diff options
| author | Dominik Maier <domenukk@gmail.com> | 2021-04-30 13:35:24 +0200 |
|---|---|---|
| committer | Dominik Maier <domenukk@gmail.com> | 2021-04-30 13:37:59 +0200 |
| commit | e9d2f72382cab75832721d859c3e731da071435d (patch) | |
| tree | 98f84e58d0ee55d04a4e6d8c4e2ec6fe90075bd8 /src/afl-fuzz-run.c | |
| parent | 758bc770a8f2a35e1ec142f9564f2aeac3ce33bc (diff) | |
| download | afl++-e9d2f72382cab75832721d859c3e731da071435d.tar.gz | |
fixed potential double free in custom trim (#881)
Diffstat (limited to 'src/afl-fuzz-run.c')
| -rw-r--r-- | src/afl-fuzz-run.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 832f17bb..a7b071a5 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -720,7 +720,10 @@ void sync_fuzzers(afl_state_t *afl) { trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of file size, to keep the stage short and sweet. */ -u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { +u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 **in_buf_p) { + + // We need to pass pointers around, as growing testcases may need to realloc. + u8 *in_buf = *in_buf_p; u32 orig_len = q->len; @@ -734,7 +737,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { if (el->afl_custom_trim) { - trimmed_case = trim_case_custom(afl, q, in_buf, el); + trimmed_case = trim_case_custom(afl, q, in_buf_p, el); + in_buf = *in_buf_p; custom_trimmed = true; } |