You're receiving this bug because the package in Summary has produced _FORTIFY_SOURCE related warnings indicating the presence of a sure overflow in a static buffer. Even though this is not always an indication of a security problem, it might be. So please check this out ASAP. By the way, _FORTIFY_SOURCE is disabled when you disable optimisation, so don't try finding out the cause using -O0. Thanks, Your friendly neighborhood tinderboxer
Created attachment 249072 [details] Build log
Created attachment 249258 [details, diff]
Patch to exact-image-0.8.1.ebuild to address some QA issues

This patch addresses the following problems:
- User CFLAGS/CXXFLAGS ignored!
- Unqualified CC/CXX used. This disrupts cross-compiling.
- Make commands were unconditionally hidden, so reading the build log does not show you that the build ignored your CFLAGS.
- Buffer overflow warning due to copying a string into a buffer which lacks room for the null.
- Array bounds warning due to abuse of array math to index elements.

Upstream seems to be a bit aggressive with their choice of default CXXFLAGS. They use flags that would probably get a Gentoo bug rejected as INVALID with a request to "stop ricing and try again." However, I have left that alone here. With user CXXFLAGS respected, concerned users can modify their CXXFLAGS to counter the upstream flags if needed.
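The "buffer which lacks room for the null" item above, as an added C example that is not exact-image's code or the attached patch: the header struct, the field names and the "EXIF" tag are assumptions made for illustration. It shows the shape of the defect the tinderbox flags, the corrected layout, and a copy that checks the destination size. Building with `gcc -O2 -D_FORTIFY_SOURCE=2 -Wall` reports the overflow in `init_bad` at compile time; at `-O0` the fortify check is compiled out and nothing is reported, which is the point the tinderbox message makes about not debugging at `-O0`.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not exact-image code: a header with a fixed-width
 * tag field. "EXIF" and the struct/field names are assumptions. */
#define TAG "EXIF"                     /* 4 characters, 5 bytes with the NUL */
#define TAG_CHARS (sizeof(TAG) - 1)

struct header_bad {
    char tag[TAG_CHARS];               /* room for the characters, not the NUL */
    int  width;
};

struct header_ok {
    char tag[TAG_CHARS + 1];           /* one more byte for the terminator */
    int  width;
};

/* The pattern the tinderbox flags. strcpy() writes strlen(src)+1 bytes, so
 * the terminating NUL lands in `width`. With -O2 -D_FORTIFY_SOURCE=2 both
 * sizes are compile-time constants and GCC reports that the copy will
 * always overflow the destination; at -O0 the check is compiled out and
 * nothing is reported. Not called below: it is here to show the defect. */
void init_bad(struct header_bad *h)
{
    strcpy(h->tag, TAG);
}

/* Fixed layout plus a copy bounded by the destination size. */
void init_ok(struct header_ok *h)
{
    strncpy(h->tag, TAG, sizeof h->tag);
    h->tag[sizeof h->tag - 1] = '\0';  /* strncpy does not guarantee a NUL */
}

/* The check the vulnerable version omits: does src plus its NUL fit? */
int fits_with_nul(size_t dstsize, const char *src)
{
    return strlen(src) + 1 <= dstsize;
}

/* Checked copy that refuses rather than truncating or overflowing.
 * Returns 0 on success, -1 if the source does not fit. */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}
```

`copy_checked` is the shape to prefer in new code: the bound comes from `sizeof` of the destination, and a source that does not fit is an error the caller sees, not a silently truncated or overflowed field.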
I am still getting the QA warning about array bounds with your patch
(In reply to comment #3) > I am still getting the QA warning about array bounds with your patch Could you be more specific? What file and line warn?
Created attachment 252165 [details] build.log See the attached log
(In reply to comment #5) > Created an attachment (id=252165) [details] > build.log That looks like my patch was not used at all. Among the changes I made, I removed the directives that print just "C++ <filename>" and instead made it print the real command executed. I also fixed the _FORTIFY_SOURCE issue, but your build log shows that upstream bug is also present.
Ok, I might have forgotten to apply your patch. Now that I did, I still get QA warnings about the array bounds:

 * QA Notice: Package has poor programming practices which may compile
 * fine but exhibit random runtime failures.
 * codecs/dcraw.h:6469:96: warning: array subscript is above array bounds
 * codecs/dcraw.h:6469:96: warning: array subscript is above array bounds
 * codecs/dcraw.h:6469:96: warning: array subscript is above array bounds
(In reply to comment #7) > Ok I might forgot to apply your patch. Now that I did, I still get QA warnings > about the array bounds I lack the setup to build the entire media-gfx/exact-image package here, and cannot reproduce the warning on a trivial testcase consisting of overstepping an array using the [0][j] construct used in the original code. As far as I know, the method they use happens to work (although it is bad form). I only fixed it since I was in the area cleaning up real problems, like the _FORTIFY_SOURCE failure. Looking more closely at the proposed fix, I think I made a mistake. The lengthof construct I used is measuring the wrong value for the division operations. I suggest dropping my attempt at fixing the -Warray-overflow problem for now so as not to hold up the real fix for the _FORTIFY_SOURCE issue over a currently cosmetic warning. The array bounds issue can be revisited later.
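The `[0][j]` construct and the `lengthof` divisor mistake described in the comment above, as an added C example that is not dcraw's code or the attached patch; the 3x4 `table` and the function names are constructed for illustration.

```c
#include <stddef.h>

/* Number of elements in an array (not a pointer). For a 2-D array this is
 * the number of rows; lengthof(a[0]) is the number of columns. */
#define lengthof(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed 3x4 table, not dcraw data: each cell holds its own flat
 * index so the row/column mapping can be checked. */
static const int table[3][4] = {
    { 0, 1,  2,  3 },
    { 4, 5,  6,  7 },
    { 8, 9, 10, 11 },
};

size_t table_rows(void) { return lengthof(table); }     /* 3 */
size_t table_cols(void) { return lengthof(table[0]); }  /* 4 */

/* The idiom behind the warning: table[0] is declared with 4 elements, but
 * k is allowed to run to 11 on the assumption that rows are contiguous.
 * That holds on real compilers, yet any k >= lengthof(table[0]) is outside
 * the object table[0] as far as the language is concerned, which is what
 * -Warray-bounds reports when it can see the value of k. Only called with
 * k < 4 below. */
int flat_get_unchecked(size_t k)
{
    return table[0][k];
}

/* Correct mapping from a flat index to (row, column). The divisor must be
 * the column count, lengthof(table[0]). Using lengthof(table), the row
 * count, is the mistake the comment describes: with 3 rows and 4 columns,
 * k = 5 would land on table[1][2] = 6 instead of 5, and k = 9 would index
 * row 3, which does not exist. Returns -1 when k is out of range. */
int flat_get(size_t k)
{
    const size_t cols = lengthof(table[0]);
    const size_t total = lengthof(table) * cols;
    if (k >= total)
        return -1;
    return table[k / cols][k % cols];
}
```

The bounds check in `flat_get` is what turns the cosmetic warning into a real guarantee: a caller passing an index past the end of the table gets an error value instead of whatever sits after it in memory.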
+*exact-image-0.8.1-r1 (06 Oct 2012) + + 06 Oct 2012; Pacho Ramos <pacho@gentoo.org> +exact-image-0.8.1-r1.ebuild: + Include various fixes from Kevin Pyle, bug #339248. +
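Review bot: the entry says only "Include various fixes from Kevin Pyle, bug #339248", which does not tell a reader of the ChangeLog which fixes went into -r1. The attachment comment lists five items (user CFLAGS/CXXFLAGS respected, qualified CC/CXX, un-hidden make commands, the _FORTIFY_SOURCE buffer overflow, the array-bounds change) and the last comment before this entry proposed dropping the array-bounds part; please name the fixes actually taken, for example "respect user CFLAGS/CXXFLAGS and CC/CXX, show make commands, fix _FORTIFY_SOURCE overflow", and say whether the array-bounds change was dropped.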