diff options
| author | realmadsci <71108352+realmadsci@users.noreply.github.com> | 2021-05-06 18:14:16 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-07 00:14:16 +0200 |
| commit | 1d9a3d955cb4b1350ecad1e008b7c24c5ea3af57 (patch) | |
| tree | 7963a76c7c2069df52b30b38b0862953695131c8 /include | |
| parent | 187ca8e18b569cb3396640ac46478f8df46fbbb8 (diff) | |
| download | afl++-1d9a3d955cb4b1350ecad1e008b7c24c5ea3af57.tar.gz | |
Fix memory errors when trim causes testcase growth (#881) (#903)
* Revert "fixed potential double free in custom trim (#881)"
This reverts commit e9d2f72382cab75832721d859c3e731da071435d.
* Revert "fix custom trim for increasing data"
This reverts commit 86a8ef168dda766d2f25f15c15c4d3ecf21d0667.
* Fix memory errors when trim causes testcase growth
Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.
Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.
This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...
* Fix an unlikely situation
Put back some `unlikely()` calls that were in
the e9d2f72382cab75832721d859c3e731da071435d commit that was
reverted.
Diffstat (limited to 'include')
| -rw-r--r-- | include/afl-fuzz.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 040d7ae9..f201782a 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1003,7 +1003,7 @@ void read_afl_environment(afl_state_t *, char **); /* Custom mutators */ void setup_custom_mutators(afl_state_t *); void destroy_custom_mutators(afl_state_t *); -u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 **in_buf, +u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf, struct custom_mutator *mutator); /* Python */ @@ -1093,7 +1093,7 @@ fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); void write_to_testcase(afl_state_t *, void *, u32); u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); void sync_fuzzers(afl_state_t *); -u8 trim_case(afl_state_t *, struct queue_entry *, u8 **); +u8 trim_case(afl_state_t *, struct queue_entry *, u8 *); u8 common_fuzz_stuff(afl_state_t *, u8 *, u32); /* Fuzz one */ |