google / re2j

linear time regular expression matching in Java

OSS-Fuzz integration #135

Open fmeum opened 3 years ago

fmeum commented 3 years ago

OSS-Fuzz now offers support for fuzzing Java projects with Jazzer. If you are interested, I could set up re2j in OSS-Fuzz.

By default, Jazzer would detect undeclared exceptions (i.e. those that are not PatternSyntaxExceptions) as well as more serious, potentially DoSable issues such as OutOfMemoryErrors. In order to come up with a good fuzz target, it would be helpful for me to get a better understanding of the security guarantees re2j intends to offer. The parent project's fuzzer could serve as a starting point for that discussion. Depending on your particular security goals, it could also make sense to perform differential fuzzing, i.e., to use a fuzzer to confirm that re2 and re2j behave identically on the common subset of their features.

fmeum commented 3 years ago

@sjamesr Are you interested in the integration? It wouldn't require any work on your part, you would just need to sign off on the PR I submit to the OSS-Fuzz repo.

schirrmacher commented 3 years ago

I think it is a good idea to integrate fuzz tests for this library. I made a short run and found a null pointer:

Pattern.compile("..|.#|..")
=> Method threw 'java.lang.NullPointerException' exception.
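A Jazzer fuzz target of the kind discussed in this thread, added here as an example (not code from re2j, OSS-Fuzz, or any commenter): it treats PatternSyntaxException as the documented outcome for a malformed regex and lets every other Throwable surface as a finding. Class name, length caps, and the main() that replays the crashing pattern reported above are assumptions for illustration.

```java
// Added example: Jazzer fuzz target for re2j. Not part of the re2j project.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.google.re2j.Matcher;
import com.google.re2j.Pattern;
import com.google.re2j.PatternSyntaxException;

public class Re2jCompileFuzzer {
  // Caps (assumed values) keep inputs small so the fuzzer spends its budget on
  // parser and matcher states instead of tripping the memory limit on huge inputs.
  private static final int MAX_PATTERN_LEN = 256;
  private static final int MAX_INPUT_LEN = 1024;

  // Returns true if the regex compiled, false if it was rejected with the
  // expected PatternSyntaxException. Any other Throwable (NullPointerException,
  // StackOverflowError, OutOfMemoryError) propagates and is reported by Jazzer.
  static boolean compileOrReject(String regex) {
    try {
      Pattern.compile(regex);
      return true;
    } catch (PatternSyntaxException expected) {
      return false;
    }
  }

  // Entry point Jazzer calls once per generated input.
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    String regex = data.consumeString(MAX_PATTERN_LEN);
    String input = data.consumeRemainingAsString();
    if (input.length() > MAX_INPUT_LEN) {
      input = input.substring(0, MAX_INPUT_LEN);
    }
    if (!compileOrReject(regex)) {
      return; // malformed regex: the behaviour re2j documents, not a bug
    }
    // Exercise matching as well, so matcher-side bugs are reachable too.
    Matcher m = Pattern.compile(regex).matcher(input);
    m.find();
    m.reset();
    m.matches();
  }

  // Stand-alone replay of the pattern reported in the comment above.
  public static void main(String[] args) {
    String reported = args.length > 0 ? args[0] : "..|.#|..";
    System.out.println("compiled=" + compileOrReject(reported));
  }
}
```

Run main() against a fixed re2j build to confirm the report no longer reproduces; under Jazzer, save the crashing input as a seed so it stays in the regression corpus.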