Unbounded %s in sscanf

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2021-06-28T13:06:37Z
Lists: pgsql-hackers

Attachments

I happened to spot the below call in src/bin/pg_basebackup/streamutil.c which
has an unbounded %s in the format.

    /* fetch xlog value and unit from the result */
    if (sscanf(PQgetvalue(res, 0, 0), "%d%s", &xlog_val, xlog_unit) != 2)

There is no risk of overflow as the unit is defined to be at most 2 characters,
but that's not explained (like how a similar %s is handled in pg_dump).  The
attached adds a small explanation in the comment to save readers time from
following the bouncing ball to make sure.

--
Daniel Gustafsson		https://vmware.com/

Commits

  1. Fix bug in TOC file error message printing

  2. Fix sscanf limits in pg_basebackup and pg_dump

  3. Fix sscanf limits in pg_dump