authorvan Hauser <vh@thc.org>2019-12-30 22:01:36 +0100
committervan Hauser <vh@thc.org>2019-12-30 22:01:36 +0100
commit878a80de7f5f4fb0733bd48c974b498c0010514e (patch)
tree97351114bfb4fd0d5a1fb8afdea5e08b5dd33afc
parentf7e1397d989762eaf4375d2f79fde09d86e86f72 (diff)
downloadafl++-878a80de7f5f4fb0733bd48c974b498c0010514e.tar.gz
critical bugfix for afl-tmin
-rw-r--r--docs/ChangeLog1
-rw-r--r--include/afl-fuzz.h1
-rw-r--r--src/afl-analyze.c2
-rw-r--r--src/afl-as.c5
-rw-r--r--src/afl-common.c5
-rw-r--r--src/afl-forkserver.c4
-rw-r--r--src/afl-fuzz-globals.c1
-rw-r--r--src/afl-fuzz.c3
-rw-r--r--src/afl-showmap.c12
-rw-r--r--src/afl-tmin.c2
-rw-r--r--test-instr.c1
11 files changed, 29 insertions, 8 deletions
diff --git a/docs/ChangeLog b/docs/ChangeLog
index cad99c9f..3fd29e29 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -17,6 +17,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
Version ++2.59d (develop):
--------------------------
+ - fixed a critical bug in afl-tmin that was introduced during ++2.53d
- added ./experimental/argv_fuzzing ld_preload library by Kjell Braden
- added preeny's desock_dup ld_preload library as
./experimental/socket_fuzzing for network fuzzing
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 39398c18..52352675 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -271,6 +271,7 @@ extern u64 mem_limit; /* Memory cap for child (MB) */
extern u8 cal_cycles, /* Calibration cycles defaults */
cal_cycles_long, /* Calibration cycles defaults */
no_unlink, /* do not unlink cur_input */
+ use_stdin, /* use stdin for sending data */
debug, /* Debug mode */
custom_only, /* Custom mutator only mode */
python_only; /* Python-only mode */
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index f71893d8..850ab99b 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -75,7 +75,7 @@ static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */
static s32 dev_null_fd = -1; /* FD to /dev/null */
-static u8 edges_only, /* Ignore hit counts? */
+u8 edges_only, /* Ignore hit counts? */
use_hex_offsets, /* Show hex offsets? */
use_stdin = 1; /* Use stdin for program input? */
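Review bot: Dropping `static` from the comma-joined declarator on the `edges_only` line gives `edges_only` and `use_hex_offsets` external linkage as well, although only `use_stdin` has to be visible for the `extern u8 use_stdin;` added in afl-common.c and afl-forkserver.c to resolve. Splitting the list keeps the other two file-local: `static u8 edges_only, use_hex_offsets;` followed by `u8 use_stdin = 1;`. The same applies to the `quiet_mode` line in afl-showmap.c and the `crash_mode` line in afl-tmin.c, where removing `static` exports every name in the list (`quiet_mode`, `edges_only`, `raw_instr_output`, `crash_mode`, `exit_crash`, …) for no stated reason.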
diff --git a/src/afl-as.c b/src/afl-as.c
index 8f24c16f..58ca18b7 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -208,8 +208,9 @@ static void edit_params(int argc, char** argv) {
NSS. */
if (strncmp(input_file, tmp_dir, strlen(tmp_dir)) &&
- strncmp(input_file, "/var/tmp/", 9) && strncmp(input_file, "/tmp/", 5)
- && getenv("AFL_AS_FORCE_INSTRUMENT") == NULL)
+ strncmp(input_file, "/var/tmp/", 9) &&
+ strncmp(input_file, "/tmp/", 5) &&
+ getenv("AFL_AS_FORCE_INSTRUMENT") == NULL)
pass_thru = 1;
else if (getenv("AFL_AS_FORCE_INSTRUMENT"))
unsetenv("AFL_AS_FORCE_INSTRUMENT");
diff --git a/src/afl-common.c b/src/afl-common.c
index ec010c2d..99d8d403 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -35,7 +35,8 @@
#include <unistd.h>
#endif
-u8* target_path; /* Path to target binary */
+u8* target_path; /* Path to target binary */
+extern u8 use_stdin;
void detect_file_args(char** argv, u8* prog_in) {
@@ -78,6 +79,8 @@ void detect_file_args(char** argv, u8* prog_in) {
else
aa_subst = alloc_printf("%s/%s", cwd, prog_in);
+ use_stdin = 0;
+
/* Construct a replacement argv value. */
*aa_loc = 0;
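Review bot: The `use_stdin = 0;` inserted after the `aa_subst` assignment gives detect_file_args a side effect on a global that is consumed elsewhere (the `if (!use_stdin)` now in init_forkserver), and nothing in the function's name or at its call sites says so. A one-line comment at the assignment would make the coupling visible: `/* @@ seen: the target reads its input from a file, so init_forkserver must not hand it the testcase on fd 0 */`. detect_file_args starts and ends outside this hunk.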
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 5e20e50b..6c5daa08 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -43,6 +43,8 @@
/* a program that includes afl-forkserver needs to define these */
extern u8 uses_asan;
extern u8 *trace_bits;
+extern u8 use_stdin;
+
extern s32 forksrv_pid, child_pid, fsrv_ctl_fd, fsrv_st_fd;
extern s32 out_fd, out_dir_fd, dev_null_fd; /* initialize these with -1 */
#ifndef HAVE_ARC4RANDOM
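Review bot: The new `extern u8 use_stdin;` in the "a program that includes afl-forkserver needs to define these" list carries no description of what value each tool must keep in it, yet the second hunk of this file makes the stdin redirection in init_forkserver depend on it instead of on `out_file`, so every including program now has to keep the two in step by hand. A comment on the declaration would pin the contract: `extern u8 use_stdin; /* 0: child gets its input via out_file/@@ and fd 0 is /dev/null; 1: child reads the testcase from fd 0 (keep consistent with out_file) */`. The semantics of the `1` case are inferred from the replaced `if (out_file)` condition; the else branch of that `if` is not shown, so confirm before wording it that way. init_forkserver starts and ends outside the second hunk.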
@@ -211,7 +213,7 @@ void init_forkserver(char **argv) {
}
- if (out_file) {
+ if (!use_stdin) {
dup2(dev_null_fd, 0);
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c
index de716098..c731ea96 100644
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@@ -86,6 +86,7 @@ u8 cal_cycles = CAL_CYCLES, /* Calibration cycles defaults */
cal_cycles_long = CAL_CYCLES_LONG, /* Calibration cycles defaults */
debug, /* Debug mode */
no_unlink, /* do not unlink cur_input */
+ use_stdin = 1, /* use stdin for sending data */
custom_only, /* Custom mutator only mode */
python_only; /* Python-only mode */
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index ebc11f01..5effe0f7 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -304,6 +304,7 @@ int main(int argc, char** argv) {
if (out_file) FATAL("Multiple -f options not supported");
out_file = optarg;
+ use_stdin = 0;
break;
case 'x': /* dictionary */
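Review bot: The `use_stdin = 0;` added to the `-f` case is one of three places that now clear the flag in afl-fuzz — this one, the `if (aa_loc && !out_file)` block in the next hunk, and detect_file_args in afl-common.c — each of which must stay in step with `out_file` by hand. If the call order in main allows it, deriving the value once after option parsing and argv substitution, e.g. `use_stdin = (out_file == NULL);`, would leave a single source of truth and make the afl-tmin regression this commit fixes harder to reintroduce. main starts and ends outside both hunks.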
@@ -836,6 +837,8 @@ int main(int argc, char** argv) {
if (aa_loc && !out_file) {
+ use_stdin = 0;
+
if (file_extension) {
out_file = alloc_printf("%s/.cur_input.%s", out_dir, file_extension);
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 94bbd421..393b3772 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -72,11 +72,12 @@ static u32 total, highest; /* tuple content information */
static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */
-static u8 quiet_mode, /* Hide non-essential messages? */
+u8 quiet_mode, /* Hide non-essential messages? */
edges_only, /* Ignore hit counts? */
raw_instr_output, /* Do not apply AFL filters */
cmin_mode, /* Generate output in afl-cmin mode? */
binary_mode, /* Write output as a binary map */
+ use_stdin = 1, /* use stdin - unused here */
keep_cores; /* Allow coredumps? */
static volatile u8 stop_soon, /* Ctrl-C pressed? */
@@ -535,7 +536,7 @@ int main(int argc, char** argv) {
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
- while ((opt = getopt(argc, argv, "+o:m:t:A:eqZQUWbcrh")) > 0)
+ while ((opt = getopt(argc, argv, "+o:f:m:t:A:eqZQUWbcrh")) > 0)
switch (opt) {
@@ -583,6 +584,13 @@ int main(int argc, char** argv) {
break;
+ case 'f': // only in here to avoid a compiler warning for use_stdin
+
+ use_stdin = 0;
+ FATAL("Option -f is not supported in afl-showmap");
+
+ break;
+
case 't':
if (timeout_given) FATAL("Multiple -t options not supported");
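Review bot: The new `case 'f'` exists, per its own comment, only to silence a compiler warning, and the `use_stdin = 0;` placed before `FATAL(...)` is never observable if FATAL does not return. Together with the `f:` added to the getopt string in the previous hunk it also changes the CLI: `-f` now demands an argument and is rejected with a bespoke message rather than through getopt's unknown-option path, while the usage text (not in this hunk) presumably does not list it. Since `use_stdin` is a non-static global referenced from afl-common.c and afl-forkserver.c, an unused-variable warning should not arise in the first place; if one does, `(void)use_stdin;` in main is a cheaper fix than a fake option. The `1` initializer commented "unused here" is also not quite accurate, as detect_file_args clears it when `@@` is present.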
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index b98208f9..798b0527 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -88,7 +88,7 @@ u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */
s32 dev_null_fd = -1; /* FD to /dev/null */
-static u8 crash_mode, /* Crash-centric mode? */
+u8 crash_mode, /* Crash-centric mode? */
exit_crash, /* Treat non-zero exit as crash? */
edges_only, /* Ignore hit counts? */
exact_mode, /* Require path match for crashes? */
diff --git a/test-instr.c b/test-instr.c
index 161bdb8e..0b58eec0 100644
--- a/test-instr.c
+++ b/test-instr.c
@@ -27,6 +27,7 @@ int main(int argc, char** argv) {
if (argc > 1) {
buf = argv[1];
+ printf("Input %s - ", buf);
} else if (read(0, buf, sizeof(buf)) < 1) {