Add mediapipe project (initial OSS-Fuzz integration)

[ricaskew]

This PR adds MediaPipe (https://ai.google.dev/edge/mediapipe) to OSS-Fuzz.

Project details

• Language: C++
• Main repo: https://github.com/google-ai-edge/mediapipe
• Primary contact: mediapipe-discuss@googlegroups.com
• Sanitizers: AddressSanitizer
• Fuzzing engine: libFuzzer

What this adds

Three files under projects/mediapipe/:

• project.yaml — project metadata
• Dockerfile — installs build dependencies (python3, zip/unzip/curl/wget) and
  Bazel via Bazelisk (MediaPipe pins its Bazel version via .bazelversion)
• build.sh — builds all cc_fuzz_test targets via bazel_build_fuzz_tests with
  libc++ host flags and --define=MEDIAPIPE_DISABLE_GPU=1

Initial fuzz target

CalculatorGraphConfig parser (mediapipe/framework/fuzz/calculator_graph_config_fuzz).
Targets ParseFromArray → CalculatorGraph::Initialize. The harness and BUILD file
are in a companion PR against google-ai-edge/mediapipe.

Build notes

Two non-default build flags are required:

• --host_cxxopt=-stdlib=libc++ and --host_linkopt=-stdlib=libc++ — the OSS-Fuzz base-builder
  image's gcc-9 libstdc++ lacks C++20 required by MediaPipe's pinned
  abseil. clang-22 + libc++ in the same image supports it cleanly.
• --define=MEDIAPIPE_DISABLE_GPU=1 — MediaPipe's framework layer transitively
  depends on EGL headers (via gpu_shared_data_internal) which are not present in
  the base-builder image. This flag activates MediaPipe's built-in stub, removing
  the EGL dependency without affecting the fuzz target's coverage of the
  CalculatorGraphConfig parse surface.

Verification

Built and smoke-tested locally using helper.py build_fuzzers and helper.py
reproduce. Binary: 30MB ELF x86-64 PIE executable, ASAN-instrumented, 173,711
coverage PCs. Zero ASAN findings across five inputs × 100 iterations.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[github-actions]

ricaskew is integrating a new project:
- Main repo: https://github.com/google-ai-edge/mediapipe
- Criticality score: 0.48264

[ricaskew]

Companion PR: google-ai-edge/mediapipe#6288

[ricaskew]

@googlebot I signed it!

[DavidKorczynski]

Project looks good, but we need maintainer coordination and approval.

[ricaskew]

Thanks for the feedback, @DavidKorczynski. The companion PR at google-ai-edge/mediapipe#6288 is the upstream coordination surface — it adds the rules_fuzzing scaffold and the harness directly to the mediapipe repository and is awaiting mediapipe maintainer review. Once a mediapipe maintainer engages there, I can coordinate with them on the primary_contact field here and update project.yaml accordingly. Let me know if there's anything else needed on this side in the meantime.