| author | van Hauser <vh@thc.org> | 2020-10-12 04:03:42 +0200 | 
|---|---|---|
| committer | van Hauser <vh@thc.org> | 2020-10-12 04:03:42 +0200 | 
| commit | d6da5605c80d65091375c08ae5389d14d671500a (patch) | |
| tree | ab71cd8878ecd20c7ecea213a15b9d425f9fe7e1 /src | |
| parent | b7e0490bcdaa7fa792a9dccfa5983e03af92730e (diff) | |
| download | afl++-d6da5605c80d65091375c08ae5389d14d671500a.tar.gz | |
fix splicing selection
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-fuzz-one.c | 47 | 
1 files changed, 8 insertions, 39 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 6ef728e0..fc092f8d 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1712,9 +1712,9 @@ custom_mutator_stage:
tid = rand_below(afl, afl->queued_paths);
- } while (unlikely(tid == afl->current_entry &&
+ } while (unlikely(tid == afl->current_entry ||
- afl->queue_buf[tid]->len >= 4));
+ afl->queue_buf[tid]->len < 4));
target = afl->queue_buf[tid];
afl->splicing_with = tid;
@@ -1872,7 +1872,7 @@ havoc_stage:
u32 r_max, r;
- if (unlikely(afl->expand_havoc)) {
+ if (unlikely(afl->expand_havoc && afl->ready_for_splicing_count > 1)) {
/* add expensive havoc cases here, they are activated after a full cycle without finds happened */
@@ -2323,24 +2323,15 @@ havoc_stage:
/* Overwrite bytes with a randomly selected chunk from another testcase or insert that chunk. */
- if (afl->queued_paths < 4) break;
-
/* Pick a random queue entry and seek to it. */
u32 tid;
do
tid = rand_below(afl, afl->queued_paths);
- while (tid == afl->current_entry);
+ while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
struct queue_entry *target = afl->queue_buf[tid];
- /* Make sure that the target has a reasonable length. */
-
- while (target && (target->len < 2 || target == afl->queue_cur))
- target = target->next;
-
- if (!target) break;
-
/* Read the testcase into a new buffer. */
fd = open(target->fname, O_RDONLY);
@@ -2480,7 +2471,7 @@ havoc_stage:
retry_splicing:
if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES &&
- afl->queued_paths > 1 && afl->queue_cur->len > 1) {
+ afl->ready_for_splicing_count > 1 && afl->queue_cur->len >= 4) {
struct queue_entry *target;
u32 tid, split_at;
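Review bot: The rewritten do/while in the first hunk (line 1712) only terminates if some entry other than `afl->current_entry` has `len >= 4`; the condition that gates this selection is outside the hunk, so it needs to require that (for example `afl->ready_for_splicing_count > 1`, as the retry_splicing hunk at line 2480 now does) rather than merely `afl->queued_paths > 1`, or a queue of short seeds spins forever here. The same rejection loop is now spelled out at lines 1712, 2323, 2503 and 4511; one static helper would keep the four sites from drifting apart again, which is exactly what the old `&&` / `>= 4` inversion was. Call sites would become `tid = pick_splice_target(afl);`. The enclosing custom-mutator block starts and ends outside the hunk.
```c
/* Pick a random queue entry other than the current one that is long
   enough to splice with.  The caller must guarantee that such an entry
   exists (afl->ready_for_splicing_count > 1); otherwise this never
   returns. */
static u32 pick_splice_target(afl_state_t *afl) {

  u32 tid;

  do {

    tid = rand_below(afl, afl->queued_paths);

  } while (unlikely(tid == afl->current_entry ||
                    afl->queue_buf[tid]->len < 4));

  return tid;

}
```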
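Review bot: The comment below the changed condition at line 1872 still describes only the "full cycle without finds" trigger, while the new `afl->ready_for_splicing_count > 1` term adds a second precondition that the comment should state, since the cases it presumably unlocks pick another queue entry of at least 4 bytes (the loop in the hunk at line 2323). Suggested wording: `/* add expensive havoc cases here, they are activated after a full cycle without finds happened and only when at least one other queue entry is long enough (>= 4 bytes) to take a chunk from */`. Whether `ready_for_splicing_count` includes the current entry is not visible here; either way `> 1` guarantees at least one other eligible entry, because the current entry can only be counted when its own `len >= 4`.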
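Review bot: Dropping `if (afl->queued_paths < 4) break;` at line 2323 leaves this case with no local termination guarantee: the do/while now relies on the case being reachable only through the `expand_havoc && ready_for_splicing_count > 1` check from the hunk at line 1872, which is outside this hunk and presumably is what extends r_max to cover it. That coupling should be stated at the loop, e.g. `/* Terminates because this case is only reachable when afl->ready_for_splicing_count > 1 (see the expand_havoc check above). */`, so a later change to the r_max logic does not silently turn it into an endless loop. It is also unbounded rejection sampling (on average about `queued_paths / eligible` draws per call), acceptable only as long as entries of 4 bytes or more dominate the queue. The switch case continues outside the hunk.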
@@ -2503,22 +2494,11 @@ retry_splicing:
tid = rand_below(afl, afl->queued_paths);
- } while (tid == afl->current_entry);
+ } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
afl->splicing_with = tid;
target = afl->queue_buf[tid];
- /* Make sure that the target has a reasonable length. */
-
- while (target && (target->len < 2 || target == afl->queue_cur)) {
-
- target = target->next;
- ++afl->splicing_with;
-
- }
-
- if (!target) { goto retry_splicing; }
-
/* Read the testcase into a new buffer. */
fd = open(target->fname, O_RDONLY);
@@ -4487,7 +4467,7 @@ pacemaker_fuzzing:
if (afl->use_splicing && splice_cycle++ < (u32)afl->SPLICE_CYCLES_puppet &&
- afl->queued_paths > 1 && afl->queue_cur->len > 1) {
+ afl->ready_for_splicing_count > 1 && afl->queue_cur->len >= 4) {
struct queue_entry *target;
u32 tid, split_at;
@@ -4511,22 +4491,11 @@ pacemaker_fuzzing:
tid = rand_below(afl, afl->queued_paths);
- } while (tid == afl->current_entry);
+ } while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
afl->splicing_with = tid;
target = afl->queue_buf[tid];
- /* Make sure that the target has a reasonable length. */
-
- while (target && (target->len < 2 || target == afl->queue_cur)) {
-
- target = target->next;
- ++afl->splicing_with;
-
- }
-
- if (!target) { goto retry_splicing_puppet; }
-
/* Read the testcase into a new buffer. */
fd = open(target->fname, O_RDONLY);
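Review bot: The removed fallback walk at line 2503 rejected `target == afl->queue_cur` by pointer, whereas the new loop rejects only `tid == afl->current_entry` by index; the two are equivalent only if `afl->queue_buf[afl->current_entry]` is always `afl->queue_cur`, which this hunk cannot show and is worth confirming, because splicing an entry with itself is precisely what the old code guarded against. The identical change in the pacemaker hunk at line 4511 has the same dependency, and the two condition hunks at 2480 and 4487 are consistent with each other. A one-line comment at the loop would record the invariant: `/* queue_buf[current_entry] == queue_cur, so this also excludes splicing with ourselves */`. The retry_splicing block starts and ends outside this hunk.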
