Add comprehensive OSS-Fuzz integration #20511
Conversation
This commit adds 16 fuzz targets covering all major attack surfaces: **Image Decoders:** - jpeg_image: JPEG decoder (jpg.js) - jbig2_image: JBIG2 binary image decoder - jpx_image: JPEG2000 decoder **Stream Decoders:** - flate_stream: Zlib/Deflate decompression - ccitt_stream: CCITT fax decoder (Group 3/4) - lzw_stream: LZW decompression **Font Parsers:** - cff_parser: Compact Font Format parser - type1_parser: Type1 PostScript font parser - cmap_parser: Character map parser **Core Parsing:** - pdf_parser: Full PDF document parsing pipeline - crypto: RC4, AES-128, AES-256 ciphers and hashes - colorspace: Colorspace and ICC profile parsing **XFA/XML:** - xfa_parser: XFA form parsing - xml_parser: XML/XMP metadata parsing - formcalc_parser: FormCalc script language parser - ps_parser: PostScript calculator functions Each fuzzer includes: - Format-specific dictionary for guided fuzzing - Seed corpus with minimal valid samples - Input size limits to prevent resource exhaustion - Proper error handling (only re-throws OOM/stack overflow) Also includes OSS-Fuzz configuration files (Dockerfile, build.sh, project.yaml) with support for multiple sanitizers (ASan, UBSan) and fuzzing engines (libfuzzer, AFL++, honggfuzz).
Add 183 additional corpus samples including: - PDFs with annotations, fonts, XFA forms, and patterns - CCITT, JBIG2, JPX, and LZW stream samples - Colorspace test samples - CFF and Type1 font samples - FormCalc and PostScript function samples - XML/XMP metadata samples - Coverage runner script for testing This expands coverage from ~36% to ~39% statement coverage with 74% branch coverage across 202 test samples.
1. Remove --sync flag from all fuzzer compilations - All fuzzers use async functions that return Promises - Jazzer.js handles async fuzzers correctly without --sync - Prevents shallow fuzzing and uncaught promise rejections 2. Update repository URLs to upstream mozilla/pdf.js - Dockerfile: Clone from mozilla/pdf.js instead of fork - project.yaml: Point homepage and main_repo to upstream
| npm install | ||
|
|
||
| # Install Jazzer.js for fuzzing | ||
| npm install --save-dev @jazzer.js/core |
There was a problem hiding this comment.
We used to have OSS-Fuzz integration before, but removed it in #19307 because, among other reasons, this library is deprecated so we really don't want to rely on that as it brings all kinds of maintenance problems (see https://www.npmjs.com/package/@jazzer.js/core).
Moreover, we had limited to no visibility on the output of the fuzzers because they were ran in a different (the OSS-Fuzz) repository, and keeping cross-repository builds working was a bit difficult because we cannot easily verify that changes made here keep the builds at OSS-Fuzz working.
In short, how will this PR address the original concerns that led to the removal of the fuzzers?
|
I never have been convinced that fuzzing js code is so useful.
especially when I read something like that ^^. So we'd be happy to accept such a PR, but we really need to have a strong evidence that it's useful. As mentioned by @timvandermeij, we already tried in the past and we never had any feedback. |
3 participants
Summary
This PR adds a comprehensive fuzzing infrastructure for OSS-Fuzz integration, covering all major attack surfaces in pdf.js.
What's included
16 fuzz targets covering:
Format-specific dictionaries for guided fuzzing
Seed corpus with 202 test samples
OSS-Fuzz configuration (Dockerfile, build.sh, project.yaml)
Proper async handling for Jazzer.js compatibility
Coverage
Initial corpus testing shows:
Testing
All 16 fuzzers tested and passing:
OSS-Fuzz Configuration
lib-legacyfor Node.js/CommonJS compatibilityTest plan