Seems that some bugs in openjpeg can be triggered only in release mode.
More specifically, I was trying to reproduce https://github.com/uclouvain/openjpeg/issues/1228 using the OSS-Fuzz harness and I failed.
I figured out that the bug is indeed reachable by the harness, but can be uncovered only in Release mode, otherwise, an assertion error blocks it.
I guess that they use assertions only in Debug mode (WTF) and remove them in Release.
So, IMO openjpeg should be fuzzed in Release mode as the configuration used in production is the one relevant for security.
From http://www.openjpeg.org/ :
"""
OpenJPEG is an open-source JPEG 2000 codec written in C language. It has
been developed in order to promote the use of JPEG 2000, a still-image
compression standard from the Joint Photographic Experts Group (JPEG).
Since may 2015, it is officially recognized by ISO/IEC and ITU-T as a
JPEG 2000 Reference Software
"""
I submit this integration of OpenJPEG into oss-fuzz on behalf of Antonin
Descampes (@detonin), one of the project leaders. The OpenJPEG side of the
integration has already been merged into openjpeg git master per
https://github.com/uclouvain/openjpeg/issues/965 /
1a8eac6a90
DavidKorczynski