Add -Wformat-security to build (#53546)

sjkelly · web-flow · commit 4ab567fd2b71 · 2024-07-25T19:42:28.000+01:00
This enhances some printing security:

&gt; At present, this warns about calls to printf and scanf functions where
&gt; the format string is not a string literal and there are no format
arguments,
&gt; as in printf (foo);. This may be a security hole if the format string
came
&gt; from untrusted input and contains ‘%n’. (This is currently a subset of
what
&gt; -Wformat-nonliteral warns about, but in future warnings may be added
to
&gt; -Wformat-security that are not included in -Wformat-nonliteral.)
diff --git a/Make.inc b/Make.inc
@@ -495,7 +495,7 @@ MACOSX_VERSION_MIN := 11.0
 endif
 endif
 
-JCFLAGS_COMMON    := -std=gnu11 -pipe $(fPIC) -fno-strict-aliasing -D_FILE_OFFSET_BITS=64
+JCFLAGS_COMMON    := -std=gnu11 -pipe $(fPIC) -fno-strict-aliasing -D_FILE_OFFSET_BITS=64 -Wformat -Wformat-security
 JCFLAGS_CLANG     := $(JCFLAGS_COMMON)
 JCFLAGS_GCC       := $(JCFLAGS_COMMON) -fno-gnu-unique
 
@@ -504,7 +504,7 @@ JCPPFLAGS_COMMON  := -fasynchronous-unwind-tables
 JCPPFLAGS_CLANG   := $(JCPPFLAGS_COMMON) -mllvm -enable-tail-merge=0
 JCPPFLAGS_GCC     := $(JCPPFLAGS_COMMON) -fno-tree-tail-merge
 
-JCXXFLAGS_COMMON  := -pipe $(fPIC) -fno-rtti -std=c++17
+JCXXFLAGS_COMMON  := -pipe $(fPIC) -fno-rtti -std=c++17 -Wformat -Wformat-security
 JCXXFLAGS_CLANG   := $(JCXXFLAGS_COMMON) -pedantic
 JCXXFLAGS_GCC     := $(JCXXFLAGS_COMMON) -fno-gnu-unique
 
