From a632c00b0d023b8a40d09839fbb2662da1cb5d37 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 12 Jun 2020 16:08:49 +0200
Subject: switch to faster and better hash + random
---
 src/afl-fuzz-redqueen.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'src/afl-fuzz-redqueen.c')
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 7621d180..7251550c 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -89,11 +89,11 @@ static struct range *pop_biggest_range(struct range **ranges) {
 }
-static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) {
+static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u64 *cksum) {
 if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; }
- *cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
+ *cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 return 0;
 }
@@ -109,7 +109,7 @@ static void rand_replace(afl_state_t *afl, u8 *buf, u32 len) {
 }
-static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
+static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) {
 struct range *ranges = add_range(NULL, 0, len);
 u8 * backup = ck_alloc_nozero(len);
@@ -137,7 +137,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
 memcpy(backup, buf + rng->start, s);
 rand_replace(afl, buf + rng->start, s);
- u32 cksum;
+ u64 cksum;
 u64 start_us = get_cur_time_us();
 if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) {
@@ -695,7 +695,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
 // afl->queue_cur->exec_cksum
 u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
- u32 exec_cksum) {
+ u64 exec_cksum) {
 u8 r = 1;
 if (afl->orig_cmp_map == NULL) {
-- cgit 1.4.1
From acb0a2f027c7dfcca05596ba316d56532f6dbd19 Mon Sep 17 00:00:00 2001
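Review bot: get_exec_checksum still has no comment saying what its return value and out-parameter mean, and the switch from hash32() to hash64() is the moment to pin that contract down. Proposed header comment above the function: `/* Execute buf against the target and store the 64-bit hash of the coverage map (afl->fsrv.trace_bits, afl->fsrv.map_size bytes) in *cksum. Returns 1 when common_fuzz_stuff() fails, leaving *cksum untouched; 0 otherwise. */`. The later hunks in this file compare that value against exec_cksum, so the two must stay the same width; the comment makes that coupling visible to the next person who touches either side.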
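Review bot: Widening the exec_cksum parameter of input_to_state_stage to u64 only helps if the value the caller passes is 64 bits too; the comment line above the signature says it comes from afl->queue_cur->exec_cksum, and neither that queue-entry field nor the header prototype is in this diff (the page is filtered to src/afl-fuzz-redqueen.c, so they may well be in the same commit). If the field stayed u32, the truncated value would presumably never equal the hash64() result that colorization computes, and every input-to-state run would silently take the checksum-failure path. Worth confirming the field, the prototype and the other call sites were changed together; a one-line comment on the parameter, `/* exec_cksum: hash64() of the coverage map for orig_buf, same width as get_exec_checksum() */`, would make the dependency explicit. input_to_state_stage's body continues past the hunk.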
From: Dominik Maier
Date: Mon, 15 Jun 2020 11:07:57 +0200
Subject: fixed potential bugs
---
 src/afl-fuzz-one.c | 16 ++++++++++------
 src/afl-fuzz-redqueen.c | 4 ++--
 2 files changed, 12 insertions(+), 8 deletions(-)
(limited to 'src/afl-fuzz-redqueen.c')
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index d4083c07..a247a837 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -3846,12 +3846,13 @@ pacemaker_fuzzing:
 is redundant, or if its entire span has no bytes set in the effector map. */
+ /* AFLpp: in puppet mode, eff_map is 0. */
 if ((afl->extras_cnt > MAX_DET_EXTRAS && rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || afl->extras[j].len > len - i || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) ||
- !memchr(eff_map + EFF_APOS(i), 1,
- EFF_SPAN_ALEN(i, afl->extras[j].len))) {
+ (eff_map && !memchr(eff_map + EFF_APOS(i), 1,
+ EFF_SPAN_ALEN(i, afl->extras[j].len)))) {
 afl->stage_max--;
 continue;
@@ -3954,11 +3955,12 @@ pacemaker_fuzzing:
 /* See the comment in the earlier code; afl->extras are sorted by
 * size. */
+ /* AFLpp: in puppet mode, eff_map is 0. */
 if (afl->a_extras[j].len > len - i || !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) ||
- !memchr(eff_map + EFF_APOS(i), 1,
- EFF_SPAN_ALEN(i, afl->a_extras[j].len))) {
+ (eff_map && !memchr(eff_map + EFF_APOS(i), 1,
+ EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) {
 afl->stage_max--;
 continue;
@@ -3984,13 +3986,15 @@ pacemaker_fuzzing:
 afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt;
 afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max;
- skip_extras_v2:
- new_hit_cnt = afl->queued_paths + afl->unique_crashes;
+ // AFLpp: Never read: skip_extras_v2:
+ // new_hit_cnt = afl->queued_paths + afl->unique_crashes;
 }
 }
+skip_extras_v2:
+ afl->stage_cur_byte = -1;
 /* The havoc stage mutation code is also invoked when splicing files; if the
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 7251550c..43850eb5 100644
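Review bot: The added comment `/* AFLpp: in puppet mode, eff_map is 0. */` explains why the guard exists but not what the new behaviour is: with eff_map NULL the `eff_map && ...` term is false, so the effector-map skip is disabled and every position is tried against every extra, a deliberate cost that should be stated next to the guard. Suggest `/* AFLpp: eff_map is NULL in puppet mode; the effector-map skip is then disabled and every position is tried. */` here and on the identical guard in the next hunk (the a_extras loop at line 3955). Both loops start and end outside their hunks, so whether eff_map is dereferenced anywhere else in this stage without such a guard cannot be checked from here and deserves a grep before merging.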
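Review bot: The removed label and assignment survive as commented-out code (`// AFLpp: Never read: skip_extras_v2:` and the line after it); commented-out code should be deleted outright, the commit message already records why the assignment went. The claim that new_hit_cnt is never read after that point cannot be verified from the hunk, since the variable stays in scope past it, so it is worth a second look before the lines are dropped. The new `afl->stage_cur_byte = -1;` after the relocated label is a behaviour change the commit message does not mention, presumably mirroring the non-puppet path; a short comment such as `/* reset before the havoc stage, like the deterministic path does -- confirm */` would make the intent reviewable. The old label was indented while the new one sits at column 0, which is a style inconsistency to settle one way or the other.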
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -180,7 +180,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) {
 while (ranges) {
 rng = ranges;
- ranges = ranges->next;
+ ranges = rng->next;
 ck_free(rng);
 rng = NULL;
@@ -224,7 +224,7 @@ checksum_fail:
 while (ranges) {
 rng = ranges;
- ranges = ranges->next;
+ ranges = rng->next;
 ck_free(rng);
 rng = NULL;
-- cgit 1.4.1
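Review bot: `ranges = rng->next;` is equivalent to the removed `ranges = ranges->next;`, because rng was assigned ranges on the line just before, so neither this hunk nor the one at checksum_fail changes behaviour despite the "fixed potential bugs" subject. The real weakness is that the same free loop is duplicated verbatim in both places, so any future fix has to be made twice; a small static helper removes that. Both loops are inside colorization, whose body starts and ends outside the hunks, so whether rng is read after the loop is not visible here; if it is, keep the trailing `rng = NULL;` at the call sites as shown.
```c
/* Free every node of a range list built by add_range(); the list must not be used afterwards. */
static void free_ranges(struct range *ranges) {

  while (ranges) {

    struct range *rng = ranges;
    ranges = rng->next;
    ck_free(rng);

  }

}

/* … in colorization(), replacing each copy of the loop (line 180 and after checksum_fail:) … */
  free_ranges(ranges);
  ranges = NULL;
  rng = NULL;
```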