GSoC/2025/StatusReports/AzharMomin

Expanding OSS-Fuzz Integration Across KDE Libraries

This project aims to expand OSS-Fuzz integration across more KDE libraries, focusing on those that handle external inputs like file parsers and thumbnail generators, which are prone to parsing and memory bugs.

Mentors

Albert Astals Cid

Work report

Week 1:

• Migrated existing OSS-Fuzz files from the OSS-Fuzz repository to the repositories of the respective libraries
• Split KArchive fuzzer to improve its efficiency
• Added dict files to KArchive fuzzer
• Wrote the initial GSoC blog

Week 2:

• Created a fuzz target and build script for KMime fuzzer
• Set up a dict file and seed corpus for KMime fuzzer
• Submitted KMime fuzzer to OSS-Fuzz
• Created the initial fuzz target for KDE-Thumbnailers

Week 3:

• Minor patches to ECM and KIO-Extras to allow building KDE-Thumbnailers in OSS-Fuzz
• Created the initial build script and seed corpus for first KDE-Thumbnailers library (KIO-Extras)
• Added support for building the following thumbnail creators:

1. AudioCreator (Taglib)
2. SvgCreator (QtSvg)

Week 4:

• Added support for building the following thumbnail creators:

1. ComicCreator (KArchive and Unrar)
2. CursorCreator (LibXCursor)
3. EbookCreator (KArchive)
4. EXRCreator (OpenEXR)
5. JpegCreator (LibKExiv2)
6. ImageCreator (QtGui)
7. DjvuCreator (DDjVu)
8. KritaCreator (KArchive)
9. OpenDocumentCreator (KArchive)
10. TextCreator (KSyntaxHighlightingEngine)
11. WindowsExeCreator
12. WindowsImageCreator

Week 5:

• Added support for building the following thumbnail creators:

1. AppImageCreator (libappimage)

• Minor patches and fixes to the build script
• Wrote the initial fuzz target and build script for KFileMetaData
• Created seed corpus for KFileMetaData from autotests data
• Added support for building the following extractors:

1. TaglibExtractor (Taglib)
2. Exiv2Extractor (LibExiv2)
3. FFMpegExtractor (FFMpeg)
4. PopplerExtractor (Poppler)
5. PlaintextExtractor
6. POExtractor
7. XMLExtractor (QtXml and KArchive)
8. PostscriptExtractor
9. ODFExtractor (KArchive)
10. Office2007Extractor (KArchive)
11. FictionBook2Extractor (KArchive)
12. KritaExtractor (KArchive)

Week 6:

• Added support for building the following extractors:

1. OfficeExtractor (CatDoc)
2. MobipocketExtractor (QMobipocket)
3. AppImageExtractor (libappimage)
4. EpubExtractor (LibEpub)

• Fixed assertion failure issue in KMime found by fuzzing
• Submitted KIO-Extras thumbnailers fuzzer for OSS-Fuzz integration
• Fixed OSS-Fuzz AFL and coverage build failures for KFileMetaData and KIO-Extras

Week 7

• Added dict files to KIO-Extras/thumbnail fuzzers
• Removed QtTools from KArchive, KCodecs, KImageFormats, and KMime fuzzer build scripts
• Switched KFileMetaData OSS-Fuzz setup from dynamic to static linking (Recommended for OSS-Fuzz)

Week 8

• Began migrating KFileMetaData OSS-Fuzz setup to CMake (initial work)
• Performed minor cleanup in extractors and core KFileMetaData code
• Started integrating KDEGraphics-Thumbnailers into OSS-Fuzz

Week 9

• Fixed memory leak in BlenderCreator (KDEGraphics-Thumbnailers) detected by LeakSanitizer
• Migrated KMime OSS-Fuzz setup to CMake; added local testing docs
• Minor cleanup in KDESDK-Thumbnailers
• Started OSS-Fuzz integration for KDESDK-Thumbnailers

Week 10

• Migrated KArchive OSS-Fuzz setup to CMake; added local testing docs
• Migrated KCodecs OSS-Fuzz setup to CMake; added local testing docs
• Began migrating KDE-Thumbnailers OSS-Fuzz setup to CMake
  • Required cleanup in KIO and KIO-Extras to allow skipping optional components unused by fuzzers
  • Updated external .pc and .cmake files to correctly handle transitive dependencies for static builds

Week 11

• Completed KFileMetaData fuzzers CMake migration; added local build docs
  • Involved similar cleanup and fixes in multiple CMake modules/pkg-config files
• Opened MRs for OSS-Fuzz integration of KDEGraphics-Thumbnailers and KDESDK-Thumbnailers
• Started work on OSS-Fuzz integration for FFmpeg thumbnailers

Week 12

• Final cleanup and addressed MR feedback

Merge Requests

• Move fuzz target and build script into KArchive, KCodecs, and KImageFormats repositories
• Submitted KMime for OSS-Fuzz integration
• Minor ECM and KIO-Extras patches
• Submitted KIO-Extras/Thumbnail, KDEGraphics-Thumbnailers, KDESDK-Thumbnailers, and FFMpeg-Thumbs for OSS-Fuzz integration
• Fix OSS-Fuzz AFL and coverage build failures for KFileMetaData and KIO-Extras
• Fixed assertion failure issue in KMime found by fuzzing
• Remove QtTools from KArchive, KCodecs, KImageFormats, and KMime fuzzer build script
• Added dict files to KIO-Extras/thumbnail fuzzers
• Split KArchive fuzzer and add dict files
• Submitted KFileMetaData for OSS-Fuzz integration
• Fixed memory leak in BlenderCreator (KDEGraphics-Thumbnailers)
• Migrated KMime OSS-Fuzz setup to use CMake
• Migrated KDE-Thumbnailers setup to use CMake
• Added option to KIO for building only KIOCore and KIOGui

Other Pull/Merge Requests

• Respect BUILD_SHARED_LIBS in libappimage
• Fix brotli library linking order for static builds and Add missing find_dependency calls in exiv2
• Fix pkg-config linking support in poppler
• Add private dependencies to squashfuse.pc

Links to Blogs and other writing

• GSoC 2025: Expanding OSS-Fuzz Integration Across KDE Libraries
• GSoC 2025: Midterm Update
• GSoC 2025: Final Update