You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Marcono1234 (Jira)" <ji...@apache.org> on 2023/10/13 01:18:00 UTC
[jira] [Updated] (IMAGING-365) Extend oss-fuzz to cover Imaging class
[ https://issues.apache.org/jira/browse/IMAGING-365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcono1234 updated IMAGING-365:
--------------------------------
Description:
Currently the existing fuzzer classes in https://github.com/google/oss-fuzz/tree/master/projects/apache-commons-imaging only seem to cover the {{getBufferedImage}} method of a few image parsers.
What do you think about adding an additional fuzzer class which covers some of the methods of {{org.apache.commons.imaging.Imaging}}, for example:
- {{getImageInfo(byte[])}}
- {{getImageSize(byte[])}}
- {{getMetadata(byte[])}}
- {{getXmpXml(byte[])}}
Unlike other methods which read the complete image, users might expect from these methods that they are safer to use and don't cause a denial of service because they 'only' extract metadata. So fuzzing them might be worth it.
Also in general fuzzing the methods of the {{Imaging}} class would have the advantage that this covers more of the supported image formats.
If you want I can try changing the code in oss-fuzz and creating a pull request.
was:
Currently the existing fuzzer classes in https://github.com/google/oss-fuzz/tree/master/projects/apache-commons-imaging only seem to cover the {{getBufferedImage}} method of a few image parsers.
What do you think about adding an additional fuzzer class which covers some of the methods of {{org.apache.commons.imaging.Imaging}}, for example:
- {{getImageInfo(byte[])}}
- {{getImageSize(byte[])}}
- {{getMetadata(byte[])}}
- {{getXmpXml(byte[])}}
Unlike other methods which read the complete image, users might expect from these methods that they are safer to use and don't cause a denial of service because they 'only' extract metadata. So fuzzing them might be worth it.
Also in general fuzzing the methods of the {{Imaging}} class would have the advantage that this covers more of the supported image formats.
If you want I can try adjusting the code in oss-fuzz.
> Extend oss-fuzz to cover Imaging class
> --------------------------------------
>
> Key: IMAGING-365
> URL: https://issues.apache.org/jira/browse/IMAGING-365
> Project: Commons Imaging
> Issue Type: Improvement
> Reporter: Marcono1234
> Priority: Minor
>
> Currently the existing fuzzer classes in https://github.com/google/oss-fuzz/tree/master/projects/apache-commons-imaging only seem to cover the {{getBufferedImage}} method of a few image parsers.
> What do you think about adding an additional fuzzer class which covers some of the methods of {{org.apache.commons.imaging.Imaging}}, for example:
> - {{getImageInfo(byte[])}}
> - {{getImageSize(byte[])}}
> - {{getMetadata(byte[])}}
> - {{getXmpXml(byte[])}}
> Unlike other methods which read the complete image, users might expect from these methods that they are safer to use and don't cause a denial of service because they 'only' extract metadata. So fuzzing them might be worth it.
> Also in general fuzzing the methods of the {{Imaging}} class would have the advantage that this covers more of the supported image formats.
> If you want I can try changing the code in oss-fuzz and creating a pull request.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)