Diffstat (limited to 'include')
-rw-r--r-- | include/afl-fuzz.h | 30 | ||||
-rw-r--r-- | include/alloc-inl.h | 28 | ||||
-rw-r--r-- | include/android-ashmem.h | 5 | ||||
-rw-r--r-- | include/common.h | 2 | ||||
-rw-r--r-- | include/config.h | 5 | ||||
-rw-r--r-- | include/forkserver.h | 4 | ||||
-rw-r--r-- | include/list.h | 2 | ||||
-rw-r--r-- | include/sharedmem.h | 5 |
8 files changed, 51 insertions, 30 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 363776cb..428bfa8e 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -443,11 +443,11 @@ typedef struct afl_state { fast_cal, /* Try to calibrate faster? */ disable_trim; /* Never trim in fuzz_one */ - u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ + u8 *virgin_bits, /* Regions yet untouched by fuzzing */ + *virgin_tmout, /* Bits we haven't seen in tmouts */ + *virgin_crash; /* Bits we haven't seen in crashes */ - u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ + u8 *var_bytes; /* Bytes that appear to be variable */ volatile u8 stop_soon, /* Ctrl-C pressed? */ clear_screen; /* Window resized? */ @@ -535,7 +535,7 @@ typedef struct afl_state { *queue_top, /* Top of the list */ *q_prev100; /* Previous 100 marker */ - struct queue_entry *top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + struct queue_entry **top_rated; /* Top entries for bitmap bytes */ struct extra_data *extras; /* Extra tokens to fuzz with */ u32 extras_cnt; /* Total number of tokens read */ @@ -584,9 +584,9 @@ typedef struct afl_state { u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; double stats_avg_exec; - u8 clean_trace[MAP_SIZE]; - u8 clean_trace_custom[MAP_SIZE]; - u8 first_trace[MAP_SIZE]; + u8 *clean_trace; + u8 *clean_trace_custom; + u8 *first_trace; /*needed for afl_fuzz_one */ // TODO: see which we can reuse @@ -608,6 +608,10 @@ typedef struct afl_state { u8 * ex_buf; size_t ex_size; + /* this is a fixed buffer of size map_size that can be used by any function if + * they do not call another function */ + u8 *map_tmp_buf; + } afl_state_t; /* A global pointer to all instances is needed (for now) for signals to arrive 
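Review bot: The `virgin_bits`, `virgin_tmout`, `virgin_crash` and `var_bytes` members in the @@ -443 hunk change from fixed `MAP_SIZE` arrays to bare pointers, but nothing on the struct says who allocates them, how many bytes they hold, or who frees them; the same applies to `top_rated` (@@ -535) and to `clean_trace`, `clean_trace_custom` and `first_trace` (@@ -584). Presumably the allocation lands in `afl_state_init(afl, map_size)` declared later in this header and is released in `afl_state_deinit`, so a one-line comment on the fields would spare readers a search, e.g. `/* map_size bytes each; allocated in afl_state_init(), freed in afl_state_deinit() */`. With `MAP_SIZE` no longer the bound, every loop that indexes these buffers must use the runtime map size rather than the compile-time constant; that code is outside this header and should be audited as part of this change. The enclosing `typedef struct afl_state` begins before the hunk.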
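Review bot: The comment on `map_tmp_buf` (@@ -608) states the constraint imprecisely: the hazard is not calling any other function, but calling one that also uses `map_tmp_buf`, since the buffer is shared state in `afl_state_t` and a callee writing it would clobber the caller's data. Suggested wording: `/* scratch buffer of map_size bytes shared by all functions; use it only while no callee can also use it (non-reentrant) */`. If the buffer is allocated in `afl_state_init()` and freed in `afl_state_deinit()`, as the new `map_size` parameter suggests, saying so in the same comment documents its lifetime.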
@@ -794,7 +798,7 @@ struct custom_mutator { }; -void afl_state_init(afl_state_t *); +void afl_state_init(afl_state_t *, uint32_t map_size); void afl_state_deinit(afl_state_t *); void read_afl_environment(afl_state_t *, char **); @@ -953,7 +957,7 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) { static inline u32 get_rand_seed(afl_state_t *afl) { - if (unlikely(afl->fixed_seed)) return (u32)afl->init_seed; + if (unlikely(afl->fixed_seed)) { return (u32)afl->init_seed; } return afl->rand_seed[0]; } @@ -964,8 +968,12 @@ static inline u32 get_rand_seed(afl_state_t *afl) { static inline u64 next_p2(u64 val) { u64 ret = 1; - while (val > ret) + while (val > ret) { + ret <<= 1; + + } + return ret; } diff --git a/include/alloc-inl.h b/include/alloc-inl.h index d16e84bb..e5547fe0 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -87,7 +87,7 @@ static inline void *DFL_ck_alloc_nozero(u32 size) { void *ret; - if (!size) return NULL; + if (!size) { return NULL; } ALLOC_CHECK_SIZE(size); ret = malloc(size); @@ -103,7 +103,7 @@ static inline void *DFL_ck_alloc(u32 size) { void *mem; - if (!size) return NULL; + if (!size) { return NULL; } mem = DFL_ck_alloc_nozero(size); return memset(mem, 0, size); @@ -115,7 +115,7 @@ static inline void *DFL_ck_alloc(u32 size) { static inline void DFL_ck_free(void *mem) { - if (!mem) return; + if (!mem) { return; } free(mem); @@ -165,7 +165,7 @@ static inline u8 *DFL_ck_strdup(u8 *str) { u8 *ret; u32 size; - if (!str) return NULL; + if (!str) { return NULL; } size = strlen((char *)str) + 1; @@ -184,7 +184,7 @@ static inline void *DFL_ck_memdup(void *mem, u32 size) { void *ret; - if (!mem || !size) return NULL; + if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); ret = malloc(size); @@ -201,7 +201,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { u8 *ret; - if (!mem || !size) return NULL; + if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); ret = malloc(size + 1); 
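Review bot: The new `afl_state_init` prototype (@@ -794) takes `uint32_t map_size` while the rest of this header uses the `u32` alias from types.h (`get_rand_seed` and `rand_below` a few lines below) and the matching accessor added to common.h returns `u32`. Use the project alias for consistency, and name the state parameter so the prototype is self-describing: `void afl_state_init(afl_state_t *afl, u32 map_size);`.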
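Review bot: `next_p2` (@@ -964) never terminates when `val` exceeds `1ULL << 63`: `ret` reaches `1 << 63`, the next `ret <<= 1` wraps to 0, and `val > 0` stays true forever. The brace-only change leaves this untouched; making the loop stop on wrap turns the hang into a checkable result, `while (val > ret && ret) { ret <<= 1; }`, so the function returns 0 when no representable power of two exists. Callers may never pass such values today, but as a generic helper in a header it should not be able to spin; a comment noting the 0-on-overflow return would complete the contract.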
@@ -772,8 +772,12 @@ static inline void TRK_ck_free(void *ptr, const char *file, const char *func, */ static inline size_t next_pow2(size_t in) { - if (in == 0 || in > (size_t)-1) + if (in == 0 || in > (size_t)-1) { + return 0; /* avoid undefined behaviour under-/overflow */ + + } + size_t out = in - 1; out |= out >> 1; out |= out >> 2; @@ -794,10 +798,10 @@ static inline size_t next_pow2(size_t in) { static inline void *maybe_grow(void **buf, size_t *size, size_t size_needed) { /* No need to realloc */ - if (likely(size_needed && *size >= size_needed)) return *buf; + if (likely(size_needed && *size >= size_needed)) { return *buf; } /* No initial size was set */ - if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE; + if (size_needed < INITIAL_GROWTH_SIZE) { size_needed = INITIAL_GROWTH_SIZE; } /* grow exponentially */ size_t next_size = next_pow2(size_needed); @@ -824,13 +828,13 @@ static inline void *ck_maybe_grow(void **buf, size_t *size, size_t size_needed) { /* Oops. found a bug? */ - if (unlikely(size_needed < 1)) FATAL("cannot grow to non-positive size"); + if (unlikely(size_needed < 1)) { FATAL("cannot grow to non-positive size"); } /* No need to realloc */ - if (likely(*size >= size_needed)) return *buf; + if (likely(*size >= size_needed)) { return *buf; } /* No initial size was set */ - if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE; + if (size_needed < INITIAL_GROWTH_SIZE) { size_needed = INITIAL_GROWTH_SIZE; } /* grow exponentially */ size_t next_size = next_pow2(size_needed); diff --git a/include/android-ashmem.h b/include/android-ashmem.h index 3a0b9969..77914c35 100644 --- a/include/android-ashmem.h +++ b/include/android-ashmem.h @@ -26,6 +26,8 @@ #ifndef _ANDROID_ASHMEM_H #define _ANDROID_ASHMEM_H +#ifdef __ANDROID__ + #include <fcntl.h> #include <linux/shm.h> #include <linux/ashmem.h> 
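Review bot: In `next_pow2` (@@ -772) the new guard `in > (size_t)-1` can never be true, since `(size_t)-1` is `SIZE_MAX`, so the overflow the comment promises to avoid is not caught: for any `in` above `SIZE_MAX / 2 + 1` the bit-smearing drives `out` to `SIZE_MAX` and the final `out + 1` (outside the hunk) wraps to 0. The comparison should be against the largest representable power of two, e.g. `if (in == 0 || in > ((size_t)1 << (sizeof(size_t) * CHAR_BIT - 1))) { return 0; }`, which needs `<limits.h>`; the comment should also say "wraparound" rather than "undefined behaviour", as unsigned overflow is well defined. `maybe_grow` and `ck_maybe_grow` (@@ -794, @@ -824) then pass `next_size` on without testing for 0; their allocation paths are outside the hunk, so please confirm a zero `next_size` cannot reach the allocator and be reported as a successful grow.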
@@ -38,6 +40,7 @@ #define shmdt bionic_shmdt #define shmget bionic_shmget #endif + #include <sys/shm.h> #undef shmat #undef shmctl @@ -103,5 +106,7 @@ static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) { } +#endif /* __ANDROID__ */ + #endif diff --git a/include/common.h b/include/common.h index f5ace878..70ff0744 100644 --- a/include/common.h +++ b/include/common.h @@ -115,5 +115,7 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, volatile u8 *stop_soon_p); +u32 get_map_size(); + #endif diff --git a/include/config.h b/include/config.h index f0274fd3..f11ac919 100644 --- a/include/config.h +++ b/include/config.h @@ -28,7 +28,7 @@ /* Version string: */ // c = release, d = volatile github dev, e = experimental branch -#define VERSION "++2.63d" +#define VERSION "++2.64d" /****************************************************** * * @@ -407,8 +407,7 @@ #define FS_OPT_SNAPSHOT 0x20000000 #define FS_OPT_AUTODICT 0x10000000 #define FS_OPT_GET_MAPSIZE(x) (((x & 0x00fffffe) >> 1) + 1) -#define FS_OPT_SET_MAPSIZE(x) \ - (x <= 1 || x > MAP_SIZE || x > 0x1000000 ? 0 : ((x - 1) << 1)) +#define FS_OPT_SET_MAPSIZE(x) (x <= 1 || x > 0x1000000 ? 0 : ((x - 1) << 1)) #endif /* ! _HAVE_CONFIG_H */ diff --git a/include/forkserver.h b/include/forkserver.h index ac89b681..3c473572 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -31,6 +31,8 @@ #include <stdio.h> #include <stdbool.h> +#include "types.h" + typedef struct afl_forkserver { /* a program that includes afl-forkserver needs to define these */ @@ -61,7 +63,7 @@ typedef struct afl_forkserver { u64 total_execs; /* How often run_target was called */ u8 *out_file, /* File to fuzz, if any */ - *target_path; /* Path of the target */ + *target_path; /* Path of the target */ FILE *plot_file; /* Gnuplot output file */ diff --git a/include/list.h b/include/list.h index bb985c4f..88cbe062 100644 --- a/include/list.h 
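Review bot: `u32 get_map_size();` (common.h, @@ -115) is declared without a prototype: in C an empty parameter list means "unspecified arguments", not "none", so a call such as `get_map_size(x)` compiles silently and the compiler cannot check the call site. Write `u32 get_map_size(void);`. Because this value sizes every coverage buffer in the fuzzer, a short doc comment on the declaration stating where the size comes from and what range callers may rely on would help, assuming it is derived from the environment or the forkserver handshake as the rest of this change suggests.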
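Review bot: `FS_OPT_SET_MAPSIZE(x)` (config.h, @@ -407) uses its argument unparenthesized and three times, so an expression argument such as `a + b` binds wrongly in `x <= 1` and in `(x - 1) << 1`; the neighbouring `FS_OPT_GET_MAPSIZE` has the same problem. Parenthesize each use: `#define FS_OPT_SET_MAPSIZE(x) ((x) <= 1 || (x) > 0x1000000 ? 0 : (((x) - 1) << 1))`. Dropping the `x > MAP_SIZE` clause also means the option word no longer guarantees that the advertised map fits a compile-time buffer, so the receiving side must bound-check the decoded size against what it actually allocated before using it as a loop or index limit; that check is not part of this diff and should be confirmed where the handshake is consumed.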
+++ b/include/list.h @@ -83,7 +83,7 @@ static inline void list_append(list_t *list, void *el) { element_t *el_box = NULL; PRE_ALLOC(el_box, list->element_prealloc_buf, LIST_PREALLOC_SIZE, list->element_prealloc_count); - if (!el_box) FATAL("failed to allocate list element"); + if (!el_box) { FATAL("failed to allocate list element"); } el_box->data = el; el_box->next = head; el_box->prev = head->prev; diff --git a/include/sharedmem.h b/include/sharedmem.h index 57ab6cf0..066a9904 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -28,6 +28,8 @@ #ifndef __AFL_SHAREDMEM_H #define __AFL_SHAREDMEM_H +#include "types.h" + typedef struct sharedmem { // extern unsigned char *trace_bits; @@ -44,8 +46,7 @@ typedef struct sharedmem { u8 *map; /* shared memory region */ - size_t size_alloc; /* actual allocated size */ - size_t size_used; /* in use by shmem app */ + size_t map_size; /* actual allocated size */ int cmplog_mode; struct cmp_map *cmp_map; |
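Review bot: `size_t map_size` in `struct sharedmem` (@@ -44) names the same quantity that `afl_state_init` now takes as `uint32_t` and `get_map_size()` returns as `u32`, so the field will be mixed with narrower types at every assignment and comparison. Pick one type for the map size across the three headers (`u32` matches the 24-bit limit encoded by `FS_OPT_SET_MAPSIZE`), or at least make the comment state the new meaning now that `size_used` is gone, e.g. `size_t map_size; /* bytes in the shared map; allocated size == size in use */`. The enclosing `typedef struct sharedmem` begins before the hunk.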