Hi Albert,

Nice! Robert has been working on exactly the same thing lately. I think it would be good if you guys coordinated the effort :)

It would be ideal if we could somehow get those mails forwarded to the security mailing list. I wonder whether we could do that with a special mail account that forwards to the security mailing list.

Cheers,
Lars

> On 30 Aug 2018, at 20:42, Albert Astals Cid via Development <[email protected]> wrote:
>
> oss-fuzz is an online fuzzing service run by Google.
>
> They test the code base daily and run fuzzing over it, maintaining a list of
> open and closed bugs.
>
> As an example you can see one of the poppler issues I fixed at
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382
>
> Everything is done automatically by a bot, except my "This is fixed by"
> comment, but that's just there for historical reasons, it's not really needed.
>
> Found bugs are sent to a list of trusted addresses and kept private for 90
> days, then if not fixed they become public.
>
> Fixed bugs become public 30 days after being fixed.
>
> I have made a qimage fuzzer that uses libpng test files as seed corpus.
>
> You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz
>
> Adding support for Qt is "relatively simple", see
> https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f
>
> I made a local test run of the undefined sanitizer and it found
> https://paste.kde.org/prkox41mx
> in a few seconds, so "it works"
>
> If you want to test it locally you can do
>   python infra/helper.py build_fuzzers --sanitizer undefined qt
>   python infra/helper.py run_fuzzer qt qimage_fuzzer
> for the undefined sanitizer and
>   python infra/helper.py build_fuzzers --sanitizer address qt
>   python infra/helper.py run_fuzzer qt qimage_fuzzer
>
> Unfortunately I have not been able to compile with the memory sanitizer
> enabled yet.
>
> The most important thing before submitting this upstream is changing the list
> of trusted addresses the private bugs get sent to.
>
> To have something written I've used my email address but I guess at least I
> should add [email protected] (listed as QImage maintainer) there too?
> Anyone else?
>
> I am not sure how the email address thing works, but I think they need to be
> "google account" activated, whatever that means, so we can't use
> [email protected]. On poppler I'm using my @gmail.com address and not
> my @kde.org address since it was just easier.
>
> Comments?
>
> Cheers,
>   Albert
>
> --
> Albert Astals Cid | [email protected] | Software Engineer
> Klarälvdalens Datakonsult AB, a KDAB Group company
> Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
> KDAB - The Qt, C++ and OpenGL Experts
>
> _______________________________________________
> Development mailing list
> [email protected]
> http://lists.qt-project.org/mailman/listinfo/development
