On 21 April 2017 at 02:06, Kurt Schwehr <[hidden email]> wrote:
> The Google security team is interested in having GDAL join the OSS-Fuzz -
> Continuous Fuzzing for Open Source Software project:
> https://github.com/google/oss-fuzz
> If folks are interested, I've got a few fuzzers that we can start with that
> we can copy from gdal-autotest2.
I think it's an interesting project GDAL should be part of.
I'm interested. What is your plan, and where is help needed?
p.s. I see OSS-Fuzz is going to add new fuzzing engines in future.
Perhaps Dr Memory/Dr Fuzz, already used by Chromium AFAIK,
will be considered too. AFAIU it comes with built-in fuzzer
and supports Windows.
> I'm interested. What is your plan, and where is help needed?
I don't actually have a plan :)
I've been using an internal-to-Google interface to drive fuzzing so far and have yet to look at what it takes to drive OSS-Fuzz. So someone looking at what we need to do to trigger the fuzzing would be great.
We just need to get a local version of WrapUnique and autotest2::VsiMemTempWrappe, or something equivalent, or be explicit about the cleanup.
Agreed that more fuzzing engines would be nice, but I think we are still at the point where we can find bugs faster than we can fix them. I've got a stack of HFA issues, and I hit my first GeoJSON bug within the first couple of minutes of fuzzing, starting with an empty corpus on a single core. A comparison data point: kakadu was 43 issues found in approx. a week of fuzzing with 1k cores.