| Summary: | media-gfx/exact-image _FORTIFY_SOURCE indicates presence of overflow | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Diego Elio Pettenò (RETIRED) <flameeyes> |
| Component: | Current packages | Assignee: | Gentoo Graphics Project <graphics+disabled> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | hardened, hwoarang |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 259417 | | |
| Attachments: | Build log (attachment 249072); Patch to exact-image-0.8.1.ebuild to address some QA issues (attachment 249258); build.log (attachment 252165) | | |
Description
Diego Elio Pettenò (RETIRED)
2010-09-30 12:58:23 UTC
Created attachment 249072
Build log

Created attachment 249258 (diff)
Patch to exact-image-0.8.1.ebuild to address some QA issues
This patch addresses the following problems:
- User CFLAGS/CXXFLAGS ignored!
- Unqualified CC/CXX used. This disrupts cross-compiling.
- Make commands were unconditionally hidden, so reading the build log does not show you that the build ignored your CFLAGS.
- Buffer overflow warning due to copying a string into a buffer which lacks room for the null.
- Array bounds warning due to abuse of array math to index elements.
Upstream seems to be a bit aggressive with their choice of default CXXFLAGS. They use flags that would probably get a Gentoo bug rejected as INVALID with a request to "stop ricing and try again." However, I have left that alone here. With user CXXFLAGS respected, concerned users can modify their CXXFLAGS to counter the upstream flags if needed.
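The two compiler warnings listed above, as an added example in C (not code from exact-image or the attached patch; `record`, `copy_tag`, `table`, `elem_at` and the sample table values are invented for illustration): the field-sized strcpy() that _FORTIFY_SOURCE catches beside a length-checked copy, and the table[0][k] walk that trips -Warray-bounds beside an index split that keeps both subscripts in range and derives the element count from rows times columns, which is where a lengthof divisor goes wrong.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from exact-image or the attached patch. The names
 * record, copy_tag, copy_tag_unsafe, table, table_total, elem_at and
 * table_sum are invented for illustration. */

#define TAG_LEN 8                 /* bytes in the tag field, NUL included */
#define lengthof(a) (sizeof(a) / sizeof((a)[0]))

struct record {
    char tag[TAG_LEN];
    int  value;                   /* sits right after tag[] in memory */
};

/*
 * Shape of the first warning: an 8-character source copied into an 8-byte
 * field. strcpy() also stores the terminating NUL, so it writes TAG_LEN + 1
 * bytes and the NUL lands in whatever follows tag[] (here, value). Built with
 * -O2 -D_FORTIFY_SOURCE=2, glibc turns the call into __strcpy_chk(), which
 * knows sizeof r->tag at compile time: GCC warns that the copy "will always
 * overflow destination buffer" when the source length is also known, and the
 * run-time check aborts with "*** buffer overflow detected ***" otherwise.
 * Kept only as the "before" form; nothing below calls it.
 */
void copy_tag_unsafe(struct record *r, const char *s)
{
    strcpy(r->tag, s);
}

/* Hardened form: refuse any source that leaves no room for the NUL. */
int copy_tag(struct record *r, const char *s)
{
    size_t n = strlen(s);
    if (n >= sizeof r->tag)       /* need n + 1 bytes, have sizeof r->tag */
        return -1;
    memcpy(r->tag, s, n + 1);     /* copies the NUL too */
    return 0;
}

/* Shape of the second warning: code that walks a 2-D array as table[0][k]
 * for k up to rows*cols - 1, relying on the rows being contiguous. It works
 * on mainstream compilers, but the inner subscript is out of range for every
 * k >= cols, which is what GCC's -Warray-bounds reports. */
static const int table[3][4] = {
    { 1,  2,  3,  4 },
    { 5,  6,  7,  8 },
    { 9, 10, 11, 12 },
};

/* Element count is rows * cols. lengthof(table) alone is 3 (the row count),
 * so using it as the divisor when turning a flat index back into (row, col)
 * gives the wrong answer; the column count must be the divisor. */
size_t table_total(void)
{
    return lengthof(table) * lengthof(table[0]);   /* 3 * 4 = 12 */
}

/* Flat index -> element with both subscripts kept in range (k < rows*cols). */
int elem_at(size_t k)
{
    size_t cols = lengthof(table[0]);
    return table[k / cols][k % cols];
}

int table_sum(void)
{
    int sum = 0;
    for (size_t k = 0; k < table_total(); k++)
        sum += elem_at(k);
    return sum;                   /* 1 + 2 + ... + 12 = 78 */
}

int main(void)
{
    struct record r = { "", 42 };
    int rc;

    rc = copy_tag(&r, "ABCDEFG");
    printf("copy \"ABCDEFG\"  -> %d, tag=%s, value=%d\n", rc, r.tag, r.value);
    rc = copy_tag(&r, "ABCDEFGH");
    printf("copy \"ABCDEFGH\" -> %d (rejected: needs %zu bytes, field has %zu)\n",
           rc, strlen("ABCDEFGH") + 1, sizeof r.tag);
    printf("table: %zu elements, elem_at(5)=%d, sum=%d\n",
           table_total(), elem_at(5), table_sum());
    return 0;
}
```

Build with `gcc -O2 -Wall -D_FORTIFY_SOURCE=2` to see the checks the toolchain adds; portage's QA check only scans the build log for these warning texts, so a package that hides its compiler command lines, as the attachment description notes, also hides what was actually built.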
I am still getting the QA warning about array bounds with your patch.

(In reply to comment #3)
> I am still getting the QA warning about array bounds with your patch

Could you be more specific? What file and line warn?

Created attachment 252165
build.log

See the attached log.

(In reply to comment #5)
> Created an attachment (id=252165)
> build.log

That looks like my patch was not used at all. Among the changes I made, I removed the directives that print just "C++ <filename>" and instead made it print the real command executed. I also fixed the _FORTIFY_SOURCE issue, but your build log shows that upstream bug is also present.

Ok, I might have forgotten to apply your patch. Now that I did, I still get QA warnings about the array bounds:

 * QA Notice: Package has poor programming practices which may compile
 * fine but exhibit random runtime failures.
 * codecs/dcraw.h:6469:96: warning: array subscript is above array bounds
 * codecs/dcraw.h:6469:96: warning: array subscript is above array bounds
 * codecs/dcraw.h:6469:96: warning: array subscript is above array bounds

(In reply to comment #7)
> Ok, I might have forgotten to apply your patch. Now that I did, I still get QA warnings
> about the array bounds

I lack the setup to build the entire media-gfx/exact-image package here, and cannot reproduce the warning on a trivial testcase consisting of overstepping an array using the [0][j] construct used in the original code. As far as I know, the method they use happens to work (although it is bad form). I only fixed it since I was in the area cleaning up real problems, like the _FORTIFY_SOURCE failure.

Looking more closely at the proposed fix, I think I made a mistake. The lengthof construct I used is measuring the wrong value for the division operations. I suggest dropping my attempt at fixing the -Warray-overflow problem for now so as not to hold up the real fix for the _FORTIFY_SOURCE issue over a currently cosmetic warning. The array bounds issue can be revisited later.

+*exact-image-0.8.1-r1 (06 Oct 2012) + + 06 Oct 2012; Pacho Ramos <pacho@gentoo.org> +exact-image-0.8.1-r1.ebuild: + Include various fixes from Kevin Pyle, bug #339248. +
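Review bot: the ChangeLog entry for exact-image-0.8.1-r1 says only "Include various fixes from Kevin Pyle, bug #339248" and does not record which of the attachment's changes were taken; since the thread above withdrew the lengthof/-Warray-bounds change as mis-measured, the entry should name what was kept (respecting user CFLAGS/CXXFLAGS, qualified CC/CXX, unhidden make commands, the _FORTIFY_SOURCE overflow fix) and state that the codecs/dcraw.h array-bounds warning is still open, so the next person reading the log does not assume the bug's array-bounds part was fixed too.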