A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. The introduced check was incorrect, as it took into account the size of the pointer, not the structure. This vulnerability affects both kernel and userland.
This issue was originally intended to be addressed as part of FreeBSD-SA-24:09.libnv, but due to a logic issue, this issue was not properly addressed.
