Skip Menu |

This queue is for tickets about the Params-Validate CPAN distribution.

Report information
The Basics
Id: 74777
Status: resolved
Priority: 0/
Queue: Params-Validate
People
Owner: Nobody in particular
Requestors: voegelas [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Normal
Broken in: 1.03
Fixed in: 1.05

History Show all quoted text
  Wed Feb 08 06:29:41 2012 voegelas [...] cpan.org - Ticket created
Subject: GCC complains about "croak(SvPV_nolen(buffer))" when compiling Params/Validate/XS.xs with -Werror=format-security
When Params::Validate's XS module is compiled with -Werror=format-security (as described in http://article.gmane.org/gmane.comp.lang.perl.perl5.porters/105559), the build fails with the following error message: lib/Params/Validate/XS.xs: In function 'validate_named_depends': lib/Params/Validate/XS.xs:1005:29: error: format not a string literal and no format arguments [-Werror=format-security] GCC complains about this function call: croak(SvPV_nolen(buffer)); I don't know if "buffer" could contain format specifiers but passing "%s" as the format string should be safer and makes GCC happy: croak("%s", SvPV_nolen(buffer));
Subject: lib_Params_Validate_XS_xs.diff.txt
--- lib/Params/Validate/XS.xs 2012-02-08 10:08:42.000000000 +0100 +++ lib/Params/Validate/XS.xs.orig 2012-02-06 23:45:04.000000000 +0100 @@ -1002,7 +1002,7 @@ sv_catpv(buffer, "' does not exist in spec: "); sv_catsv(buffer, depend_name); - croak("%s", SvPV_nolen(buffer)); + croak(SvPV_nolen(buffer)); } /* if we got here, the spec was correct. we just * need to issue a regular validation failure
  Wed Feb 08 13:02:19 2012 voegelas [...] cpan.org - Subject changed from 'GCC complains about "croak(SvPV_nolen(buffer))" when compiling Params/Validate/XS.xs with -Werror=format-security' to 'compiling with -Werror=format-security fails'
  Wed Feb 08 15:12:15 2012 autarch [...] urth.org - Correspondence added
Subject: Re: [rt.cpan.org #74777] GCC complains about "croak(SvPV_nolen(buffer))" when compiling Params/Validate/XS.xs with -Werror=format-security
Date: Wed, 8 Feb 2012 14:12:06 -0600 (CST)
To: Andreas Voegele via RT <bug-Params-Validate [...] rt.cpan.org>
From: Dave Rolsky <autarch [...] urth.org>
On Wed, 8 Feb 2012, Andreas Voegele via RT wrote: Show quoted text
> When Params::Validate's XS module is compiled with > -Werror=format-security (as described in > http://article.gmane.org/gmane.comp.lang.perl.perl5.porters/105559), the > build fails with the following error message: > > lib/Params/Validate/XS.xs: In function 'validate_named_depends': > lib/Params/Validate/XS.xs:1005:29: error: format not a string literal > and no format arguments [-Werror=format-security]
I can't replicate this when passing the same flag to my gcc (4.5.2). Is this a new warning, or one that's been eliminated in my version of gcc? -dave /*============================================================ http://VegGuide.org http://blog.urth.org Your guide to all that's veg House Absolute(ly Pointless) ============================================================*/
  Wed Feb 08 15:12:16 2012 The RT System itself - Status changed from 'new' to 'open'
  Wed Feb 08 16:12:56 2012 voegelas [...] cpan.org - Correspondence added
Am Mi 08. Feb 2012, 15:12:15, autarch@urth.org schrieb: Show quoted text
> On Wed, 8 Feb 2012, Andreas Voegele via RT wrote: >
> > When Params::Validate's XS module is compiled with > > -Werror=format-security (as described in > > http://article.gmane.org/gmane.comp.lang.perl.perl5.porters/105559), the > > build fails with the following error message: > > > > lib/Params/Validate/XS.xs: In function 'validate_named_depends': > > lib/Params/Validate/XS.xs:1005:29: error: format not a string literal > > and no format arguments [-Werror=format-security]
> > I can't replicate this when passing the same flag to my gcc (4.5.2). Is > this a new warning, or one that's been eliminated in my version of gcc?
Hm, both gcc 4.6 on my Slackware Linux box as well as 4.2 under OpenBSD support "-Werror=format-security". But actually that compiler option is not that important. I've attached a program that demonstrates the problem. The program segfaults unless the patch that I sent earlier is applied. croak() must never be called with user-supplied data as a format string. See the CAVEATS section in L<http://www.openbsd.org/cgi-bin/man.cgi?query=printf#end> for an explanation. That comment also applies to Perl's croak() function.
Subject: crash_params_validate.pl
use strict; use warnings; use Params::Validate qw(:all); sub foo { validate( @_, { a => { type => SCALAR, depends => [ '%s%s%s' ] }, } ); } foo({a => 1});
  Wed Feb 08 22:52:24 2012 autarch [...] urth.org - Correspondence added
Subject: Re: [rt.cpan.org #74777] compiling with -Werror=format-security fails
Date: Wed, 8 Feb 2012 21:52:14 -0600 (CST)
To: Andreas Voegele via RT <bug-Params-Validate [...] rt.cpan.org>
From: Dave Rolsky <autarch [...] urth.org>
On Wed, 8 Feb 2012, Andreas Voegele via RT wrote: Show quoted text
> But actually that compiler option is not that important. I've attached a > program that demonstrates the problem. The program segfaults unless the > patch that I sent earlier is applied. croak() must never be called with > user-supplied data as a format string. See the CAVEATS section in > L<http://www.openbsd.org/cgi-bin/man.cgi?query=printf#end> for an > explanation. That comment also applies to Perl's croak() function.
This doesn't crash my system, but the fix certainly makes sense. -dave /*============================================================ http://VegGuide.org http://blog.urth.org Your guide to all that's veg House Absolute(ly Pointless) ============================================================*/
  Fri Feb 10 12:43:26 2012 DROLSKY [...] cpan.org - Status changed from 'open' to 'resolved'
  Fri Feb 10 12:43:27 2012 DROLSKY [...] cpan.org - Fixed in 1.05 added