projects/vim: add OSS-Fuzz integration for Vim regex engine and Vimscript parser #15594
XananasX7 wants to merge 4 commits into
Conversation
Redis is a widely-deployed Tier 1 in-memory data store used by millions of applications. It currently has no OSS-Fuzz project. This PR adds:

Fuzz targets:
- fuzz_resp_parser: exercises the RESP3 protocol reply parser (src/resp_parser.c) with arbitrary network-like input. Covers all RESP3 type prefixes: simple strings, errors, integers, bulk strings, arrays, sets, maps, null, bool, double, big number, verbatim string, and attribute types.
- fuzz_rdb_load: exercises the RDB file parser (src/rdb.c) by writing arbitrary input to a temp file and calling rdbLoad(). RDB parsing is a critical attack surface for Redis replication and persistence.

Seed corpus: 13 valid RESP3 messages covering every reply type.
Dictionary: RESP3 type prefix tokens for guided mutation.

… parser
Vim is a ubiquitous text editor with a history of memory-safety CVEs (heap overflows, use-after-free in regexp, eval, ex_cmds). It has no existing OSS-Fuzz project.

Fuzz targets:
- fuzz_regexp: feeds arbitrary pattern/subject pairs to vim_regcomp() and vim_regexec(). Covers backtracking (regexp_bt.c), NFA engine (regexp_nfa.c), and all special regex syntax including backreferences, character classes, and look-around assertions.
- fuzz_vimscript: feeds arbitrary input to eval0() to exercise the Vimscript expression evaluator. Covers variable access, function calls, operators, and string/list/dict constructors.

Seed corpus: valid regex pattern/subject pairs for guided mutation.

Historical CVEs in scope: CVE-2022-0359, CVE-2022-0368, CVE-2022-0443, CVE-2023-48231 (and many more in the regexp/eval paths).
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.

XananasX7 is integrating a new project, but the

I have read the CLA Document and I hereby sign the CLA
Signed-off-by: XananasX7 mehdiananas007@gmail.com

The missing

Added missing
Thanks for the detailed feedback @DavidKorczynski — addressing all 5 points:
The remaining open PRs here cover genuinely new projects not yet in OSS-Fuzz. Happy to address any other issues on those.
4ebab0b to a55874b

Reauthored all commits with the correct email (mehdiananas007@gmail.com) matching the signed Google Individual CLA. The CLA bot should now verify successfully.
Summary
Vim is a ubiquitous text editor installed on virtually every Unix system, with a long history of memory-safety CVEs. It currently has no OSS-Fuzz project.
The regex engine (regexp.c, regexp_bt.c, regexp_nfa.c) and Vimscript evaluator (eval.c) have been the source of numerous CVEs discovered by manual fuzzing in recent years, including:
Continuous fuzzing via OSS-Fuzz would catch these classes of bugs automatically.
Fuzz targets
fuzz_regexp
Splits input into a pattern and subject string, compiles the pattern with vim_regcomp(), and matches it against the subject with vim_regexec(). Covers both the backtracking engine (regexp_bt.c) and NFA engine (regexp_nfa.c), and all special regex syntax including backreferences, character classes, and look-around assertions.
fuzz_vimscript
Feeds arbitrary input to eval0() to exercise the Vimscript expression evaluator — variable access, function calls, operators, string/list/dict constructors.
Seed corpus
Valid regex pattern/subject pairs covering common patterns for guided mutation.
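A harness shaped like the fuzz_regexp target described above, added here as an illustration and not the PR's own code: it splits the fuzzer bytes at the first NUL into a pattern and a subject, compiles, matches, and frees the compiled program on every path. So that it builds stand-alone it swaps Vim's vim_regcomp()/vim_regexec() for POSIX regcomp()/regexec(); the NUL separator and the MAX_PATTERN/MAX_SUBJECT caps are assumptions, not the PR's actual input format.

```c
#include <regex.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed caps: keep pathological patterns from turning into timeouts. */
#define MAX_PATTERN 256
#define MAX_SUBJECT 4096

/* Split fuzzer bytes at the first 0x00 into NUL-terminated copies; fuzzer
 * data is not NUL-terminated, so copying is mandatory before any C string
 * API sees it. Returns 0 on success, -1 if there is no separator or a part
 * exceeds its cap. The caller frees *pattern and *subject. */
int split_input(const uint8_t *data, size_t size, char **pattern, char **subject)
{
    const uint8_t *sep = memchr(data, 0, size);
    if (sep == NULL)
        return -1;
    size_t plen = (size_t)(sep - data);
    size_t slen = size - plen - 1;      /* bytes after the separator */
    if (plen > MAX_PATTERN || slen > MAX_SUBJECT)
        return -1;
    *pattern = malloc(plen + 1);
    *subject = malloc(slen + 1);
    if (*pattern == NULL || *subject == NULL) {
        free(*pattern);
        free(*subject);
        return -1;
    }
    memcpy(*pattern, data, plen);
    (*pattern)[plen] = '\0';
    memcpy(*subject, sep + 1, slen);    /* any later NUL just truncates the subject */
    (*subject)[slen] = '\0';
    return 0;
}

/* One iteration: 1 = compiled and matched, 0 = compiled but no match,
 * -1 = input rejected or pattern failed to compile. */
int fuzz_one(const uint8_t *data, size_t size)
{
    char *pattern, *subject;
    if (split_input(data, size, &pattern, &subject) != 0)
        return -1;
    regex_t re;
    int result = -1;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) == 0) {
        result = (regexec(&re, subject, 0, NULL, 0) == 0) ? 1 : 0;
        regfree(&re);   /* release the compiled program, as vim_regfree() would */
    }
    free(pattern);
    free(subject);
    return result;
}

/* libFuzzer entry point; must return 0 regardless of match outcome. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)fuzz_one(data, size);
    return 0;
}
```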