On 10/29/19, 11:51 AM, "Vincent Ulitzsch" <vincent.ulitz...@gmail.com> wrote:

> We were wondering if an integration to oss-fuzz[1] would be interesting
> for xerces-c?

It falls into the category of "don't ask questions you don't want the answers 
to". It will likely lead to the discovery of many vulnerabilities, some 
possibly difficult or impossible to fix based on the remaining knowledge of the 
code and the resources available.

> This would allow parts of xerces' codebase to be continuously fuzzed, which
> would probably result in the detection of security bugs early on in the
> development process.

There is no active development. There have been build process changes of late, 
but nothing else really of note.

> If you are interested, we would be happy to help with writing the fuzzers.

s/help/do the work, then I'm happy to see it happen, but I have no knowledge 
of, nor time to, work on such a thing.

-- Scott
