From 4898db80cb7539a06e234c65aaaac85883209e38 Mon Sep 17 00:00:00 2001
From: rish9101
Date: Mon, 20 Jul 2020 01:12:28 +0530
Subject: Add post-process functionality in write_with_gap

---
 src/afl-fuzz-run.c | 61 +++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 51 insertions(+), 10 deletions(-)
(limited to 'src')

diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 2a1664e2..f8317863 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -142,18 +142,58 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
   s32 fd = afl->fsrv.out_fd;
   u32 tail_len = len - skip_at - skip_len;
 
+  /* We first copy the mem into a new memory region removing the gaps
+     and then carry out any post-processing work on them. Then copy them out to
+     shared-mem or write to file */
+
+  void *mem_trimmed =
+      ck_alloc(skip_at + tail_len +
+               1); // 1 extra size allocated to remove chance of overflow
+
+  if (skip_at) { memcpy(mem_trimmed, mem, skip_at); }
+
+  if (tail_len) {
+
+    memcpy(mem_trimmed + skip_at, (u8 *)mem + skip_at + skip_len, tail_len);
+
+  }
+
+  ssize_t new_size = skip_at + tail_len;
+  void * new_mem = mem_trimmed;
+  u8 * new_buf = NULL;
+
+  if (unlikely(afl->custom_mutators_count)) {
+
+    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
+
+      if (el->afl_custom_post_process) {
+
+        new_size =
+            el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf);
+
+      }
+
+      new_mem = new_buf;
+
+    });
+
+  }
+
   if (afl->fsrv.shmem_fuzz) {
 
-    if (skip_at) { memcpy(afl->fsrv.shmem_fuzz, mem, skip_at); }
+    if ((new_buf)) {
+
+      memcpy(afl->fsrv.shmem_fuzz, new_buf, new_size);
+
+    }
 
-    if (tail_len) {
+    else {
 
-      memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8 *)mem + skip_at + skip_len,
-             tail_len);
+      memcpy(afl->fsrv.shmem_fuzz, mem_trimmed, new_size);
 
     }
 
-    *afl->fsrv.shmem_fuzz_len = len - skip_len;
+    *afl->fsrv.shmem_fuzz_len = new_size;
 
 #ifdef _DEBUG
     if (afl->debug) {
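Review bot: `mem_trimmed` comes from `ck_alloc()` at the top of the hunk, but no `ck_free()` appears in this hunk or in the file-write hunk of the same commit, so every call to write_with_gap leaks one copy of the trimmed test case, and trimming calls this function in a loop. The value returned by `el->afl_custom_post_process` is stored unchecked into `new_size` and then used as the `memcpy` length and as `*afl->fsrv.shmem_fuzz_len`; a hook reporting failure with a negative `ssize_t` turns into a huge `size_t` at the `memcpy`, and a NULL `new_buf` paired with a positive size is not rejected either. Unless the hook contract is bounded elsewhere, nothing here checks that `new_size` fits the shared-memory fuzz buffer when a hook returns a larger buffer than the input. Directly after the call add `if (unlikely(!new_buf || new_size <= 0)) { FATAL("custom post_process failed"); }`, and free `mem_trimmed` on every exit path; write_with_gap continues outside the hunk, so that free belongs after the file-write branch at the end of the function.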
@@ -197,18 +237,19 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
 
     }
 
-    if (skip_at) { ck_write(fd, mem, skip_at, afl->fsrv.out_file); }
+    if (new_buf) {
 
-    u8 *memu8 = mem;
-    if (tail_len) {
+      ck_write(fd, new_buf, new_size, afl->fsrv.out_file);
+
+    } else {
 
-      ck_write(fd, memu8 + skip_at + skip_len, tail_len, afl->fsrv.out_file);
+      ck_write(fd, mem_trimmed, new_size, afl->fsrv.out_file);
 
     }
 
     if (!afl->fsrv.out_file) {
 
-      if (ftruncate(fd, len - skip_len)) { PFATAL("ftruncate() failed"); }
+      if (ftruncate(fd, new_size)) { PFATAL("ftruncate() failed"); }
       lseek(fd, 0, SEEK_SET);
 
     } else {
-- cgit 1.4.1

From 2fa31dab60e76ee1a4b77d2d98d58e0e35455880 Mon Sep 17 00:00:00 2001
From: rish9101
Date: Thu, 23 Jul 2020 23:48:26 +0530
Subject: Remove reduntant copying from write_with_gap function

---
 src/afl-fuzz-run.c | 66 +++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 46 insertions(+), 20 deletions(-)
(limited to 'src')

diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index f8317863..7d68083d 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -142,35 +142,55 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
   s32 fd = afl->fsrv.out_fd;
   u32 tail_len = len - skip_at - skip_len;
 
-  /* We first copy the mem into a new memory region removing the gaps
-     and then carry out any post-processing work on them. Then copy them out to
-     shared-mem or write to file */
-
-  void *mem_trimmed =
-      ck_alloc(skip_at + tail_len +
-               1); // 1 extra size allocated to remove chance of overflow
-
-  if (skip_at) { memcpy(mem_trimmed, mem, skip_at); }
-
-  if (tail_len) {
-
-    memcpy(mem_trimmed + skip_at, (u8 *)mem + skip_at + skip_len, tail_len);
-
-  }
+  /*
+  This memory is used to carry out the post_processing(if present) after copying
+  the testcase by removing the gaps
+  */
+  u8 mem_trimmed[skip_at + tail_len +
+                 1]; // 1 extra size to remove chance of overflow
 
   ssize_t new_size = skip_at + tail_len;
-  void * new_mem = mem_trimmed;
+  void * new_mem = mem;
   u8 * new_buf = NULL;
+  bool post_process_skipped = true;
+
 
   if (unlikely(afl->custom_mutators_count)) {
 
+    new_mem = mem_trimmed;
+
     LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
 
       if (el->afl_custom_post_process) {
 
+        // We copy into the mem_trimmed only if we actually have custom mutators
+        // *with* post_processing installed
+
+        if (post_process_skipped) {
+
+          if (skip_at) { memcpy(mem_trimmed, (u8 *)mem, skip_at); }
+
+          if (tail_len) {
+
+            memcpy(mem_trimmed + skip_at, (u8 *)mem + skip_at + skip_len,
+                   tail_len);
+
+          }
+
+          post_process_skipped = false;
+
+        }
+
         new_size =
             el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf);
 
+        if (unlikely(!new_buf && (new_size <= 0))) {
+
+          FATAL("Custom_post_process failed (ret: %lu)",
+                (long unsigned)new_size);
+
+        }
+
       }
 
       new_mem = new_buf;
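Review bot: `u8 mem_trimmed[skip_at + tail_len + 1]` is a variable-length array on the stack sized by the test case, so every call to write_with_gap reserves that much stack even when `afl->custom_mutators_count` is zero and the array is never written; for a large input that is stack exhaustion and a crash of the fuzzer rather than a clean failure, and a heap or reusable scratch buffer grown on demand is the safer choice. Separately, the new check `if (unlikely(!new_buf && (new_size <= 0)))` fires only when both conditions hold, so a hook returning a NULL buffer with a positive size, or a non-NULL buffer with size 0, passes through to the later copy of `new_size` bytes from `new_buf`; `||` is the operator the intent calls for. The hunk ends inside the LIST_FOREACH body, and the rest of write_with_gap is outside it.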
@@ -181,7 +201,9 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
 
   if (afl->fsrv.shmem_fuzz) {
 
-    if ((new_buf)) {
+    if (!post_process_skipped) {
+
+      // If we did post_processing, copy directly from the new_buf bufer
 
       memcpy(afl->fsrv.shmem_fuzz, new_buf, new_size);
 
@@ -189,7 +211,9 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
 
     else {
 
-      memcpy(afl->fsrv.shmem_fuzz, mem_trimmed, new_size);
+      memcpy(afl->fsrv.shmem_fuzz, mem, skip_at);
+
+      memcpy(afl->fsrv.shmem_fuzz, mem + skip_at + skip_len, tail_len);
 
     }
 
@@ -237,13 +261,15 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
 
     }
 
-    if (new_buf) {
+    if (!post_process_skipped) {
 
       ck_write(fd, new_buf, new_size, afl->fsrv.out_file);
 
     } else {
 
-      ck_write(fd, mem_trimmed, new_size, afl->fsrv.out_file);
+      ck_write(fd, mem, skip_at, afl->fsrv.out_file);
+
+      ck_write(fd, mem + skip_at + skip_len, tail_len, afl->fsrv.out_file);
 
     }
 
-- cgit 1.4.1

From 565da10a8f46e9910ac5edecb1c5e68ee8c66b0d Mon Sep 17 00:00:00 2001
From: Rishi Ranjan
Date: Wed, 29 Jul 2020 01:05:05 +0530
Subject: Minor change to write_with_gap

---
 src/afl-fuzz-run.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src')

diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 7d68083d..e4ddab1b 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -144,12 +144,12 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
 
   /*
   This memory is used to carry out the post_processing(if present) after copying
-  the testcase by removing the gaps
+  the testcase by removing the gaps. This can break though
   */
-  u8 mem_trimmed[skip_at + tail_len +
+  u8 mem_trimmed[len - skip_len +
                  1]; // 1 extra size to remove chance of overflow
 
-  ssize_t new_size = skip_at + tail_len;
+  ssize_t new_size = len - skip_len;
   void * new_mem = mem;
   u8 * new_buf = NULL;
-- cgit 1.4.1

From 35a448ee921158c586177ff8fe0cd82da4345f68 Mon Sep 17 00:00:00 2001
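Review bot: The new comment `// If we did post_processing, copy directly from the new_buf bufer` misspells "buffer", and it would help more if it named what the buffer holds, e.g. `// post_process ran: new_buf holds the gap-free, post-processed test case`. The shared-memory branch this sits in continues in the next hunk, and write_with_gap extends beyond both.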
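Review bot: The second `memcpy` in the else branch writes the tail at offset 0 of `afl->fsrv.shmem_fuzz`, on top of the `skip_at` bytes the first `memcpy` just placed there, so whenever both `skip_at` and `tail_len` are non-zero the target is executed on a corrupted buffer (tail, then stale bytes) instead of the input with the gap removed. That silently skews trimming, because each trim step is judged by the target's behaviour on exactly this buffer, and the file-write branch later in the same commit does write head then tail in sequence, so the two delivery paths disagree. `mem` is also `void *`, so `mem + skip_at + skip_len` relies on a compiler extension where the replaced code used a cast. The line should read `memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8 *)mem + skip_at + skip_len, tail_len);`.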
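Review bot: The else branch now calls `ck_write(fd, mem, skip_at, ...)` and `ck_write(fd, mem + skip_at + skip_len, tail_len, ...)` unconditionally, where the code it replaces in the first commit of this series wrote each part only when its length was non-zero; trimming at the very start (`skip_at == 0`) or end (`tail_len == 0`) of an input therefore now issues a zero-length write on every such step. Whether `ck_write` accepts a zero length is not visible here, so the guards should return unless the macro is confirmed to tolerate it: `if (skip_at) { ck_write(fd, mem, skip_at, afl->fsrv.out_file); }` and likewise for `tail_len`. As in the shared-memory branch, the pointer arithmetic is on `void *`; the `(u8 *)mem` cast the file used before keeps it standard C. write_with_gap continues outside the hunk.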
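Review bot: The amended comment `the testcase by removing the gaps. This can break though` leaves the reader to guess what breaks; the line below sizes a stack array by `len - skip_len`, so presumably the concern is stack exhaustion on large inputs, and the comment should say that and name the limit the caller is expected to enforce. Suggested wording: `/* Scratch copy of the test case with the gap removed, filled only when a custom post_process hook exists. NOTE: stack VLA sized by the input; large inputs can exhaust the stack. */`.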
From: van Hauser
Date: Thu, 30 Jul 2020 09:20:22 +0200
Subject: enhance for custom trim buffer

---
 src/afl-fuzz-run.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 01963f8f..691d32f8 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -134,6 +134,8 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
 
 }
 
+#define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size
+
 /* The same, but with an adjustable gap. Used for trimming. */
 
 static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
@@ -146,8 +148,7 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
   This memory is used to carry out the post_processing(if present) after copying
   the testcase by removing the gaps. This can break though
   */
-  u8 mem_trimmed[len - skip_len +
-                 1]; // 1 extra size to remove chance of overflow
+  u8 *mem_trimmed = ck_maybe_grow(BUF_PARAMS(out_scratch), len - skip_len + 1);
 
   ssize_t new_size = len - skip_len;
   void * new_mem = mem;
@@ -286,6 +287,8 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
 
 }
 
+#undef BUF_PARAMS
+
 /* Calibrate a new test case. This is done when processing the input directory
    to warn about flaky or otherwise problematic test cases early on; and when
    new paths are discovered to detect variable behavior and so on. */
-- cgit 1.4.1

From fc401f1acc61b73f328a16ac10bed268134c495e Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 30 Jul 2020 11:51:13 +0200
Subject: fix post process check

---
 src/afl-fuzz-run.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 691d32f8..44d3c522 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
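Review bot: The comment kept as context above the new `u8 *mem_trimmed = ck_maybe_grow(BUF_PARAMS(out_scratch), len - skip_len + 1);` still ends with `This can break though`, a remark about the stack VLA this hunk removes, so it is now stale and should describe the new arrangement: `/* mem_trimmed points into afl->out_scratch_buf, grown on demand; it receives the test case with the gap removed only when a custom post_process hook is installed. */`. Since that buffer now outlives the call, a hook that is handed `new_mem` presumably must not keep the pointer across calls, which is worth stating in the custom-mutator documentation if it is not already. The `BUF_PARAMS` macro introduced in the first hunk of this commit silently depends on a local named `afl`, and its `#undef` sits at the end of write_with_gap in the third hunk; a one-line comment at the definition saying both would spare readers the search. write_with_gap's body lies outside the hunk.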
@@ -185,7 +185,7 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
         new_size =
             el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf);
 
-        if (unlikely(!new_buf && (new_size <= 0))) {
+        if (unlikely(!new_buf || (new_size <= 0))) {
 
           FATAL("Custom_post_process failed (ret: %lu)",
                 (long unsigned)new_size);
-- cgit 1.4.1
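Review bot: The `FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size)` that now fires on a negative `ssize_t` return prints it as a large unsigned number and hides the code the hook reported; `FATAL("Custom_post_process failed (ret: %ld)", (long)new_size);` keeps the sign. With `||` a hook returning size 0 is fatal as well, so if a zero-length result is a legitimate "skip this input" outcome under the custom-mutator contract (not visible here) it needs a non-fatal path instead of aborting the fuzzer. The LIST_FOREACH body and write_with_gap extend beyond the hunk.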