apache
OSS-Fuzz Integration Request
Background
Following the recent CVE-2025-47436 heap buffer overflow vulnerability discovery and fix, I would like to propose integrating Apache ORC with the OSS-Fuzz project to help identify potential security vulnerabilities earlier through continuous fuzzing.
Apache Projects Already Using OSS-Fuzz
Many Apache Software Foundation projects are already integrated with OSS-Fuzz, including:
- apache-axis2
- apache-commons-bcel
- apache-commons-beanutils
- apache-commons-cli
- apache-commons-codec
- apache-commons-collections
- apache-commons-compress
- apache-commons-configuration
- apache-commons-csv
- apache-commons-fileupload
- apache-commons-geometry
- apache-commons-imaging
- apache-commons-io
- apache-commons-jxpath
- apache-commons-lang
- apache-commons-logging
- apache-commons-math
- apache-commons-net
- apache-commons-text
- apache-commons-validator
- apache-cxf
- apache-doris
- apache-felix-dev
- apache-httpd
- apache-logging-log4cxx
- apache-poi
Integration
I would prepare a pull request that adds:
- Fuzzing harness to the Apache ORC repository
- Integration configuration for the OSS-Fuzz project
- Build scripts and related components
This proposal was previously discussed via email with @dongjoon-hyun, who suggested opening this issue for formal documentation before proceeding with the integration work.
I'm seeking formal approval from the Apache ORC PMC to proceed with the OSS-Fuzz integration. Once approved, I'll prepare the necessary pull requests for both the ORC and OSS-Fuzz repositories.
Thanks a lot!
