authorvan Hauser <vh@thc.org>2020-08-10 13:03:59 +0200
committervan Hauser <vh@thc.org>2020-08-10 13:03:59 +0200
commit9c953ab51ff22b2fc3e1b73e6563211e7676b62e (patch)
tree7c945162e2f8a6eec1bca944308866f521c8f33f
parentf181a8307b9544a24e2c737e748e9ff34e8620e1 (diff)
downloadafl++-9c953ab51ff22b2fc3e1b73e6563211e7676b62e.tar.gz
memory grab at startup to prevent crashes
-rw-r--r--src/afl-fuzz-one.c18
-rw-r--r--src/afl-fuzz.c11
2 files changed, 20 insertions, 9 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index c664f281..75687703 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -564,7 +564,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
single byte anyway, so it wouldn't give us any performance or memory usage
benefits. */
- out_buf = ck_maybe_grow(BUF_PARAMS(out), len + 4096);
+ out_buf = ck_maybe_grow(BUF_PARAMS(out), len);
afl->subseq_tmouts = 0;
@@ -1637,7 +1637,7 @@ skip_interest:
orig_hit_cnt = new_hit_cnt;
- ex_tmp = ck_maybe_grow(BUF_PARAMS(ex), len + MAX_DICT_FILE + 4096);
+ ex_tmp = ck_maybe_grow(BUF_PARAMS(ex), len + MAX_DICT_FILE);
for (i = 0; i <= (u32)len; ++i) {
@@ -1811,7 +1811,7 @@ custom_mutator_stage:
fd = open(target->fname, O_RDONLY);
if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", target->fname); }
- new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), target->len + 4096);
+ new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), target->len);
ck_read(fd, new_buf, target->len, target->fname);
close(fd);
@@ -1986,7 +1986,7 @@ havoc_stage:
temp_len = new_len;
if (out_buf != custom_havoc_buf) {
- ck_maybe_grow(BUF_PARAMS(out), temp_len + 4096);
+ ck_maybe_grow(BUF_PARAMS(out), temp_len);
memcpy(out_buf, custom_havoc_buf, temp_len);
}
@@ -2235,7 +2235,7 @@ havoc_stage:
clone_to = rand_below(afl, temp_len);
new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch),
- temp_len + clone_len + 4096);
+ temp_len + clone_len);
/* Head */
@@ -2402,7 +2402,7 @@ havoc_stage:
if (temp_len + extra_len >= MAX_FILE) { break; }
out_buf =
- ck_maybe_grow(BUF_PARAMS(out), temp_len + extra_len + 4096);
+ ck_maybe_grow(BUF_PARAMS(out), temp_len + extra_len);
/* Tail */
memmove(out_buf + insert_at + extra_len, out_buf + insert_at,
@@ -2498,7 +2498,7 @@ havoc_stage:
clone_to = rand_below(afl, temp_len);
u8 *temp_buf = ck_maybe_grow(BUF_PARAMS(out_scratch),
- temp_len + clone_len + 4096);
+ temp_len + clone_len);
/* Head */
@@ -2533,7 +2533,7 @@ havoc_stage:
/* out_buf might have been mangled a bit, so let's restore it to its
original size and shape. */
- out_buf = ck_maybe_grow(BUF_PARAMS(out), len + 4096);
+ out_buf = ck_maybe_grow(BUF_PARAMS(out), len);
temp_len = len;
memcpy(out_buf, in_buf, len);
@@ -2660,7 +2660,7 @@ retry_splicing:
swap_bufs(BUF_PARAMS(in), BUF_PARAMS(in_scratch));
in_buf = new_buf;
- out_buf = ck_maybe_grow(BUF_PARAMS(out), len + 4096);
+ out_buf = ck_maybe_grow(BUF_PARAMS(out), len);
memcpy(out_buf, in_buf, len);
goto custom_mutator_stage;
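Review bot: Dropping the `+ 4096` headroom from every ck_maybe_grow call in this file turns each request into an exact-size one, and the reason that is safe — the buffers are pre-grown to MAX_FILE + 4096 in main() by the companion hunk in src/afl-fuzz.c, and maybe_grow presumably never shrinks a buffer it already holds — is stated nowhere in fuzz_one_original, so the first site (`out_buf = ck_maybe_grow(BUF_PARAMS(out), len);`) deserves a comment: `/* No slack here: afl->*_buf are pre-grown to MAX_FILE + 4096 in main(), and ck_maybe_grow never shrinks. */`. Two things worth confirming: the `in` buffer is not in the startup pre-grow list, and `swap_bufs(BUF_PARAMS(in), BUF_PARAMS(in_scratch))` in the retry_splicing hunk means `in_scratch` can afterwards hold a buffer that was never pre-grown, so any later write past a requested size into `in_scratch` has lost its cushion. Likewise the custom_mutator_stage `ck_read(fd, new_buf, target->len, target->fname)` now reads into a request of exactly `target->len` bytes, which is fine only if nothing appends to that buffer before the next grow. Every enclosing function continues outside these hunks.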
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 2b9af94c..5cdd0292 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1305,6 +1305,17 @@ int main(int argc, char **argv_orig, char **envp) {
OKF("Taint forkserver successfully started");
+#define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size
+ u8 *tmp1 = ck_maybe_grow(BUF_PARAMS(eff), MAX_FILE + 4096);
+ u8 *tmp2 = ck_maybe_grow(BUF_PARAMS(ex), MAX_FILE + 4096);
+ u8 *tmp3 = ck_maybe_grow(BUF_PARAMS(in_scratch), MAX_FILE + 4096);
+ u8 *tmp4 = ck_maybe_grow(BUF_PARAMS(out), MAX_FILE + 4096);
+ u8 *tmp5 = ck_maybe_grow(BUF_PARAMS(out_scratch), MAX_FILE + 4096);
+#undef BUF_PARAMS
+
+ if (!tmp1 || !tmp2 || !tmp3 || !tmp4 || !tmp5)
+ FATAL("memory issues. me hungry, feed me!");
+
}
perform_dry_run(afl);
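Review bot: The `if (!tmp1 || !tmp2 || !tmp3 || !tmp4 || !tmp5)` check after the five pre-grow calls is likely dead: the other `ck_`-prefixed allocators in AFL++ abort internally on failure, and if ck_maybe_grow does the same the FATAL can never fire — worth confirming against its definition, in which case the five temporaries and the check can go, leaving bare `ck_maybe_grow(...)` calls. If the check stays, `"memory issues. me hungry, feed me!"` should say what was requested, e.g. `FATAL("unable to pre-allocate %u bytes per fuzzing buffer", (unsigned)(MAX_FILE + 4096));`, and the body should be braced like the rest of the project (`{ PFATAL(...); }` in afl-fuzz-one.c). The local `#define BUF_PARAMS` / `#undef` pair duplicates the macro afl-fuzz-one.c already uses; one definition in a shared header keeps the two from drifting. A one-line comment, `/* Pre-grow the mutation buffers so fuzz_one can request exact sizes without per-call slack. */`, would also record the invariant the afl-fuzz-one.c changes in this commit now depend on. main() continues outside the hunk.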