From 7811434ee9fc4401bd02680a2860284410740dd0 Mon Sep 17 00:00:00 2001
From: BtbN <btbn@btbn.de>
Date: Sat, 5 Sep 2020 23:58:44 +0200
Subject: [PATCH] Fortify build

---
 images/base-win64/Dockerfile                 | 7 ++++---
 scripts.d/{25-libiconv.sh => 20-libiconv.sh} | 0
 scripts.d/25-openssl.sh                      | 2 +-
 scripts.d/50-libopus.sh                      | 1 +
 4 files changed, 6 insertions(+), 4 deletions(-)
 rename scripts.d/{25-libiconv.sh => 20-libiconv.sh} (100%)

diff --git a/images/base-win64/Dockerfile b/images/base-win64/Dockerfile
index b8d6b3e..ceee66c 100644
--- a/images/base-win64/Dockerfile
+++ b/images/base-win64/Dockerfile
@@ -7,6 +7,7 @@ RUN \
     apt-get -y clean && \
     rm /usr/lib/gcc/*-w64-mingw32/*/libstdc++*.dll* && \
     rm /usr/lib/gcc/*-w64-mingw32/*/libgcc_s* && \
+    rm /usr/lib/gcc/*-w64-mingw32/*/*.dll.a && \
     rm /usr/*-w64-mingw32/lib/*.dll.a && \
     mkdir /opt/ffbuild
 
@@ -18,6 +19,6 @@ ENV FFBUILD_TARGET_FLAGS="--pkg-config=pkg-config --cross-prefix=x86_64-w64-ming
     FFBUILD_PREFIX=/opt/ffbuild \
     FFBUILD_CMAKE_TOOLCHAIN=/toolchain.cmake \
     PKG_CONFIG_LIBDIR=/opt/ffbuild/lib/pkgconfig \
-    CFLAGS="-static-libgcc -static-libstdc++ -I/opt/ffbuild/include" \
-    CXXFLAGS="-static-libgcc -static-libstdc++ -I/opt/ffbuild/include" \
-    LDFLAGS="-static-libgcc -static-libstdc++ -L/opt/ffbuild/lib"
+    CFLAGS="-static-libgcc -static-libstdc++ -I/opt/ffbuild/include -O2 -pipe -D_FORTIFY_SOURCE=2 -fstack-protector-strong" \
+    CXXFLAGS="-static-libgcc -static-libstdc++ -I/opt/ffbuild/include -O2 -pipe -D_FORTIFY_SOURCE=2 -fstack-protector-strong" \
+    LDFLAGS="-static-libgcc -static-libstdc++ -L/opt/ffbuild/lib -O2 -pipe -fstack-protector-strong"
diff --git a/scripts.d/25-libiconv.sh b/scripts.d/20-libiconv.sh
similarity index 100%
rename from scripts.d/25-libiconv.sh
rename to scripts.d/20-libiconv.sh
diff --git a/scripts.d/25-openssl.sh b/scripts.d/25-openssl.sh
index 26cd27b..30e5c14 100755
--- a/scripts.d/25-openssl.sh
+++ b/scripts.d/25-openssl.sh
@@ -38,7 +38,7 @@ ffbuild_dockerbuild() {
 
     ./Configure "${myconf[@]}" || return -1
 
-    sed -i -e "/^CFLAGS=/s|=.*|=${CFLAGS} -O2|" -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" Makefile || return -1
+    sed -i -e "/^CFLAGS=/s|=.*|=${CFLAGS}|" -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" Makefile || return -1
 
     make -j$(nproc) || return -1
     make install_sw || return -1
diff --git a/scripts.d/50-libopus.sh b/scripts.d/50-libopus.sh
index b4439a4..e94572d 100755
--- a/scripts.d/50-libopus.sh
+++ b/scripts.d/50-libopus.sh
@@ -22,6 +22,7 @@ ffbuild_dockerbuild() {
         --prefix="$FFBUILD_PREFIX"
         --disable-shared
         --enable-static
+        --disable-extra-programs
     )
 
     if [[ $TARGET == win* ]]; then