Bug #96346 for XML-DifferenceMarkup: Fails to build with g++ -Werror=format-security

Mon Jun 09 11:05:37 2014 ppisar [...] redhat.com - Ticket created

Subject:

Fails to build with g++ -Werror=format-security

The 1.04 code fails to build with GCC and -Werror=format-security option on i686 platform, e.g.: perl-libxml-sax.c: In function 'void PSaxStartPrefix(PmmSAXVectorPtr, const xmlChar*, const xmlChar*, SV*)': perl-libxml-sax.c:208:31: error: format not a string literal and no format arguments [-Werror=format-security] croak(SvPV(ERRSV, n_a)); This is due old bundled XML-LibXML code. There are two similar issues in the DifferenceMarkup.xs code. Attached patch fixes all the issues. However in general, I recommend to stop bundling XML-LibXML code (e.g. to drop the perl-libxml-*.c files and do XSLoader::load('XML::LibXML'). -- Petr

Subject:

XML-DifferenceMarkup-1.04-Fix-format-security-warnings.patch

From f9b571cf8b768c04d56a365500a6580781ca4248 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Mon, 9 Jun 2014 16:35:16 +0200 Subject: [PATCH] Fix format-security warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit g++ -Werror=format-security bails out in i686 with: perl-libxml-sax.c: In function 'void PSaxStartPrefix(PmmSAXVectorPtr, const xmlChar*, const xmlChar*, SV*)': perl-libxml-sax.c:208:31: error: format not a string literal and no format arguments [-Werror=format-security] croak(SvPV(ERRSV, n_a)); This perl-libxml-sax.c change is back-ported from XML-LibXML's commit: changeset: 809:bd868e3ee419 user: pajas@9ae0c189-cd1f-4510-a509-f4891f5cf20d date: Thu Sep 24 08:36:11 2009 +0000 summary: - documented new parser option API Signed-off-by: Petr PÃsaÅ <ppisar@redhat.com> --- DifferenceMarkup.xs | 4 +-- perl-libxml-sax.c | 73 ++++++++++++++++++----------------------------------- 2 files changed, 27 insertions(+), 50 deletions(-) diff --git a/DifferenceMarkup.xs b/DifferenceMarkup.xs index 2ddbaa8..6724e21 100644 --- a/DifferenceMarkup.xs +++ b/DifferenceMarkup.xs @@ -50,7 +50,7 @@ _make_diff(de1, de2) { std::string msg("XML::DifferenceMarkup diff: "); msg += x; - croak(msg.c_str()); + croak("%s", msg.c_str()); } RETVAL = PmmNodeToSv(reinterpret_cast<xmlNodePtr>(rv), 0); @@ -83,7 +83,7 @@ _merge_diff(src_doc, diff_elem) { std::string msg("XML::DifferenceMarkup merge: "); msg += x; - croak(msg.c_str()); + croak("%s", msg.c_str()); } RETVAL = PmmNodeToSv(reinterpret_cast<xmlNodePtr>(rv), 0); diff --git a/perl-libxml-sax.c b/perl-libxml-sax.c index 9a56c2d..e120422 100644 --- a/perl-libxml-sax.c +++ b/perl-libxml-sax.c @@ -22,6 +22,15 @@ extern "C" { #include <libxml/entities.h> #include <libxml/xmlerror.h> +/* + * auxiliary macro to serve as an croak(NULL) + * unlike croak(NULL), this version does not produce + * a warning (see the perlapi for the meaning of croak(NULL)) + * + */ + +#define croak_obj Perl_croak(aTHX_ NULL) + #ifdef __cplusplus } #endif @@ -203,9 +212,7 @@ PSaxStartPrefix( PmmSAXVectorPtr sax, const xmlChar * prefix, perl_call_method( "start_prefix_mapping", G_SCALAR | G_EVAL ); sv_2mortal(rv); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; LEAVE ; @@ -248,9 +255,7 @@ PSaxEndPrefix( PmmSAXVectorPtr sax, const xmlChar * prefix, perl_call_method( "end_prefix_mapping", G_SCALAR | G_EVAL ); sv_2mortal(rv); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -602,9 +607,7 @@ PSaxStartDocument(void * ctx) count = perl_call_method( "start_document", G_SCALAR | G_EVAL ); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } SPAGAIN; @@ -637,9 +640,7 @@ PSaxStartDocument(void * ctx) count = perl_call_method( "xml_decl", G_SCALAR | G_EVAL ); sv_2mortal(rv); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -668,9 +669,7 @@ PSaxEndDocument(void * ctx) count = perl_call_pv( "XML::LibXML::_SAXParser::end_document", G_SCALAR | G_EVAL ); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -720,9 +719,7 @@ PSaxStartElement(void *ctx, const xmlChar * name, const xmlChar** attr) sv_2mortal(rv) ; if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -760,9 +757,7 @@ PSaxEndElement(void *ctx, const xmlChar * name) { sv_2mortal(rv); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -810,9 +805,7 @@ PSaxCharacters(void *ctx, const xmlChar * ch, int len) { sv_2mortal(rv); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -854,9 +847,7 @@ PSaxComment(void *ctx, const xmlChar * ch) { sv_2mortal(rv); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -893,9 +884,7 @@ PSaxCDATABlock(void *ctx, const xmlChar * ch, int len) { PUTBACK; count = perl_call_method( "start_cdata", G_SCALAR | G_EVAL ); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } SPAGAIN; @@ -909,9 +898,7 @@ PSaxCDATABlock(void *ctx, const xmlChar * ch, int len) { count = perl_call_method( "characters", G_SCALAR | G_EVAL ); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } SPAGAIN; @@ -924,9 +911,7 @@ PSaxCDATABlock(void *ctx, const xmlChar * ch, int len) { sv_2mortal(rv); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -970,9 +955,7 @@ PSaxProcessingInstruction( void * ctx, const xmlChar * target, const xmlChar * d sv_2mortal(rv); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -1018,9 +1001,7 @@ PmmSaxWarning(void * ctx, const char * msg, ...) perl_call_pv( "XML::LibXML::_SAXParser::warning", G_SCALAR | G_EVAL ); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -1061,9 +1042,7 @@ PmmSaxError(void * ctx, const char * msg, ...) PUTBACK; perl_call_pv( "XML::LibXML::_SAXParser::error", G_SCALAR | G_EVAL ); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; @@ -1102,9 +1081,7 @@ PmmSaxFatalError(void * ctx, const char * msg, ...) PUTBACK; perl_call_pv( "XML::LibXML::_SAXParser::fatal_error", G_SCALAR | G_EVAL ); if (SvTRUE(ERRSV)) { - STRLEN n_a; - POPs; - croak(SvPV(ERRSV, n_a)); + croak_obj; } FREETMPS ; -- 1.9.3

Mon Jun 09 14:05:43 2014 vbarta [...] mangrove.cz - Taken

Sun Jun 15 11:17:56 2014 vbarta [...] mangrove.cz - Correspondence added

Switched bundled LibXML code to sources from XML-LibXML-2.0116 (lightly edited to compile as C++ and not require/support multi-threading), which do not have the reported problem; fixed calls to croak in DifferenceMarkup.xs. Admittedly duplicating LibXML code isn't ideal, but adding XSLoader::load('XML::LibXML'); to DifferenceMarkup.pm doesn't make the required LibXML functions available - probably they aren't exported in the first place. Short of rewriting diffmark in Perl, I don't see how to simplify the integration of XML::DifferenceMarkup dependencies, but I'm open to suggestions.

Sun Jun 15 11:17:57 2014 The RT System itself - Status changed from 'new' to 'open'

Sun Jun 15 11:17:57 2014 vbarta [...] mangrove.cz - Status changed from 'open' to 'resolved'

Sun Jun 15 11:17:58 2014 vbarta [...] mangrove.cz - Fixed in 1.05 added