Mercurial > hgrepos > Python2 > PyMuPDF
changeset 31:baeb8bdeff3a
Fortify sources using _FORTIFY_SOURCE=3 and also apply -fno-delete-null-pointer-checks.
See: https://github.com/ossf/wg-best-practices-os-developers/issues/659.
| author | Franz Glasner <fzglas.hg@dom66.de> |
|---|---|
| date | Sun, 21 Sep 2025 13:11:30 +0200 |
| parents | fc4555a3097b |
| children | 72c1b70d4f5c |
| files | Makefile.freebsd mupdf-source/Makerules mupdf-source/scripts/wrap/__main__.py pipcl.py setup.py |
| diffstat | 5 files changed, 27 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/Makefile.freebsd Fri Sep 19 19:59:44 2025 +0200 +++ b/Makefile.freebsd Sun Sep 21 13:11:30 2025 +0200 @@ -51,6 +51,17 @@ #CC= $(CLANG_DIR)/bin/clang #CXX= $(CLANG_DIR)/bin/clang++ +# Define _FORTIFY_SOURCE=$(FORTIFY) (if != 0, default 0) +FORTIFY?= 3 +# +# If != 0 (default 1): +# -fno-delete-null-pointer-checks +# +# Should always be done when fortifying: +# https://github.com/ossf/wg-best-practices-os-developers/issues/659 +# +EXTRA_CHECKS?= 1 + all: sdist wheel @@ -61,7 +72,7 @@ $(TEST) -e $(firstword $(PYTHON_PREFIXES))/bin/cc || $(SYMLINK) $(CLANG_DIR)/bin/clang $(firstword $(PYTHON_PREFIXES))/bin/cc $(TEST) -e $(firstword $(PYTHON_PREFIXES))/bin/c++ || $(SYMLINK) $(CLANG_DIR)/bin/clang++ $(firstword $(PYTHON_PREFIXES))/bin/c++ $(TEST) -e $(firstword $(PYTHON_PREFIXES))/bin/ld || $(SYMLINK) $(CLANG_DIR)/bin/ld.lld $(firstword $(PYTHON_PREFIXES))/bin/ld - PIPCL_VERBOSE=2 LIBCLANG_LIBRARY_PATH=$(LIBCLANG_LIBRARY_PATH) PYMUPDF_SETUP_MUPDF_BUILD=$(PYMUPDF_SETUP_MUPDF_BUILD) PYMUPDF_SETUP_MUPDF_TESSERACT=$(PYMUPDF_SETUP_MUPDF_TESSERACT) $(PYTHON) -m build --wheel --verbose --no-isolation + FORTIFY=$(FORTIFY) EXTRA_CHECKS=$(EXTRA_CHECKS) PIPCL_VERBOSE=2 LIBCLANG_LIBRARY_PATH=$(LIBCLANG_LIBRARY_PATH) PYMUPDF_SETUP_MUPDF_BUILD=$(PYMUPDF_SETUP_MUPDF_BUILD) PYMUPDF_SETUP_MUPDF_TESSERACT=$(PYMUPDF_SETUP_MUPDF_TESSERACT) $(PYTHON) -m build --wheel --verbose --no-isolation sdist: check
--- a/mupdf-source/Makerules Fri Sep 19 19:59:44 2025 +0200 +++ b/mupdf-source/Makerules Sun Sep 21 13:11:30 2025 +0200 @@ -105,6 +105,10 @@ CFLAGS += -ffunction-sections -fdata-sections endif +ifneq ($(EXTRA_CHECKS),0) + CFLAGS += -fno-delete-null-pointer-checks +endif + ifeq ($(OS),Darwin) LDREMOVEUNREACH := -Wl,-dead_strip SO := dylib
--- a/mupdf-source/scripts/wrap/__main__.py Fri Sep 19 19:59:44 2025 +0200 +++ b/mupdf-source/scripts/wrap/__main__.py Sun Sep 21 13:11:30 2025 +0200 @@ -1541,6 +1541,8 @@ dir_so_flags = os.path.basename( build_dirs.dir_so).split( '-') cflags = os.environ.get('XCXXFLAGS', '') + if os.environ.get('EXTRA_CHECKS', '1') != '0': + cflags += ' -fno-delete-null-pointer-checks' windows_build_type = build_dirs.windows_build_type() so_version = get_so_version( build_dirs)
--- a/pipcl.py Fri Sep 19 19:59:44 2025 +0200 +++ b/pipcl.py Sun Sep 21 13:11:30 2025 +0200 @@ -1767,6 +1767,8 @@ general_flags += ' -g' if optimise: general_flags += ' -O2 -DNDEBUG' + if os.environ.get('EXTRA_CHECKS', '1') != '0': + general_flags += ' -fno-delete-null-pointer-checks' py_limited_api3 = f'-DPy_LIMITED_API={py_limited_api2}' if py_limited_api2 else ''
--- a/setup.py Fri Sep 19 19:59:44 2025 +0200 +++ b/setup.py Sun Sep 21 13:11:30 2025 +0200 @@ -967,6 +967,10 @@ log( f'Setting XCFLAGS and XCXXFLAGS to predefine TOFU_CJK_EXT.') env_add(env, 'XCFLAGS', '-DTOFU_CJK_EXT') env_add(env, 'XCXXFLAGS', '-DTOFU_CJK_EXT') + fortify = os.environ.get('FORTIFY', '0') + if fortify != '0': + env_add(env, 'XCFLAGS', f'-D_FORTIFY_SOURCE={fortify}') + env_add(env, 'XCXXFLAGS', f'-D_FORTIFY_SOURCE={fortify}') if openbsd or freebsd: env_add(env, 'CXX', 'c++', ' ') @@ -1192,6 +1196,9 @@ debug = 'debug' in mupdf_build_dir_flags r_extra = '' defines = list() + fortify = os.environ.get('FORTIFY', '0') + if fortify != '0': + defines.append(f'_FORTIFY_SOURCE={fortify}') if windows: defines.append('FZ_DLL_CLIENT') wp = pipcl.wdev.WindowsPython()