diff options
| author | Dominik Maier <domenukk@gmail.com> | 2020-06-15 11:07:57 +0200 |
|---|---|---|
| committer | Dominik Maier <domenukk@gmail.com> | 2020-06-15 11:07:57 +0200 |
| commit | acb0a2f027c7dfcca05596ba316d56532f6dbd19 (patch) | |
| tree | f85ba29864239a4b12d830d0b82de0ba4d565930 | |
| parent | 43bbbbf4e0a0be1c1c612afa2d6aafa0cae2033a (diff) | |
| download | afl++-acb0a2f027c7dfcca05596ba316d56532f6dbd19.tar.gz | |
fixed potential bugs
| -rw-r--r-- | src/afl-fuzz-one.c | 16 | ||||
| -rw-r--r-- | src/afl-fuzz-redqueen.c | 4 |
2 files changed, 12 insertions, 8 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index d4083c07..a247a837 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -3846,12 +3846,13 @@ pacemaker_fuzzing: is redundant, or if its entire span has no bytes set in the effector map. */ + /* AFLpp: in puppet mode, eff_map is 0. */ if ((afl->extras_cnt > MAX_DET_EXTRAS && rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || afl->extras[j].len > len - i || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->extras[j].len))) { + (eff_map && !memchr(eff_map + EFF_APOS(i), 1, + EFF_SPAN_ALEN(i, afl->extras[j].len)))) { afl->stage_max--; continue; @@ -3954,11 +3955,12 @@ pacemaker_fuzzing: /* See the comment in the earlier code; afl->extras are sorted by * size. */ + /* AFLpp: in puppet mode, eff_map is 0. */ if (afl->a_extras[j].len > len - i || !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->a_extras[j].len))) { + (eff_map && !memchr(eff_map + EFF_APOS(i), 1, + EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { afl->stage_max--; continue; @@ -3984,13 +3986,15 @@ pacemaker_fuzzing: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; - skip_extras_v2: - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + // AFLpp: Never read: skip_extras_v2: + // new_hit_cnt = afl->queued_paths + afl->unique_crashes; } } +skip_extras_v2: + afl->stage_cur_byte = -1; /* The havoc stage mutation code is also invoked when splicing files; if the diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 7251550c..43850eb5 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -180,7 +180,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) { while (ranges) { rng = ranges; - ranges = ranges->next; + ranges = rng->next; ck_free(rng); rng = NULL; @@ -224,7 +224,7 @@ checksum_fail: while (ranges) { rng = ranges; - ranges = ranges->next; + ranges = rng->next; ck_free(rng); rng = NULL; |