aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/afl-cc.c2
-rw-r--r--src/afl-common.c22
-rw-r--r--src/afl-fuzz-bitmap.c7
-rw-r--r--src/afl-fuzz-one.c2
-rw-r--r--src/afl-fuzz-python.c93
-rw-r--r--src/afl-fuzz-run.c6
-rw-r--r--src/afl-fuzz-state.c27
-rw-r--r--src/afl-fuzz-stats.c2
-rw-r--r--src/afl-fuzz.c6
9 files changed, 137 insertions, 30 deletions
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 2667ae28..4a56169f 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -396,7 +396,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang",
LLVM_BINDIR);
else
- snprintf(llvm_fullpath, sizeof(llvm_fullpath), CLANG_BIN);
+ snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s", CLANG_BIN);
alt_cc = llvm_fullpath;
}
diff --git a/src/afl-common.c b/src/afl-common.c
index eca7d272..7f482e7d 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -25,8 +25,12 @@
#include <stdlib.h>
#include <stdio.h>
-#define _GNU_SOURCE
-#define __USE_GNU
+#ifndef _GNU_SOURCE
+ #define _GNU_SOURCE
+#endif
+#ifndef __USE_GNU
+ #define __USE_GNU
+#endif
#include <string.h>
#include <strings.h>
#include <math.h>
@@ -715,17 +719,23 @@ char *get_afl_env(char *env) {
char *val;
- if ((val = getenv(env)) != NULL) {
+ if ((val = getenv(env))) {
- if (!be_quiet) {
+ if (*val) {
+
+ if (!be_quiet) {
+
+ OKF("Enabled environment variable %s with value %s", env, val);
+
+ }
- OKF("Loaded environment variable %s with value %s", env, val);
+ return val;
}
}
- return val;
+ return NULL;
}
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 26e70d81..089f7bb5 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -720,7 +720,12 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
}
- if (unlikely(!afl->saved_crashes)) { write_crash_readme(afl); }
+ if (unlikely(!afl->saved_crashes) &&
+ (afl->afl_env.afl_no_crash_readme != 1)) {
+
+ write_crash_readme(afl);
+
+ }
#ifndef SIMPLE_FILES
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 19f41ebe..ef80524f 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -2585,7 +2585,7 @@ havoc_stage:
snprintf(afl->m_tmp, sizeof(afl->m_tmp), " SUBBYTE_");
strcat(afl->mutation, afl->m_tmp);
#endif
- out_buf[rand_below(afl, temp_len)]++;
+ out_buf[rand_below(afl, temp_len)]--;
break;
}
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index 65501c8c..0231d2cd 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -28,6 +28,36 @@
/* Python stuff */
#ifdef USE_PYTHON
+// Tries to cast a python bytearray or bytes to a char ptr
+static inline bool py_bytes(PyObject *py_value, /* out */ char **bytes,
+ /* out */ size_t *size) {
+
+ if (!py_value) { return false; }
+
+ *bytes = PyByteArray_AsString(py_value);
+ if (*bytes) {
+
+ // we got a bytearray
+ *size = PyByteArray_Size(py_value);
+
+ } else {
+
+ *bytes = PyBytes_AsString(py_value);
+ if (!*bytes) {
+
+ // No valid type returned.
+ return false;
+
+ }
+
+ *size = PyBytes_Size(py_value);
+
+ }
+
+ return true;
+
+}
+
static void *unsupported(afl_state_t *afl, unsigned int seed) {
(void)afl;
@@ -93,12 +123,22 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf,
if (py_value != NULL) {
- mutated_size = PyByteArray_Size(py_value);
+ char *bytes;
+ if (!py_bytes(py_value, &bytes, &mutated_size)) {
+
+ FATAL("Python mutator fuzz() should return a bytearray or bytes");
+
+ }
+
+ if (mutated_size) {
+
+ *out_buf = afl_realloc(BUF_PARAMS(fuzz), mutated_size);
+ if (unlikely(!*out_buf)) { PFATAL("alloc"); }
+
+ memcpy(*out_buf, bytes, mutated_size);
- *out_buf = afl_realloc(BUF_PARAMS(fuzz), mutated_size);
- if (unlikely(!*out_buf)) { PFATAL("alloc"); }
+ }
- memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size);
Py_DECREF(py_value);
return mutated_size;
@@ -625,7 +665,7 @@ s32 post_trim_py(void *py_mutator, u8 success) {
size_t trim_py(void *py_mutator, u8 **out_buf) {
PyObject *py_args, *py_value;
- size_t ret;
+ size_t trimmed_size;
py_args = PyTuple_New(0);
py_value = PyObject_CallObject(
@@ -634,10 +674,21 @@ size_t trim_py(void *py_mutator, u8 **out_buf) {
if (py_value != NULL) {
- ret = PyByteArray_Size(py_value);
- *out_buf = afl_realloc(BUF_PARAMS(trim), ret);
- if (unlikely(!*out_buf)) { PFATAL("alloc"); }
- memcpy(*out_buf, PyByteArray_AsString(py_value), ret);
+ char *bytes;
+ if (!py_bytes(py_value, &bytes, &trimmed_size)) {
+
+ FATAL("Python mutator fuzz() should return a bytearray");
+
+ }
+
+ if (trimmed_size) {
+
+ *out_buf = afl_realloc(BUF_PARAMS(trim), trimmed_size);
+ if (unlikely(!*out_buf)) { PFATAL("alloc"); }
+ memcpy(*out_buf, bytes, trimmed_size);
+
+ }
+
Py_DECREF(py_value);
} else {
@@ -647,7 +698,7 @@ size_t trim_py(void *py_mutator, u8 **out_buf) {
}
- return ret;
+ return trimmed_size;
}
@@ -692,7 +743,13 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size,
if (py_value != NULL) {
- mutated_size = PyByteArray_Size(py_value);
+ char *bytes;
+ if (!py_bytes(py_value, &bytes, &mutated_size)) {
+
+ FATAL("Python mutator fuzz() should return a bytearray");
+
+ }
+
if (mutated_size <= buf_size) {
/* We reuse the input buf here. */
@@ -706,7 +763,7 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size,
}
- memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size);
+ if (mutated_size) { memcpy(*out_buf, bytes, mutated_size); }
Py_DECREF(py_value);
return mutated_size;
@@ -762,7 +819,17 @@ const char *introspection_py(void *py_mutator) {
} else {
- return PyByteArray_AsString(py_value);
+ char * ret;
+ size_t len;
+ if (!py_bytes(py_value, &ret, &len)) {
+
+ FATAL(
+ "Python mutator introspection call returned illegal type (expected "
+ "bytes or bytearray)");
+
+ }
+
+ return ret;
}
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 09e773f0..5703a66a 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -130,11 +130,7 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {
}
- if (new_mem != *mem) {
-
- *mem = new_mem;
-
- }
+ if (new_mem != *mem) { *mem = new_mem; }
/* everything as planned. use the potentially new data. */
afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size);
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 98217438..cc4138ae 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -101,6 +101,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->stats_update_freq = 1;
afl->stats_avg_exec = 0;
afl->skip_deterministic = 1;
+ afl->sync_time = SYNC_TIME;
afl->cmplog_lvl = 2;
afl->min_length = 1;
afl->max_length = MAX_FILE;
@@ -509,6 +510,14 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_pizza_mode =
atoi((u8 *)get_afl_env(afl_environment_variables[i]));
+
+ } else if (!strncmp(env, "AFL_NO_CRASH_README",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_no_crash_readme =
+ atoi((u8 *)get_afl_env(afl_environment_variables[i]));
+
if (afl->afl_env.afl_pizza_mode == 0) {
afl->afl_env.afl_pizza_mode = 1;
@@ -519,6 +528,24 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
}
+ } else if (!strncmp(env, "AFL_SYNC_TIME",
+
+ afl_environment_variable_len)) {
+
+ int time = atoi((u8 *)get_afl_env(afl_environment_variables[i]));
+ if (time > 0) {
+
+ afl->sync_time = time * (60 * 1000LL);
+
+ } else {
+
+ WARNF(
+ "incorrect value for AFL_SYNC_TIME environment variable, "
+ "used default value %lld instead.",
+ afl->sync_time / 60 / 1000);
+
+ }
+
}
} else {
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 5b237748..3e034b83 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -59,7 +59,7 @@ void write_setup_file(afl_state_t *afl, u32 argc, char **argv) {
if (i) fprintf(f, " ");
#ifdef __ANDROID__
- if (memchr(argv[i], '\'', sizeof(argv[i]))) {
+ if (memchr(argv[i], '\'', strlen(argv[i]))) {
#else
if (index(argv[i], '\'')) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index c5ab364a..b23cef37 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -295,6 +295,8 @@ static void usage(u8 *argv0, int more_help) {
"AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)\n"
" Supported formats are: 'dogstatsd', 'librato',\n"
" 'signalfx' and 'influxdb'\n"
+ "AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n"
+ "AFL_NO_CRASH_README: do not create a README in the crashes directory\n"
"AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n"
"AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n"
"AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/\n"
@@ -2511,7 +2513,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (unlikely(afl->is_main_node)) {
if (unlikely(get_cur_time() >
- (SYNC_TIME >> 1) + afl->last_sync_time)) {
+ (afl->sync_time >> 1) + afl->last_sync_time)) {
if (!(sync_interval_cnt++ % (SYNC_INTERVAL / 3))) {
@@ -2523,7 +2525,7 @@ int main(int argc, char **argv_orig, char **envp) {
} else {
- if (unlikely(get_cur_time() > SYNC_TIME + afl->last_sync_time)) {
+ if (unlikely(get_cur_time() > afl->sync_time + afl->last_sync_time)) {
if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); }
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-16 13:44:45 +0000