Add [email protected] to `auto_ccs` for `image-png` project.
OSS-Fuzz maintainers - can you PTAL?
Trustworthiness of this request:
- This is a memory-safe, Rust-based project (no `unsafe` in `png` and `fdeflate` crates, although there is some `unsafe` in other dependencies). This argues that most issues discovered by fuzzing should not be security issues, merely correctness/functional issues (or at most Denial-of-Service issues when a timeout happens for some inputs).
- I am contributing to the `png` project as a Chromium Security engineer, so I can hopefully claim some of the trust/karma that may be attributed to the Chromium Security team.
Motivation for this request:
- I have recently added a new failure mode to one of `image-png` fuzzers (see fuzzer changes underneath https://github.com/image-rs/image-png/pull/496) and fixed a few resulting failures found by OSS-Fuzz (e.g. https://github.com/image-rs/image-png/pull/498, https://github.com/image-rs/image-png/pull/499, or https://github.com/image-rs/image-png/pull/500). I would like to monitor OSS-Fuzz for additional failures (if any) and help with investigating and/or fixing them.
- There is one OSS-Fuzz-reported failure in another `image-png` fuzzer that I have trouble repro-ing: https://oss-fuzz.com/testcase-detail/5146320858316800. I hope that getting access to the full fuzzing corpus will help me repro this in a different way locally.
Disclaimer: in the long term the ownership of png / Skia / Chromium integration may shift, but I think it still makes sense to add me for now.
/cc @fintelia
anforowicz is a new contributor to projects/image-png. The PR must be approved by known contributors before it can be merged. The past contributors are: fintelia, silvergasp
@fintelia @silvergasp can I go ahead and merge?
I don't have any objections personally. This seems reasonable to me. But I'll leave this up to @fintelia as he is the maintainer.
Gentle ping @fintelia, could you please take a look? Thanks!
Sure, go ahead and add anforowicz. However, I've already stated my stance on continued involvement with oss-fuzz, so after this comment I'm going to fully mute any future pings.