From: <gb@phonema.ea.univpm.it>

The "%c" in sscanf actually reads and writes one extra character (i.e.  2
characters insted of just one), and may thus easily overflow caller's
buffer.

Also affects 2.4 tree, even if there "%c" seems not to be used at all.