diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-analyze.c | 50 | ||||
| -rw-r--r-- | src/afl-as.c | 24 | ||||
| -rw-r--r-- | src/afl-common.c | 44 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 1 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 76 | ||||
| -rw-r--r-- | src/afl-fuzz-cmplog.c | 4 | ||||
| -rw-r--r-- | src/afl-fuzz-extras.c | 58 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 156 | ||||
| -rw-r--r-- | src/afl-fuzz-misc.c | 8 | ||||
| -rw-r--r-- | src/afl-fuzz-mutators.c | 24 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 218 | ||||
| -rw-r--r-- | src/afl-fuzz-python.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-queue.c | 28 | ||||
| -rw-r--r-- | src/afl-fuzz-redqueen.c | 78 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 74 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 14 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 34 | ||||
| -rw-r--r-- | src/afl-gcc.c | 48 | ||||
| -rw-r--r-- | src/afl-gotcpu.c | 4 | ||||
| -rw-r--r-- | src/afl-showmap.c | 60 | ||||
| -rw-r--r-- | src/afl-tmin.c | 54 |
21 files changed, 528 insertions, 531 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 7d78ffc8..3a392da4 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -57,13 +57,13 @@ static s32 child_pid; /* PID of the tested program */ -u8* trace_bits; /* SHM with instrumentation bitmap */ +u8 *trace_bits; /* SHM with instrumentation bitmap */ static u8 *in_file, /* Analyzer input test case */ *prog_in, /* Targeted program input file */ *doc_path; /* Path to docs */ -static u8* in_data; /* Input data for analysis */ +static u8 *in_data; /* Input data for analysis */ static u32 in_len, /* Input data length */ orig_cksum, /* Original checksum */ @@ -84,7 +84,7 @@ static volatile u8 stop_soon, /* Ctrl-C pressed? */ static u8 qemu_mode; -static u8* target_path; +static u8 *target_path; /* Constants used for describing byte behavior. */ @@ -114,7 +114,7 @@ static u8 count_class_lookup[256] = { }; -static void classify_counts(u8* mem) { +static void classify_counts(u8 *mem) { u32 i = MAP_SIZE; @@ -144,7 +144,7 @@ static void classify_counts(u8* mem) { static inline u8 anything_set(void) { - u32* ptr = (u32*)trace_bits; + u32 *ptr = (u32 *)trace_bits; u32 i = (MAP_SIZE >> 2); while (i--) @@ -189,7 +189,7 @@ static void read_initial_file(void) { /* Write output file. */ -static s32 write_to_file(u8* path, u8* mem, u32 len) { +static s32 write_to_file(u8 *path, u8 *mem, u32 len) { s32 ret; @@ -219,7 +219,7 @@ static void handle_timeout(int sig) { /* Execute target application. Returns exec checksum, or 0 if program times out. */ -static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) { +static u32 run_target(char **argv, u8 *mem, u32 len, u8 first_run) { static struct itimerval it; int status = 0; @@ -243,7 +243,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) { if (dup2(use_stdin ? prog_in_fd : dev_null_fd, 0) < 0 || dup2(dev_null_fd, 1) < 0 || dup2(dev_null_fd, 2) < 0) { - *(u32*)trace_bits = EXEC_FAIL_SIG; + *(u32 *)trace_bits = EXEC_FAIL_SIG; PFATAL("dup2() failed"); } @@ -272,7 +272,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) { execv(target_path, argv); - *(u32*)trace_bits = EXEC_FAIL_SIG; + *(u32 *)trace_bits = EXEC_FAIL_SIG; exit(0); } @@ -299,7 +299,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) { /* Clean up bitmap, analyze exit condition, etc. */ - if (*(u32*)trace_bits == EXEC_FAIL_SIG) + if (*(u32 *)trace_bits == EXEC_FAIL_SIG) FATAL("Unable to execute '%s'", argv[0]); classify_counts(trace_bits); @@ -378,7 +378,7 @@ static void show_legend(void) { /* Interpret and report a pattern in the input file. */ -static void dump_hex(u8* buf, u32 len, u8* b_data) { +static void dump_hex(u8 *buf, u32 len, u8 *b_data) { u32 i; @@ -409,7 +409,7 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) { case 2: { - u16 val = *(u16*)(in_data + i); + u16 val = *(u16 *)(in_data + i); /* Small integers may be length fields. */ @@ -435,7 +435,7 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) { case 4: { - u32 val = *(u32*)(in_data + i); + u32 val = *(u32 *)(in_data + i); /* Small integers may be length fields. */ @@ -544,12 +544,12 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) { /* Actually analyze! */ -static void analyze(char** argv) { +static void analyze(char **argv) { u32 i; u32 boring_len = 0, prev_xff = 0, prev_x01 = 0, prev_s10 = 0, prev_a10 = 0; - u8* b_data = ck_alloc(in_len + 1); + u8 *b_data = ck_alloc(in_len + 1); u8 seq_byte = 0; b_data[in_len] = 0xff; /* Intentional terminator. */ @@ -651,14 +651,14 @@ static void handle_stop_sig(int sig) { static void set_up_environment(void) { - u8* x; + u8 *x; dev_null_fd = open("/dev/null", O_RDWR); if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); if (!prog_in) { - u8* use_dir = "."; + u8 *use_dir = "."; if (access(use_dir, R_OK | W_OK | X_OK)) { @@ -715,9 +715,9 @@ static void set_up_environment(void) { if (qemu_mode) { - u8* qemu_preload = getenv("QEMU_SET_ENV"); - u8* afl_preload = getenv("AFL_PRELOAD"); - u8* buf; + u8 *qemu_preload = getenv("QEMU_SET_ENV"); + u8 *afl_preload = getenv("AFL_PRELOAD"); + u8 *buf; s32 i, afl_preload_size = strlen(afl_preload); for (i = 0; i < afl_preload_size; ++i) { @@ -779,7 +779,7 @@ static void setup_signal_handlers(void) { /* Display usage hints. */ -static void usage(u8* argv0) { +static void usage(u8 *argv0) { SAYF( "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" @@ -822,9 +822,9 @@ static void usage(u8* argv0) { /* Find binary. */ -static void find_binary(u8* fname) { +static void find_binary(u8 *fname) { - u8* env_path = 0; + u8 *env_path = 0; struct stat st; if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { @@ -877,11 +877,11 @@ static void find_binary(u8* fname) { /* Main entry point */ -int main(int argc, char** argv, char** envp) { +int main(int argc, char **argv, char **envp) { s32 opt; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; - char** use_argv; + char **use_argv; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; diff --git a/src/afl-as.c b/src/afl-as.c index a89b8636..d0b61ac1 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -53,10 +53,10 @@ #include <sys/wait.h> #include <sys/time.h> -static u8** as_params; /* Parameters passed to the real 'as' */ +static u8 **as_params; /* Parameters passed to the real 'as' */ -static u8* input_file; /* Originally specified input file */ -static u8* modified_file; /* Instrumented file for the real 'as' */ +static u8 *input_file; /* Originally specified input file */ +static u8 *modified_file; /* Instrumented file for the real 'as' */ static u8 be_quiet, /* Quiet mode (no stderr output) */ clang_mode, /* Running in clang mode? */ @@ -89,7 +89,7 @@ static u8 use_64bit = 0; is always the last parameter passed by GCC, so we exploit this property to keep the code simple. */ -static void edit_params(int argc, char** argv) { +static void edit_params(int argc, char **argv) { u8 *tmp_dir = getenv("TMPDIR"), *afl_as = getenv("AFL_AS"); u32 i; @@ -130,9 +130,9 @@ static void edit_params(int argc, char** argv) { if (!tmp_dir) tmp_dir = getenv("TMP"); if (!tmp_dir) tmp_dir = "/tmp"; - as_params = ck_alloc((argc + 32) * sizeof(u8*)); + as_params = ck_alloc((argc + 32) * sizeof(u8 *)); - as_params[0] = afl_as ? afl_as : (u8*)"as"; + as_params[0] = afl_as ? afl_as : (u8 *)"as"; as_params[argc] = 0; @@ -234,8 +234,8 @@ static void add_instrumentation(void) { static u8 line[MAX_LINE]; - FILE* inf; - FILE* outf; + FILE *inf; + FILE *outf; s32 outfd; u32 ins_lines = 0; @@ -244,7 +244,7 @@ static void add_instrumentation(void) { #ifdef __APPLE__ - u8* colon_pos; + u8 *colon_pos; #endif /* __APPLE__ */ @@ -498,12 +498,12 @@ static void add_instrumentation(void) { /* Main entry point */ -int main(int argc, char** argv) { +int main(int argc, char **argv) { s32 pid; u32 rand_seed; int status; - u8* inst_ratio_str = getenv("AFL_INST_RATIO"); + u8 *inst_ratio_str = getenv("AFL_INST_RATIO"); struct timeval tv; struct timezone tz; @@ -590,7 +590,7 @@ int main(int argc, char** argv) { if (!(pid = fork())) { - execvp(as_params[0], (char**)as_params); + execvp(as_params[0], (char **)as_params); FATAL("Oops, failed to execute '%s' - check your PATH", as_params[0]); } diff --git a/src/afl-common.c b/src/afl-common.c index e25162c2..71041875 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -38,16 +38,16 @@ extern u8 be_quiet; -void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) { +void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) { u32 i = 0; #ifdef __GLIBC__ - u8* cwd = getcwd(NULL, 0); /* non portable glibc extension */ + u8 *cwd = getcwd(NULL, 0); /* non portable glibc extension */ #else - u8* cwd; - char* buf; + u8 *cwd; + char *buf; long size = pathconf(".", _PC_PATH_MAX); - if ((buf = (char*)malloc((size_t)size)) != NULL) { + if ((buf = (char *)malloc((size_t)size)) != NULL) { cwd = getcwd(buf, (size_t)size); /* portable version */ ck_free(buf); @@ -67,7 +67,7 @@ void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) { while (argv[i]) { - u8* aa_loc = strstr(argv[i], "@@"); + u8 *aa_loc = strstr(argv[i], "@@"); if (aa_loc) { @@ -111,11 +111,11 @@ void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) { /* duplicate the system argv so that we can edit (and free!) it later */ -char** argv_cpy_dup(int argc, char** argv) { +char **argv_cpy_dup(int argc, char **argv) { u32 i = 0; - char** ret = ck_alloc((argc + 1) * sizeof(char*)); + char **ret = ck_alloc((argc + 1) * sizeof(char *)); for (i = 0; i < argc; i++) { @@ -132,7 +132,7 @@ char** argv_cpy_dup(int argc, char** argv) { /* frees all args in the given argv, previously created by argv_cpy_dup */ -void argv_cpy_free(char** argv) { +void argv_cpy_free(char **argv) { u32 i = 0; while (argv[i]) { @@ -148,12 +148,12 @@ void argv_cpy_free(char** argv) { /* Rewrite argv for QEMU. */ -char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) { +char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { - char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); - u8 * tmp, *cp = NULL, *rsl, *own_copy; + char **new_argv = ck_alloc(sizeof(char *) * (argc + 4)); + u8 *tmp, *cp = NULL, *rsl, *own_copy; - memcpy(new_argv + 3, argv + 1, (int)(sizeof(char*)) * argc); + memcpy(new_argv + 3, argv + 1, (int)(sizeof(char *)) * argc); new_argv[2] = *target_path_p; new_argv[1] = "--"; @@ -226,12 +226,12 @@ char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) { /* Rewrite argv for Wine+QEMU. */ -char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) { +char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { - char** new_argv = ck_alloc(sizeof(char*) * (argc + 3)); - u8 * tmp, *cp = NULL, *rsl, *own_copy; + char **new_argv = ck_alloc(sizeof(char *) * (argc + 3)); + u8 *tmp, *cp = NULL, *rsl, *own_copy; - memcpy(new_argv + 2, argv + 1, (int)(sizeof(char*)) * argc); + memcpy(new_argv + 2, argv + 1, (int)(sizeof(char *)) * argc); new_argv[1] = *target_path_p; @@ -285,7 +285,7 @@ char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) { ck_free(own_copy); - u8* ncp = BIN_PATH "/afl-qemu-trace"; + u8 *ncp = BIN_PATH "/afl-qemu-trace"; if (!access(ncp, X_OK)) { @@ -322,10 +322,10 @@ char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) { } -void check_environment_vars(char** envp) { +void check_environment_vars(char **envp) { int index = 0, found = 0; - char* env; + char *env; while ((env = envp[index++]) != NULL) { if (strncmp(env, "ALF_", 4) == 0) { @@ -358,9 +358,9 @@ void check_environment_vars(char** envp) { } -char* get_afl_env(char* env) { +char *get_afl_env(char *env) { - char* val; + char *val; if ((val = getenv(env)) != NULL) if (!be_quiet) diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 70bb4cfd..083f1966 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -331,6 +331,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { rlen = read(fsrv->fsrv_st_fd, &status, 4); } + } else { rlen = read(fsrv->fsrv_st_fd, &status, 4); diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 47040fb8..96772032 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -29,9 +29,9 @@ -B option, to focus a separate fuzzing session on a particular interesting input without rediscovering all the others. */ -void write_bitmap(afl_state_t* afl) { +void write_bitmap(afl_state_t *afl) { - u8* fname; + u8 *fname; s32 fd; if (!afl->bitmap_changed) return; @@ -51,7 +51,7 @@ void write_bitmap(afl_state_t* afl) { /* Read bitmap from file. This is for the -B option again. */ -void read_bitmap(afl_state_t* afl, u8* fname) { +void read_bitmap(afl_state_t *afl, u8 *fname) { s32 fd = open(fname, O_RDONLY); @@ -71,19 +71,19 @@ void read_bitmap(afl_state_t* afl, u8* fname) { This function is called after every exec() on a fairly large buffer, so it needs to be fast. We do this in 32-bit and 64-bit flavors. */ -u8 has_new_bits(afl_state_t* afl, u8* virgin_map) { +u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { #ifdef WORD_SIZE_64 - u64* current = (u64*)afl->fsrv.trace_bits; - u64* virgin = (u64*)virgin_map; + u64 *current = (u64 *)afl->fsrv.trace_bits; + u64 *virgin = (u64 *)virgin_map; u32 i = (MAP_SIZE >> 3); #else - u32* current = (u32*)afl->fsrv.trace_bits; - u32* virgin = (u32*)virgin_map; + u32 *current = (u32 *)afl->fsrv.trace_bits; + u32 *virgin = (u32 *)virgin_map; u32 i = (MAP_SIZE >> 2); @@ -101,8 +101,8 @@ u8 has_new_bits(afl_state_t* afl, u8* virgin_map) { if (likely(ret < 2)) { - u8* cur = (u8*)current; - u8* vir = (u8*)virgin; + u8 *cur = (u8 *)current; + u8 *vir = (u8 *)virgin; /* Looks like we have not found any new bytes yet; see if any non-zero bytes in current[] are pristine in virgin[]. */ @@ -147,9 +147,9 @@ u8 has_new_bits(afl_state_t* afl, u8* virgin_map) { /* Count the number of bits set in the provided bitmap. Used for the status screen several times every second, does not have to be fast. */ -u32 count_bits(u8* mem) { +u32 count_bits(u8 *mem) { - u32* ptr = (u32*)mem; + u32 *ptr = (u32 *)mem; u32 i = (MAP_SIZE >> 2); u32 ret = 0; @@ -183,9 +183,9 @@ u32 count_bits(u8* mem) { mostly to update the status screen or calibrate and examine confirmed new paths. */ -u32 count_bytes(u8* mem) { +u32 count_bytes(u8 *mem) { - u32* ptr = (u32*)mem; + u32 *ptr = (u32 *)mem; u32 i = (MAP_SIZE >> 2); u32 ret = 0; @@ -208,9 +208,9 @@ u32 count_bytes(u8* mem) { /* Count the number of non-255 bytes set in the bitmap. Used strictly for the status screen, several calls per second or so. */ -u32 count_non_255_bytes(u8* mem) { +u32 count_non_255_bytes(u8 *mem) { - u32* ptr = (u32*)mem; + u32 *ptr = (u32 *)mem; u32 i = (MAP_SIZE >> 2); u32 ret = 0; @@ -246,7 +246,7 @@ const u8 simplify_lookup[256] = { #ifdef WORD_SIZE_64 -void simplify_trace(u64* mem) { +void simplify_trace(u64 *mem) { u32 i = MAP_SIZE >> 3; @@ -256,7 +256,7 @@ void simplify_trace(u64* mem) { if (unlikely(*mem)) { - u8* mem8 = (u8*)mem; + u8 *mem8 = (u8 *)mem; mem8[0] = simplify_lookup[mem8[0]]; mem8[1] = simplify_lookup[mem8[1]]; @@ -279,7 +279,7 @@ void simplify_trace(u64* mem) { #else -void simplify_trace(u32* mem) { +void simplify_trace(u32 *mem) { u32 i = MAP_SIZE >> 2; @@ -289,7 +289,7 @@ void simplify_trace(u32* mem) { if (unlikely(*mem)) { - u8* mem8 = (u8*)mem; + u8 *mem8 = (u8 *)mem; mem8[0] = simplify_lookup[mem8[0]]; mem8[1] = simplify_lookup[mem8[1]]; @@ -341,7 +341,7 @@ void init_count_class16(void) { #ifdef WORD_SIZE_64 -void classify_counts(u64* mem) { +void classify_counts(u64 *mem) { u32 i = MAP_SIZE >> 3; @@ -351,7 +351,7 @@ void classify_counts(u64* mem) { if (unlikely(*mem)) { - u16* mem16 = (u16*)mem; + u16 *mem16 = (u16 *)mem; mem16[0] = count_class_lookup16[mem16[0]]; mem16[1] = count_class_lookup16[mem16[1]]; @@ -368,7 +368,7 @@ void classify_counts(u64* mem) { #else -void classify_counts(u32* mem) { +void classify_counts(u32 *mem) { u32 i = MAP_SIZE >> 2; @@ -378,7 +378,7 @@ void classify_counts(u32* mem) { if (unlikely(*mem)) { - u16* mem16 = (u16*)mem; + u16 *mem16 = (u16 *)mem; mem16[0] = count_class_lookup16[mem16[0]]; mem16[1] = count_class_lookup16[mem16[1]]; @@ -397,7 +397,7 @@ void classify_counts(u32* mem) { count information here. This is called only sporadically, for some new paths. */ -void minimize_bits(u8* dst, u8* src) { +void minimize_bits(u8 *dst, u8 *src) { u32 i = 0; @@ -415,9 +415,9 @@ void minimize_bits(u8* dst, u8* src) { /* Construct a file name for a new test case, capturing the operation that led to its discovery. Uses a static buffer. */ -u8* describe_op(afl_state_t* afl, u8 hnb) { +u8 *describe_op(afl_state_t *afl, u8 hnb) { - u8* ret = afl->describe_op_buf_256; + u8 *ret = afl->describe_op_buf_256; if (afl->syncing_party) { @@ -459,11 +459,11 @@ u8* describe_op(afl_state_t* afl, u8 hnb) { /* Write a message accompanying the crash directory :-) */ -static void write_crash_readme(afl_state_t* afl) { +static void write_crash_readme(afl_state_t *afl) { - u8* fn = alloc_printf("%s/crashes/README.txt", afl->out_dir); - s32 fd; - FILE* f; + u8 *fn = alloc_printf("%s/crashes/README.txt", afl->out_dir); + s32 fd; + FILE *f; fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); ck_free(fn); @@ -511,11 +511,11 @@ static void write_crash_readme(afl_state_t* afl) { save or queue the input test case for further analysis if so. Returns 1 if entry is saved, 0 otherwise. */ -u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) { +u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (len == 0) return 0; - u8* fn = ""; + u8 *fn = ""; u8 hnb; s32 fd; u8 keeping = 0, res; @@ -523,7 +523,7 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) { /* Update path frequency. */ u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); - struct queue_entry* q = afl->queue; + struct queue_entry *q = afl->queue; while (q) { if (q->exec_cksum == cksum) { @@ -603,9 +603,9 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) { if (!afl->dumb_mode) { #ifdef WORD_SIZE_64 - simplify_trace((u64*)afl->fsrv.trace_bits); + simplify_trace((u64 *)afl->fsrv.trace_bits); #else - simplify_trace((u32*)afl->fsrv.trace_bits); + simplify_trace((u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ if (!has_new_bits(afl, afl->virgin_tmout)) return keeping; @@ -666,9 +666,9 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) { if (!afl->dumb_mode) { #ifdef WORD_SIZE_64 - simplify_trace((u64*)afl->fsrv.trace_bits); + simplify_trace((u64 *)afl->fsrv.trace_bits); #else - simplify_trace((u32*)afl->fsrv.trace_bits); + simplify_trace((u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ if (!has_new_bits(afl, afl->virgin_crash)) return keeping; diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 6e9f603b..d74f4536 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -190,7 +190,8 @@ void init_cmplog_forkserver(afl_state_t *afl) { timeout.tv_sec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) / 1000); timeout.tv_usec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; - int sret = select(afl->cmplog_fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout); + int sret = + select(afl->cmplog_fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout); if (sret == 0) { @@ -201,6 +202,7 @@ void init_cmplog_forkserver(afl_state_t *afl) { rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); } + } else { rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index ce7e5780..5cad29ec 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -27,17 +27,19 @@ /* Helper function for load_extras. */ -static int compare_extras_len(const void* p1, const void* p2) { +static int compare_extras_len(const void *p1, const void *p2) { - struct extra_data *e1 = (struct extra_data*)p1, *e2 = (struct extra_data*)p2; + struct extra_data *e1 = (struct extra_data *)p1, + *e2 = (struct extra_data *)p2; return e1->len - e2->len; } -static int compare_extras_use_d(const void* p1, const void* p2) { +static int compare_extras_use_d(const void *p1, const void *p2) { - struct extra_data *e1 = (struct extra_data*)p1, *e2 = (struct extra_data*)p2; + struct extra_data *e1 = (struct extra_data *)p1, + *e2 = (struct extra_data *)p2; return e2->hit_cnt - e1->hit_cnt; @@ -45,13 +47,13 @@ static int compare_extras_use_d(const void* p1, const void* p2) { /* Read extras from a file, sort by size. */ -void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len, +void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, u32 dict_level) { - FILE* f; - u8 buf[MAX_LINE]; - u8* lptr; - u32 cur_line = 0; + FILE *f; + u8 buf[MAX_LINE]; + u8 *lptr; + u32 cur_line = 0; f = fopen(fname, "r"); @@ -128,7 +130,7 @@ void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len, while (*lptr) { - char* hexdigits = "0123456789abcdef"; + char *hexdigits = "0123456789abcdef"; switch (*lptr) { @@ -184,12 +186,12 @@ void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len, /* Read extras from the extras directory and sort them by size. */ -void load_extras(afl_state_t* afl, u8* dir) { +void load_extras(afl_state_t *afl, u8 *dir) { - DIR* d; - struct dirent* de; - u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; - u8* x; + DIR *d; + struct dirent *de; + u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; + u8 *x; /* If the name ends with @, extract level and continue. */ @@ -222,8 +224,8 @@ void load_extras(afl_state_t* afl, u8* dir) { while ((de = readdir(d))) { struct stat st; - u8* fn = alloc_printf("%s/%s", dir, de->d_name); - s32 fd; + u8 *fn = alloc_printf("%s/%s", dir, de->d_name); + s32 fd; if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); @@ -285,7 +287,7 @@ check_and_sort: /* Helper function for maybe_add_auto(afl, ) */ -static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { +static inline u8 memcmp_nocase(u8 *m1, u8 *m2, u32 len) { while (len--) if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1; @@ -295,7 +297,7 @@ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { /* Maybe add automatic extra. */ -void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) { +void maybe_add_auto(afl_state_t *afl, u8 *mem, u32 len) { u32 i; @@ -317,8 +319,8 @@ void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) { i = sizeof(interesting_16) >> 1; while (i--) - if (*((u16*)mem) == interesting_16[i] || - *((u16*)mem) == SWAP16(interesting_16[i])) + if (*((u16 *)mem) == interesting_16[i] || + *((u16 *)mem) == SWAP16(interesting_16[i])) return; } @@ -328,8 +330,8 @@ void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) { i = sizeof(interesting_32) >> 2; while (i--) - if (*((u32*)mem) == interesting_32[i] || - *((u32*)mem) == SWAP32(interesting_32[i])) + if (*((u32 *)mem) == interesting_32[i] || + *((u32 *)mem) == SWAP32(interesting_32[i])) return; } @@ -402,7 +404,7 @@ sort_a_extras: /* Save automatically generated extras. */ -void save_auto(afl_state_t* afl) { +void save_auto(afl_state_t *afl) { u32 i; @@ -411,7 +413,7 @@ void save_auto(afl_state_t* afl) { for (i = 0; i < MIN(USE_AUTO_EXTRAS, afl->a_extras_cnt); ++i) { - u8* fn = + u8 *fn = alloc_printf("%s/queue/.state/auto_extras/auto_%06u", afl->out_dir, i); s32 fd; @@ -430,14 +432,14 @@ void save_auto(afl_state_t* afl) { /* Load automatically generated extras. */ -void load_auto(afl_state_t* afl) { +void load_auto(afl_state_t *afl) { u32 i; for (i = 0; i < USE_AUTO_EXTRAS; ++i) { u8 tmp[MAX_AUTO_EXTRA + 1]; - u8* fn = alloc_printf("%s/.state/auto_extras/auto_%06u", afl->in_dir, i); + u8 *fn = alloc_printf("%s/.state/auto_extras/auto_%06u", afl->in_dir, i); s32 fd, len; fd = open(fn, O_RDONLY, 0600); @@ -474,7 +476,7 @@ void load_auto(afl_state_t* afl) { /* Destroy extras. */ -void destroy_extras(afl_state_t* afl) { +void destroy_extras(afl_state_t *afl) { u32 i; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index e7652e87..16049bb5 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -30,12 +30,12 @@ /* Build a list of processes bound to specific cores. Returns -1 if nothing can be found. Assumes an upper bound of 4k CPUs. */ -void bind_to_free_cpu(afl_state_t* afl) { +void bind_to_free_cpu(afl_state_t *afl) { #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; #elif defined(__NetBSD__) - cpuset_t* c; + cpuset_t *c; #endif u8 cpu_used[4096] = {0}; @@ -51,8 +51,8 @@ void bind_to_free_cpu(afl_state_t* afl) { } #if defined(__linux__) - DIR* d; - struct dirent* de; + DIR *d; + struct dirent *de; d = opendir("/proc"); if (!d) { @@ -76,8 +76,8 @@ void bind_to_free_cpu(afl_state_t* afl) { while ((de = readdir(d))) { - u8* fn; - FILE* f; + u8 *fn; + FILE *f; u8 tmp[MAX_LINE]; u8 has_vmsize = 0; @@ -118,7 +118,7 @@ void bind_to_free_cpu(afl_state_t* afl) { closedir(d); #elif defined(__FreeBSD__) || defined(__DragonFly__) - struct kinfo_proc* procs; + struct kinfo_proc *procs; size_t nprocs; size_t proccount; int s_name[] = {CTL_KERN, KERN_PROC, KERN_PROC_ALL}; @@ -151,7 +151,7 @@ void bind_to_free_cpu(afl_state_t* afl) { ck_free(procs); #elif defined(__NetBSD__) - struct kinfo_proc2* procs; + struct kinfo_proc2 *procs; size_t nprocs; size_t proccount; int s_name[] = { @@ -272,11 +272,11 @@ cpuset_destroy(c); /* Load postprocessor, if available. */ -void setup_post(afl_state_t* afl) { +void setup_post(afl_state_t *afl) { - void* dh; - u8* fn = get_afl_env("AFL_POST_LIBRARY"); - u32 tlen = 6; + void *dh; + u8 *fn = get_afl_env("AFL_POST_LIBRARY"); + u32 tlen = 6; if (!fn) return; @@ -298,14 +298,14 @@ void setup_post(afl_state_t* afl) { /* Shuffle an array of pointers. Might be slightly biased. */ -static void shuffle_ptrs(afl_state_t* afl, void** ptrs, u32 cnt) { +static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) { u32 i; for (i = 0; i < cnt - 2; ++i) { u32 j = i + UR(afl, cnt - i); - void* s = ptrs[i]; + void *s = ptrs[i]; ptrs[i] = ptrs[j]; ptrs[j] = s; @@ -316,12 +316,12 @@ static void shuffle_ptrs(afl_state_t* afl, void** ptrs, u32 cnt) { /* Read all testcases from the input directory, then queue them for testing. Called at startup. */ -void read_testcases(afl_state_t* afl) { +void read_testcases(afl_state_t *afl) { - struct dirent** nl; - s32 nl_cnt; - u32 i; - u8* fn1; + struct dirent **nl; + s32 nl_cnt; + u32 i; + u8 *fn1; /* Auto-detect non-in-place resumption attempts. */ @@ -359,7 +359,7 @@ void read_testcases(afl_state_t* afl) { if (afl->shuffle_queue && nl_cnt > 1) { ACTF("Shuffling queue..."); - shuffle_ptrs(afl, (void**)nl, nl_cnt); + shuffle_ptrs(afl, (void **)nl, nl_cnt); } @@ -367,8 +367,8 @@ void read_testcases(afl_state_t* afl) { struct stat st; - u8* fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name); - u8* dfn = alloc_printf("%s/.state/deterministic_done/%s", afl->in_dir, + u8 *fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name); + u8 *dfn = alloc_printf("%s/.state/deterministic_done/%s", afl->in_dir, nl[i]->d_name); u8 passed_det = 0; @@ -428,7 +428,7 @@ void read_testcases(afl_state_t* afl) { /* Examine map coverage. Called once, for first test case. */ -static void check_map_coverage(afl_state_t* afl) { +static void check_map_coverage(afl_state_t *afl) { u32 i; @@ -444,19 +444,19 @@ static void check_map_coverage(afl_state_t* afl) { /* Perform dry run of all test cases to confirm that the app is working as expected. This is done only for the initial inputs, and only once. */ -void perform_dry_run(afl_state_t* afl) { +void perform_dry_run(afl_state_t *afl) { - struct queue_entry* q = afl->queue; - u32 cal_failures = 0; - u8* skip_crashes = get_afl_env("AFL_SKIP_CRASHES"); + struct queue_entry *q = afl->queue; + u32 cal_failures = 0; + u8 *skip_crashes = get_afl_env("AFL_SKIP_CRASHES"); while (q) { - u8* use_mem; + u8 *use_mem; u8 res; s32 fd; - u8* fn = strrchr(q->fname, '/') + 1; + u8 *fn = strrchr(q->fname, '/') + 1; ACTF("Attempting dry run with '%s'...", fn); @@ -673,11 +673,11 @@ void perform_dry_run(afl_state_t* afl) { /* Helper function: link() if possible, copy otherwise. */ -static void link_or_copy(u8* old_path, u8* new_path) { +static void link_or_copy(u8 *old_path, u8 *new_path) { s32 i = link(old_path, new_path); s32 sfd, dfd; - u8* tmp; + u8 *tmp; if (!i) return; @@ -703,9 +703,9 @@ static void link_or_copy(u8* old_path, u8* new_path) { /* Create hard links for input test cases in the output directory, choosing good names and pivoting accordingly. */ -void pivot_inputs(afl_state_t* afl) { +void pivot_inputs(afl_state_t *afl) { - struct queue_entry* q = afl->queue; + struct queue_entry *q = afl->queue; u32 id = 0; ACTF("Creating hard links for all input files..."); @@ -727,7 +727,7 @@ void pivot_inputs(afl_state_t* afl) { if (!strncmp(rsl, CASE_PREFIX, 3) && sscanf(rsl + 3, "%06u", &orig_id) == 1 && orig_id == id) { - u8* src_str; + u8 *src_str; u32 src_id; afl->resuming_fuzz = 1; @@ -740,7 +740,7 @@ void pivot_inputs(afl_state_t* afl) { if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { - struct queue_entry* s = afl->queue; + struct queue_entry *s = afl->queue; while (src_id-- && s) s = s->next; if (s) q->depth = s->depth + 1; @@ -756,7 +756,7 @@ void pivot_inputs(afl_state_t* afl) { #ifndef SIMPLE_FILES - u8* use_name = strstr(rsl, ",orig:"); + u8 *use_name = strstr(rsl, ",orig:"); if (use_name) use_name += 6; @@ -795,7 +795,7 @@ void pivot_inputs(afl_state_t* afl) { /* When resuming, try to find the queue position to start from. This makes sense only when resuming, and when we can find the original fuzzer_stats. */ -u32 find_start_position(afl_state_t* afl) { +u32 find_start_position(afl_state_t *afl) { static u8 tmp[4096]; /* Ought to be enough for anybody. */ @@ -832,7 +832,7 @@ u32 find_start_position(afl_state_t* afl) { -t given, we don't want to keep auto-scaling the timeout over and over again to prevent it from growing due to random flukes. */ -void find_timeout(afl_state_t* afl) { +void find_timeout(afl_state_t *afl) { static u8 tmp[4096]; /* Ought to be enough for anybody. */ @@ -870,10 +870,10 @@ void find_timeout(afl_state_t* afl) { /* A helper function for handle_existing_out_dir(), deleting all prefixed files in a directory. */ -static u8 delete_files(u8* path, u8* prefix) { +static u8 delete_files(u8 *path, u8 *prefix) { - DIR* d; - struct dirent* d_ent; + DIR *d; + struct dirent *d_ent; d = opendir(path); @@ -884,7 +884,7 @@ static u8 delete_files(u8* path, u8* prefix) { if (d_ent->d_name[0] != '.' && (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { - u8* fname = alloc_printf("%s/%s", path, d_ent->d_name); + u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name); if (unlink(fname)) PFATAL("Unable to delete '%s'", fname); ck_free(fname); @@ -919,7 +919,7 @@ double get_runnable_processes(void) { computed in funny ways and sometimes don't reflect extremely short-lived processes well. */ - FILE* f = fopen("/proc/stat", "r"); + FILE *f = fopen("/proc/stat", "r"); u8 tmp[1024]; u32 val = 0; @@ -954,9 +954,9 @@ double get_runnable_processes(void) { /* Delete the temporary directory used for in-place session resume. */ -void nuke_resume_dir(afl_state_t* afl) { +void nuke_resume_dir(afl_state_t *afl) { - u8* fn; + u8 *fn; fn = alloc_printf("%s/_resume/.state/deterministic_done", afl->out_dir); if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; @@ -994,10 +994,10 @@ dir_cleanup_failed: is not currently running, and if the last run time isn't too great. Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */ -static void handle_existing_out_dir(afl_state_t* afl) { +static void handle_existing_out_dir(afl_state_t *afl) { - FILE* f; - u8* fn = alloc_printf("%s/fuzzer_stats", afl->out_dir); + FILE *f; + u8 *fn = alloc_printf("%s/fuzzer_stats", afl->out_dir); /* See if the output directory is locked. If yes, bail out. If not, create a lock that will persist for the lifetime of the process @@ -1084,7 +1084,7 @@ static void handle_existing_out_dir(afl_state_t* afl) { if (afl->in_place_resume) { - u8* orig_q = alloc_printf("%s/queue", afl->out_dir); + u8 *orig_q = alloc_printf("%s/queue", afl->out_dir); afl->in_dir = alloc_printf("%s/_resume", afl->out_dir); @@ -1161,17 +1161,17 @@ static void handle_existing_out_dir(afl_state_t* afl) { if (afl->in_place_resume && rmdir(fn)) { time_t cur_t = time(0); - struct tm* t = localtime(&cur_t); + struct tm *t = localtime(&cur_t); #ifndef SIMPLE_FILES - u8* nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, + u8 *nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); #else - u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900, + u8 *nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); @@ -1192,17 +1192,17 @@ static void handle_existing_out_dir(afl_state_t* afl) { if (afl->in_place_resume && rmdir(fn)) { time_t cur_t = time(0); - struct tm* t = localtime(&cur_t); + struct tm *t = localtime(&cur_t); #ifndef SIMPLE_FILES - u8* nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, + u8 *nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); #else - u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900, + u8 *nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); @@ -1278,9 +1278,9 @@ dir_cleanup_failed: /* Prepare output directories and fds. */ -void setup_dirs_fds(afl_state_t* afl) { +void setup_dirs_fds(afl_state_t *afl) { - u8* tmp; + u8 *tmp; s32 fd; ACTF("Setting up output directories..."); @@ -1402,13 +1402,13 @@ void setup_dirs_fds(afl_state_t* afl) { } -void setup_cmdline_file(afl_state_t* afl, char** argv) { +void setup_cmdline_file(afl_state_t *afl, char **argv) { - u8* tmp; + u8 *tmp; s32 fd; u32 i = 0; - FILE* cmdline_file = NULL; + FILE *cmdline_file = NULL; /* Store the command line to reproduce our findings */ tmp = alloc_printf("%s/cmdline", afl->out_dir); @@ -1432,9 +1432,9 @@ void setup_cmdline_file(afl_state_t* afl, char** argv) { /* Setup the output file for fuzzed data, if not using -f. */ -void setup_stdio_file(afl_state_t* afl) { +void setup_stdio_file(afl_state_t *afl) { - u8* fn; + u8 *fn; if (afl->file_extension) { fn = alloc_printf("%s/.cur_input.%s", afl->tmp_dir, afl->file_extension); @@ -1531,10 +1531,10 @@ void check_crash_handling(void) { /* Check CPU governor. */ -void check_cpu_governor(afl_state_t* afl) { +void check_cpu_governor(afl_state_t *afl) { #ifdef __linux__ - FILE* f; + FILE *f; u8 tmp[128]; u64 min = 0, max = 0; @@ -1654,7 +1654,7 @@ void check_cpu_governor(afl_state_t* afl) { /* Count the number of logical CPU cores. */ -void get_core_count(afl_state_t* afl) { +void get_core_count(afl_state_t *afl) { #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ defined(__DragonFly__) @@ -1684,7 +1684,7 @@ void get_core_count(afl_state_t* afl) { #else - FILE* f = fopen("/proc/stat", "r"); + FILE *f = fopen("/proc/stat", "r"); u8 tmp[1024]; if (!f) return; @@ -1742,9 +1742,9 @@ void get_core_count(afl_state_t* afl) { /* Validate and fix up afl->out_dir and sync_dir when using -S. */ -void fix_up_sync(afl_state_t* afl) { +void fix_up_sync(afl_state_t *afl) { - u8* x = afl->sync_id; + u8 *x = afl->sync_id; if (afl->dumb_mode) FATAL("-S / -M and -n are mutually exclusive"); @@ -1793,7 +1793,7 @@ static void handle_resize(int sig) { void check_asan_opts(void) { - u8* x = get_afl_env("ASAN_OPTIONS"); + u8 *x = get_afl_env("ASAN_OPTIONS"); if (x) { @@ -1849,13 +1849,13 @@ static void handle_skipreq(int sig) { isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */ -void check_binary(afl_state_t* afl, u8* fname) { +void check_binary(afl_state_t *afl, u8 *fname) { - u8* env_path = 0; + u8 *env_path = 0; struct stat st; s32 fd; - u8* f_data; + u8 *f_data; u32 f_len = 0; ACTF("Validating target binary..."); @@ -2042,7 +2042,7 @@ void check_binary(afl_state_t* afl, u8* fname) { /* Trim and possibly create a banner for the run. */ -void fix_up_banner(afl_state_t* afl, u8* name) { +void fix_up_banner(afl_state_t *afl, u8 *name) { if (!afl->use_banner) { @@ -2052,7 +2052,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) { } else { - u8* trim = strrchr(name, '/'); + u8 *trim = strrchr(name, '/'); if (!trim) afl->use_banner = name; else @@ -2064,7 +2064,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) { if (strlen(afl->use_banner) > 32) { - u8* tmp = ck_alloc(36); + u8 *tmp = ck_alloc(36); sprintf(tmp, "%.32s...", afl->use_banner); afl->use_banner = tmp; @@ -2074,7 +2074,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) { /* Check if we're on TTY. */ -void check_if_tty(afl_state_t* afl) { +void check_if_tty(afl_state_t *afl) { struct winsize ws; @@ -2148,10 +2148,10 @@ void setup_signal_handlers(void) { /* Make a copy of the current command line. */ -void save_cmdline(afl_state_t* afl, u32 argc, char** argv) { +void save_cmdline(afl_state_t *afl, u32 argc, char **argv) { u32 len = 1, i; - u8* buf; + u8 *buf; for (i = 0; i < argc; ++i) len += strlen(argv[i]) + 1; diff --git a/src/afl-fuzz-misc.c b/src/afl-fuzz-misc.c index 0da0cb0a..29e8bd82 100644 --- a/src/afl-fuzz-misc.c +++ b/src/afl-fuzz-misc.c @@ -29,7 +29,7 @@ returned should be five characters or less for all the integers we reasonably expect to see. */ -u8* DI(u64 val) { +u8 *DI(u64 val) { static u8 tmp[12][16]; static u8 cur; @@ -90,7 +90,7 @@ u8* DI(u64 val) { /* Describe float. Similar to the above, except with a single static buffer. */ -u8* DF(double val) { +u8 *DF(double val) { static u8 tmp[16]; @@ -114,7 +114,7 @@ u8* DF(double val) { /* Describe integer as memory size. */ -u8* DMS(u64 val) { +u8 *DMS(u64 val) { static u8 tmp[12][16]; static u8 cur; @@ -164,7 +164,7 @@ u8* DMS(u64 val) { /* Describe time delta. Returns one static buffer, 34 chars of less. */ -u8* DTD(u64 cur_ms, u64 event_ms) { +u8 *DTD(u64 cur_ms, u64 event_ms) { static u8 tmp[64]; u64 delta; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 02d7661e..159b40c3 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -25,15 +25,15 @@ #include "afl-fuzz.h" -void load_custom_mutator(afl_state_t*, const char*); +void load_custom_mutator(afl_state_t *, const char *); #ifdef USE_PYTHON -void load_custom_mutator_py(afl_state_t*, const char*); +void load_custom_mutator_py(afl_state_t *, const char *); #endif -void setup_custom_mutator(afl_state_t* afl) { +void setup_custom_mutator(afl_state_t *afl) { /* Try mutator library first */ - u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); + u8 *fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); if (fn) { @@ -51,7 +51,7 @@ void setup_custom_mutator(afl_state_t* afl) { /* Try Python module */ #ifdef USE_PYTHON - u8* module_name = getenv("AFL_PYTHON_MODULE"); + u8 *module_name = getenv("AFL_PYTHON_MODULE"); if (module_name) { @@ -75,7 +75,7 @@ void setup_custom_mutator(afl_state_t* afl) { } -void destroy_custom_mutator(afl_state_t* afl) { +void destroy_custom_mutator(afl_state_t *afl) { if (afl->mutator) { @@ -96,9 +96,9 @@ void destroy_custom_mutator(afl_state_t* afl) { } -void load_custom_mutator(afl_state_t* afl, const char* fn) { +void load_custom_mutator(afl_state_t *afl, const char *fn) { - void* dh; + void *dh; afl->mutator = ck_alloc(sizeof(struct custom_mutator)); afl->mutator->name = fn; @@ -190,7 +190,7 @@ void load_custom_mutator(afl_state_t* afl, const char* fn) { } -u8 trim_case_custom(afl_state_t* afl, struct queue_entry* q, u8* in_buf) { +u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { static u8 tmp[64]; static u8 clean_trace[MAP_SIZE]; @@ -216,7 +216,7 @@ u8 trim_case_custom(afl_state_t* afl, struct queue_entry* q, u8* in_buf) { u32 cksum; - u8* retbuf = NULL; + u8 *retbuf = NULL; size_t retlen = 0; afl->mutator->afl_custom_trim(afl, &retbuf, &retlen); @@ -312,9 +312,9 @@ abort_trimming: } #ifdef USE_PYTHON -void load_custom_mutator_py(afl_state_t* afl, const char* module_name) { +void load_custom_mutator_py(afl_state_t *afl, const char *module_name) { - PyObject** py_functions = afl->py_functions; + PyObject **py_functions = afl->py_functions; afl->mutator = ck_alloc(sizeof(struct custom_mutator)); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index aefcb231..8e88693c 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -27,7 +27,7 @@ /* MOpt */ -int select_algorithm(afl_state_t* afl) { +int select_algorithm(afl_state_t *afl) { int i_puppet, j_puppet; @@ -62,7 +62,7 @@ int select_algorithm(afl_state_t* afl) { /* Helper to choose random block len for block operations in fuzz_one(). Doesn't return zero, provided that max_len is > 0. */ -static u32 choose_block_len(afl_state_t* afl, u32 limit) { +static u32 choose_block_len(afl_state_t *afl, u32 limit) { u32 min_value, max_value; u32 rlim = MIN(afl->queue_cycle, 3); @@ -305,7 +305,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { /* Helper function to compare buffers; returns first and last differing offset. We use this to find reasonable locations for splicing two files. */ -static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { +static void locate_diffs(u8 *ptr1, u8 *ptr2, u32 len, s32 *first, s32 *last) { s32 f_loc = -1; s32 l_loc = -1; @@ -335,7 +335,7 @@ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { function is a tad too long... returns 0 if fuzzed successfully, 1 if skipped or bailed out. */ -u8 fuzz_one_original(afl_state_t* afl) { +u8 fuzz_one_original(afl_state_t *afl) { s32 len, fd, temp_len, i, j; u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; @@ -538,7 +538,7 @@ u8 fuzz_one_original(afl_state_t* afl) { #define FLIP_BIT(_ar, _b) \ do { \ \ - u8* _arf = (u8*)(_ar); \ + u8 *_arf = (u8 *)(_ar); \ u32 _bf = (_b); \ _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \ \ @@ -820,12 +820,12 @@ u8 fuzz_one_original(afl_state_t* afl) { afl->stage_cur_byte = i; - *(u16*)(out_buf + i) ^= 0xFFFF; + *(u16 *)(out_buf + i) ^= 0xFFFF; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; - *(u16*)(out_buf + i) ^= 0xFFFF; + *(u16 *)(out_buf + i) ^= 0xFFFF; } @@ -858,12 +858,12 @@ u8 fuzz_one_original(afl_state_t* afl) { afl->stage_cur_byte = i; - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + *(u32 *)(out_buf + i) ^= 0xFFFFFFFF; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + *(u32 *)(out_buf + i) ^= 0xFFFFFFFF; } @@ -963,7 +963,7 @@ skip_bitflip: for (i = 0; i < len - 1; ++i) { - u16 orig = *(u16*)(out_buf + i); + u16 orig = *(u16 *)(out_buf + i); /* Let's consult the effector map... */ @@ -992,7 +992,7 @@ skip_bitflip: if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { afl->stage_cur_val = j; - *(u16*)(out_buf + i) = orig + j; + *(u16 *)(out_buf + i) = orig + j; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1004,7 +1004,7 @@ skip_bitflip: if ((orig & 0xff) < j && !could_be_bitflip(r2)) { afl->stage_cur_val = -j; - *(u16*)(out_buf + i) = orig - j; + *(u16 *)(out_buf + i) = orig - j; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1020,7 +1020,7 @@ skip_bitflip: if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { afl->stage_cur_val = j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); + *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1032,7 +1032,7 @@ skip_bitflip: if ((orig >> 8) < j && !could_be_bitflip(r4)) { afl->stage_cur_val = -j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); + *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1041,7 +1041,7 @@ skip_bitflip: --afl->stage_max; - *(u16*)(out_buf + i) = orig; + *(u16 *)(out_buf + i) = orig; } @@ -1065,7 +1065,7 @@ skip_bitflip: for (i = 0; i < len - 3; ++i) { - u32 orig = *(u32*)(out_buf + i); + u32 orig = *(u32 *)(out_buf + i); /* Let's consult the effector map... */ @@ -1093,7 +1093,7 @@ skip_bitflip: if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { afl->stage_cur_val = j; - *(u32*)(out_buf + i) = orig + j; + *(u32 *)(out_buf + i) = orig + j; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1105,7 +1105,7 @@ skip_bitflip: if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { afl->stage_cur_val = -j; - *(u32*)(out_buf + i) = orig - j; + *(u32 *)(out_buf + i) = orig - j; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1121,7 +1121,7 @@ skip_bitflip: if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { afl->stage_cur_val = j; - *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); + *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1133,7 +1133,7 @@ skip_bitflip: if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { afl->stage_cur_val = -j; - *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); + *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1142,7 +1142,7 @@ skip_bitflip: --afl->stage_max; - *(u32*)(out_buf + i) = orig; + *(u32 *)(out_buf + i) = orig; } @@ -1227,7 +1227,7 @@ skip_arith: for (i = 0; i < len - 1; ++i) { - u16 orig = *(u16*)(out_buf + i); + u16 orig = *(u16 *)(out_buf + i); /* Let's consult the effector map... */ @@ -1253,7 +1253,7 @@ skip_arith: afl->stage_val_type = STAGE_VAL_LE; - *(u16*)(out_buf + i) = interesting_16[j]; + *(u16 *)(out_buf + i) = interesting_16[j]; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1269,7 +1269,7 @@ skip_arith: afl->stage_val_type = STAGE_VAL_BE; - *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); + *(u16 *)(out_buf + i) = SWAP16(interesting_16[j]); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1279,7 +1279,7 @@ skip_arith: } - *(u16*)(out_buf + i) = orig; + *(u16 *)(out_buf + i) = orig; } @@ -1301,7 +1301,7 @@ skip_arith: for (i = 0; i < len - 3; i++) { - u32 orig = *(u32*)(out_buf + i); + u32 orig = *(u32 *)(out_buf + i); /* Let's consult the effector map... */ @@ -1328,7 +1328,7 @@ skip_arith: afl->stage_val_type = STAGE_VAL_LE; - *(u32*)(out_buf + i) = interesting_32[j]; + *(u32 *)(out_buf + i) = interesting_32[j]; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1344,7 +1344,7 @@ skip_arith: afl->stage_val_type = STAGE_VAL_BE; - *(u32*)(out_buf + i) = SWAP32(interesting_32[j]); + *(u32 *)(out_buf + i) = SWAP32(interesting_32[j]); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -1354,7 +1354,7 @@ skip_arith: } - *(u32*)(out_buf + i) = orig; + *(u32 *)(out_buf + i) = orig; } @@ -1565,9 +1565,9 @@ custom_mutator_stage: for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { - struct queue_entry* target; - u32 tid; - u8* new_buf; + struct queue_entry *target; + u32 tid; + u8 *new_buf; retry_external_pick: /* Pick a random other queue entry for passing to external API */ @@ -1751,12 +1751,12 @@ havoc_stage: if (UR(afl, 2)) { - *(u16*)(out_buf + UR(afl, temp_len - 1)) = + *(u16 *)(out_buf + UR(afl, temp_len - 1)) = interesting_16[UR(afl, sizeof(interesting_16) >> 1)]; } else { - *(u16*)(out_buf + UR(afl, temp_len - 1)) = + *(u16 *)(out_buf + UR(afl, temp_len - 1)) = SWAP16(interesting_16[UR(afl, sizeof(interesting_16) >> 1)]); } @@ -1771,12 +1771,12 @@ havoc_stage: if (UR(afl, 2)) { - *(u32*)(out_buf + UR(afl, temp_len - 3)) = + *(u32 *)(out_buf + UR(afl, temp_len - 3)) = interesting_32[UR(afl, sizeof(interesting_32) >> 2)]; } else { - *(u32*)(out_buf + UR(afl, temp_len - 3)) = + *(u32 *)(out_buf + UR(afl, temp_len - 3)) = SWAP32(interesting_32[UR(afl, sizeof(interesting_32) >> 2)]); } @@ -1807,15 +1807,15 @@ havoc_stage: u32 pos = UR(afl, temp_len - 1); - *(u16*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); + *(u16 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); } else { u32 pos = UR(afl, temp_len - 1); u16 num = 1 + UR(afl, ARITH_MAX); - *(u16*)(out_buf + pos) = - SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); + *(u16 *)(out_buf + pos) = + SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num); } @@ -1831,15 +1831,15 @@ havoc_stage: u32 pos = UR(afl, temp_len - 1); - *(u16*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); + *(u16 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); } else { u32 pos = UR(afl, temp_len - 1); u16 num = 1 + UR(afl, ARITH_MAX); - *(u16*)(out_buf + pos) = - SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); + *(u16 *)(out_buf + pos) = + SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num); } @@ -1855,15 +1855,15 @@ havoc_stage: u32 pos = UR(afl, temp_len - 3); - *(u32*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); + *(u32 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); } else { u32 pos = UR(afl, temp_len - 3); u32 num = 1 + UR(afl, ARITH_MAX); - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); + *(u32 *)(out_buf + pos) = + SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num); } @@ -1879,15 +1879,15 @@ havoc_stage: u32 pos = UR(afl, temp_len - 3); - *(u32*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); + *(u32 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); } else { u32 pos = UR(afl, temp_len - 3); u32 num = 1 + UR(afl, ARITH_MAX); - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); + *(u32 *)(out_buf + pos) = + SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num); } @@ -1935,7 +1935,7 @@ havoc_stage: u8 actually_clone = UR(afl, 4); u32 clone_from, clone_to, clone_len; - u8* new_buf; + u8 *new_buf; if (actually_clone) { @@ -2051,7 +2051,7 @@ havoc_stage: case 16: { u32 use_extra, extra_len, insert_at = UR(afl, temp_len + 1); - u8* new_buf; + u8 *new_buf; /* Insert an extra. Do the same dice-rolling stuff as for the previous case. */ @@ -2162,10 +2162,10 @@ retry_splicing: if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES && afl->queued_paths > 1 && afl->queue_cur->len > 1) { - struct queue_entry* target; - u32 tid, split_at; - u8* new_buf; - s32 f_diff, l_diff; + struct queue_entry *target; + u32 tid, split_at; + u8 *new_buf; + s32 f_diff, l_diff; /* First of all, if we've modified in_buf for havoc, let's clean that up... */ @@ -2275,12 +2275,12 @@ radamsa_stage: orig_hit_cnt = afl->queued_paths + afl->unique_crashes; /* Read the additional testcase into a new buffer. */ - u8* save_buf = ck_alloc_nozero(len); + u8 *save_buf = ck_alloc_nozero(len); memcpy(save_buf, out_buf, len); u32 max_len = len + choose_block_len(afl, HAVOC_BLK_XL); - u8* new_buf = ck_alloc_nozero(max_len); - u8* tmp_buf; + u8 *new_buf = ck_alloc_nozero(max_len); + u8 *tmp_buf; for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { @@ -2352,7 +2352,7 @@ abandon_entry: } /* MOpt mode */ -u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) { +u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (!MOpt_globals.is_pilot_mode) { @@ -2544,7 +2544,7 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) { #define FLIP_BIT(_ar, _b) \ do { \ \ - u8* _arf = (u8*)(_ar); \ + u8 *_arf = (u8 *)(_ar); \ u32 _bf = (_b); \ _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \ \ @@ -2826,12 +2826,12 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) { afl->stage_cur_byte = i; - *(u16*)(out_buf + i) ^= 0xFFFF; + *(u16 *)(out_buf + i) ^= 0xFFFF; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; - *(u16*)(out_buf + i) ^= 0xFFFF; + *(u16 *)(out_buf + i) ^= 0xFFFF; } /* for i = 0; i < len */ @@ -2864,12 +2864,12 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) { afl->stage_cur_byte = i; - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + *(u32 *)(out_buf + i) ^= 0xFFFFFFFF; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + *(u32 *)(out_buf + i) ^= 0xFFFFFFFF; } /* for i = 0; i < len - 3 */ @@ -2969,7 +2969,7 @@ skip_bitflip: for (i = 0; i < len - 1; ++i) { - u16 orig = *(u16*)(out_buf + i); + u16 orig = *(u16 *)(out_buf + i); /* Let's consult the effector map... */ @@ -2998,7 +2998,7 @@ skip_bitflip: if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { afl->stage_cur_val = j; - *(u16*)(out_buf + i) = orig + j; + *(u16 *)(out_buf + i) = orig + j; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3010,7 +3010,7 @@ skip_bitflip: if ((orig & 0xff) < j && !could_be_bitflip(r2)) { afl->stage_cur_val = -j; - *(u16*)(out_buf + i) = orig - j; + *(u16 *)(out_buf + i) = orig - j; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3026,7 +3026,7 @@ skip_bitflip: if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { afl->stage_cur_val = j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); + *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3038,7 +3038,7 @@ skip_bitflip: if ((orig >> 8) < j && !could_be_bitflip(r4)) { afl->stage_cur_val = -j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); + *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3047,7 +3047,7 @@ skip_bitflip: --afl->stage_max; - *(u16*)(out_buf + i) = orig; + *(u16 *)(out_buf + i) = orig; } @@ -3071,7 +3071,7 @@ skip_bitflip: for (i = 0; i < len - 3; ++i) { - u32 orig = *(u32*)(out_buf + i); + u32 orig = *(u32 *)(out_buf + i); /* Let's consult the effector map... */ @@ -3099,7 +3099,7 @@ skip_bitflip: if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { afl->stage_cur_val = j; - *(u32*)(out_buf + i) = orig + j; + *(u32 *)(out_buf + i) = orig + j; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3111,7 +3111,7 @@ skip_bitflip: if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { afl->stage_cur_val = -j; - *(u32*)(out_buf + i) = orig - j; + *(u32 *)(out_buf + i) = orig - j; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3127,7 +3127,7 @@ skip_bitflip: if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { afl->stage_cur_val = j; - *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); + *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3139,7 +3139,7 @@ skip_bitflip: if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { afl->stage_cur_val = -j; - *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); + *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3148,7 +3148,7 @@ skip_bitflip: --afl->stage_max; - *(u32*)(out_buf + i) = orig; + *(u32 *)(out_buf + i) = orig; } @@ -3233,7 +3233,7 @@ skip_arith: for (i = 0; i < len - 1; ++i) { - u16 orig = *(u16*)(out_buf + i); + u16 orig = *(u16 *)(out_buf + i); /* Let's consult the effector map... */ @@ -3259,7 +3259,7 @@ skip_arith: afl->stage_val_type = STAGE_VAL_LE; - *(u16*)(out_buf + i) = interesting_16[j]; + *(u16 *)(out_buf + i) = interesting_16[j]; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3275,7 +3275,7 @@ skip_arith: afl->stage_val_type = STAGE_VAL_BE; - *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); + *(u16 *)(out_buf + i) = SWAP16(interesting_16[j]); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3285,7 +3285,7 @@ skip_arith: } - *(u16*)(out_buf + i) = orig; + *(u16 *)(out_buf + i) = orig; } /* for i = 0; i < len - 1 */ @@ -3307,7 +3307,7 @@ skip_arith: for (i = 0; i < len - 3; ++i) { - u32 orig = *(u32*)(out_buf + i); + u32 orig = *(u32 *)(out_buf + i); /* Let's consult the effector map... */ @@ -3334,7 +3334,7 @@ skip_arith: afl->stage_val_type = STAGE_VAL_LE; - *(u32*)(out_buf + i) = interesting_32[j]; + *(u32 *)(out_buf + i) = interesting_32[j]; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3350,7 +3350,7 @@ skip_arith: afl->stage_val_type = STAGE_VAL_BE; - *(u32*)(out_buf + i) = SWAP32(interesting_32[j]); + *(u32 *)(out_buf + i) = SWAP32(interesting_32[j]); if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; ++afl->stage_cur; @@ -3360,7 +3360,7 @@ skip_arith: } - *(u32*)(out_buf + i) = orig; + *(u32 *)(out_buf + i) = orig; } /* for i = 0; i < len - 3 */ @@ -3688,13 +3688,13 @@ pacemaker_fuzzing: case 4: if (temp_len < 8) break; - *(u16*)(out_buf + UR(afl, temp_len - 1)) ^= 0xFFFF; + *(u16 *)(out_buf + UR(afl, temp_len - 1)) ^= 0xFFFF; MOpt_globals.cycles_v2[STAGE_FLIP16] += 1; break; case 5: if (temp_len < 8) break; - *(u32*)(out_buf + UR(afl, temp_len - 3)) ^= 0xFFFFFFFF; + *(u32 *)(out_buf + UR(afl, temp_len - 3)) ^= 0xFFFFFFFF; MOpt_globals.cycles_v2[STAGE_FLIP32] += 1; break; @@ -3710,14 +3710,14 @@ pacemaker_fuzzing: if (UR(afl, 2)) { u32 pos = UR(afl, temp_len - 1); - *(u16*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); + *(u16 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); } else { u32 pos = UR(afl, temp_len - 1); u16 num = 1 + UR(afl, ARITH_MAX); - *(u16*)(out_buf + pos) = - SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); + *(u16 *)(out_buf + pos) = + SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num); } @@ -3725,14 +3725,14 @@ pacemaker_fuzzing: if (UR(afl, 2)) { u32 pos = UR(afl, temp_len - 1); - *(u16*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); + *(u16 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); } else { u32 pos = UR(afl, temp_len - 1); u16 num = 1 + UR(afl, ARITH_MAX); - *(u16*)(out_buf + pos) = - SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); + *(u16 *)(out_buf + pos) = + SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num); } @@ -3745,14 +3745,14 @@ pacemaker_fuzzing: if (UR(afl, 2)) { u32 pos = UR(afl, temp_len - 3); - *(u32*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); + *(u32 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); } else { u32 pos = UR(afl, temp_len - 3); u32 num = 1 + UR(afl, ARITH_MAX); - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); + *(u32 *)(out_buf + pos) = + SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num); } @@ -3761,14 +3761,14 @@ pacemaker_fuzzing: if (UR(afl, 2)) { u32 pos = UR(afl, temp_len - 3); - *(u32*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); + *(u32 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); } else { u32 pos = UR(afl, temp_len - 3); u32 num = 1 + UR(afl, ARITH_MAX); - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); + *(u32 *)(out_buf + pos) = + SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num); } @@ -3788,12 +3788,12 @@ pacemaker_fuzzing: if (temp_len < 8) break; if (UR(afl, 2)) { - *(u16*)(out_buf + UR(afl, temp_len - 1)) = + *(u16 *)(out_buf + UR(afl, temp_len - 1)) = interesting_16[UR(afl, sizeof(interesting_16) >> 1)]; } else { - *(u16*)(out_buf + UR(afl, temp_len - 1)) = SWAP16( + *(u16 *)(out_buf + UR(afl, temp_len - 1)) = SWAP16( interesting_16[UR(afl, sizeof(interesting_16) >> 1)]); } @@ -3808,12 +3808,12 @@ pacemaker_fuzzing: if (UR(afl, 2)) { - *(u32*)(out_buf + UR(afl, temp_len - 3)) = + *(u32 *)(out_buf + UR(afl, temp_len - 3)) = interesting_32[UR(afl, sizeof(interesting_32) >> 2)]; } else { - *(u32*)(out_buf + UR(afl, temp_len - 3)) = SWAP32( + *(u32 *)(out_buf + UR(afl, temp_len - 3)) = SWAP32( interesting_32[UR(afl, sizeof(interesting_32) >> 2)]); } @@ -3865,7 +3865,7 @@ pacemaker_fuzzing: u8 actually_clone = UR(afl, 4); u32 clone_from, clone_to, clone_len; - u8* new_buf; + u8 *new_buf; if (actually_clone) { @@ -4020,9 +4020,9 @@ pacemaker_fuzzing: if (afl->use_splicing && splice_cycle++ < afl->SPLICE_CYCLES_puppet && afl->queued_paths > 1 && afl->queue_cur->len > 1) { - struct queue_entry* target; + struct queue_entry *target; u32 tid, split_at; - u8* new_buf; + u8 * new_buf; s32 f_diff, l_diff; /* First of all, if we've modified in_buf for havoc, let's clean that @@ -4268,19 +4268,19 @@ pacemaker_fuzzing: #undef FLIP_BIT -u8 core_fuzzing(afl_state_t* afl) { +u8 core_fuzzing(afl_state_t *afl) { return mopt_common_fuzzing(afl, afl->mopt_globals_core); } -u8 pilot_fuzzing(afl_state_t* afl) { +u8 pilot_fuzzing(afl_state_t *afl) { return mopt_common_fuzzing(afl, afl->mopt_globals_pilot); } -void pso_updating(afl_state_t* afl) { +void pso_updating(afl_state_t *afl) { afl->g_now += 1; if (afl->g_now > afl->g_max) afl->g_now = 0; @@ -4358,14 +4358,14 @@ void pso_updating(afl_state_t* afl) { to fuzz_one_original. All documentation references to fuzz_one therefore mean fuzz_one_original */ -u8 fuzz_one(afl_state_t* afl) { +u8 fuzz_one(afl_state_t *afl) { int key_val_lv = 0; #ifdef _AFL_DOCUMENT_MUTATIONS if (afl->do_document == 0) { - char* fn = alloc_printf("%s/mutations", afl->out_dir); + char *fn = alloc_printf("%s/mutations", afl->out_dir); if (fn) { afl->do_document = mkdir(fn, 0700); // if it exists we do not care diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 595c1ed0..cc565860 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -43,7 +43,7 @@ int init_py_module(afl_state_t *afl, u8 *module_name) { afl->py_module = PyImport_Import(py_name); Py_DECREF(py_name); - PyObject * py_module = afl->py_module; + PyObject *py_module = afl->py_module; PyObject **py_functions = afl->py_functions; if (afl->py_module != NULL) { diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 988f1ace..37d18a2d 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -28,9 +28,9 @@ .state file to avoid repeating deterministic fuzzing when resuming aborted scans. */ -void mark_as_det_done(afl_state_t* afl, struct queue_entry* q) { +void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) { - u8* fn = strrchr(q->fname, '/'); + u8 *fn = strrchr(q->fname, '/'); s32 fd; fn = alloc_printf("%s/queue/.state/deterministic_done/%s", afl->out_dir, @@ -49,7 +49,7 @@ void mark_as_det_done(afl_state_t* afl, struct queue_entry* q) { /* Mark as variable. Create symlinks if possible to make it easier to examine the files. */ -void mark_as_variable(afl_state_t* afl, struct queue_entry* q) { +void mark_as_variable(afl_state_t *afl, struct queue_entry *q) { u8 *fn = strrchr(q->fname, '/') + 1, *ldest; @@ -74,9 +74,9 @@ void mark_as_variable(afl_state_t* afl, struct queue_entry* q) { /* Mark / unmark as redundant (edge-only). This is not used for restoring state, but may be useful for post-processing datasets. */ -void mark_as_redundant(afl_state_t* afl, struct queue_entry* q, u8 state) { +void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) { - u8* fn; + u8 *fn; if (state == q->fs_redundant) return; @@ -105,9 +105,9 @@ void mark_as_redundant(afl_state_t* afl, struct queue_entry* q, u8 state) { /* Append new test case to the queue. */ -void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) { +void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) { - struct queue_entry* q = ck_alloc(sizeof(struct queue_entry)); + struct queue_entry *q = ck_alloc(sizeof(struct queue_entry)); q->fname = fname; q->len = len; @@ -142,7 +142,7 @@ void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) { if (afl->mutator && afl->mutator->afl_custom_queue_new_entry) { - u8* fname_orig = NULL; + u8 *fname_orig = NULL; /* At the initialization stage, queue_cur is NULL */ if (afl->queue_cur) fname_orig = afl->queue_cur->fname; @@ -155,7 +155,7 @@ void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) { /* Destroy the entire queue. */ -void destroy_queue(afl_state_t* afl) { +void destroy_queue(afl_state_t *afl) { struct queue_entry *q = afl->queue, *n; @@ -182,7 +182,7 @@ void destroy_queue(afl_state_t* afl) { previous contender, or if the contender has a more favorable speed x size factor. */ -void update_bitmap_score(afl_state_t* afl, struct queue_entry* q) { +void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u32 i; u64 fav_factor = q->exec_us * q->len; @@ -251,9 +251,9 @@ void update_bitmap_score(afl_state_t* afl, struct queue_entry* q) { until the next run. The favored entries are given more air time during all fuzzing steps. */ -void cull_queue(afl_state_t* afl) { +void cull_queue(afl_state_t *afl) { - struct queue_entry* q; + struct queue_entry *q; static u8 temp_v[MAP_SIZE >> 3]; u32 i; @@ -312,7 +312,7 @@ void cull_queue(afl_state_t* afl) { A helper function for fuzz_one(). Maybe some of these constants should go into config.h. */ -u32 calculate_score(afl_state_t* afl, struct queue_entry* q) { +u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { u32 avg_exec_us = afl->total_cal_us / afl->total_cal_cycles; u32 avg_bitmap_size = afl->total_bitmap_size / afl->total_bitmap_entries; @@ -405,7 +405,7 @@ u32 calculate_score(afl_state_t* afl, struct queue_entry* q) { fuzz_total = 0; n_paths = 0; - struct queue_entry* queue_it = afl->queue; + struct queue_entry *queue_it = afl->queue; while (queue_it) { fuzz_total += queue_it->n_fuzz; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index e012c4c3..c910e75e 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -33,13 +33,13 @@ struct range { u32 start; u32 end; - struct range* next; + struct range *next; }; -struct range* add_range(struct range* ranges, u32 start, u32 end) { +struct range *add_range(struct range *ranges, u32 start, u32 end) { - struct range* r = ck_alloc_nozero(sizeof(struct range)); + struct range *r = ck_alloc_nozero(sizeof(struct range)); r->start = start; r->end = end; r->next = ranges; @@ -47,12 +47,12 @@ struct range* add_range(struct range* ranges, u32 start, u32 end) { } -struct range* pop_biggest_range(struct range** ranges) { +struct range *pop_biggest_range(struct range **ranges) { - struct range* r = *ranges; - struct range* prev = NULL; - struct range* rmax = NULL; - struct range* prev_rmax = NULL; + struct range *r = *ranges; + struct range *prev = NULL; + struct range *rmax = NULL; + struct range *prev_rmax = NULL; u32 max_size = 0; while (r) { @@ -84,7 +84,7 @@ struct range* pop_biggest_range(struct range** ranges) { } -static u8 get_exec_checksum(afl_state_t* afl, u8* buf, u32 len, u32* cksum) { +static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) { if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1; @@ -93,7 +93,7 @@ static u8 get_exec_checksum(afl_state_t* afl, u8* buf, u32 len, u32* cksum) { } -static void rand_replace(afl_state_t* afl, u8* buf, u32 len) { +static void rand_replace(afl_state_t *afl, u8 *buf, u32 len) { u32 i; for (i = 0; i < len; ++i) @@ -101,10 +101,10 @@ static void rand_replace(afl_state_t* afl, u8* buf, u32 len) { } -static u8 colorization(afl_state_t* afl, u8* buf, u32 len, u32 exec_cksum) { +static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { - struct range* ranges = add_range(NULL, 0, len); - u8* backup = ck_alloc_nozero(len); + struct range *ranges = add_range(NULL, 0, len); + u8 * backup = ck_alloc_nozero(len); u8 needs_write = 0; @@ -115,7 +115,7 @@ static u8 colorization(afl_state_t* afl, u8* buf, u32 len, u32 exec_cksum) { afl->stage_short = "colorization"; afl->stage_max = 1000; - struct range* rng; + struct range *rng; afl->stage_cur = 0; while ((rng = pop_biggest_range(&ranges)) != NULL && afl->stage_cur < afl->stage_max) { @@ -205,7 +205,7 @@ checksum_fail: ///// Input to State replacement -static u8 its_fuzz(afl_state_t* afl, u8* buf, u32 len, u8* status) { +static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { u64 orig_hit_cnt, new_hit_cnt; @@ -224,13 +224,13 @@ static u8 its_fuzz(afl_state_t* afl, u8* buf, u32 len, u8* status) { } -static u8 cmp_extend_encoding(afl_state_t* afl, struct cmp_header* h, - u64 pattern, u64 repl, u32 idx, u8* orig_buf, - u8* buf, u32 len, u8 do_reverse, u8* status) { +static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, + u64 pattern, u64 repl, u32 idx, u8 *orig_buf, + u8 *buf, u32 len, u8 do_reverse, u8 *status) { - u64* buf_64 = (u64*)&buf[idx]; - u32* buf_32 = (u32*)&buf[idx]; - u16* buf_16 = (u16*)&buf[idx]; + u64 *buf_64 = (u64 *)&buf[idx]; + u32 *buf_32 = (u32 *)&buf[idx]; + u16 *buf_16 = (u16 *)&buf[idx]; // u8* buf_8 = &buf[idx]; // u64* o_buf_64 = (u64*)&orig_buf[idx]; // u32* o_buf_32 = (u32*)&orig_buf[idx]; @@ -313,9 +313,9 @@ static u8 cmp_extend_encoding(afl_state_t* afl, struct cmp_header* h, } -static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) { +static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) { - u8* b = (u8*)&v; + u8 *b = (u8 *)&v; u32 k; u8 cons_ff = 0, cons_0 = 0; @@ -332,7 +332,7 @@ static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) { } - maybe_add_auto(afl, (u8*)&v, shape); + maybe_add_auto(afl, (u8 *)&v, shape); u64 rev; switch (shape) { @@ -340,24 +340,24 @@ static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) { case 1: break; case 2: rev = SWAP16((u16)v); - maybe_add_auto(afl, (u8*)&rev, shape); + maybe_add_auto(afl, (u8 *)&rev, shape); break; case 4: rev = SWAP32((u32)v); - maybe_add_auto(afl, (u8*)&rev, shape); + maybe_add_auto(afl, (u8 *)&rev, shape); break; case 8: rev = SWAP64(v); - maybe_add_auto(afl, (u8*)&rev, shape); + maybe_add_auto(afl, (u8 *)&rev, shape); break; } } -static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) { +static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { - struct cmp_header* h = &afl->shm.cmp_map->headers[key]; + struct cmp_header *h = &afl->shm.cmp_map->headers[key]; u32 i, j, idx; u32 loggeds = h->hits; @@ -369,7 +369,7 @@ static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) { for (i = 0; i < loggeds; ++i) { - struct cmp_operands* o = &afl->shm.cmp_map->log[key][i]; + struct cmp_operands *o = &afl->shm.cmp_map->log[key][i]; // opt not in the paper for (j = 0; j < i; ++j) @@ -414,9 +414,9 @@ static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) { } -static u8 rtn_extend_encoding(afl_state_t* afl, struct cmp_header* h, - u8* pattern, u8* repl, u32 idx, u8* orig_buf, - u8* buf, u32 len, u8* status) { +static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, + u8 *pattern, u8 *repl, u32 idx, u8 *orig_buf, + u8 *buf, u32 len, u8 *status) { u32 i; u32 its_len = MIN(32, len - idx); @@ -440,9 +440,9 @@ static u8 rtn_extend_encoding(afl_state_t* afl, struct cmp_header* h, } -static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) { +static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { - struct cmp_header* h = &afl->shm.cmp_map->headers[key]; + struct cmp_header *h = &afl->shm.cmp_map->headers[key]; u32 i, j, idx; u32 loggeds = h->hits; @@ -454,12 +454,12 @@ static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) { for (i = 0; i < loggeds; ++i) { - struct cmpfn_operands* o = - &((struct cmpfn_operands*)afl->shm.cmp_map->log[key])[i]; + struct cmpfn_operands *o = + &((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[i]; // opt not in the paper for (j = 0; j < i; ++j) - if (!memcmp(&((struct cmpfn_operands*)afl->shm.cmp_map->log[key])[j], o, + if (!memcmp(&((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[j], o, sizeof(struct cmpfn_operands))) goto rtn_fuzz_next_iter; @@ -503,7 +503,7 @@ static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) { ///// Input to State stage // afl->queue_cur->exec_cksum -u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len, +u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u32 exec_cksum) { u8 r = 1; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 28abad65..527782e4 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -32,12 +32,12 @@ void timeout_handle(union sigval timer_data) { - pid_t child_pid = timer_data.sival_int; + pid_t child_pid = timer_data.sival_int; if (child_pid > 0) kill(child_pid, SIGKILL); } -u8 run_target(afl_state_t* afl, u32 timeout) { +u8 run_target(afl_state_t *afl, u32 timeout) { // static struct itimerval it; struct sigevent timer_signal_event; @@ -146,7 +146,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) { /* Use a distinctive bitmap value to tell the parent about execv() falling through. */ - *(u32*)afl->fsrv.trace_bits = EXEC_FAIL_SIG; + *(u32 *)afl->fsrv.trace_bits = EXEC_FAIL_SIG; exit(0); } @@ -181,11 +181,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) { timer_signal_event.sigev_value.sival_int = afl->fsrv.child_pid; timer_status = timer_create(CLOCK_MONOTONIC, &timer_signal_event, &timer); - if (timer_status == -1) { - - FATAL("Failed to create Timer"); - - } + if (timer_status == -1) { FATAL("Failed to create Timer"); } timer_period.it_value.tv_sec = (timeout / 1000); timer_period.it_value.tv_nsec = (timeout % 1000) * 1000000; @@ -203,13 +199,12 @@ u8 run_target(afl_state_t* afl, u32 timeout) { } else { - FATAL("Failed to set the timer to the given timeout"); + FATAL("Failed to set the timer to the given timeout"); } } - /* The SIGALRM handler simply kills the afl->fsrv.child_pid and sets * afl->fsrv.child_timed_out. */ @@ -221,6 +216,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) { PFATAL("waitpid() failed"); } + } else { s32 res; @@ -261,11 +257,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) { timer_period.it_value.tv_nsec / 1000000); if (afl->slowest_exec_ms < exec_ms) afl->slowest_exec_ms = exec_ms; - if (exec_ms >= timeout) { - - afl->fsrv.child_timed_out = 1; - - } + if (exec_ms >= timeout) { afl->fsrv.child_timed_out = 1; } timer_period.it_value.tv_sec = 0; timer_period.it_value.tv_nsec = 0; @@ -289,12 +281,12 @@ u8 run_target(afl_state_t* afl, u32 timeout) { MEM_BARRIER(); - tb4 = *(u32*)afl->fsrv.trace_bits; + tb4 = *(u32 *)afl->fsrv.trace_bits; #ifdef WORD_SIZE_64 - classify_counts((u64*)afl->fsrv.trace_bits); + classify_counts((u64 *)afl->fsrv.trace_bits); #else - classify_counts((u32*)afl->fsrv.trace_bits); + classify_counts((u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ prev_timed_out = afl->fsrv.child_timed_out; @@ -327,9 +319,9 @@ u8 run_target(afl_state_t* afl, u32 timeout) { return FAULT_NONE; - handle_stop_soon: - timer_delete(timer); - return 0; +handle_stop_soon: + timer_delete(timer); + return 0; } @@ -337,13 +329,13 @@ u8 run_target(afl_state_t* afl, u32 timeout) { old file is unlinked and a new one is created. Otherwise, afl->fsrv.out_fd is rewound and truncated. */ -void write_to_testcase(afl_state_t* afl, void* mem, u32 len) { +void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { s32 fd = afl->fsrv.out_fd; #ifdef _AFL_DOCUMENT_MUTATIONS s32 doc_fd; - char* fn = alloc_printf("%s/mutations/%09u:%s", afl->out_dir, + char *fn = alloc_printf("%s/mutations/%09u:%s", afl->out_dir, afl->document_counter++, describe_op(0)); if (fn != NULL) { @@ -382,7 +374,7 @@ void write_to_testcase(afl_state_t* afl, void* mem, u32 len) { if (afl->mutator && afl->mutator->afl_custom_pre_save) { - u8* new_data; + u8 *new_data; size_t new_size = afl->mutator->afl_custom_pre_save(afl, mem, len, &new_data); ck_write(fd, new_data, new_size, afl->fsrv.out_file); @@ -407,7 +399,7 @@ void write_to_testcase(afl_state_t* afl, void* mem, u32 len) { /* The same, but with an adjustable gap. Used for trimming. */ -static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at, +static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, u32 skip_len) { s32 fd = afl->fsrv.out_fd; @@ -434,7 +426,7 @@ static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at, if (skip_at) ck_write(fd, mem, skip_at, afl->fsrv.out_file); - u8* memu8 = mem; + u8 *memu8 = mem; if (tail_len) ck_write(fd, memu8 + skip_at + skip_len, tail_len, afl->fsrv.out_file); @@ -453,7 +445,7 @@ static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at, to warn about flaky or otherwise problematic test cases early on; and when new paths are discovered to detect variable behavior and so on. */ -u8 calibrate_case(afl_state_t* afl, struct queue_entry* q, u8* use_mem, +u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 handicap, u8 from_queue) { static u8 first_trace[MAP_SIZE]; @@ -465,7 +457,7 @@ u8 calibrate_case(afl_state_t* afl, struct queue_entry* q, u8* use_mem, s32 old_sc = afl->stage_cur, old_sm = afl->stage_max; u32 use_tmout = afl->fsrv.exec_tmout; - u8* old_sn = afl->stage_name; + u8 *old_sn = afl->stage_name; /* Be a bit more generous about timeouts when resuming sessions, or when trying to calibrate already-added finds. This helps avoid trouble due @@ -612,11 +604,11 @@ abort_calibration: /* Grab interesting test cases from other fuzzers. */ -void sync_fuzzers(afl_state_t* afl) { +void sync_fuzzers(afl_state_t *afl) { - DIR* sd; - struct dirent* sd_ent; - u32 sync_cnt = 0; + DIR *sd; + struct dirent *sd_ent; + u32 sync_cnt = 0; sd = opendir(afl->sync_dir); if (!sd) PFATAL("Unable to open '%s'", afl->sync_dir); @@ -631,10 +623,10 @@ void sync_fuzzers(afl_state_t* afl) { static u8 stage_tmp[128]; - DIR* qd; - struct dirent* qd_ent; - u8 * qd_path, *qd_synced_path; - u32 min_accept = 0, next_min_accept; + DIR *qd; + struct dirent *qd_ent; + u8 *qd_path, *qd_synced_path; + u32 min_accept = 0, next_min_accept; s32 id_fd; @@ -679,8 +671,8 @@ void sync_fuzzers(afl_state_t* afl) { while ((qd_ent = readdir(qd))) { - u8* path; - s32 fd; + u8 *path; + s32 fd; struct stat st; if (qd_ent->d_name[0] == '.' || @@ -713,7 +705,7 @@ void sync_fuzzers(afl_state_t* afl) { if (st.st_size && st.st_size <= MAX_FILE) { u8 fault; - u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + u8 *mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path); @@ -760,7 +752,7 @@ void sync_fuzzers(afl_state_t* afl) { trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of file size, to keep the stage short and sweet. */ -u8 trim_case(afl_state_t* afl, struct queue_entry* q, u8* in_buf) { +u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { /* Custom mutator trimmer */ if (afl->mutator && afl->mutator->afl_custom_trim) @@ -896,7 +888,7 @@ abort_trimming: error conditions, returning 1 if it's time to bail out. This is a helper function for fuzz_one(). */ -u8 common_fuzz_stuff(afl_state_t* afl, u8* out_buf, u32 len) { +u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index f2f6efb9..e03018a1 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -347,9 +347,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -429,9 +429,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", DTD(cur_ms, afl->last_hang_time), tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -460,9 +460,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -533,7 +533,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 3483f02c..2082633f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -27,7 +27,7 @@ u8 be_quiet = 0; -static u8* get_libradamsa_path(u8* own_loc) { +static u8 *get_libradamsa_path(u8 *own_loc) { u8 *tmp, *cp, *rsl, *own_copy; @@ -84,7 +84,7 @@ static u8* get_libradamsa_path(u8* own_loc) { /* Display usage hints. */ -static void usage(afl_state_t* afl, u8* argv0, int more_help) { +static void usage(afl_state_t *afl, u8 *argv0, int more_help) { SAYF( "\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n" @@ -198,7 +198,7 @@ static void usage(afl_state_t* afl, u8* argv0, int more_help) { #ifdef USE_PYTHON SAYF("Compiled with %s module support, see docs/custom_mutator.md\n", - (char*)PYTHON_VERSION); + (char *)PYTHON_VERSION); #endif SAYF("For additional help please consult %s/README.md\n\n", doc_path); @@ -210,7 +210,7 @@ static void usage(afl_state_t* afl, u8* argv0, int more_help) { #ifndef AFL_LIB -static int stricmp(char const* a, char const* b) { +static int stricmp(char const *a, char const *b) { for (;; ++a, ++b) { @@ -224,22 +224,22 @@ static int stricmp(char const* a, char const* b) { /* Main entry point */ -int main(int argc, char** argv_orig, char** envp) { +int main(int argc, char **argv_orig, char **envp) { s32 opt; u64 prev_queued = 0; u32 sync_interval_cnt = 0, seek_to, show_help = 0; - u8* extras_dir = 0; + u8 * extras_dir = 0; u8 mem_limit_given = 0; u8 exit_1 = !!get_afl_env("AFL_BENCH_JUST_ONE"); - char** use_argv; + char **use_argv; struct timeval tv; struct timezone tz; - char** argv = argv_cpy_dup(argc, argv_orig); + char **argv = argv_cpy_dup(argc, argv_orig); - afl_state_t* afl = calloc(1, sizeof(afl_state_t)); + afl_state_t *afl = calloc(1, sizeof(afl_state_t)); if (!afl) { FATAL("Could not create afl state"); } afl_state_init(afl); @@ -248,7 +248,7 @@ int main(int argc, char** argv_orig, char** envp) { SAYF(cCYA "afl-fuzz" VERSION cRST " based on afl by Michal Zalewski and a big online community\n"); - doc_path = access(DOC_PATH, F_OK) ? (u8*)"docs" : doc_path; + doc_path = access(DOC_PATH, F_OK) ? (u8 *)"docs" : doc_path; gettimeofday(&tv, &tz); afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); @@ -337,7 +337,7 @@ int main(int argc, char** argv_orig, char** envp) { case 'M': { /* master sync ID */ - u8* c; + u8 *c; if (afl->sync_id) FATAL("Multiple -S or -M options not supported"); afl->sync_id = ck_strdup(optarg); @@ -696,8 +696,8 @@ int main(int argc, char** argv_orig, char** envp) { OKF("Using Radamsa add-on"); - u8* libradamsa_path = get_libradamsa_path(argv[0]); - void* handle = dlopen(libradamsa_path, RTLD_NOW); + u8 * libradamsa_path = get_libradamsa_path(argv[0]); + void *handle = dlopen(libradamsa_path, RTLD_NOW); ck_free(libradamsa_path); if (!handle) FATAL("Failed to dlopen() libradamsa"); @@ -794,9 +794,9 @@ int main(int argc, char** argv_orig, char** envp) { if (afl->qemu_mode) { - u8* qemu_preload = getenv("QEMU_SET_ENV"); - u8* afl_preload = getenv("AFL_PRELOAD"); - u8* buf; + u8 *qemu_preload = getenv("QEMU_SET_ENV"); + u8 *afl_preload = getenv("AFL_PRELOAD"); + u8 *buf; s32 i, afl_preload_size = strlen(afl_preload); for (i = 0; i < afl_preload_size; ++i) { @@ -926,7 +926,7 @@ int main(int argc, char** argv_orig, char** envp) { u32 i = optind + 1; while (argv[i]) { - u8* aa_loc = strstr(argv[i], "@@"); + u8 *aa_loc = strstr(argv[i], "@@"); if (aa_loc && !afl->fsrv.out_file) { diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 033c1eea..bb3baf56 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -48,18 +48,18 @@ #include <stdlib.h> #include <string.h> -static u8* as_path; /* Path to the AFL 'as' wrapper */ -static u8** cc_params; /* Parameters passed to the real CC */ -static u32 cc_par_cnt = 1; /* Param count, including argv0 */ -static u8 be_quiet, /* Quiet mode */ +static u8 *as_path; /* Path to the AFL 'as' wrapper */ +static u8 **cc_params; /* Parameters passed to the real CC */ +static u32 cc_par_cnt = 1; /* Param count, including argv0 */ +static u8 be_quiet, /* Quiet mode */ clang_mode; /* Invoked as afl-clang*? */ /* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived from argv[0]. If that fails, abort. */ -static void find_as(u8* argv0) { +static void find_as(u8 *argv0) { - u8* afl_path = getenv("AFL_PATH"); + u8 *afl_path = getenv("AFL_PATH"); u8 *slash, *tmp; if (afl_path) { @@ -82,7 +82,7 @@ static void find_as(u8* argv0) { if (slash) { - u8* dir; + u8 *dir; *slash = 0; dir = ck_strdup(argv0); @@ -116,16 +116,16 @@ static void find_as(u8* argv0) { /* Copy argv to cc_params, making the necessary edits. */ -static void edit_params(u32 argc, char** argv) { +static void edit_params(u32 argc, char **argv) { u8 fortify_set = 0, asan_set = 0; - u8* name; + u8 *name; #if defined(__FreeBSD__) && defined(WORD_SIZE_64) u8 m32_set = 0; #endif - cc_params = ck_alloc((argc + 128) * sizeof(u8*)); + cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); name = strrchr(argv[0], '/'); if (!name) @@ -141,13 +141,13 @@ static void edit_params(u32 argc, char** argv) { if (!strcmp(name, "afl-clang++")) { - u8* alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++"; + u8 *alt_cxx = getenv("AFL_CXX"); + cc_params[0] = alt_cxx ? alt_cxx : (u8 *)"clang++"; } else { - u8* alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"clang"; + u8 *alt_cc = getenv("AFL_CC"); + cc_params[0] = alt_cc ? alt_cc : (u8 *)"clang"; } @@ -186,18 +186,18 @@ static void edit_params(u32 argc, char** argv) { if (!strcmp(name, "afl-g++")) { - u8* alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; + u8 *alt_cxx = getenv("AFL_CXX"); + cc_params[0] = alt_cxx ? alt_cxx : (u8 *)"g++"; } else if (!strcmp(name, "afl-gcj")) { - u8* alt_cc = getenv("AFL_GCJ"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj"; + u8 *alt_cc = getenv("AFL_GCJ"); + cc_params[0] = alt_cc ? alt_cc : (u8 *)"gcj"; } else { - u8* alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; + u8 *alt_cc = getenv("AFL_CC"); + cc_params[0] = alt_cc ? alt_cc : (u8 *)"gcc"; } @@ -207,7 +207,7 @@ static void edit_params(u32 argc, char** argv) { while (--argc) { - u8* cur = *(++argv); + u8 *cur = *(++argv); if (!strncmp(cur, "-B", 2)) { @@ -340,9 +340,9 @@ static void edit_params(u32 argc, char** argv) { /* Main entry point */ -int main(int argc, char** argv) { +int main(int argc, char **argv) { - char* env_info = + char *env_info = "Environment variables used by afl-gcc:\n" "AFL_CC: path to the C compiler to use\n" "AFL_CXX: path to the C++ compiler to use\n" @@ -415,7 +415,7 @@ int main(int argc, char** argv) { edit_params(argc, argv); - execvp(cc_params[0], (char**)cc_params); + execvp(cc_params[0], (char **)cc_params); FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index 31455b66..70ed4dbc 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -129,7 +129,7 @@ repeat_loop: /* Do the benchmark thing. */ -int main(int argc, char** argv) { +int main(int argc, char **argv) { if (argc > 1) { @@ -165,7 +165,7 @@ int main(int argc, char** argv) { CPU_ZERO(&c); CPU_SET(i, &c); #elif defined(__NetBSD__) - cpuset_t* c; + cpuset_t *c; c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 3122ab04..acddbbc7 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -61,13 +61,13 @@ u8 be_quiet; -char* stdin_file; /* stdin file */ +char *stdin_file; /* stdin file */ u8 *in_dir, /* input folder */ *doc_path, /* Path to docs */ *at_file = NULL; /* Substitution string for @@ */ -static u8* in_data; /* Input data */ +static u8 *in_data; /* Input data */ static u32 total, highest; /* tuple content information */ @@ -111,7 +111,7 @@ static const u8 count_class_binary[256] = { }; -static void classify_counts(u8* mem, const u8* map) { +static void classify_counts(u8 *mem, const u8 *map) { u32 i = MAP_SIZE; @@ -147,7 +147,7 @@ static void at_exit_handler(void) { /* Write results. */ -static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) { +static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { s32 fd; u32 i, ret = 0; @@ -183,7 +183,7 @@ static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) { } else { - FILE* f = fdopen(fd, "w"); + FILE *f = fdopen(fd, "w"); if (!f) PFATAL("fdopen() failed"); @@ -218,7 +218,7 @@ static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) { /* Write results. */ -static u32 write_results(afl_forkserver_t* fsrv) { +static u32 write_results(afl_forkserver_t *fsrv) { return write_results_to_file(fsrv, fsrv->out_file); @@ -226,7 +226,7 @@ static u32 write_results(afl_forkserver_t* fsrv) { /* Write output file. */ -static s32 write_to_file(u8* path, u8* mem, u32 len) { +static s32 write_to_file(u8 *path, u8 *mem, u32 len) { s32 ret; @@ -248,7 +248,7 @@ static s32 write_to_file(u8* path, u8* mem, u32 len) { is unlinked and a new one is created. Otherwise, out_fd is rewound and truncated. */ -static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) { +static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { lseek(fsrv->out_fd, 0, SEEK_SET); ck_write(fsrv->out_fd, mem, len, fsrv->out_file); @@ -260,7 +260,7 @@ static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) { /* Execute target application. Returns 0 if the changes are a dud, or 1 if they should be kept. */ -static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem, +static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len) { static struct itimerval it; @@ -321,7 +321,7 @@ static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem, /* Clean up bitmap, analyze exit condition, etc. */ - if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG) + if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) FATAL("Unable to execute '%s'", argv[0]); classify_counts(fsrv->trace_bits, @@ -356,7 +356,7 @@ static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem, /* Read initial file. */ -u32 read_file(u8* in_file) { +u32 read_file(u8 *in_file) { struct stat st; s32 fd = open(in_file, O_RDONLY); @@ -381,7 +381,7 @@ u32 read_file(u8* in_file) { /* Execute target application. */ -static void run_target(afl_forkserver_t* fsrv, char** argv) { +static void run_target(afl_forkserver_t *fsrv, char **argv) { static struct itimerval it; int status = 0; @@ -404,7 +404,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) { if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) { - *(u32*)fsrv->trace_bits = EXEC_FAIL_SIG; + *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; PFATAL("Descriptor initialization failed"); } @@ -442,7 +442,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) { execv(fsrv->target_path, argv); - *(u32*)fsrv->trace_bits = EXEC_FAIL_SIG; + *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; exit(0); } @@ -470,7 +470,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) { /* Clean up bitmap, analyze exit condition, etc. */ - if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG) + if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) FATAL("Unable to execute '%s'", argv[0]); classify_counts(fsrv->trace_bits, @@ -525,9 +525,9 @@ static void set_up_environment(void) { if (qemu_mode) { - u8* qemu_preload = getenv("QEMU_SET_ENV"); - u8* afl_preload = getenv("AFL_PRELOAD"); - u8* buf; + u8 *qemu_preload = getenv("QEMU_SET_ENV"); + u8 *afl_preload = getenv("AFL_PRELOAD"); + u8 *buf; s32 i, afl_preload_size = strlen(afl_preload); for (i = 0; i < afl_preload_size; ++i) { @@ -597,7 +597,7 @@ static void show_banner(void) { /* Display usage hints. */ -static void usage(u8* argv0) { +static void usage(u8 *argv0) { show_banner(); @@ -647,9 +647,9 @@ static void usage(u8* argv0) { /* Find binary. */ -static void find_binary(afl_forkserver_t* fsrv, u8* fname) { +static void find_binary(afl_forkserver_t *fsrv, u8 *fname) { - u8* env_path = 0; + u8 *env_path = 0; struct stat st; if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { @@ -703,19 +703,19 @@ static void find_binary(afl_forkserver_t* fsrv, u8* fname) { /* Main entry point */ -int main(int argc, char** argv_orig, char** envp) { +int main(int argc, char **argv_orig, char **envp) { // TODO: u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ s32 opt, i; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; u32 tcnt = 0; - char** use_argv; + char **use_argv; - char** argv = argv_cpy_dup(argc, argv_orig); + char **argv = argv_cpy_dup(argc, argv_orig); afl_forkserver_t fsrv_var = {0}; - afl_forkserver_t* fsrv = &fsrv_var; + afl_forkserver_t *fsrv = &fsrv_var; afl_fsrv_init(fsrv); doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; @@ -929,10 +929,10 @@ int main(int argc, char** argv_orig, char** envp) { if (in_dir) { - DIR * dir_in, *dir_out; - struct dirent* dir_ent; - int done = 0; - u8 infile[4096], outfile[4096]; + DIR *dir_in, *dir_out; + struct dirent *dir_ent; + int done = 0; + u8 infile[4096], outfile[4096]; #if !defined(DT_REG) struct stat statbuf; #endif @@ -946,7 +946,7 @@ int main(int argc, char** argv_orig, char** envp) { if (mkdir(fsrv->out_file, 0700)) PFATAL("cannot create output directory %s", fsrv->out_file); - u8* use_dir = "."; + u8 *use_dir = "."; if (access(use_dir, R_OK | W_OK | X_OK)) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 65cc00ce..17e9af5a 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -58,13 +58,13 @@ #include <sys/types.h> #include <sys/resource.h> -static u8* mask_bitmap; /* Mask for trace bits (-B) */ +static u8 *mask_bitmap; /* Mask for trace bits (-B) */ u8 *in_file, /* Minimizer input test case */ *output_file, /* Minimizer output file */ *doc_path; /* Path to docs */ -static u8* in_data; /* Input data for trimming */ +static u8 *in_data; /* Input data for trimming */ static u32 in_len, /* Input data length */ orig_cksum, /* Original checksum */ @@ -105,7 +105,7 @@ static const u8 count_class_lookup[256] = { }; -static void classify_counts(u8* mem) { +static void classify_counts(u8 *mem) { u32 i = MAP_SIZE; @@ -133,7 +133,7 @@ static void classify_counts(u8* mem) { /* Apply mask to classified bitmap (if set). */ -static void apply_mask(u32* mem, u32* mask) { +static void apply_mask(u32 *mem, u32 *mask) { u32 i = (MAP_SIZE >> 2); @@ -151,9 +151,9 @@ static void apply_mask(u32* mem, u32* mask) { /* See if any bytes are set in the bitmap. */ -static inline u8 anything_set(afl_forkserver_t* fsrv) { +static inline u8 anything_set(afl_forkserver_t *fsrv) { - u32* ptr = (u32*)fsrv->trace_bits; + u32 *ptr = (u32 *)fsrv->trace_bits; u32 i = (MAP_SIZE >> 2); while (i--) @@ -196,7 +196,7 @@ static void read_initial_file(void) { /* Write output file. */ -static s32 write_to_file(u8* path, u8* mem, u32 len) { +static s32 write_to_file(u8 *path, u8 *mem, u32 len) { s32 ret; @@ -218,7 +218,7 @@ static s32 write_to_file(u8* path, u8* mem, u32 len) { is unlinked and a new one is created. Otherwise, out_fd is rewound and truncated. */ -static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) { +static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { s32 fd = fsrv->out_fd; @@ -395,7 +395,7 @@ static void init_forkserver(char **argv) { /* Execute target application. Returns 0 if the changes are a dud, or 1 if they should be kept. */ -static u8 run_target(afl_forkserver_t* fsrv, char** argv, u8* mem, u32 len, +static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, u8 first_run) { static struct itimerval it; @@ -460,13 +460,13 @@ static u8 run_target(afl_forkserver_t* fsrv, char** argv, u8* mem, u32 len, /* Clean up bitmap, analyze exit condition, etc. */ - if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG) + if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) FATAL("Unable to execute '%s'", argv[0]); if (!hang_mode) { classify_counts(fsrv->trace_bits); - apply_mask((u32*)fsrv->trace_bits, (u32*)mask_bitmap); + apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap); } @@ -565,11 +565,11 @@ static u32 next_p2(u32 val) { /* Actually minimize! */ -static void minimize(afl_forkserver_t* fsrv, char** argv) { +static void minimize(afl_forkserver_t *fsrv, char **argv) { static u32 alpha_map[256]; - u8* tmp_buf = ck_alloc_nozero(in_len); + u8 *tmp_buf = ck_alloc_nozero(in_len); u32 orig_len = in_len, stage_o_len; u32 del_len, set_len, del_pos, set_pos, i, alpha_size, cur_pass = 0; @@ -835,16 +835,16 @@ static void handle_stop_sig(int sig) { /* Do basic preparations - persistent fds, filenames, etc. */ -static void set_up_environment(afl_forkserver_t* fsrv) { +static void set_up_environment(afl_forkserver_t *fsrv) { - u8* x; + u8 *x; fsrv->dev_null_fd = open("/dev/null", O_RDWR); if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null"); if (!fsrv->out_file) { - u8* use_dir = "."; + u8 *use_dir = "."; if (access(use_dir, R_OK | W_OK | X_OK)) { @@ -907,9 +907,9 @@ static void set_up_environment(afl_forkserver_t* fsrv) { if (qemu_mode) { - u8* qemu_preload = getenv("QEMU_SET_ENV"); - u8* afl_preload = getenv("AFL_PRELOAD"); - u8* buf; + u8 *qemu_preload = getenv("QEMU_SET_ENV"); + u8 *afl_preload = getenv("AFL_PRELOAD"); + u8 *buf; s32 i, afl_preload_size = strlen(afl_preload); for (i = 0; i < afl_preload_size; ++i) { @@ -971,7 +971,7 @@ static void setup_signal_handlers(void) { /* Display usage hints. */ -static void usage(u8* argv0) { +static void usage(u8 *argv0) { SAYF( "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" @@ -1018,9 +1018,9 @@ static void usage(u8* argv0) { /* Find binary. */ -static void find_binary(afl_forkserver_t* fsrv, u8* fname) { +static void find_binary(afl_forkserver_t *fsrv, u8 *fname) { - u8* env_path = 0; + u8 * env_path = 0; struct stat st; if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { @@ -1074,7 +1074,7 @@ static void find_binary(afl_forkserver_t* fsrv, u8* fname) { /* Read mask bitmap from file. This is for the -B option. */ -static void read_bitmap(u8* fname) { +static void read_bitmap(u8 *fname) { s32 fd = open(fname, O_RDONLY); @@ -1088,16 +1088,16 @@ static void read_bitmap(u8* fname) { /* Main entry point */ -int main(int argc, char** argv_orig, char** envp) { +int main(int argc, char **argv_orig, char **envp) { s32 opt; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; - char** use_argv; + char **use_argv; - char** argv = argv_cpy_dup(argc, argv_orig); + char **argv = argv_cpy_dup(argc, argv_orig); afl_forkserver_t fsrv_var = {0}; - afl_forkserver_t* fsrv = &fsrv_var; + afl_forkserver_t *fsrv = &fsrv_var; afl_fsrv_init(fsrv); doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; |