# HG changeset patch # User Franz Glasner # Date 1758470113 -7200 # Node ID c4daa0c83d64b6fa538c3e03d438a7ee0aaa41d1 # Parent 72c1b70d4f5c464e8cfb40cf244fe18b08958ded Apply also -fstack-clash-protection and -fstack-protector-strong for all generated binaries. Only done if EXTRA_CHECKS is not empty and not 0. diff -r 72c1b70d4f5c -r c4daa0c83d64 Makefile.freebsd --- a/Makefile.freebsd Sun Sep 21 15:10:12 2025 +0200 +++ b/Makefile.freebsd Sun Sep 21 17:55:13 2025 +0200 @@ -61,6 +61,8 @@ # https://github.com/ossf/wg-best-practices-os-developers/issues/659 # # -Werror=implicit-function-declaration +# -fstack-clash-protection +# -fstack-protector-strong # EXTRA_CHECKS?= 1 diff -r 72c1b70d4f5c -r c4daa0c83d64 mupdf-source/Makerules --- a/mupdf-source/Makerules Sun Sep 21 15:10:12 2025 +0200 +++ b/mupdf-source/Makerules Sun Sep 21 17:55:13 2025 +0200 @@ -108,6 +108,8 @@ ifneq ($(EXTRA_CHECKS),0) CFLAGS += -fno-delete-null-pointer-checks CFLAGS += -Werror=implicit-function-declaration + CFLAGS += -fstack-clash-protection + CFLAGS += -fstack-protector-strong endif ifeq ($(OS),Darwin) diff -r 72c1b70d4f5c -r c4daa0c83d64 mupdf-source/scripts/wrap/__main__.py --- a/mupdf-source/scripts/wrap/__main__.py Sun Sep 21 15:10:12 2025 +0200 +++ b/mupdf-source/scripts/wrap/__main__.py Sun Sep 21 17:55:13 2025 +0200 @@ -1544,6 +1544,8 @@ if os.environ.get('EXTRA_CHECKS', '1') != '0': cflags += ' -fno-delete-null-pointer-checks' cflags += ' -Werror=implicit-function-declaration' + cflags += ' -fstack-clash-protection' + cflags += ' -fstack-protector-strong' windows_build_type = build_dirs.windows_build_type() so_version = get_so_version( build_dirs) diff -r 72c1b70d4f5c -r c4daa0c83d64 pipcl.py --- a/pipcl.py Sun Sep 21 15:10:12 2025 +0200 +++ b/pipcl.py Sun Sep 21 17:55:13 2025 +0200 @@ -1770,6 +1770,8 @@ if os.environ.get('EXTRA_CHECKS', '1') != '0': general_flags += ' -fno-delete-null-pointer-checks' general_flags += ' -Werror=implicit-function-declaration' + general_flags += ' -fstack-clash-protection' + general_flags += ' -fstack-protector-strong' py_limited_api3 = f'-DPy_LIMITED_API={py_limited_api2}' if py_limited_api2 else ''