diff options
| author | van Hauser <vh@thc.org> | 2021-12-31 17:04:01 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-12-31 17:04:01 +0100 |
| commit | b8e61da8ab63a49a89988110c2e154267767d43a (patch) | |
| tree | 20b534be9222b08aae294378fc23818c7c4c5dce | |
| parent | cda84594cccf3f6d2d674d4eb99d449d205fa4ab (diff) | |
| parent | 53fa7037550c1f26adde2526605a82e190a02188 (diff) | |
| download | afl++-b8e61da8ab63a49a89988110c2e154267767d43a.tar.gz | |
Merge pull request #1238 from AFLplusplus/more_havoc
more havoc
| m--------- | qemu_mode/qemuafl | 0 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 101 |
2 files changed, 95 insertions, 6 deletions
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl -Subproject ce65a7349e7156e052b37a660422cad8346764d +Subproject 8809a2b2ebf089d3427dd8f6a0044bcc2e13b38 diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 426a6507..34711940 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -2002,7 +2002,7 @@ havoc_stage: /* We essentially just do several thousand runs (depending on perf_score) where we take the input file and make random stacked tweaks. */ -#define MAX_HAVOC_ENTRY 59 /* 55 to 60 */ +#define MAX_HAVOC_ENTRY 64 #define MUTATE_ASCII_DICT 64 u32 r_max, r; @@ -2506,12 +2506,101 @@ havoc_stage: } - // increase from 4 up to 8? - case 52 ... MAX_HAVOC_ENTRY: { + case 52: { - /* Delete bytes. We're making this a bit more likely - than insertion (the next option) in hopes of keeping - files reasonably small. */ + /* Increase byte by 1. */ + +#ifdef INTROSPECTION + snprintf(afl->m_tmp, sizeof(afl->m_tmp), " ADDBYTE_"); + strcat(afl->mutation, afl->m_tmp); +#endif + out_buf[rand_below(afl, temp_len)]++; + break; + + } + + case 53: { + + /* Decrease byte by 1. */ + +#ifdef INTROSPECTION + snprintf(afl->m_tmp, sizeof(afl->m_tmp), " SUBBYTE_"); + strcat(afl->mutation, afl->m_tmp); +#endif + out_buf[rand_below(afl, temp_len)]++; + break; + + } + + case 54: { + + /* Flip byte. */ + +#ifdef INTROSPECTION + snprintf(afl->m_tmp, sizeof(afl->m_tmp), " FLIP8_"); + strcat(afl->mutation, afl->m_tmp); +#endif + out_buf[rand_below(afl, temp_len)] ^= 0xff; + break; + + } + + case 55 ... 56: { + + if (temp_len < 4) { break; } + + /* Switch bytes. */ + + u32 to_end, switch_to, switch_len, switch_from; + switch_from = rand_below(afl, temp_len); + do { + + switch_to = rand_below(afl, temp_len); + + } while (switch_from == switch_to); + + if (switch_from < switch_to) { + + switch_len = switch_to - switch_from; + to_end = temp_len - switch_to; + + } else { + + switch_len = switch_from - switch_to; + to_end = temp_len - switch_from; + + } + + switch_len = choose_block_len(afl, MIN(switch_len, to_end)); + +#ifdef INTROSPECTION + snprintf(afl->m_tmp, sizeof(afl->m_tmp), " SWITCH-%s-%u-%u-%u", + "switch", switch_from, switch_to, switch_len); + strcat(afl->mutation, afl->m_tmp); +#endif + u8 *new_buf = afl_realloc(AFL_BUF_PARAM(out_scratch), switch_len); + if (unlikely(!new_buf)) { PFATAL("alloc"); } + + /* Backup */ + + memcpy(new_buf, out_buf + switch_from, switch_len); + + /* Switch 1 */ + + memcpy(out_buf + switch_from, out_buf + switch_to, switch_len); + + /* Switch 2 */ + + memcpy(out_buf + switch_to, new_buf, switch_len); + + break; + + } + + // MAX_HAVOC_ENTRY = 64 + case 57 ... MAX_HAVOC_ENTRY: { + + /* Delete bytes. */ if (temp_len < 2) { break; } |