Diffstat (limited to 'src')
-rw-r--r--src/afl-fuzz-mutators.c16
-rw-r--r--src/afl-fuzz-one.c37
-rw-r--r--src/afl-fuzz-python.c93
3 files changed, 130 insertions, 16 deletions
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 26eaea59..5bf257fb 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -146,6 +146,16 @@ void load_custom_mutator(const char* fn) {
         "trimming will be used.");
 
   }
+  
+  /* "afl_custom_havoc_mutation", optional */
+  mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation");
+  if (!mutator->afl_custom_havoc_mutation)
+    WARNF("Symbol 'afl_custom_havoc_mutation' not found.");
+
+  /* "afl_custom_havoc_mutation", optional */
+  mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability");
+  if (!mutator->afl_custom_havoc_mutation_probability)
+    WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found.");
 
   OKF("Custom mutator '%s' installed successfully.", fn);
 
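Review bot: The comment above the second dlsym() call is a copy of the first one: it reads `/* "afl_custom_havoc_mutation", optional */` while the symbol looked up on the next line is `afl_custom_havoc_mutation_probability`, so it should read `/* "afl_custom_havoc_mutation_probability", optional */`. Both symbols are optional yet each missing one is reported with WARNF(), which means every custom mutator library written before this API prints two warnings on load; if that is intended, a one-line comment saying these warnings are expected for older mutators would help (I cannot see how the earlier optional symbols in load_custom_mutator are reported). load_custom_mutator begins outside the hunk.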
@@ -301,6 +311,12 @@ void load_custom_mutator_py(const char* module_name) {
 
   if (py_functions[PY_FUNC_TRIM])
     mutator->afl_custom_trim = trim_py;
+  
+  if (py_functions[PY_FUNC_HAVOC_MUTATION])
+    mutator->afl_custom_havoc_mutation = havoc_mutation_py;
+  
+  if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY])
+    mutator->afl_custom_havoc_mutation_probability = havoc_mutation_probability_py;
 
   OKF("Python mutator '%s' installed successfully.", module_name);
 
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 5d00e8df..f12f4a67 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1540,11 +1540,10 @@ custom_mutator_stage:
 
   if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN;
 
-  const u32 max_seed_size = 4096 * 4096;
-  u8*       mutated_buf = ck_alloc(max_seed_size);
+  const u32 max_seed_size = MAX_FILE;
 
   orig_hit_cnt = queued_paths + unique_crashes;
-
+  
   for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
 
     struct queue_entry* target;
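Review bot: The blank line after the orig_hit_cnt assignment is replaced by one carrying two trailing spaces, a whitespace-only change with no purpose, and the same trailing whitespace appears on the other added blank lines in this commit (the blank added lines in both afl-fuzz-mutators.c hunks and in the later afl-fuzz-one.c and afl-fuzz-python.c hunks). Dropping it keeps the diff to the intended change and avoids churn in a later clang-format pass. The custom_mutator_stage code this hunk belongs to starts before it.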
@@ -1589,21 +1588,17 @@ custom_mutator_stage:
     new_buf = ck_alloc_nozero(target->len);
     ck_read(fd, new_buf, target->len, target->fname);
     close(fd);
-
-    size_t mutated_size = mutator->afl_custom_fuzz(out_buf, len,
+    
+    size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len,
                                                    new_buf, target->len,
-                                                   mutated_buf, max_seed_size);
+                                                   max_seed_size);
 
     ck_free(new_buf);
 
     if (mutated_size > 0) {
 
-      out_buf = ck_realloc(out_buf, mutated_size);
-      memcpy(out_buf, mutated_buf, mutated_size);
-
       if (common_fuzz_stuff(argv, out_buf, (u32)mutated_size)) {
 
-        ck_free(mutated_buf);
         goto abandon_entry;
 
       }
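Review bot: Nothing after the afl_custom_fuzz() call compares the returned mutated_size with max_seed_size, so the MAX_FILE bound passed to the mutator is only advisory: a mutator that ignores it hands common_fuzz_stuff() a test case larger than MAX_FILE, and the (u32) cast on that call would also silently truncate a size_t value above 4 GiB. A guard right after the call, `if (mutated_size > max_seed_size) FATAL("Custom mutator returned %zu bytes, more than max_size %u", mutated_size, max_seed_size);`, makes the contract enforceable; the havoc-stage call in the hunk at line 1699 has the same gap. Since the mutator may now reallocate out_buf through the u8** argument, a comment above the call stating that out_buf may be replaced and must hold at least mutated_size bytes on return would document the new ownership rule. The enclosing function begins and ends outside this hunk.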
@@ -1625,10 +1620,12 @@ custom_mutator_stage:
       }
 
     }
+    
+    if (mutated_size < len) out_buf = ck_realloc(out_buf, len);
+    memcpy(out_buf, in_buf, len);
 
   }
 
-  ck_free(mutated_buf);
   new_hit_cnt = queued_paths + unique_crashes;
 
   stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
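Review bot: The restore of out_buf from in_buf at the end of each iteration carries no comment, and its realloc condition rests on a contract the reader cannot see here: it assumes the mutator left an allocation of at least mutated_size bytes, so only the `mutated_size < len` case needs the buffer grown back to len. A comment such as `/* Restore the original input for the next round: the mutator may have overwritten, grown or shrunk out_buf. */` above those two lines would explain why the copy is repeated every iteration. custom_mutator_stage continues outside the hunk.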
@@ -1681,6 +1678,17 @@ havoc_stage:
 
   havoc_queued = queued_paths;
 
+  u8 stacked_custom = (mutator && mutator->afl_custom_havoc_mutation);
+  u8 stacked_custom_prob = 6; // like one of the default mutations in havoc
+
+  if (stacked_custom && mutator->afl_custom_havoc_mutation_probability) {
+
+    stacked_custom_prob = mutator->afl_custom_havoc_mutation_probability();
+    if (stacked_custom_prob > 100)
+      FATAL("The probability returned by afl_custom_havoc_mutation_propability has to be in the range 0-100.");
+
+  }
+
   /* We essentially just do several thousand runs (depending on perf_score)
      where we take the input file and make random stacked tweaks. */
 
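Review bot: The FATAL() message names the callback `afl_custom_havoc_mutation_propability`, which is not the symbol loaded in load_custom_mutator (`afl_custom_havoc_mutation_probability`), so a user searching for the reported name will not find it; change the line to `FATAL("The probability returned by afl_custom_havoc_mutation_probability has to be in the range 0-100.");` and wrap it, as it runs well past the width used elsewhere in this hunk. Note that because the callback returns u8, a native mutator returning a value above 255 is already truncated before this check runs, so the check only catches 101-255; a comment saying so would save the next reader a false sense of safety. havoc_stage continues outside the hunk.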
@@ -1691,6 +1699,13 @@ havoc_stage:
     stage_cur_val = use_stacking;
 
     for (i = 0; i < use_stacking; ++i) {
+    
+      if (stacked_custom && UR(100) < stacked_custom_prob) {
+      
+        temp_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len,
+                                                      MAX_FILE);
+      
+      }
 
       switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {
 
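Review bot: The return value of afl_custom_havoc_mutation() is assigned to temp_len without validation, so a mutator returning 0 or a length above MAX_FILE feeds the remaining stacked mutations of this loop a zero-length or oversized buffer; in the havoc cases that follow (outside the hunk) a zero temp_len presumably ends in a modulo-by-zero inside UR(), and an oversized one breaks the MAX_FILE bound just passed to the callback. Keep the result in a local and accept it only when it is in range: `size_t new_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len, MAX_FILE);` followed by `if (new_len && new_len <= MAX_FILE) temp_len = new_len;` (or FATAL() on an out-of-range value, matching the probability check earlier in havoc_stage). The stacking loop and havoc_stage around it continue outside the hunk.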
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index c22e4402..32f9f6ab 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -55,6 +55,8 @@ int init_py_module(u8* module_name) {
     py_functions[PY_FUNC_POST_TRIM] =
         PyObject_GetAttrString(py_module, "post_trim");
     py_functions[PY_FUNC_TRIM] = PyObject_GetAttrString(py_module, "trim");
+    py_functions[PY_FUNC_HAVOC_MUTATION] = PyObject_GetAttrString(py_module, "havoc_mutation");
+    py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY] = PyObject_GetAttrString(py_module, "havoc_mutation_probability");
 
     for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) {
 
@@ -159,16 +161,15 @@ void init_py(unsigned int seed) {
   }
 }
 
-size_t fuzz_py(u8* buf, size_t buf_size,
-               u8* add_buf, size_t add_buf_size,
-               u8* mutated_out, size_t max_size) {
+size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size,
+               size_t max_size) {
 
   size_t mutated_size;
   PyObject *py_args, *py_value;
   py_args = PyTuple_New(3);
 
   /* buf */
-  py_value = PyByteArray_FromStringAndSize(buf, buf_size);
+  py_value = PyByteArray_FromStringAndSize(*buf, buf_size);
   if (!py_value) {
 
     Py_DECREF(py_args);
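Review bot: The new `u8** buf` parameter changes the ownership contract of fuzz_py (and of the afl_custom_fuzz callback it implements), but the definition carries no comment saying so. A header comment above it stating that `*buf` must be a ck_alloc'd buffer of at least buf_size bytes, that it may be replaced via ck_realloc when the Python mutator returns more than buf_size bytes, and that the caller frees whatever `*buf` points to afterwards, would make the API usable without reading the body. fuzz_py continues past the end of the hunk.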
@@ -211,7 +212,10 @@ size_t fuzz_py(u8* buf, size_t buf_size,
   if (py_value != NULL) {
 
     mutated_size = PyByteArray_Size(py_value);
-    memcpy(mutated_out, PyByteArray_AsString(py_value), mutated_size);
+    if (buf_size < mutated_size)
+      *buf = ck_realloc(*buf, mutated_size);
+
+    memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
     Py_DECREF(py_value);
     return mutated_size;
 
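Review bot: max_size is passed to the Python side, but the size of the returned bytearray is never compared against it, so a mutator returning more than max_size bytes grows `*buf` past the bound the caller asked for (MAX_FILE in afl-fuzz-one.c); havoc_mutation_py in the next hunk has the same pattern. Add `if (mutated_size > max_size) FATAL("Python mutator returned %zu bytes, more than max_size %zu", mutated_size, max_size);` before the realloc. PyByteArray_Size() is also called without a PyByteArray_Check() on py_value, so if the Python function returns bytes or None instead of a bytearray the size read here is not meaningful; a type check ending in FATAL() would turn a confusing crash into a clear error. fuzz_py begins before this hunk and ends after it.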
@@ -359,5 +363,84 @@ void trim_py(u8** out_buf, size_t* out_buf_size) {
 
 }
 
+size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) {
+
+  size_t mutated_size;
+  PyObject *py_args, *py_value;
+  py_args = PyTuple_New(2);
+
+  /* buf */
+  py_value = PyByteArray_FromStringAndSize(*buf, buf_size);
+  if (!py_value) {
+
+    Py_DECREF(py_args);
+    FATAL("Failed to convert arguments");
+
+  }
+
+  PyTuple_SetItem(py_args, 0, py_value);
+
+  /* max_size */
+#if PY_MAJOR_VERSION >= 3
+  py_value = PyLong_FromLong(max_size);
+#else
+  py_value = PyInt_FromLong(max_size);
+#endif
+  if (!py_value) {
+
+    Py_DECREF(py_args);
+    FATAL("Failed to convert arguments");
+
+  }
+
+  PyTuple_SetItem(py_args, 1, py_value);
+
+  py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION], py_args);
+
+  Py_DECREF(py_args);
+
+  if (py_value != NULL) {
+
+    mutated_size = PyByteArray_Size(py_value);
+    if (buf_size < mutated_size)
+      *buf = ck_realloc(*buf, mutated_size);
+    
+    memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
+
+    Py_DECREF(py_value);
+    return mutated_size;
+
+  } else {
+
+    PyErr_Print();
+    FATAL("Call failed");
+
+  }
+
+}
+
+u8 havoc_mutation_probability_py(void) {
+
+  PyObject *py_args, *py_value;
+
+  py_args = PyTuple_New(0);
+  py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args);
+  Py_DECREF(py_args);
+
+  if (py_value != NULL) {
+
+    long prob = PyLong_AsLong(py_value);
+    Py_DECREF(py_value);
+    return (u8)prob;
+
+  } else {
+
+    PyErr_Print();
+    FATAL("Call failed");
+
+  }
+
+}
+
 #endif                                                        /* USE_PYTHON */
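Review bot: havoc_mutation_probability_py narrows the Python return value with `(u8)prob` before the 0-100 range check in afl-fuzz-one.c runs, so an out-of-range value such as 300 wraps to 44 and passes silently, a negative value is wrapped rather than rejected, and PyLong_AsLong()'s -1-with-exception result is not distinguished from a real -1. Validate before narrowing: `if (prob == -1 && PyErr_Occurred()) { PyErr_Print(); FATAL("havoc_mutation_probability must return an integer"); }` and `if (prob < 0 || prob > 100) FATAL("havoc_mutation_probability must return a value in the range 0-100");` ahead of the return. havoc_mutation_py repeats fuzz_py's unchecked PyByteArray_Size() and missing max_size comparison, so whatever is done there should be applied here too. Neither new function has a header comment; one line on each stating that `*buf` may be reallocated and grows to mutated_size, and that the probability is a percentage in 0-100, would document the contract the C side relies on.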