
have a go with oss-fuzz #695

Open
jcupitt opened this issue Jul 25, 2017 · 8 comments

@jcupitt
Member

commented Jul 25, 2017

@jcupitt

Member Author

commented Jul 27, 2017

Repository with some notes and a working libFuzzer wrapper:

https://github.com/jcupitt/vips-libfuzzer

Though the first crash it finds is inside libjpeg, sigh.

@jcupitt

Member Author

commented Aug 25, 2017

Update: found and fixed two issues with the libvips load-jpeg-from-buffer code; it seems to run well now. I'll leave it fuzzing over the weekend.

@jcupitt

Member Author

commented Aug 30, 2017

25,000 minutes of CPU time with no issues \o/

tiff and png next.

@kleisauke

Member

commented Dec 10, 2017

Any success so far with OSS-Fuzz integration? I saw that tiff and png load from buffer have been added. Are there any issues found in those specific loaders?

@jcupitt

Member Author

commented Dec 10, 2017

No issues found, but I should try some more. I became side-tracked with fixing up those language bindings :(

8.6 has the libjpeg fixes in.

@kaspergrubbe


commented Feb 7, 2019

An integration with oss-fuzz would be really cool. I was just about to add the issue to the project, and then I noticed this issue existed.

@kaspergrubbe


commented Feb 7, 2019

It also seems like Google might pay for the integration, based on this blog post: https://security.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

@jcupitt

Member Author

commented Feb 7, 2019

Oh, interesting, thanks for the link @kaspergrubbe.

I was actually looking at this last week and it seems it's bitrotted in the last two years. It all needs to be done again following the latest guidelines. Perhaps after 8.8 is out (hopefully RSN).
