The following bug has been logged on the website:
Bug reference: 8540
Logged by: Jackie Chang
Email address: jackie.qq.chang@gmail.com
PostgreSQL version: 9.3.1
Operating system: Any
Description:
sscanf can set the maximum length of string read. If such a number is not
provided, it's vulnerable to buffer overflow.
Diff is:
diff --git a/contrib/pg_upgrade/option.c b/contrib/pg_upgrade/option.c
index 250aeb8..293ef1c 100644
--- a/contrib/pg_upgrade/option.c
+++ b/contrib/pg_upgrade/option.c
@@ -443,7 +443,7 @@ get_sock_dir(ClusterInfo *cluster, bool live_check)
{
cluster->sockdir = pg_malloc(MAXPGPATH);
/* strip off newline */
- sscanf(line, "%s\n", cluster->sockdir);
+ sscanf(line, "%1023s\n", cluster->sockdir);
}
}
fclose(fp);
diff --git a/src/backend/access/transam/xlog.c
b/src/backend/access/transam/xlog.c
index 06f5eb0..560230f 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -10029,7 +10029,7 @@ do_pg_stop_backup(char *labelfile, bool
waitforarchive, TimeLineID *stoptli_p)
* Read and parse the START WAL LOCATION line (this code is pretty crude,
* but we are not expecting any variability in the file format).
*/
- if (sscanf(labelfile, "START WAL LOCATION: %X/%X (file %24s)%c",
+ if (sscanf(labelfile, "START WAL LOCATION: %X/%X (file %63s)%c",
&hi, &lo, startxlogfilename,
&ch) != 4 || ch != '\n')
ereport(ERROR,
diff --git a/src/bin/pg_dump/pg_backup_directory.c
b/src/bin/pg_dump/pg_backup_directory.c
index f803186..48e0db9 100644
--- a/src/bin/pg_dump/pg_backup_directory.c
+++ b/src/bin/pg_dump/pg_backup_directory.c
@@ -452,7 +452,7 @@ _LoadBlobs(ArchiveHandle *AH, RestoreOptions *ropt)
char fname[MAXPGPATH];
char path[MAXPGPATH];
- if (sscanf(line, "%u %s\n", &oid, fname) != 2)
+ if (sscanf(line, "%u %1023s\n", &oid, fname) != 2)
exit_horribly(modulename, "invalid line in large object TOC file \"%s\":
\"%s\"\n",
fname, line);