authorvanhauser-thc <vh@thc.org>2023-03-09 13:57:03 +0100
committervanhauser-thc <vh@thc.org>2023-03-09 13:57:03 +0100
commite0866f51c7984c28866e7acdb153b5304c5cf7da (patch)
tree43449a7ccf85d33bbfd6375290b23d940b6e767d
parentaa125f824619fe3c3ebf5ed8a571340397a7c46a (diff)
downloadafl++-e0866f51c7984c28866e7acdb153b5304c5cf7da.tar.gz
support LLVMFuzzerTestOneInput -1 return
-rw-r--r--docs/Changelog.md2
-rw-r--r--test/test-cmplog.c2
-rw-r--r--utils/aflpp_driver/aflpp_driver.c13
-rw-r--r--utils/aflpp_driver/aflpp_driver_test.c13
4 files changed, 23 insertions, 7 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index f4fa4382..5287d038 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -7,10 +7,12 @@
   - afl-fuzz:
     - ensure temporary file descriptor is closed when not used
     - added `AFL_NO_WARN_INSTABILITY`
+    - added `AFL_FRIDA_STATS_INTERVAL`
   - afl-cc:
     - add CFI sanitizer variant to gcc targets
     - llvm 16 support (thanks to @devnexen!)
     - support llvm 15 native pcguard changes
+    - support for LLVMFuzzerTestOneInput -1 return
   - qemu_mode:
     - fix _RANGES envs to allow hyphens in the filenames
   - new custom module: autotoken, grammar free fuzzer for text inputs
diff --git a/test/test-cmplog.c b/test/test-cmplog.c
index d724ecaf..bd1b73e3 100644
--- a/test/test-cmplog.c
+++ b/test/test-cmplog.c
@@ -8,7 +8,7 @@
 
 int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) {
 
-  if (i < 30) return 0;
+  if (i < 30) return -1;
   if (buf[0] != 'A') return 0;
   if (buf[1] != 'B') return 0;
   if (buf[2] != 'C') return 0;
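Review bot: The changed line now returns -1 for inputs shorter than 30 bytes without saying what that value means to the driver; a comment such as `// -1: report the input as uninteresting so the driver discards its coverage` would keep the test self-explaining. The remaining `return 0` lines for mismatching bytes still count as ordinary runs, which looks intentional for a cmplog test but is worth stating next to the changed line. LLVMFuzzerTestOneInput continues past this hunk.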
diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c
index 03376b6a..f08c9864 100644
--- a/utils/aflpp_driver/aflpp_driver.c
+++ b/utils/aflpp_driver/aflpp_driver.c
@@ -58,10 +58,15 @@ $AFL_HOME/afl-fuzz -i IN -o OUT ./a.out
   #include "hash.h"
 #endif
 
+// AFL++ shared memory fuzz cases
 int                   __afl_sharedmem_fuzzing = 1;
 extern unsigned int  *__afl_fuzz_len;
 extern unsigned char *__afl_fuzz_ptr;
 
+// AFL++ coverage map
+extern unsigned char *__afl_area_ptr;
+extern unsigned int   __afl_map_size;
+
 // libFuzzer interface is thin, so we don't include any libFuzzer headers.
 __attribute__((weak)) int LLVMFuzzerTestOneInput(const uint8_t *Data,
                                                  size_t         Size);
@@ -375,7 +380,13 @@ int LLVMFuzzerRunDriver(int *argcp, char ***argvp,
         }
 
         prev_length = length;
-        (void)callback(__afl_fuzz_ptr, length);
+
+        if (unlikely(callback(__afl_fuzz_ptr, length) == -1)) {
+
+          memset(__afl_area_ptr, 0, __afl_map_size);
+          __afl_area_ptr[0] = 1;
+
+        }
 
       }
 
diff --git a/utils/aflpp_driver/aflpp_driver_test.c b/utils/aflpp_driver/aflpp_driver_test.c
index 527ba57b..7cffa4a1 100644
--- a/utils/aflpp_driver/aflpp_driver_test.c
+++ b/utils/aflpp_driver/aflpp_driver_test.c
@@ -2,9 +2,9 @@
 #include <stdlib.h>
 #include <stdint.h>
 
-void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
+int __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
 
-  if (Size < 5) return;
+  if (Size < 5) return -1;
 
   if (Data[0] == 'F')
     if (Data[1] == 'A')
@@ -12,13 +12,16 @@ void __attribute__((noinline)) crashme(const uint8_t *Data, size_t Size) {
         if (Data[3] == '$')
           if (Data[4] == '$') abort();
 
+  return 0;
+
 }
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 
-  if (Size) crashme(Data, Size);
-
-  return 0;
+  if (Size)
+    return crashme(Data, Size);
+  else
+    return -1;
 
 }
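Review bot: The `else` after a `return` on the changed lines of LLVMFuzzerTestOneInput is redundant; `if (Size) return crashme(Data, Size);` followed by `return -1;` reads more plainly and avoids the unbraced if/else pair. A short comment on the `return -1` line noting that empty inputs are reported to the driver as uninteresting, matching what crashme does for `Size < 5` in the earlier hunk, would make the intent explicit. crashme's body begins before this hunk.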