fix laf string transform crash

author: vanhauser-thc <vh@thc.org> 2021-03-05 10:05:43 +0100
committer: vanhauser-thc <vh@thc.org> 2021-03-05 10:05:43 +0100
commit: 3342aa751d8e9102449e1739b38a25c40ab18e81 (patch)
tree: 7afcfab5751461d5bc0bceec07c9b0d98155e118 /instrumentation/afl-llvm-dict2file.so.cc
parent: a2f40aa285faa75e78ac1ffffe8d79e2ac1a40da (diff)
download: afl++-3342aa751d8e9102449e1739b38a25c40ab18e81.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index 885aa035..c954054b 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -521,14 +521,18 @@ bool AFLdict2filePass::runOnModule(Module &M) {
 
           optLen = thestring.length();
 
+          if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
+
           if (isMemcmp || isStrncmp || isStrncasecmp) {
 
             Value *      op2 = callInst->getArgOperand(2);
             ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+
             if (ilen) {
 
               uint64_t literalLength = optLen;
               optLen = ilen->getZExtValue();
+              if (optLen < 2) { continue; }
               if (literalLength + 1 == optLen) {  // add null byte
                 thestring.append("\0", 1);
                 addedNull = true;
author	vanhauser-thc <vh@thc.org>	2021-03-05 10:05:43 +0100
committer	vanhauser-thc <vh@thc.org>	2021-03-05 10:05:43 +0100
commit	3342aa751d8e9102449e1739b38a25c40ab18e81 (patch)
tree	7afcfab5751461d5bc0bceec07c9b0d98155e118 /instrumentation/afl-llvm-dict2file.so.cc
parent	a2f40aa285faa75e78ac1ffffe8d79e2ac1a40da (diff)
download	afl++-3342aa751d8e9102449e1739b38a25c40ab18e81.tar.gz