fix laf string transform crash

author: vanhauser-thc <vh@thc.org> 2021-03-05 10:05:43 +0100
committer: vanhauser-thc <vh@thc.org> 2021-03-05 10:05:43 +0100
commit: 3342aa751d8e9102449e1739b38a25c40ab18e81 (patch)
tree: 7afcfab5751461d5bc0bceec07c9b0d98155e118 /instrumentation/SanitizerCoverageLTO.so.cc
parent: a2f40aa285faa75e78ac1ffffe8d79e2ac1a40da (diff)
download: afl++-3342aa751d8e9102449e1739b38a25c40ab18e81.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index 849b6eef..13a5e5fd 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -849,15 +849,18 @@ bool ModuleSanitizerCoverage::instrumentModule(
               thestring = Str2;
 
             optLen = thestring.length();
+            if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
 
             if (isMemcmp || isStrncmp || isStrncasecmp) {
 
               Value *      op2 = callInst->getArgOperand(2);
               ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+
               if (ilen) {
 
                 uint64_t literalLength = optLen;
                 optLen = ilen->getZExtValue();
+                if (optLen < 2) { continue; }
                 if (literalLength + 1 == optLen) {  // add null byte
                   thestring.append("\0", 1);
                   addedNull = true;
author	vanhauser-thc <vh@thc.org>	2021-03-05 10:05:43 +0100
committer	vanhauser-thc <vh@thc.org>	2021-03-05 10:05:43 +0100
commit	3342aa751d8e9102449e1739b38a25c40ab18e81 (patch)
tree	7afcfab5751461d5bc0bceec07c9b0d98155e118 /instrumentation/SanitizerCoverageLTO.so.cc
parent	a2f40aa285faa75e78ac1ffffe8d79e2ac1a40da (diff)
download	afl++-3342aa751d8e9102449e1739b38a25c40ab18e81.tar.gz