Re: Upstreaming a fuzzer for xerces and integration into oss-fuzz

["Cantor, Scott" <ca...@osu.edu>]

> Bhargava Shastry (in CC) and I have written a fuzzer for xerces. This
> fuzzer has already found a bug [0] and we expect it to greatly improve
> the security of xerces.

That isn't a given, as I already said. Finding dozens of bugs that nobody has enough knowledge of the code to fix could leave it in an untenable state. That isn't inherently the wrong outcome, I'm just pointing out that the risk of that does exist.

> We would like to send you a PR that upstreams that fuzzer and then integrate xerces into oss-fuzz. Where can we send
> you a PR for that fuzzer?

I don't know what all that means in terms of what changes to the code or project are involved, but major patches can be submitted to JIRA, as long as they are done with an appropriate license or with an Apache contribution agreement noted.

Whether they could be supported or incorporated just depends on what they are. I know nothing about fuzzing beyond the basic concept, so I don't know whether this is a feasible suggestion given the limited resources.

-- Scott



---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org