Restrict fscanf %s in h5import (#5887)

derobins · web-flow · commit d775fa0712b8 · 2025-09-30T09:40:15.000-05:00
A couple of places in the h5import.c code use fscanf with %s to read
strings into a fixed-size buffer without restricting the number
of characters, which could lead to a stack buffer overflow.

This fix restricts the number of characters that can be read to
the size of the buffer.
diff --git a/tools/src/h5import/h5import.c b/tools/src/h5import/h5import.c
@@ -586,7 +586,7 @@ readIntegerData(FILE *strm, struct Input *in)
             switch (in->inputClass) {
                 case 0: /* TEXTIN */
                     for (i = 0; i < len; i++, in64++) {
-                        if (fscanf(strm, "%s", buffer) < 1) {
+                        if (fscanf(strm, "%255s", buffer) < 1) {
                             (void)fprintf(rawerrorstream, "%s", err1);
                             return (-1);
                         }
@@ -753,7 +753,7 @@ readUIntegerData(FILE *strm, struct Input *in)
             switch (in->inputClass) {
                 case 6: /* TEXTUIN */
                     for (i = 0; i < len; i++, in64++) {
-                        if (fscanf(strm, "%s", buffer) < 1) {
+                        if (fscanf(strm, "%255s", buffer) < 1) {
                             (void)fprintf(rawerrorstream, "%s", err1);
                             return (-1);
                         }
