diff --git a/pkgs/development/libraries/fortify-headers/default.nix b/pkgs/development/libraries/fortify-headers/default.nix
index 2c24665456b7..9a728619266f 100644
--- a/pkgs/development/libraries/fortify-headers/default.nix
+++ b/pkgs/development/libraries/fortify-headers/default.nix
@@ -15,6 +15,10 @@ stdenv.mkDerivation {
 hash = "sha256-8A8JcKHIBgXpUuIP4zs3Q1yBs5jCGd5F3H2E8UN/S2g=";
 };
+ patches = [
+ ./wchar-imports-skip.patch
+ ];
+
 installPhase = ''
 runHook preInstall
diff --git a/pkgs/development/libraries/fortify-headers/wchar-imports-skip.patch b/pkgs/development/libraries/fortify-headers/wchar-imports-skip.patch
new file mode 100644
index 000000000000..255ceba9f099
--- /dev/null
+++ b/pkgs/development/libraries/fortify-headers/wchar-imports-skip.patch
@@ -0,0 +1,41 @@
+wchar.h: only include other headers if _FORTIFY_SOURCE is enabled
+
+unexpectedly including other headers can cause problems with
+sensitive/brittle code, particularly with alternative compilers
+(clang) which are already operating on the margins of what's
+supported/expected by some projects.
+
+having a way to almost entirely short-circuit these headers (by
+disabling _FORTIFY_SOURCE) is therefore important.
+
+--- a/include/fortify/wchar.h
++++ b/include/fortify/wchar.h
+@@ -20,21 +20,23 @@
+ #if !defined(__cplusplus) && !defined(__clang__)
+ __extension__
+ #endif
+-#include_next
++#include_next
++
++#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 && defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
++
+ #if !defined(__cplusplus) && !defined(__clang__)
+ __extension__
+ #endif
+-#include_next
++#include_next
+ #if !defined(__cplusplus) && !defined(__clang__)
+ __extension__
+ #endif
+-#include_next
++#include_next
+ #if !defined(__cplusplus) && !defined(__clang__)
+ __extension__
+ #endif
+-#include_next
++#include_next
+
+-#if defined(_FORTIFY_SOURCE) && _FORTIFY_SOURCE > 0 && defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+ #include "fortify-headers.h"
+
+ #ifdef __cplusplus
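Review bot: The guard that the later `#include_next` lines in wchar.h now sit under also requires `__OPTIMIZE__ > 0`, but the patch description only names disabling `_FORTIFY_SOURCE` as the switch. An unoptimized build with `_FORTIFY_SOURCE` set will therefore skip those headers too, so code that relied on them arriving through wchar.h would presumably compile only with optimization on; the include targets are not visible on this page, so which headers are affected cannot be checked here. I would add a line to the description such as `the same guard also requires __OPTIMIZE__, so -O0 builds skip these includes as well`. Since this is a locally carried change to a hardening header, the patch header should also say whether it has been sent upstream, so it gets re-evaluated when fortify-headers is updated.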