From ff3c9cbd7310e1fc51b2fd7ce42aafa8c0a08a37 Mon Sep 17 00:00:00 2001
From: Raphaël Hertzog <raphael@offensive-security.com>
Date: Fri, 28 Aug 2020 18:02:18 +0200
Subject: Fix installation path of manual pages

Manual pages are stored in /usr/share/man/.
---
 qemu_mode/libcompcov/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'qemu_mode/libcompcov')

diff --git a/qemu_mode/libcompcov/Makefile b/qemu_mode/libcompcov/Makefile
index 9ed3e3fa..c2880b99 100644
--- a/qemu_mode/libcompcov/Makefile
+++ b/qemu_mode/libcompcov/Makefile
@@ -16,7 +16,7 @@
 PREFIX      ?= /usr/local
 HELPER_PATH  = $(PREFIX)/lib/afl
 DOC_PATH    ?= $(PREFIX)/share/doc/afl
-MAN_PATH    ?= $(PREFIX)/man/man8
+MAN_PATH    ?= $(PREFIX)/share/man/man8
 
 VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
 
-- 
cgit 1.4.1


From 54a312a5fe7d83fcee8b420868bc918622e9b3a6 Mon Sep 17 00:00:00 2001
From: hexcoder- <heiko@hexco.de>
Date: Fri, 13 Nov 2020 00:44:08 +0100
Subject: more small fixes

---
 qemu_mode/libcompcov/pmparser.h                          |  2 +-
 qemu_mode/qemuafl                                        |  1 -
 src/afl-common.c                                         |  2 +-
 src/afl-fuzz-python.c                                    |  1 +
 .../samples/persistent/simple_target_noncrashing.c       | 16 ++++++++++------
 5 files changed, 13 insertions(+), 9 deletions(-)
 delete mode 160000 qemu_mode/qemuafl

(limited to 'qemu_mode/libcompcov')

diff --git a/qemu_mode/libcompcov/pmparser.h b/qemu_mode/libcompcov/pmparser.h
index 9421d47e..1a3d8834 100644
--- a/qemu_mode/libcompcov/pmparser.h
+++ b/qemu_mode/libcompcov/pmparser.h
@@ -108,7 +108,6 @@ void pmparser_print(procmaps_struct *map, int order);
 
 procmaps_iterator *pmparser_parse(int pid) {
 
-  procmaps_iterator *maps_it = malloc(sizeof(procmaps_iterator));
   char               maps_path[500];
   if (pid >= 0) {
 
@@ -129,6 +128,7 @@ procmaps_iterator *pmparser_parse(int pid) {
 
   }
 
+  procmaps_iterator *maps_it = malloc(sizeof(procmaps_iterator));
   int  ind = 0;
   char buf[PROCMAPS_LINE_MAX_LENGTH];
   // int c;
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
deleted file mode 160000
index d66c9e26..00000000
--- a/qemu_mode/qemuafl
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit d66c9e2654efa8939f0fe6995d11a72b98a4da3e
diff --git a/src/afl-common.c b/src/afl-common.c
index 19c9419b..8cf1a444 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -342,7 +342,7 @@ u8 *find_binary(u8 *fname) {
     if (stat(target_path, &st) || !S_ISREG(st.st_mode) ||
         !(st.st_mode & 0111) || st.st_size < 4) {
 
-      free(target_path);
+      ck_free(target_path);
       FATAL("Program '%s' not found or not executable", fname);
 
     }
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index fe16bc46..596b733e 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -214,6 +214,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) {
 
     PyErr_Print();
     fprintf(stderr, "Failed to load \"%s\"\n", module_name);
+    free(py);
     return NULL;
 
   }
diff --git a/unicorn_mode/samples/persistent/simple_target_noncrashing.c b/unicorn_mode/samples/persistent/simple_target_noncrashing.c
index 00764473..9257643b 100644
--- a/unicorn_mode/samples/persistent/simple_target_noncrashing.c
+++ b/unicorn_mode/samples/persistent/simple_target_noncrashing.c
@@ -10,7 +10,7 @@
  * Written by Nathan Voss <njvoss99@gmail.com>
  * Adapted by Lukas Seidel <seidel.1@campus.tu-berlin.de>
  */
-
+#include <string.h>
 
 int main(int argc, char** argv) {
   if(argc < 2){
@@ -19,15 +19,19 @@ int main(int argc, char** argv) {
 
   char *data_buf = argv[1];
 
-  if len(data_buf < 20) {
-  if (data_buf[20] != 0) {
+  if (strlen(data_buf) >= 21 && data_buf[20] != 0) {
     printf("Not crashing");
-  } else if (data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) {
+  } else if (strlen(data_buf) > 1
+             && data_buf[0] > 0x10 && data_buf[0] < 0x20 && data_buf[1] > data_buf[2]) {
     printf("Also not crashing with databuf[0] == %c", data_buf[0])
-  } else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) {
+  }
+#if 0
+  // not possible with argv (zero terminated strings) (hexcoder-)
+  // do not try to access data_buf[10] and beyond
+  else if (data_buf[9] == 0x00 && data_buf[10] != 0x00 && data_buf[11] == 0x00) {
     // Cause a crash if data[10] is not zero, but [9] and [11] are zero
     unsigned char invalid_read = *(unsigned char *) 0x00000000;
   }
-
+#endif
   return 0;
 }
-- 
cgit 1.4.1


From 119d7d0025ad3234007c7fbed08b6b33b892e9a5 Mon Sep 17 00:00:00 2001
From: van Hauser <vh@thc.org>
Date: Fri, 13 Nov 2020 09:02:44 +0100
Subject: fix frida example debug output

---
 examples/afl_frida/afl-frida.c  | 5 +++--
 qemu_mode/libcompcov/pmparser.h | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

(limited to 'qemu_mode/libcompcov')

diff --git a/examples/afl_frida/afl-frida.c b/examples/afl_frida/afl-frida.c
index 79d823f1..31bf8f25 100644
--- a/examples/afl_frida/afl-frida.c
+++ b/examples/afl_frida/afl-frida.c
@@ -504,11 +504,12 @@ int main() {
     previous_pc = 0;  // Required!
 
 #ifdef _DEBUG
-    fprintf(stderr, "CLIENT crc: %016llx len: %u\n", hash64(__afl_fuzz_ptr, *__a
+    fprintf(stderr, "CLIENT crc: %016llx len: %u\n",
+            hash64(__afl_fuzz_ptr, *__afl_fuzz_len), *__afl_fuzz_len);
     fprintf(stderr, "RECV:");
     for (int i = 0; i < *__afl_fuzz_len; i++)
       fprintf(stderr, "%02x", __afl_fuzz_ptr[i]);
-    fprintf(stderr,"\n");
+    fprintf(stderr, "\n");
 #endif
 
     // STEP 3: ensure the minimum length is present and setup the target
diff --git a/qemu_mode/libcompcov/pmparser.h b/qemu_mode/libcompcov/pmparser.h
index 1a3d8834..0eb4fb1d 100644
--- a/qemu_mode/libcompcov/pmparser.h
+++ b/qemu_mode/libcompcov/pmparser.h
@@ -108,7 +108,7 @@ void pmparser_print(procmaps_struct *map, int order);
 
 procmaps_iterator *pmparser_parse(int pid) {
 
-  char               maps_path[500];
+  char maps_path[500];
   if (pid >= 0) {
 
     sprintf(maps_path, "/proc/%d/maps", pid);
@@ -129,8 +129,8 @@ procmaps_iterator *pmparser_parse(int pid) {
   }
 
   procmaps_iterator *maps_it = malloc(sizeof(procmaps_iterator));
-  int  ind = 0;
-  char buf[PROCMAPS_LINE_MAX_LENGTH];
+  int                ind = 0;
+  char               buf[PROCMAPS_LINE_MAX_LENGTH];
   // int c;
   procmaps_struct *list_maps = NULL;
   procmaps_struct *tmp;
-- 
cgit 1.4.1


From 64e46dcefc938f6a6f6263f66d231009bb8b245c Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi <andreafioraldi@gmail.com>
Date: Fri, 12 Feb 2021 22:07:17 +0100
Subject: remvoe libcompcov 32 bits warnings

---
 qemu_mode/libcompcov/libcompcov.so.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

(limited to 'qemu_mode/libcompcov')

diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c
index 23f465a4..4fc84e62 100644
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@@ -29,6 +29,8 @@
 #include <sys/types.h>
 #include <sys/shm.h>
 #include <stdbool.h>
+#include <stdint.h>
+#include <inttypes.h>
 
 #include "types.h"
 #include "config.h"
@@ -159,14 +161,15 @@ static void __compcov_load(void) {
 
 }
 
-static void __compcov_trace(u64 cur_loc, const u8 *v0, const u8 *v1, size_t n) {
+static void __compcov_trace(uintptr_t cur_loc, const u8 *v0, const u8 *v1,
+                            size_t n) {
 
   size_t i;
 
   if (debug_fd != 1) {
 
     char debugbuf[4096];
-    snprintf(debugbuf, sizeof(debugbuf), "0x%llx %s %s %zu\n", cur_loc,
+    snprintf(debugbuf, sizeof(debugbuf), "0x%" PRIxPTR " %s %s %zu\n", cur_loc,
              v0 == NULL ? "(null)" : (char *)v0,
              v1 == NULL ? "(null)" : (char *)v1, n);
     write(debug_fd, debugbuf, strlen(debugbuf));
@@ -206,7 +209,7 @@ int strcmp(const char *str1, const char *str2) {
 
     if (n <= MAX_CMP_LENGTH) {
 
-      u64 cur_loc = (u64)retaddr;
+      uintptr_t cur_loc = (uintptr_t)retaddr;
       cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
       cur_loc &= MAP_SIZE - 1;
 
@@ -235,7 +238,7 @@ int strncmp(const char *str1, const char *str2, size_t len) {
 
     if (n <= MAX_CMP_LENGTH) {
 
-      u64 cur_loc = (u64)retaddr;
+      uintptr_t cur_loc = (uintptr_t)retaddr;
       cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
       cur_loc &= MAP_SIZE - 1;
 
@@ -265,7 +268,7 @@ int strcasecmp(const char *str1, const char *str2) {
 
     if (n <= MAX_CMP_LENGTH) {
 
-      u64 cur_loc = (u64)retaddr;
+      uintptr_t cur_loc = (uintptr_t)retaddr;
       cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
       cur_loc &= MAP_SIZE - 1;
 
@@ -296,7 +299,7 @@ int strncasecmp(const char *str1, const char *str2, size_t len) {
 
     if (n <= MAX_CMP_LENGTH) {
 
-      u64 cur_loc = (u64)retaddr;
+      uintptr_t cur_loc = (uintptr_t)retaddr;
       cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
       cur_loc &= MAP_SIZE - 1;
 
@@ -324,7 +327,7 @@ int memcmp(const void *mem1, const void *mem2, size_t len) {
 
     if (n <= MAX_CMP_LENGTH) {
 
-      u64 cur_loc = (u64)retaddr;
+      uintptr_t cur_loc = (uintptr_t)retaddr;
       cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
       cur_loc &= MAP_SIZE - 1;
 
-- 
cgit 1.4.1