VLC Media Player and Fuzz testing
Software bugs and vulnerabilities can be difficult to detect and slow to find, even when actively searched for, because developers and users mostly notice superficial functional and visual bugs.
In large software, especially software written in languages like C/C++ that leave memory management to the programmer, security bugs and vulnerabilities can often be used to compromise the whole system.
One alternative to human QA testing is automated software testing, such as fuzzing, where random, invalid or unexpected data is provided as input to a program while the program is watched for crashes, hangs and assertion failures.
Fuzzing is often more cost-effective than systematic testing techniques [1]. High-profile CVEs such as Heartbleed (April 2014) and Shellshock (September 2014) could have been found with fuzzing [2][3].
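To make the idea concrete, here is a minimal mutation-based fuzzer written for this post; it is an added example, not VLC code and not any VideoLAN tooling. It parses a constructed toy box format (size-prefixed boxes loosely modelled on media containers, invented for the example) whose parser trusts a declared size and a declared element count, the same bug class as an out-of-bounds read in a C demuxer. The fuzzer takes a seed file, stacks a few random mutations (bit flips, byte overwrites, truncation, slice duplication), runs the parser, treats the parser's own `ValueError` as a clean rejection and anything else as a crash, and then greedily minimizes the crashing input. All names (`parse_boxes`, `mutate`, `fuzz`, `minimize`) and the format are assumptions for the example:

```python
import random
import struct

# Constructed toy container format for this example (not a VLC or real-world
# format): a file is a sequence of boxes, each
#   <u32 big-endian size><4-byte type><payload>
# where size includes the 8-byte header. A "meta" box payload is
#   <u16 big-endian count><count bytes of values>
# and any other box type is skipped.


def parse_boxes(data: bytes) -> list:
    """Parse the toy format into a list of (type, values-or-None).

    Deliberately buggy: the declared box size and the declared value count are
    trusted, which is the bug class behind many out-of-bounds reads in demuxers.
    """
    boxes = []
    pos = 0
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated box header")          # graceful rejection
        size, kind = struct.unpack_from(">I4s", data, pos)
        if size < 8:
            raise ValueError("box size smaller than header")  # graceful rejection
        payload = data[pos + 8:pos + size]                    # BUG: size not checked against len(data)
        if kind == b"meta":
            count = struct.unpack_from(">H", payload)[0]      # struct.error if payload < 2 bytes
            values = [payload[2 + i] for i in range(count)]   # BUG: count unchecked -> IndexError
            boxes.append((kind, values))
        else:
            boxes.append((kind, None))
        pos += size
    return boxes


def box(kind: bytes, payload: bytes) -> bytes:
    """Build one well-formed box (used only to construct the seed corpus)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


# Constructed seed: one valid "meta" box with three values, then an empty "free" box.
SEED_CORPUS = [box(b"meta", struct.pack(">H", 3) + bytes([10, 20, 30])) + box(b"free", b"")]

INTERESTING = [0, 1, 0x7F, 0x80, 0xFF]   # boundary values that often trip length logic


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one to three random byte-level mutations to an input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:                      # flip a single bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                    # overwrite a byte with an interesting value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 2 and buf:                    # truncate the input
            del buf[rng.randrange(len(buf)):]
        else:                                    # duplicate a random slice (grows the input)
            a = rng.randrange(len(buf) + 1)
            b = rng.randrange(a, len(buf) + 1)
            buf[b:b] = buf[a:b]
    return bytes(buf)


def reproduces(data: bytes) -> bool:
    """True if the parser raises anything other than its own clean ValueError."""
    try:
        parse_boxes(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def fuzz(seed_corpus, iterations: int, rng_seed: int = 0):
    """Mutation fuzz loop. Returns (crash_input, exception) for the first crash, else None."""
    rng = random.Random(rng_seed)                # fixed seed so the campaign is reproducible
    corpus = list(seed_corpus)
    seen_box_counts = set()
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            boxes = parse_boxes(candidate)
        except ValueError:
            continue                             # rejected cleanly: not a bug
        except Exception as exc:                 # IndexError, struct.error, ...: a real bug
            return candidate, exc
        # Crude feedback: keep inputs that reach a box count not seen before.
        if len(boxes) not in seen_box_counts:
            seen_box_counts.add(len(boxes))
            corpus.append(candidate)
    return None


def minimize(data: bytes) -> bytes:
    """Greedy minimizer: drop every byte whose removal still reproduces the crash."""
    i = 0
    while i < len(data):
        trial = data[:i] + data[i + 1:]
        if reproduces(trial):
            data = trial
        else:
            i += 1
    return data


if __name__ == "__main__":
    found = fuzz(SEED_CORPUS, iterations=3000, rng_seed=1)
    if found is None:
        print("no crash found")
    else:
        crash, exc = found
        print("crash:", type(exc).__name__, exc)
        print("minimized input:", minimize(crash).hex())
```

Real fuzzers (AFL, libFuzzer) replace the "new box count" feedback with compiler-instrumented edge coverage and run the target under AddressSanitizer so that out-of-bounds reads in C abort instead of silently returning garbage; the loop structure, the seed corpus and the crash minimization step are the same.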
Media processing is inherently complex, and media code usually contains lots of security and stability issues; take Stagefright, or Google's "FFmpeg and a thousand fixes", for example.
Fuzzing VLC, one of the most popular desktop and mobile media players, should therefore seem like a no-brainer.
Indeed, this was one of the project ideas and my proposal to VideoLAN for fuzz testing VLC as part of GSoC 2017. VideoLAN accepted my proposal and invited me to their office in Paris for a "GSoC conference" to discuss the project, help set it up and get me started.