Copilot AI commented Oct 8, 2025

Overview

This PR implements continuous fuzzing for the Quicer QUIC library using ClusterFuzzLite, addressing the feature request in the original issue. ClusterFuzzLite enables automated fuzz testing via GitHub Actions to discover bugs, memory errors, and security vulnerabilities before they reach production.

What's New

GitHub Actions Workflow

A new .github/workflows/clusterfuzzlite.yml workflow has been added that:

  • Runs automatically on pull requests that modify C source code, fuzz targets, or build configuration
  • Runs daily at 00:00 UTC for extended fuzzing sessions
  • Tests with multiple sanitizers: AddressSanitizer (memory errors), UndefinedBehaviorSanitizer (undefined behavior), and MemorySanitizer (uninitialized memory)
  • Integrates with GitHub Security: uploads SARIF results for code scanning and crash artifacts for investigation

The workflow operates in three modes:

  1. Code Change Mode: Runs 5-minute fuzzing sessions on each PR to catch issues early
  2. Batch Mode: Daily 1-hour fuzzing sessions for deeper testing
  3. Prune Mode: Minimizes the seed corpus to remove redundant test cases

Fuzz Target

The initial fuzz target (fuzz/fuzz_config.c) tests QUIC configuration handling through the msquic library:

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    // Tests configuration creation, parameter setting,
    // credential loading, and resource cleanup
    ...
}

This target exercises critical code paths including registration, configuration creation, settings application, and credential loading, all areas where malformed input could cause crashes or security issues.

Build Integration

The fuzz/build.sh script integrates with the OSS-Fuzz infrastructure:

  • Builds the msquic library with appropriate flags
  • Compiles fuzz targets with sanitizer instrumentation
  • Links with libFuzzer for continuous fuzzing
  • Copies seed corpus for initial coverage

Documentation

  • fuzz/README.md: Comprehensive guide for running fuzz tests locally, understanding the infrastructure, and contributing new fuzz targets
  • Updated main README: Added a fuzzing section linking to the detailed documentation

Benefits

  • Proactive Security: automatically discovers bugs before they reach users
  • Continuous Testing: runs on every code change and daily for comprehensive coverage
  • Multiple Detection Modes: three sanitizers catch different classes of bugs
  • Easy to Extend: simple process for adding new fuzz targets
  • No Manual Intervention: fully automated via GitHub Actions

Future Enhancements

Additional fuzz targets can be added to test:

  • Connection establishment and handshake
  • Stream operations (send/receive)
  • TLS credential handling
  • Datagram operations

References

Closes #[issue_number]

Original prompt

This section details the original issue you should resolve

<issue_title>quality: OSS-Fuzz check</issue_title>
<issue_description>Is your feature request related to a problem? Please describe.
Run fuzz test

Describe the solution you'd like
https://google.github.io/clusterfuzzlite/running-clusterfuzzlite/github-actions/

Describe alternatives you've considered
self-hosted

Additional context
Add any other context or screenshots about the feature request here.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #193

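As an added illustration, not the workflow file from this PR, this is what a ClusterFuzzLite workflow of the kind described above looks like: a pull_request trigger for code-change mode, a daily schedule for batch mode, a matrix over the three sanitizers named in the description, and SARIF upload to GitHub code scanning. The fuzzing durations follow the PR description (300 s per PR, 3600 s daily); the path filters and `language: c` are assumptions.

```yaml
name: ClusterFuzzLite
on:
  pull_request:
    # Assumed paths: C sources, fuzz targets and build configuration.
    paths: ['c_src/**', 'fuzz/**', '.clusterfuzzlite/**']
  schedule:
    - cron: '0 0 * * *'          # daily at 00:00 UTC
permissions:
  contents: read
  security-events: write         # needed by the SARIF upload step
jobs:
  fuzz:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false           # let the other sanitizers finish if one finds a crash
      matrix:
        sanitizer: [address, undefined, memory]
    steps:
      - name: Build fuzzers (${{ matrix.sanitizer }})
        id: build
        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
        with:
          language: c
          github-token: ${{ secrets.GITHUB_TOKEN }}
          sanitizer: ${{ matrix.sanitizer }}
      - name: Run fuzzers (${{ matrix.sanitizer }})
        id: run
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          sanitizer: ${{ matrix.sanitizer }}
          # Scheduled runs are the long batch session; PR runs are short code-change sessions.
          mode: ${{ github.event_name == 'schedule' && 'batch' || 'code-change' }}
          fuzz-seconds: ${{ github.event_name == 'schedule' && 3600 || 300 }}
          output-sarif: true
      - name: Upload SARIF to code scanning
        if: always() && steps.build.outcome == 'success'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: cifuzz-sarif/results.sarif
          checkout_path: cifuzz-sarif
          category: ${{ matrix.sanitizer }}   # one code-scanning category per sanitizer
```

Batch and prune modes only retain and minimize a corpus across runs when a `storage-repo` is configured on both actions; without it, each scheduled run starts from the seed corpus again. The MemorySanitizer leg also requires msquic and its TLS dependency to be built with MSan instrumentation in the build script, otherwise uninstrumented library code produces false positives.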

Copilot AI and others added 3 commits October 8, 2025 18:44
Co-authored-by: qzhuyan <200020+qzhuyan@users.noreply.github.com>
Co-authored-by: qzhuyan <200020+qzhuyan@users.noreply.github.com>
Co-authored-by: qzhuyan <200020+qzhuyan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add OSS-Fuzz testing integration to CI pipeline Add OSS-Fuzz/ClusterFuzzLite integration for continuous security fuzzing Oct 8, 2025
Copilot AI requested a review from qzhuyan October 8, 2025 18:50
Copilot finished work on behalf of qzhuyan October 8, 2025 18:50
qzhuyan (Collaborator) commented Oct 9, 2025


This looks like it is fuzzing msquic, not quicer. I am proposing adding a fuzzing entry in the NIF so that it could run within the VM context. @copilot
