<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>KDE on Azhar Momin</title><link>https://amazingakai.github.io/tags/kde/</link><description>Recent content in KDE on Azhar Momin</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Sat, 30 Aug 2025 20:00:00 +0530</lastBuildDate><atom:link href="https://amazingakai.github.io/tags/kde/index.xml" rel="self" type="application/rss+xml"/><item><title>GSoC 2025: Expanding OSS-Fuzz Integration Across KDE Libraries (Final Update)</title><link>https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries-final-blog/</link><pubDate>Sat, 30 Aug 2025 20:00:00 +0530</pubDate><guid>https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries-final-blog/</guid><description>&lt;p&gt;Hello everyone, this is going to be the final blog post of my GSoC 2025 project. In this post, I will summarize the progress made during the project and discuss the future plans for expanding OSS-Fuzz integration across KDE libraries.&lt;/p&gt;
&lt;h3 id="quick-recap-of-progress"&gt;Quick Recap Of Progress&lt;/h3&gt;
&lt;p&gt;So far, I had integrated several KDE libraries into OSS-Fuzz, including KMime, KIO-Extras/thumbnail, and KFileMetaData (submitted for integration).&lt;/p&gt;
&lt;p&gt;I have also moved existing projects from the OSS-Fuzz repository to KDE repositories.&lt;/p&gt;
&lt;h2 id="progress-after-midterm"&gt;Progress After Midterm&lt;/h2&gt;
&lt;p&gt;After midterm, in the first half I focused on integrating new thumbnailers into OSS-Fuzz. I had already integrated KIO-Extras/thumbnail, and I continued with KDEGraphics-Thumbnailers, KDESDK-Thumbnailers, and FFMpeg-Thumbs.&lt;/p&gt;
&lt;p&gt;After that, I mostly worked on improving the existing integration, i.e., testing the fuzzers and fixing any issues, moving to a CMake-based setup instead of manual compilation of the fuzzers, and adding documentation for local testing of the fuzzers.&lt;/p&gt;
&lt;p&gt;The CMake setup allowed for easier maintenance; however, it wasn&amp;rsquo;t as simple as it may seem. Since OSS-Fuzz recommends using static builds, many of the libraries didn&amp;rsquo;t link to their transitive dependencies correctly for static builds. This required changes to those libraries (.pc files, .cmake files, etc.) for proper static linking.&lt;/p&gt;
&lt;p&gt;The existing setup also lacked documentation for local testing of the fuzzers. I have added documentation for almost all of the fuzzers. This will be helpful for developers to integrate new fuzzers (such as new thumbnailers or KFileMetaData extractors).&lt;/p&gt;
&lt;h2 id="future-plans"&gt;Future Plans&lt;/h2&gt;
&lt;p&gt;With the initial setup of thumbnailers and KFileMetaData, it is easy to integrate new thumbnailers and KFileMetaData extractors. Currently there are a few more thumbnailers that could be integrated into OSS-Fuzz, and I plan to work on integrating them soon as well. The list is here:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/office/calligra/-/tree/master/extras/thumbnail"&gt;Calligra Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/pim/itinerary/-/tree/master/src/thumbnailer"&gt;Itinerary Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/sdk/kde-dev-utils/-/blob/master/kuiviewer/quicreator.cpp"&gt;Qui Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/multimedia/kdenlive/-/tree/master/thumbnailer"&gt;MLT Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/network/konqueror/-/tree/master/plugins/webarchiver/thumbnailer"&gt;WebArchive Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/games/palapeli/-/tree/master/mime"&gt;Pala Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/plasma/plasma-workspace/-/tree/master/kcms/kfontinst/thumbnail"&gt;Font Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="links"&gt;Links&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Intro Blog post: &lt;a href="https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries"&gt;amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Midterm Blog post: &lt;a href="https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries-midterm-blog"&gt;amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries-midterm-blog&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;h3 id="thank-you"&gt;Thank You&lt;/h3&gt;
&lt;p&gt;I would like to thank my mentor, Albert Astals Cid, and the KDE community for their guidance throughout this project. Their feedback was helpful in successfully expanding OSS-Fuzz integration across KDE libraries.&lt;/p&gt;</description></item><item><title>GSoC 2025: Expanding OSS-Fuzz Integration Across KDE Libraries (Midterm Update)</title><link>https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries-midterm-blog/</link><pubDate>Wed, 23 Jul 2025 20:00:00 +0530</pubDate><guid>https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries-midterm-blog/</guid><description>&lt;p&gt;Hello everyone! Midterm evaluations are here, and I wanted to share an update on my GSoC project. Here&amp;rsquo;s what I&amp;rsquo;ve accomplished so far:&lt;/p&gt;
&lt;h3 id="progress-so-far"&gt;Progress So Far&lt;/h3&gt;
&lt;h4 id="migration-of-existing-fuzz-targets"&gt;Migration of Existing Fuzz Targets&lt;/h4&gt;
&lt;p&gt;The first step was migrating the existing build scripts and fuzz targets from the OSS-Fuzz repository into the respective KDE repositories. Maintaining them within the OSS-Fuzz repo added a bit of friction when making changes. Having them in KDE repos makes it easier to maintain and update them.&lt;/p&gt;
&lt;h4 id="karchive-fuzzer"&gt;KArchive Fuzzer&lt;/h4&gt;
&lt;p&gt;Then I worked on the &lt;strong&gt;KArchive&lt;/strong&gt; fuzzer, making two main changes. The first was to split the fuzzer into separate targets for each archive format (like zip, tar, 7z, etc.) to improve coverage. The second was to add libFuzzer dictionary files to guide the fuzzing process better. Here is an image showing the coverage after these changes:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://amazingakai.github.io/images/gsoc-2025-oss-fuzz-karchive-fuzzer.png" alt="KArchive Fuzzer"&gt;&lt;/p&gt;
&lt;p&gt;This coverage was tested using a local corpus and it is pretty solid for just fuzzing the &amp;ldquo;reading&amp;rdquo; part. The coverage will increase on OSS-Fuzz over time as the corpus keeps growing. Splitting the fuzzer into multiple targets allows the fuzzer to focus on specific archive formats, which keeps the corpus size smaller and more efficient.&lt;/p&gt;
&lt;h4 id="kmime-fuzzer"&gt;KMime Fuzzer&lt;/h4&gt;
&lt;p&gt;After that, I focused on &lt;strong&gt;KMime&lt;/strong&gt;. I created a fuzz target for it, which focused on just the MIME parsing functionality. The parsing part of KMime is critical as it handles untrusted input, such as emails (in KMail).&lt;/p&gt;
&lt;p&gt;&lt;img src="https://amazingakai.github.io/images/gsoc-2025-oss-fuzz-kmime-fuzzer.png" alt="KMime Fuzzer"&gt;&lt;/p&gt;
&lt;p&gt;For KMime, I also added a libFuzzer-style dictionary file to help guide the fuzzing process. This helps the fuzzer generate more meaningful inputs, which can improve coverage and help the fuzzer reach deeper code paths.&lt;/p&gt;
&lt;h4 id="kde-thumbnailers-fuzzer"&gt;KDE Thumbnailers Fuzzer&lt;/h4&gt;
&lt;p&gt;After KMime, I moved on to &lt;strong&gt;KDE Thumbnailers&lt;/strong&gt;. I created a fuzzer for the thumbnailers that are used in KDE applications to generate previews of files. This is important as it handles untrusted input from various file formats, such as images, documents, etc. KDE has a lot of thumbnailers; I started with the thumbnailers in the &lt;strong&gt;KIO-Extras&lt;/strong&gt; repository, which includes thumbnailers for various file formats like images, videos, documents, etc.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;KDE Thumbnailers&lt;/strong&gt; were tricky to fuzz because they aren&amp;rsquo;t standalone. They depend on KIO and KIOGui, which are pretty heavy and pull in a bunch of dependencies not required for thumbnailing. Building the full KIO stack inside OSS-Fuzz would have made the build process slow and complicated.&lt;/p&gt;
&lt;p&gt;To avoid that, I wrote a custom build script that compiles just the thumbnailer source files and their direct dependencies. That keeps the fuzzers lightweight and focused only on the thumbnailing functionality.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://amazingakai.github.io/images/gsoc-2025-oss-fuzz-kde-thumbnailers-fuzzer.png" alt="KDE Thumbnailers Fuzzer"&gt;&lt;/p&gt;
&lt;p&gt;For these thumbnailers, I also created a dictionary file for each thumbnailer separately for the same reason as KMime.&lt;/p&gt;
&lt;h4 id="kfilemetadata-fuzzer"&gt;KFileMetaData Fuzzer&lt;/h4&gt;
&lt;p&gt;Lastly, I worked on &lt;strong&gt;KFileMetaData&lt;/strong&gt;. This library is used to extract metadata from files, such as images, videos, documents, etc. Same as KDE Thumbnailers, it handles untrusted input from various file formats, so fuzzing it is important to ensure it can handle malformed or unexpected data gracefully.&lt;/p&gt;
&lt;p&gt;Initially, I made a single fuzzer that used the Qt plugin system to load metadata extractors and ran the extractors based on content mimetype. However, this required using dynamic libraries, which is not great for OSS-Fuzz integration. So I split the fuzzer into multiple targets, one for each extractor, and compiled them statically. This way, each fuzzer is focused on a specific extractor and doesn&amp;rsquo;t depend on dynamic linking.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://amazingakai.github.io/images/gsoc-2025-oss-fuzz-kfilemetadata-fuzzer.png" alt="KFileMetaData Fuzzer"&gt;&lt;/p&gt;
&lt;p&gt;The thumbnailers and KFileMetaData currently have the highest coverage among all the fuzzers I&amp;rsquo;ve created so far, which is great! The coverage will improve and reach closer to 100% for them as the corpus grows on OSS-Fuzz.&lt;/p&gt;
&lt;h3 id="whats-next"&gt;What&amp;rsquo;s Next&lt;/h3&gt;
&lt;p&gt;There are still many more libraries that could benefit from OSS-Fuzz integration. Here are some that I plan to work on next:&lt;/p&gt;
&lt;h4 id="more-thumbnailers"&gt;More Thumbnailers&lt;/h4&gt;
&lt;p&gt;KDE maintains a large number of thumbnailer plugins, and I intend to integrate as many of them as possible. The next ones on my list (provided by Albert Astals Cid) include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/office/calligra/-/tree/master/extras/thumbnail"&gt;Calligra Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/pim/itinerary/-/tree/master/src/thumbnailer"&gt;Itinerary Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/sdk/kde-dev-utils/-/blob/master/kuiviewer/quicreator.cpp"&gt;Qui Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/graphics/kdegraphics-thumbnailers"&gt;KDE Graphics Thumbnailers&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/multimedia/kdenlive/-/tree/master/thumbnailer"&gt;MLT Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/sdk/kdesdk-thumbnailers"&gt;KDE SDK Thumbnailers&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/network/konqueror/-/tree/master/plugins/webarchiver/thumbnailer"&gt;WebArchive Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/games/palapeli/-/tree/master/mime"&gt;Pala Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://invent.kde.org/plasma/plasma-workspace/-/tree/master/kcms/kfontinst/thumbnail"&gt;Font Thumbnailer&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4 id="okular-generators--qmobipocket"&gt;Okular Generators &amp;amp; QMobipocket&lt;/h4&gt;
&lt;p&gt;&lt;a href="https://invent.kde.org/graphics/kdegraphics-mobipocket/"&gt;QMobipocket&lt;/a&gt; is a library used by Okular for reading &lt;code&gt;.mobi&lt;/code&gt; files. It parses Mobipocket documents and could benefit from fuzzing to identify edge cases and potential vulnerabilities.&lt;/p&gt;
&lt;p&gt;Okular also includes several &lt;a href="https://invent.kde.org/graphics/okular/-/tree/master/generators"&gt;generators&lt;/a&gt; responsible for rendering various document formats. While most rely on third-party libraries, a few include custom code that has not yet been fuzzed. These components may be susceptible to bugs triggered by malformed files.&lt;/p&gt;
&lt;p&gt;Fuzzing these generators is a bit tricky, since building the full Okular application and all its dependencies would slow down the build process and make its maintenance harder. To address this, I plan to build only the relevant generator source files and their minimal dependencies, similar to the approach I used for KDE thumbnailers.&lt;/p&gt;
&lt;h4 id="kcontacts-vcard-parser"&gt;KContacts (VCard Parser)&lt;/h4&gt;
&lt;p&gt;&lt;a href="https://invent.kde.org/frameworks/kcontacts"&gt;KContacts&lt;/a&gt; is a KDE framework for handling contact data. It includes a VCard parser that reads &lt;code&gt;.vcf&lt;/code&gt; files. Although the format is relatively simple, it supports multiple character encodings and codecs, making it an interesting candidate for fuzz testing.&lt;/p&gt;
&lt;h3 id="links"&gt;Links&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Intro Blog post: &lt;a href="https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries"&gt;amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That&amp;rsquo;s it for now. If you&amp;rsquo;re working on/know a KDE library that touches untrusted input and could benefit from fuzzing, please let me know! You can reach me on &lt;a href="https://matrix.to/#/@azharmomin:kde.org"&gt;Matrix&lt;/a&gt; or &lt;a href="mailto:azhar.momin@kdemail.net"&gt;Email&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>GSoC 2025: Expanding OSS-Fuzz Integration Across KDE Libraries</title><link>https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries/</link><pubDate>Tue, 13 May 2025 20:00:00 +0530</pubDate><guid>https://amazingakai.github.io/posts/gsoc-2025-expanding-oss-fuzz-integration-across-kde-libraries/</guid><description>&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;Hello! I&amp;rsquo;m Azhar, a Computer Science student who loves OSS projects and contributing to KDE. This summer, I&amp;rsquo;m excited to be working on the &lt;a href="https://summerofcode.withgoogle.com/programs/2025/projects/HGa6a2Vn"&gt;Google Summer of Code (GSoC) project&lt;/a&gt; at &lt;a href="https://community.kde.org"&gt;KDE Community&lt;/a&gt; to integrate more KDE libraries into OSS-Fuzz.&lt;/p&gt;
&lt;p&gt;While KDE already has some libraries integrated into OSS-Fuzz, such as &lt;a href="https://invent.kde.org/frameworks/karchive"&gt;KArchive&lt;/a&gt;, &lt;a href="https://invent.kde.org/frameworks/kimageformats"&gt;KImageFormats&lt;/a&gt;, and &lt;a href="https://invent.kde.org/frameworks/kcodecs"&gt;KCodecs&lt;/a&gt;, there are many more libraries that could benefit from this integration. The goal of this project is to expand the coverage of OSS-Fuzz across KDE libraries, making them more secure and reliable.&lt;/p&gt;
&lt;h2 id="what-is-oss-fuzz"&gt;What is OSS-Fuzz?&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://github.com/google/oss-fuzz"&gt;OSS-Fuzz&lt;/a&gt; is a SaaS by Google to automatically find bugs and vulnerabilities in open-source projects through fuzz testing. Fuzzing involves feeding random or unexpected data into software to uncover vulnerabilities that might otherwise go unnoticed. OSS-Fuzz continuously runs fuzz tests on the integrated open-source projects, reporting any crashes or issues found. This helps maintainers identify and fix bugs quickly, improving the overall quality of the software.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;As of May 2025, OSS-Fuzz has helped identify and fix over 13,000 vulnerabilities and 50,000 bugs across 1,000 projects.&lt;br&gt;
&lt;em&gt;Source: &lt;a href="https://github.com/google/oss-fuzz?tab=readme-ov-file#trophies"&gt;OSS-Fuzz GitHub repository&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;img src="https://amazingakai.github.io/images/gsoc-2025-oss-fuzz-overview.png" alt="Overview of OSS-Fuzz"&gt;&lt;br&gt;
&lt;em&gt;Image from &lt;a href="https://github.com/google/oss-fuzz"&gt;OSS-Fuzz GitHub repository&lt;/a&gt;, licensed under &lt;a href="https://www.apache.org/licenses/LICENSE-2.0"&gt;Apache 2.0&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="project-goals"&gt;Project Goals&lt;/h2&gt;
&lt;p&gt;The main goal of this project is to integrate more KDE libraries into OSS-Fuzz. This involves:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Identifying libraries&lt;/strong&gt;: Analyzing the existing KDE libraries and identifying those that would benefit from OSS-Fuzz integration.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Creating fuzz targets&lt;/strong&gt;: Writing fuzz targets for the identified libraries. A fuzz target is a specific function or API that will be tested with random data.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Integrating with OSS-Fuzz&lt;/strong&gt;: Setting up the integration with OSS-Fuzz, including creating a Dockerfile and a build script.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Testing and debugging&lt;/strong&gt;: Running the fuzz tests and debugging any issues that arise during the process.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The objective is to integrate as many KDE libraries as possible into OSS-Fuzz by the end of the GSoC period, thereby enhancing the overall security and reliability of KDE software.&lt;/p&gt;
&lt;h2 id="initial-libraries"&gt;Initial Libraries&lt;/h2&gt;
&lt;p&gt;The following libraries have been identified for initial integration into OSS-Fuzz:&lt;/p&gt;
&lt;h3 id="kfilemetadata"&gt;KFileMetaData&lt;/h3&gt;
&lt;p&gt;&lt;a href="https://invent.kde.org/frameworks/kfilemetadata"&gt;KFileMetaData&lt;/a&gt; is a library for reading and writing metadata in files. It supports various file formats, including images, audio, and video files. KFileMetaData is used by &lt;a href="https://invent.kde.org/frameworks/baloo"&gt;Baloo&lt;/a&gt; for indexing purposes. This means that many files may be processed by KFileMetaData without the user&amp;rsquo;s knowledge, making it a critical library to fuzz.&lt;/p&gt;
&lt;h3 id="kmime"&gt;KMime&lt;/h3&gt;
&lt;p&gt;&lt;a href="https://invent.kde.org/frameworks/kmime"&gt;KMime&lt;/a&gt; is a library to assist handling MIME data. It provides classes for parsing MIME messages. KMime is used by various KDE applications, including KMail. This again means that the library may process malformed or unexpected data without the user&amp;rsquo;s knowledge.&lt;/p&gt;
&lt;h3 id="kde-thumbnailers"&gt;KDE-Thumbnailers&lt;/h3&gt;
&lt;p&gt;KDE has many thumbnailer libraries, such as &lt;a href="https://invent.kde.org/graphics/kdegraphics-thumbnailers"&gt;KDE-Graphics-Thumbnailers&lt;/a&gt;. These libraries are used to generate thumbnails for various file formats, including images, videos, and documents. These thumbnailers are used by Dolphin/KIO to generate previews of files and can be exposed to untrusted data.&lt;/p&gt;
&lt;h2 id="conclusion"&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Integrating KDE libraries into OSS-Fuzz is an important step towards improving the security and reliability of KDE software. Expanding OSS-Fuzz coverage to more libraries will help KDE maintainers quickly identify and fix bugs before they become problems for users.&lt;/p&gt;</description></item></channel></rss>