On Tue, 16 Jul 2024 at 14:14, Michael Niedermayer <mich...@niedermayer.cc> wrote: > > On Mon, Jul 15, 2024 at 01:32:20PM +0200, Kacper Michajlow wrote: > > On Sun, 14 Jul 2024 at 21:55, Michael Niedermayer > > <mich...@niedermayer.cc> wrote: > > > > > > On Sat, Jul 13, 2024 at 11:12:40PM +0200, Kacper Michajlow wrote: > > > > On Thu, 27 Jun 2024 at 02:50, Kacper Michajlow <kaspe...@gmail.com> > > > > wrote: > > > > > > > > > > On Thu, 27 Jun 2024 at 00:45, Michael Niedermayer > > > > > <mich...@niedermayer.cc> wrote: > > > > > > > > > > > > On Wed, Jun 26, 2024 at 09:07:42PM +0200, Kacper Michajlow wrote: > > > > > > > Hi, > > > > > > > > > > > > > > Like in the topic. I think it would be useful to enable MSAN on > > > > > > > OSS-Fuzz. We get some tiny issues and it would be probably good to > > > > > > > have them tracked upstream. All infra is here, so enabling it is > > > > > > > as > > > > > > > simple as adding it to the project.yaml. Except libbz2.so and > > > > > > > libz.so > > > > > > > would have to be built inline instead, looking at the build.sh, > > > > > > > they > > > > > > > are prebuilt. The rest should just work (TM), but needs to be > > > > > > > tested. > > > > > > > You can set an "experimental' flag to have it not create issues on > > > > > > > monorail, initially. > > > > > > > > > > > > I assumed ossfuzz would enable all sanitizers by default > > > > > > > > > > They do not do that by default, because MSAN requires all dependencies > > > > > to be instrumented too. See > > > > > https://google.github.io/oss-fuzz/getting-started/new-project-guide/#sanitizers > > > > > > > > > > Looking at build.sh for ffmpeg, it should be fine to enable it. > > > > > Obviously I have not tested everything, but I was running some tests > > > > > locally with MSAN and also tested it with mpv oss-fuzz builds where we > > > > > build ffmpeg too with MSAN. > > > > > > > > > > - Kacper > > > > > > > > I've sent a PR to enable MSAN and a few other build improvements. > > > > Please take a look https://github.com/google/oss-fuzz/pull/12211 > > > > > > > > > > > Also, would it be ok to add myself to auto_ccs for ffmpeg? Mostly to > > > > monitor what issues are reported upstream, as we get some reports in > > > > mpv fuzzing and I never know if I should report it upstream (ffmpeg) > > > > or it is already found by first-party fuzzing and I shouldn't make > > > > more noise. > > > > > > you are welcome to submit bug reports, you are welcome to submit bug fixes > > > if you find issues in FFmpeg. > > > > > > If someones work in FFmpeg or rather FFmpeg benefits from someone having > > > access to the reports, then (s)he should receive access. This seems not > > > to apply here > > > > I respect your decision. > > > However, saying that anyone's (or my) > > contribution doesn't benefit FFmpeg is a strange thing to say for an > > open source project maintainer. > > And noone made such a statement. You are reading something thats not written > there > > > > > > It's all about time. I don't get paid to do any of this, so > > duplicating issues/reports manually from one system to another, if > > they are already reported, is a monkey's job which I'm not willing to > > do. > > ok > for reference i find no mail from you to ffmpeg-security > Is it correct you never reported any of the issues you talk about > neither new nor duplciate ?
Correct, I was sending the patches for the issues instead. All related to our fuzzing results. Maybe nothing significant, but... https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240317023628.1936-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240509140211.1296-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240510014931.644-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240510020756.1135-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240511104717.231-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240602013818.1047-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240602121448.1069-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240625215030.321-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240626184440.1318-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240627004037.1336-1-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240627004037.1336-2-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240627004037.1336-3-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240627004037.1336-4-kaspe...@gmail.com/ https://patchwork.ffmpeg.org/project/ffmpeg/patch/20240710152401.1192-1-kaspe...@gmail.com/ and patch for ossfuzz itself https://github.com/google/oss-fuzz/pull/12211 > > > This time could be devoted to actually fixing the issues. I'd like > > to help, but if it is not required, I will focus on other things. > > This is the first time i remember you offering to help. > Your request previosuly: > > > > > Mostly to > > > > monitor what issues are reported upstream, as we get some reports in > > > > mpv fuzzing and I never know if I should report it upstream (ffmpeg) > > > > or it is already found by first-party fuzzing and I shouldn't make > > > > more noise. > > And to that my reply was a "no", iam not agreeing to give access to > someone who wants to mainly monitor upstream. > > Also again id like to point out we do not have an issue with duplicate > reports ATM, so we would be fixing something that has not actually happened Not everythings revolves around "you". I was trying to improve the process we could apply to make fixing those issues more streamlined for both of us. If the issue is found/reported upstream, this is totally wasted time for me to create and send a report to you about it and for you it is wasted time to read this report, while you could already see the issue or be fixing something else. Either way this is very minor process optimization and a way for me to be able to contribute more. See like I said, I will not copy/paste manually all reports, this is just not something I see like a good investment of my time. But reporting or fixing things that your fuzzing doesn't cover, is on the other hand interesting to me. Like I said, I respect your decision and that's over. No need to dvele more on it. I was just initially surprised by gatekeeping, after all ossfuzz is an external service provided to you for free and I wouldn't take it from you :) - Kacper _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
