Diffstat (limited to 'examples/custom_mutators')
-rw-r--r--examples/custom_mutators/README.md3
-rw-r--r--examples/custom_mutators/example.c27
-rw-r--r--examples/custom_mutators/example.py3
-rw-r--r--examples/custom_mutators/simple_example.c74
4 files changed, 93 insertions, 14 deletions
diff --git a/examples/custom_mutators/README.md b/examples/custom_mutators/README.md
index 6fc7be6c..99fb9da3 100644
--- a/examples/custom_mutators/README.md
+++ b/examples/custom_mutators/README.md
@@ -6,6 +6,9 @@ See [docs/custom_mutators.md](../docs/custom_mutators.md) for more information
 Note that if you compile with python3.7 you must use python3 scripts, and if
 you use python2.7 to compile python2 scripts!
 
+simple_example.c - most simplest example. generates a random sized buffer
+          filled with 'A'
+
 example.c - this is a simple example written in C and should be compiled to a
           shared library. Use make to compile it and produce libexamplemutator.so
 
diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c
index c8200b26..23add128 100644
--- a/examples/custom_mutators/example.c
+++ b/examples/custom_mutators/example.c
@@ -38,7 +38,7 @@ typedef struct my_mutator {
   BUF_VAR(u8, data);
   BUF_VAR(u8, havoc);
   BUF_VAR(u8, trim);
-  BUF_VAR(u8, pre_save);
+  BUF_VAR(u8, post_process);
 
 } my_mutator_t;
 
@@ -139,11 +139,12 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
  * @return Size of the output buffer after processing or the needed amount.
  *     A return of 0 indicates an error.
  */
-size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size,
-                           uint8_t **out_buf) {
+size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf,
+                               size_t buf_size, uint8_t **out_buf) {
 
-  uint8_t *pre_save_buf = maybe_grow(BUF_PARAMS(data, pre_save), buf_size + 5);
-  if (!pre_save_buf) {
+  uint8_t *post_process_buf =
+      maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5);
+  if (!post_process_buf) {
 
     perror("custom mutator realloc failed.");
     *out_buf = NULL;
@@ -151,14 +152,14 @@ size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size,
 
   }
 
-  memcpy(pre_save_buf + 5, buf, buf_size);
-  pre_save_buf[0] = 'A';
-  pre_save_buf[1] = 'F';
-  pre_save_buf[2] = 'L';
-  pre_save_buf[3] = '+';
-  pre_save_buf[4] = '+';
+  memcpy(post_process_buf + 5, buf, buf_size);
+  post_process_buf[0] = 'A';
+  post_process_buf[1] = 'F';
+  post_process_buf[2] = 'L';
+  post_process_buf[3] = '+';
+  post_process_buf[4] = '+';
 
-  *out_buf = pre_save_buf;
+  *out_buf = post_process_buf;
 
   return buf_size + 5;
 
@@ -364,7 +365,7 @@ void afl_custom_queue_new_entry(my_mutator_t * data,
  */
 void afl_custom_deinit(my_mutator_t *data) {
 
-  free(data->pre_save_buf);
+  free(data->post_process_buf);
   free(data->havoc_buf);
   free(data->data_buf);
   free(data->fuzz_buf);
diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py
index 9e95eed6..cf659e5a 100644
--- a/examples/custom_mutators/example.py
+++ b/examples/custom_mutators/example.py
@@ -21,6 +21,7 @@ COMMANDS = [
     b"GET",
     b"PUT",
     b"DEL",
+    b"AAAAAAAAAAAAAAAAA",
 ]
 
 
@@ -119,7 +120,7 @@ def fuzz(buf, add_buf, max_size):
 #
 #     return next_index
 #
-# def pre_save(buf):
+# def post_process(buf):
 #     '''
 #     Called just before the execution to write the test case in the format
 #     expected by the target
diff --git a/examples/custom_mutators/simple_example.c b/examples/custom_mutators/simple_example.c
new file mode 100644
index 00000000..a351d787
--- /dev/null
+++ b/examples/custom_mutators/simple_example.c
@@ -0,0 +1,74 @@
+// This simple example just creates random buffer <= 100 filled with 'A'
+// needs -I /path/to/AFLplusplus/include
+#include "custom_mutator_helpers.h"
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+#ifndef _FIXED_CHAR
+  #define 0x41
+#endif
+
+typedef struct my_mutator {
+
+  afl_t *afl;
+
+  // Reused buffers:
+  BUF_VAR(u8, fuzz);
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
+
+  srand(seed);
+  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  data->afl = afl;
+
+  return data;
+
+}
+
+size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
+                       u8 **out_buf, uint8_t *add_buf,
+                       size_t add_buf_size,  // add_buf can be NULL
+                       size_t max_size) {
+
+  int size = (rand() % 100) + 1;
+  if (size > max_size) size = max_size;
+  u8 *mutated_out = maybe_grow(BUF_PARAMS(data, fuzz), size);
+  if (!mutated_out) {
+
+    *out_buf = NULL;
+    perror("custom mutator allocation (maybe_grow)");
+    return 0;            /* afl-fuzz will very likely error out after this. */
+
+  }
+
+  memset(mutated_out, _FIXED_CHAR, size);
+
+  *out_buf = mutated_out;
+  return size;
+
+}
+
+/**
+ * Deinitialize everything
+ *
+ * @param data The data ptr from afl_custom_init
+ */
+void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data->fuzz_buf);
+  free(data);
+
+}
+
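Review bot: The `#define 0x41` under `#ifndef _FIXED_CHAR` has no macro name, so the preprocessor rejects the file and the `_FIXED_CHAR` used in the `memset` call is never defined; the line should read `#define _FIXED_CHAR 0x41`. The name also begins with an underscore followed by an uppercase letter, which C reserves for the implementation, so renaming it to `FIXED_CHAR` at both the guard and the `memset` would be cleaner. Separately, `int size = (rand() % 100) + 1;` is compared against the `size_t` parameter `max_size`, a signed/unsigned comparison that `-Wsign-compare` will flag; `size_t size = (size_t)(rand() % 100) + 1;` avoids it. Note that when `max_size` is 0 the clamp makes the function return 0, which, going by the comment on the allocation-failure path, the caller presumably treats as an error rather than an empty test case.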