
Add the project to OSS-Fuzz

Open mgeisler opened this issue 1 year ago • 4 comments

Instead of running fuzzers for a short amount of time on every PR, we should see if we can get added to OSS-Fuzz.

mgeisler avatar Sep 20 '23 16:09 mgeisler

Note that this can be worked on in parallel to #57 and #65.

mgeisler avatar Sep 26 '23 11:09 mgeisler

When running the fuzz tests locally for a longer time, I was able to trigger a panic which is caused by the parser of pulldown-cmark. I checked the version from master of pulldown-cmark and saw that the issue does not trigger there.

Once pulldown-cmark releases a new version/tag, I know the issue will be fixed. Now, if I add the project to OSS-Fuzz, it will probably show those issues caused by the old pulldown-cmark tag. How should those be handled? Is it OK to just wait for a new release of the dependency?

kdarkhan avatar Nov 01 '23 14:11 kdarkhan

> When running the fuzz tests locally for a longer time, I was able to trigger a panic which is caused by the parser of pulldown-cmark. I checked the version from master of pulldown-cmark and saw that the issue does not trigger there.

Cool, thanks for checking this! They might not know about it in the upstream repository, so we should let them know so they can create a new release.

> Once pulldown-cmark releases a new version/tag, I know the issue will be fixed. Now, if I add the project to OSS-Fuzz, it will probably show those issues caused by the old pulldown-cmark tag. How should those be handled?

I'm not super sure how to handle this, actually. From my own projects, I seem to remember that you get a mail about any fuzz errors found. I hope it will cluster errors so that a known problem will send just one mail :slightly_smiling_face:

> Is it OK to just wait for a new release of the dependency?

Yeah, we can wait for pulldown-cmark to be fixed before we look into this. Are you okay with being assigned to this bug since you now have all the relevant context?

mgeisler avatar Nov 03 '23 10:11 mgeisler

Sure, you can assign the bug to me.

kdarkhan avatar Nov 06 '23 22:11 kdarkhan

The first PR that was merged defines the project definition.

I created the next PR, which should enable fuzzing, but after several months it has not been reviewed yet.

https://github.com/google/oss-fuzz/pull/12215

kdarkhan avatar Nov 01 '24 18:11 kdarkhan
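For readers unfamiliar with what an OSS-Fuzz "project definition" contains, the following is an added, illustrative `project.yaml` for a Rust project using cargo-fuzz. It is not the content of the merged PR and not the project's own file; the repository URL is assumed from the project name, and the contact address is a placeholder. The field names follow the OSS-Fuzz project schema.

```yaml
# Added example of an OSS-Fuzz project definition (projects/<name>/project.yaml).
# Not the file from the merged PR; values marked as assumed/placeholder are not from the thread.
homepage: "https://github.com/google/mdbook-i18n-helpers"   # assumed repository URL
language: rust                                             # selects the Rust base image and cargo-fuzz tooling
primary_contact: "maintainer@example.com"                  # placeholder: receives crash reports
main_repo: "https://github.com/google/mdbook-i18n-helpers" # assumed; cloned by the Dockerfile
fuzzing_engines:
  - libfuzzer                                              # the engine cargo-fuzz targets are built for
sanitizers:
  - address                                                # ASan also catches out-of-bounds in unsafe code and C deps
```

The definition is paired with a `Dockerfile` that clones `main_repo` and a `build.sh` that runs `cargo fuzz build -O` and copies the resulting fuzz-target binaries into `$OUT`, which is where ClusterFuzz picks them up. Regarding the earlier question about a known panic in a dependency: ClusterFuzz groups crashes by their crash state (the top frames of the stack), so a panic that originates in the same pulldown-cmark frames is filed once rather than once per reproducing input, and it is automatically marked as fixed once a build with the updated dependency no longer reproduces it.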

This issue can be resolved now that the project has been integrated. There were a couple of findings reported by OSS-Fuzz.

kdarkhan avatar Jan 28 '25 23:01 kdarkhan