Integrate with google/oss-fuzz for continuous fuzz testing

[nathaniel-brough]

Hey Yann,

I hope this message finds you well. I've been using xxHash without knowing it for some time as a third party dependency. I'd like to suggest and champion an effort to set up some basic fuzz-testing and combine it with google/oss-fuzz for continuous fuzzing. I'm fully aware that you are a busy person and I don't want to overload your review/maintenance capacity by introducing too many new ideas. Is this a bad time to discuss potential security/reliability improvements?

If your not familiar with fuzzing or google/oss-fuzz I've included a few brief notes below.

Benefits of Fuzz-Testing

• Dynamic Code Testing: Fuzz-testing challenges systems with unexpected data, aiming to identify vulnerabilities. It’s akin to an exhaustive stress-test for the code.
• Detecting Hidden Vulnerabilities: It can uncover potential weaknesses that may not be evident in routine tests.
• Continuous and Automated Testing: With tools like Google’s OSS-Fuzz, fuzz-testing can be automated, running continuously on distributed systems, ensuring daily resilience checks.

Google/oss-fuzz for Continuous Fuzzing

• Automated Fuzzing: OSS-Fuzz undertakes comprehensive fuzz-testing daily on a distributed cluster.
• Security Boost: It provides enhanced security measures free of cost, thanks to Google’s backing.
• Detailed Reporting: OSS-Fuzz offers exhaustive reports in case of detected anomalies, enabling effective action.

I’d be more than happy to lead the effort in integrating fuzz testing with the xxHash and assist in any way required.

As a proof of concept I created a super simple fuzz harness in #906.

[nathaniel-brough]

@Cyan4973 as you mentioned in #906 (comment), there was interest in integrating with oss-fuzz, I've gone ahead and started the integration work in nathaniel-brough/oss-fuzz#11.

A couple of things (in order) I'll need to complete the integration;

• Add fuzzing harness #906 to be merged.
• A gmail email address for the primary contact. This is needed for access to the oss-fuzz bug tracker and dashboard. Do you have a preferred email address for this. Keeping in mind that it'll be stored in plain text in the oss-fuzz repository.
• You to comment on the application/integration PR (that I'm yet to open) on oss-fuzz mentioning that you agree to the integration.

I should also note, that there is an application process which I can complete on your behalf, as it'll just be a PR of work that I've mostly already done. I'm reasonably confident that this project would be accepted as it's quite a popular project, but there is a non-zero chance that it'll be rejected.

[Cyan4973]

All green,
let's start the process.

[nathaniel-brough]

Easy, I've got the application process started here google/oss-fuzz#11421, that'll also serve as the initial integration.

I'll be following in the next few days with some more complete fuzz harnesses, e.g. streaming mode etc.

[Cyan4973]

Closing,
my understanding is that this is not happening.