m-ab-s / media-autobuild_suite

This Windows Batchscript helps setup a Mingw-w64 compiler environment for building ffmpeg and other media tools under Windows.
GNU General Public License v3.0
1.54k stars 267 forks source link

add custom CFLAGS etc due to a recent issue #2426

Open hydra3333 opened 1 year ago

hydra3333 commented 1 year ago

Hello. Is there some way we can (optionally) add flags to the ffmpeg build, as well as to individual dependency builds ? I know a couple of dependencies refuse to build with -fstack-protector-all and/or -D_FORTIFY_SOURCE=2.

Something like

CFLAGS   = " -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp "
CXXFLAGS = " -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp "
CPPFLAGS = " -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp "
LDFLAGS  = " -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp "

The reason is: I recently used a derivative of deadsix27's build system however a combination of mingw64 git head and ubuntu 22.04.2 with that combination of safety flags resulted in the exe always yielding

ffmpeg.exe -h
*** stack smashing detected ***:  terminated

which is unusual to say the very least, so something is badly amiss there.
Fresh ubunbtu, fresh mingw, etc, see https://trac.ffmpeg.org/ticket/10329

I'd like to see what happens with a MABS ffmpeg built with those safety flags.

I know at least ffmpeg configure has these ... but where to define them ...

--extra-cflags=
--extra-cxxflags=
--extra-ldflags=
hydra3333 commented 1 year ago

Ah, MABS works OK with a roughie hacked-up test.

How satisfying, yet strange for the other build system which used to work fine - until the latest ubuntu 22.04.2 broke mingw64 tagged version 10 (it used to work) and it all went downhill from there.

ffmpeg -h
ffmpeg version N-110402-ge3143703e9 Copyright (c) 2000-2023 the FFmpeg developers
  built with gcc 12.2.0 (Rev10, Built by MSYS2 project)
  configuration:  --pkg-config=pkgconf --cc='ccache gcc' --cxx='ccache g++' --ld='ccache g++' --extra-cxxflags=-fpermissive --extra-cflags=-Wno-int-conversion --disable-autodetect --enable-nvenc --enable-ffnvcodec --enable-nvdec --enable-cuda-llvm --disable-debug --enable-libfdk-aac --enable-gpl --extra-cflags='" -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp "' --extra-cxxflags='" -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp "' --extra-ldflags='" -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp "' --enable-schannel --extra-cflags=' -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp ' --extra-cxxflags=' -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp ' --extra-ldflags=' -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp ' --enable-nonfree

Given that experience, I'd like to build as much as possible with -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp as I'm not hugely concerned about the performance impact given the "safety" angle.

hydra3333 commented 1 year ago

Issued also confirmed using WSL's ubuntu 22.04.2

Biswa96 commented 1 year ago

CFLAGS = " -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp "

Those compiler flags are for security reason.

ffmpeg.exe -h stack smashing detected : terminated

That error means there is some buffer overflow. Disabling that compiler flag would negate that security measure. Debug the program and try to fix the issue.

hydra3333 commented 1 year ago

cough.
ffmpeg -h does not usually generate that error. cross-compiled with the build system under ubuntu 22.04.1 worked fine. Not so as outline above when "upgraded". issue narrowed to ubuntu 22.04.2 in combination with mingw64 git head. not ffmpeg.

there are a LOT of third party dependencies ... which "should" all be compiled with these safety features, nowadays.

hydra3333 commented 1 year ago

Would it be fair to suggest that -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp goes in this code block in media-autobuild_suite.bat for each of CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS ?

    echo.CPPFLAGS="-D_FORTIFY_SOURCE=0 -D__USE_MINGW_ANSI_STDIO=1"
    if %CC%==clang (
        echo.CFLAGS="-mtune=generic -O2 -pipe"
    ) else (
        echo.CFLAGS="-mthreads -mtune=generic -O2 -pipe"
    )
    echo.CXXFLAGS="${CFLAGS}"
    if %CC%==clang (
        echo.LDFLAGS="-pipe -static-libgcc --start-no-unused-arguments -static-libstdc++ --end-no-unused-arguments"
    ) else (
        echo.LDFLAGS="-pipe -static-libgcc -static-libstdc++"
    )

I'm nor sure whether doing so makes the options propagated into those flags every time when building every product and dependency.

hydra3333 commented 1 year ago

Please, would it be possible to update MABS to allow -fstack-protector-all -D_FORTIFY_SOURCE=2 -lssp everywhere perhaps as an option ? Such a change is a 'good thing'.