Skip to content

Submit spdf to OSS-Fuzz for continuous coverage #4

Description

@Fanaperana

Goal

Get spdf continuously fuzzed on Google's OSS-Fuzz infrastructure. Free compute, CVE coordination, regression corpus that grows over time.

Prerequisites

  • Crate published on crates.io (v0.2.0-alpha.1 or later).
  • cargo fuzz harness in-tree (fuzz/fuzz_targets/parse_pdf.rs).
  • At least one seed corpus committed.
  • Upstream acceptance criteria: active maintainer, security contact, real-world users.

Tasks

  • Fork google/oss-fuzz, add projects/spdf/{Dockerfile,build.sh,project.yaml} per the docs.
  • project.yaml: list Fanaperana + any co-maintainer emails as primary contacts; auto_ccs for security@…
  • Dockerfile: base on gcr.io/oss-fuzz-base/base-builder-rust, git clone https://github.com/Fanaperana/spdf, install libtesseract-dev libleptonica-dev and clang for pdfium's tesseract/bindgen deps.
  • build.sh: cd $SRC/spdf/fuzz && cargo +nightly fuzz build -O && cp target/*/release/parse_pdf $OUT/.
  • Seed corpus: tar the committed fuzz/corpus/parse_pdf/ and drop at $OUT/parse_pdf_seed_corpus.zip.
  • Submit PR to google/oss-fuzz, address review, wait for onboarding.
  • After acceptance, link https://oss-fuzz.com/dashboard?project=spdf in README + SECURITY.md.

Acceptance

  • PR merged upstream.
  • At least one ClusterFuzz build goes green for spdf.
  • README gets an "Continuously fuzzed by OSS-Fuzz" badge.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesthardeningAdversarial PDF / crash / resource hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions