Fix missed updates of alias table when INTROSPECTION is on - ~cnx/afl++

diff options

author	Takuya Shimizu <shimizu2486@gmail.com>	2024-07-10 21:39:04 +0900
committer	Takuya Shimizu <shimizu2486@gmail.com>	2024-07-10 21:39:04 +0900
commit	02f4f755263bac8a5568e5b65aba940a3e506292 (patch)
tree	64954012749db3e739f4fc3d8a8cd0734ab951eb /src/afl-fuzz-bitmap.c
parent	43f462c91b3699b66e4aa1c5703b30f5189b5618 (diff)
download	afl++-02f4f755263bac8a5568e5b65aba940a3e506292.tar.gz

Fix missed updates of alias table when INTROSPECTION is on

In src/afl-fuzz.c `prev_queued_items` is used to decide whether the alias table should be recreated through the comparison with `afl->queued_items`.
https://github.com/AFLplusplus/AFLplusplus/blob/43f462c91b3699b66e4aa1c5703b30f5189b5618/src/afl-fuzz.c#L3103-L3117

However, this variable is also updated to `afl->queued_items` when INTROSPECTION is enabled and the `fuzz_one` appends seeds.
https://github.com/AFLplusplus/AFLplusplus/blob/43f462c91b3699b66e4aa1c5703b30f5189b5618/src/afl-fuzz.c#L3135-L3140

Due to the update of `prev_queued_items` when INTROSPECTION is on, alias table may not be recreated when it actually should be.

This can lead to potential heap buffer-overflow in `select_next_queue_entry` due to the lack of `afl_realloc` called in `create_alias_table`.

This patch fixes this bug by utilizing another variable for the INTROSPECTION part like other variables such as `prev_saved_tmouts`.

Diffstat (limited to 'src/afl-fuzz-bitmap.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: