authormchesser <michael.chesser@adelaide.edu.au>2022-03-07 14:39:36 +1030
committermchesser <michael.chesser@adelaide.edu.au>2022-03-07 15:26:54 +1030
commit2a00f32666a847b7babb160bb7c27db59cec9561 (patch)
treeca93691474f2809d28bd79e19e7c151c96143a8e /src/afl-fuzz-redqueen.c
parentc2229b506e045bba1864e8b2f8140c8dc6e83a4d (diff)
Fix buffer overrun in `rtn_extended_encoding`
`idx + i` can range from `0` to `buf.len`, but the memcpy may try to write to offsets from `idx + i` to `idx + 2 * i`.
Diffstat (limited to 'src/afl-fuzz-redqueen.c')
-rw-r--r--src/afl-fuzz-redqueen.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 66df5c6f..2f32ef1e 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -2323,7 +2323,7 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry,
         if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
         // fprintf(stderr, "RTN ATTEMPT fromhex %u result %u\n", fromhex,
         // *status);
-        memcpy(buf + idx + i, save + i, i + 1 + off);
+        memcpy(buf + idx, save, i + 1 + off);
 
       }