I happened to spot the below call in src/bin/pg_basebackup/streamutil.c which
has an unbounded %s in the format.

    /* fetch xlog value and unit from the result */
    if (sscanf(PQgetvalue(res, 0, 0), "%d%s", &xlog_val, xlog_unit) != 2)

There is no risk of overflow as the unit is defined to be at most 2 characters,
but that's not explained (like how a similar %s is handled in pg_dump).  The
attached adds a small explanation in the comment to save readers time from
following the bouncing ball to make sure.

--
Daniel Gustafsson               https://vmware.com/

Attachment: pg_basebackup_sscanf.diff
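As an added illustration (not the attached patch and not PostgreSQL's own code): a stand-alone version of the same sscanf pattern where the %s carries a width bound equal to the buffer size, so that its safety no longer rests on the caller's knowledge that the unit is at most 2 characters. The buffer size, the function name and the %n trailing-input check are assumptions for this example, not taken from pg_basebackup.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer sizing: a unit of at most 2 characters ("kB", "MB") plus NUL. */
#define UNIT_LEN 2

/*
 * Parse a "<number><unit>" string such as "16MB" into its two parts.
 *
 * The width in "%2s" caps how many characters sscanf may store in unit[],
 * so an unexpectedly long unit can never run past the buffer even if the
 * upstream guarantee about its length were ever lost. The original call on
 * the page uses an unbounded "%s" and relies on that guarantee instead.
 *
 * "%n" records how many input characters were consumed; it does not count
 * towards sscanf's return value. Returns 1 on success, 0 on malformed input.
 */
int parse_size_with_unit(const char *text, int *val, char unit[UNIT_LEN + 1])
{
    int consumed = 0;

    unit[0] = '\0';
    if (sscanf(text, "%d%2s%n", val, unit, &consumed) != 2)
        return 0;

    /* Leftover characters mean the unit exceeded UNIT_LEN or had garbage. */
    if (text[consumed] != '\0')
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed inputs: a well-formed value and two that must be rejected. */
    const char *inputs[] = { "16MB", "16MBx", "16" };
    char unit[UNIT_LEN + 1];
    int val;

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        if (parse_size_with_unit(inputs[i], &val, unit))
            printf("%-6s -> value=%d unit=%s\n", inputs[i], val, unit);
        else
            printf("%-6s -> rejected\n", inputs[i]);
    }
    return 0;
}
```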
