[BUG] HIGH: DIMACS max-flow reader uses file contents as scanf format string

[gkorland]

Summary

Severity: HIGH
Category: Format string bug / parser logic failure
Location: experimental/utility/LAGraph_DIMACSMaxFlowRead.c lines 84, 99, 125

Trigger

Any valid DIMACS max-flow file, e.g.:

p max 2 1
n 1 s
a 1 2 10

Root Cause

The parser calls scanf(buff, ...) where buff is a line read from the file. scanf reads from stdin and treats buff as the format string, not as the source of data. There are three distinct issues:

1. Line 84: scanf(buff, "p max %" PRIu64 " %" PRIu64, &n_nodes, &n_edges) — buff is used as the format string; should be sscanf.
2. Line 99: Passes which instead of &which for the %c conversion → undefined behavior.
3. Line 125: Declares w as GrB_Index (uint64_t) but uses %d/PRId32 format specifier → type mismatch UB.

// Line 84 — WRONG: buff is used as a format string, reads from stdin
int result = scanf(buff, "p max %" PRIu64 " %" PRIu64, &n_nodes, &n_edges);

// Should be:
int result = sscanf(buff, "p max %" PRIu64 " %" PRIu64, &n_nodes, &n_edges);

Proof / Trace

1. fgets reads "p max 2 1\n" into buff.
2. Line 84 calls scanf("p max 2 1\n", ...) — no conversion specifiers in buff, so zero values are assigned.
3. result != 2, so every valid DIMACS file is rejected.
4. If buff happens to contain % characters (valid in DIMACS comments), it controls the format string and causes undefined behavior.

Impact

The parser is completely non-functional for all valid DIMACS input. Files containing % in comment lines trigger format-string undefined behavior.

Suggested Fix

Replace all three scanf calls with sscanf. Fix the missing & on the which argument at line 99. Use a correctly-typed temporary for the parsed weight on line 125.