
Adds fuzz target for oss-fuzz integration #1972

Merged (1 commit), Jun 17, 2021

Conversation

catenacyber
Contributor

@WardF would you agree to merge this fuzz target upstream?
cf google/oss-fuzz#5389 (comment)

@catenacyber catenacyber requested a review from WardF as a code owner March 31, 2021 09:29
@CLAassistant

CLAassistant commented Mar 31, 2021

CLA assistant check
All committers have signed the CLA.

@DennisHeimbigner
Collaborator

Please provide some explanation about what this is attempting to do.

@catenacyber
Contributor Author

Dennis, this adds a fuzz target to test netcdf, especially nc_open_mem.
It will allow integration with oss-fuzz, cf. google/oss-fuzz#5389 and https://google.github.io/oss-fuzz/
It gets compiled if the LIB_FUZZING_ENGINE environment variable is defined,
for instance LIB_FUZZING_ENGINE=-fsanitize=fuzzer with clang.
Is that clearer?

@DennisHeimbigner
Collaborator

ok, but I have a couple of other questions/comments:

  1. This is a reference to an environment variable I assume: $ENV{LIB_FUZZING_ENGINE}. Can we instead do this as a cmake option flag?
  2. Is this CMake only? Should we be adding this to Automake as well?

@catenacyber
Contributor Author

ok, but I have a couple of other questions/comments:

  1. This is a reference to an environment variable I assume: $ENV{LIB_FUZZING_ENGINE}. Can we instead do this as a cmake option flag?

Indeed, it is an environment variable.
We can make a cmake option.
Do you want something like -DENABLE_FUZZ=ON?
In this case, do you want the fuzzing driver to be set to -fsanitize=fuzzer (i.e. libFuzzer) by default, and to the environment variable LIB_FUZZING_ENGINE if it is set?
Oss-fuzz uses different values of LIB_FUZZING_ENGINE for libFuzzer, afl, and honggfuzz.

  2. Is this CMake only? Should we be adding this to Automake as well?

It can be added as well.
Does it bring additional value?

@DennisHeimbigner
Collaborator

I was thinking more about having a FINDFUZZ package for cmake.
As for Automake, we tend to use that much more than cmake for our
testing. But I can certainly use the CMake fixes to add it to automake.

Also, is this clang/llvm specific? We use gcc as a rule.

@catenacyber
Contributor Author

having a FINDFUZZ package for cmake

I do not know that much about cmake...
Could you point me to some example?

As for Automake, we tend to use that much more than cmake for our
testing.

I can also make it for automake instead of cmake...

Also, is this clang/llvm specific? We use gcc as a rule.

I think you can compile with gcc.
But if you want to have libFuzzer as a fuzzing engine, you need to compile it into a static library first.
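The CMake gating discussed in this thread (an ENABLE_FUZZ option, LIB_FUZZING_ENGINE honoured when OSS-Fuzz exports it, libFuzzer's -fsanitize=fuzzer as the local default) together with the gcc caveat just above, as an added example that is not the PR's own CMakeLists change; the target name `ncfuzz`, the harness path `fuzz/ncfuzz.c` and the `netcdf` library target are assumptions:

```cmake
# Added example, not the PR's own change. Build the nc_open_mem fuzz target
# only when explicitly requested, instead of keying on an environment variable.
option(ENABLE_FUZZ "Build the nc_open_mem fuzz target" OFF)

if(ENABLE_FUZZ)
  if(DEFINED ENV{LIB_FUZZING_ENGINE})
    # OSS-Fuzz exports this; its value differs for libFuzzer, AFL and
    # honggfuzz (a flag for libFuzzer, a driver archive for the others),
    # so it is passed through untouched.
    set(FUZZING_ENGINE "$ENV{LIB_FUZZING_ENGINE}")
    set(FUZZ_LOCAL_LIBFUZZER OFF)
  else()
    # Local default: clang's built-in libFuzzer driver.
    set(FUZZING_ENGINE "-fsanitize=fuzzer")
    set(FUZZ_LOCAL_LIBFUZZER ON)
  endif()

  if(FUZZ_LOCAL_LIBFUZZER AND NOT CMAKE_C_COMPILER_ID MATCHES "Clang")
    # gcc has no -fsanitize=fuzzer; as noted above, a gcc build needs a
    # prebuilt static libFuzzer passed via LIB_FUZZING_ENGINE instead.
    message(FATAL_ERROR
      "ENABLE_FUZZ with the libFuzzer default requires clang; "
      "set LIB_FUZZING_ENGINE to a prebuilt fuzzing driver for gcc")
  endif()

  # fuzz/ncfuzz.c is an assumed file name for the harness that feeds each
  # input to nc_open_mem and closes the file on success.
  add_executable(ncfuzz fuzz/ncfuzz.c)

  if(FUZZ_LOCAL_LIBFUZZER)
    # Compile-time coverage instrumentation for the local libFuzzer build;
    # under OSS-Fuzz the instrumentation already comes from $CFLAGS.
    target_compile_options(ncfuzz PRIVATE -fsanitize=fuzzer)
  endif()

  # Items starting with '-' are treated as link flags, so this works both
  # for "-fsanitize=fuzzer" and for a path to a driver archive.
  target_link_libraries(ncfuzz PRIVATE netcdf ${FUZZING_ENGINE})
endif()
```

Configure with `cmake -DENABLE_FUZZ=ON` and clang for a local libFuzzer build, or export LIB_FUZZING_ENGINE first to mirror the OSS-Fuzz build.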

@catenacyber
Contributor Author

Friendly ping @DennisHeimbigner
What is the status for this?
Do I need to do something?

@WardF
Member

WardF commented Jun 14, 2021

@catenacyber Thank you for your patience, I'm reviewing this PR this morning and will either merge or follow up. Thanks!
