Description
Before describing, I want to clarify the following:
- I have already read CONTRIBUTING.md and I am aware of the contribution process.
- I have searched existing issues (both open and closed) and did not find an issue that directly discusses this specific proposal.
First, I want to thank the Google team and the maintainers for developing and operating OSS-Fuzz for the open-source community.
We have been analyzing OSS-Fuzz and prior work related to its fuzzing setup. Based on this analysis, we believe there are opportunities to further increase bug-finding effectiveness in certain projects by adding one or two additional fuzz drivers.
In particular, we have identified some code regions / APIs in these projects that are currently not being fuzzed (or not fuzzed deeply), but that appear security-critical or historically error-prone. Extending coverage in these areas with targeted fuzz drivers could expose new classes of bugs.
Question
Would a pull request that adds new fuzz drivers for these specific targets be welcome?
If yes, I can prepare a PR that:
- Introduces the new fuzz drivers,
- Explains the intended input space and coverage goals,
- Shows how they integrate with the existing build in OSS-Fuzz,
- And (if available) includes any crashes or interesting findings discovered during local fuzzing.
Please let me know whether you'd prefer that I open the pull request directly in this OSS-Fuzz repository, or that I first submit pull requests to the upstream projects themselves to add the new fuzz drivers there.