build: Fix HARDENING build options (#4996)

Due to typos in the option name in compiler.cmake (HARDENING vs
OIIO_HARDENING, oops), I think we were never really setting the intended
compiler flags. Fix that all up, and repair the other problems that it
revealed -- some compiler version and option combinations weren't happy
with each other, etc.

One notable change is in encode_iptc_iim_one_tag: I think I made it
safer by taking an early out for 0-sized data, and also it needed a
warning suppression when certain gcc hardening levels were used.

---------

Signed-off-by: Larry Gritz <[email protected]>

Author: lgritz

.github/workflows/ci.yml

@@ -494,7 +494,7 @@ jobs:
                             PTEX_VERSION=main
                             PUGIXML_VERSION=master
                             WEBP_VERSION=main
-                            OIIO_CMAKE_FLAGS="-DOIIO_HARDENING=2"
+                            OIIO_HARDENING=2
                             EXTRA_DEP_PACKAGES="python3.12-dev python3-numpy"
                             USE_OPENVDB=0
                             FREETYPE_VERSION=master
@@ -518,6 +518,7 @@ jobs:
                             PTEX_VERSION=v2.4.2
                             PUGIXML_VERSION=v1.14
                             WEBP_VERSION=v1.4.0
+                            OIIO_HARDENING=3
           - desc: clang18 C++17 avx2 exr3.1 ocio2.3
             nametag: linux-clang18
             runner: ubuntu-24.04

src/cmake/compiler.cmake

@@ -485,52 +485,74 @@ endif ()
 #      recommended default for optimized, shipping code.
 #  2 : enable features that trade off performance for security, recommended
 #      for debugging or deploying in security-sensitive environments.
-#  3 : enable features that have a significant performance impact, only
-#      recommended for debugging.
+#  3 : enable features that have a significant performance impact, to maximize
+#      finding bugs without regard to performance. Only recommended for
+#      debugging.
 #
 # Some documentation:
 # https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
 # https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html
 # https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_macros.html
 # https://libcxx.llvm.org/Hardening.html
-#
+# https://www.productive-cpp.com/hardening-cpp-programs-stack-protector/
+# https://medium.com/@simontoth/daily-bit-e-of-c-hardened-mode-of-standard-library-implementations-18be2422c372
+# https://cheatsheetseries.owasp.org/cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.html
+
 if (${CMAKE_BUILD_TYPE} STREQUAL "Debug")
-    set (${PROJ_NAME}_HARDENING_DEFAULT 3)
+    set (${PROJ_NAME}_HARDENING_DEFAULT 2)
 else ()
     set (${PROJ_NAME}_HARDENING_DEFAULT 1)
 endif ()
 set_cache (${PROJ_NAME}_HARDENING ${${PROJ_NAME}_HARDENING_DEFAULT}
            "Turn on security hardening features 0, 1, 2, 3")
 # Implementation:
-if (HARDENING GREATER_EQUAL 1)
+add_compile_definitions (${PROJ_NAME}_HARDENING_DEFAULT=${${PROJ_NAME}_HARDENING})
+if (${PROJ_NAME}_HARDENING GREATER_EQUAL 1)
+    # Enable PIE and pie to build as position-independent executables and
+    # libraries, needed for address space randomization used by some kernels.
+    set (CMAKE_POSITION_INDEPENDENT_CODE ON)
     # Features that should not detectably affect performance
     if (COMPILER_IS_GCC_OR_ANY_CLANG)
-        # Enable PIE and pie to build as position-independent executables,
-        # needed for address space randomiztion used by some kernels.
-        add_compile_options (-fPIE -pie)
-        add_link_options (-fPIE -pie)
         # Protect against stack overwrites. Is allegedly not a performance
         # tradeoff.
         add_compile_options (-fstack-protector-strong)
         add_link_options (-fstack-protector-strong)
     endif ()
     # Defining _FORTIFY_SOURCE provides buffer overflow checks in modern gcc &
     # clang with some compiler-assisted deduction of buffer lengths) for the
-    # many C functions such as memcpy, strcpy, sprintf, etc. See:
-    add_compile_definitions (_FORTIFY_SOURCE=${${PROJ_NAME}_HARDENING})
+    # many C functions such as memcpy, strcpy, sprintf, etc. But it requires
+    # optimization, so we don't do it for debug builds.
+    if ((CMAKE_COMPILER_IS_CLANG OR (GCC_VERSION VERSION_GREATER_EQUAL 14))
+         AND NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
+        add_compile_definitions (_FORTIFY_SOURCE=${${PROJ_NAME}_HARDENING})
+    endif ()
+endif ()
+if (${PROJ_NAME}_HARDENING EQUAL 1)
     # Setting _LIBCPP_HARDENING_MODE enables various hardening features in
     # clang/llvm's libc++ 18.0 and later.
-    add_compiler_definitions (_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST)
-endif ()
-if (HARDENING GREATER_EQUAL 2)
+    if (OIIO_CLANG_VERSION VERSION_GREATER_EQUAL 18.0 OR OIIO_APPLE_CLANG_VERSION VERSION_GREATER_EQUAL 18.0)
+        add_compile_definitions (_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST)
+    endif ()
+elseif (${PROJ_NAME}_HARDENING EQUAL 2)
     # Features that might impact performance measurably
-    add_compile_definitions (_GLIBCXX_ASSERTIONS)
-    add_compiler_definitions (_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE)
-endif ()
-if (HARDENING GREATER_EQUAL 3)
+    if (GCC_VERSION VERSION_GREATER_EQUAL 14)
+        # I've had trouble turning this on in older gcc
+        add_compile_definitions (_GLIBCXX_ASSERTIONS)
+    endif ()
+    if (OIIO_CLANG_VERSION VERSION_GREATER_EQUAL 18.0 OR OIIO_APPLE_CLANG_VERSION VERSION_GREATER_EQUAL 18.0)
+        add_compile_definitions (_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE)
+    endif ()
+elseif (${PROJ_NAME}_HARDENING EQUAL 3)
     # Debugging features that might impact performance significantly
-    add_compile_definitions (_GLIBCXX_DEBUG)
-    add_compiler_definitions (_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG)
+    if (GCC_VERSION VERSION_GREATER_EQUAL 14)
+        # I've had trouble turning this on in older gcc
+        add_compile_definitions (_GLIBCXX_ASSERTIONS)
+        # N.B. _GLIBCXX_DEBUG changes ABI, so don't do this:
+        #   add_compile_definitions (_GLIBCXX_DEBUG)
+    endif ()
+    if (OIIO_CLANG_VERSION VERSION_GREATER_EQUAL 18.0 OR OIIO_APPLE_CLANG_VERSION VERSION_GREATER_EQUAL 18.0)
+        add_compile_definitions (_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG)
+    endif ()
 endif ()
 
 

src/libOpenImageIO/iptc.cpp

@@ -181,17 +181,21 @@ decode_iptc_iim(const void* iptc, int length, ImageSpec& spec)
 static void
 encode_iptc_iim_one_tag(int tag, string_view data, std::vector<char>& iptc)
 {
-    OIIO_DASSERT(data != nullptr);
+    if (data.size() == 0)
+        return;
+    data = data.substr(0, 0xffff);  // Truncate to prevent 16 bit overflow
+    size_t tagsize = data.size();
     iptc.push_back((char)0x1c);
     iptc.push_back((char)0x02);
     iptc.push_back((char)tag);
-    if (data.size()) {
-        int tagsize = std::min(int(data.size()),
-                               0xffff - 1);  // Prevent 16 bit overflow
-        iptc.push_back((char)(tagsize >> 8));
-        iptc.push_back((char)(tagsize & 0xff));
-        iptc.insert(iptc.end(), data.data(), data.data() + tagsize);
-    }
+    iptc.push_back((char)(tagsize >> 8));
+    iptc.push_back((char)(tagsize & 0xff));
+    OIIO_PRAGMA_WARNING_PUSH
+    OIIO_GCC_ONLY_PRAGMA(GCC diagnostic ignored "-Wstringop-overflow")
+    // Suppress what I'm sure is a false positive warning when
+    // _GLIBCXX_ASSERTIONS is enabled.
+    iptc.insert(iptc.end(), data.begin(), data.end());
+    OIIO_PRAGMA_WARNING_POP
 }
 
 
@@ -208,7 +212,7 @@ encode_iptc_iim(const ImageSpec& spec, std::vector<char>& iptc)
                 std::string allvals = p->get_string(0);
                 std::vector<std::string> tokens;
                 Strutil::split(allvals, tokens, ";");
-                for (auto& token : tokens) {
+                for (auto token : tokens) {
                     token = Strutil::strip(token);
                     if (token.size()) {
                         if (iimtag[i].maxlen && iimtag[i].maxlen < token.size())