[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Guido Vranken added the comment: Hi, I've built a generic Python fuzzer and submitted it to OSS-Fuzz. It works by implementing a "def FuzzerRunOne(FuzzerInput):" function in Python in which some arbitrary code is run based on FuzzerInput, which is a bytes object. This is a more versatile

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

miss-islington added the comment: New changeset ffcc161c753a72e7c4237c1e3c433d47b020978e by Miss Islington (bot) in branch '3.8': bpo-29505: Add more fuzzing for re.compile, re.load and csv.reader (GH-14255) https://github.com/python/cpython/commit/ffcc161c753a72e7c4237c1e3c433d47b020978e

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by miss-islington : -- pull_requests: +14296 pull_request: https://github.com/python/cpython/pull/14479 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Gregory P. Smith added the comment: New changeset 5cbbbd73a6acb6f96f5d6646aa7498d3dfb1706d by Gregory P. Smith (Ammar Askar) in branch 'master': bpo-29505: Add more fuzzing for re.compile, re.load and csv.reader (GH-14255)

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by miss-islington : -- pull_requests: +14295 pull_request: https://github.com/python/cpython/pull/14478 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by Ammar Askar : -- pull_requests: +14085 pull_request: https://github.com/python/cpython/pull/14255 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

miss-islington added the comment: New changeset 878227e7217f3363f9c095b7fb8c1dbdde1ec34f by Miss Islington (bot) in branch '3.8': bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991) https://github.com/python/cpython/commit/878227e7217f3363f9c095b7fb8c1dbdde1ec34f

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

miss-islington added the comment: New changeset 534136ac6790a701e24f364a9b7f1e34bf5f3ce7 by Miss Islington (bot) in branch '3.7': bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991) https://github.com/python/cpython/commit/534136ac6790a701e24f364a9b7f1e34bf5f3ce7

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Gregory P. Smith added the comment: New changeset a6e190e94b47324f14e22a09200c68b722d55699 by Gregory P. Smith (Ammar Askar) in branch 'master': bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991)

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by miss-islington : -- pull_requests: +13869 pull_request: https://github.com/python/cpython/pull/14006 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by miss-islington : -- pull_requests: +13868 pull_request: https://github.com/python/cpython/pull/14005 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by Ammar Askar : -- pull_requests: +13854 pull_request: https://github.com/python/cpython/pull/13991 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

miss-islington added the comment: New changeset 6692d35317a45905a043dccae3940ea5d5d84352 by Miss Islington (bot) in branch '3.7': bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907) https://github.com/python/cpython/commit/6692d35317a45905a043dccae3940ea5d5d84352

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

miss-islington added the comment: New changeset 22b69da4c38042e923d633530bdafc1b5fb94928 by Miss Islington (bot) in branch '3.8': bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907) https://github.com/python/cpython/commit/22b69da4c38042e923d633530bdafc1b5fb94928

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by miss-islington : -- pull_requests: +13788 pull_request: https://github.com/python/cpython/pull/13915 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by miss-islington : -- pull_requests: +13787 pull_request: https://github.com/python/cpython/pull/13914 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Gregory P. Smith added the comment: New changeset a15a7bcaea54e1845ab2abe27e6f583294cd715b by Gregory P. Smith (Ammar Askar) in branch 'master': bpo-29505: Fix interpreter in fuzzing targets to be relocatable (GH-13907)

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Change by Ammar Askar : -- pull_requests: +13780 pull_request: https://github.com/python/cpython/pull/13907 ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

R. David Murray added the comment: Seems like it ought to be possible to use the same hooks that venv uses to make this work, but I haven't looked at the details of how those work. -- nosy: +r.david.murray ___ Python tracker

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Devin Jeanpierre added the comment: Oops, so it is. I can't read apparently. I'll spend my time on making more fuzz tests in the meantime. -- ___ Python tracker

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Gregory P. Smith added the comment: misquote. that was me objecting to running it internally. :) i believe this is solvable, i haven't had time to spend on this part yet. -- ___ Python tracker

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Devin Jeanpierre added the comment: kcc strongly disagrees though. Copying latest comment: """ fwiw - I object to us running any of this internally at Google. We need to be part of the main oss-fuzz project pulling from upstream revisions. Doing this testing within our blackhole of internal

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Devin Jeanpierre added the comment: > i'd rather make this work in oss-fuzz on cpython. can you point me to how > oss-fuzz works and what it wants to do so i can better understand what it > needs? I don't have any details except for what's in the PR to oss-fuzz

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Gregory P. Smith added the comment: i'd rather make this work in oss-fuzz on cpython. can you point me to how oss-fuzz works and what it wants to do so i can better understand what it needs? it it has an expectation that the thing being fuzzed is a single binary with no data or directory

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Devin Jeanpierre added the comment: So here's an interesting issue: oss-fuzz requires that the built location be movable. IOW, we build Python into $OUT, and then the $OUT directory gets moved somewhere else and the fuzz test gets run from there. This causes problems because Python can no

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Changes by Devin Jeanpierre : -- keywords: +patch pull_requests: +3434 stage: test needed -> patch review ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Changes by Devin Jeanpierre : -- pull_requests: +3412 ___ Python tracker ___ ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Devin Jeanpierre added the comment: Huh. I would not have predicted that. https://gcc.gnu.org/onlinedocs/cpp/Defined.html I'll send a fix. -- ___ Python tracker

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Christian Heimes added the comment: GCC complains about the patch: /home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c: In function ‘LLVMFuzzerTestOneInput’: /home/heimes/dev/python/cpython/Modules/_xxtestfuzz/fuzzer.c:109:1: warning: this use of "defined" may not be portable

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Gregory P. Smith added the comment: alright, with that in, feel free to figure out the oss-fuzz configuration side and fire things up Devin. :) -- assignee: -> gregory.p.smith ___ Python tracker

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Gregory P. Smith added the comment: New changeset c5bace2bf7874cf47ef56e1d8d19f79ad892eef5 by Gregory P. Smith (Devin Jeanpierre) in branch 'master': bpo-29505: Add fuzz tests for float(str), int(str), unicode(str) (#2878)

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Devin Jeanpierre added the comment: I think they misspoke, it's normal with fuzzing to test against master. The current draft of the code runs this git pull before building/launching any tests: git clone --depth 1 https://github.com/python/cpython.git cpython Speaking of which, I forgot

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Terry J. Reedy added the comment: As I read 583, they are planning to fuzz 3.6. Why not branch master? I think it more likely that we accidentally add a vulnerability to master then that we accidentally close one. -- ___ Python tracker

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Changes by Devin Jeanpierre : -- pull_requests: +2929 ___ Python tracker ___ ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Devin Jeanpierre added the comment: https://github.com/google/oss-fuzz/pull/583 is the PR to oss-fuzz to add the project. I'm working on actual tests to be submitted here. -- ___ Python tracker

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Gregory P. Smith added the comment: you can list me as a oss-fuzz contact. use my work email address. simplejson is worthy but as both it and the python standard library ship separately people use both so they both ultimately deserve fuzzing and fixing on their own so I'd add it to CPython

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Devin Jeanpierre added the comment: Aha, I found an existing issue! For adding to oss-fuzz, is there a contact email we can use that is connected to a google account? I am tempted to just put gregory.p.smith on there if not. :) I can volunteer to fuzz some interesting subset of the

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Changes by Alex Gaynor : -- nosy: +alex ___ Python tracker ___ ___ Python-bugs-list

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Terry J. Reedy added the comment: It does not appear to me that targets have to be security critical, though that is certainly a good place to start. The Chrome tests found 100s of "security vulnerabilities and stability bugs". The important thing is that there be someone willing to receive

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

Changes by Brett Cannon : -- nosy: +brett.cannon, christian.heimes ___ Python tracker ___

[issue29505] Submit the re, json, & csv modules to oss-fuzz testing

New submission from Gregory P. Smith: For reference, read https://github.com/google/oss-fuzz. We should investigate creating fuzz targets for the Python re module (_sre.c) at a minimum. There are probably other good targets as well such as _json.c and _csv.c. pickle and marshal are not