On Tue, 2021-09-28 at 17:59 +0100, Jonathan Wakely wrote:
> On Tue, 28 Sept 2021 at 17:23, Luís Ferreira <cont...@lsferreira.net> wrote:
> >
> > During my fuzzing test with libfuzzer I found out that GCC is not part
> > of the OSS-Fuzz project. Would be cool to discuss here a bit more about
> > fuzzing the GCC codebase in order to mitigate some future vulnerabilities
> > that may appear. I can volunteer myself to add the necessary steps to
> > fuzz GCC on the OSS-Fuzz side, but I would like to get some status on:
> >
> > - Does the GCC build system support at least AFL or libfuzzer?
> > - Is there any infrastructure to automatically test this?
> > - How to test GCC with fuzzing, if possible
>
> I'd like the libstdc++ <iostream> and <regex> code to get fuzzed, and
> maybe std::filesystem::path construction. I've discussed it with
> people before, but none of us got around to setting it up.
My idea would be to start with libiberty mangling, since it is what I'm tackling right now. This can be further expanded to libstdc++, if needed. Adding the infrastructure to automatically fuzz GCC components easily would be desirable as a first step, IMO.

-- 
Sincerely,
Luís Ferreira @ lsferreira.net
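The libiberty demangler harness that Luís names as his starting point, as an added example that is not code from this thread or from GCC: a libFuzzer entry point around libiberty's `cplus_demangle`. The function and the `DMGL_*` option bits are libiberty's (the bit values below match its `demangle.h`); the helpers `nul_terminated_copy` and `demangle_one`, the `MAX_INPUT` cap and the build line in the header comment are this example's own assumptions. It assumes a libiberty compiled with the same sanitizer flags as the harness; the `cplus_demangle` reference is declared weak so the file also compiles and links on its own, in which case the harness reports the demangler as unavailable and does nothing.

```c
/* Added example: libFuzzer harness for libiberty's C++ demangler.
 * Not part of GCC or libiberty; helper names are this example's own.
 *
 * Assumed build (libiberty.a built with -fsanitize=address as well):
 *   clang -g -O1 -fsanitize=fuzzer,address harness.c libiberty.a -o demangle_fuzz
 *   ./demangle_fuzz corpus/      # corpus/ seeded with a few mangled names
 */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Option bits; the values match libiberty's demangle.h. */
#define DMGL_PARAMS (1 << 0)   /* include function parameters */
#define DMGL_ANSI   (1 << 1)   /* include const, volatile, etc. */

/* Declared weak so this file also compiles and links without libiberty;
 * the symbol then resolves to NULL and the harness skips the call. */
extern char *cplus_demangle(const char *mangled, int options)
    __attribute__((weak));

/* Largest input the harness hands to the demangler (example's own cap,
 * so the fuzzer does not spend its time on enormous names). */
#define MAX_INPUT 4096

/* libFuzzer passes a raw (data, size) buffer with no terminator, while the
 * demangler expects a NUL-terminated C string. Copy into a fresh heap buffer
 * of exactly size + 1 bytes so that any over-read past the end is reported
 * by AddressSanitizer instead of silently reading neighbouring memory.
 * The caller frees the result. */
char *nul_terminated_copy(const unsigned char *data, size_t size) {
    char *buf = malloc(size + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, size);
    buf[size] = '\0';
    return buf;
}

/* Exercise the demangler on one input. Returns 1 if a demangled name was
 * produced, 0 if the input was rejected (or the demangler is not linked),
 * and -1 if the input was skipped. Inputs with embedded NULs are skipped
 * because the string API cannot represent them anyway. */
int demangle_one(const unsigned char *data, size_t size) {
    if (size > MAX_INPUT || memchr(data, '\0', size) != NULL)
        return -1;
    if (cplus_demangle == NULL)          /* weak reference unresolved */
        return 0;
    char *mangled = nul_terminated_copy(data, size);
    if (mangled == NULL)
        return -1;
    char *demangled = cplus_demangle(mangled, DMGL_PARAMS | DMGL_ANSI);
    int produced = (demangled != NULL);
    free(demangled);   /* libiberty returns a malloc'd string or NULL */
    free(mangled);
    return produced;
}

/* libFuzzer entry point: must return 0 and must not crash on any input.
 * A sanitizer report raised inside cplus_demangle is the finding we want. */
int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
    demangle_one(data, size);
    return 0;
}
```

Seeding the corpus with a handful of valid Itanium names (`_Z3foov`, a few templates and nested names) gets the fuzzer past the demangler's early rejection checks quickly; from there the interesting results are AddressSanitizer reports and timeouts, not the return value. Because `LLVMFuzzerTestOneInput` takes the standard signature, the same file can be dropped into an OSS-Fuzz `build.sh` that compiles it against the sanitizer build of libiberty and places the binary in `$OUT`.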