Integrate fuzzer

[tdsmith]

Some questions:

• Is this a good place to put the fuzzer targets and build scripts?
• It's nice to have a place to manually put reproducers for discovered bugs, so storing at least part of the corpus explicitly in the repository is useful. OTOH, the AFL gif and bmp corpuses are together about 1300 files and 7mb, which is unwieldy. Maybe I should go back to just fetching the AFL corpus from the web in the oss-fuzz Dockerfile and merging them in during the build. What do you think?
• Should this be more refined before it's merged or is it okay to work on it piecemeal?

cf #426

[tdsmith]

These are the matching changes on the oss-fuzz side; https://github.com/google/oss-fuzz/compare/master...tdsmith:libgd-integration?expand=1

[vapier]

i'd prefer fuzzers/ just to match examples/ and tests/

is this corpus something you built up or just fetched from somewhere else ? if it's an existing project that maintains inputs, fetching & unpacking an archive is fine.

for pending commits, just squash them together rather than add files and then modify/shuffle things in follow up changes

should add a fuzzers/README.md to document things

[tdsmith]

Sorry for the delay! I made these changes.

[tdsmith]

Hi @vapier; is this a good place to merge, or would you like to see some additional progress? Compared to what's running now, this PR adds some additional corpora and mutes stderr, which should already help improve oss-fuzz's efficiency a little.

[pierrejoye]

It would be great to have that in the github actions, thoughts?

[pierrejoye]

I think we should merge, and add missing ones (all codecs are keys).

I see that libgd is already on ossfuzz, not sure what that means. I need to sit down reading their docs, how we can have that as part of the CI etc. :)

[vapier]

change the , to :

[vapier]

there should be a comment block at the top here explaining a bit more about this file and its runtime. it seems to make assumptions about certain vars being set ahead of time and it's not clear at all what all those are.

[vapier]

isn't the source dir already guaranteed to be the cwd ? afterall, the script just ran ./bootstrap.sh above.

[vapier]

you should run this script through shellcheck and fix the issues it finds

[vapier]

is this URL guaranteed to be stable ?

shouldn't this be https:// ?

[vapier]

really should avoid relying on ls for anything. since you really only care if the zip exists, test for that instead.

[vapier]

GD doesn't use an Apache license. let's avoid adding yet another one to the project if possible.

[pierrejoye]

Here are some details:

https://google.github.io/oss-fuzz/getting-started/new-project-guide/#prerequisites

We are already covered there (I did not check the report here). This PR and the other follows google's recommendation to have these configs on our side.

I can see a few tweaks are needed and also to add more arch. Then we could run them daily on master or whatever branch we like to.

[vapier]

Here are some details:

implicit docs aren't really docs. they need to be linked from the relevant files so people can find them easily.

[pierrejoye]

I know, only foi, I think I will dig into it anyway, many options or tools not setup. :)

…

On Thu, Aug 26, 2021, 7:43 PM Mike Frysinger ***@***.***> wrote: Here are some details: implicit docs aren't really docs. they need to be linked from the relevant files so people can find them easily. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#427 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACE6KBBVPPYIMOWBFTYUPLT6YZGVANCNFSM4ENXSDSA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email> .