The results are in. About 5 billion fuzz cases, a few 10 hours streams, and we found 6 unique bugs in OpenBSD ctags. All with an absolutely garbage fuzzer. Some were pretty tricky (uninit stack use, global overflows), but vecemu was able to detect em!

https://twitter.com/gamozolabs/status/1229379329248784385

https://gist.github.com/gamozolabs/ac79a6d755e44d71f5bf0659a0848265

#security #ctags #fuzzing