v3-0002-Fix-sscanf-limit-in-pg_dump.patch

application/octet-stream

Filename: v3-0002-Fix-sscanf-limit-in-pg_dump.patch
Type: application/octet-stream
Part: 1
Message: Re: Unbounded %s in sscanf

Patch

Format: format-patch
Series: patch v3-0002
Subject: Fix sscanf limit in pg_dump
File+
src/bin/pg_dump/pg_backup_directory.c 2 2
From 54ba03740cd36ee8bd1a4ba1c0b4ae3bc3e19fed Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Mon, 28 Jun 2021 20:45:43 +0200
Subject: [PATCH v3 2/3] Fix sscanf limit in pg_dump

Make sure that the string parsing is limited by the size of the
destination buffer. Since the buffer is bounded by MAXPGPATH, the
limit must be inserted via preprocessor expansion and the buffer
increased by one to account for the terminator. There is no risk
of overflow here, since in this case, the buffer scanned is smaller
than the destination buffer.
---
 src/bin/pg_dump/pg_backup_directory.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/bin/pg_dump/pg_backup_directory.c b/src/bin/pg_dump/pg_backup_directory.c
index fb8c7713a5..57243c5971 100644
--- a/src/bin/pg_dump/pg_backup_directory.c
+++ b/src/bin/pg_dump/pg_backup_directory.c
@@ -449,11 +449,11 @@ _LoadBlobs(ArchiveHandle *AH)
 	/* Read the blobs TOC file line-by-line, and process each blob */
 	while ((cfgets(ctx->blobsTocFH, line, MAXPGPATH)) != NULL)
 	{
-		char		fname[MAXPGPATH];
+		char		fname[MAXPGPATH + 1];
 		char		path[MAXPGPATH];
 
 		/* Can't overflow because line and fname are the same length. */
-		if (sscanf(line, "%u %s\n", &oid, fname) != 2)
+		if (sscanf(line, "%u %" CppAsString2(MAXPGPATH) "s\n", &oid, fname) != 2)
 			fatal("invalid line in large object TOC file \"%s\": \"%s\"",
 				  fname, line);
 
-- 
2.30.1 (Apple Git-130)