[vlc-devel] Fuzzing VLC

Adam Korczynski Adam at Adalogics.com
Mon Apr 12 19:48:35 UTC 2021

Dear VLC developers,

This is Adam<https://twitter.com/AdamKorcz4> from Ada Logics<https://adalogics.com/>. I work on securing critical open source software and have been looking on setting up fuzzing for VLC.

I will have time over the next months to work more on fuzzing VLC, and I am reaching out to discuss the interest from your side.

I have taken the first step in setting up continuous fuzzing for VLC through OSS-fuzz: https://github.com/google/oss-fuzz/pull/5598. The integration includes all build files to build VLC in the OSS-fuzz environment, and I have added a simple fuzzer as a working prototype.

I would be happy to improve upon this first step and write more fuzzers. There are a number of more critical parts to fuzz, and it should be possible with the current state of VLC's build system to cover more critical parts of the code base than the current fuzzer does. I have looked into the possibilities for a week or so until now, and until now it looks like I can check all the boxes for a productive integration into OSS-fuzz.

To begin with it is totally fine to host all fuzzers on the OSS-fuzz repository which would allow for a completely non-intrusive initial setup, however as the setup is improved, I would love to work a little closer with maintainers to increase coverage and modify VLC for improved fuzzability. The latter mainly refers to easing fuzz-blockers like asserts and exits in the code base. These do not have to be removed completely, but when building VLC for fuzzing it is prefered. Ultimately it would be great to host the fuzzers on VLC's own repository, but again - this is not a required first step.

>From your side I expect absolutely no required involvement for 1-2 months. There might be a few false positive reports, but I will be sure to close these. If anyone would like to be more involved, I would be happy to work together, but this is not necessary for me to progress.

To get started with fuzzing VLC continuously, all that is needed is a maintainers email in the initial integration above and perhaps a "LGTM" in the PR on the OSS-fuzz side.

Let me know what you think of my proposal. I know that fuzzing has yielded results previously for VLC.

Kind regards,
Adam Korczynski
ADA Logics Ltd is registered in England. No: 11624074.
Registered office: 266 Banbury Road, Post Box 292,
OX2 7DL, Oxford, Oxfordshire , United Kingdom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20210412/d10a4d08/attachment.html>

More information about the vlc-devel mailing list