From c2229b506e045bba1864e8b2f8140c8dc6e83a4d Mon Sep 17 00:00:00 2001 From: mchesser Date: Mon, 7 Mar 2022 14:35:25 +1030 Subject: Fix off by one bounds check `is_hex` reads two bytes but caller previously only ensured that one byte was in bounds. --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 1e4b1b3c..66df5c6f 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -2136,7 +2136,7 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, if ((i % 2)) { - if (len > idx + i && is_hex(orig_buf + idx + i)) { + if (len > idx + i + 1 && is_hex(orig_buf + idx + i)) { fromhex += 2; -- cgit 1.4.1 From 2a00f32666a847b7babb160bb7c27db59cec9561 Mon Sep 17 00:00:00 2001 From: mchesser Date: Mon, 7 Mar 2022 14:39:36 +1030 Subject: Fix buffer overrun in `rtn_extended_encoding` `idx + i` can range from `0` to `buf.len`, but the memcpy may try and write to offsets from `idx + i` to `idx + 2 * i`. --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 66df5c6f..2f32ef1e 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -2323,7 +2323,7 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } // fprintf(stderr, "RTN ATTEMPT fromhex %u result %u\n", fromhex, // *status); - memcpy(buf + idx + i, save + i, i + 1 + off); + memcpy(buf + idx, save, i + 1 + off); } -- cgit 1.4.1