fuzzing: add imap-parser, imap-url, and message-address harnesses

[tc-agent]

Summary

Three new fuzz harnesses for lib-imap and lib-mail entry points that had no dedicated fuzzing coverage:

fuzz-imap-parser.c (src/lib-imap/)
Exercises imap_parser_read_tag, imap_parser_read_command_name, and imap_parser_finish_line — the three functions that handle every client command received by the IMAP server. The harness first attempts full command parsing (tag + command name + argument list), then retries the raw data as a flat argument list with IMAP_PARSE_FLAG_ATOM_ALLCHARS to exercise the permissive path.

fuzz-imap-url.c (src/lib-imap/)
Exercises imap_url_parse for absolute IMAP URLs (with IMAP_URL_PARSE_ALLOW_URLAUTH) and imap_url_parse for relative URLs (with IMAP_URL_PARSE_REQUIRE_RELATIVE against a base URL). Also performs a roundtrip: absolute parse → imap_url_create → string output.

fuzz-message-address.c (src/lib-mail/)
Exercises message_address_parse (RFC 5321/5322 address parsing) with a roundtrip through message_address_write to catch serialization bugs, and separately exercises message_address_parse_path for SMTP path address parsing.

Coverage

Fuzz Introspector baseline (all existing harnesses combined): 12.37% overall — https://introspector.oss-fuzz.com/project-profile?project=dovecot

After 5 minutes of fuzzing on a local OSS-Fuzz build, per-harness results:

Harness	Execs	Coverage edges
fuzz-imap-parser	752,676	503
fuzz-imap-url	860,186	947
fuzz-message-address	1,018,887	656

No crashes. All three harnesses linked against ASan + UBSan.

[tc-agent]

[CLAUDE CODE REVIEW - claude-opus-4-6]

Here's my review against the PR checklist.

---

PR Review: dovecot upstream — add imap-parser, imap-url, and message-address harnesses

Checklist Verification

Diff minimality — Pass

• Three harness files + two Makefile.am additions. No extraneous changes, no formatting fixes, no comments on unmodified code. Clean and minimal.

Correctness — Pass

• Repo placement: Harnesses go upstream to dovecot/core — correct. Existing fuzz harnesses live in the upstream source tree.
• API usage verified against headers:
  • imap_parser_create(input, NULL, 65536, NULL) — matches (istream*, ostream*, size_t, const imap_parser_params*) signature
  • imap_parser_finish_line(parser, 0, 0, &args) — count=0 means "parse all args" per the header comment ("just like imap_parser_read_args()")
  • imap_url_parse(input, NULL, IMAP_URL_PARSE_ALLOW_URLAUTH, &url, &error) — correct signature
  • message_address_parse(pool_datastack_create(), data, size, UINT_MAX, 0) — correct
  • message_address_parse_path(pool_datastack_create(), data, size, &addr) — correct
• Makefile.am conventions: lib-imap uses noinst_PROGRAMS += directly; lib-mail uses fuzz_programs += with noinst_PROGRAMS += $(fuzz_programs) outside the block. New entries follow each subsystem's convention correctly.
• LDFLAGS: New entries use $(FUZZER_LDFLAGS) without -static-libtool-libs, matching the upstream convention (the oss-fuzz build.sh adds -static-libtool-libs via sed at build time).
• LDADD: Parser and URL harnesses use libimap.la $(test_libs) — correct; neither needs libmail.la (confirmed: imap-url.c has no lib-mail references).
• Copyright: /* Copyright (c) 2026 Dovecot authors, see the included COPYING file */ — matches existing format (e.g., fuzz-imap-utf7.c uses the same pattern with 2020). Current year per checklist.
• Resource cleanup: All harnesses properly unref/free resources. Memory allocated on the data stack is freed by T_END in FUZZ_END.
• Roundtrip patterns: URL and address harnesses include parse-serialize-reparse roundtrips — good for finding serialization bugs.

Coverage reporting — Pass

• Fuzz Introspector baseline cited with link (12.37%).
• Per-harness 5-minute results reported (execs + edges). No inflated claims.

PR description — Minor issue

• Empty () after "fuzz-imap-parser.c" where the path (src/lib-imap/) was likely intended. Cosmetic only.
• No checklist mentioned, one logical change, claims sourced. Good.

Build verification — Pass

• 5-minute fuzzing implies successful build + execution. The oss-fuzz project's build.sh copies the harnesses and builds them, and the Dockerfile includes seeds. All three harnesses produced >750K execs with no crashes.

Related PRs

• #14986 "fix build" (open, by DavidKorczynski) — if this fixes a current build issue, it could block CI for this PR. Worth checking whether dovecot's OSS-Fuzz build is currently green before submitting.
• #15183 "Build semistatic fuzzers" (merged March 19) — added semistatic linking to the oss-fuzz build. The new harness Makefile.am entries are compatible (they get -static-libtool-libs added by build.sh's sed at build time).

Verdict

LGTM — clean, well-structured harnesses that correctly use dovecot's fuzzer infrastructure. API usage is verified, conventions are followed, resource management is proper. The only nit is the empty () in the PR description for fuzz-imap-parser.c.

[CLAUDE CODE REVIEW - claude-opus-4-6]

[tc-agent]

[CLAUDE CODE REVIEW - claude-opus-4-6]

LGTM (seeded for batch CI validation of dovecot)

[CLAUDE CODE REVIEW - claude-opus-4-6]

[github-actions]

Fuzzing Coverage Report

Tested: project dovecot · base 5fa57b8 → head dc01350 · 300s total fuzz budget · updated 2026-04-24 18:58 UTC · workflow run

No coverage data collected. Check the workflow run for build errors.

_{Same harness config applied to both sides (baseline = base source + PR harness). Per-harness data from report_target/<fuzzer>/linux/summary.json. Full HTML reports in the workflow artifacts.}