All Projects


Fuzz Dojo.


Challenges

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=casync

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/casync/inspector-report/20250411/fuzz_report.html

casync is a Content Addressable Data Synchronizer, a tool that combines the rsync algorithm with content addressable storage.

This project has a single fuzz driver that compresses and decompresses a stream of random data, but only hits 10% of the project code. Many different compression options, such as XZ and LibZ, are not called, and none of the utility functions are executed. The GitHub project page lists a number of operations that could be implemented in fuzz drivers. https://github.com/systemd/casync

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=guetzli

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/guetzli/inspector-report/20250411/fuzz_report.html

Guetzli is a JPEG encoder for image compression. It has 80% coverage, but the single fuzz driver is missing large areas of functionality for downsampling images.

preprocess_downsample.cc has 0% coverage. The driver also does not appear to exercise JPEG encoding, as jpeg_data_encoder.cc also has 0% coverage. Compare, heat map, and many miscellaneous functions are not covered.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=openjpeg

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/openjpeg/inspector-report/20240911/fuzz_report.html

https://storage.googleapis.com/oss-fuzz-introspector/openjpeg/inspector-report/20250411/fuzz_report.html

OpenJPEG is an open-source JPEG 2000 codec written in C. It consists of two libraries: one implementing JPEG 2000 files, and one providing a client/server architecture for remote browsing of JPEG 2000 images, known as jpip. The project reached 52% code coverage in 2024 with 2 fuzz drivers, one for each library; however, a more recent change has broken the code coverage details of the project.

This project is highly dependent on corpus data to exercise functionality. Important functions in j2k.c and jp2.c are not currently being covered, such as comparisons and encoding functions. A tests folder contains many operations that are not currently implemented as fuzz drivers.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=snappy

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/snappy/inspector-report/20250411/fuzz_report.html

Snappy is a compression tool optimized for high speeds and reasonable compression rates. 2 existing fuzz drivers for compression and decompression currently reach about 67% of the code.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=unrar

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/unrar/inspector-report/20250411/fuzz_report.html

Unrar is a free library for extracting rar files. A single fuzz driver reaches 58% of the code. A very recent change has broken coverage reports for this project, but older reports are still available. Browsing the full calltree shows that many command-line functions of this tool are not tested by the fuzz driver.

Welcome to an OSS-Fuzz Challenge

GUETZLI - simple 5648 loc 79%-80%-72% - 1 min

Welcome to an OSS-Fuzz Challenge

OPENJPEG - complex 22939 loc 5%--%-4% - 2 min

Welcome to an OSS-Fuzz Challenge

SNAPPY - simple 1502 loc 67%-67%-61% - 1 min

Welcome to an OSS-Fuzz Challenge

UNRAR - medium 13209 loc 8%-58%-86% - 1.5 min

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=alembic

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/alembic/inspector-report/20250514/fuzz_report.html

Alembic is an open framework for storing and sharing scene data that includes a C++ library, a file format, and client plugins and applications.

Alembic has only a single fuzz driver that is shown as blocked by static analysis, reaching almost no code at all. Dynamic analysis shows 10% coverage, with lots of potential for new fuzz drivers.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=apache-httpd

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/apache-httpd/inspector-report/20250411/fuzz_report.html

Apache Httpd is one of the most popular and powerful web servers. It is known for its high compatibility and stability.

Seven different fuzz drivers execute different areas of the code, but the overall code coverage seems very low. In order to fuzz the sockets directly or to fuzz the modules, additional tools or code changes are usually required. Many online articles have been written about fuzzing Web servers, but it does not look like many of those implementations have made it into OSS-Fuzz.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=arduinojson

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/arduinojson/inspector-report/20250411/fuzz_report.html

ArduinoJson is a C++ JSON library.

Fuzz Introspector reports that it has 99.51% static reachability, but only 49% actual coverage is being reached by the 2 existing fuzz drivers.

Plenty of functions in the code coverage report show 0% coverage, and these would be ideal to call with a new fuzz driver.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=args

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/args/inspector-report/20250515/fuzz_report.html

Args is a simple, small, flexible, single-header C++11 argument parsing library. It is similar to Python's argparse, but in C++.

A single fuzz driver hits just about half of the project code, but many features in this single-file project are not addressed. These include Validation, Match, GetDescription, Arg Parsing, etc.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=aspell

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/aspell/inspector-report/20250519/fuzz_report.html

GNU Aspell is a Free and Open Source spell checker.

A single fuzz driver reaches 75% of the project's code. The driver hits most of the core features of the program. Check through the manual http://aspell.net/man-html/index.html and compare the command-line options with the uncovered functions such as "to_soundslike", dictionary functions, and so on.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=astc-encoder

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/astc-encoder/inspector-report/20250520/fuzz_report.html

The Arm astc-encoder, or Adaptive Scalable Texture Compression (ASTC) Encoder (astcenc), is a command-line tool for compressing and decompressing images using the ASTC texture compression standard.

The encoder has 1 fuzz driver that covers symbolic_to_physical and reaches 50% of the project coverage. A second single function symbolic_to_physical should reach the majority of the remaining code.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=avahi

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/avahi/inspector-report/20250411/fuzz_report.html

Avahi only has very minor improvements possible. See the training video.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=boost

Boost is a very large collection of portable C++ libraries. 14 fuzz drivers currently exercise about half of the code in the project.

Browsing the code coverage report shows that some libraries have high coverage and other libraries have almost no coverage. For example, the file system fuzz driver has about 15 simple calls to file system functions, executing only about 7% of the code in the /filesystem folder, but hundreds and hundreds of addressable file system functions are completely untouched.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=bzip2

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/bzip2/inspector-report/20250411/fuzz_report.html

BZIP2 is discussed in the training video: "BZIP2: Case Study Extending 62% Static Code Coverage to 92%"

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=c-ares

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/c-ares/inspector-report/20250411/fuzz_report.html

C-Ares is a C library for asynchronous DNS requests. It has two simple fuzz drivers: one that validates URLs, and a legacy fuzz driver that provides sample code to execute many different parsing functions. This is not useful today since all of these parsing functions have been simplified into a single function.

Only 1/3 of the code is currently being hit by sending simple random parsing requests. Fuzz drivers designed to exercise the specific features of this library may be able to hit additional source code. https://github.com/c-ares/c-ares/blob/main/FEATURES.md

Implementing a simplified custom DNS parser may also do a better job than sending simple random requests.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=cjson

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/cjson/inspector-report/20250411/fuzz_report.html

cJSON is discussed in the training video: "cJSON Case Study extending 27% Static Code Coverage to 73%"

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=cmark

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/cmark/inspector-report/20250411/fuzz_report.html

Cmark is the C reference implementation of CommonMark, a library that parses markdown into HTML, man, LaTeX, CommonMark, or XML. It has a single fuzz driver that reaches 95% code coverage.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=cppcheck

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/cppcheck/inspector-report/20250411/fuzz_report.html

Can't currently generate coverage data - project broken on oss-fuzz

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=elfutils

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/elfutils/inspector-report/20250411/fuzz_report.html

Elfutils is a collection of utilities and libraries to read, create and modify ELF binary files, find and handle DWARF debug data, symbols, thread state and stacktraces for processes and core files on GNU/Linux.

This project has low code coverage and only three fuzz drivers. Many of these utilities and libraries are not fuzzed: for example, multiple disassemblers have 0% code coverage.

Sample OSS-Fuzz project

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=exiv2

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/exiv2/inspector-report/20250411/fuzz_report.html

Exiv2 is a command-line utility to manage image metadata. It has roughly 60% coverage from a single fuzz driver that does the basic functionality of opening, reading, and printing image metadata. Lots of source code files appear to have low code coverage. Documentation on https://exiv2.org/doc/index.html gives examples of many features beyond the basic "read exif data" that probably are not implemented by fuzz drivers, such as:

Iptcprint is a similar example to print IPTC data. Addmoddel shows how to add, modify and delete Exif metadata. Exifcomment shows how to set the exif comment of an image. Xmpsample.cpp contains examples of how to set various types of XMP properties. For more real-world code have a look at the implementation of the different actions of the Exiv2 utility (actions.cpp).

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=fmt

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/fmt/inspector-report/20250411/fuzz_report.html

{fmt} is an open-source formatting library providing a fast and safe alternative to C stdio and C++ iostreams.

7 fuzz drivers cover 80% of the project code, which is composed of hundreds of mostly independent functions. There are still a few uncovered functions, such as copy_fill_from, constexpr auto count(), write_codecvt, do_write, write, operator functions, and many more.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=gfwx

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/gfwx/inspector-report/20240911/fuzz_report.html

Already has 94% LOC and 100% function coverage of the main library

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=haproxy

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/haproxy/inspector-report/20250411/fuzz_report.html

Haproxy is a high-performance software load balancer and reverse proxy for TCP and HTTP-based applications.

The existing fuzz drivers have recently broken, as indicated by the 1% total code coverage. The large number of lines of code and slow compile time indicate that this is a project that is most likely difficult to fuzz.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=igraph

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/igraph/inspector-report/20250411/fuzz_report.html

Igraph is a C library for complex network analysis and graph theory, with emphasis on efficiency, portability and ease of use.

25 fuzz drivers cover 60% of the project code. Certain areas such as linear algebra functions have 0% coverage.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=janus-gateway

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/janus-gateway/inspector-report/20250411/fuzz_report.html

Janus is an open source, general purpose, WebRTC server. Web Real-Time Communication is a free, open-source technology that enables real-time voice, video, and data communication between browsers and devices.

3 fuzz drivers cover 38% of the project code. The RTP fuzz driver calls a long library list of functions, but there are quite a few that are not called that have significant complexity, such as janus_rtp_skew_compensate_audio, janus_rtp_skew_compensate_video, janus_rtp_simulcasting_prepare, janus_rtp_header_update, and janus_rtp_header_extension_get_from_id. These and many more could be investigated for how they are used in practice, and probably combined into this fuzz driver or a new one.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=json

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/json/inspector-report/20250411/fuzz_report.html

JSON is a single-file json.hpp implementation of a JSON parser.

With 6 drivers achieving 74% coverage, it seems to have small sections of code that could be exercised by additional fuzz drivers or additional corpus data. For example, there are untouched functions like scan_comment() and start_object().

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=kamailio

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/kamailio/inspector-report/20250411/fuzz_report.html

Kamailio is used by large Internet Service Providers to provide public telephony service as a SIP Server.

It currently uses 2 fairly simple fuzz drivers with 10% total code coverage. There are many unfuzzed functions with huge unreached code complexity, such as "main2" and "yyparse".

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=lame

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/lame/inspector-report/20240921/fuzz_report.html

Lame is currently broken on oss-fuzz so the project cannot be compiled and coverage data cannot be generated until it is fixed.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=liblouis

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/liblouis/inspector-report/20250411/fuzz_report.html

Liblouis is an open-source braille translator and back-translator.

3 existing fuzz drivers test the main functionality of the project already, translation and back translation. Only small sections of code are unreached and seem to be spread out in many small miscellaneous functions. A folder of test cases exists for this project that might provide sample code that could be useful in reaching these functions.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=libpng

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/libpng/inspector-report/20250411/fuzz_report.html

LIBPNG is the official library for the PNG, Portable Network Graphics, image format. For a detailed description on using libpng, read libpng-manual.txt. For examples of libpng in a program, see example.c and pngtest.c.

A single fuzz driver calls png_read_info and performs several transforms, but only reaches 50% of the code. Lots of example code in example.c and pngtest.c could be turned into new fuzz drivers.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=libsass

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/libsass/inspector-report/20250411/fuzz_report.html

LibSass is a C++ port of the original Ruby Sass CSS compiler with a C API.

This project has 30% total code coverage. It currently has a single, partially broken fuzz driver. There are lots of parsing functions with no code coverage. It is likely to need a good CSS dictionary/corpus for effective fuzzing.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=libsodium

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/libsodium/inspector-report/20250411/fuzz_report.html

LibSodium is an easy-to-use software library for encryption, decryption, signatures, password hashing, and more.

This library has roughly 20% code coverage with only 2 fuzz drivers, exercising the encryption, decryption, and maybe hashing functions and very little else. Just implementing ED25519 key signatures as a fuzz driver should greatly increase the code coverage of the project.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=libssh2

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/libssh2/inspector-report/20250411/fuzz_report.html

Libssh2 is a library implementing the SSH2 protocol. It has only 1 fuzz driver that acts as a client and reaches only 26% of the code. This library has many similarities to openssh and may be able to implement similar fuzz drivers. A tests directory also provides many unit tests that possibly could be implemented as fuzz drivers.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=libvnc

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/libvnc/inspector-report/20250411/fuzz_report.html

LibVNCServer/LibVNCClient are cross-platform C libraries that allow you to easily implement VNC server or client functionality in your program. It has a single fuzz driver that fuzzes the server code and reaches 19% of the project's code.

Many components of this library are completely untouched, such as websocket code. Roughly more than two thirds of the functions in main.c exhibit high complexity and are also not touched.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=libvpx

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/libvpx/inspector-report/20250411/fuzz_report.html

Libvpx is a free software video codec library that serves as the reference software implementation for the VP8 and VP9 video coding formats, and for AV1. It has 2 decoding fuzz drivers, one for VP8 and another for VP9 that reaches 60% of the code. The source code includes hundreds of unit tests in /test and additional code under /examples that could be turned into new fuzz drivers.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=lighttpd

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/lighttpd/inspector-report/20250411/fuzz_report.html

Lighttpd is a high-performance Web server.

A single fuzz driver submits URLs with random input to the Web server, but many other methods of fuzzing the code are possible. For example, access or authentication methods could be used to reach the buffer functions that have uncovered complexity.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=miniz

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/miniz/inspector-report/20250411/fuzz_report.html

Miniz is a lossless, high performance data compression library in a single source file that implements the zlib (RFC 1950) and Deflate (RFC 1951) compressed data format specification standards. Miniz also contains simple to use functions for writing .PNG format image files and reading/writing/appending .ZIP format archives. It has 9 different fuzz drivers reaching 60% of the code.

A number of validation functions, validating file archives, validating archives in memory, and archive appending features are not currently tested. This project has an examples folder which might provide additional functionality not currently implemented into fuzz drivers.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=minizip

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/minizip/inspector-report/20250411/fuzz_report.html

Minizip-ng is a zip manipulation library written in C. It has zipping and unzipping fuzz drivers reaching 71% code coverage. Stream functions and encryption functionality are not well fuzzed.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=mpg123

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/mpg123/inspector-report/20250411/fuzz_report.html

Mpg123 is a Linux MPEG 1.0/2.0/2.5 audio player. Two fuzz drivers reach 52% of the code. Most of the decoding library libmpg123.c is not fuzzed, indicating that it might benefit from a larger corpus.

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=mupdf

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/mupdf/inspector-report/20250111/fuzz_report.html

Mupdf is an open source software framework written in C that implements a PDF, XPS, and EPUB parsing and rendering engine. A single fuzz driver simulates creating a PDF, and reaches 50% of the code.

This project has many verification functions that are not currently tested. Many testing scripts exist in a scripts folder in the project repository: https://git.ghostscript.com/?p=mupdf.git;a=tree

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=opensips

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/opensips/inspector-report/20250411/fuzz_report.html

OpenSIPS is a SIP (Session Initiation Protocol) server. A SIP server, also known as a SIP proxy server, is the central hub in a VoIP system that manages and directs all SIP-based communication, including calls, messages, and video streams, between two or more participants. SIP servers have many independent functions, such as initiation, termination, call routing, authentication and encryption, load-balancing, codec negotiation, session management, and many other features. The 4 current fuzz drivers reach only a few of the modules and about 13% of the code.

This is a large project with many different independent modules, each with its own readme and functionality (https://github.com/OpenSIPS/opensips/tree/master/modules). A majority of these modules have 0% code coverage.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=pcre2

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/pcre2/inspector-report/20250411/fuzz_report.html

The PCRE2 library is a set of C functions that implement regular expression pattern matching. 9 fuzz drivers reach 70% of the code, which comprises 96% of the cyclomatic complexity of the project.

Only a few specialty functions, such as recursive arguments, shifting, and byte manipulations, have the potential for increased code coverage.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=pycryptodome

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/pycryptodome/inspector-report/20250411/fuzz_report.html

Pycryptodome is a self-contained cryptographic library for Python. 8 fuzz drivers cover 80% of the code. Only a few MD5, SHA2, and endianness functions are not completely covered.

This project would be difficult to improve.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=speex

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/speex/inspector-report/20250411/fuzz_report.html

Speex is a voice codec for low bit rates. 4 fuzz drivers reach 82% of the code, and the remaining uncovered code is distributed through a large number of functions. Increasing code coverage beyond this point will probably be difficult.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=sqlite3

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/sqlite3/inspector-report/20250406/fuzz_report.html

Sqlite3 is an open-source relational database written in C. It has a single fuzz driver that reaches 76% of the code, by parsing random data as SQL statements.

Unreached sections of code are distributed across a large number of functions, making targeting these areas fairly difficult. There appears to be JSON parsing, file I/O, and other small miscellaneous sections with some potential.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=tmux

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/tmux/inspector-report/20250411/fuzz_report.html

Tmux is a terminal multiplexer written in C. A single fuzz driver reaches only 14% of the code by fuzzing the input_parse_buffer. The fuzz blockers highlighted by Fuzz Introspector show large sections of code that could be targeted by new fuzz drivers. For example: window layout, cmdq_new_state (creates a new state object that represents the context in which commands are executed within tmux), and args_parse (string arguments sent to tmux's command system).


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=uriparser

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/uriparser/inspector-report/20250411/fuzz_report.html

Uriparser is a fast URI parsing library written in C. It has 6 fuzz drivers reaching 81% of the code, and 93% of the cyclomatic complexity of the project. Very few functions have significant new code coverage potential.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=valijson

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/valijson/inspector-report/20250411/fuzz_report.html

Valijson is a C++ library for JSON Schema validation, with support for many popular parsers. It has a single fuzz driver reaching 72% of the code.

The validation_visitor.hpp file shows many sections of code that are not exercised. These include date and time matching, integer and double constraint checking, and other regex functions.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=vorbis

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/vorbis/inspector-report/20250411/fuzz_report.html

Vorbis is a C++ library for audio compression. It has a single fuzz driver reaching 35% of the code.

Example code is provided by the project that might be useful to turn into additional fuzz drivers.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=w3m

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/w3m/inspector-report/20250411/fuzz_report.html

w3m converts www to text and can also be used as a text-mode web browser. It has a single fuzz driver reaching 70% of the project code.

Several conversion functions, such as those from iso2022 and utf8, have significant uncovered code.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=wasm3

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/wasm3/inspector-report/20250411/fuzz_report.html

Wasm3 is a WebAssembly interpreter and the most universal WASM runtime. It has a single fuzz driver reaching 67% of the code. This fuzz driver parses and executes code, but other functionality of the project is not addressed. For example, the m3_exec source code is not well covered. Since this code handles the interpreter's execution loop and instruction handlers, a fuzz driver generating more valid instructions might exercise it. Valid instructions that are not being executed include stack operations, arithmetic operations, memory operations, comparison operations, and direct and indirect function calls.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=wavpack

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/wavpack/inspector-report/20250411/fuzz_report.html

WavPack is a WAV audio encode/decode library, command-line programs, and several plugins. It has a single fuzz driver reaching 84% of the code and 96% of the cyclomatic complexity of the project.

There are very few sections of uncovered code.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=woff2

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/woff2/inspector-report/20250411/fuzz_report.html

Woff2 is a font packaging format written in C++ designed to improve compression and file sizes of web fonts compared to the older WOFF format. It has 2 fuzz drivers reaching 87% of the code, and the few sections of unreached coverage are distributed among many functions and will be difficult to reach.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=xvid

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/xvid/inspector-report/20240921/fuzz_report.html

XVid is a video codec library for the MPEG-4 standard. The source code repository is no longer accessible online so it is broken on oss-fuzz, but the source code files are still available here and the project compiles and works properly. A single fuzz driver reaches 33% of the project code.

One approach would be to simply repair this project implementation in OSS-Fuzz by determining what happened in 2024 to break the project's build. The single fuzz driver only tests decoding functionality and covers that code very completely, as shown by the green section in the call graph. Additional fuzz drivers could be written to address encoding features of the library, or general functionality such as metadata handling, stream management, and bitstream handling.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=xz

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/xz/inspector-report/20250411/fuzz_report.html

XZ is a file compression library aiming to maximize compression ratios. It supports the .xz and .lzma formats. 4 different fuzz drivers reach 75% of the project code.

Many of the legacy lzma functions are not fuzzed, and streaming functions similarly have unreached sections.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=yara

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/yara/inspector-report/20250411/fuzz_report.html

Yara is a pattern matching tool for malware analysis. It is written primarily in C. 6 fuzz drivers reach 63% of the project code. The names of these fuzz drivers match the names of the modules of the project. One module, dex, is blocked and only covers 14% of the code, while other modules are covered between 80% and 90%. Fixing this driver might increase coverage by a thousand lines of code or so.

Another possible approach would be to create a completely different type of fuzz driver. The libyara/exec.c file contains a lot of uncovered code, and evaluating complex Boolean expressions seems to be the purpose of many of these functions.


Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=zlib

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/zlib/inspector-report/20250411/fuzz_report.html

Zlib is a general purpose data compression library. It has 10 different fuzz drivers that reach 80% of the project's code, and 87% of the project's cyclomatic complexity.

The deflate slow and deflate fast functions have some untouched sections of code.


(D) ZOPFLI - simple 2221 loc 77%-94%-99% - 1 min

Use (Report link) to browse the source code and fuzz introspector report https://introspector.oss-fuzz.com/project-profile?project=zopfli

Fuzz Introspector https://storage.googleapis.com/oss-fuzz-introspector/zopfli/inspector-report/20250411/fuzz_report.html

Zopfli is a compression library written in C to achieve high compression ratios at the expense of speed. It has 2 fuzz drivers reaching 94% of the project code, and 99% of the project's cyclomatic complexity.
