render: avoid overflow on BorderStyle=4 img allocation #27

Workflow file for this run

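# CI workflow: builds the library across a compiler/OS matrix (native runners,
# two Docker images, MSYS2), runs the test suite with sanitizers where they are
# available, and submits one clang build to Coverity Scan.
name: GitHub CI

on:
  push:
    branches: [master, ci, coverity_scan]
  pull_request:

# Least privilege: no step below writes to the repository, so the job token
# only needs read access to contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ${{ matrix.os }}
    name: build(${{ matrix.msystem || matrix.docker_image || matrix.os }},
      ${{ matrix.cc }}${{ matrix.api && ', ' }}${{ matrix.api }})
    strategy:
      fail-fast: false
      matrix:
        include:
          # The 'yes' flags are quoted so that every YAML loader reads them as
          # the string the `== 'yes'` comparisons below expect, not a boolean.
          # Enable distcheck for one build
          - os: ubuntu-latest
            cc: gcc
            do_distc: 'yes'
          # Run Coverity on a clang build; Coverity's gcc causes issues
          - os: ubuntu-latest
            cc: clang
            do_coverity: 'yes'
          # Add a tcc build
          - os: ubuntu-latest
            cc: tcc
            ld: tcc
          # Add docker-build on Alpine
          # NOTE(review): `alpine:latest` is a mutable tag; pinning the image
          # by digest would make this build reproducible.
          - os: ubuntu-latest
            cc: gcc
            docker_image: alpine:latest
            shell: '/tmp/docker_shell {0}'
            art_reg_skip: 'font_nonunicode'
          # Add docker-build with minimum version of dependencies
          # NOTE(review): this image comes from a registry namespace outside
          # the project organisation and is pulled without a digest.
          - os: ubuntu-latest
            cc: gcc
            docker_image: oldlibs
            docker_pullprefix: 'ghcr.io/theoneric/libass-containers/'
            shell: '/tmp/docker_shell {0}'
            # Crash Tests detect (false?) leaks in Fontconfig, and
            # various regression tests fail, assumed due to older deps
            skip_tests: 'yes'
          # MacOS build
          - os: macos-latest
            cc: clang
          # Add a Windows build (MinGW-gcc via MSYS2) with no extras
          - os: windows-2019
            msystem: MINGW32
            cc: gcc
            api: desktop
            shell: 'msys2 {0}'
          # Add a best-effort build for UWP apps for Microsoft Store
          - os: windows-2019
            msystem: UCRT64
            cc: gcc
            api: app
            extra_cflags: -DWINAPI_FAMILY=WINAPI_FAMILY_APP -specs=/tmp/windowsapp.specs
            shell: 'msys2 {0}'
    defaults:
      run:
        shell: ${{ matrix.shell || 'bash' }}
    env:
      ART_SAMPLES: ext_art-samples
    steps:
      # NOTE(review): the actions below are referenced by mutable tag (@v3,
      # @v2); pinning each to a full commit SHA makes the reference immutable.
      - name: checkout code
        uses: actions/checkout@v3
        with:
          # The work directory is later bind-mounted into a container, and no
          # step pushes, so do not leave the job token in .git/config.
          persist-credentials: false

      - name: download test samples
        uses: actions/checkout@v3
        with:
          repository: libass/libass-tests
          path: ${{ env.ART_SAMPLES }}
          persist-credentials: false

      - name: Start Docker
        if: matrix.docker_image
        shell: bash
        run: |
          # Note: Many containers default to the root user
          docker pull "${{ matrix.docker_pullprefix }}${{ matrix.docker_image }}"
          # The runner's whole work directory is mounted read-write, so
          # anything running in the container can modify the checkout.
          docker create --name dockerciimage \
              -v "/home/runner/work:/home/runner/work" --workdir "$PWD" \
              --entrypoint "tail" \
              "${{ matrix.docker_pullprefix }}${{ matrix.docker_image }}" \
              "-f" "/dev/null"
          docker start dockerciimage
          # Create a proxy-shell for Docker containers
          # Scripts for each step and the output file are inside the mounted
          # directories, but some environment variables must be forwarded.
          echo '#!/bin/sh
          set -eu
          if [ "$#" -ne 1 ] ; then
              echo "Usage: $0 <script file>"
              exit 1
          fi
          exec /usr/bin/docker exec \
              --env GITHUB_OUTPUT --env GITHUB_ENV --env GITHUB_PATH --env GITHUB_STATE \
              dockerciimage sh -e "$1"
          ' > /tmp/docker_shell
          chmod a+x /tmp/docker_shell

      - name: Setup MSys2
        uses: msys2/setup-msys2@v2
        if: matrix.msystem
        with:
          msystem: ${{ matrix.msystem }}
          update: false

      - name: install deps
        run: |
          # The ${{ matrix.* }} values expanded into this script all come from
          # the static matrix above, not from event data.
          case "${{ matrix.docker_image || matrix.os }}" in
              macos-*)
                  #brew update
                  brew install autoconf automake libtool nasm pkg-config \
                      harfbuzz freetype fribidi fontconfig
                  ;;
              windows-*)
                  pre="$MINGW_PACKAGE_PREFIX"
                  pacman --noconfirm -S \
                      automake autoconf libtool nasm make \
                      $pre-pkg-config $pre-gcc \
                      $pre-fribidi $pre-freetype $pre-harfbuzz $pre-fontconfig \
                      $pre-libpng
                  ;;
              alpine:*)
                  apk add nasm ${{ matrix.cc }} musl-dev \
                      make automake autoconf libtool pkgconf \
                      fontconfig-dev freetype-dev fribidi-dev harfbuzz-dev \
                      libpng-dev
                  ;;
              oldlibs)
                  : # Everything is preinstalled
                  ;;
              *)
                  sudo apt-get update #&& sudo apt-get upgrade
                  # Pick the highest-numbered sanitizer runtime packages offered
                  ubver="$(apt-cache search libubsan | awk '/^libubsan[0-9]* / {print substr($1, 9)}' | sort -rn | head -n1)"
                  asver="$(apt-cache search libasan | awk '/^libasan[0-9]* / {print substr($1, 8)}' | sort -rn | head -n1)"
                  sudo apt-get install -y --no-install-recommends \
                      autoconf automake make libtool \
                      libfontconfig1-dev libfreetype6-dev libfribidi-dev \
                      libharfbuzz-dev nasm ${{ matrix.cc }} \
                      libpng-dev libubsan"$ubver" libasan"$asver"
                  ;;
          esac

      - name: Determine Sanitizer Flags
        id: sanitizer
        run: |
          aflags="-fsanitize=address"
          uflags="-fsanitize=undefined -fsanitize=float-cast-overflow"
          if [ "${{ startsWith(matrix.cc, 'clang') }}" = "true" ] ; then
              # Clang's UBSAN exits with code zero even if issues were found.
              # This option instead forces a SIGILL, at the cost of no report
              # being printed; see https://reviews.llvm.org/D35085
              uflags="$uflags -fsanitize-undefined-trap-on-error"
          fi
          # UBSAN: Alpine and MSys2 don't ship the UBSAN library,
          #        but when SIGILL'ing the lib is not needed
          # ASAN:  Not supported with musl and in Windows
          case "${{ matrix.docker_image || matrix.os }}" in
              alpine*|windows-*)
                  flags="$uflags -fsanitize-undefined-trap-on-error" ;;
              *)
                  flags="$aflags $uflags" ;;
          esac
          if [ -n "$flags" ] ; then
              flags="$flags -fno-sanitize-recover=all"
          fi
          # tcc builds and builds that skip the tests get no sanitizers at all
          if [ "${{ matrix.cc }}" = "tcc" ] || [ "${{ matrix.skip_tests }}" = "yes" ] ; then
              flags=""
          fi
          echo "SANFLAGS=$flags"
          echo "flags=${flags}" >> "$GITHUB_OUTPUT"

      - name: Customize compiler
        if: matrix.api == 'app' && matrix.cc == 'gcc'
        # Folded scalar: the lines below are joined into one command line
        run: >
          gcc -dumpspecs
          | sed 's/-lmsvcrt/-lucrtapp/g; s/-lkernel32/-lwindowsapp/g;
          s/-ladvapi32//g; s/-lshell32//g; s/-luser32//g'
          > /tmp/windowsapp.specs

      - name: configure
        run: |
          # Continuation lines stay at the left margin of the script so that
          # no stray whitespace ends up inside the quoted CC value.
          export CC="${{ matrix.cc }}\
          ${{ matrix.extra_cflags && ' ' }}${{ matrix.extra_cflags }}\
          ${{ steps.sanitizer.outputs.flags && ' ' }}${{ steps.sanitizer.outputs.flags }}"
          export LD="${{ matrix.ld }}"
          export ART_SAMPLES="${{ env.ART_SAMPLES }}"
          ./autogen.sh
          ./configure --enable-compare --enable-fuzz

      - name: distcheck
        if: matrix.do_distc == 'yes'
        run: make -j 2 distcheck

      - name: compile
        run: make -j 2

      - name: ensure internal functions are namespaced
        if: startsWith(matrix.os, 'ubuntu-')
        run: |
          test -f libass/.libs/libass.a || (echo "Static lib is missing!"; exit 1)
          # grep's exit status is inspected by hand below, so errexit is off
          set +e
          list="$(nm libass/.libs/libass.a | grep ' T ' | grep -v ' ass_')"
          case "$?" in
              1)
                  : # All good
                  ;;
              0)
                  echo "There are non-namespaced functions! Prefix them with 'ass_'."
                  echo "$list"
                  exit 1
                  ;;
              *)
                  echo "Internal grep error occured!"
                  echo "$list"
                  exit 2
                  ;;
          esac

      - name: run tests
        if: matrix.skip_tests != 'yes'
        run: |
          ART_REG_SKIP="${{ matrix.art_reg_skip }}" make -j 1 check

      - name: Coverity scan
        # The secret is only exposed on non-PR runs inside the main repository
        if: >
          matrix.do_coverity == 'yes'
          && github.repository == 'libass/libass'
          && github.event_name != 'pull_request'
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
          PROJECT_NAME: libass/libass
          # Placeholder: the real address is obfuscated on the page this file
          # was taken from; substitute the project's notification address.
          NOTIFY_EMAIL: 'coverity-notify@example.invalid'
          TOOL_URL: https://scan.coverity.com/download/
          UPLOAD_URL: https://scan.coverity.com/builds?project=libass%2Flibass
          SCAN_URL: https://scan.coverity.com
          RES_DIR: cov-int
        run: |
          exit_code=0
          echo "Running Coverity ..."
          # Remove previous build output
          make clean
          # The upstream script is borked and always exits with 1 even on success
          # To get meaningful success/error status we're using our own script
          # but we still want to be informed about upstream script changes
          if curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh \
                  | shasum -a 256 \
                  | grep -Eq '^234d71b4a5257a79559e66dd3ba5765576d2af4845da83af4975b77b14ab536b '
          then
              : remote unchanged
          else
              echo "Coverity's travis script changed!"
              exit_code=1
          fi
          # Check if we are within quota
          # GitHub runs bash steps with errexit, so a failing command
          # substitution would end the script before "$?" could be tested;
          # capture the status explicitly instead.
          quota_rc=0
          quota_res="$(curl -s --form project="$PROJECT_NAME" \
                            --form token="$COVERITY_SCAN_TOKEN" \
                            "$SCAN_URL"/api/upload_permitted)" || quota_rc=$?
          if [ "$quota_rc" -ne 0 ] || [ "x$quota_res" = "xAccess denied" ] ; then
              echo "Coverity denied access or did not respond!"
              exit 1
          elif echo "$quota_res" | grep -Eq 'upload_permitted": *true' ; then
              echo "Within Coverity quota."
          else
              echo "Exceeding Coverity quota! Try again later."
              echo "$quota_res" | grep -Eo 'next_upload_permitted_at":[^,}]*'
              exit 0
          fi
          # Download cov tool and make it available
          # NOTE(review): the archive is unpacked and its binaries are run
          # without any integrity check, and the token is passed as a
          # command-line argument, where it is visible in the process list.
          wget -nv "$TOOL_URL""$(uname)" \
              --post-data "project=$PROJECT_NAME&token=$COVERITY_SCAN_TOKEN" \
              -O cov-analysis-tool.tar.gz
          mkdir cov-analysis-tool
          tar xzf cov-analysis-tool.tar.gz --strip 1 -C cov-analysis-tool
          export PATH="$(pwd)/cov-analysis-tool/bin:$PATH"
          # Coverity Build
          echo "Starting Coverity build..."
          #mkdir "$RES_DIR" # already done by cov-build
          COVERITY_UNSUPPORTED=1 cov-build --dir "$RES_DIR" make -j 2
          cov-import-scm --dir "$RES_DIR" --scm git --log "$RES_DIR/scm_log.txt" 2>&1
          # Submit results to Coverity's server
          tar czf libass.tar.gz "$RES_DIR"
          # The project field must expand $PROJECT_NAME, and the archive built
          # above is attached as the multipart "file" field.
          up_rc=0
          upstat="$(curl --silent --write-out "\n%{http_code}\n" \
                         --form project="$PROJECT_NAME" \
                         --form token="$COVERITY_SCAN_TOKEN" \
                         --form email="$NOTIFY_EMAIL" \
                         --form file=@libass.tar.gz \
                         --form version="${{ github.sha }}" \
                         --form description="GitHubActions CI build" \
                         "$UPLOAD_URL")" || up_rc=$?
          if [ "$up_rc" -ne 0 ] ; then
              echo "Upload failed (curl error)"
              exit_code=1
          elif echo "$upstat" | tail -n 1 | grep -Eq '^2[0-9]{2}$' ; then
              echo "Upload successful."
          else
              echo "Upload failed (server error)"
              exit_code=1
          fi
          echo "$upstat" | head
          exit $exit_code

      - name: Stop Docker
        if: matrix.docker_image
        shell: bash
        run: |
          docker rm --force dockerciimage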