Skip to content

Enable BufferSecurityCheck for native DLLs to resolve BinSkim BA2007#3404

Merged
mattleibow merged 2 commits intomainfrom
fix/binskim-ba2007-buffer-security-check
Nov 4, 2025
Merged

Enable BufferSecurityCheck for native DLLs to resolve BinSkim BA2007#3404
mattleibow merged 2 commits intomainfrom
fix/binskim-ba2007-buffer-security-check

Conversation

@Aguilex
Copy link
Contributor

@Aguilex Aguilex commented Nov 4, 2025

This change enables the /GS (Buffer Security Check) compiler flag for three native libraries to resolve BinSkim error BA2007:

  • libHarfBuzzSharp.dll: Added BufferSecurityCheck=true to all configurations in the vcxproj file, including creating the missing Debug|ARM64 ItemDefinitionGroup
  • libEGL.dll and libGLESv2.dll: Added /GS flag to extra_cflags in the ANGLE GN build configuration

The /GS flag enables compile-time buffer overrun detection, which is an important security feature that helps prevent stack-based buffer overflow attacks.

Why

The /GS flag enables compile-time buffer overrun detection, which is an important security feature that helps prevent stack-based buffer overflow attacks. This resolves the BinSkim BA2007 security compliance error.

Testing

After rebuilding the native libraries with these changes, they should pass BinSkim analysis for the BA2007 check.

Bugs Fixed

  • Fixes ~20 BinSkim bugs in AzDO.

API Changes

None.

Behavioral Changes

None.

Required skia PR

None.

PR Checklist

  • Has tests (if omitted, state reason in description)
  • Rebased on top of main at time of PR
  • Merged related skia PRs
  • Changes adhere to coding standard
  • Updated documentation

@Aguilex
Enable BufferSecurityCheck for native DLLs to resolve BinSkim BA2007
8d40ea4 
This change enables the /GS (Buffer Security Check) compiler flag for three native libraries to resolve BinSkim error BA2007:

- libHarfBuzzSharp.dll: Added BufferSecurityCheck=true to all configurations in the vcxproj file, including creating the missing Debug|ARM64 ItemDefinitionGroup
- libEGL.dll and libGLESv2.dll: Added /GS flag to extra_cflags in the ANGLE GN build configuration

The /GS flag enables compile-time buffer overrun detection, which is an important security feature that helps prevent stack-based buffer overflow attacks.
@github-actions
Copy link

github-actions bot commented Nov 4, 2025

Triage Summary

Labels will be applied to indicate the affected areas related to security compliance in libHarfBuzzSharp and the platforms involved (Windows Classic and Windows UWP).

This issue does not appear to be a regression, as there are no mentions of compatibility issues with previous versions or performance degradation.

Detailed Summary and Actions

Summary of the triage:

  • The issue pertains to enabling a compiler flag for the native DLL related to libHarfBuzzSharp, addressing a security compliance error.
  • It affects applications running on Microsoft Windows using Win32 APIs and also impacts Universal Windows Platform (UWP) applications.
  • The focus is primarily on security and compliance; however, the available labels pertain to performance, compatibility, and reliability, which are not directly aligned with the issue's primary concern.

Summary of the actions that will be performed:

Action Item Description
Apply Label area/libHarfBuzzSharp.native The issue pertains to enabling a compiler flag for the native DLL related to 'libHarfBuzzSharp'.
Apply Label os/Windows-Classic The issue involves native DLLs relevant for applications running on Microsoft Windows using Win32 APIs.
Apply Label os/Windows-Universal-UWP The change affects UWP applications on Windows due to the enablement of a compiler flag for native libraries.

Additional remarks:

  • The focus on security and compliance regarding buffer overrun detection does not directly align with the available labels related to performance and compatibility.
  • There were no significant concerns raised about compatibility with previous versions or any performance issues reported.

This entire triage process was automated by AI and mistakes may have been made. Please let us know so we can continue to improve.

@github-actions github-actions bot added area/libHarfBuzzSharp.native os/Windows-Classic Issues running on Microsoft Windows using Win32 APIs (Windows.Forms or WPF) os/Windows-Universal-UWP labels Nov 4, 2025
@Aguilex Aguilex requested a review from mattleibow November 4, 2025 14:49
mattleibow
mattleibow reviewed Nov 4, 2025
View reviewed changes
Copilot AI mentioned this pull request Nov 4, 2025
Merged
Copy link
Contributor

Copilot AI commented Nov 4, 2025

@mattleibow I've opened a new pull request, #3405, to work on those changes. Once the pull request is ready, I'll request review from you.

@mattleibow
Merge duplicate Debug|Win32 ItemDefinitionGroup in libHarfBuzzSharp.v…
5b6911a 
…cxproj (#3405)

* Initial plan

* Merge duplicate Debug|Win32 sections in libHarfBuzzSharp.vcxproj

Co-authored-by: mattleibow <1096616+mattleibow@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mattleibow <1096616+mattleibow@users.noreply.github.com>
@mattleibow mattleibow merged commit e62d083 into main Nov 4, 2025
1 of 2 checks passed
@mattleibow mattleibow deleted the fix/binskim-ba2007-buffer-security-check branch November 4, 2025 17:19
@mattleibow mattleibow mentioned this pull request Feb 10, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattleibow mattleibow mattleibow approved these changes

Assignees

No one assigned

Labels

area/libHarfBuzzSharp.native os/Windows-Classic Issues running on Microsoft Windows using Win32 APIs (Windows.Forms or WPF) os/Windows-Universal-UWP

Projects

SkiaSharp Backlog
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Aguilex @mattleibow