Re: BUG #8540: Avoid sscanf buffer overflow
| From | Bruce Momjian |
|---|---|
| Subject | Re: BUG #8540: Avoid sscanf buffer overflow |
| Date | |
| Msg-id | 20140215165243.GA3651@momjian.us |
| In reply to | BUG #8540: Avoid sscanf buffer overflow (jackie.qq.chang@gmail.com) |
| List | pgsql-bugs |
On Sat, Oct 19, 2013 at 09:49:05PM +0000, jackie.qq.chang@gmail.com wrote:
> The following bug has been logged on the website:
>
> Bug reference: 8540
> Logged by: Jackie Chang
> Email address: jackie.qq.chang@gmail.com
> PostgreSQL version: 9.3.1
> Operating system: Any
> Description:
>
> sscanf can set the maximum length of string read. If such a number is not
> provided, it's vulnerable to buffer overflow.

I have looked at your patch and I wasn't happy to be adding a hard-coded constant based on a macro definition. What I did do with the attached, applied patch is to remove the use of sscanf in pg_upgrade, and add a C comment in pg_dump explaining why the scanf can't overflow. I didn't see increasing the xlog.c length as useful.

For pg_dump it would be nice from a sanity perspective if we could do:

	sscanf(str, "%" CppAsString2(MAXPGPATH-1) "s\n", ...

but there is no way to string-ify a macro while also computing it during preprocessing.

-- 
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +
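As an added illustration (not code from this thread or from PostgreSQL itself), the following C program puts the width-less `%s` pattern from the bug report beside a variant whose width is computed at run time, and shows why the `CppAsString2(MAXPGPATH-1)` form wished for above cannot work: the preprocessor stringifies the arithmetic rather than evaluating it. The `MAXPGPATH` value, the two-step `CppAsString` macros (written the way PostgreSQL's `c.h` defines them) and all function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAXPGPATH 1024   /* value assumed for this example */

/* Two-step stringification, the way PostgreSQL's CppAsString2 works */
#define CppAsString(x)  #x
#define CppAsString2(x) CppAsString(x)

/* The format the message wishes for: the preprocessor stringifies the
 * arithmetic instead of computing it, giving "%1024-1s", an invalid width. */
const char *wished_format(void)
{
    return "%" CppAsString2(MAXPGPATH-1) "s";
}

/* The pattern from the bug report: "%s" has no width limit, so a token
 * longer than the destination overflows it. Kept for contrast only and
 * never called on over-long input here. */
int read_token_unsafe(const char *input, char *out)
{
    return sscanf(input, "%s", out);
}

/* Hardened variant: compute the width at run time with snprintf, so the
 * format is "%<outsz-1>s" and sscanf always leaves room for the NUL. */
int read_token_safe(const char *input, char *out, size_t outsz)
{
    char fmt[32];
    if (outsz == 0)
        return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", outsz - 1);   /* e.g. "%1023s" */
    if (sscanf(input, fmt, out) != 1) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Constructed over-long input: a 4096-byte token read into a 16-byte
 * buffer must come back truncated to 15 characters. */
size_t demo_truncated_length(void)
{
    static char input[4097];
    char out[16];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    read_token_safe(input, out, sizeof out);
    return strlen(out);
}
```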