Continuous fuzzing of Pillow with OSS-Fuzz

[DavidKorczynski]

What did you do?

Given the popularity of Pillow I was thinking that it would be nice to set up continuous fuzzing of Pillow, by way of OSS-Fuzz. In this PR: google/oss-fuzz#4754 I have done exactly that, namely created the necessary logic from an OSS-Fuzz perspective to integrate Pillow. This includes developing initial fuzzers as well as integrating into OSS-Fuzz.

Essentially, OSS-Fuzz is a free service run by Google that performs continuous fuzzing of important open source projects. Python support was recently provided and it can also fuzz native extensions, i.e. for memory corruption errors. The only expectation of integrating into OSS-Fuzz is that bugs will be fixed. This is not a "hard" requirement in that no one enforces this and the main point is if bugs are not fixed then it is a waste of resources to run the fuzzers, which we would like to avoid.

If you would like to integrate, the only thing I need is as list of email(s) that will get access to the data produced by OSS-Fuzz, such as bug reports, coverage reports and more stats. Notice the emails affiliated with the project will be public in the OSS-Fuzz repo, as they will be part of a configuration file.

[hugovk]

This sounds similar to #3961 and google/oss-fuzz#2626.

But I see that was removed 7 days ago in google/oss-fuzz#4692:

It has never functioned properly. It's complex to get this working. I've never requested or received a reward for Pillow. I don't want to fix it now. Maybe another time.

[DavidKorczynski]

Oh that's interesting.

it is the same from a "continuous-fuzzing" perspective but it is different in that OSS-Fuzz now has proper support for Python (https://github.com/google/atheris).

However, does this mean you are happy to use the emails from the previous Pillow project? I can carry things forward if you are happy with that.

[hugovk]

Sounds good, please use the same email.

[radarhere]

google/oss-fuzz#4754 has been merged.

Is this resolved then?

[DavidKorczynski]

Ah yes - apologies for forgetting to close. Thanks for your assistance!

[hugovk]

I've created google/oss-fuzz#4846 to update the contact email, cc @aclark4life.

@aclark4life: There's nothing to update in this repo: we don't have the old address listed here, https://github.com/python-pillow/Pillow/blob/master/.github/SECURITY.md says to go via https://tidelift.com/security.

[wiredfool]

I've gotten the reports through the forward, but I'm not able to get the reproductions, so they're basically not useful.

[DavidKorczynski]

I'm not able to get the reproductions

@wiredfool could you clarify a bit? Do you mean you cannot get the inputs that trigger the crashes or do you mean that you can get the inputs but aren't able to trigger the crash using them?

[wiredfool]

I mean when following links using my signed in google account, I don't have permission to access the reproductions.

[DavidKorczynski]

and what email are you using to login?

[wiredfool]

My google account is esoroos@gmail.com

[DavidKorczynski]

The email you are using to login needs to be present in this file::
https://github.com/google/oss-fuzz/blob/master/projects/pillow/project.yaml

Either listed as primary_contact or in the auto_ccs.

This PR google/oss-fuzz#4846 updates the file linked above, so if you are using the email listed in the PR then we have to wait for the PR to be merged.

[wiredfool]

Looks like adding it in the auto_ccs would be enough.

[DavidKorczynski]

There you go: google/oss-fuzz#4848

Now wait until that one is merged and you will be able to see the reports!

[wiredfool]

Thanks.

[DavidKorczynski]

No problem!