OSS-Fuzz integration #135
Comments
@sjamesr Are you interested in the integration? It wouldn't require any work on your part, you would just need to sign off on the PR I submit to the OSS-Fuzz repo.

I think it is a good idea to integrate fuzz tests for this library. I made a short run and found a null pointer:
sjamesr added a commit to sjamesr/re2j that referenced this issue on Oct 8, 2021
The corresponding Go implementation relies on len(nilArray) being zero. This issue was identified by the OSS-Fuzz integration effort described in google#135.
sjamesr added a commit to sjamesr/re2j that referenced this issue on Oct 9, 2021
sjamesr added a commit to sjamesr/re2j that referenced this issue on Jun 26, 2022
sjamesr added a commit to sjamesr/re2j that referenced this issue on Jun 26, 2022
sjamesr added a commit that referenced this issue on Jun 27, 2022
The corresponding Go implementation relies on len(nilArray) being zero. This issue was identified by the OSS-Fuzz integration effort described in #135.
OSS-Fuzz now offers support for fuzzing Java projects with Jazzer. If you are interested, I could set up re2j in OSS-Fuzz.

By default, Jazzer would detect undeclared exceptions (i.e. those that are not PatternSyntaxExceptions) as well as more serious, potentially DoSable issues such as OutOfMemoryErrors. In order to come up with a good fuzz target, it would be helpful for me to get a better understanding of the security guarantees re2j intends to offer. The parent project's fuzzer could serve as a starting point for that discussion. Depending on your particular security goals, it could also make sense to perform differential fuzzing, i.e., to use a fuzzer to confirm that re2 and re2j behave identically on the common subset of their features.
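
A minimal Jazzer fuzz target of the kind the issue text above proposes, added here as an example; it is not code from this thread, from re2j, or from the OSS-Fuzz repository. The class name `Re2jPatternFuzzer`, the 64-character pattern limit and the "matches implies find" consistency check are assumptions made for illustration, and the differential comparison against re2 is not covered.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.google.re2j.Matcher;
import com.google.re2j.Pattern;
import com.google.re2j.PatternSyntaxException;

// Hypothetical fuzz target class (name chosen for this example).
public class Re2jPatternFuzzer {

  // Jazzer calls this entry point once per generated input.
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    // Derive the compile flags from fuzzer-controlled booleans so that
    // only valid flag combinations reach Pattern.compile.
    int flags = 0;
    if (data.consumeBoolean()) flags |= Pattern.CASE_INSENSITIVE;
    if (data.consumeBoolean()) flags |= Pattern.DOTALL;
    if (data.consumeBoolean()) flags |= Pattern.MULTILINE;

    // Split the remaining bytes into a pattern and a subject string.
    String regex = data.consumeString(64); // assumed length limit
    String input = data.consumeRemainingAsString();

    Pattern pattern;
    try {
      pattern = Pattern.compile(regex, flags);
    } catch (PatternSyntaxException expected) {
      // The documented way to reject a malformed pattern: not a finding.
      return;
    }

    // Any other Throwable escaping from here on (NullPointerException,
    // IndexOutOfBoundsException, OutOfMemoryError, ...) propagates to
    // Jazzer, which reports it as a crash.
    boolean fullMatch = pattern.matcher(input).matches();

    Matcher m = pattern.matcher(input);
    boolean found = false;
    while (m.find()) {
      found = true;
      // Touch every capture group to exercise submatch bookkeeping.
      for (int i = 0; i <= pattern.groupCount(); i++) {
        m.group(i);
      }
    }

    // Self-consistency oracle: a pattern that matches the whole input
    // must also be found somewhere in it.
    if (fullMatch && !found) {
      throw new IllegalStateException("matches() is true but find() is false");
    }
  }
}
```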