undefined | Better HN

0 pointsmetzmanj1y ago0 comments

>Woha, is this legit or some sort of scam on Google in some way?:

I work on OSS-Fuzz.

As far as I can tell, the author's PRs do not compromise OSS-Fuzz in any way.

OSS-Fuzz doesn't trust user code for this very reason.

0 comments

It looks more like they disabled a feature of oss-fuzz that would've caught the exploit, no?

That's what people are saying though I haven't had the chance to look into this myself.

Fuzzing isn't really the best tool for catching bugs the maintainer intentionally inserted though.

It's more likely that fuzzing would blow up on new code and they wanted an excuse to remove it.

After all, if it hadn't had a performance regression (someone could submit a PR fixing whatever slowed it down, heh) it still wouldn't be known.

j / k navigate · click thread line to collapse