# HG changeset patch # User Franz Glasner # Date 1758453090 -7200 # Node ID baeb8bdeff3a2e6f756bcb54f478436e9028312a # Parent fc4555a3097bec70cf03092bd60df377297e2b7d Fortify sources using _FORTIFY_SOURCE=3 and also apply -fno-delete-null-pointer-checks. See: https://github.com/ossf/wg-best-practices-os-developers/issues/659. diff -r fc4555a3097b -r baeb8bdeff3a Makefile.freebsd --- a/Makefile.freebsd Fri Sep 19 19:59:44 2025 +0200 +++ b/Makefile.freebsd Sun Sep 21 13:11:30 2025 +0200 @@ -51,6 +51,17 @@ #CC= $(CLANG_DIR)/bin/clang #CXX= $(CLANG_DIR)/bin/clang++ +# Define _FORTIFY_SOURCE=$(FORTIFY) (if != 0, default 0) +FORTIFY?= 3 +# +# If != 0 (default 1): +# -fno-delete-null-pointer-checks +# +# Should always be done when fortifying: +# https://github.com/ossf/wg-best-practices-os-developers/issues/659 +# +EXTRA_CHECKS?= 1 + all: sdist wheel @@ -61,7 +72,7 @@ $(TEST) -e $(firstword $(PYTHON_PREFIXES))/bin/cc || $(SYMLINK) $(CLANG_DIR)/bin/clang $(firstword $(PYTHON_PREFIXES))/bin/cc $(TEST) -e $(firstword $(PYTHON_PREFIXES))/bin/c++ || $(SYMLINK) $(CLANG_DIR)/bin/clang++ $(firstword $(PYTHON_PREFIXES))/bin/c++ $(TEST) -e $(firstword $(PYTHON_PREFIXES))/bin/ld || $(SYMLINK) $(CLANG_DIR)/bin/ld.lld $(firstword $(PYTHON_PREFIXES))/bin/ld - PIPCL_VERBOSE=2 LIBCLANG_LIBRARY_PATH=$(LIBCLANG_LIBRARY_PATH) PYMUPDF_SETUP_MUPDF_BUILD=$(PYMUPDF_SETUP_MUPDF_BUILD) PYMUPDF_SETUP_MUPDF_TESSERACT=$(PYMUPDF_SETUP_MUPDF_TESSERACT) $(PYTHON) -m build --wheel --verbose --no-isolation + FORTIFY=$(FORTIFY) EXTRA_CHECKS=$(EXTRA_CHECKS) PIPCL_VERBOSE=2 LIBCLANG_LIBRARY_PATH=$(LIBCLANG_LIBRARY_PATH) PYMUPDF_SETUP_MUPDF_BUILD=$(PYMUPDF_SETUP_MUPDF_BUILD) PYMUPDF_SETUP_MUPDF_TESSERACT=$(PYMUPDF_SETUP_MUPDF_TESSERACT) $(PYTHON) -m build --wheel --verbose --no-isolation sdist: check diff -r fc4555a3097b -r baeb8bdeff3a mupdf-source/Makerules --- a/mupdf-source/Makerules Fri Sep 19 19:59:44 2025 +0200 +++ b/mupdf-source/Makerules Sun Sep 21 13:11:30 2025 +0200 
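Review bot: The comment over `FORTIFY?= 3` in the first Makefile.freebsd hunk says "default 0", but the assignment right below it makes 3 the default for anyone building through this Makefile. The 0 appears to be the fallback that setup.py uses when `FORTIFY` is absent from the environment, which is a different thing from the Makefile default. I would reword it along the lines of `# Define _FORTIFY_SOURCE=$(FORTIFY) unless it is 0 (this Makefile defaults to 3; setup.py alone falls back to 0)`. The "default 1" in the `EXTRA_CHECKS` comment deserves the same precision about whose default is meant.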
@@ -105,6 +105,10 @@ CFLAGS += -ffunction-sections -fdata-sections endif +ifneq ($(EXTRA_CHECKS),0) + CFLAGS += -fno-delete-null-pointer-checks +endif + ifeq ($(OS),Darwin) LDREMOVEUNREACH := -Wl,-dead_strip SO := dylib diff -r fc4555a3097b -r baeb8bdeff3a mupdf-source/scripts/wrap/__main__.py --- a/mupdf-source/scripts/wrap/__main__.py Fri Sep 19 19:59:44 2025 +0200 +++ b/mupdf-source/scripts/wrap/__main__.py Sun Sep 21 13:11:30 2025 +0200 @@ -1541,6 +1541,8 @@ dir_so_flags = os.path.basename( build_dirs.dir_so).split( '-') cflags = os.environ.get('XCXXFLAGS', '') + if os.environ.get('EXTRA_CHECKS', '1') != '0': + cflags += ' -fno-delete-null-pointer-checks' windows_build_type = build_dirs.windows_build_type() so_version = get_so_version( build_dirs) diff -r fc4555a3097b -r baeb8bdeff3a pipcl.py --- a/pipcl.py Fri Sep 19 19:59:44 2025 +0200 +++ b/pipcl.py Sun Sep 21 13:11:30 2025 +0200 @@ -1767,6 +1767,8 @@ general_flags += ' -g' if optimise: general_flags += ' -O2 -DNDEBUG' + if os.environ.get('EXTRA_CHECKS', '1') != '0': + general_flags += ' -fno-delete-null-pointer-checks' py_limited_api3 = f'-DPy_LIMITED_API={py_limited_api2}' if py_limited_api2 else '' diff -r fc4555a3097b -r baeb8bdeff3a setup.py --- a/setup.py Fri Sep 19 19:59:44 2025 +0200 +++ b/setup.py Sun Sep 21 13:11:30 2025 +0200 @@ -967,6 +967,10 @@ log( f'Setting XCFLAGS and XCXXFLAGS to predefine TOFU_CJK_EXT.') env_add(env, 'XCFLAGS', '-DTOFU_CJK_EXT') env_add(env, 'XCXXFLAGS', '-DTOFU_CJK_EXT') + fortify = os.environ.get('FORTIFY', '0') + if fortify != '0': + env_add(env, 'XCFLAGS', f'-D_FORTIFY_SOURCE={fortify}') + env_add(env, 'XCXXFLAGS', f'-D_FORTIFY_SOURCE={fortify}') if openbsd or freebsd: env_add(env, 'CXX', 'c++', ' ') 
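Review bot: In the wrap/__main__.py hunk, `-fno-delete-null-pointer-checks` is appended to `cflags` with no platform or compiler check, and the very next context line computes `windows_build_type`, so this code path also runs for Windows builds. Whether `cflags` ever reaches an MSVC command line is not visible here, because the enclosing function starts and ends outside the hunk. If it does, the GCC/Clang-only option should be placed behind the script's existing platform test. The pipcl.py hunk appends the same flag to `general_flags` and deserves the same check. A short comment such as `# GCC/Clang only; opt out with EXTRA_CHECKS=0` at both sites would also document that the default is on.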
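Review bot: In the setup.py hunk at -967, the value of `FORTIFY` goes into the compiler flags unchecked via `f'-D_FORTIFY_SOURCE={fortify}'`. A set-but-empty `FORTIFY=` produces `-D_FORTIFY_SOURCE=`, and any other string, including one with spaces and further options, is passed straight through. I would restrict it to the known levels before the `!= '0'` test, e.g. `if fortify not in ('0', '1', '2', '3'): raise ValueError(f'Unsupported FORTIFY value: {fortify!r}')`. Toolchains that already predefine the macro will warn about a redefinition, so `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE={fortify}` is the safer spelling for the two `env_add` calls. The later setup.py hunk at -1192 reads the same variable into `defines` and needs the same validation.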
@@ -1192,6 +1196,9 @@
 debug = 'debug' in mupdf_build_dir_flags
 r_extra = ''
 defines = list()
+ fortify = os.environ.get('FORTIFY', '0')
+ if fortify != '0':
+ defines.append(f'_FORTIFY_SOURCE={fortify}')
 if windows:
 defines.append('FZ_DLL_CLIENT')
 wp = pipcl.wdev.WindowsPython()
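Review bot: `_FORTIFY_SOURCE` is appended to `defines` regardless of the `debug` value computed on the first context line of this hunk. The fortified wrappers only take effect when the compiler optimises, and glibc's headers emit a warning when the macro is set without optimisation, so an unoptimised debug build would get noise and no added protection. If debug builds here do compile without `-O` (the hunk does not show the optimisation flags), consider `if fortify != '0' and not debug:`. Failing that, add a comment stating that fortification is intentionally requested for debug builds too. The enclosing function continues outside the hunk on both sides.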