From 664462dd78705a80efc40fd74766e4af4093aef6 Mon Sep 17 00:00:00 2001 
From: "Aaron K. Clark"
Date: Tue, 26 May 2026 00:25:37 -0500
Subject: [PATCH] chore(oss-fuzz): sync in-tree staging files with upstream PR #15545
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The OSS-Fuzz upstream PR (google/oss-fuzz#15545) needed Apache 2.0
license headers on Dockerfile and build.sh per `dpebot`'s header-check
bot — that's the convention for everything under projects/ in the
google/oss-fuzz repo. The bot only flagged build.sh, but the Dockerfile
needs one too (sampled aiohttp / vlc / curl all carry the same Apache +
80-# separator on both files).

This PR brings the three in-tree staging files at .github/oss-fuzz/ to
byte-equivalence with what's now in the upstream PR branch, so a future
contributor can `cp` either direction without a diff-and-fix step.

Concrete changes:

- Dockerfile: prepended the standard Google LLC Apache 2.0 header +
  80-# separator block. The "build container for the GayHydra
  decompiler harnesses" comment moves below the separator.
- build.sh: same header treatment, after the `#!/bin/bash -eu` shebang.
- project.yaml: replaced the in-tree-specific "To go live: copy this
  file" preamble (which doesn't make sense once at upstream) with the
  contextual comment that's in the upstream copy. The "what gets copied
  where" guidance moves to the new README.md.
- README.md (new): describes the staging directory's purpose, links to
  OSS_FUZZ.md and to the upstream destination, and records the sync
  workflow so the next person editing in either location keeps them
  aligned.

Upstream PR #15545 status: header-check now passes, cla/google passes,
check-changes passes; the build / zizmor / trial-build jobs are skipped
while the PR is still in draft.

Proudly Made in Nebraska. Go Big Red!
🌽 https://xkcd.com/2347/ Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/oss-fuzz/Dockerfile | 17 ++++++++++++++++- .github/oss-fuzz/README.md | 25 +++++++++++++++++++++++++ .github/oss-fuzz/build.sh | 17 ++++++++++++++++- .github/oss-fuzz/project.yaml | 12 +++++++----- 4 files changed, 64 insertions(+), 7 deletions(-) create mode 100644 .github/oss-fuzz/README.md diff --git a/.github/oss-fuzz/Dockerfile b/.github/oss-fuzz/Dockerfile index 5c673787d39..cf6aff150c7 100644 --- a/.github/oss-fuzz/Dockerfile +++ b/.github/oss-fuzz/Dockerfile @@ -1,5 +1,20 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ # OSS-Fuzz build container for the GayHydra decompiler harnesses. -# See docs/security/OSS_FUZZ.md. +# See https://codeberg.org/CryptoJones/GayHydra/src/branch/master/docs/security/OSS_FUZZ.md. FROM gcr.io/oss-fuzz-base/base-builder diff --git a/.github/oss-fuzz/README.md b/.github/oss-fuzz/README.md new file mode 100644 index 00000000000..dff821cc943 --- /dev/null +++ b/.github/oss-fuzz/README.md 
@@ -0,0 +1,25 @@ +# `.github/oss-fuzz/` — staging directory for OSS-Fuzz upstream submission + +This directory holds the three files that get copied verbatim to +`projects/ghidra-decompiler/` in [google/oss-fuzz](https://github.com/google/oss-fuzz): + +- [`project.yaml`](project.yaml) — OSS-Fuzz manifest (contacts, sanitizers, engines) +- [`Dockerfile`](Dockerfile) — build container definition +- [`build.sh`](build.sh) — harness build script + +See [`docs/security/OSS_FUZZ.md`](../../docs/security/OSS_FUZZ.md) for the +broader integration plan and the in-tree harness sources at +`Ghidra/Features/Decompiler/src/decompile/cpp/fuzz/`. + +## Sync workflow + +Files here are kept byte-identical with their upstream counterparts at +[`google/oss-fuzz/projects/ghidra-decompiler/`](https://github.com/google/oss-fuzz/tree/master/projects/ghidra-decompiler). +Editing in either location requires copying to the other in the same +sweep so the two don't drift. + +The Google-style `Copyright YYYY Google LLC` Apache 2.0 header on +`Dockerfile` and `build.sh` is the OSS-Fuzz convention for everything +under `projects/` — `dpebot`'s `header-check` bot enforces it on every +PR to google/oss-fuzz. Carrying the same header in-tree keeps the +`cp`-to-upstream operation a one-step sync rather than a diff-and-fix. diff --git a/.github/oss-fuzz/build.sh b/.github/oss-fuzz/build.sh index f9ed200ccbd..6ef92344c47 100644 --- a/.github/oss-fuzz/build.sh +++ b/.github/oss-fuzz/build.sh 
@@ -1,6 +1,21 @@ #!/bin/bash -eu +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ # OSS-Fuzz build script for the GayHydra decompiler harnesses. -# See docs/security/OSS_FUZZ.md. +# See https://codeberg.org/CryptoJones/GayHydra/src/branch/master/docs/security/OSS_FUZZ.md. CPP_DIR="$SRC/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp" FUZZ_DIR="$CPP_DIR/fuzz" diff --git a/.github/oss-fuzz/project.yaml b/.github/oss-fuzz/project.yaml index 6971e225586..843ad8ca738 100644 --- a/.github/oss-fuzz/project.yaml +++ b/.github/oss-fuzz/project.yaml @@ -1,9 +1,11 @@ -# OSS-Fuzz project manifest. +# OSS-Fuzz project manifest for GayHydra, a maintained fork of NSA's +# Ghidra reverse engineering platform. Fuzzes the decompiler's C++ +# parsers (XML + PackedDecode) — first thing user-controlled input +# hits, historically the source of OOB-read CVEs in Ghidra's +# decompiler core. # -# To go live: copy this file (plus Dockerfile and build.sh in this -# directory) to projects/ghidra-decompiler/ in google/oss-fuzz. -# -# See docs/security/OSS_FUZZ.md. +# See https://codeberg.org/CryptoJones/GayHydra/src/branch/master/docs/security/OSS_FUZZ.md +# for the in-tree harness sources and rationale. homepage: "https://codeberg.org/CryptoJones/GayHydra" main_repo: "https://codeberg.org/CryptoJones/GayHydra"
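Review bot: in the .github/oss-fuzz/Dockerfile hunk, the rewritten `# See` comment ends the URL with a sentence period (`OSS_FUZZ.md.`), so a viewer that auto-links the comment may include the dot and land on a missing page. Drop the trailing period or put the URL on its own line as the project.yaml hunk does; the build.sh hunk carries the same line. The link also points at `branch/master`, so it follows whatever that branch holds later rather than the document as it stood at this commit.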
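Review bot: the "Sync workflow" section of the new .github/oss-fuzz/README.md relies on contributors remembering to copy edits in both directions, and nothing in this patch checks that the three files stay byte-identical with upstream. A CI step that compares checksums of `project.yaml`, `Dockerfile` and `build.sh` against the upstream copies would catch drift. Since README.md now sits in the same directory, the workflow text should also name the three files to copy, so that a `cp` of the whole directory does not carry README.md into `projects/ghidra-decompiler/`.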
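Review bot: the new header comment in the .github/oss-fuzz/project.yaml hunk says the XML and PackedDecode parsers are "historically the source of OOB-read CVEs in Ghidra's decompiler core" without naming any of them. Because this comment is meant to go upstream verbatim, either list the CVE identifiers or an advisory link in OSS_FUZZ.md and point the comment at that section, or reduce the wording to what the harnesses cover.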