Add vgmstream#15327

Open
Sheri98 wants to merge 5 commits into google:master from Sheri98:add-vgmstream
Conversation

@Sheri98 Sheri98 commented Apr 10, 2026

What is vgmstream

vgmstream is a C/C++ library for decoding ~447 streamed audio formats used in video games. It is the back end for the foobar2000 vgmstream component, the audacious plugin, the XMPlay plugin, and the standalone vgmstream-cli and vgmstream123 tools. Each demuxer in src/meta/* is an independent format parser that consumes untrusted bytes from a file.

Why fuzz vgmstream

  • 447 independent demuxers, all reachable through a single dispatch entry point (init_vgmstream).
  • All input is untrusted: every demuxer reads bytes straight from a file the user provides (e.g. via foobar2000 / audacious / XMPlay).
  • No prior fuzzing coverage: vgmstream is not currently in OSS-Fuzz and has no published CVEs.
  • Active upstream maintainer with GHSA enabled and a SECURITY.md that invites private vulnerability reports.
  • Cross-platform C/C++, builds cleanly on Ubuntu with CMake. No GPU, no kernel, no exotic toolchain.

Coverage

Measured with llvm-cov (clang-18, ASan + libFuzzer instrumentation, 320-file mutated corpus from a 60-minute campaign):

Scope                        Functions   Lines    Branches
Whole library                25.33%      7.83%    4.47%
src/meta/ (parser surface)   50.55%      11.00%   5.56%

The harness enters 50% of all parser functions in src/meta/ from a single dispatch call. Line coverage is moderate because each parser bails early on unrecognized magic bytes. Sustained fuzzing on OSS-Fuzz infrastructure will drive depth significantly as the corpus evolves to bypass those initial checks.

What this PR adds

projects/vgmstream/
├── Dockerfile                       # base-builder + cmake deps
├── build.sh                         # static libvgmstream.a + harness link
├── project.yaml                     # ASan + UBSan, libFuzzer/AFL/honggfuzz
├── vgmstream_fuzz_bnk.c             # libFuzzer harness (format-agnostic dispatch)
├── vgmstream_fuzz_bnk.dict          # 160-entry dictionary (BNK magics, codec enums, format tokens)
└── vgmstream_fuzz_bnk_seedgen.py    # build-time seed corpus generator

Harness design

vgmstream_fuzz_bnk.c writes the fuzzer-supplied buffer to a tmp file in /dev/shm, calls init_vgmstream(), and frees. init_vgmstream() walks the full demuxer dispatch table internally, so a single harness exercises every parser in the library. Per-iteration cost is one mkstemp + one tmpfs write + one dispatch + one close + one unlink. No real disk I/O.

The _bnk suffix reflects the seed corpus and dictionary bias toward Sony PS BNK headers (the format family with the highest manually-verified bug density). The harness itself is format-agnostic.

Sanitizer config

Initial PR ships with ASan + UBSan. MSan is held back because vgmstream depends on uninstrumented libc calls (fread, memcpy, iconv). Happy to add it in a follow-up if preferred.

Optional codec backends

The build deliberately disables libmpg123 / libvorbis / FFmpeg / libg7221 / libg719 / libcelt / libspeex / libatrac9. The parser surface in src/meta/* is fully reachable without them. Re-enabling them is a one-line build.sh change for a follow-up PR.

Author

  • Shravan Kumar Sheri
  • GitHub: @Sheri98
  • Contact: shravankumarsheri39@gmail.com
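The harness design the PR body describes (fuzzer buffer to a tmpfs file, one dispatch call, free, unlink) written out as an added example. This is not the PR's vgmstream_fuzz_bnk.c and not vgmstream's own code: init_vgmstream()/close_vgmstream() are assumed API names, used only behind a USE_REAL_VGMSTREAM define, and otherwise a constructed stand-in parser with a made-up "TOY1" header takes the parser's place so the file compiles and runs on its own. The stand-in mirrors the two checks the PR text says dominate early coverage: bail on an unknown magic, and bail when a declared length overruns the file.

```c
/* Added example (not the PR's harness, not vgmstream code): libFuzzer entry
 * for a path-based parser. Buffer -> tmpfs file -> parser -> unlink. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef USE_REAL_VGMSTREAM
#include "vgmstream.h"   /* assumed header: VGMSTREAM, init_vgmstream(), close_vgmstream() */
#endif

enum { PARSE_OK = 1, PARSE_REJECT = 0, PARSE_HARNESS_ERR = -1 };

/* Constructed stand-in parser (layout made up for this example):
 *   bytes 0..3  magic "TOY1"
 *   bytes 4..7  little-endian u32 payload length, must fit in the file.
 * Like a real demuxer it rejects a bad magic and a length that overruns the file. */
static int toy_parse(const char *path) {
    FILE *f = fopen(path, "rb");
    if (f == NULL) return PARSE_HARNESS_ERR;
    uint8_t hdr[8];
    size_t got = fread(hdr, 1, sizeof hdr, f);
    if (got < sizeof hdr || memcmp(hdr, "TOY1", 4) != 0) { fclose(f); return PARSE_REJECT; }
    uint32_t declared = (uint32_t)hdr[4] | ((uint32_t)hdr[5] << 8) |
                        ((uint32_t)hdr[6] << 16) | ((uint32_t)hdr[7] << 24);
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return PARSE_HARNESS_ERR; }
    long end = ftell(f);
    fclose(f);
    if (end < 0) return PARSE_HARNESS_ERR;
    /* 64-bit compare so a huge declared length cannot wrap the check. */
    if ((uint64_t)end - sizeof hdr < (uint64_t)declared) return PARSE_REJECT;
    return PARSE_OK;
}

/* Real vgmstream dispatch when linked against it, the stand-in otherwise. */
static int parse_path(const char *path) {
#ifdef USE_REAL_VGMSTREAM
    VGMSTREAM *v = init_vgmstream(path);   /* walks the whole demuxer table */
    if (v == NULL) return PARSE_REJECT;
    close_vgmstream(v);
    return PARSE_OK;
#else
    return toy_parse(path);
#endif
}

/* Create and fill a temp file, preferring tmpfs. Returns fd or -1; path gets the name. */
static int write_tmpfs_file(const uint8_t *data, size_t size, char *path, size_t path_sz) {
    static const char *const templates[] = { "/dev/shm/vgmfuzz-XXXXXX", "/tmp/vgmfuzz-XXXXXX" };
    int fd = -1;
    for (size_t i = 0; i < 2 && fd < 0; i++) {
        if (strlen(templates[i]) + 1 > path_sz) return -1;
        strcpy(path, templates[i]);
        fd = mkstemp(path);                /* rewrites XXXXXX in place */
    }
    if (fd < 0) return -1;
    for (size_t off = 0; off < size; ) {
        ssize_t n = write(fd, data + off, size - off);
        if (n < 0) { if (errno == EINTR) continue; close(fd); unlink(path); return -1; }
        off += (size_t)n;
    }
    return fd;
}

/* One iteration. path_out (optional) receives the temp path so cleanup can be checked. */
int fuzz_one(const uint8_t *data, size_t size, char *path_out, size_t path_sz) {
    char path[64];
    int fd = write_tmpfs_file(data, size, path, sizeof path);
    if (fd < 0) return PARSE_HARNESS_ERR;
    int rc = parse_path(path);
    close(fd);
    unlink(path);                          /* always, even on reject, or tmpfs fills up */
    if (path_out != NULL && path_sz > 0) { strncpy(path_out, path, path_sz - 1); path_out[path_sz - 1] = '\0'; }
    return rc;
}

/* Returns 1 when the temp file is gone after an iteration, 0 otherwise. */
int temp_file_gone_after(const uint8_t *data, size_t size) {
    char p[64];
    if (fuzz_one(data, size, p, sizeof p) == PARSE_HARNESS_ERR) return 0;
    return access(p, F_OK) != 0 && errno == ENOENT;
}

/* libFuzzer entry point; parse outcome is deliberately not propagated. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)fuzz_one(data, size, NULL, 0);
    return 0;
}

/* Constructed samples, not real game files. */
static const uint8_t kValidSample[]     = { 'T','O','Y','1', 4,0,0,0, 1,2,3,4 };
static const uint8_t kTruncatedSample[] = { 'T','O','Y','1', 0xff,0xff,0xff,0xff, 1 };
static const uint8_t kBadMagicSample[]  = { 'X','X','X','X', 4,0,0,0, 1,2,3,4 };

int main(void) {
    printf("valid: %d  truncated: %d  bad magic: %d  cleaned: %d\n",
           fuzz_one(kValidSample, sizeof kValidSample, NULL, 0),
           fuzz_one(kTruncatedSample, sizeof kTruncatedSample, NULL, 0),
           fuzz_one(kBadMagicSample, sizeof kBadMagicSample, NULL, 0),
           temp_file_gone_after(kValidSample, sizeof kValidSample));
    return 0;
}
```

Built on its own (cc harness.c) it runs the stand-in; linked against libvgmstream.a with -DUSE_REAL_VGMSTREAM and -fsanitize=fuzzer,address it is a libFuzzer target of the shape the PR describes. Two details matter for a long campaign: the unlink runs on every path, including rejects and parser errors, because a leaked file per iteration would exhaust tmpfs long before a crash shows up; and the fallback from /dev/shm to /tmp keeps the target usable in containers that mount no shm, at the cost of real disk I/O there.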

Sheri98 added 3 commits April 9, 2026 18:39
vgmstream is a C library for decoding ~447 streamed audio formats used
in video games. Each demuxer in src/meta/* is an independent format
parser that consumes attacker-controlled bytes from a file.

This adds a single libFuzzer harness that exercises the full demuxer
dispatch table via init_vgmstream(), a 160-entry dictionary biased
toward Sony PS BNK headers, and a build-time seed corpus generator.

Sanitizers: ASan + UBSan. Engines: libFuzzer, AFL, honggfuzz.
google-cla bot commented Apr 10, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@github-actions

Sheri98 is integrating a new project:
- Main repo: https://github.com/vgmstream/vgmstream.git
- Criticality score: 0.45063
