diff options
| author | van Hauser <vh@thc.org> | 2020-08-10 13:30:25 +0200 |
|---|---|---|
| committer | van Hauser <vh@thc.org> | 2020-08-10 13:30:25 +0200 |
| commit | 8428b18d2a48cf7e995797a8b2183920aaa14f7e (patch) | |
| tree | 4db978ca2678903e3d658d200be01981e05a4a17 | |
| parent | 9c953ab51ff22b2fc3e1b73e6563211e7676b62e (diff) | |
| download | afl++-8428b18d2a48cf7e995797a8b2183920aaa14f7e.tar.gz | |
fix another segfault
| -rw-r--r-- | src/afl-fuzz-run.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 41de143c..7180d255 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -879,12 +879,13 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { s32 new_len = afl->queue_cur->len + len - afl->taint_len; if (new_len < 4) new_len = 4; + if (new_len > MAX_FILE) new_len = MAX_FILE; u8 *new_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), new_len); u32 i, taint = 0; for (i = 0; i < new_len; i++) { - if (afl->taint_map[i] || i > afl->queue_cur->len) + if (i > afl->taint_len || afl->taint_map[i] || i > afl->queue_cur->len) new_buf[i] = out_buf[taint++]; else new_buf[i] = afl->taint_src[i]; |