Trophy case?

Question

Trophy case?

Ekleog opened this issue 2 years ago · 6 comments

Ekleog commented 2 years ago

Hey!

I just incidentally found a panic inside chrono, while fuzzing my web server: chronotope/chrono#941

So I'm wondering if you'd want to introduce a trophy case to cargo-bolero, similar to the one cargo-fuzz has? :)

Answer 1 · 2023-01-22T19:03:46.000Z

(sorry for misclicking and creating the issue without any contents, this is now fixed)

Answer 2 · 2023-01-22T19:58:02.000Z

And a follow-up commit to my own code, which even after the chrono fix was still panicking on certain remote user input (so it was a DoS): Ekleog/risuto@9c23cc8

Answer 3 · 2023-01-24T20:32:32.000Z

I think I would prefer adding to https://github.com/rust-fuzz/trophy-case and just specifying the engine used and bolero. Something like:

libfuzzer + [bolero](https://camshaft.github.io/bolero/)

Answer 4 · 2023-01-24T20:33:35.000Z

Nice find, BTW!

Answer 5 · 2023-01-27T23:21:16.000Z

Sounds good to me! I'll submit there. Just so I don't forget about it, another one in my code this time, though related to lack of a proper API from chrono: chronotope/chrono#948 / the panic DoS fix at Ekleog/risuto@1a43970 (turns out Havana has timezone shifts that make midnight an invalid time on some dates)

Answer 6 · 2023-01-28T21:28:59.000Z

Ok, I've opened rust-fuzz/trophy-case#121 ; and can now close this :)