On Sat, Oct 19, 2013 at 09:49:05PM +0000, jackie.qq.chang@gmail.com wrote:
> The following bug has been logged on the website:
>
> Bug reference: 8540
> Logged by: Jackie Chang
> Email address: jackie.qq.chang@gmail.com
> PostgreSQL version: 9.3.1
> Operating system: Any
> Description:
>
> sscanf can set the maximum length of string read. If such a number is not
> provided, it's vulnerable to buffer overflow.
I have looked at your patch and I wasn't happy to be adding a hard-coded
constant based on a macro definition. What I did do with the attached,
applied patch is to remove the use of sscanf in pg_upgrade, and add a C
comment in pg_dump explaining why the scanf can't overflow. I didn't
see increasing the xlog.c length as useful.
For pg_dump it would be nice from a sanity perspective if we could do:
sscanf(str, "%" CppAsString2(MAXPGPATH-1) "s\n", ...
but there is no way to string-ify a macro while also computing it during
preprocessing.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +