public inbox for devel@edk2.groups.io
From: "gaoliming via groups.io" <gaoliming=byosoft.com.cn@groups.io>
To: <devel@edk2.groups.io>, <lersek@redhat.com>, <jake@nvidia.com>
Cc: <jian.j.wang@intel.com>
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/RegularExpressinoDxe: Fix clang error
Date: Mon, 6 Nov 2023 08:59:28 +0800
Message-ID: <005f01da104c$7eaae9a0$7c00bce0$@byosoft.com.cn>
In-Reply-To: <ae50eb7e-5474-057f-d2ce-3a12359fd8b5@redhat.com>

Laszlo:
  I agree with your suggestion. We can submit a new request to update oniguruma to the latest version.

  This patch avoids the warning on the current version. I think this change is OK. I would like to merge this fix first. 

Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Ersek
> Sent: November 5, 2023 19:33
> To: devel@edk2.groups.io; jake@nvidia.com
> Cc: jian.j.wang@intel.com; gaoliming@byosoft.com.cn
> Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/RegularExpressinoDxe: Fix clang error
> 
> On 10/3/23 17:04, Jake Garver via groups.io wrote:
> > Ignore old style declaration warnings in oniguruma/src/st.c.  This was
> > already ignored for MSFT, but newer versions of clang complain as well.
> >
> > Signed-off-by: Jake Garver <jake@nvidia.com>
> > ---
> >  .../Universal/RegularExpressionDxe/RegularExpressionDxe.inf      | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git
> a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> > index 84489c2942..0092531a67 100644
> > ---
> a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> > +++
> b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> > @@ -102,6 +102,7 @@
> >
> >    # Oniguruma: old style declaration in st.c
> >    MSFT:*_*_*_CC_FLAGS = /wd4131
> > +  GCC:*_*_*_CC_FLAGS = -Wno-deprecated-non-prototype
> >
> >    # Oniguruma: 'type cast' : truncation from 'OnigUChar *' to 'unsigned
> int'
> >    MSFT:*_*_*_CC_FLAGS = /wd4305 /wd4306
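
Review bot: the added `GCC:*_*_*_CC_FLAGS = -Wno-deprecated-non-prototype` line turns the warning off for every source file built from this INF and for every toolchain in the GCC family, while the comment above it and the commit message tie the problem to st.c and to newer clang only. Consider narrowing the toolchain field so that only the clang tool chains that emit the warning get the flag, and confirm that older compilers still used to build this module accept an option they may not know. Extending the comment to say which compiler versions need the suppression would also make it easier to drop once the old-style declarations in st.c are gone.
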
> 
> Our checkout of oniguruma is at tag "v6.9.4_mark1", from February 2020.
> 
> The latest upstream oniguruma release is "v6.9.9", dated 10 October 2023.
> 
> I totally randomly looked at the commit history. We are missing fixes
> that the oniguruma project has received in response to fuzzing and
> CodeQL static analysis. Fixes for use-after-free
> (25535521ba2ea1aa74a1f65fc4a8ba55b0030719), undefined-shift fixes (too
> many to list here, just search the history for "undefined-shift"),
> various memory leak fixes, null pointer dereference fixes, and so on.
> 
> In particular, commit
> <https://github.com/kkos/oniguruma/commit/0e766952e8fec7b8d516ce4f52f95e53b09ca4de>
> is called "escape compile time warnings by clang 14.0", so that patch
> (from August 2023) may solve the direct issue.
> 
> I propose that we should upgrade our oniguruma checkout to "v6.9.9", and
> resolve any fallout from the update.
> 
> OVMF does not include RegularExpressionDxe, so I'm not attracted to take
> this on myself. Can the users / owners of those platforms that do
> include RegularExpressionDxe research the update to "v6.9.9"? I think
> this should be worth your while; the recent oniguruma commit history
> suggests that "v6.9.4_mark1" may contain quite a few known security bugs.
> 
> Note that, in general, a primary use case for regex engines is *input
> validation*, before further parsing happens. It's not great if the
> engine used for input validation contains known security bugs itself.
> 
> Laszlo

Thread overview: 7+ messages
2023-10-03 15:04 [edk2-devel] [PATCH] MdeModulePkg/RegularExpressinoDxe: Fix clang error Jake Garver via groups.io
2023-10-23  4:27 ` Nhi Pham via groups.io
     [not found] ` <1790A21286FB1538.11247@groups.io>
2023-11-05  7:09   ` Nhi Pham via groups.io
2023-11-06  0:59     ` Re: " gaoliming via groups.io
2023-11-05 11:32 ` Laszlo Ersek
2023-11-06  0:59   ` gaoliming via groups.io [this message]
2023-11-07 12:04     ` Re: " Laszlo Ersek