From ac2b8ce3fb580510632eba88382555b22165e059 Mon Sep 17 00:00:00 2001
From: Simon Ruderich
Date: Wed, 13 Aug 2014 04:59:08 +0200
Subject: [PATCH] don't check for source fortification in debug lines Closes Debian bug #757683, reported by Matthias Klose.
---
 NEWS | 4 +++-
 bin/blhc | 4 +++-
 t/logs/debug-build | 8 ++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 37b8fdb..ec4abe2 100644
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,9 @@ Version 0.XX
 - Check for -fstack-protector-strong on supported platforms (since dpkg 1.17.11) (Debian bug #757885), reported by Markus Koschany.
 - Consider lines with -O0 or -Og debug builds and disable checks for -O2
- (Debian bug #714628), reported by Matthias Klose.
+ (Debian bug #714628), reported by Matthias Klose. Also don't check for
+ fortification in those lines as it requires optimization (Debian bug
+ #757683), also reported by Matthias Klose.
 Version 0.04
diff --git a/bin/blhc b/bin/blhc
index be3fd3f..6817a85 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -214,7 +214,8 @@ my @def_cxxflags = (
 my @def_cppflags = ();
 my @def_cppflags_fortify = (
 '-D_FORTIFY_SOURCE=2', # must be first, see cppflags_fortify_broken()
- # If you add another flag fix hack below (search for "Hack to fix").
+ # If you add another flag fix hack below (search for "Hack to fix") and
+ # $def_cppflags_fortify[0].
 );
 my @def_cppflags_fortify_bad = (
 # These flags may overwrite -D_FORTIFY_SOURCE=2.
@@ -1213,6 +1214,7 @@ LINE:
 # for a debug build.
 if (any_flags_used($line, @def_cflags_debug)) {
 remove_flags([\@cflags], \%flag_renames, $def_cflags[1]);
+ remove_flags([\@cppflags], \%flag_renames, $def_cppflags_fortify[0]);
 }
 # Check hardening flags.
diff --git a/t/logs/debug-build b/t/logs/debug-build
index a5638d0..20b495e 100644
--- a/t/logs/debug-build
+++ b/t/logs/debug-build
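Review bot: In the second bin/blhc hunk, the added `remove_flags([\@cppflags], \%flag_renames, $def_cppflags_fortify[0]);` drops the fortification requirement for every line that `any_flags_used` matches against `@def_cflags_debug`, so a compile line carrying `-O0` or `-Og` together with a later `-O2` (GCC honours the last -O option) would presumably pass without `-D_FORTIFY_SOURCE=2` even though fortification would take effect there. Whether `any_flags_used` considers flag order is not visible in this hunk, so this needs confirming against its definition. At minimum I would extend the comment above the branch, e.g. `# Fortification needs optimization, so it is not required on debug lines; a later -O2 on the same line is not considered.` The skip is also silent: objects built from such lines ship without fortified libc calls, and an informational line in the report would keep that visible to whoever reads the result. The enclosing `LINE:` loop starts and ends outside the hunk.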
@@ -6,6 +6,14 @@ gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-se
 gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.c
 gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+# -D_FORTIFY_SOURCE=2 requires -O2 to work, therfore ignore it for debug
+# lines.
+gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-a.c
+gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-b.c
+gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-c.c
+gcc -g -O0 -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -c test-d.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+
 gcc -g -Og -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
 gcc -g -Og -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
 gcc -g -Og -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
-- 
2.43.2
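Review bot: The new fixture block exercises only `-O0` lines without `-D_FORTIFY_SOURCE=2`; the `-Og` lines that follow in this hunk still carry the define, so the `-Og` half of the rule (NEWS names both `-O0` and `-Og`) is not pinned by anything visible here, unless such a block exists further down the file outside the hunk. A parallel `-Og` block without the define would cover it, and a line mixing `-O0` with a later `-O2` and no define would document which way the checker is meant to decide that case. The added comment also has a typo, `therfore` for `therefore`.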