fixed potential double free in custom trim (#881)

1 files changed, 17 insertions, 6 deletions

diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index c99d9a4d..d8db8676 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -305,9 +305,13 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
 }
 
-u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
+// Custom testcase trimming.
+u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 **in_buf_p,
                     struct custom_mutator *mutator) {
 
+  // We need to pass pointers around, as growing testcases may need to realloc.
+  u8 *in_buf = *in_buf_p;
+
   u8  needs_write = 0, fault = 0;
   u32 trim_exec = 0;
   u32 orig_len = q->len;
@@ -397,14 +401,21 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
 
     if (likely(retlen && cksum == q->exec_cksum)) {
 
-      if (afl_realloc((void **)&in_buf, retlen) == NULL) {
+      // Check if we got a new retbuf and to memcpy our buf.
+      if (in_buf != retbuf) {
 
-        FATAL("can not allocate memory for trim");
+        if (afl_realloc((void **)in_buf_p, retlen) == NULL) {
 
-      }
+          FATAL("can not allocate memory for trim");
+
+        }
 
-      memcpy(in_buf, retbuf, retlen);
-      q->len = retlen;
+        in_buf = *in_buf_p;
+
+        memcpy(in_buf, retbuf, retlen);
+        q->len = retlen;
+
+      }
 
       /* Let's save a clean trace, which will be needed by
          update_bitmap_score once we're done with the trimming stuff. */