From 3a7a8704eeca4fccf9629552574c5aac5f0f2271 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 22 Nov 2021 13:27:56 +0100 Subject: better string length counting --- instrumentation/afl-compiler-rt.o.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 7c628fcd..ef1d9300 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -1892,9 +1892,10 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) { // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len); if (likely(!__afl_cmp_map)) return; if (unlikely(!len)) return; - int len1 = MIN(31, strlen(ptr1) + 1); - int len2 = MIN(31, strlen(ptr2) + 1); - int l = MIN(MAX(len1, len2), 31); + int len1 = strnlen(ptr1, 30) + 1; + int len2 = strnlen(ptr2, 30) + 1; + int l = MAX(len1, len2); + if (l < 3) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); @@ -1937,9 +1938,10 @@ void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) { // fprintf(stderr, "RTN1 %p %p\n", ptr1, ptr2); if (likely(!__afl_cmp_map)) return; if (unlikely(!ptr1 || !ptr2)) return; - int len1 = MIN(31, strlen(ptr1) + 1); - int len2 = MIN(31, strlen(ptr2) + 1); - int l = MIN(MAX(len1, len2), 31); + int len1 = strnlen(ptr1, 30) + 1; + int len2 = strnlen(ptr2, 30) + 1; + int l = MAX(len1, len2); + if (l < 3) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); -- cgit 1.4.1 From 6f9a98c4a97e8e261fc52891d61f0b0c145b6364 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 22 Nov 2021 14:38:43 +0100 Subject: better string length counting --- instrumentation/afl-compiler-rt.o.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'instrumentation/afl-compiler-rt.o.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index ef1d9300..5d198ada 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -1892,10 +1892,13 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) { // fprintf(stderr, "RTN1 %p %p %u\n", ptr1, ptr2, len); if (likely(!__afl_cmp_map)) return; if (unlikely(!len)) return; - int len1 = strnlen(ptr1, 30) + 1; - int len2 = strnlen(ptr2, 30) + 1; + int len0 = MIN(len, 31); + int len1 = strnlen(ptr1, len0); + if (len1 < 31) len1 = area_is_valid(ptr1, len1 + 1); + int len2 = strnlen(ptr2, len0); + if (len2 < 31) len2 = area_is_valid(ptr1, len2 + 1); int l = MAX(len1, len2); - if (l < 3) return; + if (l < 2) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); -- cgit 1.4.1