From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/libaom/, media-libs/libaom/files/
Date: Wed,  4 Oct 2023 18:08:11 +0000 (UTC)	[thread overview]
Message-ID: <1696442855.63986f124e96f45645258e7934f201d71199d922.sam@gentoo> (raw)

commit:     63986f124e96f45645258e7934f201d71199d922
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Oct  4 18:07:35 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Oct  4 18:07:35 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63986f12

media-libs/libaom: allow _FORTIFY_SOURCE

We've had several high-profile vulnerabilities in codecs recently, and all
tests pass with this. Enable this rather useful mitigation.

Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/libaom-3.7.0-allow-fortify-source.patch  |  13 +++
 media-libs/libaom/libaom-3.7.0-r1.ebuild           | 127 +++++++++++++++++++++
 2 files changed, 140 insertions(+)

diff --git a/media-libs/libaom/files/libaom-3.7.0-allow-fortify-source.patch b/media-libs/libaom/files/libaom-3.7.0-allow-fortify-source.patch
new file mode 100644
index 000000000000..7c7697fc5dfa
--- /dev/null
+++ b/media-libs/libaom/files/libaom-3.7.0-allow-fortify-source.patch
@@ -0,0 +1,13 @@
+Fortification is an important security feature.
+--- a/build/cmake/aom_configure.cmake
++++ b/build/cmake/aom_configure.cmake
+@@ -389,9 +389,6 @@ else()
+     add_compiler_flag_if_supported("-Werror")
+   endif()
+ 
+-  if(build_type_lowercase MATCHES "rel")
+-    add_compiler_flag_if_supported("-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0")
+-  endif()
+   add_compiler_flag_if_supported("-D_LARGEFILE_SOURCE")
+   add_compiler_flag_if_supported("-D_FILE_OFFSET_BITS=64")
+ endif()
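Review bot: The header of the new patch file (its first added line) says only that fortification is important; it does not record why upstream forces `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0` for "rel" build types or whether the removal has been sent upstream. Whoever rebases this on the next version bump needs that context, so I would add header lines such as `Upstream disables _FORTIFY_SOURCE for release builds; drop the override so the toolchain/CPPFLAGS setting applies.` and `Upstream-Status: <PLACEHOLDER: link or "not submitted">`. It is also worth stating there that the patch only stops the build from undefining the macro. The effective level still comes from the compiler default or the user's flags, and fortification does nothing in a build without optimisation, so a passing test suite under one toolchain configuration does not prove the checks are active everywhere.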

diff --git a/media-libs/libaom/libaom-3.7.0-r1.ebuild b/media-libs/libaom/libaom-3.7.0-r1.ebuild
new file mode 100644
index 000000000000..d8ce8c479ebe
--- /dev/null
+++ b/media-libs/libaom/libaom-3.7.0-r1.ebuild
@@ -0,0 +1,127 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..11} )
+inherit cmake-multilib python-any-r1
+
+if [[ ${PV} == *9999* ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://aomedia.googlesource.com/aom"
+else
+	# To update test data tarball, follow these steps:
+	# 1.  Clone the upstream repo and check out the relevant tag,
+	#	  or download the release tarball
+	# 2.  Regular cmake configure (options don't matter here):
+	#     cd build && cmake ..
+	# 3.  Set LIBAOM_TEST_DATA_PATH to the directory you want and
+	#     run the "make testdata" target:
+	#     LIBAOM_TEST_DATA_PATH=../libaom-3.7.0-testdata make testdata
+	#     This will download the test data from the internet.
+	# 4.  Create a tarball out of that directory.
+	#     cd .. && tar cvaf libaom-3.7.0-testdata.tar.xz libaom-3.7.0-testdata
+	SRC_URI="
+		https://storage.googleapis.com/aom-releases/${P}.tar.gz
+		test? ( https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-testdata.tar.xz )
+	"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+DESCRIPTION="Alliance for Open Media AV1 Codec SDK"
+HOMEPAGE="https://aomedia.org https://aomedia.googlesource.com/aom/"
+
+LICENSE="BSD-2"
+SLOT="0/3"
+IUSE="doc +examples test"
+IUSE="${IUSE} cpu_flags_x86_mmx cpu_flags_x86_sse cpu_flags_x86_sse2 cpu_flags_x86_sse3 cpu_flags_x86_ssse3"
+IUSE="${IUSE} cpu_flags_x86_sse4_1 cpu_flags_x86_sse4_2 cpu_flags_x86_avx cpu_flags_x86_avx2"
+IUSE="${IUSE} cpu_flags_arm_neon"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+	cpu_flags_x86_sse2? ( cpu_flags_x86_mmx )
+	cpu_flags_x86_ssse3? ( cpu_flags_x86_sse2 )
+"
+
+BDEPEND="${PYTHON_DEPS}
+	dev-lang/perl
+	abi_x86_32? ( dev-lang/yasm )
+	abi_x86_64? ( dev-lang/yasm )
+	abi_x86_x32? ( dev-lang/yasm )
+	doc? ( app-doc/doxygen )
+"
+
+# The PATENTS file is required to be distributed with this package, bug #682214
+DOCS=( PATENTS )
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-3.4.0-posix-c-source-ftello.patch
+	"${FILESDIR}"/${PN}-3.7.0-allow-fortify-source.patch
+)
+
+multilib_src_configure() {
+	local mycmakeargs=(
+		-DENABLE_CCACHE=OFF
+		-DENABLE_DOCS=$(multilib_native_usex doc ON OFF)
+		-DENABLE_EXAMPLES=$(multilib_native_usex examples ON OFF)
+		-DENABLE_NASM=OFF
+		-DENABLE_TESTS=$(usex test)
+		-DENABLE_TOOLS=ON
+		-DENABLE_WERROR=OFF
+
+		# Needs libjxl, currently unpackaged.
+		-DCONFIG_TUNE_BUTTERAUGLI=0
+
+		# neon support is assumed to be always enabled on arm64
+		-DENABLE_NEON=$(usex cpu_flags_arm_neon ON $(usex arm64 ON OFF))
+		# ENABLE_DSPR2 / ENABLE_MSA for mips
+		-DENABLE_MMX=$(usex cpu_flags_x86_mmx ON OFF)
+		-DENABLE_SSE=$(usex cpu_flags_x86_sse ON OFF)
+		-DENABLE_SSE2=$(usex cpu_flags_x86_sse2 ON OFF)
+		-DENABLE_SSE3=$(usex cpu_flags_x86_sse3 ON OFF)
+		-DENABLE_SSSE3=$(usex cpu_flags_x86_ssse3 ON OFF)
+		-DENABLE_SSE4_1=$(usex cpu_flags_x86_sse4_1 ON OFF)
+		-DENABLE_SSE4_2=$(usex cpu_flags_x86_sse4_2 ON OFF)
+		-DENABLE_AVX=$(usex cpu_flags_x86_avx ON OFF)
+		-DENABLE_AVX2=$(usex cpu_flags_x86_avx2 ON OFF)
+	)
+
+	# For 32-bit multilib builds, force some intrinsics on to work around
+	# bug #816027. libaom seems to do runtime detection for some targets
+	# at least, so this isn't an issue.
+	if ! multilib_is_native_abi && use amd64 ; then
+		mycmakeargs+=(
+			-DENABLE_SSE3=ON
+			-DENABLE_SSSE3=ON
+		)
+	fi
+
+	# On ARM32-on-ARM64, things end up failing if NEON is off, bug #835456
+	# Just force generic, given it's a niche situation.
+	# TODO: could try forcing armv7 or similar?
+	if use arm && ! use cpu_flags_arm_neon && [[ $(uname -p) == "aarch64" ]] ; then
+		ewarn "Forcing generic for arm32-on-arm64 build (bug #835456)"
+		mycmakeargs+=(
+			-DAOM_TARGET_CPU=generic
+		)
+	fi
+
+	cmake_src_configure
+}
+
+multilib_src_test() {
+	LIBAOM_TEST_DATA_PATH="${WORKDIR}/${P}-testdata" "${BUILD_DIR}"/test_libaom || die
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi && use doc ; then
+		local HTML_DOCS=( "${BUILD_DIR}"/docs/html/. )
+	fi
+
+	cmake_src_install
+}
+
+multilib_src_install_all() {
+	find "${ED}" -type f \( -name "*.a" -o -name "*.la" \) -delete || die
+}
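Review bot: The arm32-on-arm64 check in `multilib_src_configure`, `[[ $(uname -p) == "aarch64" ]]`, relies on `uname -p`, which is not portable: an unpatched GNU coreutils commonly prints `unknown` on Linux. In that case the bug #835456 workaround is skipped without any message and the build fails later. `uname -m` reports the kernel machine type reliably, so the line could read `if use arm && ! use cpu_flags_arm_neon && [[ $(uname -m) == "aarch64" ]] ; then`. Either form inspects the machine running the build rather than the target, which looks intended here but deserves a short comment beside the existing TODO.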

