Add the project to OSS-Fuzz

[mgeisler]

Instead of running fuzzers for a short amount of time on every PR, we should see if we can get added to OSS-Fuzz.

[mgeisler]

Note that this can be worked on in parallel to #57 and #65.

[kdarkhan]

When running the fuzz tests locally for longer time, I was able to trigger a panic which is caused by the parser of pulldown-cmark. I checked the version from master of pulldown-cmark and see that the issue does not trigger there.

Once pulldown-cmark releases a new version/tag, I know the issue will be fixed. Now, if I will add the project to OSS-Fuzz, it will probably show those issues caused by the old pulldown-cmark tag. How should those be handled? Is it OK to just wait for a new release of the dependency?

[mgeisler]

When running the fuzz tests locally for longer time, I was able to trigger a panic which is caused by the parser of pulldown-cmark. I checked the version from master of pulldown-cmark and see that the issue does not trigger there.

Cool, thanks for checking this! They might not know about it in the upstream repository, so we should let them know so they can create a new release.

Once pulldown-cmark releases a new version/tag, I know the issue will be fixed. Now, if I will add the project to OSS-Fuzz, it will probably show those issues caused by the old pulldown-cmark tag. How should those be handled?

I'm not super sure how to handle this, actually. From my own projects, I seem to remember that you get a mail about any fuzz errors found. I hope it will cluster errors so that a known problem will send just one mail :slightly_smiling_face:

Is it OK to just wait for a new release of the dependency?

Yeah, we can wait for pulldown-cmark to be fixed before we look into this. Are you okay with being assigned to this bug since you now have all the relevant context?

[kdarkhan]

Sure, you can assign the bug to me.