authorh1994st <h1994st@gmail.com>2020-03-30 05:21:01 -0400
committerDominik Maier <domenukk@gmail.com>2020-04-01 13:10:07 +0200
commit61ea39861271fd54a193a14d3adbb72c072df75f (patch)
tree3e4f864f95b0dced8a7c9500e63c0e499d739221 /src/afl-fuzz-one.c
parent64e1d3a975b5d4f017fabdc921cb59128db1c18a (diff)
Fix heap allocation bug
- Reason: `afl->out_size` is not consistent with the actual allocation
of `afl->out_buf`. The deleted line in `src/afl-fuzz-one.c` may change
`afl->out_size`, but `afl->out_buf` is not changed
Diffstat (limited to 'src/afl-fuzz-one.c')
-rw-r--r--src/afl-fuzz-one.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index b1bbad0a..29dd73ad 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1621,8 +1621,6 @@ custom_mutator_stage:
     if (unlikely(!mutated_buf))
       FATAL("Error in custom_fuzz. Size returned: %zd", mutated_size);
 
-    if (mutated_size > len) afl->out_size = mutated_size;
-
     if (mutated_size > 0) {
 
       if (common_fuzz_stuff(afl, mutated_buf, (u32)mutated_size)) {
@@ -1650,6 +1648,8 @@ custom_mutator_stage:
     }
 
     out_buf = ck_maybe_grow(BUF_PARAMS(out), len);
+    // ??? (h1994st): this line may be not necessary, as we do not modify the
+    // content of "out_buf".
     memcpy(out_buf, in_buf, len);
 
   }
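Review bot: The comment added above the `memcpy` leaves an open question ("??? ... may be not necessary") in the source instead of stating the invariant, so the next reader has to re-derive whether the restore is needed. As far as this hunk shows, the `memcpy` re-seeds `out_buf` from `in_buf` after the custom-mutator stage, which is exactly what protects later stages if a mutator wrote into a buffer it was handed (the custom_fuzz call sits above this hunk, so whether `out_buf` is ever passed to it cannot be confirmed here). Either confirm that and delete both the comment and the `memcpy`, or replace the comment with the reason the restore is kept, e.g. `// Restore out_buf from in_buf so the following stages start from the original input, whatever the custom mutator did with the buffer it was given.` Note also that `ck_maybe_grow` on the line before may reallocate; a comment stating whether it preserves contents would make the necessity of the copy obvious. The enclosing `if` block closes at the last line of the hunk, but the function continues outside it.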