Add new project: raylib

raylib is a C game development library (~23K stars) with built-in
model file parsers for OBJ, IQM, GLTF, VOX, and M3D formats. All
parsers process untrusted input when users load model files in games,
modding tools, and asset pipelines.

This adds a libFuzzer harness targeting raylib's model loading
dispatch (LoadModel → LoadOBJ/LoadIQM/LoadGLTF/LoadVOX/LoadM3D)
with GPU/windowing stubs for headless fuzzing.

Sanitizers: ASan + UBSan. Engines: libFuzzer, AFL, honggfuzz.

Author: Sheri98

projects/raylib/Dockerfile

@@ -0,0 +1,28 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    cmake make && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN git clone --depth 1 https://github.com/raysan5/raylib.git $SRC/raylib
+
+COPY build.sh $SRC/
+COPY raylib_fuzz_model.c $SRC/
+COPY raylib_stubs.c $SRC/
+COPY raylib_model.dict $SRC/

projects/raylib/build.sh

@@ -0,0 +1,51 @@
+#!/bin/bash -eu
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/raylib
+
+$CC $CFLAGS -I./src -I./src/external \
+    -DSUPPORT_TRACELOG=0 -DPLATFORM_DESKTOP -DGRAPHICS_API_OPENGL_33 \
+    -c ./src/rmodels.c -o rmodels.o
+
+$CC $CFLAGS -I./src -I./src/external \
+    -DSUPPORT_TRACELOG=0 -DPLATFORM_DESKTOP -DGRAPHICS_API_OPENGL_33 \
+    -c $SRC/raylib_stubs.c -o raylib_stubs.o
+
+$CC $CFLAGS -I./src \
+    -DRAYMATH_IMPLEMENTATION \
+    -c -x c /dev/null -include ./src/raymath.h -o raymath_impl.o 2>/dev/null || \
+    echo 'extern int raymath_dummy;' | $CC $CFLAGS -c -x c - -o raymath_impl.o
+
+$CC $CFLAGS -I./src -I./src/external \
+    -DSUPPORT_TRACELOG=0 -DPLATFORM_DESKTOP -DGRAPHICS_API_OPENGL_33 \
+    $SRC/raylib_fuzz_model.c rmodels.o raylib_stubs.o raymath_impl.o \
+    $LIB_FUZZING_ENGINE -lm -lpthread \
+    -o $OUT/raylib_fuzz_model
+
+cp $SRC/raylib_model.dict $OUT/raylib_fuzz_model.dict
+
+mkdir -p /tmp/raylib_seeds
+printf '\x00# OBJ\nv 0.0 0.0 0.0\nv 1.0 0.0 0.0\nv 0.0 1.0 0.0\nf 1 2 3\n' > /tmp/raylib_seeds/seed_obj
+printf '\x01INTERQUAKEMODEL\x00\x02\x00\x00\x00' > /tmp/raylib_seeds/seed_iqm
+dd if=/dev/zero bs=1 count=100 >> /tmp/raylib_seeds/seed_iqm 2>/dev/null
+printf '\x02{"asset":{"version":"2.0"}}' > /tmp/raylib_seeds/seed_gltf
+printf '\x04VOX \x96\x00\x00\x00' > /tmp/raylib_seeds/seed_vox
+dd if=/dev/zero bs=1 count=50 >> /tmp/raylib_seeds/seed_vox 2>/dev/null
+printf '\x053DMO' > /tmp/raylib_seeds/seed_m3d
+dd if=/dev/zero bs=1 count=50 >> /tmp/raylib_seeds/seed_m3d 2>/dev/null
+
+cd /tmp/raylib_seeds && zip -q -j $OUT/raylib_fuzz_model_seed_corpus.zip *

projects/raylib/project.yaml

@@ -0,0 +1,17 @@
+homepage: "https://github.com/raysan5/raylib"
+language: c
+primary_contact: "shravankumarsheri39@gmail.com"
+auto_ccs:
+  - "shravankumarsheri39@gmail.com"
+main_repo: "https://github.com/raysan5/raylib.git"
+file_github_issue: true
+sanitizers:
+  - address
+  - undefined
+architectures:
+  - x86_64
+fuzzing_engines:
+  - libfuzzer
+  - afl
+  - honggfuzz
+vendor_ccs: []

projects/raylib/raylib_fuzz_model.c

@@ -0,0 +1,77 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+// raylib model loader fuzzer harness
+// Targets: OBJ, IQM, GLTF, VOX, M3D parsers
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "raylib.h"
+
+static const char *extensions[] = {
+    ".obj", ".iqm", ".gltf", ".glb", ".vox", ".m3d",
+};
+#define NUM_EXTENSIONS 6
+#define MAX_INPUT_SIZE (256 * 1024)
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 2 || size > MAX_INPUT_SIZE) return 0;
+
+    int ext_idx = data[0] % NUM_EXTENSIONS;
+    const uint8_t *payload = data + 1;
+    size_t payload_size = size - 1;
+
+    char tmppath[256];
+    snprintf(tmppath, sizeof(tmppath), "/dev/shm/fuzz_raylib_%d%s",
+             getpid(), extensions[ext_idx]);
+
+    FILE *f = fopen(tmppath, "wb");
+    if (!f) return 0;
+    fwrite(payload, 1, payload_size, f);
+    fclose(f);
+
+    Model model = LoadModel(tmppath);
+
+    // Manual cleanup to avoid GPU stub issues in UnloadModel
+    if (model.meshes != NULL) {
+        for (int i = 0; i < model.meshCount; i++) {
+            RL_FREE(model.meshes[i].vertices);
+            RL_FREE(model.meshes[i].texcoords);
+            RL_FREE(model.meshes[i].texcoords2);
+            RL_FREE(model.meshes[i].normals);
+            RL_FREE(model.meshes[i].tangents);
+            RL_FREE(model.meshes[i].colors);
+            RL_FREE(model.meshes[i].indices);
+            RL_FREE(model.meshes[i].animVertices);
+            RL_FREE(model.meshes[i].animNormals);
+            RL_FREE(model.meshes[i].boneWeights);
+            RL_FREE(model.meshes[i].boneIndices);
+            RL_FREE(model.meshes[i].vboId);
+        }
+        RL_FREE(model.meshes);
+    }
+    RL_FREE(model.materials);
+    RL_FREE(model.meshMaterial);
+    RL_FREE(model.skeleton.bones);
+    RL_FREE(model.boneMatrices);
+
+    unlink(tmppath);
+    return 0;
+}

projects/raylib/raylib_model.dict

@@ -0,0 +1,57 @@
+# OBJ keywords
+"v "
+"vt "
+"vn "
+"f "
+"o "
+"g "
+"s "
+"usemtl "
+"mtllib "
+"# "
+
+# IQM magic and keywords
+"INTERQUAKEMODEL\x00"
+"\x02\x00\x00\x00"
+
+# GLTF/GLB
+"glTF"
+"{\"asset\""
+"\"version\""
+"\"2.0\""
+"\"meshes\""
+"\"accessors\""
+"\"bufferViews\""
+"\"buffers\""
+"\"nodes\""
+"\"scenes\""
+"\"materials\""
+"\"primitives\""
+"\"attributes\""
+"\"POSITION\""
+"\"NORMAL\""
+"\"TEXCOORD_0\""
+"\"indices\""
+"\"mode\""
+"\"componentType\""
+"\"count\""
+"\"type\""
+"\"VEC3\""
+"\"VEC2\""
+"\"SCALAR\""
+"\"byteOffset\""
+"\"byteLength\""
+"\"uri\""
+"\"bin\""
+
+# VOX magic
+"VOX "
+"MAIN"
+"SIZE"
+"XYZI"
+"RGBA"
+"\x96\x00\x00\x00"
+
+# M3D magic
+"3DMO"
+"\x84\xAC\xD1\x73"