On 10/3/23 17:04, Jake Garver via groups.io wrote:
> Ignore old style declaration warnings in oniguruma/src/st.c.  This was
> already ignored for MSFT, but newer versions of clang complain as well.
> 
> Signed-off-by: Jake Garver <j...@nvidia.com>
> ---
>  .../Universal/RegularExpressionDxe/RegularExpressionDxe.inf      | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git 
> a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf 
> b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> index 84489c2942..0092531a67 100644
> --- a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> +++ b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> @@ -102,6 +102,7 @@
>  
>    # Oniguruma: old style declaration in st.c
>    MSFT:*_*_*_CC_FLAGS = /wd4131
> +  GCC:*_*_*_CC_FLAGS = -Wno-deprecated-non-prototype
>  
>    # Oniguruma: 'type cast' : truncation from 'OnigUChar *' to 'unsigned int'
>    MSFT:*_*_*_CC_FLAGS = /wd4305 /wd4306
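
Review bot: the added `GCC:*_*_*_CC_FLAGS` line is wider than the problem described. It disables the warning for every GCC-family toolchain and for every source file in RegularExpressionDxe, while the commit message attributes the warning to newer versions of clang and the comment above it names only st.c. Consider narrowing the toolchain field (the second `*`) to the clang toolchain tags that actually emit the warning, or extending the comment to say which compiler and version the flag is for. It is also worth confirming that older clang releases, which do not know `-Wno-deprecated-non-prototype`, do not answer it with an unknown-option diagnostic that becomes fatal under -Werror.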

Our checkout of oniguruma is at tag "v6.9.4_mark1", from February 2020.

The latest upstream oniguruma release is "v6.9.9", dated 10 October 2023.

I totally randomly looked at the commit history. We are missing fixes
that the oniguruma project has received in response to fuzzing and
CodeQL static analysis. Fixes for use-after-free
(25535521ba2ea1aa74a1f65fc4a8ba55b0030719), undefined-shift fixes (too
many to list here, just search the history for "undefined-shift"),
various memory leak fixes, null pointer dereference fixes, and so on.

In particular, commit
<https://github.com/kkos/oniguruma/commit/0e766952e8fec7b8d516ce4f52f95e53b09ca4de>
is called "escape compile time warnings by clang 14.0", so that patch
(from August 2023) may solve the direct issue.

I propose that we should upgrade our oniguruma checkout to "v6.9.9", and
resolve any fallout from the update.

OVMF does not include RegularExpressionDxe, so I'm not attracted to take
this on myself. Can the users / owners of those platforms that do
include RegularExpressionDxe research the update to "v6.9.9"? I think
this should be worth your while; the recent oniguruma commit history
suggests that "v6.9.4_mark1" may contain quite a few known security bugs.

Note that, in general, a primary use case for regex engines is *input
validation*, before further parsing happens. It's not great if the
engine used for input validation contains known security bugs itself.

Laszlo


