Fix heap allocation bug

- Reason: `afl->out_size` is not consistent with the actual allocation
of `afl->out_buf`. The deleted line in `src/afl-fuzz-one.c` may change
`afl->out_size`, but `afl->out_buf` is not changed

2 files changed, 8 insertions, 8 deletions

diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c
index 7d827029..ec47104d 100644
--- a/examples/custom_mutators/example.c
+++ b/examples/custom_mutators/example.c
@@ -159,13 +159,13 @@ size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size,
 
   uint8_t *pre_save_buf = data->pre_save_buf;
 
-  memcpy(pre_save_buf + 5, buf, buf_size);
+  memcpy(pre_save_buf, buf, buf_size);
   size_t out_buf_size = buf_size + 5;
-  pre_save_buf[0] = 'A';
-  pre_save_buf[1] = 'F';
-  pre_save_buf[2] = 'L';
-  pre_save_buf[3] = '+';
-  pre_save_buf[4] = '+';
+  pre_save_buf[buf_size + 0] = 'A';
+  pre_save_buf[buf_size + 1] = 'F';
+  pre_save_buf[buf_size + 2] = 'L';
+  pre_save_buf[buf_size + 3] = '+';
+  pre_save_buf[buf_size + 4] = '+';
 
   *out_buf = pre_save_buf;
 
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index b1bbad0a..29dd73ad 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1621,8 +1621,6 @@ custom_mutator_stage:
     if (unlikely(!mutated_buf))
       FATAL("Error in custom_fuzz. Size returned: %zd", mutated_size);
 
-    if (mutated_size > len) afl->out_size = mutated_size;
-
     if (mutated_size > 0) {
 
       if (common_fuzz_stuff(afl, mutated_buf, (u32)mutated_size)) {
@@ -1650,6 +1648,8 @@ custom_mutator_stage:
     }
 
     out_buf = ck_maybe_grow(BUF_PARAMS(out), len);
+    // ??? (h1994st): this line may be not necessary, as we do not modify the
+    // content of "out_buf".
     memcpy(out_buf, in_buf, len);
 
   }