OSS-Fuzz Integration #1029

ennamarie19 · 2023-11-04T20:19:37Z

Hello,
This is a follow-on from my Issue regarding OSS-Fuzz integration. This PR introduces the source for the fuzzer. I would greatly appreciate it being merged in!

I will continue monitoring OSS-Fuzz for bugs and fix any I can in future PRs. John McNamara also has access to the OSS-Fuzz dashboard to review any security-relevant crashes that may come up.

Please let me know if anything else is needed.

Thank you!

jmcnamara · 2023-11-04T22:05:24Z

Thanks.

Could you move it under the dev directory in the XlsxWriter source directory, i.e., dev/fuzzing.

If possible could you squash the commits into one. If not I can do it merge.

Also,could you explain how this will work in practice. Will I be able to find/verify issues locally or does it rely on OSS-Fuzz?

ennamarie19 · 2023-11-05T18:30:33Z

@jmcnamara I will move it over right now.

I will also look into squashing my commits.

As for finding the issues, a nightly build of a Dockerized instance of the project is run on Google's ClusterFuzz server and will report any bugs to you via the email listed in the project.yaml in the OSSFuzz repo. PRs can then be made to resolve the errors and, once merged, the bugs would be marked as fixed after a few days of the bug not re-appearing during fuzz-testing

ennamarie19 · 2023-11-05T18:40:56Z

@jmcnamara Ready for review!

jmcnamara · 2023-11-05T19:11:59Z

PRs can then be made to resolve the errors and, once merged, the bugs would be marked as fixed after a few days of the bug not re-appearing during fuzz-testing

Sounds good.