Subject: [boost] Boost multiprecision differential fuzzer running on Google's oss-fuzz
From: Guido Vranken (guidovranken_at_[hidden])
Date: 2018-05-25 15:55:38
I built a bignum differential fuzzer  that has been running on
Google's oss-fuzz service  for a while. It performs the same
mathematical operations (addition, subtraction, multiplication,
modular exponentation, etc) across multiple bignum libraries (eg.
OpenSSL + Boost multiprecision), compares their results and crashes if
they don't match. This effort has so far found a couple of (minor)
bugs in OpenSSL and Go.
As soon as a mismatch is found, oss-fuzz will send a notification
e-mail to the developers of the various bignum libraries so the bug
can be examined and resolved. At which e-mail address(es) do the
developers of Boost wish to receive these notifications? Please bear
in mind that the notifications will contain potentially
security-sensitive information so the recipient may not be a public
mailing list. Currently, a potential bug is found only every couple of
weeks, so recipients do not have to worry about a lot of incoming
If you wish to write comments to the fuzzer's private bug tracker, the
e-mail you specify must be linked to a Google account.
To all others who are reading this, please feel welcome to submit pull
requests to the Boost multiprecision module of my fuzzer  if these
modifications increase the scope (code coverage) and probability of
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk