IngoMeyer441
commented
3 days ago Thanks for the PR!
Which hardening flags did you use? It would be interesting to add those to our CI debug builds.
Open yuyichao opened 3 days ago
IngoMeyer441
commented
3 days ago Thanks for the PR!
Which hardening flags did you use? It would be interesting to add those to our CI debug builds.
yuyichao
commented
3 days ago It was the option that's enabled by default on ArchLinux. I believe it's -D_FORTIFY_SOURCE=3. You can find snprintf in the list at https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html, among other functions.
IngoMeyer441
commented
3 days ago Ok, great thanks. I already pushed your commit to our CI, it will be automatically mirrored to GitHub in the next minutes. Hopefully, GitHub detects that your commit was already merged in.
yuyichao
commented
3 days ago (And to be clear, if you want to add new options to the CI, by "fail" I meant a runtime failure. The build itself was successful but trying to generate a pdf will fail)
IngoMeyer441
commented
3 days ago Ok, thanks for clarification. I added -D_FORTIFY_SOURCE=3 along with other flags from the OpenSSF recommendations to our Debug CI build. Now, our tests should catch the runtime errors caused by the checks.
The current limit of 17 is wrong since it is not the length of the buffer with the offset
j. This causes a hardened build to fail.