Enable BufferSecurityCheck for native DLLs to resolve BinSkim BA2007 (#3404)

Aguilex · Copilot · mattleibow · web-flow · commit e62d08388b86 · 2025-11-04T19:19:38.000+02:00
* Enable BufferSecurityCheck for native DLLs to resolve BinSkim BA2007 This change enables the /GS (Buffer Security Check) compiler flag for three native libraries to resolve BinSkim error BA2007: - libHarfBuzzSharp.dll: Added BufferSecurityCheck=true to all configurations in the vcxproj file, including creating the missing Debug|ARM64 ItemDefinitionGroup - libEGL.dll and libGLESv2.dll: Added /GS flag to extra_cflags in the ANGLE GN build configuration The /GS flag enables compile-time buffer overrun detection, which is an important security feature that helps prevent stack-based buffer overflow attacks. * Merge duplicate Debug|Win32 ItemDefinitionGroup in libHarfBuzzSharp.vcxproj (#3405) * Initial plan * Merge duplicate Debug|Win32 sections in libHarfBuzzSharp.vcxproj Co-authored-by: mattleibow <1096616+mattleibow@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: mattleibow <1096616+mattleibow@users.noreply.github.com> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: mattleibow <1096616+mattleibow@users.noreply.github.com>
diff --git a/native/windows/libHarfBuzzSharp/libHarfBuzzSharp.vcxproj b/native/windows/libHarfBuzzSharp/libHarfBuzzSharp.vcxproj
@@ -146,6 +146,7 @@
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
       <ObjectFileName>$(IntDir)</ObjectFileName>
       <ControlFlowGuard>Guard</ControlFlowGuard>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -164,6 +165,7 @@
       <DisableSpecificWarnings>4267;4244</DisableSpecificWarnings>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
       <ControlFlowGuard>Guard</ControlFlowGuard>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -182,6 +184,7 @@
       <DisableSpecificWarnings>4267;4244</DisableSpecificWarnings>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
       <ControlFlowGuard>Guard</ControlFlowGuard>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -202,6 +205,7 @@
       <DisableSpecificWarnings>4267;4244</DisableSpecificWarnings>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <ControlFlowGuard>Guard</ControlFlowGuard>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -224,6 +228,7 @@
       <DisableSpecificWarnings>4267;4244</DisableSpecificWarnings>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <ControlFlowGuard>Guard</ControlFlowGuard>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -246,6 +251,7 @@
       <DisableSpecificWarnings>4267;4244</DisableSpecificWarnings>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <ControlFlowGuard>Guard</ControlFlowGuard>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
diff --git a/native/winui-angle/build.cake b/native/winui-angle/build.cake
@@ -123,7 +123,7 @@ Task("ANGLE")
                 $"angle_enable_wgpu=false " +
                 $"angle_enable_gl_desktop_backend=false " +
                 $"angle_enable_vulkan=false " +
-                $"extra_cflags=[ '/guard:cf' ] " +
+                $"extra_cflags=[ '/guard:cf', '/GS' ] " +
                 $"extra_ldflags=[ '/guard:cf' ]");
 
             RunNinja(ANGLE_PATH, $"out/winui{suffix}/{arch}", target);
