fix laf string transform crash

author: vanhauser-thc <vh@thc.org> 2021-03-05 10:05:43 +0100
committer: vanhauser-thc <vh@thc.org> 2021-03-05 10:05:43 +0100
commit: 3342aa751d8e9102449e1739b38a25c40ab18e81 (patch)
tree: 7afcfab5751461d5bc0bceec07c9b0d98155e118 /instrumentation/compare-transform-pass.so.cc
parent: a2f40aa285faa75e78ac1ffffe8d79e2ac1a40da (diff)
download: afl++-3342aa751d8e9102449e1739b38a25c40ab18e81.tar.gz
1 files changed, 9 insertions, 2 deletions
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index a85522a2..3ecba4e6 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -316,7 +316,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
               uint64_t len = ilen->getZExtValue();
               // if len is zero this is a pointless call but allow real
               // implementation to worry about that
-              if (!len) continue;
+              if (len < 2) continue;
 
               if (isMemcmp) {
 
@@ -420,8 +420,15 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
 
     }
 
+    if (TmpConstStr.length() < 2 ||
+        (TmpConstStr.length() == 2 && !TmpConstStr[1])) {
+
+      continue;
+
+    }
+
     // add null termination character implicit in c strings
-    if (TmpConstStr[TmpConstStr.length() - 1] != 0) {
+    if (!isMemcmp && TmpConstStr[TmpConstStr.length() - 1]) {
 
       TmpConstStr.append("\0", 1);
author	vanhauser-thc <vh@thc.org>	2021-03-05 10:05:43 +0100
committer	vanhauser-thc <vh@thc.org>	2021-03-05 10:05:43 +0100
commit	3342aa751d8e9102449e1739b38a25c40ab18e81 (patch)
tree	7afcfab5751461d5bc0bceec07c9b0d98155e118 /instrumentation/compare-transform-pass.so.cc
parent	a2f40aa285faa75e78ac1ffffe8d79e2ac1a40da (diff)
download	afl++-3342aa751d8e9102449e1739b38a25c40ab18e81.tar.gz