authorvan Hauser <vh@thc.org>2020-08-11 11:16:48 +0200
committervan Hauser <vh@thc.org>2020-08-11 11:16:48 +0200
commit4f695b6f4c3ced165703363904e42492fca82112 (patch)
tree9de194f90da699d1d99cb2debae7f22989a7d616 /src
parent3ec1b2374336d0b98aa4fc586cd5bc601b711821 (diff)
downloadafl++-4f695b6f4c3ced165703363904e42492fca82112.tar.gz
fixes
Diffstat (limited to 'src')
-rw-r--r--src/afl-common.c4
-rw-r--r--src/afl-fuzz-bitmap.c2
-rw-r--r--src/afl-fuzz-queue.c78
-rw-r--r--src/afl-fuzz-stats.c5
4 files changed, 61 insertions, 28 deletions
diff --git a/src/afl-common.c b/src/afl-common.c
index c1302080..cefed8dc 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -471,8 +471,8 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) {
u64 get_cur_time(void) {
- static struct timeval tv;
- static struct timezone tz;
+ struct timeval tv;
+ struct timezone tz;
gettimeofday(&tv, &tz);
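Review bot: With `static` dropped, `tv` is no longer zero-initialized, and the `gettimeofday` call on the last line of the hunk is still unchecked, so a failing call leaves `tv` indeterminate for the arithmetic that follows (which is outside the hunk). Initialize the struct, `struct timeval tv = {0};`, or check the return value and fail loudly instead of computing a time from garbage. The `struct timezone` argument is obsolete on POSIX systems and can be passed as `NULL`, which also removes `tz` from the function entirely. get_cur_time's body continues outside the hunk.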
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 9f58d604..d273818d 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -245,6 +245,8 @@ u32 count_bytes_len(afl_state_t *afl, u8 *mem, u32 len) {
(void)(afl);
+ if (len % 4) i++;
+
while (i--) {
u32 v = *(ptr++);
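Review bot: The rounding-up on the added line makes the loop below read one extra u32 when `len` is not a multiple of four, i.e. up to three bytes past `len` in `mem`; whether that read is in bounds and whether those bytes are zero depends on how the caller sized the buffer, which is not visible here (the initialization of `i` is above the hunk). Either document the assumption, `/* len is rounded up to whole u32 words; mem must be readable (and zero) up to the next 4-byte boundary */`, or mask the tail word so bytes past `len` cannot contribute to the count. count_bytes_len's body starts before and continues after the hunk.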
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index f4b58a9d..b56e10f8 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -125,42 +125,64 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
if (afl_fsrv_run_target(&afl->taint_fsrv, afl->fsrv.exec_tmout,
&afl->stop_soon) == 0) {
- bytes = count_bytes_len(afl, afl->taint_fsrv.trace_bits, plen);
+ bytes = q->taint_bytes_all =
+ count_bytes_len(afl, afl->taint_fsrv.trace_bits, plen);
if (afl->debug)
fprintf(stderr, "Debug: tainted %u out of %u bytes\n", bytes, len);
- if (bytes) {
+ /* DEBUG FIXME TODO XXX */
+ u32 i;
+ for (i = 0; i < len; i++) {
- s32 i = len;
- while (i > 0 && !afl->taint_fsrv.trace_bits[i - 1])
- i--;
- q->taint_bytes_highest = i;
+ if (afl->taint_fsrv.trace_bits[i] &&
+ afl->taint_fsrv.trace_bits[i] != '!')
+ FATAL("invalid taint map value %02x at pos %d",
+ afl->taint_fsrv.trace_bits[i], i);
}
- }
+ if (len < plen)
+ for (i = len; i < plen; i++) {
- if (((bytes * 100) / len) < 90) {
+ if (afl->taint_fsrv.trace_bits[i])
+ FATAL("invalid taint map value %02x in padding at pos %d",
+ afl->taint_fsrv.trace_bits[i], i);
- // we only use the taint havoc mode if the entry has less than 90% of
- // overall tainted bytes
- q->taint_bytes_all = bytes;
+ }
+
+ }
+
+ // if all is tainted we do not need to write taint data away
+ if (bytes && bytes < len) {
// save the bytes away
int w = open(q->fname_taint, O_CREAT | O_WRONLY, 0644);
if (w >= 0) {
- ck_write(w, afl->taint_fsrv.trace_bits, plen, q->fname_taint);
+ ck_write(w, afl->taint_fsrv.trace_bits, len, q->fname_taint);
close(w);
+ // find the highest tainted offset in the input (for trim opt)
+ s32 i = len;
+ while (i > 0 && !afl->taint_fsrv.trace_bits[i - 1])
+ i--;
+ q->taint_bytes_highest = i;
+
+ afl->taint_count++;
+
} else {
FATAL("could not create %s", q->fname_taint);
- bytes = 0;
+ q->taint_bytes_all = bytes = 0;
}
- if (bytes && prev && prev->taint_bytes_all) {
+ // it is possible that there is no main taint file - if the whole file
+ // is tainted - but a .new taint file if it had new tainted bytes
+
+ // check if there is a previous queue entry and if it had taint
+ if (bytes && prev && prev->taint_bytes_all &&
+ prev->taint_bytes_all < prev->len) {
// check if there are new bytes in the taint vs the previous
int r = open(prev->fname_taint, O_RDONLY);
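Review bot: `s32 i = len;` inside the `if (w >= 0)` block shadows the `u32 i` declared earlier in the same hunk, and the narrowing to s32 is unnecessary since the loop only tests `i > 0`; reuse the outer variable with `i = len; while (i > 0 && !afl->taint_fsrv.trace_bits[i - 1]) i--;`. The two FATAL calls print the u32 `i` with `%d`; `%u` matches the type. `q->taint_bytes_highest` is now only updated on the file-write path, so an entry whose `bytes` equals `len` keeps whatever value the field held before, which may be intended but differs from the removed code. The validation loops are marked `DEBUG FIXME TODO XXX` and abort the whole fuzzer on an unexpected map byte; if they are meant to stay, a comment stating the invariant (`/* the taint map holds only 0 or '!' */`) would make that explicit. perform_taint_run's body continues outside the hunk.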
@@ -181,14 +203,28 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
q->taint_bytes_new = count_bytes_len(afl, tmp, plen);
+ if (afl->debug)
+ fprintf(stderr, "Debug: %u new taint out of %u bytes\n", bytes,
+ len);
+
if (q->taint_bytes_new) {
u8 *fnw = alloc_printf("%s.new", q->fname_taint);
- int w = open(fnw, O_CREAT | O_WRONLY, 0644);
- if (w >= 0) {
+ if (fnw) {
+
+ int w = open(fnw, O_CREAT | O_WRONLY, 0644);
+ if (w >= 0) {
+
+ ck_write(w, tmp, plen, fnw);
+ close(w);
- ck_write(w, tmp, plen, fnw);
- close(w);
+ } else {
+
+ q->taint_bytes_new = 0;
+
+ }
+
+ ck_free(fnw);
} else {
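Review bot: The added debug message labelled "new taint" prints `bytes`, the total tainted count from earlier in the function, rather than `q->taint_bytes_new` computed on the line just above it; change it to `fprintf(stderr, "Debug: %u new taint out of %u bytes\n", q->taint_bytes_new, len);`. The `if (fnw)` guard is harmless, but if alloc_printf aborts on allocation failure (as the ck_* family does elsewhere in the code base) it is dead code and suggests a NULL path that does not exist. perform_taint_run's body continues outside the hunk.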
@@ -196,8 +232,6 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
}
- ck_free(fnw);
-
}
munmap(bufr, prev->len);
@@ -210,10 +244,6 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
}
- } else {
-
- bytes = 0;
-
}
memcpy(afl->taint_fsrv.trace_bits, save, afl->fsrv.map_size);
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index aeb290bd..0cc06e12 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -116,6 +116,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
"edges_found : %u\n"
"var_byte_count : %u\n"
"havoc_expansion : %u\n"
+ "tainted_inputs : %u\n"
"afl_banner : %s\n"
"afl_version : " VERSION
"\n"
@@ -149,8 +150,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
#else
-1,
#endif
- t_bytes, afl->var_byte_count, afl->expand_havoc, afl->use_banner,
- afl->unicorn_mode ? "unicorn" : "",
+ t_bytes, afl->var_byte_count, afl->expand_havoc, afl->taint_count,
+ afl->use_banner, afl->unicorn_mode ? "unicorn" : "",
afl->fsrv.qemu_mode ? "qemu " : "",
afl->non_instrumented_mode ? " non_instrumented " : "",
afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
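Review bot: The new `tainted_inputs` field reports `afl->taint_count`, which in src/afl-fuzz-queue.c in this same commit is incremented only when a partial taint file is written (`bytes && bytes < len`), so inputs whose bytes are all tainted are not counted; either the name should reflect that or the counter should be incremented for every input with a non-zero taint result. The `%u` conversion added in the format-string hunk above assumes `taint_count` is a u32; its declaration is not in this diff, so worth confirming. write_stats_file's body continues outside the hunk.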