This strcpy will never overflow because it's copying from baked-in test data. But we would prefer to avoid strcpy entirely, as it makes it harder to audit for real security bugs. Signed-off-by: Jeff King <peff@xxxxxxxx> --- I admit that an audit could probably just avoid looking at test-* in the first place, but not all do (coverity complained about this one, for example). This sort-of applies on top of js/dirname-basename, which is in next. Textually, it's fine, but that topic is based on v2.6.5, and xsnprintf was only added in the v2.7.0 cycle. The simplest thing is probably to wait for it to graduate to master, and then apply there as a new topic (if we do v2.6.6, it's OK for it not to have this patch). I can hold and resend in a week or two if that's easier. test-path-utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-path-utils.c b/test-path-utils.c index 4ab68ac..b9ece10 100644 --- a/test-path-utils.c +++ b/test-path-utils.c @@ -55,7 +55,7 @@ static int test_function(struct test_data *data, char *(*func)(char *input), if (!data[i].from) to = func(NULL); else { - strcpy(buffer, data[i].from); + xsnprintf(buffer, sizeof(buffer), "%s", data[i].from); to = func(buffer); } if (strcmp(to, data[i].to)) { -- 2.7.0.244.g0701a9d -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html