From: "gaoliming via groups.io" <gaoliming=byosoft.com.cn@groups.io>
To: <devel@edk2.groups.io>, <lersek@redhat.com>, <jake@nvidia.com>
Cc: <jian.j.wang@intel.com>
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/RegularExpressinoDxe: Fix clang error
Date: Mon, 6 Nov 2023 08:59:28 +0800
Message-ID: <005f01da104c$7eaae9a0$7c00bce0$@byosoft.com.cn>
In-Reply-To: <ae50eb7e-5474-057f-d2ce-3a12359fd8b5@redhat.com>
Laszlo:
I agree with your suggestion. We can submit a new request to update oniguruma to the latest version.
This patch avoids the warning on the current version. I think this change is OK. I would like to merge this fix first.
Thanks
Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Ersek
> Sent: November 5, 2023 19:33
> To: devel@edk2.groups.io; jake@nvidia.com
> Cc: jian.j.wang@intel.com; gaoliming@byosoft.com.cn
> Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/RegularExpressinoDxe: Fix
> clang error
>
> On 10/3/23 17:04, Jake Garver via groups.io wrote:
> > Ignore old style declaration warnings in oniguruma/src/st.c. This was
> > already ignored for MSFT, but newer versions of clang complain as well.
> >
> > Signed-off-by: Jake Garver <jake@nvidia.com>
> > ---
> > .../Universal/RegularExpressionDxe/RegularExpressionDxe.inf | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git
> a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> > index 84489c2942..0092531a67 100644
> > ---
> a/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> > +++
> b/MdeModulePkg/Universal/RegularExpressionDxe/RegularExpressionDxe.inf
> > @@ -102,6 +102,7 @@
> >
> > # Oniguruma: old style declaration in st.c
> > MSFT:*_*_*_CC_FLAGS = /wd4131
> > + GCC:*_*_*_CC_FLAGS = -Wno-deprecated-non-prototype
> >
> > # Oniguruma: 'type cast' : truncation from 'OnigUChar *' to 'unsigned
> int'
> > MSFT:*_*_*_CC_FLAGS = /wd4305 /wd4306
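Review bot: The added "GCC:*_*_*_CC_FLAGS = -Wno-deprecated-non-prototype" line is wider than the problem it addresses: the "*_*_*" wildcard applies it to every GCC-family toolchain, target and architecture, and CC_FLAGS applies it to every source file in the module, while the comment above it and the commit message attribute the warning to st.c under newer clang only. Suggest saying in the comment that the option is there for newer clang, and confirming that the other toolchains matched by "GCC:*_*_*" accept the option without raising a diagnostic of their own. As written, the suppression would also hide old-style declarations in any file of the module other than st.c.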
>
> Our checkout of oniguruma is at tag "v6.9.4_mark1", from February 2020.
>
> The latest upstream oniguruma release is "v6.9.9", dated 10 October 2023.
>
> I totally randomly looked at the commit history. We are missing fixes
> that the oniguruma project has received in response to fuzzing and
> CodeQL static analysis. Fixes for use-after-free
> (25535521ba2ea1aa74a1f65fc4a8ba55b0030719), undefined-shift fixes (too
> many to list here, just search the history for "undefined-shift"),
> various memory leak fixes, null pointer dereference fixes, and so on.
>
> In particular, commit
> <https://github.com/kkos/oniguruma/commit/0e766952e8fec7b8d516ce4f52f95e53b09ca4de>
> is called "escape compile time warnings by clang 14.0", so that patch
> (from August 2023) may solve the direct issue.
>
> I propose that we should upgrade our oniguruma checkout to "v6.9.9", and
> resolve any fallout from the update.
>
> OVMF does not include RegularExpressionDxe, so I'm not attracted to take
> this on myself. Can the users / owners of those platforms that do
> include RegularExpressionDxe research the update to "v6.9.9"? I think
> this should be worth your while; the recent oniguruma commit history
> suggests that "v6.9.4_mark1" may contain quite a few known security bugs.
>
> Note that, in general, a primary use case for regex engines is *input
> validation*, before further parsing happens. It's not great if the
> engine used for input validation contains known security bugs itself.
>
> Laszlo
>