-rw-r--r--GNUmakefile10
-rw-r--r--docs/Changelog.md1
-rw-r--r--frida_mode/GNUmakefile4
-rw-r--r--frida_mode/src/persistent/persistent_x64.c46
-rw-r--r--frida_mode/src/persistent/persistent_x86.c40
-rw-r--r--instrumentation/afl-llvm-dict2file.so.cc5
-rw-r--r--qemu_mode/libqasan/libqasan.c2
7 files changed, 28 insertions, 80 deletions
diff --git a/GNUmakefile b/GNUmakefile
index 9d98aa00..270746b4 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -503,21 +503,21 @@ code-format:
 	./.custom-format.py -i instrumentation/*.h
 	./.custom-format.py -i instrumentation/*.cc
 	./.custom-format.py -i instrumentation/*.c
+	./.custom-format.py -i *.h
+	./.custom-format.py -i *.c
 	@#./.custom-format.py -i custom_mutators/*/*.c* # destroys libfuzzer :-(
 	@#./.custom-format.py -i custom_mutators/*/*.h # destroys honggfuzz :-(
 	./.custom-format.py -i utils/*/*.c*
 	./.custom-format.py -i utils/*/*.h
 	./.custom-format.py -i test/*.c
+	./.custom-format.py -i frida_mode/src/*.c
+	./.custom-format.py -i frida_mode/include/*.h
+	-./.custom-format.py -i frida_mode/src/*/*.c
 	./.custom-format.py -i qemu_mode/libcompcov/*.c
 	./.custom-format.py -i qemu_mode/libcompcov/*.cc
 	./.custom-format.py -i qemu_mode/libcompcov/*.h
 	./.custom-format.py -i qemu_mode/libqasan/*.c
 	./.custom-format.py -i qemu_mode/libqasan/*.h
-	./.custom-format.py -i frida_mode/src/*.c
-	./.custom-format.py -i frida_mode/include/*.h
-	-./.custom-format.py -i frida_mode/src/*/*.c
-	./.custom-format.py -i *.h
-	./.custom-format.py -i *.c
 
 
 .PHONY: test_build
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 1114a834..282b34cf 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -41,6 +41,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks!
     - Removed InsTrim instrumentation as it is not as good as PCGUARD
     - Removed automatic linking with -lc++ for LTO mode
+    - Fixed a crash in llvm dict2file when a strncmp length was -1
   - utils/aflpp_driver:
     - aflpp_qemu_driver_hook fixed to work with qemu_mode
     - aflpp_driver now compiled with -fPIC
diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile
index bc77a451..20fbb544 100644
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@@ -93,7 +93,9 @@ AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o
 ############################## ALL #############################################
 
 all: $(FRIDA_TRACE)
-	make -C $(ROOT)
+
+32:
+	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
 
 32:
 	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
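Review bot: The `32:` target added at the top of the hunk is byte-identical to the `32:` target that already follows it, so GNU make will print "overriding recipe for target '32'" on every invocation and keep only the last recipe; drop the two added lines and keep the existing definition. The same hunk removes `make -C $(ROOT)` from `all`, so `make` run inside frida_mode no longer builds the top-level tree; if that is intended, a comment above `all:` such as `# builds only the frida trace library; run make at the repository root first` would save users from a confusing missing-binary error.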
diff --git a/frida_mode/src/persistent/persistent_x64.c b/frida_mode/src/persistent/persistent_x64.c
index 49f1988c..aa772b7f 100644
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@@ -40,7 +40,6 @@ struct x86_64_regs {
 typedef struct x86_64_regs arch_api_regs;
 
 static arch_api_regs saved_regs = {0};
-static void *        saved_return = NULL;
 
 gboolean persistent_is_supported(void) {
 
@@ -183,43 +182,11 @@ static void instrument_persitent_restore_regs(GumX86Writer *      cw,
 
 }
 
-static void instrument_save_ret(GumX86Writer *cw, void **saved_return_ptr) {
+static void instrument_exit(GumX86Writer *cw) {
 
-  GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr);
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
-                                        -(GUM_RED_ZONE_SIZE));
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RAX);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
-
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, saved_return_address);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP,
-                                            GUM_RED_ZONE_SIZE + 0x10);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RAX, 0, GUM_REG_RBX);
-
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_RBX);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX);
-
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
-                                        (GUM_RED_ZONE_SIZE));
-
-}
-
-static void instrument_jump_ret(GumX86Writer *cw, void **saved_return_ptr) {
-
-  GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr);
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
-                                        -(GUM_RED_ZONE_SIZE));
-
-  /* Place holder for ret */
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RAX);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RAX);
-
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, saved_return_address);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RAX, GUM_REG_RAX, 0);
-
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_RSP, 0x8, GUM_REG_RAX);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX);
-  gum_x86_writer_put_ret_imm(cw, GUM_RED_ZONE_SIZE);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, GUM_ADDRESS(_exit));
+  gum_x86_writer_put_mov_reg_u32(cw, GUM_REG_RDI, 0);
+  gum_x86_writer_put_call_reg(cw, GUM_REG_RAX);
 
 }
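Review bot: instrument_exit emits a `call` into `_exit` with no comment on why the persistent loop now ends in a hard process exit instead of returning to the caller as the removed instrument_jump_ret did; add `/* Terminate once the persistent loop is done: _exit deliberately skips atexit handlers, stdio flushing and the target's destructors */` above the first emitted instruction so the trade-off (no atexit-driven reports from the target, such as a LeakSanitizer summary) is recorded. The SysV x64 ABI requires RSP to be 16-byte aligned at the `call`; the "Stack must be 16-byte aligned" comment in persistent_prologue covers the register save, but whether that still holds at `done:` after the loop body cannot be confirmed from this hunk, so either verify it or emit an `and rsp, -16` before the call, which costs nothing since `_exit` never returns. `_exit` also needs its prototype from `<unistd.h>`; the include block is outside the hunk, so check it is already present.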
 
@@ -302,8 +269,7 @@ void persistent_prologue(GumStalkerOutput *output) {
   /* Stack must be 16-byte aligned per ABI */
   instrument_persitent_save_regs(cw, &saved_regs);
 
-  /* Stash and pop the return value */
-  instrument_save_ret(cw, &saved_return);
+  /* pop the return value */
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, (8));
 
   /* loop: */
@@ -329,7 +295,7 @@ void persistent_prologue(GumStalkerOutput *output) {
   /* done: */
   gum_x86_writer_put_label(cw, done);
 
-  instrument_jump_ret(cw, &saved_return);
+  instrument_exit(cw);
 
   /* original: */
   gum_x86_writer_put_label(cw, original);
diff --git a/frida_mode/src/persistent/persistent_x86.c b/frida_mode/src/persistent/persistent_x86.c
index bd7171b9..20a3dc42 100644
--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@@ -39,7 +39,6 @@ struct x86_regs {
 typedef struct x86_regs arch_api_regs;
 
 static arch_api_regs saved_regs = {0};
-static void *        saved_return = NULL;
 
 gboolean persistent_is_supported(void) {
 
@@ -138,36 +137,12 @@ static void instrument_persitent_restore_regs(GumX86Writer *   cw,
 
 }
 
-static void instrument_save_ret(GumX86Writer *cw, void **saved_return_ptr) {
+static void instrument_exit(GumX86Writer *cw) {
 
-  GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr);
-
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EAX);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
-
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, saved_return_address);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x8);
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_EAX, 0, GUM_REG_EBX);
-
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_EBX);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX);
-
-}
-
-static void instrument_jump_ret(GumX86Writer *cw, void **saved_return_ptr) {
-
-  GumAddress saved_return_address = GUM_ADDRESS(saved_return_ptr);
-
-  /* Place holder for ret */
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EAX);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EAX);
-
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, saved_return_address);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EAX, GUM_REG_EAX, 0);
-
-  gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_ESP, 0x4, GUM_REG_EAX);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX);
-  gum_x86_writer_put_ret(cw);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, GUM_ADDRESS(_exit));
+  gum_x86_writer_put_mov_reg_u32(cw, GUM_REG_EDI, 0);
+  gum_x86_writer_put_push_reg(cw, GUM_REG_EDI);
+  gum_x86_writer_put_call_reg(cw, GUM_REG_EAX);
 
 }
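Review bot: The x86 variant zeroes EDI and then pushes it with nothing saying that the push is the cdecl stack argument to `_exit`, which reads oddly next to the x64 version where the register itself carries the argument; a comment `/* cdecl: exit status 0 goes on the stack; _exit never returns, so the pushed argument is never popped */` above the push makes the difference deliberate. As on x64, `_exit` needs its prototype from `<unistd.h>` and the include block is outside this hunk, so confirm it is already there.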
 
@@ -238,8 +213,7 @@ void persistent_prologue(GumStalkerOutput *output) {
   /* Stack must be 16-byte aligned per ABI */
   instrument_persitent_save_regs(cw, &saved_regs);
 
-  /* Stash and pop the return value */
-  instrument_save_ret(cw, &saved_return);
+  /* Pop the return value */
   gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, (4));
 
   /* loop: */
@@ -265,7 +239,7 @@ void persistent_prologue(GumStalkerOutput *output) {
   /* done: */
   gum_x86_writer_put_label(cw, done);
 
-  instrument_jump_ret(cw, &saved_return);
+  instrument_exit(cw);
 
   /* original: */
   gum_x86_writer_put_label(cw, original);
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index c954054b..e2b44b21 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -426,7 +426,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
               ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
               if (ilen) {
 
-                uint64_t literalLength = Str2.size();
+                uint64_t literalLength = Str2.length();
                 uint64_t optLength = ilen->getZExtValue();
                 if (literalLength + 1 == optLength) {
 
@@ -434,6 +434,8 @@ bool AFLdict2filePass::runOnModule(Module &M) {
 
                 }
 
+                if (optLength > Str2.length()) { optLength = Str2.length(); }
+
               }
 
               valueMap[Str1P] = new std::string(Str2);
@@ -532,6 +534,7 @@ bool AFLdict2filePass::runOnModule(Module &M) {
 
               uint64_t literalLength = optLen;
               optLen = ilen->getZExtValue();
+              if (optLen > thestring.length()) { optLen = thestring.length(); }
               if (optLen < 2) { continue; }
               if (literalLength + 1 == optLen) {  // add null byte
                 thestring.append("\0", 1);
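Review bot: Clamping `optLen` to `thestring.length()` before the `literalLength + 1 == optLen` test silently disables the terminator case: for strncmp(p, "abc", 4) the length 4 is cut down to 3 before the comparison, so the `// add null byte` branch can no longer fire whenever the compared length exceeds the literal, assuming `literalLength` holds the literal's length as the assignment two lines above suggests. Clamp one past the literal instead, `if (optLen > thestring.length() + 1) { optLen = thestring.length() + 1; }`, or place the clamp after the append as the earlier hunk in this file appears to do; either keeps the fix for a -1 length (which `getZExtValue` turns into a huge unsigned value) while preserving the null-terminated dictionary entry. The enclosing loop body starts and ends outside this hunk.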
diff --git a/qemu_mode/libqasan/libqasan.c b/qemu_mode/libqasan/libqasan.c
index 2ac0c861..d4742e3e 100644
--- a/qemu_mode/libqasan/libqasan.c
+++ b/qemu_mode/libqasan/libqasan.c
@@ -73,6 +73,8 @@ __attribute__((constructor)) void __libqasan_init() {
   if (getenv("AFL_INST_LIBS") || getenv("QASAN_HOTPACH"))
     __libqasan_hotpatch();
 
+  if (getenv("AFL_INST_LIBS") || getenv("QASAN_HOTPACH")) __libqasan_hotpatch();
+
 #ifdef DEBUG
   __qasan_debug = getenv("QASAN_DEBUG") != NULL;
 #endif
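Review bot: The added line repeats the `getenv` check and `__libqasan_hotpatch()` call that already sit two lines above it, so hotpatching now runs twice on every constructor run; keep one form and delete the other. `__libqasan_hotpatch` is defined outside this hunk, so whether a second call re-patches already patched entry points cannot be judged here and should be checked before this is merged. The variable name `QASAN_HOTPACH` looks like a typo for `QASAN_HOTPATCH`, but since the existing line uses the same spelling, fixing it means updating the documentation and any users in the same change rather than editing this line alone.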