about summary refs log tree commit diff
path: root/src/afl-fuzz-redqueen.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/afl-fuzz-redqueen.c')
-rw-r--r--src/afl-fuzz-redqueen.c42
1 files changed, 22 insertions, 20 deletions
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index cb4c78df..1ae6ab54 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -151,7 +151,8 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) {
       /* Discard if the mutations change the paths or if it is too decremental
         in speed */
       if (cksum != exec_cksum ||
-          (stop_us - start_us > 2 * afl->queue_cur->exec_us)) {
+          ((stop_us - start_us > 2 * afl->queue_cur->exec_us) &&
+           likely(!afl->fixed_seed))) {
 
         ranges = add_range(ranges, rng->start, rng->start + s / 2);
         ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end);
@@ -312,8 +313,6 @@ static unsigned long long strntoull(const char *str, size_t sz, char **end,
 
 }
 
-#define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size
-
 static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
                               u64 pattern, u64 repl, u64 o_pattern, u32 idx,
                               u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse,
@@ -352,12 +351,13 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
 
   }
 
-  if (use_num && num == pattern) {
+  if (use_num && (u64)num == pattern) {
 
     size_t old_len = endptr - buf_8;
     size_t num_len = snprintf(NULL, 0, "%lld", num);
 
-    u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len);
+    u8 *new_buf = afl_realloc((void **)&afl->out_scratch_buf, len + num_len);
+    if (unlikely(!new_buf)) { PFATAL("alloc"); }
     memcpy(new_buf, buf, idx);
 
     snprintf(new_buf + idx, num_len, "%lld", num);
@@ -370,7 +370,8 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
     size_t old_len = endptr - buf_8;
     size_t num_len = snprintf(NULL, 0, "%llu", unum);
 
-    u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len);
+    u8 *new_buf = afl_realloc((void **)&afl->out_scratch_buf, len + num_len);
+    if (unlikely(!new_buf)) { PFATAL("alloc"); }
     memcpy(new_buf, buf, idx);
 
     snprintf(new_buf + idx, num_len, "%llu", unum);
@@ -499,7 +500,7 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) {
 
   }
 
-  maybe_add_auto((u8 *)afl, (u8 *)&v, shape);
+  maybe_add_auto(afl, (u8 *)&v, shape);
 
   u64 rev;
   switch (shape) {
@@ -508,15 +509,15 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) {
       break;
     case 2:
       rev = SWAP16((u16)v);
-      maybe_add_auto((u8 *)afl, (u8 *)&rev, shape);
+      maybe_add_auto(afl, (u8 *)&rev, shape);
       break;
     case 4:
       rev = SWAP32((u32)v);
-      maybe_add_auto((u8 *)afl, (u8 *)&rev, shape);
+      maybe_add_auto(afl, (u8 *)&rev, shape);
       break;
     case 8:
       rev = SWAP64(v);
-      maybe_add_auto((u8 *)afl, (u8 *)&rev, shape);
+      maybe_add_auto(afl, (u8 *)&rev, shape);
       break;
 
   }
@@ -659,12 +660,12 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 
 }
 
-static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h,
-                              u8 *pattern, u8 *repl, u8 *o_pattern, u32 idx,
-                              u8 *orig_buf, u8 *buf, u32 len, u8 *status) {
+static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
+                              u8 *o_pattern, u32 idx, u8 *orig_buf, u8 *buf,
+                              u32 len, u8 *status) {
 
   u32 i;
-  u32 its_len = MIN(32, len - idx);
+  u32 its_len = MIN((u32)32, len - idx);
 
   u8 save[32];
   memcpy(save, &buf[idx], its_len);
@@ -728,7 +729,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 
     for (idx = 0; idx < len && fails < 8; ++idx) {
 
-      if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx,
+      if (unlikely(rtn_extend_encoding(afl, o->v0, o->v1, orig_o->v0, idx,
                                        orig_buf, buf, len, &status))) {
 
         return 1;
@@ -745,7 +746,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 
       }
 
-      if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx,
+      if (unlikely(rtn_extend_encoding(afl, o->v1, o->v0, orig_o->v1, idx,
                                        orig_buf, buf, len, &status))) {
 
         return 1;
@@ -771,8 +772,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 
       if (afl->pass_stats[key].total == 0) {
 
-        maybe_add_auto((u8 *)afl, o->v0, SHAPE_BYTES(h->shape));
-        maybe_add_auto((u8 *)afl, o->v1, SHAPE_BYTES(h->shape));
+        maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape));
+        maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape));
 
       }
 
@@ -853,12 +854,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
 
     if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) {
 
-      afl->stage_max += MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_H);
+      afl->stage_max +=
+          MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_H);
 
     } else {
 
       afl->stage_max +=
-          MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_RTN_H);
+          MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_RTN_H);
 
     }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-20 23:32:40 +0000