google / uuid

Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
BSD 3-Clause "New" or "Revised" License

Added fuzzer and integrated with oss-fuzz #59

Closed AdamKorcz closed 4 years ago

AdamKorcz commented 4 years ago

This PR adds a fuzzer for uuid.

I have set up uuid in oss-fuzz as well: https://github.com/google/oss-fuzz/pull/3825

If there is interest in completing that integration, we are in need of the email addresses of maintainers of uuid that should receive the bug reports if a bug is found.

pborman commented 4 years ago

Thanks for looking into this.

I think I agree with the oss-fuzz folks. The Parse functions are pretty trivial and easy to visually verify (it does a length check right up front). They only call a few functions in the strings/bytes package and util.go:xtob. xtob is also easy to verify as it takes a byte and indexes into a static array of 256 bytes.
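
An added example, not part of the thread and not the google/uuid source: a table-driven hex-pair decoder of the kind described in the comment above, checked exhaustively against `encoding/hex` over all 65,536 two-byte inputs, which is small enough that no fuzzer is needed. The names `hexTable`, `hexPairToByte` and `CheckAllPairs`, and the use of 255 as the "invalid" marker, are assumptions made for this sketch.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// hexTable maps each possible byte to its hex digit value, or 255 if it is
// not a hex digit (hypothetical stand-in for the static 256-byte array).
var hexTable = buildHexTable()

func buildHexTable() [256]byte {
	var t [256]byte
	for i := range t {
		t[i] = 255
	}
	for i := 0; i < 16; i++ {
		t["0123456789abcdef"[i]] = byte(i)
		t["0123456789ABCDEF"[i]] = byte(i)
	}
	return t
}

// hexPairToByte decodes two hex characters into one byte. A byte used as an
// index into a [256]byte array can never be out of range.
func hexPairToByte(hi, lo byte) (byte, bool) {
	h, l := hexTable[hi], hexTable[lo]
	return h<<4 | l, h != 255 && l != 255
}

// CheckAllPairs compares hexPairToByte with encoding/hex on every two-byte
// input and returns the number of accepted pairs and of disagreements.
func CheckAllPairs() (accepted, mismatches int) {
	for hi := 0; hi < 256; hi++ {
		for lo := 0; lo < 256; lo++ {
			got, ok := hexPairToByte(byte(hi), byte(lo))
			want, err := hex.DecodeString(string([]byte{byte(hi), byte(lo)}))
			if ok {
				accepted++
			}
			if ok != (err == nil) || (ok && got != want[0]) {
				mismatches++
			}
		}
	}
	return accepted, mismatches
}

func main() { fmt.Println(CheckAllPairs()) }
```
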