From c5396a14672b479a7b9fe44144e5e099f9bbca31 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Tue, 30 Jul 2024 11:42:31 -0500 Subject: [PATCH 01/16] Add -Wformat=2 compiler option to NODIST default --- configure | 39 +++++++++++++++++++++++++++++++++++++++ configure.ac | 1 + 2 files changed, 40 insertions(+) diff --git a/configure b/configure index 39ab48fa4e2526..4c352f11d976e8 100755 --- a/configure +++ b/configure @@ -9769,6 +9769,45 @@ then : else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wtrampolines not supported" >&5 printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;} +fi + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wformat=2" >&5 +printf %s "checking whether C compiler accepts -Wformat=2... " >&6; } +if test ${ax_cv_check_cflags__Werror__Wformat_2+y} +then : + printf %s "(cached) " >&6 +else $as_nop + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -Werror -Wformat=2" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main (void) +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO" +then : + ax_cv_check_cflags__Werror__Wformat_2=yes +else $as_nop + ax_cv_check_cflags__Werror__Wformat_2=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror__Wformat_2" >&5 +printf "%s\n" "$ax_cv_check_cflags__Werror__Wformat_2" >&6; } +if test "x$ax_cv_check_cflags__Werror__Wformat_2" = xyes +then : + CFLAGS_NODIST="$CFLAGS_NODIST -Wformat=2" +else $as_nop + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wformat=2 not supported" >&5 +printf "%s\n" "$as_me: WARNING: -Wformat=2 not supported" >&2;} fi fi diff --git a/configure.ac b/configure.ac index 62ed812991fc4e..2c04112f61454b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2510,6 +2510,7 @@ if test "$disable_safety" = "no" then AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [CFLAGS_NODIST="$CFLAGS_NODIST -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror]) AX_CHECK_COMPILE_FLAG([-Wtrampolines], [CFLAGS_NODIST="$CFLAGS_NODIST -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror]) + AX_CHECK_COMPILE_FLAG([-Wformat=2], [CFLAGS_NODIST="$CFLAGS_NODIST -Wformat=2"], [AC_MSG_WARN([-Wformat=2 not supported])], [-Werror]) fi AC_MSG_CHECKING([for --enable-slower-safety]) From 19437ef4315394e7788f2197109ed5cfad694138 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Tue, 30 Jul 2024 12:09:21 -0500 Subject: [PATCH 02/16] Add -Wformat to NODIST --- configure | 24 ++++++++++++------------ configure.ac | 2 +- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/configure b/configure index 4c352f11d976e8..1f91df256c04e0 100755 --- a/configure +++ b/configure @@ -9771,15 +9771,15 @@ else $as_nop printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;} fi - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wformat=2" >&5 -printf %s "checking whether C compiler accepts -Wformat=2... " >&6; } -if test ${ax_cv_check_cflags__Werror__Wformat_2+y} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wformat -Wformat=2" >&5 +printf %s "checking whether C compiler accepts -Wformat -Wformat=2... " >&6; } +if test ${ax_cv_check_cflags__Werror__Wformat__Wformat_2+y} then : printf %s "(cached) " >&6 else $as_nop ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -Werror -Wformat=2" + CFLAGS="$CFLAGS -Werror -Wformat -Wformat=2" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ 
@@ -9793,21 +9793,21 @@ main (void) _ACEOF if ac_fn_c_try_compile "$LINENO" then : - ax_cv_check_cflags__Werror__Wformat_2=yes + ax_cv_check_cflags__Werror__Wformat__Wformat_2=yes else $as_nop - ax_cv_check_cflags__Werror__Wformat_2=no + ax_cv_check_cflags__Werror__Wformat__Wformat_2=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext CFLAGS=$ax_check_save_flags fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror__Wformat_2" >&5 -printf "%s\n" "$ax_cv_check_cflags__Werror__Wformat_2" >&6; } -if test "x$ax_cv_check_cflags__Werror__Wformat_2" = xyes +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror__Wformat__Wformat_2" >&5 +printf "%s\n" "$ax_cv_check_cflags__Werror__Wformat__Wformat_2" >&6; } +if test "x$ax_cv_check_cflags__Werror__Wformat__Wformat_2" = xyes then : - CFLAGS_NODIST="$CFLAGS_NODIST -Wformat=2" + CFLAGS_NODIST="$CFLAGS_NODIST -Wformat -Wformat=2" else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wformat=2 not supported" >&5 -printf "%s\n" "$as_me: WARNING: -Wformat=2 not supported" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wformat and -Wformat=2 not supported" >&5 +printf "%s\n" "$as_me: WARNING: -Wformat and -Wformat=2 not supported" >&2;} fi fi diff --git a/configure.ac b/configure.ac index 2c04112f61454b..baa6c4a1ecd1d6 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2510,7 +2510,7 @@ if test "$disable_safety" = "no" then AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [CFLAGS_NODIST="$CFLAGS_NODIST -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror]) AX_CHECK_COMPILE_FLAG([-Wtrampolines], [CFLAGS_NODIST="$CFLAGS_NODIST -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror]) - AX_CHECK_COMPILE_FLAG([-Wformat=2], [CFLAGS_NODIST="$CFLAGS_NODIST -Wformat=2"], [AC_MSG_WARN([-Wformat=2 not supported])], [-Werror]) + AX_CHECK_COMPILE_FLAG([-Wformat -Wformat=2], [CFLAGS_NODIST="$CFLAGS_NODIST -Wformat -Wformat=2"], [AC_MSG_WARN([-Wformat and -Wformat=2 not supported])], [-Werror]) fi AC_MSG_CHECKING([for --enable-slower-safety]) From cba84fe49549a97254428d8449941841fb4faef8 Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Tue, 30 Jul 2024 17:34:49 +0000 Subject: [PATCH 03/16] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?= =?UTF-8?q?lurb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst | 1 + 1 file changed, 1 insertion(+) create mode 100644 Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst diff --git a/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst b/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst new file mode 100644 index 00000000000000..ec7f247d677f72 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst @@ -0,0 +1 @@ +Add -Wformat=2 to NODIST build flags to warn about potential vulnerabilities related to format strings. From 178bcc6e00d2358480132bed73da848dcff0cb1f Mon Sep 17 00:00:00 2001 
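Review bot: Both flags are probed in a single `AX_CHECK_COMPILE_FLAG([-Wformat -Wformat=2], ...)` call, so a compiler that accepts `-Wformat` but rejects `-Wformat=2` under `-Werror` ends up with neither flag in `CFLAGS_NODIST`. The previous revision probed `-Wformat=2` alone, and nothing on the new line says why plain `-Wformat` now has to accompany it. If the pairing is required, a `dnl` comment above the line should state the reason so a later cleanup does not drop the first flag. If it is not required, two separate checks, one for `[-Wformat]` and one for `[-Wformat=2]`, each appending only its own flag, would degrade more gracefully. The enclosing `if test "$disable_safety" = "no"` block opens above the hunk.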
From: Nate Ohlson Date: Tue, 30 Jul 2024 13:13:31 -0500 Subject: [PATCH 04/16] Add fail on warning regression option to ubuntu builds --- .github/workflows/reusable-ubuntu.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml index c6289a74e9a5f6..4b6f90d36e5996 100644 --- a/.github/workflows/reusable-ubuntu.yml +++ b/.github/workflows/reusable-ubuntu.yml @@ -80,7 +80,7 @@ jobs: working-directory: ${{ env.CPYTHON_BUILDDIR }} run: make pythoninfo - name: Check compiler warnings - run: python Tools/build/check_warnings.py --compiler-output-file-path=${{ env.CPYTHON_BUILDDIR }}/compiler_output.txt --warning-ignore-file-path ${GITHUB_WORKSPACE}/Tools/build/.warningignore_ubuntu + run: python Tools/build/check_warnings.py --compiler-output-file-path=${{ env.CPYTHON_BUILDDIR }}/compiler_output.txt --warning-ignore-file-path ${GITHUB_WORKSPACE}/Tools/build/.warningignore_ubuntu --fail-on-regression - name: Remount sources writable for tests # some tests write to srcdir, lack of pyc files slows down testing run: sudo mount $CPYTHON_RO_SRCDIR -oremount,rw From 3bc76ca4189611b7a90e7ed9ef322b3d807827fd Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Mon, 5 Aug 2024 16:59:24 -0500 Subject: [PATCH 05/16] Add warning ignores to code with nonliteral format strings --- Objects/unicodeobject.c | 7 +++++++ Python/getversion.c | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index ffb879a68745b1..11d27a8ada9385 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c 
@@ -2851,6 +2851,12 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, default: fmt = formats[sizemod]; break; } int issigned = (*f == 'd' || *f == 'i'); + // Format strings for sprintf are selected from constant arrays of + // constant strings, and the variable used to index into the arrays + // is only assigned known constant values. Ignore warnings related + // to the format string not being a string literal. + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wformat-nonliteral" switch (sizemod) { case F_LONG: len = issigned ? @@ -2881,6 +2887,7 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, sprintf(buffer, fmt, va_arg(*vargs, unsigned int)); break; } + #pragma GCC diagnostic pop assert(len >= 0); int sign = (buffer[0] == '-'); diff --git a/Python/getversion.c b/Python/getversion.c index 226b2f999a6bfd..9d32ff4d7e9c47 100644 --- a/Python/getversion.c +++ b/Python/getversion.c @@ -19,8 +19,13 @@ void _Py_InitVersion(void) #else const char *buildinfo_format = "%.80s (%.80s) %.80s"; #endif + // The format string is defined above and is observably safe. + // Ignore warnings related to non-literal format strings. + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wformat-nonliteral" PyOS_snprintf(version, sizeof(version), buildinfo_format, PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler()); + #pragma GCC diagnostic pop } const char * From c4b8cf9d602429456a390b71a8cc2ae799a84953 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Mon, 5 Aug 2024 17:46:14 -0500 Subject: [PATCH 06/16] Limit pragmas to gcc/clang --- Objects/unicodeobject.c | 4 ++++ Python/getversion.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 11d27a8ada9385..2dfaa702d65392 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c 
@@ -2855,8 +2855,10 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, // constant strings, and the variable used to index into the arrays // is only assigned known constant values. Ignore warnings related // to the format string not being a string literal. + #if defined(__GNUC__) || defined(__clang__) #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wformat-nonliteral" + #endif switch (sizemod) { case F_LONG: len = issigned ? @@ -2887,7 +2889,9 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, sprintf(buffer, fmt, va_arg(*vargs, unsigned int)); break; } + #if defined(__GNUC__) || defined(__clang__) #pragma GCC diagnostic pop + #endif assert(len >= 0); int sign = (buffer[0] == '-'); diff --git a/Python/getversion.c b/Python/getversion.c index 9d32ff4d7e9c47..b04cb369067ad3 100644 --- a/Python/getversion.c +++ b/Python/getversion.c @@ -21,11 +21,15 @@ void _Py_InitVersion(void) #endif // The format string is defined above and is observably safe. // Ignore warnings related to non-literal format strings. + #if defined(__GNUC__) && !defined(__clang__) #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wformat-nonliteral" + #endif PyOS_snprintf(version, sizeof(version), buildinfo_format, PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler()); + #if defined(__GNUC__) && !defined(__clang__) #pragma GCC diagnostic pop + #endif } const char * From 8cff32e4df708d99f0b6048e919b074dd4c87d24 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Wed, 7 Aug 2024 13:35:45 -0500 Subject: [PATCH 07/16] Refactor version _Py_InitVersion to use format string literals --- Python/getversion.c | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/Python/getversion.c b/Python/getversion.c index b04cb369067ad3..0c4207fa353a66 100644 --- a/Python/getversion.c +++ b/Python/getversion.c 
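Review bot: The same pragma is guarded by two different conditions and neither file says why: the Objects/unicodeobject.c hunks use `#if defined(__GNUC__) || defined(__clang__)`, while the Python/getversion.c hunk uses `#if defined(__GNUC__) && !defined(__clang__)`. Clang in its default GNU-compatible mode also defines `__GNUC__`, so the getversion.c form deliberately leaves the suppression off for clang builds while the unicodeobject.c form keeps it on. If clang does not report `-Wformat-nonliteral` for `buildinfo_format`, a short comment beside the guard should say so. Otherwise both sites should use one condition, so that a build with `-Wformat=2` behaves the same in both files. Both functions begin and end outside their hunks.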
@@ -15,21 +15,12 @@ void _Py_InitVersion(void) } initialized = 1; #ifdef Py_GIL_DISABLED - const char *buildinfo_format = "%.80s experimental free-threading build (%.80s) %.80s"; + PyOS_snprintf(version, sizeof(version), "%.80s experimental free-threading build (%.80s) %.80s", + PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler()); #else - const char *buildinfo_format = "%.80s (%.80s) %.80s"; -#endif - // The format string is defined above and is observably safe. - // Ignore warnings related to non-literal format strings. - #if defined(__GNUC__) && !defined(__clang__) - #pragma GCC diagnostic push - #pragma GCC diagnostic ignored "-Wformat-nonliteral" - #endif - PyOS_snprintf(version, sizeof(version), buildinfo_format, + PyOS_snprintf(version, sizeof(version), "%.80s (%.80s) %.80s", PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler()); - #if defined(__GNUC__) && !defined(__clang__) - #pragma GCC diagnostic pop - #endif +#endif } const char * From a3b0c46790c5ddf451b4f8326f314d3370db84cb Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Wed, 18 Sep 2024 01:41:27 -0500 Subject: [PATCH 08/16] Create pyport preprocessor macro for ignoring format nonliterals --- Include/pyport.h | 5 +++++ Objects/unicodeobject.c | 10 +++------- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/Include/pyport.h b/Include/pyport.h index 2b6bd4c21110e5..ba9c8adf63205e 100644 --- a/Include/pyport.h +++ b/Include/pyport.h 
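Review bot: The refactor in `_Py_InitVersion` repeats the whole `PyOS_snprintf` call in both preprocessor branches, so the buffer size and the three arguments can drift apart between the default and `Py_GIL_DISABLED` builds. Adjacent string literals are concatenated at compile time and still count as a literal format string, so only the differing fragment needs to be conditional and the call can be written once, as sketched below. That keeps the format checkable by `-Wformat=2` without a suppression. The function begins above the hunk.

```c
#ifdef Py_GIL_DISABLED
#  define BUILD_KIND " experimental free-threading build"
#else
#  define BUILD_KIND ""
#endif
    PyOS_snprintf(version, sizeof(version),
                  "%.80s" BUILD_KIND " (%.80s) %.80s",
                  PY_VERSION, Py_GetBuildInfo(), Py_GetCompiler());
#undef BUILD_KIND
```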
@@ -288,12 +288,16 @@ extern "C" { #define _Py_COMP_DIAG_PUSH _Pragma("clang diagnostic push") #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS \ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"") +#define _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL \ + _Pragma("clang diagnostic ignored \"-Wformat-nonliteral\"") #define _Py_COMP_DIAG_POP _Pragma("clang diagnostic pop") #elif defined(__GNUC__) \ && ((__GNUC__ >= 5) || (__GNUC__ == 4) && (__GNUC_MINOR__ >= 6)) #define _Py_COMP_DIAG_PUSH _Pragma("GCC diagnostic push") #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS \ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"") +#define _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL \ + _Pragma("GCC diagnostic ignored \"-Wformat-nonliteral\"") #define _Py_COMP_DIAG_POP _Pragma("GCC diagnostic pop") #elif defined(_MSC_VER) #define _Py_COMP_DIAG_PUSH __pragma(warning(push)) @@ -302,6 +306,7 @@ extern "C" { #else #define _Py_COMP_DIAG_PUSH #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS +#define _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL #define _Py_COMP_DIAG_POP #endif diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 59371dade80dfa..b956d0f4e44b9d 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -2855,10 +2855,8 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, // constant strings, and the variable used to index into the arrays // is only assigned known constant values. Ignore warnings related // to the format string not being a string literal. - #if defined(__GNUC__) || defined(__clang__) - #pragma GCC diagnostic push - #pragma GCC diagnostic ignored "-Wformat-nonliteral" - #endif + _Py_COMP_DIAG_PUSH + _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL switch (sizemod) { case F_LONG: len = issigned ? 
@@ -2889,9 +2887,7 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, sprintf(buffer, fmt, va_arg(*vargs, unsigned int)); break; } - #if defined(__GNUC__) || defined(__clang__) - #pragma GCC diagnostic pop - #endif + _Py_COMP_DIAG_POP assert(len >= 0); int sign = (buffer[0] == '-'); From fa528623a3b3dc06a563ce583d6ed7fa2b1a877b Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Wed, 18 Sep 2024 01:51:50 -0500 Subject: [PATCH 09/16] Add MSVC boilerplate macro for ignoring format nonliteral --- Include/pyport.h | 1 + 1 file changed, 1 insertion(+) diff --git a/Include/pyport.h b/Include/pyport.h index ba9c8adf63205e..f355b71f3bd287 100644 --- a/Include/pyport.h +++ b/Include/pyport.h @@ -302,6 +302,7 @@ extern "C" { #elif defined(_MSC_VER) #define _Py_COMP_DIAG_PUSH __pragma(warning(push)) #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS __pragma(warning(disable: 4996)) +#define _Py_COMP_DIAG_IGNORE_DEPR_DECLS #define _Py_COMP_DIAG_POP __pragma(warning(pop)) #else #define _Py_COMP_DIAG_PUSH From 6cd1defd9e3f1eeb7d66b1cbddb966349e1cb504 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Wed, 18 Sep 2024 01:53:19 -0500 Subject: [PATCH 10/16] Add nonliteral macro --- Include/pyport.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Include/pyport.h b/Include/pyport.h index f355b71f3bd287..1de166cab4bef0 100644 --- a/Include/pyport.h +++ b/Include/pyport.h @@ -302,7 +302,7 @@ extern "C" { #elif defined(_MSC_VER) #define _Py_COMP_DIAG_PUSH __pragma(warning(push)) #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS __pragma(warning(disable: 4996)) -#define _Py_COMP_DIAG_IGNORE_DEPR_DECLS +#define _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL #define _Py_COMP_DIAG_POP __pragma(warning(pop)) #else #define _Py_COMP_DIAG_PUSH From 9806f8882f60e5edd1655fbb6a4952fafcb34373 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Mon, 30 Sep 2024 14:47:55 -0500 Subject: [PATCH 11/16] Merge main --- Objects/unicodeobject.c | 27 +-------------------------- 1 file changed, 1 insertion(+), 26 deletions(-) 
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 94e2bfc75637cb..d6a3cffabef181 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -2863,23 +2863,6 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, case 'o': case 'u': case 'x': case 'X': { char buffer[MAX_INTMAX_CHARS]; -<<<<<<< HEAD - const char *fmt = NULL; - switch (*f) { - case 'o': fmt = formats_o[sizemod]; break; - case 'u': fmt = formats_u[sizemod]; break; - case 'x': fmt = formats_x[sizemod]; break; - case 'X': fmt = formats_X[sizemod]; break; - default: fmt = formats[sizemod]; break; - } - int issigned = (*f == 'd' || *f == 'i'); - // Format strings for sprintf are selected from constant arrays of - // constant strings, and the variable used to index into the arrays - // is only assigned known constant values. Ignore warnings related - // to the format string not being a string literal. - _Py_COMP_DIAG_PUSH - _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL -======= // Fill buffer using sprinf, with one of many possible format // strings, like "%llX" for `long long` in hexadecimal. @@ -2906,7 +2889,6 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, } // Outer switch to handle all the sizes/types ->>>>>>> main switch (sizemod) { case F_LONG: DO_SPRINTS("l", long, unsigned long); break; case F_LONGLONG: DO_SPRINTS("ll", long long, unsigned long long); break; @@ -2915,13 +2897,10 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, case F_INTMAX: DO_SPRINTS("j", intmax_t, uintmax_t); break; default: DO_SPRINTS("", int, unsigned int); break; } -<<<<<<< HEAD - _Py_COMP_DIAG_POP -======= + #undef SPRINT #undef DO_SPRINTS ->>>>>>> main assert(len >= 0); int sign = (buffer[0] == '-'); 
@@ -2933,13 +2912,9 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, precision = width - sign; } - Py_ssize_t spacepad = Py_MAX(width - precision - sign, 0); - Py_ssize_t zeropad = Py_MAX(precision - len, 0); - if (_PyUnicodeWriter_Prepare(writer, width, 127) == -1) return NULL; - if (spacepad && !(flags & F_LJUST)) { if (PyUnicode_Fill(writer->buffer, writer->pos, spacepad, ' ') == -1) return NULL; writer->pos += spacepad; From 88fbc656e83a158beeb0d7892c915be38c84b998 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Mon, 30 Sep 2024 14:57:48 -0500 Subject: [PATCH 12/16] Pull unicodeobject changes --- Objects/unicodeobject.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index d6a3cffabef181..0f502ccdaf5767 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -2897,7 +2897,6 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, case F_INTMAX: DO_SPRINTS("j", intmax_t, uintmax_t); break; default: DO_SPRINTS("", int, unsigned int); break; } - #undef SPRINT #undef DO_SPRINTS @@ -2912,9 +2911,13 @@ unicode_fromformat_arg(_PyUnicodeWriter *writer, precision = width - sign; } + Py_ssize_t spacepad = Py_MAX(width - precision - sign, 0); + Py_ssize_t zeropad = Py_MAX(precision - len, 0); + if (_PyUnicodeWriter_Prepare(writer, width, 127) == -1) return NULL; + if (spacepad && !(flags & F_LJUST)) { if (PyUnicode_Fill(writer->buffer, writer->pos, spacepad, ' ') == -1) return NULL; writer->pos += spacepad; From 304aed1bbfee6ca603b0993214b835e87377b2ec Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Tue, 8 Oct 2024 13:45:31 -0500 Subject: [PATCH 13/16] Update macos warningignore for new warnings --- Tools/build/.warningignore_macos | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Tools/build/.warningignore_macos b/Tools/build/.warningignore_macos index e72309229cc60f..b2fe7c3fd1a3cf 100644 --- a/Tools/build/.warningignore_macos +++ b/Tools/build/.warningignore_macos 
@@ -3,7 +3,13 @@
 # Keep lines sorted lexicographically to help avoid merge conflicts.
 # Format example:
 # /path/to/file (number of warnings in file)
+Modules/_ctypes/_ctypes_test.c 1
+Modules/_ctypes/callbacks.c 1
 Modules/expat/siphash.h 7
 Modules/expat/xmlparse.c 8
 Modules/expat/xmltok.c 3
 Modules/expat/xmltok_impl.c 26
+Objects/mimalloc *
+Python/pylifecycle.c 1
+Python/sysmodule.c 1
+Python/tracemalloc.c 1
\ No newline at end of file
From 5afb8d814a4ca735e647abe83a37c3fecfbd368d Mon Sep 17 00:00:00 2001
From: Nate Ohlson
Date: Tue, 8 Oct 2024 14:38:08 -0500
Subject: [PATCH 14/16] Fix mimalloc directory warning ignore
---
 Tools/build/.warningignore_macos | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Tools/build/.warningignore_macos b/Tools/build/.warningignore_macos
index b2fe7c3fd1a3cf..a3a8cdf73cda57 100644
--- a/Tools/build/.warningignore_macos
+++ b/Tools/build/.warningignore_macos
@@ -9,7 +9,7 @@ Modules/expat/siphash.h 7
 Modules/expat/xmlparse.c 8
 Modules/expat/xmltok.c 3
 Modules/expat/xmltok_impl.c 26
-Objects/mimalloc *
+Objects/mimalloc/ *
 Python/pylifecycle.c 1
 Python/sysmodule.c 1
 Python/tracemalloc.c 1
\ No newline at end of file
From 1e664f6e93c2fa79d5e96c3a6599127ddce0d09c Mon Sep 17 00:00:00 2001
From: Nate Ohlson
Date: Tue, 8 Oct 2024 15:11:17 -0500
Subject: [PATCH 15/16] Revert pyport
---
 Include/pyport.h | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/Include/pyport.h b/Include/pyport.h
index 1de166cab4bef0..2b6bd4c21110e5 100644
--- a/Include/pyport.h
+++ b/Include/pyport.h
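Review bot: The new `Python/pylifecycle.c 1`, `Python/sysmodule.c 1` and `Python/tracemalloc.c 1` entries baseline one warning each in core runtime files without recording which diagnostic is being accepted. If these are the format warnings newly reported by `-Wformat=2` (likely given this series, but not shown here), each call site should be checked before it is ignored, since the flag exists to surface that class of problem. Provided the checker tolerates comments between entries, a `#` line naming the warning and a tracking issue would make the suppressions auditable, e.g. `# -Wformat-nonliteral, tracked in <issue placeholder>`. The `Objects/mimalloc *` wildcard accepts any number of warnings under that path, so it needs the same justification. The file also now ends without a trailing newline (`\ No newline at end of file`).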
@@ -288,26 +288,20 @@ extern "C" { #define _Py_COMP_DIAG_PUSH _Pragma("clang diagnostic push") #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS \ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"") -#define _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL \ - _Pragma("clang diagnostic ignored \"-Wformat-nonliteral\"") #define _Py_COMP_DIAG_POP _Pragma("clang diagnostic pop") #elif defined(__GNUC__) \ && ((__GNUC__ >= 5) || (__GNUC__ == 4) && (__GNUC_MINOR__ >= 6)) #define _Py_COMP_DIAG_PUSH _Pragma("GCC diagnostic push") #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS \ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"") -#define _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL \ - _Pragma("GCC diagnostic ignored \"-Wformat-nonliteral\"") #define _Py_COMP_DIAG_POP _Pragma("GCC diagnostic pop") #elif defined(_MSC_VER) #define _Py_COMP_DIAG_PUSH __pragma(warning(push)) #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS __pragma(warning(disable: 4996)) -#define _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL #define _Py_COMP_DIAG_POP __pragma(warning(pop)) #else #define _Py_COMP_DIAG_PUSH #define _Py_COMP_DIAG_IGNORE_DEPR_DECLS -#define _Py_COMP_DIAG_IGNORE_FORMAT_NONLITERAL #define _Py_COMP_DIAG_POP #endif From 1b4089b1679d1adb7e6d000c2c5b37fa2fcc9bde Mon Sep 17 00:00:00 2001 From: "Erlend E. Aasland" Date: Tue, 15 Oct 2024 00:32:24 +0200 Subject: [PATCH 16/16] Formatting nit --- .../Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst b/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst index ec7f247d677f72..2efc88ec22171d 100644 --- a/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst +++ b/Misc/NEWS.d/next/Security/2024-07-30-17-34-47.gh-issue-112301.8J8WhZ.rst 
@@ -1 +1 @@
-Add -Wformat=2 to NODIST build flags to warn about potential vulnerabilities related to format strings.
+Add ``-Wformat=2`` to ``NODIST`` build flags to warn about potential vulnerabilities related to format strings.