You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Marcono1234 (Jira)" <ji...@apache.org> on 2023/10/13 01:18:00 UTC

[jira] [Updated] (IMAGING-365) Extend oss-fuzz to cover Imaging class

     [ https://issues.apache.org/jira/browse/IMAGING-365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcono1234 updated IMAGING-365:
--------------------------------
    Description: 
Currently the existing fuzzer classes in https://github.com/google/oss-fuzz/tree/master/projects/apache-commons-imaging only seem to cover the {{getBufferedImage}} method of a few image parsers.

What do you think about adding an additional fuzzer class which covers some of the methods of {{org.apache.commons.imaging.Imaging}}, for example:
- {{getImageInfo(byte[])}}
- {{getImageSize(byte[])}}
- {{getMetadata(byte[])}}
- {{getXmpXml(byte[])}}

Unlike other methods which read the complete image, users might expect from these methods that they are safer to use and don't cause a denial of service because they 'only' extract metadata. So fuzzing them might be worth it.

Also in general fuzzing the methods of the {{Imaging}} class would have the advantage that this covers more of the supported image formats.

If you want I can try changing the code in oss-fuzz and creating a pull request.

  was:
Currently the existing fuzzer classes in https://github.com/google/oss-fuzz/tree/master/projects/apache-commons-imaging only seem to cover the {{getBufferedImage}} method of a few image parsers.

What do you think about adding an additional fuzzer class which covers some of the methods of {{org.apache.commons.imaging.Imaging}}, for example:
- {{getImageInfo(byte[])}}
- {{getImageSize(byte[])}}
- {{getMetadata(byte[])}}
- {{getXmpXml(byte[])}}

Unlike other methods which read the complete image, users might expect from these methods that they are safer to use and don't cause a denial of service because they 'only' extract metadata. So fuzzing them might be worth it.

Also in general fuzzing the methods of the {{Imaging}} class would have the advantage that this covers more of the supported image formats.

If you want I can try adjusting the code in oss-fuzz.


> Extend oss-fuzz to cover Imaging class
> --------------------------------------
>
>                 Key: IMAGING-365
>                 URL: https://issues.apache.org/jira/browse/IMAGING-365
>             Project: Commons Imaging
>          Issue Type: Improvement
>            Reporter: Marcono1234
>            Priority: Minor
>
> Currently the existing fuzzer classes in https://github.com/google/oss-fuzz/tree/master/projects/apache-commons-imaging only seem to cover the {{getBufferedImage}} method of a few image parsers.
> What do you think about adding an additional fuzzer class which covers some of the methods of {{org.apache.commons.imaging.Imaging}}, for example:
> - {{getImageInfo(byte[])}}
> - {{getImageSize(byte[])}}
> - {{getMetadata(byte[])}}
> - {{getXmpXml(byte[])}}
> Unlike other methods which read the complete image, users might expect from these methods that they are safer to use and don't cause a denial of service because they 'only' extract metadata. So fuzzing them might be worth it.
> Also in general fuzzing the methods of the {{Imaging}} class would have the advantage that this covers more of the supported image formats.
> If you want I can try changing the code in oss-fuzz and creating a pull request.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)