5 files changed, 115 insertions, 1 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 00d29f76..967e16fe 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -168,7 +168,9 @@ enum {
   /* 16 */ STAGE_SPLICE,
   /* 17 */ STAGE_PYTHON,
   /* 18 */ STAGE_RADAMSA,
-  /* 19 */ STAGE_CUSTOM_MUTATOR
+  /* 19 */ STAGE_CUSTOM_MUTATOR,
+  /* 20 */ STAGE_COLORIZATION,
+  /* 21 */ STAGE_ITS,
 
 };
 
@@ -450,6 +452,11 @@ extern u32                a_extras_cnt; /* Total number of tokens available */
 
 u8* (*post_handler)(u8* buf, u32* len);
 
+/* CmpLog */
+
+extern u8* cmplog_binary;
+extern s32 cmplog_forksrv_pid;
+
 /* hooks for the custom mutator function */
 /**
  * Perform custom mutations on a given input
@@ -645,6 +652,16 @@ char** get_qemu_argv(u8*, char**, int);
 char** get_wine_argv(u8*, char**, int);
 void   save_cmdline(u32, char**);
 
+/* CmpLog */
+
+void init_cmplog_forkserver(char** argv);
+u8 common_fuzz_cmplog_stuff(char** argv, u8* out_buf, u32 len);
+
+/* RedQueen */
+
+u8   input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len,
+                          u32 exec_cksum);
+
 /**** Inline routines ****/
 
 /* Generate a random number (from 0 to limit - 1). This may
diff --git a/include/cmplog.h b/include/cmplog.h
new file mode 100644
index 00000000..c02650ee
--- /dev/null
+++ b/include/cmplog.h
@@ -0,0 +1,76 @@
+/*
+   american fuzzy lop++ - cmplog header
+   ------------------------------------
+
+   Originally written by Michal Zalewski
+
+   Forkserver design by Jann Horn <jannhorn@googlemail.com>
+
+   Now maintained by by Marc Heuse <mh@mh-sec.de>,
+                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
+                        Andrea Fioraldi <andreafioraldi@gmail.com>
+
+   Copyright 2016, 2017 Google Inc. All rights reserved.
+   Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Shared code to handle the shared memory. This is used by the fuzzer
+   as well the other components like afl-tmin, afl-showmap, etc...
+
+ */
+
+#ifndef _AFL_CMPLOG_H
+#define _AFL_CMPLOG_H
+
+#include "config.h"
+
+#define CMP_MAP_W 65536
+#define CMP_MAP_H 256
+
+#define SHAPE_BYTES(x) (x + 1)
+
+#define CMP_TYPE_INS 0
+#define CMP_TYPE_RTN 1
+
+struct cmp_header {
+
+  unsigned hits : 20;
+
+  unsigned cnt : 20;
+  unsigned id : 16;
+
+  unsigned shape : 5;  // from 0 to 31
+  unsigned type : 1;
+
+} __attribute__((packed));
+
+struct cmp_operands {
+
+  u64 v0;
+  u64 v1;
+
+};
+
+struct cmpfn_operands {
+
+  u8 v0[32];
+  u8 v1[32];
+
+};
+
+typedef struct cmp_operands cmp_map_list[CMP_MAP_H];
+
+struct cmp_map {
+
+  struct cmp_header   headers[CMP_MAP_W];
+  struct cmp_operands log[CMP_MAP_W][CMP_MAP_H];
+
+};
+
+#endif
+
diff --git a/include/config.h b/include/config.h
index 83fcb8f9..8b8924f5 100644
--- a/include/config.h
+++ b/include/config.h
@@ -365,6 +365,10 @@
 
 #define AFL_QEMU_NOT_ZERO
 
+/* AFL RedQueen */
+
+#define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID"
+
 /* Uncomment this to use inferior block-coverage-based instrumentation. Note
    that you need to recompile the target binary for this to have any effect: */
 
diff --git a/include/sharedmem.h b/include/sharedmem.h
index 7604d64c..f92fd8be 100644
--- a/include/sharedmem.h
+++ b/include/sharedmem.h
@@ -30,5 +30,8 @@
 void setup_shm(unsigned char dumb_mode);
 void remove_shm(void);
 
+extern int cmplog_mode;
+extern struct cmp_map* cmp_map;
+
 #endif
 
diff --git a/include/types.h b/include/types.h
index 9e681e81..6aad9762 100644
--- a/include/types.h
+++ b/include/types.h
@@ -78,6 +78,20 @@ typedef int64_t s64;
                                                                      \
   })
 
+#define SWAP64(_x)                                                             \
+  ({                                                                           \
+                                                                               \
+    u64 _ret = (_x);                                                           \
+    _ret =                                                                     \
+        (_ret & 0x00000000FFFFFFFF) << 32 | (_ret & 0xFFFFFFFF00000000) >> 32; \
+    _ret =                                                                     \
+        (_ret & 0x0000FFFF0000FFFF) << 16 | (_ret & 0xFFFF0000FFFF0000) >> 16; \
+    _ret =                                                                     \
+        (_ret & 0x00FF00FF00FF00FF) << 8 | (_ret & 0xFF00FF00FF00FF00) >> 8;   \
+    _ret;                                                                      \
+                                                                               \
+  })
+
 #ifdef AFL_LLVM_PASS
 #if defined(__linux__)
 #define AFL_SR(s) (srandom(s))