author | Resery <50428593+Resery@users.noreply.github.com> | 2024-02-21 05:42:55 -0600 |
committer | GitHub <noreply@github.com> | 2024-02-21 12:42:55 +0100 |
commit | 340d6aa97cd8fa18e8c7650ac9067e1b2688e8bb (patch) | |
tree | cb942c11d768d382ced957983591eb8f9887db0e | |
parent | 5ae4a7ae023e7acdefc95cc9ec899763e6e4f69f (diff) | |
download | afl++-340d6aa97cd8fa18e8c7650ac9067e1b2688e8bb.tar.gz |
unicornafl: fix malloc of size 0 (#2010)
* bugfix: freeing a chunk with a size of 0 causes a 1-byte OOB. Malloc does not check the size. Generally, malloc(0) should return 0, but here it returns two pages. Free uses is_buffer_in_chunk to check whether the address is in the chunk. At that time, chunk.data_addr == total_size. Free passes the address and "1" to is_buffer_in_chunk, so it causes a 1-byte out-of-bound. * typo
-rw-r--r-- | unicorn_mode/helper_scripts/unicorn_loader.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/unicorn_mode/helper_scripts/unicorn_loader.py b/unicorn_mode/helper_scripts/unicorn_loader.py
index cef39f7e..d0995f83 100644
--- a/unicorn_mode/helper_scripts/unicorn_loader.py
+++ b/unicorn_mode/helper_scripts/unicorn_loader.py
@@ -101,6 +101,10 @@ class UnicornSimpleHeap(object):
         # - Allocate at least 1 4k page of memory to make Unicorn happy
         # - Add guard pages at the start and end of the region
         total_chunk_size = UNICORN_PAGE_SIZE + ALIGN_PAGE_UP(size) + UNICORN_PAGE_SIZE
+
+        if size == 0:
+            return 0
+
         # Gross but efficient way to find space for the chunk:
         chunk = None
         for addr in range(self.HEAP_MIN_ADDR, self.HEAP_MAX_ADDR, UNICORN_PAGE_SIZE):
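Review bot: The new `if size == 0: return 0` guard is placed after `total_chunk_size` has already been computed from `size`; it should be the first statement of the method so the zero-size case is rejected before any size arithmetic, i.e. move the two lines above `total_chunk_size = UNICORN_PAGE_SIZE + ALIGN_PAGE_UP(size) + UNICORN_PAGE_SIZE`. Returning 0 (NULL) for malloc(0) also diverges from common libc behaviour, where malloc(0) typically hands back a unique non-NULL pointer, so a target that dereferences or frees a malloc(0) result may now crash under emulation where it would not natively; if `free` does not already treat address 0 as a no-op that path is worth confirming, though it lies outside this hunk. The guard also deserves a why-comment, e.g. `# malloc(0) returns NULL: a zero-size chunk lets free() probe one byte past chunk.data_addr`. The enclosing malloc method starts and ends outside the hunk.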