The old code does not do boundary check so any paths longer than
PATH_MAX can cause buffer overflow. Replace it with strbuf to handle
paths of arbitrary length.

The OS may reject if the path is too long though. But in that case we
report the cause (e.g. name too long) and usually move on to checking
out the next entry.

Signed-off-by: Nguyễn Thái Ngọc Duy <>
 v2 does two strbuf_add() instead of one hard-to-read strbuf_addf()

 entry.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/entry.c b/entry.c
index acc892f..fbb4863 100644
--- a/entry.c
+++ b/entry.c
@@ -237,16 +237,19 @@ static int check_path(const char *path, int len, struct 
stat *st, int skiplen)
 int checkout_entry(struct cache_entry *ce,
                   const struct checkout *state, char *topath)
-       static char path[PATH_MAX + 1];
+       static struct strbuf path_buf = STRBUF_INIT;
+       char *path;
        struct stat st;
-       int len = state->base_dir_len;
+       int len;
        if (topath)
                return write_entry(ce, topath, state, 1);
-       memcpy(path, state->base_dir, len);
-       strcpy(path + len, ce->name);
-       len += ce_namelen(ce);
+       strbuf_reset(&path_buf);
+       strbuf_add(&path_buf, state->base_dir, state->base_dir_len);
+       strbuf_add(&path_buf, ce->name, ce_namelen(ce));
+       path = path_buf.buf;
+       len = path_buf.len;
        if (!check_path(path, len, &st, state->base_dir_len)) {
                unsigned changed = ce_match_stat(ce, &st, 

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to
More majordomo info at

Reply via email to