diff --git a/configure.ac b/configure.ac index 5e9a6ee..9c274c1 100644 --- a/configure.ac +++ b/configure.ac @@ -41,9 +41,12 @@ fi if test -n "$GCC"; then AC_DEFINE([ATTRIBUTE_UNUSED], [__attribute__ ((__unused__))], [Define to the compiler's unused pragma]) - CFLAGS="$CFLAGS -Wall -Wextra -Wformat-security -Wshadow -Wwrite-strings" + # Add -fstack-protector to CFLAGS if supported GCC_STACK_PROTECT_CC - GCC_FORTIFY_SOURCE + # Add -D_FORTIFY_SOURCE=n to CFLAGS with highest supported n + AX_ADD_FORTIFY_SOURCE + # Add options to CFLAGS that should always be supported. + CFLAGS="$CFLAGS -Wall -Wextra -Wformat-security -Wshadow -Wwrite-strings" # Uncomment the line below to compile with additional warnings enabled. # CFLAGS="$CFLAGS -pedantic -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs" else diff --git a/m4/ax_add_fortify_source.m4 b/m4/ax_add_fortify_source.m4 new file mode 100644 index 0000000..860c159 --- /dev/null +++ b/m4/ax_add_fortify_source.m4 @@ -0,0 +1,119 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_add_fortify_source.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_ADD_FORTIFY_SOURCE +# +# DESCRIPTION +# +# Check whether -D_FORTIFY_SOURCE=2 can be added to CPPFLAGS without macro +# redefinition warnings, other cpp warnings or linker. Some distributions +# (such as Ubuntu or Gentoo Linux) enable _FORTIFY_SOURCE globally in +# their compilers, leading to unnecessary warnings in the form of +# +# :0:0: error: "_FORTIFY_SOURCE" redefined [-Werror] +# : note: this is the location of the previous definition +# +# which is a problem if -Werror is enabled. This macro checks whether +# _FORTIFY_SOURCE is already defined, and if not, adds -D_FORTIFY_SOURCE=2 +# to CPPFLAGS. +# +# Newer mingw-w64 msys2 package comes with a bug in +# headers-git-7.0.0.5546.d200317d-1. It broke -D_FORTIFY_SOURCE support, +# and would need -lssp or -fstack-protector. See +# https://github.com/msys2/MINGW-packages/issues/5803. Try to actually +# link it. +# +# LICENSE +# +# Copyright (c) 2017 David Seifert +# Copyright (c) 2019, 2023 Reini Urban +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 10 + +AC_DEFUN([AX_ADD_FORTIFY_SOURCE],[ + ac_save_cflags=$CFLAGS + ac_cwerror_flag=yes + AX_CHECK_COMPILE_FLAG([-Werror],[CFLAGS="$CFLAGS -Werror"]) + ax_add_fortify_3_failed= + AC_MSG_CHECKING([whether to add -D_FORTIFY_SOURCE=3 to CPPFLAGS]) + AC_LINK_IFELSE([ + AC_LANG_PROGRAM([], + [[ + #ifndef _FORTIFY_SOURCE + return 0; + #else + _FORTIFY_SOURCE_already_defined; + #endif + ]] + )], + AC_LINK_IFELSE([ + AC_LANG_SOURCE([[ + #define _FORTIFY_SOURCE 3 + #include + int main(void) { + char *s = " "; + strcpy(s, "x"); + return strlen(s)-1; + } + ]] + )], + [ + AC_MSG_RESULT([yes]) + CFLAGS=$ac_save_cflags + CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=3" + ], [ + AC_MSG_RESULT([no]) + ax_add_fortify_3_failed=1 + ], + ), + [ + AC_MSG_RESULT([no]) + ax_add_fortify_3_failed=1 + ]) + if test -n "$ax_add_fortify_3_failed" + then + AC_MSG_CHECKING([whether to add -D_FORTIFY_SOURCE=2 to CPPFLAGS]) + AC_LINK_IFELSE([ + AC_LANG_PROGRAM([], + [[ + #ifndef _FORTIFY_SOURCE + return 0; + #else + _FORTIFY_SOURCE_already_defined; + #endif + ]] + )], + AC_LINK_IFELSE([ + AC_LANG_SOURCE([[ + #define _FORTIFY_SOURCE 2 + #include + int main(void) { + char *s = " "; + strcpy(s, "x"); + return strlen(s)-1; + } + ]] + )], + [ + AC_MSG_RESULT([yes]) + CFLAGS=$ac_save_cflags + CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" + ], [ + AC_MSG_RESULT([no]) + CFLAGS=$ac_save_cflags + ], + ), + [ + AC_MSG_RESULT([no]) + CFLAGS=$ac_save_cflags + ]) + fi +]) diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4 new file mode 100644 index 0000000..bd753b3 --- /dev/null +++ b/m4/ax_check_compile_flag.m4 @@ -0,0 +1,53 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the current language's compiler +# or gives an error. (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the current language's default +# flags (e.g. CFLAGS) when the check is done. The check is thus made with +# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to +# force the compiler to issue an error when a bad flag is given. +# +# INPUT gives an alternative input source to AC_COMPILE_IFELSE. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim +# Copyright (c) 2011 Maarten Bosmans +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 6 + +AC_DEFUN([AX_CHECK_COMPILE_FLAG], +[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl +AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ + ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS + _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" + AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) +AS_VAR_IF(CACHEVAR,yes, + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_COMPILE_FLAGS diff --git a/m4/gcc-fortify-source.m4 b/m4/gcc-fortify-source.m4 deleted file mode 100644 index 4fbaca7..0000000 --- a/m4/gcc-fortify-source.m4 +++ /dev/null @@ -1,30 +0,0 @@ -dnl Check whether GCC accepts -D_FORTIFY_SOURCE -dnl -dnl This was introduced in GCC 4.1 and glibc 2.4, but was present in earlier -dnl versions on redhat systems (specifically GCC 3.4.3 and above). -dnl -dnl We define the GNUC_PREREQ macro to the same definition as __GNUC_PREREQ -dnl in . We don't use __GNUC_PREREQ directly because -dnl is not present on all the operating systems that we support, e.g. OpenBSD. -dnl -AC_DEFUN([GCC_FORTIFY_SOURCE],[ - if test "X$CC" != "X"; then - AC_MSG_CHECKING([whether ${CC} accepts -D_FORTIFY_SOURCE]) - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[ - #define GNUC_PREREQ(maj, min) ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min)) - #if !(GNUC_PREREQ (4, 1) \ - || (defined __GNUC_RH_RELEASE__ && GNUC_PREREQ (4, 0)) \ - || (defined __GNUC_RH_RELEASE__ && GNUC_PREREQ (3, 4) \ - && __GNUC_MINOR__ == 4 \ - && (__GNUC_PATCHLEVEL__ > 2 \ - || (__GNUC_PATCHLEVEL__ == 2 && __GNUC_RH_RELEASE__ >= 8)))) - #error No FORTIFY_SOURCE support - #endif - ]])],[ - AC_MSG_RESULT(yes) - CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2" - ],[ - AC_MSG_RESULT(no) - ]) - fi -])