Security Vulnerability - Action Required: Out-of-bounds Read vulnerability may in your project

[Crispy-fried-chicken]

Hi,
we have detected that your project may be vulnerable to Insufficient Information in the function of decode_pointer_field in the file of lib/transport/pb_decode.c. It shares similarities to a recent CVE disclosure CVE-2020-5235 in the https://github.com/nanopb/nanopb.
The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier:CVE-2020-5235
Description: There is a potentially exploitable out of memory condition In Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field and realloc() runs out of memory when expanding the array nanopb can end up calling free() on a pointer value that comes from uninitialized memory. Depending on platform this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-5235
Patch: nanopb/nanopb@aa9d0d1

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!