Re: Unbounded %s in sscanf

Daniel Gustafsson <daniel(at)yesql(dot)se> writes:
> I took another look at this today, and propose to push the attached. The
> pg_dump fix goes all the way back to 9.6 whereas the pg_basebackup fix is from
> 11 and onwards. The adjacent shadowed variable bug in pg_dump is also present
> since 9.6.
> Thoughts?

Generally +1, though I wonder if it'd be prudent to deal with the
shadowed-variable bug by renaming *both* variables. "fname" is
clearly too generic in a function that deals with multiple file
names.

Another thing that is nibbling at the back of my mind is that one
reason we started to use src/port/snprintf.c all the time is that
glibc's *printf functions behave in a very unfriendly fashion when
asked to print text that they think is invalidly encoded, but only
if the format involves an explicit field width spec. I wonder if
we're opening ourselves to similar problems if we start to use
field widths with *scanf. In principle, I think the input text
always ought to be ASCII in these cases, so that there's no hazard.
But is there an interesting security aspect here? That is, if someone
can inject a maliciously-crafted file containing non-ASCII data, what
kind of misbehavior could ensue? It might be that sscanf would just
report failure and we'd give up, which would be fine. But if a
stack overrun could be triggered that way, it'd not be fine.

regards, tom lane