From abdf81a20ba2ddc06a0ebdd58ee8747306fb2004 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Tue, 19 Oct 2021 12:59:50 +0200 Subject: [PATCH] Fix sscanf limits in pg_dump Make sure that the string parsing is limited by the size of the destination buffer. The buffer is bounded by MAXPGPATH, and thus the limit must be inserted via preprocessor expansion and the buffer increased by one to account for the terminator. There is no risk of overflow here, since in this case, the buffer scanned is smaller than the destination buffer. Backpatch all the way down to 9.6. Reviewed-by: Tom Lane Discussion: https://postgr.es/m/B14D3D7B-F98C-4E20-9459-C122C67647FB@yesql.se Backpatch-through: 9.6 --- src/bin/pg_dump/pg_backup_directory.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bin/pg_dump/pg_backup_directory.c b/src/bin/pg_dump/pg_backup_directory.c index acf7a485e92..27615bfa9b6 100644 --- a/src/bin/pg_dump/pg_backup_directory.c +++ b/src/bin/pg_dump/pg_backup_directory.c @@ -458,11 +458,11 @@ _LoadBlobs(ArchiveHandle *AH) /* Read the blobs TOC file line-by-line, and process each blob */ while ((cfgets(ctx->blobsTocFH, line, MAXPGPATH)) != NULL) { - char fname[MAXPGPATH]; + char fname[MAXPGPATH + 1]; char path[MAXPGPATH]; /* Can't overflow because line and fname are the same length. */ - if (sscanf(line, "%u %s\n", &oid, fname) != 2) + if (sscanf(line, "%u %" CppAsString2(MAXPGPATH) "s\n", &oid, fname) != 2) exit_horribly(modulename, "invalid line in large object TOC file \"%s\": \"%s\"\n", fname, line); -- 2.39.5