[FFmpeg-devel] [OSS-Fuzz] Have you considered enabling memory sanitizer?

Sun Jul 14 22:55:41 EEST 2024

On Sat, Jul 13, 2024 at 11:12:40PM +0200, Kacper Michajlow wrote:
> On Thu, 27 Jun 2024 at 02:50, Kacper Michajlow <kasper93 at gmail.com> wrote:
> >
> > On Thu, 27 Jun 2024 at 00:45, Michael Niedermayer
> > <michael at niedermayer.cc> wrote:
> > >
> > > On Wed, Jun 26, 2024 at 09:07:42PM +0200, Kacper Michajlow wrote:
> > > > Hi,
> > > >
> > > > Like in the topic. I think it would be useful to enable MSAN on
> > > > OSS-Fuzz. We get some tiny issues and it would be probably good to
> > > > have them tracked upstream. All infra is here, so enabling it is as
> > > > simple as adding it to the project.yaml. Except libbz2.so and libz.so
> > > > would have to be built inline instead, looking at the build.sh, they
> > > > are prebuilt. The rest should just work (TM), but needs to be tested.
> > > > You can set an "experimental' flag to have it not create issues on
> > > > monorail, initially.
> > >
> > > I assumed ossfuzz would enable all sanitizers by default
> >
> > They do not do that by default, because MSAN requires all dependencies
> > to be instrumented too. See
> > https://google.github.io/oss-fuzz/getting-started/new-project-guide/#sanitizers
> >
> > Looking at build.sh for ffmpeg, it should be fine to enable it.
> > Obviously I have not tested everything, but I was running some tests
> > locally with MSAN and also tested it with mpv oss-fuzz builds where we
> > build ffmpeg too with MSAN.
> >
> > - Kacper
> 
> I've sent a PR to enable MSAN and a few other build improvements.
> Please take a look https://github.com/google/oss-fuzz/pull/12211
> 

> Also, would it be ok to add myself to auto_ccs for ffmpeg? Mostly to
> monitor what issues are reported upstream, as we get some reports in
> mpv fuzzing and I never know if I should report it upstream (ffmpeg)
> or it is already found by first-party fuzzing and I shouldn't make
> more noise.

you are welcome to submit bug reports, you are welcome to submit bug fixes
if you find issues in FFmpeg.

If someones work in FFmpeg or rather FFmpeg benefits from someone having
access to the reports, then (s)he should receive access. This seems not
to apply here

Also i expect the number of outstanding ossfuzz issues to decrease now
after the bulk of coverity issues has been dealt with

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaird by experienced expert"
"As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240714/318ad029/attachment.sig>