
OSS-Fuzz Integration Inquiry

Open capuanob opened this issue 10 months ago • 3 comments

Hello!

I have integrated a few open-sourced projects into OSS-Fuzz, a program sponsored by Google to provide continuous fuzz-testing of impactful open-sourced projects, and am wondering if libcimbar's maintainers would approve me undertaking the work to develop a harness to fuzz-test this library and integrate it into OSS-Fuzz.

If you would like more details on what OSS-Fuzz is and what this work would entail, more details can be found here.

All I would need to get started is an email to set as the primary contact. This email will be granted access to ClusterFuzz and to crash reports.

Thank you for your consideration and I look forward to working with you all!

capuanob avatar Feb 25 '25 05:02 capuanob

Hi. "maintainers" would be me, I'm the guy, "of course I know him he's me", etc etc

I'll have to look into this more. I'm all for doing fuzz testing on the code base, but I don't have the cycles to dig into it immediately.

But off the top of my head:

  • there are two primary code paths, encoding and decoding.
  • Of those, the decoding path has always seemed much more interesting from a security perspective. There are two plausible entry points:
    • the RGB buffer passed to the code. Right now there's not a clean C interface for this, but that should change in the next few months
    • the post-OpenCV data buffers passed to libcorrect and then wirehair. i.e. pay less attention to the OpenCV step
    • ... I think fuzzing libcorrect+wirehair might be interesting/useful in its own way, but for the purposes of this project I'd be inclined to beat on it at the top (RGB) level

sz3 avatar Mar 01 '25 09:03 sz3

@sz3 Thanks for the response! I could handle looking into it - no need to eat any of your cycles! However, I appreciate the recommended starting points. All I would need from you (besides a point of contact email to get access to the bug reports) would be the eventual PR review.

capuanob avatar Mar 02 '25 00:03 capuanob

Realizing now that I never provided an email -- sz at recv.cc will work (it's also the one in the git logs)

sz3 avatar Mar 21 '25 05:03 sz3