[gdal-dev] Google OSS Fuzz

Kurt Schwehr schwehr at gmail.com
Sat Apr 22 14:55:31 PDT 2017


> I'm interested. What is your plan, where help is needed?

I don't actually have a plan :)

I've been using an internal to Google interface to drive fuzzing so far and
have yet to look at what it takes to drive OSS-Fuzz.  So someone looking at
what we need to do to trigger the fuzzing would be great.

The actual writing of fuzzers is pretty easy...  e.g.
https://gist.github.com/schwehr/d4d48b60ed99986ce18703262fe98758

We just need to get a local version of WrapUnique and
autotest2::VsiMemTempWrapper, or something equivalent, or be explicit
about the cleanup.

Agreed that more fuzzing engines would be nice, but I think we are still at
the point where we can find bugs faster than we can fix them.  I've got a
stack of HFA issues and I hit my first GeoJSON bug within the first couple
minutes of fuzzing starting with an empty corpus on a single core.  A
comparison data point... kakadu was 43 issues found in approx a week of
fuzzing with 1k cores.

On Sat, Apr 22, 2017 at 7:58 AM, Even Rouault <even.rouault at spatialys.com>
wrote:

> On Friday 21 April 2017 09:23:50 CEST Mateusz Loskot wrote:
> > On 21 April 2017 at 02:06, Kurt Schwehr <schwehr at gmail.com> wrote:
> > > The Google security team is interested in having GDAL join the OSS-Fuzz -
> > > Continuous Fuzzing for Open Source Software project:
> > >
> > > https://github.com/google/oss-fuzz
> > >
> > > If folks are interested, I've got a few fuzzers that we can start with
> > > that we can copy from gdal-autotest2.
> >
> > I think it's an interesting project GDAL should be part of.
>
> +1
>
> > I'm interested. What is your plan, where help is needed?
> >
> > p.s. I see OSS-Fuzz is going to add new fuzzing engines in future.
> > Perhaps Dr Memory/Dr Fuzz, already used by Chromium AFAIK,
> > will be considered too. AFAIU it comes with built-in fuzzer
> > and supports Windows.
> >
> > Best regards,
>
> --
> Spatialys - Geospatial professional services
> http://www.spatialys.com