Use Intel Standard Compiler flags

CMake/external_fastdds.cmake

@@ -60,6 +60,11 @@ function(get_fastdds)
 
     add_library(dds INTERFACE)
     target_link_libraries( dds INTERFACE fastcdr fastrtps )
+    if (MSVC)
+        target_compile_options( dds INTERFACE "/W0" )
+    elseif (CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
+        target_compile_options( dds INTERFACE "-w" )
+    endif()
 
     add_definitions(-DBUILD_WITH_DDS)
 

CMake/external_libcurl.cmake

@@ -1,4 +1,7 @@
 if(CHECK_FOR_UPDATES)
+
+    string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove flags
+    string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
     include(ExternalProject)
     message(STATUS "Building libcurl enabled")
 
@@ -60,4 +63,6 @@ if(CHECK_FOR_UPDATES)
         endif()
     endif()
 
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}")
 endif() #CHECK_FOR_UPDATES

CMake/unix_config.cmake

@@ -47,6 +47,50 @@ macro(os_set_flags)
         set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pthread")
     endif()
 
+
+    if (CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
+        # Due to security reasons  we need to add the following flags for additional security:
+        # Debug & Release:
+        # -Wformat: Checks for format string vulnerabilities.
+        # -Wformat-security: Ensures format strings are not vulnerable to attacks.
+        # -fPIC: Generates position-independent code during the compilation phase.
+        # -fPIE: Generates position-independent executables during the compilation phase.
+        # -D_FORTIFY_SOURCE=2: Adds extra checks for buffer overflows.
+        # -fstack-protector: Adds stack protection to detect buffer overflows.
+
+        # Release only
+        # -Werror: Treats all warnings as errors.
+        # -Werror=format-security: Treats format security warnings as errors.
+        # -z noexecstack: Marks the stack as non-executable to prevent certain types of attacks.
+        # -Wl,-z,relro,-z,now: Enables read-only relocations and immediate binding for security.
+        # -fstack-protector-strong: Provides stronger stack protection than -fstack-protector.
+
+        # Linker flags
+        # -pie: Produces position-independent executables during the linking phase.
+
+        # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details
+
+        set(SECURITY_COMPILER_FLAGS "-Wformat -Wformat-security -fPIC -fstack-protector -Wno-error=stringop-overflow")
+
+        string(FIND "${CMAKE_CXX_FLAGS}" "-D_FORTIFY_SOURCE" _index)
+        if (${_index} EQUAL -1) # Define D_FORTIFY_SOURCE if undefined
+            set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} -D_FORTIFY_SOURCE=2")
+        endif()
+
+        if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+            message(STATUS "Configuring for Debug build")
+        else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS)
+            message(STATUS "Configuring for Release build")
+            set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} -Werror -z noexecstack -Wl,-z,relro,-z,now -fstack-protector-strong")
+        endif()
+
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+
+        set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} -pie")
+
+    endif()
+
     if(APPLE)
         set(FORCE_RSUSB_BACKEND ON)
     endif()

CMake/windows_config.cmake

@@ -40,6 +40,41 @@ macro(os_set_flags)
         set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /MP")
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /MP")
 
+        ###############
+        # Due to security reasons we need to add the following flags for additional security:
+        # Debug & Release:
+        # /Gy: Enables function-level linking to reduce executable size.
+        # /DYNAMICBASE: Enables Address Space Layout Randomization (ASLR) to improve security.
+        # /GS: Enables buffer security checks to prevent buffer overflows.
+
+        # Release only:
+        # /WX: Treats all warnings as errors.
+        # /sdl: Enables additional security checks.
+
+        # Release only linker flags:
+        # /LTCG (/GL): Enables Link Time Code Generation to improve performance.
+        # /NXCOMPAT: Enables Data Execution Prevention (DEP) to prevent code execution in data areas.	
+
+        # see https://readthedocs.intel.com/SecureCodingStandards/2023.Q2.0/compiler/c-cpp/ for more details
+
+        set(SECURITY_COMPILER_FLAGS "/Gy /DYNAMICBASE /GS /wd4101")
+
+        if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+            message(STATUS "Configuring for Debug build")
+        else() # Release, RelWithDebInfo, or multi configuration generator is being used (aka not specifing build type, or building with VS)
+            message(STATUS "Configuring for Release build")
+            set(SECURITY_COMPILER_FLAGS "${SECURITY_COMPILER_FLAGS} /WX /sdl") 
+        endif()
+
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+
+        if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
+            set(CMAKE_LINKER_FLAGS "${CMAKE_LINKER_FLAGS} /INCREMENTAL:NO /LTCG /NXCOMPAT") # ignoring '/INCREMENTAL' due to '/LTCG' specification
+        endif()
+
+        #################
+
         set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /bigobj /wd4819")
         set(LRS_TRY_USE_AVX true)
         add_definitions(-D_UNICODE)

CMakeLists.txt

@@ -61,11 +61,17 @@ target_link_libraries( ${LRS_TARGET} PUBLIC rsutils )
 if(BUILD_WITH_DDS)
     if (CMAKE_SYSTEM MATCHES "Windows" OR CMAKE_SYSTEM MATCHES "Linux")
 
+        string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove security flags
+        string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+
         message(STATUS "Building with FastDDS")
         include(CMake/external_foonathan_memory.cmake)
         include(CMake/external_fastdds.cmake)
 
         target_link_libraries( ${LRS_TARGET} PRIVATE realdds )
+
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}")
 
     else()
         MESSAGE(STATUS "Turning off `BUILD_WITH_DDS` as it's only supported on Windows & Linux and not on ${CMAKE_SYSTEM}")

examples/CMakeLists.txt

@@ -7,6 +7,8 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1)
 # View the makefile commands during build
 #set(CMAKE_VERBOSE_MAKEFILE on)
 
+string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # examples are executables so we want position indepandent executables and not libraries
+
 set( DEPENDENCIES ${LRS_TARGET} )
 if(BUILD_GRAPHICAL_EXAMPLES)
     include(${CMAKE_SOURCE_DIR}/CMake/opengl_config.cmake)
@@ -40,3 +42,5 @@ add_subdirectory(record-playback)
 add_subdirectory(motion)
 add_subdirectory(gl)
 add_subdirectory(hdr)
+
+string(REPLACE "-fPIE" "-fPIC" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")

include/librealsense2/hpp/rs_export.hpp

@@ -81,7 +81,7 @@ namespace rs2
             bool use_normals = get_option(OPTION_PLY_NORMALS) != 0;
             const auto verts = p.get_vertices();
             const auto texcoords = p.get_texture_coordinates();
-            const uint8_t* texture_data;
+            const uint8_t* texture_data = nullptr;
             if (use_texcoords) // texture might be on the gpu, get pointer to data before for-loop to avoid repeated access
                 texture_data = reinterpret_cast<const uint8_t*>(color.get_data());
             std::vector<rs2::vertex> new_verts;

src/hid-sensor.cpp

@@ -145,7 +145,7 @@ void hid_sensor::close()
         std::lock_guard< std::mutex > lock( _configure_lock );
         _configured_profiles.clear();
         _is_configured_stream.clear();
-        _is_configured_stream.resize( RS2_STREAM_COUNT );
+        _is_configured_stream.assign(RS2_STREAM_COUNT, false);
     }
     _is_opened = false;
     if( Is< librealsense::global_time_interface >( _owner ) )

src/hid/hid-device.cpp

@@ -334,7 +334,7 @@ namespace librealsense
             //we want to change the sensitivity values only in gyro, for FW version >= 5.16
             if( featureReport.reportId == REPORT_ID_GYROMETER_3D
                 && _realsense_hid_report_actual_size == sizeof( REALSENSE_HID_REPORT ) )
-                featureReport.sensitivity = sensitivity;
+                featureReport.sensitivity = static_cast<unsigned short>(sensitivity);
 
 
             res = dev->control_transfer(USB_REQUEST_CODE_SET,

src/uvc/uvc-device.cpp

@@ -177,7 +177,7 @@ namespace librealsense
                     switch(state)
                     {
                         case D0:
-                            _messenger = _usb_device->open(_info.mi);
+                            _messenger = _usb_device->open(static_cast<uint8_t>(_info.mi));
                             if (_messenger)
                             {
                                 try{
@@ -654,7 +654,7 @@ namespace librealsense
 
         void rs_uvc_device::listen_to_interrupts()
         {
-            auto ctrl_interface = _usb_device->get_interface(_info.mi);
+            auto ctrl_interface = _usb_device->get_interface(static_cast<uint8_t>(_info.mi));
             if (!ctrl_interface)
                 return;
             auto iep = ctrl_interface->first_endpoint(RS2_USB_ENDPOINT_DIRECTION_READ, RS2_USB_ENDPOINT_INTERRUPT);
@@ -856,7 +856,7 @@ namespace librealsense
                                 req,
                                 probe ? (UVC_VS_PROBE_CONTROL << 8) : (UVC_VS_COMMIT_CONTROL << 8),
                                 ctrl->bInterfaceNumber, // When requestType is directed to an interface, the driver automatically passes the interface number in the low byte of index
-                                buf, len, transferred, 0);
+                                buf, static_cast<uint32_t>(len), transferred, 0);
                     } while (sts != RS2_USB_STATUS_SUCCESS && retries++ < 5);
                 }
             }, [this](){ return !_messenger; });

src/uvc/uvc-streamer.cpp

@@ -28,7 +28,7 @@ namespace librealsense
 
             _action_dispatcher.start();
 
-            _watchdog_timeout = (1000.0 / _context.profile.fps) * 10;
+            _watchdog_timeout = static_cast<int64_t>(((1000.0 / _context.profile.fps) * 10));
 
             init();
         }

third-party/CMakeLists.txt

@@ -1,9 +1,12 @@
 string(REPLACE ${PROJECT_SOURCE_DIR}/ "" _rel_path ${CMAKE_CURRENT_LIST_DIR})
 
-include(CMake/external_json.cmake)
 
 add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/rsutils" )
 
+string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # remove security flags
+string(REPLACE "${SECURITY_COMPILER_FLAGS}" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+
+include(CMake/external_json.cmake)
 # Add additional include directories to allow file to include rosbag headers
 include(${_rel_path}/realsense-file/config.cmake)
 
@@ -18,3 +21,6 @@ if( BUILD_WITH_DDS )
     add_subdirectory( "${CMAKE_CURRENT_LIST_DIR}/realdds" )
 endif()
 
+# restore flags
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SECURITY_COMPILER_FLAGS}")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_COMPILER_FLAGS}")

third-party/rsutils/src/json.cpp

@@ -411,7 +411,7 @@ class serializer
             {
                 dump( *i, pretty_print_width, ensure_ascii, indent_step, new_indent );
                 _o.put( ',' );
-                if( need_to_indent || pretty_print_width && _line_width > pretty_print_width )
+                if( need_to_indent || (pretty_print_width && _line_width > pretty_print_width ))
                 {
                     newline();
                     _o.write( _indent_string.c_str(), new_indent );
@@ -1100,7 +1100,7 @@ class serializer
             }
         };
 
-        JSON_ASSERT(byte < utf8d.size());
+        JSON_ASSERT(static_cast<size_t>(byte) < utf8d.size());
         const std::uint8_t type = utf8d[byte];
 
         codep = (state != UTF8_ACCEPT)

tools/CMakeLists.txt

@@ -7,6 +7,8 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS 1)
 # View the makefile commands during build
 #set(CMAKE_VERBOSE_MAKEFILE on)
 
+string(REPLACE "-fPIC" "-fPIE" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") # tools are executables so we want position indepandent executables and not libraries
+
 list( APPEND DEPENDENCIES ${LRS_TARGET} tclap )
 
 if(BUILD_TOOLS)
@@ -45,3 +47,5 @@ if(BUILD_EXAMPLES)
         endif()
     endif()
 endif()
+
+string(REPLACE "-fPIE" "-fPIC" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")

wrappers/csharp/Intel.RealSense/Devices/AutoCalibratedDevice.cs

@@ -11,7 +11,7 @@ public class AutoCalibratedDevice : CalibratedDevice
         internal AutoCalibratedDevice(IntPtr dev)
             : base(dev)
         { }
-        public static AutoCalibratedDevice FromDevice(Device dev)
+        public static new AutoCalibratedDevice FromDevice(Device dev)
         {
             object error;
             if (NativeMethods.rs2_is_device_extendable_to(dev.Handle, Extension.AutoCalibratedDevice, out error) == 0)