Commit f514ef97 authored by Jeff King's avatar Jeff King Committed by Junio C Hamano

verify_absent: allow filenames longer than PATH_MAX

When unpack-trees wants to know whether a path will
overwrite anything in the working tree, we use lstat() to
see if there is anything there. But if we are going to write
"foo/bar", we can't just lstat("foo/bar"); we need to look
for leading prefixes (e.g., "foo"). So we use the lstat cache
to find the length of the leading prefix, and copy the
filename up to that length into a temporary buffer (since
the original name is const, we cannot just stick a NUL in

The copy we make goes into a PATH_MAX-sized buffer, which
will overflow if the prefix is longer than PATH_MAX. How
this happens is a little tricky, since in theory PATH_MAX is
the biggest path we will have read from the filesystem. But
this can happen if:

  - the compiled-in PATH_MAX does not accurately reflect
    what the filesystem is capable of

  - the leading prefix is not _quite_ what is on disk; it
    contains the next element from the name we are checking.
    So if we want to write "aaa/bbb/ccc/ddd" and "aaa/bbb"
    exists, the prefix of interest is "aaa/bbb/ccc". If
    "aaa/bbb" approaches PATH_MAX, then "ccc" can overflow

So this can be triggered, but it's hard to do. In
particular, you cannot just "git clone" a bogus repo. The
verify_absent checks happen before unpack-trees writes
anything to the filesystem, so there are never any leading
prefixes during the initial checkout, and the bug doesn't
trigger. And by definition, these files are larger than
PATH_MAX, so writing them will fail, and clone will
complain (though it may write a partial path, which will
cause a subsequent "git checkout" to hit the bug).

We can fix it by creating the temporary path on the heap.
The extra malloc overhead is not important, as we are
already making at least one stat() call (and probably more
for the prefix discovery).
Signed-off-by: default avatarJeff King <>
Signed-off-by: default avatarJunio C Hamano <>
parent fdf96a20
......@@ -1432,15 +1432,18 @@ static int verify_absent_1(const struct cache_entry *ce,
if (!len)
return 0;
else if (len > 0) {
char path[PATH_MAX + 1];
memcpy(path, ce->name, len);
path[len] = 0;
char *path;
int ret;
path = xmemdupz(ce->name, len);
if (lstat(path, &st))
return error("cannot stat '%s': %s", path,
ret = error("cannot stat '%s': %s", path,
return check_ok_to_remove(path, len, DT_UNKNOWN, NULL, &st,
error_type, o);
ret = check_ok_to_remove(path, len, DT_UNKNOWN, NULL,
&st, error_type, o);
return ret;
} else if (lstat(ce->name, &st)) {
if (errno != ENOENT)
return error("cannot stat '%s': %s", ce->name,
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment