From 249cd2c7669f9dc9f49e96756b6683744213ee08 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Fri, 21 Feb 2020 17:51:38 +0100
Subject: fix oob flip_bit in mopt code

---
 src/afl-fuzz-one.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 18376556..078843f0 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -3714,7 +3714,7 @@ pacemaker_fuzzing:
 case 1:
 if (temp_len < 2) break;
- temp_len_puppet = UR(temp_len << 3);
+ temp_len_puppet = UR((temp_len << 3) -1);
 FLIP_BIT(out_buf, temp_len_puppet);
 FLIP_BIT(out_buf, temp_len_puppet + 1);
 MOpt_globals.cycles_v2[STAGE_FLIP2] += 1;
@@ -3722,7 +3722,7 @@ pacemaker_fuzzing:
 case 2:
 if (temp_len < 2) break;
- temp_len_puppet = UR(temp_len << 3);
+ temp_len_puppet = UR((temp_len << 3) -3);
 FLIP_BIT(out_buf, temp_len_puppet);
 FLIP_BIT(out_buf, temp_len_puppet + 1);
 FLIP_BIT(out_buf, temp_len_puppet + 2);
--
cgit 1.4.1
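Review bot: The new bound in the `case 1` hunk is only correct if UR(x) yields a value in [0, x), which is not visible here; assuming it does, the largest start is 8*temp_len-2 and the second flip at +1 lands on the last valid bit, so the two-bit flip no longer writes past out_buf. The preceding `if (temp_len < 2) break;` keeps `(temp_len << 3) - 1` at 15 or more, so the subtraction cannot underflow. The spacing does not match the rest of the line; the project's formatter would write it as `temp_len_puppet = UR((temp_len << 3) - 1);`. The enclosing switch and the function around it start and end outside the hunk.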
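Review bot: In the `case 2` hunk the subtraction is one larger than the three flips require: with flips at +0, +1 and +2 the highest in-bounds start is 8*temp_len-3, which `UR((temp_len << 3) - 2)` already covers, so `- 3` silently drops the last valid position rather than guarding a further flip. It is harmless for memory safety, but it narrows the mutation range for no reason, and a reader will assume it guards a fourth FLIP_BIT that is not there. If a following case performs four flips from the same `UR(temp_len << 3)` start (not visible in this patch), that one is where `- 3` belongs and it would still be out of bounds after this commit; please confirm against the rest of the switch. The enclosing function starts and ends outside the hunk.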