about summary refs log tree commit diff
path: root/src/afl-fuzz-one.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/afl-fuzz-one.c')
-rw-r--r--src/afl-fuzz-one.c90
1 files changed, 82 insertions, 8 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 8ca219b5..6ab0266d 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -480,6 +480,9 @@ u8 fuzz_one_original(char** argv) {
 
   if (perf_score == 0) goto abandon_entry;
 
+  if (use_radamsa > 1)
+    goto radamsa_stage;
+
   if (custom_mutator) {
 
     stage_short = "custom";
@@ -537,22 +540,30 @@ u8 fuzz_one_original(char** argv) {
        perf_score < (queue_cur->depth * 30 <= havoc_max_mult * 100
                          ? queue_cur->depth * 30
                          : havoc_max_mult * 100)) ||
-      queue_cur->passed_det)
+      queue_cur->passed_det) {
+    if (use_radamsa > 1)
+      goto radamsa_stage;
+    else
 #ifdef USE_PYTHON
-    goto python_stage;
+      goto python_stage;
 #else
-    goto havoc_stage;
+      goto havoc_stage;
 #endif
+  }
 
   /* Skip deterministic fuzzing if exec path checksum puts this out of scope
      for this master instance. */
 
-  if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1)
+  if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) {
+    if (use_radamsa > 1)
+      goto radamsa_stage;
+    else
 #ifdef USE_PYTHON
-    goto python_stage;
+      goto python_stage;
 #else
-    goto havoc_stage;
+      goto havoc_stage;
 #endif
+  }
 
   doing_det = 1;
 
@@ -2252,10 +2263,13 @@ retry_splicing:
     out_buf = ck_alloc_nozero(len);
     memcpy(out_buf, in_buf, len);
 
+    if (use_radamsa > 1)
+      goto radamsa_stage;
+    else
 #ifdef USE_PYTHON
-    goto python_stage;
+      goto python_stage;
 #else
-    goto havoc_stage;
+      goto havoc_stage;
 #endif
 
   }
@@ -2263,7 +2277,67 @@ retry_splicing:
 #endif                                                     /* !IGNORE_FINDS */
 
   ret_val = 0;
+  goto radamsa_stage;
+
+
+radamsa_stage:
+
+  if (!use_radamsa || !radamsa_mutate_ptr)
+    goto abandon_entry;
+  
+  stage_name = "radamsa";
+  stage_short = "radamsa";
+  stage_max = (HAVOC_CYCLES * perf_score / havoc_div / 100) << use_radamsa;
+  
+  if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN;
+  
+  orig_hit_cnt = queued_paths + unique_crashes;
+  
+  /* Read the additional testcase into a new buffer. */
+  u8 *save_buf = ck_alloc_nozero(len);
+  memcpy(save_buf, out_buf, len);
+ 
+  u32 max_len = len + choose_block_len(HAVOC_BLK_XL);
+  u8* new_buf = ck_alloc_nozero(max_len);
+  u8 *tmp_buf;
+
+  for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
+  u32 new_len = radamsa_mutate_ptr(save_buf, len, new_buf, max_len, get_rand_seed());
+
+    if (new_len) {
+     
+      temp_len = new_len;
+      tmp_buf = new_buf;
+
+    } else {
+
+      tmp_buf = save_buf; // nope but I dont care
+      temp_len = len;
+
+    }
+
+    if (common_fuzz_stuff(argv, tmp_buf, temp_len)) {
+
+      ck_free(save_buf);
+      ck_free(new_buf);
+      goto abandon_entry;
+
+    }
+  
+  }
+
+  ck_free(save_buf);
+  ck_free(new_buf);
+  
+  new_hit_cnt = queued_paths + unique_crashes;
+ 
+  stage_finds[STAGE_RADAMSA] += new_hit_cnt - orig_hit_cnt;
+  stage_cycles[STAGE_RADAMSA] += stage_max;
+
+  ret_val = 0;
+  goto abandon_entry;
 
+/* we are through with this queue entry - for this iteration */
 abandon_entry:
 
   splicing_with = -1;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-22 18:56:50 +0000