Add lzo

[bshastry]

This PR:

• Adds the lzo library to oss-fuzz (CC Potential new projects to integrate with OSS-Fuzz #402)
• Adds target out-of-source to seek feedback from maintainer @markus-oberhumer

CC @viniul

[jonathanmetzman]

We approve of adding this project.
Did you want feedback from @markus-oberhumer before we merged this?

[jonathanmetzman]

I think it would be nice to have another target that tried to decompress data. Right now lzo1x_decompress is not decompressing anything invalid.

[bshastry]

I agree. @markus-oberhumer What do you think of adding lzo to oss fuzz?

Would it be better to move this and future test harnesses to lzo repo? Currently this PR picks up an lzo release. Would it be better to fuzz the current development commit instead? I couldn't find a public repository for lzo unfortunately.

[jonathanmetzman]

Markus: we prefer to have fuzz targets upstream (less likely to break)

[bshastry]

@jonathanmetzman I added a decompress only target in the source branch of this PR. Looking forward to feedback.

At the moment, there is a shallow heap-buffer overrun (READ) like so for a 1 byte compressed data:

READ of size 8 at 0x6020000000d1 thread T0                                                             
SCARINESS: 23 (8-byte-read-heap-buffer-overflow)                                           
    #0 0x5bdcce in lzo1x_decompress /src/lzo-2.10/src/lzo1x_d.ch:120:13

[bshastry]

Brainstorming here: To do this systematically, we would need to add two targets per compression method, one that compresses fuzzed data and another that decompresses it. I believe there are 10 or more compression methods in the current release version, do that would mean around 20 targets.

This is excluding other compression parameters such as the number of rounds to use etc.

Wouldn't having so many targets sit in the oss-fuzz repo lead to bit rot?

[jonathanmetzman]

Brainstorming here: To do this systematically, we would need to add two targets per compression method, one that compresses fuzzed data and another that decompresses it.

I think having these two kinds of targets are worthwhile:

decompress(compress(data))

and

decompress(data)

(decompression in the first target is controversial, since theoretically it shouldn't cover anything the second target won't, but my guess is it would be useful in practice).

I believe there are 10 or more compression methods in the current release version, do that would mean around 20 targets.

This is excluding other compression parameters such as the number of rounds to use etc.

So instead of creating one (or two) new target(s) for every method/parameter combination, you can
take some bytes from the start of data to determine which compression method to use and what the parameters will be. Sort of like this:

index = data[0] % compression_methods.length;
method = compression_methods[index]
method(data[1], size-1)

Wouldn't having so many targets sit in the oss-fuzz repo lead to bit rot?

Yes. This is probably too many.

[bshastry]

Thank you @jonathanmetzman for the discussion.

I will address these concerns on my fork and ping you back when that's ready for review.

In the meanwhile, looking forward to hearing from Markus.

[bshastry]

Ping back from Berlin :-)

@markus-oberhumer: What email address should I use as the primary contact in project.yaml? At the moment, it is "info at oberhumer.com" but this looks like a sales related contact end-point.

[googlebot]

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again. If the bot doesn't comment, it means it doesn't think anything has changed.

[bshastry]

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again. If the bot doesn't comment, it means it doesn't think anything has changed.

@viniul I think you need to sign the Google CLA :-)

[viniul]

I'll make sure to sign it :)

[jonathanmetzman]

ping.
@viniul are you still planning on signing the cla?

[viniul]

@jonathanmetzman Sorry, I did not have the time to look into it yet. Planning on signing it this weekend.

[viniul]

@jonathanmetzman I have filled out and submitted the Google CLA.

[jonathanmetzman]

In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again.

@bshastry can you comment again so that I can see if the bot updates the status?
Some of the docs imply that the status won't be updated because the pull request has multiple authors, but I guess we will find out.

[bshastry]

Bot do you think?

[Dor1s]

Yeah, we need to make sure that CLA is signed for each email from the following:

$ git log -n 13 | egrep -i author | uniq
Author: Bhargava Shastry <bshastry@sect.tu-berlin.de>
Author: Vincent Ulitzsch <vincent.ulitzsch@live.de>
Author: Vincent Ulitzsch <vincent@srlabs.de>
Author: Bhargava Shastry <bshastry@sect.tu-berlin.de>
Author: Vincent Ulitzsch <vincent@srlabs.de>
Author: Bhargava Shastry <bshastry@sect.tu-berlin.de>

or you can try to squash the commits and upload a separate PR / force update this one.

[viniul]

Hey @Dor1s - I signed the Google CLA for the emails I used for the commits. I think @bshastry signed his already - so we should be good to go. Can you confirm?

[bshastry]

Just a check on the cla.

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of all the commit author(s), set the cla label to yes (if enabled on your project), and then merge this pull request when appropriate.

[Dor1s]

@viniul @bshastry thank you! Now I have to figure out how to set that cla label to yes.

[Dor1s]

Ok, as per some documentation I've found, @googlebot is not going to change the status here, and we can merge after getting the consent from all authors. Given that we have only two authors here (with a couple different git emails), I think we have a consent from everyone. Merging.