BUG #8540: Avoid sscanf buffer overflow

Поиск
Список
Период
Сортировка
От jackie.qq.chang@gmail.com
Тема BUG #8540: Avoid sscanf buffer overflow
Дата
Msg-id E1VXeOP-0002cc-Ow@wrigleys.postgresql.org
обсуждение исходный текст
Ответы Re: BUG #8540: Avoid sscanf buffer overflow
Список pgsql-bugs
Дерево обсуждения 
The following bug has been logged on the website:

Bug reference:      8540
Logged by:          Jackie Chang
Email address:      jackie.qq.chang@gmail.com
PostgreSQL version: 9.3.1
Operating system:   Any
Description:

sscanf can set the maximum length of string read. If such a number is not
provided, it's vulnerable to buffer overflow.


Diff is:


diff --git a/contrib/pg_upgrade/option.c b/contrib/pg_upgrade/option.c
index 250aeb8..293ef1c 100644
--- a/contrib/pg_upgrade/option.c
+++ b/contrib/pg_upgrade/option.c
@@ -443,7 +443,7 @@ get_sock_dir(ClusterInfo *cluster, bool live_check)
                 {
                     cluster->sockdir = pg_malloc(MAXPGPATH);
                     /* strip off newline */
-                    sscanf(line, "%s\n", cluster->sockdir);
+                    sscanf(line, "%1023s\n", cluster->sockdir);
                 }
             }
             fclose(fp);
diff --git a/src/backend/access/transam/xlog.c
b/src/backend/access/transam/xlog.c
index 06f5eb0..560230f 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -10029,7 +10029,7 @@ do_pg_stop_backup(char *labelfile, bool
waitforarchive, TimeLineID *stoptli_p)
      * Read and parse the START WAL LOCATION line (this code is pretty crude,
      * but we are not expecting any variability in the file format).
      */
-    if (sscanf(labelfile, "START WAL LOCATION: %X/%X (file %24s)%c",
+    if (sscanf(labelfile, "START WAL LOCATION: %X/%X (file %63s)%c",
                &hi, &lo, startxlogfilename,
                &ch) != 4 || ch != '\n')
         ereport(ERROR,
diff --git a/src/bin/pg_dump/pg_backup_directory.c
b/src/bin/pg_dump/pg_backup_directory.c
index f803186..48e0db9 100644
--- a/src/bin/pg_dump/pg_backup_directory.c
+++ b/src/bin/pg_dump/pg_backup_directory.c
@@ -452,7 +452,7 @@ _LoadBlobs(ArchiveHandle *AH, RestoreOptions *ropt)
         char        fname[MAXPGPATH];
         char        path[MAXPGPATH];

-        if (sscanf(line, "%u %s\n", &oid, fname) != 2)
+        if (sscanf(line, "%u %1023s\n", &oid, fname) != 2)
             exit_horribly(modulename, "invalid line in large object TOC file \"%s\":
\"%s\"\n",
                           fname, line);

В списке pgsql-bugs по дате отправления: