From 5acfa524cb4a36d32136be217731b86bc92ec56e Mon Sep 17 00:00:00 2001
From: Maksim Shabunin
Date: Mon, 6 May 2019 19:23:27 +0300
Subject: [PATCH] Added support for Clang build hardening (including Apple)
---
 cmake/OpenCVCompilerDefenses.cmake | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/cmake/OpenCVCompilerDefenses.cmake b/cmake/OpenCVCompilerDefenses.cmake
index c4563ff0c1..62029ea38b 100644
--- a/cmake/OpenCVCompilerDefenses.cmake
+++ b/cmake/OpenCVCompilerDefenses.cmake
@@ -5,7 +5,7 @@
 # - https://wiki.debian.org/Hardening
 # - https://wiki.gentoo.org/wiki/Hardened/Toolchain
 # - https://docs.microsoft.com/en-us/cpp/build/reference/sdl-enable-additional-security-checks
-
+# - https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
 set(OPENCV_LINKER_DEFENSES_FLAGS_COMMON "")
@@ -44,6 +44,12 @@ if(MSVC)
 if(NOT X86_64)
 set(OPENCV_LINKER_DEFENSES_FLAGS_COMMON "${OPENCV_LINKER_DEFENSES_FLAGS_COMMON} /safeseh")
 endif()
+elseif(CV_CLANG)
+ ocv_add_defense_compiler_flag("-fstack-protector-strong")
+ ocv_add_defense_compiler_flag_release("-D_FORTIFY_SOURCE=2")
+ if (NOT APPLE)
+ set(OPENCV_LINKER_DEFENSES_FLAGS_COMMON "${OPENCV_LINKER_DEFENSES_FLAGS_COMMON} -z noexecstack -z relro -z now" )
+ endif()
 elseif(CV_GCC)
 if(CMAKE_CXX_COMPILER_VERSION VERSION_LESS "4.9")
 ocv_add_defense_compiler_flag("-fstack-protector")
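Review bot: In the new `elseif(CV_CLANG)` branch the ELF linker options `-z noexecstack -z relro -z now` are guarded only by `if (NOT APPLE)`, so any other non-ELF Clang target that does not take the `MSVC` branch would receive them too. A positive condition such as `if(UNIX AND NOT APPLE)` states the intent more precisely, and a comment like `# -z options are ELF-only; presumably rejected by Apple's linker` would record why Apple is excluded. Separately, `-fstack-protector-strong` is added with no version fallback, whereas the `CV_GCC` branch that follows selects `-fstack-protector` for compilers older than 4.9. If `ocv_add_defense_compiler_flag` (defined outside this hunk) does not probe flag support, older Clang releases may reject the option, or the build may silently end up without stack protection. The `if(MSVC)` chain begins before and continues past the hunk.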