<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Sans Serif";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Okay, Even sold me on this and convinced me it's not as much work as I'm expecting it to be.  I guess I'll step forward.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I'll submit a request to OSS Fuzz hopefully this weekend for the continuous integration service and pull in Even's setup.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I'll also commit the memory leak fix that Even found and provided a patch for.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Even, did you by chance see anything funny with Kmeans?  
That cunit thing is driving me nuts cause it fails 25% of the time on Windows (more on 32-bit runs) with some crash.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>There's probably something amiss there.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Regina<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> postgis-devel [mailto:postgis-devel-bounces@lists.osgeo.org] <b>On Behalf Of </b>Paul Ramsey<br><b>Sent:</b> Tuesday, July 04, 2017 5:38 PM<br><b>To:</b> PostGIS Development Discussion <postgis-devel@lists.osgeo.org><br><b>Subject:</b> Re: [postgis-devel] PostGIS (actually liblwgeom) integration with oss-fuzz<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:.5in'>This seems very cool but also very involved and complicated :) <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'>I think everyone is concomitantly afraid to step forward and pick it up. 
It's got it all: external services, big chains of dependencies, docker :) <br>I think everyone is a little afraid to pick it up, lest they own it.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'>P.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><div><div><p class=MsoNormal style='margin-left:.5in'>On Sun, Jul 2, 2017 at 12:07 PM, Even Rouault <<a href="mailto:even.rouault@spatialys.com" target="_blank">even.rouault@spatialys.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Hi,<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>I've prototyped an integration of liblwgeom from the PostGIS repository with oss-fuzz.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Quoting <a href="https://github.com/google/oss-fuzz/" target="_blank">https://github.com/google/oss-fuzz/</a>,<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span 
style='font-size:9.0pt;font-family:"Sans Serif",serif'>"""<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Fuzz testing is a well-known technique for uncovering various kinds of programming errors in software.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Many of these detectable errors (e.g. buffer overflow) can have serious security implications.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>We successfully deployed guided in-process fuzzing of Chrome components and found hundreds of<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>security vulnerabilities and stability bugs. 
We now want to share the experience and the<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>service with the open source community.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>In cooperation with the Core Infrastructure Initiative, OSS-Fuzz aims to make common<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>open source software more secure and stable by combining modern fuzzing techniques<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>and scalable distributed execution.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>"""<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>GDAL and proj.4 have joined oss-fuzz for a few weeks now, and this is really efficient. 
I've fixed between 300 and 400 bugs in GDAL...<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>So I just gave it a try with PostGIS, concentrating on liblwgeom, since it builds nicely in the oss-fuzz environment<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>(plain "make" in the top repository fails in oss-fuzz for some reason I haven't investigated)<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>As an example, I've created 2 fuzzers, one for lwgeom_from_wkb() and the other one for lwgeom_from_wkt().<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>More could be done, based on those examples. 
Left as an exercise to other developers.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Integration of software with oss-fuzz is made of 2 parts:<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>- fuzzer entry points must be in the project repository: <a href="https://github.com/rouault/postgis/tree/ossfuzz/fuzzers" target="_blank">https://github.com/rouault/postgis/tree/ossfuzz/fuzzers</a><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>- a metadata file (project.yaml), a Dockerfile (download needed packages & PostGIS source code) and<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>a "bootstrap" build.sh script must be integrated in OSS-Fuzz's own repo too:<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'><a href="https://github.com/rouault/oss-fuzz/tree/postgis/projects/postgis" target="_blank">https://github.com/rouault/oss-fuzz/tree/postgis/projects/postgis</a><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p 
style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>For now, I've done this in my own postgis and oss-fuzz git forks as you can see, but ultimately if the<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>project agrees we should merge this into their respective official repos.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>But pending that, you can already try this stuff locally<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>{{{<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Make sure you have Docker installed<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>git clone --branch postgis <a href="https://github.com/rouault/oss-fuzz" target="_blank">https://github.com/rouault/oss-fuzz</a><o:p></o:p></span></p><p 
style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>cd oss-fuzz<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Build the Docker image:<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>python infra/helper.py build_image postgis<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Build PostGIS and the fuzzer programs with the address sanitizer:<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>python infra/helper.py build_fuzzers --sanitizer address postgis<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Run one of the fuzzers (you can try with wkt_import_fuzzer too):<o:p></o:p></span></p><p 
style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>python infra/helper.py run_fuzzer postgis wkb_import_fuzzer<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>}}}<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>My local experiments show that lwgeom_from_wkt() seems to be rather robust,<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>but lwgeom_from_wkb() has a few bugs. 
For the record, I found and fixed (in my fork) this memory leak<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>(memory leak = leak in a case where lw_error() is not called) in<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'><a href="https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d" target="_blank">https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d</a><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>There's also a heap buffer overflow it just detected in<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>ptarray_from_wkb_state /src/postgis/liblwgeom/lwin_wkb.c:367<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>So if the community is interested in a closer integration in OSS Fuzz, next steps are:<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>1) someone with PostGIS commit rights merges <a href="https://github.com/rouault/postgis/commit/0181a28ab01764b4e6d11a5d2ffe7edce96498c6" 
target="_blank">https://github.com/rouault/postgis/commit/0181a28ab01764b4e6d11a5d2ffe7edce96498c6</a><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>into PostGIS SVN (as well as the bug fix <a href="https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d" target="_blank">https://github.com/rouault/postgis/commit/cf179396b719223653eee56a01189339e0abcc0d</a> while you are at it)<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>2) interested core PostGIS developers give me a @<a href="http://gmail.com" target="_blank">gmail.com</a> email, so I can add it in<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'><a href="https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/project.yaml" target="_blank">https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/project.yaml</a> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>This way they will then have access to the bug reports that are embargoed for<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>90 days (or 30 days after OSS Fuzz has found them to be fixed)<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>3) I then modify <a 
href="https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/Dockerfile" target="_blank">https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/Dockerfile</a> to<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>point to the PostGIS official GitHub mirror instead of my fork<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>4) I then submit a pull request to <a href="https://github.com/google/oss-fuzz/" target="_blank">https://github.com/google/oss-fuzz/</a> with my<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'><a href="https://github.com/rouault/oss-fuzz" target="_blank">https://github.com/rouault/oss-fuzz</a> postgis branch. They may or may not accept the application, but I guess they will accept.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>If they don't, you can also play with it locally as I showed above. 
And this is strongly recommended<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>to do so when adding a new fuzzer, for example.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>5) once the project is accepted, monitor <a href="https://bugs.chromium.org/p/oss-fuzz/issues/list?q=postgis" target="_blank">https://bugs.chromium.org/p/oss-fuzz/issues/list?q=postgis</a> and fix the bugs!<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>6) add more fuzzers. Hint: in the PostGIS "fuzzers" directory, "make dummyfuzzers" to check that your fuzzer builds.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Note: I don't volunteer to fix all bugs that will be found. I already have enough to do with GDAL... 
I wouldn't<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>mind if someone wants to be the declared maintainer in oss-fuzz projects/postgis/project.yaml and projects/postgis/Dockerfile<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Note 2: if you look closely at <a href="https://github.com/rouault/postgis/blob/ossfuzz/fuzzers/wkb_import_fuzzer.cpp" target="_blank">https://github.com/rouault/postgis/blob/ossfuzz/fuzzers/wkb_import_fuzzer.cpp</a><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>you will notice that it is a bit messy since it stubs GEOS and geod_ symbols. 
This is due to the fact<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>that OSS-Fuzz requires that the fuzzer programs are completely statically linked, and Ubuntu doesn't ship<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>with static builds of geos (actually just libgeos.a but no libgeos_c.a) as far as I can see.<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>All this could be improved by adding a download of GEOS source code in<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'><a href="https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/Dockerfile" target="_blank">https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/Dockerfile</a> and building it manually in<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'><a href="https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/build.sh" target="_blank">https://github.com/rouault/oss-fuzz/blob/postgis/projects/postgis/build.sh</a><o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span 
style='font-size:9.0pt;font-family:"Sans Serif",serif'>Thoughts?<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Even<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'> <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>-- <o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'>Spatialys - Geospatial professional services<o:p></o:p></span></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt'><span style='font-size:9.0pt;font-family:"Sans Serif",serif'><a href="http://www.spatialys.com" target="_blank">http://www.spatialys.com</a><o:p></o:p></span></p></div><p class=MsoNormal style='margin-left:.5in'><br>_______________________________________________<br>postgis-devel mailing list<br><a href="mailto:postgis-devel@lists.osgeo.org">postgis-devel@lists.osgeo.org</a><br><a href="https://lists.osgeo.org/mailman/listinfo/postgis-devel" target="_blank">https://lists.osgeo.org/mailman/listinfo/postgis-devel</a><o:p></o:p></p></blockquote></div><p class=MsoNormal style='margin-left:.5in'><o:p> 
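The heap buffer overflow ASan reported in ptarray_from_wkb_state is the class of bug a WKB point-array reader invites when it trusts the declared point count, and the leak fixed earlier in the thread is what LeakSanitizer catches when a fuzzer's error path forgets to free. As an added illustration (not liblwgeom's code, and not a reconstruction of the actual bug), here is a hypothetical, simplified reader with the length check that prevents the over-read, wrapped in a libFuzzer entry point of the same shape as wkb_import_fuzzer. All names (wkb_read_ptarray, pt_array, build_sample) are assumptions and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified reader for the point-array section of a WKB
 * geometry: a little-endian uint32 point count, then npoints * ndims
 * little-endian IEEE doubles. It is NOT liblwgeom's ptarray_from_wkb_state();
 * it only shows the bounds discipline an ASan-instrumented fuzzer enforces. */

typedef struct {
    const uint8_t *pos;   /* next unread byte */
    const uint8_t *end;   /* one past the last byte of the input */
} wkb_state;

typedef struct {
    uint32_t npoints;
    uint32_t ndims;
    double *coords;       /* npoints * ndims values, heap-allocated */
} pt_array;

static int read_u32_le(wkb_state *s, uint32_t *out) {
    if ((size_t)(s->end - s->pos) < 4) return -1;   /* header truncated */
    *out = (uint32_t)s->pos[0] | ((uint32_t)s->pos[1] << 8) |
           ((uint32_t)s->pos[2] << 16) | ((uint32_t)s->pos[3] << 24);
    s->pos += 4;
    return 0;
}
/* Returns NULL on malformed input instead of reading past the buffer. */
pt_array *wkb_read_ptarray(wkb_state *s, uint32_t ndims) {
    uint32_t npoints;
    if (ndims < 2 || ndims > 4) return NULL;
    if (read_u32_le(s, &npoints) != 0) return NULL;
    /* Two things must hold: npoints * ndims * 8 must not wrap, and the
     * declared payload must fit in the bytes actually left. Dividing the
     * remaining length instead of multiplying npoints covers both. */
    size_t remaining = (size_t)(s->end - s->pos);
    if (npoints > remaining / (ndims * sizeof(double))) return NULL;
    size_t nbytes = (size_t)npoints * ndims * sizeof(double);
    pt_array *pa = calloc(1, sizeof *pa);
    if (!pa) return NULL;
    pa->npoints = npoints;
    pa->ndims = ndims;
    if (nbytes) {
        pa->coords = malloc(nbytes);
        if (!pa->coords) { free(pa); return NULL; }
        memcpy(pa->coords, s->pos, nbytes);  /* assumes a little-endian host */
    }
    s->pos += nbytes;
    return pa;
}

void pt_array_free(pt_array *pa) {
    if (!pa) return;
    free(pa->coords);
    free(pa);
}

/* libFuzzer entry point, the same shape as wkb_import_fuzzer.cpp; build with
 * clang -fsanitize=fuzzer,address. Every path frees what it allocated, or
 * LeakSanitizer reports the kind of leak the thread's first fix addressed. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    wkb_state s = { data, data + size };
    pt_array *pa = wkb_read_ptarray(&s, 2);
    pt_array_free(pa);
    return 0;
}

/* Constructed sample (not from the mailing list): a 2-point XY array
 * (1,2),(3,4). With lie != 0 the header claims 1000 points while only two
 * points of coordinates follow, the classic over-read trigger. */
size_t build_sample(uint8_t *buf, int lie) {
    double xy[4] = { 1.0, 2.0, 3.0, 4.0 };
    uint32_t n = lie ? 1000u : 2u;
    for (int i = 0; i < 4; i++) buf[i] = (uint8_t)(n >> (8 * i));
    memcpy(buf + 4, xy, sizeof xy);
    return 4 + sizeof xy;
}

/* Parsed point count, -1 if rejected, -2 if the coordinates came back wrong. */
long parse_sample(int lie) {
    uint8_t buf[64];
    size_t len = build_sample(buf, lie);
    wkb_state s = { buf, buf + len };
    pt_array *pa = wkb_read_ptarray(&s, 2);
    long result = -1;
    if (pa) result = (pa->npoints == 2 && pa->coords[3] == 4.0) ? 2 : -2;
    pt_array_free(pa);
    return result;
}
```

Under ASan the unchecked version of such a reader would report a heap-buffer-overflow in memcpy on the lying header; the checked one returns NULL and the harness frees nothing it did not allocate.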
</o:p></p></div></div></div></body></html>