BUG #16951: pg_restore segfaults on custom format piped from a different version of PG

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: skoposov(at)ed(dot)ac(dot)uk
Subject: BUG #16951: pg_restore segfaults on custom format piped from a different version of PG
Date: 2021-03-31 20:06:01
Message-ID: 16951-a4dd68cf0de23048@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 16951
Logged by: Sergey Koposov
Email address: skoposov(at)ed(dot)ac(dot)uk
PostgreSQL version: 10.16
Operating system: Linux
Description:

Hi,

I have a reproducible case of pg_restore segfaulting when trying to restore
from a pg_dump of a different version. Specifically, at least pg_restore from
10 crashes on the output of pg_dump 12.
I understand that this is not supported, but presumably it still shouldn't
segfault.
This was the command:

pg_dump12 -n SCHEMA -Fc -U dbadmin DB | pg_restore10 -U dbadmin -h localhost -1 -d DB

where pg_dump12 is pg_dump from 12.6 on one Linux 64-bit machine and
pg_restore10 is pg_restore from 10.16 on another Linux 64-bit machine.

I attach the gdb bt full of the crash (see below). I also have a 512-byte
file that crashes pg_restore (the top 512 bytes from the pg_dump output). I can
share it if needed.

It is clear that some checks of the version of the archive have not been
done early enough by pg_restore, leading to the segfault. I don't have time
to get to the bottom of this, but I'm seeing that readHead() in
pg_backup_archiver.c has not executed the checks behind
if (!AH->readHeader) that would have failed.
It also looks like the readHeader flag is set early by _discoverArchiveFormat()
when reading from stdin
(but this is just my impression from a quick look at the code).

Cheers,
Sergey

#0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
#1  0x00000000004098d0 in ReadToc (AH=0xe8bb60) at pg_backup_archiver.c:2660
#2  0x000000000040f010 in InitArchiveFmt_Custom (AH=0xe8bb60) at pg_backup_custom.c:191
#3  0x0000000000408f57 in _allocAH (FileSpec=0x0, fmt=archUnknown, compression=0, dosync=1 '\001', mode=archModeRead, setupWorkerPtr=0x404528 <setupRestoreWorker>) at pg_backup_archiver.c:2400
#4  0x00000000004045d3 in OpenArchive (FileSpec=0x0, fmt=archUnknown) at pg_backup_archiver.c:235
#5  0x0000000000403eff in main (argc=7, argv=0x7fffb0559018) at pg_restore.c:400

#0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:31
No locals.
#1  0x00000000004098d0 in ReadToc (AH=0xe8bb60) at pg_backup_archiver.c:2660
        i = 0
        tmp = 0xe6d7d0 "ENCODING"
        deps = 0x7fa9b5de08e0 <_IO_2_1_stdin_>
        depIdx = 15127296
        depSize = 0
        te = 0xe91140
#2  0x000000000040f010 in InitArchiveFmt_Custom (AH=0xe8bb60) at pg_backup_custom.c:191
        ctx = 0xe8d100
#3  0x0000000000408f57 in _allocAH (FileSpec=0x0, fmt=archUnknown, compression=0, dosync=1 '\001', mode=archModeRead, setupWorkerPtr=0x404528 <setupRestoreWorker>) at pg_backup_archiver.c:2400
        AH = 0xe8bb60
#4  0x00000000004045d3 in OpenArchive (FileSpec=0x0, fmt=archUnknown) at pg_backup_archiver.c:235
        AH = 0xe6cf90
#5  0x0000000000403eff in main (argc=7, argv=0x7fffb0559018) at pg_restore.c:400
        opts = 0xe8b9e0
        c = -1
        exit_code = 32681
        numWorkers = 1
        AH = 0x7fa9b647667b <do_lookup_x+2011>
        inputFileSpec = 0x0
        disable_triggers = 0
        enable_row_security = 0
        if_exists = 0
        no_data_for_failed_tables = 0
        outputNoTablespaces = 0
        use_setsessauth = 0
        no_publications = 0
        no_security_labels = 0
        no_subscriptions = 0
        strict_names = 0
quit
Detaching from program: /usr0/home/skoposov_remote/postgresql-10.16/src/bin/pg_dump/pg_restore, process 3461
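The early header check the report describes as missing, written out as an added example in C (this is not PostgreSQL's code): it validates magic, archive version, integer width and format on the first bytes of a custom-format archive before any TOC parsing, so a stream from a newer pg_dump, a truncated read from stdin, or a different archive format is rejected with a distinct status instead of being interpreted. The header layout is from my recollection of pg_backup_archiver.c; the supported-version constants (1.12 for a PG 10 reader) and the archCustom enum value are assumptions.

```c
/* Added example, not PostgreSQL code: check a custom-format archive header
 * before any TOC parsing. Layout as I recall it from pg_backup_archiver.c:
 * "PGDMP", vmaj, vmin, vrev, intSize, offSize (1.7+), format.
 * The version limits and enum value below are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 11          /* 5 magic bytes + up to 6 single-byte fields */
#define SUPPORTED_MAJOR 1   /* assumption: reader's K_VERS_MAJOR */
#define SUPPORTED_MINOR 12  /* assumption: K_VERS_MINOR of a PG 10 reader */
#define FMT_CUSTOM 1        /* assumption: archCustom enum value */

enum hdr_status { HDR_OK = 0, HDR_TRUNCATED, HDR_BAD_MAGIC,
                  HDR_UNSUPPORTED, HDR_BAD_INTSIZE, HDR_WRONG_FORMAT };

struct archive_hdr { int vmaj, vmin, vrev, int_size, off_size, format; };

/* Every rejection happens here, before the caller ever touches the TOC. */
enum hdr_status check_archive_header(const unsigned char *buf, size_t len,
                                     struct archive_hdr *h)
{
    size_t pos = 8;
    if (len < HDR_LEN)
        return HDR_TRUNCATED;           /* e.g. a short read from stdin */
    if (memcmp(buf, "PGDMP", 5) != 0)
        return HDR_BAD_MAGIC;
    h->vmaj = buf[5]; h->vmin = buf[6]; h->vrev = buf[7];
    if (h->vmaj > SUPPORTED_MAJOR ||
        (h->vmaj == SUPPORTED_MAJOR && h->vmin > SUPPORTED_MINOR))
        return HDR_UNSUPPORTED;         /* newer pg_dump than this reader */
    h->int_size = buf[pos++];
    if (h->int_size == 0 || h->int_size > 32)
        return HDR_BAD_INTSIZE;
    if (h->vmaj > 1 || h->vmin >= 7)    /* offSize byte only from 1.7 on */
        h->off_size = buf[pos++];
    else
        h->off_size = h->int_size;
    h->format = buf[pos];
    return h->format == FMT_CUSTOM ? HDR_OK : HDR_WRONG_FORMAT;
}

int main(void)
{   /* constructed headers: archive version 1.12 (accepted), 1.14 (rejected) */
    const unsigned char v112[] = {'P','G','D','M','P', 1,12,0, 4,8, 1};
    const unsigned char v114[] = {'P','G','D','M','P', 1,14,0, 4,8, 1};
    struct archive_hdr h;
    printf("1.12: %d  1.14: %d\n", check_archive_header(v112, sizeof v112, &h),
           check_archive_header(v114, sizeof v114, &h));
    return 0;
}
```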
