Open mgeisler opened 11 months ago
Note that this can be worked on in parallel to #57 and #65.
When running the fuzz tests locally for a longer time, I was able to trigger a panic which is caused by the parser of pulldown-cmark. I checked the version from master of pulldown-cmark and see that the issue does not trigger there.
Once pulldown-cmark releases a new version/tag, I know the issue will be fixed. Now, if I add the project to OSS-Fuzz, it will probably show those issues caused by the old pulldown-cmark tag. How should those be handled? Is it OK to just wait for a new release of the dependency?
When running the fuzz tests locally for a longer time, I was able to trigger a panic which is caused by the parser of pulldown-cmark. I checked the version from master of pulldown-cmark and see that the issue does not trigger there.
Cool, thanks for checking this! They might not know about it in the upstream repository, so we should let them know so they can create a new release.
Once pulldown-cmark releases a new version/tag, I know the issue will be fixed. Now, if I add the project to OSS-Fuzz, it will probably show those issues caused by the old pulldown-cmark tag. How should those be handled?
I'm not super sure how to handle this, actually. From my own projects, I seem to remember that you get a mail about any fuzz errors found. I hope it will cluster errors so that a known problem will send just one mail :slightly_smiling_face:
Is it OK to just wait for a new release of the dependency?
Yeah, we can wait for pulldown-cmark to be fixed before we look into this. Are you okay with being assigned to this bug since you now have all the relevant context?
Sure, you can assign the bug to me.
Instead of running fuzzers for a short amount of time on every PR, we should see if we can get added to OSS-Fuzz.