tbeu / matio

MATLAB MAT File I/O Library
https://matio.sourceforge.io
BSD 2-Clause "Simplified" License

Integrating with OSS-Fuzz #124

Closed Google-Autofuzz closed 5 years ago

Google-Autofuzz commented 5 years ago

Greetings matio developers and contributors,

We’re reaching out because your project is an important part of the open source ecosystem, and we’d like to invite you to integrate with our fuzzing service, OSS-Fuzz. OSS-Fuzz is a free fuzzing infrastructure you can use to identify security vulnerabilities and stability bugs in your project. OSS-Fuzz will:

Many widely used open source projects like OpenSSL, FFmpeg, LibreOffice, and ImageMagick are fuzzing via OSS-Fuzz, which helps them find and remediate critical issues.

Even though typical integrations can be done in < 100 LoC, we have a reward program in place which aims to recognize folks who are not just contributing to open source, but are also working hard to make it more secure.

We want to stress that anyone who meets the eligibility criteria and integrates a project with OSS-Fuzz is eligible for a reward.

To help you getting started, we can attach our internal fuzzer for your project that you are welcome to use directly, or to use it as a starting point.

If you're not interested in integrating with OSS-Fuzz, it would be helpful for us to understand why—lack of interest, lack of time, or something else—so we can better support projects like yours in the future.

If we’ve missed your question in our FAQ, feel free to reply or reach out to us at oss-fuzz-outreach@googlegroups.com.

Thanks!

Tommy OSS-Fuzz Team

tbeu commented 5 years ago

Running the fuzzer is not a big deal, but analyzing and fixing may take a huge effort. I still have many crafted files here when I run honggfuzz 1.8 (through Cygwin) occasionally.

Google-Autofuzz commented 5 years ago

> Running the fuzzer is not a big deal, but analyzing and fixing may take a huge effort. I still have many crafted files here when I run honggfuzz 1.8 (through Cygwin) occasionally.

What do you prefer? Shall we try to get it into OSS-Fuzz anyway or you want to wait? @tbeu

tbeu commented 5 years ago

If you like you can start the integration. However, I do not have a gmail address, but you can contact me via https://github.com/tbeu/matio#11-contact.

tbeu commented 5 years ago

@Google-Autofuzz How should I reference your created issues when providing a fix? Is it enough to reference the issue number (e.g., Issue 16833) in the commit message? Or do you want me also to edit your issues at https://bugs.chromium.org/p/oss-fuzz ?

Google-Autofuzz commented 5 years ago

> @Google-Autofuzz How should I reference your created issues when providing a fix? Is it enough to reference the issue number (e.g., Issue 16833) in the commit message? Or do you want me also to edit your issues at https://bugs.chromium.org/p/oss-fuzz ?

Before you fix the bugs, you should try to reproduce the issues (see https://google.github.io/oss-fuzz/advanced-topics/reproducing/).

tbeu commented 5 years ago

Not sure how and whom I should ask there. I read the FAQs but this was not addressed.

tbeu commented 5 years ago

Currently the fuzzed files are all v4 MAT files. How can we create fuzzed v5 files?

Google-Autofuzz commented 5 years ago

OSS-Fuzz will automatically close the issues when the underlying cause is fixed upstream.

As for the version of MAT files, since the fuzzer is coverage based, if there is a way to parse v5 files via the API used by the fuzzer, odds are that they will be exercised at some point.

tbeu commented 5 years ago

OK.

Can we close this issue then?

Google-Autofuzz commented 5 years ago

Absolutely :)

Feel free to reach out if you have more questions, we're happy to help

tbeu commented 5 years ago

Thanks.

I noticed that the matio used for fuzzing is not built with hdf5 support. Should that be improved?

Google-Autofuzz commented 5 years ago

Feel free to open a pull-request to improve it :)

tbeu commented 5 years ago

Done.

How can I force (earlier) that a new version is built whenever I push commits? Currently it takes up to 2 days till I get the response.

tbeu commented 5 years ago

> As for the version of MAT files, since the fuzzer is coverage based, if there is a way to parse v5 files via the api used by the fuzzer, odds are that they will be exercised at some point.

Yes, if byte 0x7d of the input file stream is 0x00 and byte 0x7e is 0x01 or 0x02. So far (after one week of running) this was not yet the case, though 16 issues on v4 MAT files have been found.

Google-Autofuzz commented 5 years ago

I don't understand what you mean by "How can I force (earlier) that a new version is built whenever I push commits? Currently it takes up to 2 days till I get the response."

You can add a corpus if you want to help the fuzzer discover new paths more quickly.
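As an added illustration of the two points above (the header bytes tbeu says a v5 file must carry, and the suggestion to seed the fuzzer with a corpus), here is a small C program that is not part of matio or the OSS-Fuzz integration: it writes a minimal 128-byte Level 5 MAT header that can go into a seed corpus, and `mat_detect_version` mirrors the check a reader makes before taking the v5 path. The field offsets (version at bytes 124-125, endian indicator "IM"/"MI" at 126-127, version 0x0100 for v5 and 0x0200 for v7.3) are taken from the MAT-file format documentation, not from matio's source, and the file name is a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAT_HDR_LEN 128

/* Fill buf with a Level 5 MAT header written in little-endian byte order
   (endian indicator "IM"), as a seed that lets the fuzzer reach v5 parsing. */
void mat5_make_header(uint8_t buf[MAT_HDR_LEN], uint16_t version) {
    static const char text[] = "MATLAB 5.0 MAT-file, constructed fuzzing seed";
    memset(buf, ' ', 116);                /* header text is space padded */
    memcpy(buf, text, strlen(text));
    memset(buf + 116, ' ', 8);            /* subsystem data offset: unused */
    buf[124] = (uint8_t)(version & 0xff); /* version, little-endian */
    buf[125] = (uint8_t)(version >> 8);
    buf[126] = 'I';                       /* "IM": writer was little-endian */
    buf[127] = 'M';
}

/* Classify a file prefix: 5 for a v5 header, 7 for the v7.3 (HDF5) marker
   0x0200, and 4 otherwise, since v4 files have no magic and readers fall
   back to v4 when the v5 check fails. */
int mat_detect_version(const uint8_t *buf, size_t len) {
    uint16_t version;
    if (len < MAT_HDR_LEN)
        return 4;
    if (buf[126] == 'I' && buf[127] == 'M')          /* little-endian file */
        version = (uint16_t)(buf[124] | (buf[125] << 8));
    else if (buf[126] == 'M' && buf[127] == 'I')     /* big-endian file */
        version = (uint16_t)((buf[124] << 8) | buf[125]);
    else
        return 4;
    if (version == 0x0100) return 5;
    if (version == 0x0200) return 7;
    return 4;
}

/* Write a header-only v5 seed file; returns 0 on success, -1 on I/O error. */
int mat5_write_seed(const char *path) {
    uint8_t buf[MAT_HDR_LEN];
    FILE *fp = fopen(path, "wb");
    if (!fp)
        return -1;
    mat5_make_header(buf, 0x0100);
    if (fwrite(buf, 1, MAT_HDR_LEN, fp) != MAT_HDR_LEN) {
        fclose(fp);
        return -1;
    }
    return fclose(fp) == 0 ? 0 : -1;
}

int main(void) {
    return mat5_write_seed("seed_v5.mat") == 0 ? 0 : 1; /* constructed name */
}
```

A real v7.3 file is an HDF5 container with this header in its user block, so a header-only seed exercises only the version dispatch, not the HDF5 reader.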