Laszlo:
I agree with your suggestion. We can submit a new request to update oniguruma to the latest version.
This patch avoids the warning on the current version. I think this change is OK. I would like to merge this fix first.

Thanks
Liming

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Ersek
> Sent: November 5, 2023 19:33
> To: devel@edk2.groups.io; j...@nvidia.com
> Cc: jian.j.w...@intel.com; gaolim...@byosoft.com.cn
> Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/RegularExpressinoDxe: Fix clang error
>
> On 10/3/23 17:04, Jake Garver via groups.io wrote:
> > Ignore old style declaration warnings in oniguruma/src/st.c. This was
> > already ignored for MSFT, but newer versions of clang complain as well.
> >
> > Signed-off-by: Jake Garver <j...@nvidia.com>
> > --- > > .../Universal/RegularExpressionDxe/RegularExpressionDxe.inf | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git > a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf > b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf > > index 84489c2942..0092531a67 100644 > > --- > a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf > > +++ > b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> > @@ -102,6 +102,7 @@ > > > > # Oniguruma: old style declaration in st.c > > MSFT:*_*_*_CC_FLAGS = /wd4131 > > + GCC:*_*_*_CC_FLAGS = -Wno-deprecated-non-prototype > > > > # Oniguruma: 'type cast' : truncation from 'OnigUChar *' to 'unsigned > int' > > MSFT:*_*_*_CC_FLAGS = /wd4305 /wd4306
>
> Our checkout of oniguruma is at tag "v6.9.4_mark1", from February 2020.
>
> The latest upstream oniguruma release is "v6.9.9", dated 10 October 2023.
>
> I totally randomly looked at the commit history. We are missing fixes
> that the oniguruma project has received in response to fuzzing and
> CodeQL static analysis. Fixes for use-after-free
> (25535521ba2ea1aa74a1f65fc4a8ba55b0030719), undefined-shift fixes (too
> many to list here, just search the history for "undefined-shift"),
> various memory leak fixes, null pointer dereference fixes, and so on.
>
> In particular, commit
> <https://github.com/kkos/oniguruma/commit/0e766952e8fec7b8d516ce4f52f95e53b09ca4de>
> is called "escape compile time warnings by clang 14.0", so that patch
> (from August 2023) may solve the direct issue.
>
> I propose that we should upgrade our oniguruma checkout to "v6.9.9", and
> resolve any fallout from the update.
>
> OVMF does not include RegularExpressionDxe, so I'm not attracted to take
> this on myself. Can the users / owners of those platforms that do
> include RegularExpressionDxe research the update to "v6.9.9"? I think
> this should be worth your while; the recent oniguruma commit history
> suggests that "v6.9.4_mark1" may contain quite a few known security bugs.
>
> Note that, in general, a primary use case for regex engines is *input
> validation*, before further parsing happens. It's not great if the
> engine used for input validation contains known security bugs itself.
>
> Laszlo
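Review bot: the added `GCC:*_*_*_CC_FLAGS = -Wno-deprecated-non-prototype` line is wildcarded across every target, toolchain tag and architecture in the GCC family, while the commit message attributes the warning only to newer versions of clang. The commit message should say which compilers and versions were built with this flag, since an older compiler that does not recognize the option may report it, and the toolchain field could be narrowed if only clang needs the suppression. The flag also applies to every source file in the module, not only to st.c as the comment above it suggests, so the comment should state that the suppression is module-wide and that it is meant to be dropped once the oniguruma sources no longer use old-style declarations.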