oss-fuzz is an online fuzzing service run by Google. They test the code base daily and run fuzzing over it, maintaining a list of open and closed bugs.
As an example you can see one of the poppler issues I fixed at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9382

Everything is done automatically by a bot, except my "This is fixed by" comment, but that's just there for historical reasons, it's not really needed.

Found bugs are sent to a list of trusted addresses and kept private for 90 days; then, if not fixed, they become public. Fixed bugs become public 30 days after being fixed.

I have made a qimage fuzzer that uses libpng test files as seed corpus. You can find it at https://github.com/albert-astals-cid-kdab/oss-fuzz

Adding support for Qt is "relatively simple", see https://github.com/albert-astals-cid-kdab/oss-fuzz/commit/2df60c7af6619b8a6a44b1cd679bf356e6e6ed3f

I made a local test run of the undefined sanitizer and it found https://paste.kde.org/prkox41mx in a few seconds, so "it works".

If you want to test it locally you can do

    python infra/helper.py build_fuzzers --sanitizer undefined qt
    python infra/helper.py run_fuzzer qt qimage_fuzzer

for the undefined sanitizer and

    python infra/helper.py build_fuzzers --sanitizer address qt
    python infra/helper.py run_fuzzer qt qimage_fuzzer

Unfortunately I have not been able to compile with the memory sanitizer enabled yet.

The most important thing before submitting this upstream is changing the list of trusted addresses the private bugs get sent to.

To have something written I've used my email address, but I guess at least I should add eirik.aavitsl...@qt.io (listed as QImage maintainer) there too? Anyone else?

I am not sure how the email address thing works, but I think they need to be "google account" activated, whatever that means, so we can't use secur...@qt-project.org. On poppler I'm using my @gmail.com address and not my @kde.org address since it was just easier.

Comments?
Cheers,
  Albert

--
Albert Astals Cid | albert.astals....@kdab.com | Software Engineer
Klarälvdalens Datakonsult AB, a KDAB Group company
Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
KDAB - The Qt, C++ and OpenGL Experts
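
The shape of a libFuzzer target such as the qimage fuzzer mentioned in the message, as an added example that is not the code from the linked repository. `decode_png_header` and `kSeed` are hypothetical stand-ins: a real target would hand the bytes to Qt's image loading, and the seed corpus would be the libpng test files.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical stand-in for the image loader under test. It parses only the
// PNG signature and the IHDR chunk, validating every length before reading.
struct PngInfo { bool ok; uint32_t width; uint32_t height; uint64_t pixels; };

static uint32_t be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

PngInfo decode_png_header(const uint8_t *data, size_t size) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    PngInfo info{false, 0, 0, 0};
    // signature (8) + chunk length and type (8) + IHDR body (13)
    if (size < 8 + 8 + 13) return info;
    if (std::memcmp(data, sig, 8) != 0) return info;
    if (be32(data + 8) != 13 || std::memcmp(data + 12, "IHDR", 4) != 0) return info;
    uint32_t w = be32(data + 16), h = be32(data + 20);
    // PNG limits dimensions to 1 .. 2^31-1; reject anything else up front.
    if (w == 0 || h == 0 || w > 0x7fffffffu || h > 0x7fffffffu) return info;
    info.ok = true;
    info.width = w;
    info.height = h;
    // Widen before multiplying: in 32-bit arithmetic this product can overflow,
    // the class of defect the undefined and address sanitizers exist to catch.
    info.pixels = uint64_t(w) * uint64_t(h);
    return info;
}

// Constructed seed: PNG signature plus a 1x1, 8-bit greyscale IHDR chunk
// (CRC omitted because the stand-in does not check it).
const uint8_t kSeed[29] = {
    0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
    0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0};

// libFuzzer entry point: called once per generated input. It must tolerate
// arbitrary bytes and return 0; crashes and sanitizer reports are the findings.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    decode_png_header(data, size);
    return 0;
}
```

Building this with clang and `-fsanitize=fuzzer,address` or `-fsanitize=fuzzer,undefined` produces a standalone fuzzer binary; the helper script commands in the message do the equivalent inside the OSS-Fuzz build environment.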