GNOME Bugzilla – Bug 784912
[PATCH] mdvi-lib: Fix two compilation warnings
Last modified: 2017-08-17 11:09:09 UTC

Created attachment 355525
mdvi-lib: Fix two compilation warnings

They are:
- incorrect function prototype, and
- const char accessed through a char pointer.

Review of attachment 355525:

Can you please split this up into 2 patches? In the commit message, also include the warning message from the compiler.

You should investigate git-bz to attach patches, see
https://wiki.gnome.org/Git/WorkingWithPatches
Should make it easier to contribute multiple patches without too much manual work :)

Created attachment 355999
mdvi-lib: Fix compilation warning (bad prototype)

Created attachment 356000
mdvi-lib: Fix compilation warning (const-correctness)

(In reply to Bastien Nocera from comment #1)
> Review of attachment 355525:
>
> Can you please split this up into 2 patches? In the commit message, also
> include the warning message from the compiler.

Done.

Note: Prompted by your mention in the other report that libgd is a separate project, I went looking for an upstream "mdvi-lib". I found this [0], which apparently hasn't been updated in 16 years. Given that, it's questionable whether it should be considered an upstream or not, but the interesting thing is that these 2 bugs are in fact fixed in that 16-years old codebase [1], so evidently Evince's import is even older!

0: https://sourceforge.net/projects/mdvi/
1: http://mdvi.cvs.sourceforge.net/viewvc/mdvi/mdvi/lib/fontmap.c?view=annotate
   The bad prototype was fixed, the code for the bad pointer type is disabled.

In the Git log I see that Evince has fixed a few vulnerabilities (last one in 2011); I wonder if this is why nobody has attempted to merge the two yet...

> You should investigate git-bz to attach patches, see
> https://wiki.gnome.org/Git/WorkingWithPatches
> Should make it easier to contribute multiple patches without too much manual
> work :)

Thanks for the heads up, I will take a look later. Sidenote: the script seems to be available only via insecure protocols. If it's commonly used by Gnome people it would be good if a known-good mirror could be set up on something less trivially MITM'able.

Review of attachment 355999:

Looks fine.

Review of attachment 356000:

Sure.

(In reply to astian from comment #4)
> (In reply to Bastien Nocera from comment #1)
> > Review of attachment 355525:
> >
> > Can you please split this up into 2 patches? In the commit message, also
> > include the warning message from the compiler.
>
> Done.
>
> Note: Prompted by your mention in the other report that libgd is a separate
> project, I went looking for an upstream "mdvi-lib". I found this [0], which
> apparently hasn't been updated in 16 years. Given that, it's questionable
> whether it should be considered an upstream or not, but the interesting thing
> is that these 2 bugs are in fact fixed in that 16-years old codebase [1], so
> evidently Evince's import is even older!
>
> 0: https://sourceforge.net/projects/mdvi/
> 1: http://mdvi.cvs.sourceforge.net/viewvc/mdvi/mdvi/lib/fontmap.c?view=annotate
>    The bad prototype was fixed, the code for the bad pointer type is
>    disabled.
>
> In the Git log I see that Evince has fixed a few vulnerabilities (last one in
> 2011); I wonder if this is why nobody has attempted to merge the two yet...

I looked for the upstream, but couldn't find it. If you want to give a try to reconciling those two, that would be great!

> > You should investigate git-bz to attach patches, see
> > https://wiki.gnome.org/Git/WorkingWithPatches
> > Should make it easier to contribute multiple patches without too much manual
> > work :)
>
> Thanks for the heads up, I will take a look later. Sidenote: the script seems
> to be available only via insecure protocols. If it's commonly used by Gnome
> people it would be good if a known-good mirror could be set up on something
> less trivially MITM'able.

It's also in git, and in plenty of mirrors on GitHub if you're worried.

comment #7:
>> Note: Prompted by your mention in the other report that libgd is a separate
>> project, I went looking for an upstream "mdvi-lib". I found this [0], which
>> apparently hasn't been updated in 16 years. Given that, it's questionable
>> whether it should be considered an upstream or not, but the interesting thing
>> is that these 2 bugs are in fact fixed in that 16-years old codebase [1], so
>> evidently Evince's import is even older!
>>
>> 0: https://sourceforge.net/projects/mdvi/
>> 1: http://mdvi.cvs.sourceforge.net/viewvc/mdvi/mdvi/lib/fontmap.c?view=annotate
>>    The bad prototype was fixed, the code for the bad pointer type is
>>    disabled.
>>
>> In the Git log I see that Evince has fixed a few vulnerabilities (last one in
>> 2011); I wonder if this is why nobody has attempted to merge the two yet...
>
>I looked for the upstream, but couldn't find it. If you want to give a
>try to reconciling those two, that would be great!

So I took a closer look and now I see that those changes I mentioned are only in the project's CVS repository, and apparently haven't been released. The last tarball release on that site seems to be much closer to what evince is based on. So I take back my statement about the relative age of Evince's import.

Given that it's unreleased code and that I know nothing about DVI, I will pass.

---

Off-topic:

>>> You should investigate git-bz to attach patches, see
>>> https://wiki.gnome.org/Git/WorkingWithPatches
>>> Should make it easier to contribute multiple patches without too much manual
>>> work :)
>>
>> Thanks for the heads up, I will take a look later. Sidenote: the script seems
>> to be available only via insecure protocols. If it's commonly used by Gnome
>> people it would be good if a known-good mirror could be set up on something
>> less trivially MITM'able.
>
> It's also in git, and in plenty of mirrors on GitHub if you're worried.

"git://" is an insecure protocol. I suppose you meant that one could take the HEAD hash in the "git://" upstream and compare it to the HEAD hash of some "https://" github mirror, but...

> and in plenty of mirrors on GitHub if you're worried.

Maybe my search-fu is weak today but I can't find a single one. There are plenty of derivatives, though. The closest one is this [0], 2 commits behind. Close enough for me.

0: https://github.com/ari3s/git-bz/commits/master

Still, it should be on gnome infrastructure. Though I guess Gnome concerns are probably focused elsewhere given that *the whole fscking jhbuild checkout* is (by default and unless you are careful) over an insecure channel.

Thanks.

Attachment 355999 pushed as 12fa68e - mdvi-lib: Fix compilation warning (bad prototype)
Attachment 356000 pushed as e3dccc1 - mdvi-lib: Fix compilation warning (const-correctness)