pnggroup / libpng

LIBPNG: Portable Network Graphics support, official libpng repository
http://libpng.sf.net

Revive the oss-fuzz integration #450

Open thealberto opened 1 year ago

thealberto commented 1 year ago

Hi @ctruta , @jbowler ,

Thanks to issue #424 we have noticed that the oss-fuzz support is a little bit out of date, and users might not find it super easy to start with. I worked a bit on an (atm private) fuzzer for libpng which achieves better coverage.

It seems a good moment for you to help me understand whether you would be interested in receiving PRs that would improve the overall oss-fuzz coverage.

If so, how would you do it? Multiple fuzzers for different parts, or something else?

Thanks

jbowler commented 1 year ago

The fuzzer needs to be fixed first. We know #424 is a fuzzer bug and, given the nature of the bug, it seems very likely that other memory init bugs reported before could be other instances of #424.

oss-fuzz needs a maintainer; it's currently broken, and #424 needs a fix, otherwise the bugs are just a waste of time.

thealberto commented 1 year ago

Hi @jbowler, I worked on a fix for the fuzzer. I can see that the structure probably isn't the ideal one right now, but we can talk about it and decide together.

An example of the fuzzer with the same reproducer:

```
➜  oss-fuzz git:(master) ✗ sudo python3 infra/helper.py reproduce libpng-alberto libpng_read_fuzzer ../oss/issue424/reproducer
INFO:root:Running: docker run --rm --privileged --platform linux/amd64 -i -v /home/alberto/progetti/oss-fuzz/build/out/libpng-alberto:/out -v /home/alberto/progetti/oss/issue424/reproducer:/testcase -t gcr.io/oss-fuzz-base/base-runner reproduce libpng_read_fuzzer -runs=100.
+ FUZZER=libpng_read_fuzzer
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export RUN_FUZZER_MODE=interactive
+ RUN_FUZZER_MODE=interactive
+ export FUZZING_ENGINE=libfuzzer
+ FUZZING_ENGINE=libfuzzer
+ export SKIP_SEED_CORPUS=1
+ SKIP_SEED_CORPUS=1
+ run_fuzzer libpng_read_fuzzer -runs=100 /testcase
/out/libpng_read_fuzzer -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase -dict=png.dict < /dev/null
Dictionary: 28 entries
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1520525039
INFO: Loaded 1 modules   (6360 inline 8-bit counters): 6360 [0x71df48, 0x71f820), 
INFO: Loaded 1 PC tables (6360 PCs): 6360 [0x6b3558,0x6cc2d8), 
/out/libpng_read_fuzzer: Running 1 inputs 100 time(s) each.
Running: /testcase
Executed /testcase in 1 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***
➜  oss-fuzz git:(master) ✗
```

Can you try this fuzzer?

I am even more confident in saying that #424 is a false positive caused by the broken fuzzer on our end.

Let me know what you think.