From 609f3d02651381215815eeadb7a10999c2041ffe Mon Sep 17 00:00:00 2001
From: Dominik Maier <domenukk@gmail.com>
Date: Fri, 11 Dec 2020 13:29:45 +0100
Subject: fixed gcc analyzer warnings

---
 src/afl-as.c        |  5 +++++
 src/afl-common.c    | 24 ++++++++++++++++++++++--
 src/afl-fuzz-init.c | 18 +++++++++++++-----
 src/afl-fuzz-run.c  | 12 ++++++------
 4 files changed, 46 insertions(+), 13 deletions(-)

(limited to 'src')

diff --git a/src/afl-as.c b/src/afl-as.c
index 3d6f7d5e..2171bb58 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -131,6 +131,11 @@ static void edit_params(int argc, char **argv) {
   if (!tmp_dir) { tmp_dir = "/tmp"; }
 
   as_params = ck_alloc((argc + 32) * sizeof(u8 *));
+  if (unlikely((argc + 32) < argc || !as_params)) {
+
+    FATAL("Too many parameters passed to as");
+
+  }
 
   as_params[0] = afl_as ? afl_as : (u8 *)"as";
 
diff --git a/src/afl-common.c b/src/afl-common.c
index ed0b0e53..4df22394 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -108,6 +108,7 @@ char **argv_cpy_dup(int argc, char **argv) {
   int i = 0;
 
   char **ret = ck_alloc((argc + 1) * sizeof(char *));
+  if (unlikely(!ret)) { FATAL("Amount of arguments specified is too high"); }
 
   for (i = 0; i < argc; i++) {
 
@@ -130,6 +131,7 @@ void argv_cpy_free(char **argv) {
   while (argv[i]) {
 
     ck_free(argv[i]);
+    argv[i] = NULL;
     i++;
 
   }
@@ -142,8 +144,12 @@ void argv_cpy_free(char **argv) {
 
 char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
 
+  if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
+
+  u8 *tmp, *cp = NULL, *rsl, *own_copy;
+
   char **new_argv = ck_alloc(sizeof(char *) * (argc + 4));
-  u8 *   tmp, *cp = NULL, *rsl, *own_copy;
+  if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
 
   memcpy(&new_argv[3], &argv[1], (int)(sizeof(char *)) * (argc - 1));
   new_argv[argc + 3] = NULL;
@@ -224,8 +230,12 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
 
 char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
 
+  if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
+
+  u8 *tmp, *cp = NULL, *rsl, *own_copy;
+
   char **new_argv = ck_alloc(sizeof(char *) * (argc + 3));
-  u8 *   tmp, *cp = NULL, *rsl, *own_copy;
+  if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
 
   memcpy(&new_argv[2], &argv[1], (int)(sizeof(char *)) * (argc - 1));
   new_argv[argc + 2] = NULL;
@@ -335,6 +345,8 @@ u8 *find_binary(u8 *fname) {
 
   struct stat st;
 
+  if (unlikely(!fname)) { FATAL("No binary supplied"); }
+
   if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
 
     target_path = ck_strdup(fname);
@@ -356,6 +368,14 @@ u8 *find_binary(u8 *fname) {
       if (delim) {
 
         cur_elem = ck_alloc(delim - env_path + 1);
+        if (unlikely(!cur_elem)) {
+
+          FATAL(
+              "Unexpected overflow when processing ENV. This should never "
+              "happend.");
+
+        }
+
         memcpy(cur_elem, env_path, delim - env_path);
         delim++;
 
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 6707340b..0db3a111 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -772,10 +772,17 @@ void perform_dry_run(afl_state_t *afl) {
 
   while (q) {
 
-    u8 *use_mem;
+    u8  use_mem[MAX_FILE];
     u8  res;
     s32 fd;
 
+    if (unlikely(!q->len)) {
+
+      WARNF("Skipping 0-sized entry in queue (%s)", q->fname);
+      continue;
+
+    }
+
     u8 *fn = strrchr(q->fname, '/') + 1;
 
     ACTF("Attempting dry run with '%s'...", fn);
@@ -783,9 +790,8 @@ void perform_dry_run(afl_state_t *afl) {
     fd = open(q->fname, O_RDONLY);
     if (fd < 0) { PFATAL("Unable to open '%s'", q->fname); }
 
-    use_mem = ck_alloc_nozero(q->len);
-
-    if (read(fd, use_mem, q->len) != (ssize_t)q->len) {
+    u32 read_len = MIN(q->len, (u32)MAX_FILE);
+    if (read(fd, use_mem, read_len) != (ssize_t)read_len) {
 
       FATAL("Short read from '%s'", q->fname);
 
@@ -794,7 +800,6 @@ void perform_dry_run(afl_state_t *afl) {
     close(fd);
 
     res = calibrate_case(afl, q, use_mem, 0, 1);
-    ck_free(use_mem);
 
     if (afl->stop_soon) { return; }
 
@@ -2449,6 +2454,8 @@ void setup_testcase_shmem(afl_state_t *afl) {
 
 void check_binary(afl_state_t *afl, u8 *fname) {
 
+  if (unlikely(!fname)) { FATAL("BUG: Binary name is NULL"); }
+
   u8 *        env_path = 0;
   struct stat st;
 
@@ -2477,6 +2484,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
       if (delim) {
 
         cur_elem = ck_alloc(delim - env_path + 1);
+        if (unlikely(!cur_elem)) { FATAL("Unexpected large PATH"); }
         memcpy(cur_elem, env_path, delim - env_path);
         ++delim;
 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 5948d83a..b6603f1a 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -94,9 +94,9 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
 
   if (unlikely(afl->custom_mutators_count)) {
 
-    u8 *    new_buf = NULL;
     ssize_t new_size = len;
-    void *  new_mem = mem;
+    u8 *    new_mem = mem;
+    u8 *    new_buf = NULL;
 
     LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
 
@@ -152,13 +152,13 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
   if (unlikely(!mem_trimmed)) { PFATAL("alloc"); }
 
   ssize_t new_size = len - skip_len;
-  void *  new_mem = mem;
-  u8 *    new_buf = NULL;
+  u8 *    new_mem = mem;
 
   bool post_process_skipped = true;
 
   if (unlikely(afl->custom_mutators_count)) {
 
+    u8 *new_buf = NULL;
     new_mem = mem_trimmed;
 
     LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
@@ -207,7 +207,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
       // If we did post_processing, copy directly from the new_buf bufer
 
-      memcpy(afl->fsrv.shmem_fuzz, new_buf, new_size);
+      memcpy(afl->fsrv.shmem_fuzz, new_mem, new_size);
 
     }
 
@@ -265,7 +265,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
   if (!post_process_skipped) {
 
-    ck_write(fd, new_buf, new_size, afl->fsrv.out_file);
+    ck_write(fd, new_mem, new_size, afl->fsrv.out_file);
 
   } else {
 
-- 
cgit 1.4.1


From e4a113b953e0b746cffa47e24ad52f18733217bc Mon Sep 17 00:00:00 2001
From: hexcoder- <heiko@hexco.de>
Date: Sat, 12 Dec 2020 13:26:25 +0100
Subject: small fix in error handling

---
 src/afl-sharedmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index 3e671df5..fe641d0d 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -205,7 +205,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
     /* map the shared memory segment to the address space of the process */
     shm->cmp_map = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED,
                         shm->cmplog_g_shm_fd, 0);
-    if (shm->map == MAP_FAILED) {
+    if (shm->cmp_map == MAP_FAILED) {
 
       close(shm->cmplog_g_shm_fd);
       shm->cmplog_g_shm_fd = -1;
-- 
cgit 1.4.1


From fd30a4184a149cfd1f45ff6de94487dbdc6dea61 Mon Sep 17 00:00:00 2001
From: hexcoder- <heiko@hexco.de>
Date: Sat, 12 Dec 2020 16:37:23 +0100
Subject: typo

---
 src/afl-fuzz-run.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index b6603f1a..c8ad14c4 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -205,7 +205,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
     if (!post_process_skipped) {
 
-      // If we did post_processing, copy directly from the new_buf bufer
+      // If we did post_processing, copy directly from the new_mem buffer
 
       memcpy(afl->fsrv.shmem_fuzz, new_mem, new_size);
 
@@ -365,7 +365,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
     write_to_testcase(afl, use_mem, q->len);
 
     fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
-
+fprintf(stderr, "from fuzz_run_target() fault=%u\n", fault);
     /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
        we want to bail out quickly. */
 
-- 
cgit 1.4.1


From befb1a2f39b28dbc360d5a6937705c48768ec053 Mon Sep 17 00:00:00 2001
From: hexcoder- <heiko@hexco.de>
Date: Sat, 12 Dec 2020 16:40:13 +0100
Subject: remove stray debugging fprintf

---
 src/afl-fuzz-run.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index c8ad14c4..a97ceb89 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -365,7 +365,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
     write_to_testcase(afl, use_mem, q->len);
 
     fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
-fprintf(stderr, "from fuzz_run_target() fault=%u\n", fault);
+
     /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
        we want to bail out quickly. */
 
-- 
cgit 1.4.1


From 7382cf5f00c1ba5d926c12e3ed4ca0e14d761fcb Mon Sep 17 00:00:00 2001
From: hexcoder- <heiko@hexco.de>
Date: Sat, 12 Dec 2020 19:30:56 +0100
Subject: afl-as.c, fix compiler warnings (overflowing is UB)

---
 src/afl-as.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/afl-as.c b/src/afl-as.c
index 2171bb58..7de267a3 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -47,6 +47,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
+#include <limits.h>
 #include <ctype.h>
 #include <fcntl.h>
 
@@ -131,7 +132,7 @@ static void edit_params(int argc, char **argv) {
   if (!tmp_dir) { tmp_dir = "/tmp"; }
 
   as_params = ck_alloc((argc + 32) * sizeof(u8 *));
-  if (unlikely((argc + 32) < argc || !as_params)) {
+  if (unlikely((INT_MAX - 32) < argc || !as_params)) {
 
     FATAL("Too many parameters passed to as");
 
-- 
cgit 1.4.1


From e0ab846f7fd3e45bbf76e4ab82eef19d9aaf5494 Mon Sep 17 00:00:00 2001
From: van Hauser <vh@thc.org>
Date: Tue, 15 Dec 2020 09:37:52 +0100
Subject: v3.00c

---
 README.md        |  2 +-
 include/config.h |  2 +-
 src/afl-cc.c     | 26 ++++++++++++++++++++++++--
 3 files changed, 26 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/README.md b/README.md
index dc009def..68b64ce6 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 
   ![Travis State](https://api.travis-ci.com/AFLplusplus/AFLplusplus.svg?branch=stable)
 
-  Release Version: [2.68c](https://github.com/AFLplusplus/AFLplusplus/releases)
+  Release Version: [3.00c](https://github.com/AFLplusplus/AFLplusplus/releases)
 
   Github Version: 3.00a
 
diff --git a/include/config.h b/include/config.h
index 491d8132..93249ed9 100644
--- a/include/config.h
+++ b/include/config.h
@@ -28,7 +28,7 @@
 /* Version string: */
 
 // c = release, d = volatile github dev, e = experimental branch
-#define VERSION "++3.00a"
+#define VERSION "++3.00c"
 
 /******************************************************
  *                                                    *
diff --git a/src/afl-cc.c b/src/afl-cc.c
index c43ac2c1..2aeb2178 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -69,6 +69,7 @@ enum {
   INSTRUMENT_INSTRIM = 3,
   INSTRUMENT_CFG = 3,
   INSTRUMENT_LTO = 4,
+  INSTRUMENT_LLVMNATIVE = 5,
   INSTRUMENT_OPT_CTX = 8,
   INSTRUMENT_OPT_NGRAM = 16
 
@@ -76,8 +77,9 @@ enum {
 
 char instrument_mode_string[18][18] = {
 
-    "DEFAULT", "CLASSIC", "PCGUARD", "CFG", "LTO", "", "",      "", "CTX", "",
-    "",        "",        "",        "",    "",    "", "NGRAM", ""
+    "DEFAULT", "CLASSIC", "PCGUARD", "CFG", "LTO", "", "PCGUARD-NATIVE",
+    "",        "CTX",     "",        "",    "",    "", "",
+    "",        "",        "NGRAM",   ""
 
 };
 
@@ -580,6 +582,14 @@ static void edit_params(u32 argc, char **argv, char **envp) {
   #endif
 #endif
 
+      } else if (instrument_mode == INSTRUMENT_LLVMNATIVE) {
+
+#if LLVM_MAJOR >= 4
+        cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
+#else
+        FATAL("pcguard instrumentation requires llvm 4.0.1+");
+#endif
+
       } else {
 
         cc_params[cc_par_cnt++] = "-Xclang";
@@ -1162,6 +1172,18 @@ int main(int argc, char **argv, char **envp) {
 
       }
 
+      // this is a hidden option
+      if (strncasecmp(ptr, "llvmnative", strlen("llvmnative")) == 0 ||
+          strncasecmp(ptr, "llvm-native", strlen("llvm-native")) == 0) {
+
+        if (!instrument_mode || instrument_mode == INSTRUMENT_LLVMNATIVE)
+          instrument_mode = INSTRUMENT_LLVMNATIVE;
+        else
+          FATAL("main instrumentation mode already set with %s",
+                instrument_mode_string[instrument_mode]);
+
+      }
+
       if (strncasecmp(ptr, "cfg", strlen("cfg")) == 0 ||
           strncasecmp(ptr, "instrim", strlen("instrim")) == 0) {
 
-- 
cgit 1.4.1