I'm an application security engineer at Google who contributes to Google's fuzzing efforts. I've written a simple fuzzer for QCBOR based on the ComprehensiveInputRecurser test in qcbor_decode_tests.c, and I'd like to know if you're interested in adding it directly to the QCBOR repository. Once it's in this repository, I can integrate it with OSS-Fuzz so that you automatically receive bugs that our fuzzers find -- all you'll need is an e-mail address associated with a Google account (here's why).
Please let me know if you're interested, and if so, how you'd prefer to add the file to this repository. The fuzzer itself is less than 20 lines long, but does require special CFLAGS to build.
Yes, I'm very interested in this. I definitely want QCBOR fuzzed on a regular basis.
I've tried to keep QCBOR very neat, portable and easy to build and integrate. For this reason, the main regression test I run is not part of the automated build system. Instead it is in a separate repository: https://github.com/laurencelundblade/qdv. I run the tests in qdv manually before each merge.
I'm not sure how your fuzzer would integrate. Maybe you could make a PR so I could see?
Aha, I hadn't realized that you kept the regression tests in a different repository. I'm happy to put the fuzzer into the qdv repository instead; we just want to ensure that the fuzzer lives with the rest of the project's tests (instead of in the OSS-Fuzz repository where it could fall out of sync with the project).