
Notes on fuzzing ImageMagick and GraphicsMagick - yodon
https://alexgaynor.net/2019/feb/05/notes-fuzzing-imagemagick-graphicsmagick/
======
jrochkind1
[libvips](https://jcupitt.github.io/libvips/)
is a pretty amazing replacement for IM/GM -- for the overlapping
functionality, IM/GM still do some things vips doesn't, and vips will
depending on how it was compiled in some functional paths call out to IM/GM as
a dependency, too.

But for some tasks I was doing, I found that vips could accomplish the tasks I
was doing in IM in up to an _order of magnitude_ less RAM _and_ CPU time. (GM
was getting me more like 10% improvement at best).

It would be sweet if they'd add vips as a fuzzing target too.

~~~
nslocum
You linked to a fork of libvips; the original is
[https://github.com/libvips/libvips](https://github.com/libvips/libvips)

~~~
jrochkind1
Oops, you're right. jcupitt is the creator and principal maintainer of
libvips, but I guess I linked to his "personal copy" git repo (which comes up
first on Google!).

You linked to a git repo, I linked to docs, but here's docs with internal
links to the 'official' repo.

[https://libvips.github.io/libvips/](https://libvips.github.io/libvips/)

------
metzmanj
btw, ClusterFuzz, the infrastructure behind OSS-Fuzz, was open sourced today:
[https://news.ycombinator.com/item?id=19106771](https://news.ycombinator.com/item?id=19106771)

------
s3krit
Does anyone have any good resources for someone with reverse-engineering and
security CTF experience looking to get into fuzzing?

~~~
stevekemp
"fuzzing intro", "fuzzing tutorial" will no doubt point you at suitable
content.

I started with AFL, via this piece:

[https://lwn.net/Articles/657959/](https://lwn.net/Articles/657959/)

------
jordache
Is there a good GUI to IM / GM? I like CLI typically, but not in this case.
Their parameters are just too verbose and obscure.

~~~
nothanksmydude
Photoshop

~~~
h1d
Way overkill

