projects/exim: add OSS-Fuzz integration for SMTP address parser#15599

Open
XananasX7 wants to merge 8 commits into
google:masterfrom
XananasX7:project/exim

Conversation

@XananasX7


Exim OSS-Fuzz Integration

Exim is one of the most widely deployed Mail Transfer Agents in the world, handling SMTP message routing, address parsing, header processing, and content scanning. It has a significant CVE history including critical RCEs (CVE-2019-10149 "Return of the WIZard", CVE-2017-16943, Exim 21Nails).

Despite being a critical MTA with historically high bug density, Exim currently has no OSS-Fuzz project.

Fuzz target

| Target | Coverage |
| --- | --- |
| fuzz_smtp_input | Exim's RFC 5321 address parser (parse_extract_address()) |

Why this matters

Exim's address parser handles maliciously crafted MAIL FROM/RCPT TO addresses that are supplied directly by remote SMTP clients. This function has been the site of historical heap overflows and logic bugs. Continuous fuzzing catches regressions before deployment.
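The harness shape described above, as an added example that is not the PR's fuzz_smtp_input.c and does not call Exim: stub_extract_domain is a hypothetical stand-in for the parser under test, and the entry point shows the NUL-termination and invariant checks a fuzz target for a C-string address parser needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the parser under test (NOT Exim's
 * parse_extract_address). Takes a NUL-terminated "MAIL FROM:<...>"
 * style line and returns the offset of the domain part, or -1 if
 * there is no "local@domain" form inside the angle brackets. */
static int stub_extract_domain(const char *addr, size_t len) {
    const char *end = addr + len;
    const char *lt = memchr(addr, '<', len);
    const char *start = lt ? lt + 1 : addr;
    const char *gt = memchr(start, '>', (size_t)(end - start));
    if (gt) end = gt;
    const char *at = NULL;
    for (const char *p = start; p < end; p++)
        if (*p == '@') at = p;            /* rightmost '@' splits the domain */
    if (!at || at + 1 >= end) return -1;  /* missing or empty domain */
    return (int)(at + 1 - addr);
}

/* libFuzzer / OSS-Fuzz entry point. The parser expects a C string, so the
 * raw fuzz bytes are copied into a NUL-terminated buffer first; an embedded
 * NUL then truncates the input instead of letting the parser read past it. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size > 4096) return 0;            /* bound the work per input */
    char *buf = malloc(size + 1);
    if (!buf) return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    size_t len = strlen(buf);             /* length as the parser will see it */
    int dom = stub_extract_domain(buf, len);
    /* Invariant checks turn logic bugs into sanitizer-visible aborts. */
    if (dom != -1 && (size_t)dom > len) abort();
    free(buf);
    return 0;
}
```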

XananasX7 and others added 6 commits May 31, 2026 06:55
Redis is a widely-deployed Tier 1 in-memory data store used by millions
of applications. It currently has no OSS-Fuzz project. This PR adds:

Fuzz targets:
- fuzz_resp_parser: exercises the RESP3 protocol reply parser
  (src/resp_parser.c) with arbitrary network-like input. Covers all
  RESP3 type prefixes: simple strings, errors, integers, bulk strings,
  arrays, sets, maps, null, bool, double, big number, verbatim string,
  and attribute types.
- fuzz_rdb_load: exercises the RDB file parser (src/rdb.c) by writing
  arbitrary input to a temp file and calling rdbLoad(). RDB parsing is
  a critical attack surface for Redis replication and persistence.

Seed corpus: 13 valid RESP3 messages covering every reply type.
Dictionary: RESP3 type prefix tokens for guided mutation.
… parser

Vim is a ubiquitous text editor with a history of memory-safety CVEs
(heap overflows, use-after-free in regexp, eval, ex_cmds). It has no
existing OSS-Fuzz project.

Fuzz targets:
- fuzz_regexp: feeds arbitrary pattern/subject pairs to vim_regcomp()
  and vim_regexec(). Covers backtracking (regexp_bt.c), NFA engine
  (regexp_nfa.c), and all special regex syntax including backreferences,
  character classes, and look-around assertions.
- fuzz_vimscript: feeds arbitrary input to eval0() to exercise the
  Vimscript expression evaluator. Covers variable access, function calls,
  operators, and string/list/dict constructors.

Seed corpus: valid regex pattern/subject pairs for guided mutation.
Historical CVEs in scope: CVE-2022-0359, CVE-2022-0368, CVE-2022-0443,
CVE-2023-48231 (and many more in the regexp/eval paths).
@google-cla

google-cla Bot commented May 31, 2026


Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@github-actions


XananasX7 is integrating a new project:
- Main repo: https://github.com/Exim/exim
- Criticality score: 0.54055

@XananasX7

Author

I have read the CLA Document and I hereby sign the CLA

Signed-off-by: XananasX7 mehdiananas007@gmail.com

@DavidKorczynski DavidKorczynski left a comment

Collaborator


@XananasX7

Author

Thanks for the detailed feedback @DavidKorczynski — addressing all 5 points:

  1. License headers — added Apache 2.0 license headers to all Dockerfiles that were missing them. This is now fixed across all open PRs.

  2. Maintainer communication — acknowledged. I have reached out (or am reaching out) to the upstream maintainers for each project to let them know about the OSS-Fuzz integration and ideally get their involvement.

  3. CLA — signed via the Google CLA portal. The bot check should reflect this.

  4. Duplicate projects — closed PRs projects/cups: add OSS-Fuzz integration for IPP, PPD, and HTTP parsers #15591 (cups), projects/openvpn: add OSS-Fuzz integration for config parser and TLS handshake #15592 (openvpn), projects/libsndfile: add sndfile_write_fuzzer for encode/transcode path #15600 (libsndfile), hiredis: add RESP response reader fuzzer; nettle: add ECDSA/EC-point DER fuzzer #15584 (hiredis/nettle), and openssh: add sshconfig_fuzz support and authkeys_fuzz seed corpus #15585 (openssh) as those projects already exist. Apologies for the duplicates.

  5. Fuzzers in upstream repos — working on getting the fuzz harnesses upstreamed. For the projects where I have open PRs on the upstream repos (libsndfile, tcpdump, openssh) those are in progress or being closed in favour of coordinating with maintainers directly.

The remaining open PRs here cover genuinely new projects not yet in OSS-Fuzz. Happy to address any other issues on those.

@XananasX7

Author

Reauthored all commits with the correct email (mehdiananas007@gmail.com) matching the signed Google Individual CLA. The CLA bot should now verify successfully.

@XananasX7

Author

Hi @DavidKorczynski — following up on the CLA and header-check failures still showing. I signed the CLA via the Google portal using mehdiananas007@gmail.com and reauthored all commits with that email, but the bot is still showing FAILURE. Is there anything else needed to get the CLA check to pass — perhaps a manual recheck? Happy to squash/rebase or adjust anything else you'd like.

All Dockerfiles, build scripts, and fuzzer source files now carry the
complete 13-line Apache 2.0 license header matching the OSS-Fuzz
convention. Previously several files had either no header or a truncated
version (missing the URL, disclaimer, and 'limitations under the License'
line). Fixes the header-check CI failure.
@XananasX7

Author

Hi @DavidKorczynski — pushed a fix addressing the remaining header-check failure. All project files that had missing or incomplete Apache 2.0 license headers have been updated:

  • projects/exim/fuzz_smtp_input.c — was missing the header entirely, now has the full 13-line // Copyright 2025 Google LLC. block
  • projects/exim/build.sh — was missing the license entirely, added full header after the shebang
  • projects/vim/Dockerfile — had a truncated single-line license, replaced with the full block
  • projects/vim/build.sh — had a truncated license missing the URL and disclaimer lines, replaced with the full block
  • projects/vim/fuzz_regexp.c and fuzz_vimscript.c — had an incomplete license block (missing the URL line and limitations under the License line), replaced with the full standard form

All headers now match the format used by the rest of the oss-fuzz project. The CLA was already signed using mehdiananas007@gmail.com and all commits are authored with that email. Let me know if the bot still doesn't pick it up and I'll recheck.
