libcss: add oss-fuzz support for libcss

[boxerab]

Libcss is a lightweight, open-source CSS parsing and selection library from the NetSurf project. It processes CSS inputs, handling parsing, preprocessing (e.g., ::cue, ID selectors), and style selection via libcss APIs. Fuzzing libcss is critical due to its exposure to untrusted CSS inputs in multimedia pipelines, where malformed stylesheets could trigger crashes, memory corruption, or undefined behavior. Adding this fuzzer to OSS-Fuzz enhances security by testing the parser against random inputs, covering key functions like css_stylesheet_append_data and css_select_style, and detecting potential vulnerabilities in real-world use cases.

The fuzzer, css_parse_fuzzer.cc, targets the core parsing logic from gstcssparse.c and uses Meson for building libcss and its submodules (libwapcaplet, libparserutils).

[github-actions]

boxerab is integrating a new project:
- Main repo: https://gitlab.collabora.com/libcss/libcss.git
- Criticality score: N/A

[DavidKorczynski]

Are you a maintainer of this project? When I look at https://gitlab.collabora.com/libcss/libcss it doesn't seem to match the official one here: https://www.netsurf-browser.org/projects/libcss/ -- the git in the official is different and the git logs have divergence as well.

Who are some of the critical users of this project?

[DavidKorczynski]

see my above comment

[boxerab]

Hi David, I have asked the maintainers about adding libcss to oss-fuzz on the netsurf forum, but they have not responded and do not seem interested.

My repo is almost identical to the netsurf repo except I have added meson build support - the netsurf libcss will not build independently.

I would like to use libcss in another project, GStreamer, and GStreamer maintainers want to have some confidence in code security, so that is why I am submitting the code to oss-fuzz. Any security issues I fix will be submitted back to netsurf libcss as PRs.

Here is GStreamer merge request