Commit 4a1a222f authored by Lily Ballard

vim: enable fortify when using clang

Our vim derivations have been disabling fortify for 10 years, due to a
crash at the time that had yet to be fixed upstream. The vim configure
script tries to strip out any `_FORTIFY_SOURCE` definition provided by
the caller in favor of setting `-D_FORTIFY_SOURCE=1` itself and cites a
crash introduced in gcc 4.0 as the reason, but our MacVim package has
been running with fortify enabled without any known issues. After
testing it seems that compiling vim with clang works just fine with
fortify, but compiling it with gcc detects a buffer overflow and aborts.

We do still need to disable `strictflexarrays1` though, as vim's
`ufunc_S` struct ends with a `uf_name[4]` field that is treated as a
flexible array with a minimum length of 4.
parent c85d1f07
+6 −2
{ lib, fetchFromGitHub }:
{
  lib,
  fetchFromGitHub,
  stdenv,
}:
rec {
  version = "9.2.0106";

@@ -17,7 +21,7 @@ rec {
  enableParallelBuilding = true;
  enableParallelInstalling = false;

  hardeningDisable = [ "fortify" ];
  hardeningDisable = if stdenv.cc.isClang then [ "strictflexarrays1" ] else [ "fortify" ];

  # Use man from $PATH; escape sequences are still problematic.
  postPatch = ''
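Review bot: The gcc branch of the new `hardeningDisable` line keeps `strictflexarrays1` enabled while switching fortify off, although the description attributes the clang-side problem to the trailing `uf_name[4]` member of `ufunc_S` rather than to fortify itself; if the gcc abort is that same overflow being reported by `_FORTIFY_SOURCE`, disabling only `strictflexarrays1` may be enough for gcc too and would keep the runtime mitigation on both toolchains, so a test build of that variant seems worth doing before settling on the asymmetric form. The reasoning currently lives only in the commit message, so a comment above the line, e.g. `# clang: fortify works, but ufunc_S ends in uf_name[4] used as a flex array; gcc: fortify aborts (see commit 4a1a222f)`, would stop the next maintainer from re-enabling either flag blindly. Since this `rec` set is shared and the condition reads `stdenv.cc.isClang`, every consumer has to pass `inherit stdenv` as the other two files now do; a caller that omits it would be evaluated against callPackage's default stdenv instead of its own.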
+1 −1
@@ -17,7 +17,7 @@
}:

let
  common = callPackage ./common.nix { };
  common = callPackage ./common.nix { inherit stdenv; };
in
stdenv.mkDerivation {
  pname = "vim";
+1 −1
@@ -81,7 +81,7 @@ let
    endif
  '';

  common = callPackage ./common.nix { };
  common = callPackage ./common.nix { inherit stdenv; };

in
stdenv.mkDerivation {