard include file names with
a single system-specific file. It should provide all the necessary
system functions (typedefs, memset, memcpy, strlen).
Update issue 62
Status: FixedInGit
This is a more logical name in parallel with PB_HTYPE_REQUIRED and PB_HTYPE_OPTIONAL.
Warning: This breaks backwards-compatibility of generated .pb.c files.
You will have to regenerate the files and recompile.
This allows slight optimizations if only memory buffer support
(as opposed to stream callbacks) is wanted. On ARM difference
is -12% execution time, -4% code size when enabled.
This avoids doing 64-bit arithmetic for 32-bit varint decodings.
It does increase the code size somewhat.
Results for ARM Cortex-M3: -10% execution time, +1% code size, -2% ram usage.
In the pb_istream_from_buffer and pb_ostream_from_buffer, memcpy was
used to transfer values to the buffer. For the common case of
count = 1-10 bytes, a simple loop is faster.
Rationale: it's easy to implement the callback wrong. Doing so introduces
io errors when unknown fields are present in the input. If code is not
tested with unknown fields, these bugs can remain hidden for long time.
Added a special case for the memory buffer stream, where it gives a small
speed benefit.
Added testcase for skipping fields with test_decode2 implementation.
Update issue 37
Status: FixedInGit
This avoids double initialization when decoding nested submessages.
Fixes an issue with submessage arrays that was present in previous
version of this patch.
Update issue 28
Status: FixedInGit
