winrtinstaller: added patch file to be used when building nsis

diff --git a/windowsRuntimeInstaller/NSIS_Security.patch b/windowsRuntimeInstaller/NSIS_Security.patch
new file mode 100644 (file)
index 0000000..87bf7e6
--- /dev/null
+++ b/windowsRuntimeInstaller/NSIS_Security.patch
@@ -0,0 +1,47 @@
+diff --git a/nsis-3.0b3-src/SCons/Config/ms b/nsis-3.0b3-src/SCons/Config/ms
+index 32d3d33..d2c4d25 100644
+--- a/nsis-3.0b3-src/SCons/Config/ms
++++ b/nsis-3.0b3-src/SCons/Config/ms
+@@ -16,7 +16,7 @@ def entry(x,u):
+ 
+ defenv['ENTRY_FLAG'] = entry
+ defenv['MAP_FLAG'] = '/map'
+-defenv['NODEFLIBS_FLAG'] = '/NODEFAULTLIB'
++#defenv['NODEFLIBS_FLAG'] = '/NODEFAULTLIB'
+ defenv['C_FLAG'] = '/TC'
+ defenv['CPP_FLAG'] = '/TP'
+ defenv['CPP_REQUIRES_STDLIB'] = 0
+@@ -29,7 +29,7 @@ defenv['STDCALL'] = '__stdcall'
+ msvs_version = float(defenv['MSVS_VERSION'].replace('Exp',''))
+ if msvs_version >= 8.0:
+       defenv['EXCEPTION_FLAG'] = '/EHsc'
+-      defenv.Append(CCFLAGS = ['/GS-'])
++      defenv.Append(CCFLAGS = ['/GS'])
+       defenv.Append(CPPDEFINES = ['_CRT_SECURE_NO_WARNINGS', '_CRT_NONSTDC_NO_WARNINGS', '_CRT_SECURE_NO_DEPRECATE', '_CRT_NON_CONFORMING_SWPRINTFS'])
+       defenv['MSVCRT_FLAG'] = '/MT' # Avoid msvcr?0.dll dependency
+ else:
+@@ -143,9 +143,9 @@ stub_env.Append(CCFLAGS = ['/Fa${TARGET}.lst'])    # listing file name
+ stub_env.Append(LINKFLAGS = ['$NODEFLIBS_FLAG'])   # no default libraries
+ stub_env.Append(LINKFLAGS = ['$MAP_FLAG'])         # generate map file
+ 
+-if msvs_version >= 10.0:
+-      # no relocations that our resource editor ignores
+-      stub_env.Append(LINKFLAGS = ['/FIXED'])
++#if msvs_version >= 10.0:
++#     # no relocations that our resource editor ignores
++#     stub_env.Append(LINKFLAGS = ['/FIXED'])
+ 
+ stub_uenv = stub_env.Clone()
+ stub_uenv.Append(CPPDEFINES = ['_UNICODE', 'UNICODE'])
+diff --git a/nsis-3.0b3-src/Source/exehead/Main.c b/nsis-3.0b3-src/Source/exehead/Main.c
+index eb231e7..e4642ce 100644
+--- a/nsis-3.0b3-src/Source/exehead/Main.c
++++ b/nsis-3.0b3-src/Source/exehead/Main.c
+@@ -84,6 +84,7 @@ void *g_SHGetFolderPath;
+ NSIS_ENTRYPOINT_GUINOCRT
+ EXTERN_C void NSISWinMainNOCRT()
+ {
++  __security_init_cookie();
+   int ret = 0;
+   const TCHAR *m_Err = _LANG_ERRORWRITINGTEMP;
+ 

diff --git a/windowsRuntimeInstaller/README.txt b/windowsRuntimeInstaller/README.txt
index d9d48c8..02dce10 100644 (file)
--- a/windowsRuntimeInstaller/README.txt
+++ b/windowsRuntimeInstaller/README.txt
@@ -12,36 +12,35 @@ To build the Vulkan Runtime Installer:
 \r
    1a. Note that the NSIS binary version available at\r
        http://nsis.sourceforge.net/Download is not built with\r
-       NSIS_CONFIG_LOG=yes and NSIS_MAX_STRLEN=8192 set, so you may have\r
-       to build NSIS from source with these flags set.  The source for\r
-       NSIS 3.0.b3 is available from\r
+       NSIS_CONFIG_LOG=yes and NSIS_MAX_STRLEN=8192 set. Also, changes to need\r
+       to be made to NSIS to increase the security of the Runtime Installer.\r
+\r
+       The source for NSIS 3.0.b3 can be downloaded from\r
        https://sourceforge.net/projects/nsis/files/NSIS%203%20Pre-release/3.0b3/nsis-3.0b3-src.tar.bz2/download\r
 \r
        Instructions for building NSIS are available at\r
        http://nsis//sourceforge.net/Docs/AppendixG.html.\r
 \r
-       To increase the security of the Runtime Installer - specifically\r
-       enabling buffer overrun security checks and enabling address space\r
-       layout randomization (ASLR), these changes should be made to the NSIS source file\r
-       nsis-3.0b3-src/SCons/Config/ms:\r
+       The security changes to NSIS involve adding the /DYMANICBASE and /GS options\r
+       to the NSIS compile/link steps, so that the Runtime Installer and Uninstaller\r
+       are built with address space layout randomization and buffer overrun checks.\r
 \r
-           - comment out the line enabling the /FIXED linker option\r
-           - change the line that sets the /GS- compile option to instead set the /GS compile option\r
-           - comment out the line that sets the NODEFLIBS_FLAG to /NODEFAULTLIB\r
+       The security changes to NSIS can be made by applying the patch in the\r
+       NSIS_Security.patch file in this folder.\r
 \r
-       The command to build NSIS from source:\r
+       After you have applied the security patch, build NSIS with this command:\r
 \r
            scons SKIPUTILS="NSIS Menu","MakeLangId" UNICODE=yes \\r
                  ZLIB_W32=<path_to_zlib>\zlib-1.2.7-win32-x86 NSIS_MAX_STRLEN=8192 \\r
                  NSIS_CONFIG_LOG=yes NSIS_CONFIG_LOG_TIMESTAMP=yes \\r
                  APPEND_CCFLAGS="/DYNAMICBASE /Zi" APPEND_LINKFLAGS="/DYNAMICBASE \\r
                  /DEBUG /OPT:REF /OPT:ICF" SKIPDOC=all dist-zip\r
-       \r
+\r
        This will create a zip file in the nsis-3.0.b3-src directory.  Unpack\r
        the zip file anywhere on your system. The resulting tree will contain a\r
-       Plugins directory. Install the NSIS AccessControl plugin in this\r
-       directory. Add the Bin directory to your PATH enviroment variable so that\r
-       the CreateInstaller.sh script below will use your custom-built version of\r
+       Plugins directory. Install the NSIS AccessControl plugin in this directory.\r
+       Add the Bin directory to your PATH enviroment variable so that the\r
+       CreateInstaller.sh step below will use your custom-built version of\r
        NSIS.\r
 \r
        Before using NSIS and creating the installer, make sure that all shared\r