diff options
| author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-07-22 17:04:57 +0200 |
|---|---|---|
| committer | Andrea Fioraldi <andreafioraldi@gmail.com> | 2020-07-22 17:04:57 +0200 |
| commit | a46a733dbee6defce6770d79e8e001430e76fe18 (patch) | |
| tree | ccde8adf7f34b907bf53cfd7b457bdefaba18944 /src | |
| parent | b015e4f07aabb39e1683406704f2aae1f7dcde4a (diff) | |
| download | afl++-a46a733dbee6defce6770d79e8e001430e76fe18.tar.gz | |
fix bugs
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-fuzz-one.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index a0ecb7a9..69671f71 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -802,6 +802,8 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { for (u32 j = pos; j < temp_len; ++j) { if (isdigit(new_buf[j])) { + new_buf[temp_len] = 0; // should be safe thanks to the initial grow + u8* endptr; unsigned long long num = strtoull(new_buf +j, (char**)&endptr, 0); @@ -839,19 +841,20 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { size_t num_len = snprintf(NULL, 0, fmt, num); size_t old_len = endptr - (new_buf +j); if (num_len < old_len) { - memmove(new_buf +j +num_len, endptr, temp_len - (endptr - new_buf)); + memmove(new_buf +j +num_len, new_buf +j +old_len, temp_len - (j + old_len)); snprintf(new_buf +j, num_len, fmt, num); temp_len -= old_len - num_len; } else if (num_len == old_len) { snprintf(new_buf +j, num_len, fmt, num); } else { - new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + (num_len - old_len)); - memmove(new_buf +j +num_len, endptr, temp_len - (endptr - new_buf)); + new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + (num_len - old_len) + AFL_TXT_STRING_MAX_MUTATIONS +1); + memmove(new_buf +j +num_len, new_buf +j +old_len, temp_len - (j + old_len)); snprintf(new_buf +j, num_len, fmt, num); temp_len += num_len - old_len; } yes += 1; + break; } } @@ -859,7 +862,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { } } - + } if (yes == 0 || temp_len <= 0) { return 0; } @@ -867,7 +870,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) { swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); *out_buf = new_buf; *orig_temp_len = temp_len; - + return 1; } |