authorvanhauser-thc <vh@thc.org>2021-03-05 10:05:43 +0100
committervanhauser-thc <vh@thc.org>2021-03-05 10:05:43 +0100
commit3342aa751d8e9102449e1739b38a25c40ab18e81 (patch)
tree7afcfab5751461d5bc0bceec07c9b0d98155e118
parenta2f40aa285faa75e78ac1ffffe8d79e2ac1a40da (diff)
downloadafl++-3342aa751d8e9102449e1739b38a25c40ab18e81.tar.gz
fix laf string transform crash
-rw-r--r--docs/Changelog.md1
-rw-r--r--instrumentation/SanitizerCoverageLTO.so.cc3
-rw-r--r--instrumentation/afl-llvm-dict2file.so.cc4
-rw-r--r--instrumentation/afl-llvm-lto-instrumentation.so.cc3
-rw-r--r--instrumentation/compare-transform-pass.so.cc11
5 files changed, 20 insertions, 2 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index b1c991ff..c5b275de 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -14,6 +14,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- afl-cc
- fixed a crash that can occur with ASAN + CMPLOG together plus
better support for unicode (thanks to @stbergmann for reporting!)
+ - fixed a crash in LAF transform for empty strings
- handle erroneous setups in which multiple afl-compiler-rt are
compiled into the target. This now also supports dlopen
instrumented libs loaded before the forkserver and even after the
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 849b6eef..13a5e5fd 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -849,15 +849,18 @@ bool ModuleSanitizerCoverage::instrumentModule(
thestring = Str2;
optLen = thestring.length();
+ if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
if (isMemcmp || isStrncmp || isStrncasecmp) {
Value * op2 = callInst->getArgOperand(2);
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+
if (ilen) {
uint64_t literalLength = optLen;
optLen = ilen->getZExtValue();
+ if (optLen < 2) { continue; }
if (literalLength + 1 == optLen) { // add null byte
thestring.append("\0", 1);
addedNull = true;
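Review bot: The new guard `if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }` encodes a non-obvious rule (a two-byte literal whose second byte is NUL is dropped like a one-character one) without a comment saying so, and the identical line is pasted into the afl-llvm-dict2file.so.cc and afl-llvm-lto-instrumentation.so.cc hunks of this same commit. A one-liner such as `// skip literals shorter than two meaningful bytes (empty, "x", "x\0")` would make the intent readable, and the presumable reason (too short to be a useful token) should be confirmed and added to it; the triple copy also suggests this literal-extraction code belongs in a shared helper so the next fix lands once. The short-circuit order keeps `thestring[1]` in bounds, so the check itself is safe; the later `if (optLen < 2) { continue; }` after `getZExtValue()` is the same rule for the constant length argument, but whether an `optLen` larger than the literal is bounded further down cannot be seen from this hunk. instrumentModule begins and ends outside the hunk.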
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index 885aa035..c954054b 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -521,14 +521,18 @@ bool AFLdict2filePass::runOnModule(Module &M) {
optLen = thestring.length();
+ if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
+
if (isMemcmp || isStrncmp || isStrncasecmp) {
Value * op2 = callInst->getArgOperand(2);
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+
if (ilen) {
uint64_t literalLength = optLen;
optLen = ilen->getZExtValue();
+ if (optLen < 2) { continue; }
if (literalLength + 1 == optLen) { // add null byte
thestring.append("\0", 1);
addedNull = true;
diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc
index ef270a1f..50306224 100644
--- a/instrumentation/afl-llvm-lto-instrumentation.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc
@@ -635,15 +635,18 @@ bool AFLLTOPass::runOnModule(Module &M) {
thestring = Str2;
optLen = thestring.length();
+ if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
if (isMemcmp || isStrncmp || isStrncasecmp) {
Value * op2 = callInst->getArgOperand(2);
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+
if (ilen) {
uint64_t literalLength = optLen;
optLen = ilen->getZExtValue();
+ if (optLen < 2) { continue; }
if (literalLength + 1 == optLen) { // add null byte
thestring.append("\0", 1);
addedNull = true;
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index a85522a2..3ecba4e6 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -316,7 +316,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
uint64_t len = ilen->getZExtValue();
// if len is zero this is a pointless call but allow real
// implementation to worry about that
- if (!len) continue;
+ if (len < 2) continue;
if (isMemcmp) {
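Review bot: The comment directly above the changed line still says "if len is zero", but the guard is now `if (len < 2) continue;`, so length-1 compares are also left untransformed and the comment is stale. Suggest `// a length of 0 or 1 is not worth transforming; leave those calls to the real implementation`. transformCmps begins and ends outside the hunk.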
@@ -420,8 +420,15 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
}
+ if (TmpConstStr.length() < 2 ||
+ (TmpConstStr.length() == 2 && !TmpConstStr[1])) {
+
+ continue;
+
+ }
+
// add null termination character implicit in c strings
- if (TmpConstStr[TmpConstStr.length() - 1] != 0) {
+ if (!isMemcmp && TmpConstStr[TmpConstStr.length() - 1]) {
TmpConstStr.append("\0", 1);