[Development] Qt in Google's OSS-Fuzz

Milian Wolff milian.wolff at kdab.com
Mon Dec 5 14:11:08 CET 2016


On Sunday, December 4, 2016 10:28:16 PM CET Peter Hartmann wrote:
> Hello,
> 
> after Google announced their continuous fuzzing approach some days ago
> (see [1]), I tried to make Qt work with it and the fuzzing testcases I
> have written the last weeks ([2]).
> 
> If people agree, we could try going forward with putting Qt onto
> OSS-Fuzz as well. I am almost there with setting it up ([3]), and once
> this is done I don't expect a lot of maintenance.
> 
> The fuzzing test cases ([2]) could be hosted as a Qt playground project
> instead of github if desired.
> 
> As a side note, this platform already contains libraries that Qt uses,
> e.g. OpenSSL, zlib, harfbuzz, ICU and others.

I'd like to see that happen; more testing is always a win. But we will need to
learn from the Coverity lessons:

- make sure from the start that multiple people in the Qt community know how
to update the tests (and Qt version), and access the results
- make sure that the Qt security list gets notified about potential security
issues found therein

Peppe (CC'ed) has also just recently looked into fuzzing, he probably has 
something to add.

Cheers
-- 
Milian Wolff | milian.wolff at kdab.com | Software Engineer
KDAB (Deutschland) GmbH&Co KG, a KDAB Group company
Tel: +49-30-521325470
KDAB - The Qt Experts