libusb versions prior to 1.0.30 contain a one-byte out-of-bounds read vulnerability in the parse_iad_array() function within descriptor.c. The flaw occurs when processing malformed USB Interface Association Descriptors (IADs) where the bLength field equals the remaining buffer size minus one. This causes an incorrect bounds check that uses the original buffer size rather than the remaining size, permittin [truncated]
libusb versions prior to 1.0.30 contain a NULL pointer dereference vulnerability in the `parse_interface()` function. The flaw occurs when a malformed USB configuration descriptor claims `bNumEndpoints > 0` but is followed by a class-specific descriptor with a `bLength` exceeding the remaining buffer size. This causes early return from `parse_interface()` without allocating the endpoint array, leaving a N [truncated]