authorDominik Maier <domenukk@gmail.com>2020-03-28 00:44:52 +0100
committerDominik Maier <domenukk@gmail.com>2020-04-01 13:10:05 +0200
commit5bd8aa489b9d9db4bb330a7515666ad11eab24b4 (patch)
tree232bd053fc6d3f77bde60baef6cf2620b812ac1c
parente71c2937de8a19cf9b3627b86894cafabcd45513 (diff)
downloadafl++-5bd8aa489b9d9db4bb330a7515666ad11eab24b4.tar.gz
fixed leak
-rw-r--r--include/alloc-inl.h2
-rw-r--r--src/afl-fuzz-init.c1
-rw-r--r--src/afl-fuzz-one.c10
3 files changed, 8 insertions, 5 deletions
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index 92d29c1e..ed1e0397 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -788,10 +788,12 @@ static inline void *ck_maybe_grow(void **buf, size_t *size,
while (*size < size_needed) {
*size *= 2;
+ if ((*size) < 0) FATAL("size_t overflow");
}
*buf = ck_realloc(*buf, *size);
+
return *buf;
}
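Review bot: The guard added as `if ((*size) < 0) FATAL("size_t overflow");` can never fire, because `*size` is a `size_t` and an unsigned value is never below zero, so the doubling loop still wraps silently and `ck_realloc` can hand back a buffer smaller than `size_needed`. Check before the multiplication instead: `if (*size > SIZE_MAX / 2) FATAL("size_t overflow");` placed directly above `*size *= 2;`. Note also that a `*size` of 0 never grows under `*= 2`, so the loop would spin forever on an empty buffer unless every caller guarantees a non-zero starting size; that cannot be confirmed here because ck_maybe_grow begins before this hunk.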
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 19092204..a69c3b61 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -379,6 +379,7 @@ void read_testcases(afl_state_t *afl) {
if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn2, "/README.txt")) {
+ free(fn2);
continue;
}
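Review bot: The new `free(fn2);` should use the same deallocator that produced fn2; if fn2 comes from alloc_printf/ck_alloc as elsewhere in this code base, `ck_free(fn2);` keeps the pair matched, since with the canary-checking allocator variant a plain free() on a ck_alloc'd pointer would not point at the real allocation start. Where fn2 is allocated is not visible in this hunk, and read_testcases both begins and ends outside it, so the allocator cannot be confirmed from here.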
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index c731ebc6..024b4665 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -430,7 +430,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
single byte anyway, so it wouldn't give us any performance or memory usage
benefits. */
- out_buf = ck_maybe_grow((void **)&afl->out_buf, &afl->out_size, len);
+ out_buf = ck_maybe_grow(BUF_PARAMS(out), len);
afl->subseq_tmouts = 0;
@@ -1958,8 +1958,7 @@ havoc_stage:
clone_to = rand_below(afl, temp_len);
new_buf =
- ck_maybe_grow((void **)&afl->out_scratch_buf,
- &afl->out_scratch_size, temp_len + clone_len);
+ ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len);
/* Head */
@@ -1979,9 +1978,9 @@ havoc_stage:
memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
temp_len - clone_to);
- swap_bufs((void **)&afl->out_buf, &afl->out_size,
- (void **)&afl->out_scratch_buf, &afl->out_scratch_size);
+ swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch));
out_buf = new_buf;
+ new_buf = NULL;
temp_len += clone_len;
}
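Review bot: The added `new_buf = NULL;` after `out_buf = new_buf;` is the right defensive move, but without a comment it looks like a stray assignment and the next maintainer may drop it. Suggest `/* swap_bufs moved the freshly built buffer into afl->out_buf; clear the local alias so it cannot be reused once the scratch buffer is regrown */` on that line. The havoc_stage block this sits in starts and continues outside the hunk.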
@@ -2108,6 +2107,7 @@ havoc_stage:
swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch));
out_buf = new_buf;
+ new_buf = NULL;
temp_len += extra_len;
break;