Fix sscanf limits in pg_dump

Make sure that the string parsing is limited by the size of the
destination buffer.

The buffer is bounded by MAXPGPATH, and thus the limit must be
inserted via preprocessor expansion and the buffer increased by
one to account for the terminator. There is no risk of overflow
here, since in this case, the buffer scanned is smaller than the
destination buffer.

Backpatch all the way down to 9.6.

Reviewed-by: Tom Lane
Discussion: https://postgr.es/m/B14D3D7B-F98C-4E20-9459-C122C67647FB@yesql.se
Backpatch-through: 9.6

diff --git a/src/bin/pg_dump/pg_backup_directory.c b/src/bin/pg_dump/pg_backup_directory.c
index 2b3921b43addf18fb23aab0d48acf37ef549ef7e..b4fd825a9c96737c4935045a7655e38a6626cef0 100644 (file)
--- a/src/bin/pg_dump/pg_backup_directory.c
+++ b/src/bin/pg_dump/pg_backup_directory.c
@@ -463,11 +463,11 @@ _LoadBlobs(ArchiveHandle *AH)
        /* Read the blobs TOC file line-by-line, and process each blob */
        while ((cfgets(ctx->blobsTocFH, line, MAXPGPATH)) != NULL)
        {
-               char            fname[MAXPGPATH];
+               char            fname[MAXPGPATH + 1];
                char            path[MAXPGPATH];
 
                /* Can't overflow because line and fname are the same length. */
-               if (sscanf(line, "%u %s\n", &oid, fname) != 2)
+               if (sscanf(line, "%u %" CppAsString2(MAXPGPATH) "s\n", &oid, fname) != 2)
                        exit_horribly(modulename, "invalid line in large object TOC file \"%s\": \"%s\"\n",
                                                  fname, line);