From 5e10f660e80abab73b334322bdea29a28d43bf53 Mon Sep 17 00:00:00 2001
From: h1994st
Date: Sat, 18 Jul 2020 02:16:04 -0400
Subject: Allow the fuzzer to write empty buffer (i.e., len == 0) to the file
---
 src/afl-fuzz-run.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 2a1664e2..f1da9c65 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -109,7 +109,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
 });
- if (unlikely(!new_buf && (new_size <= 0))) {
+ if (unlikely(!new_buf && (new_size < 0))) {
 FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size);
--
cgit 1.4.1
From 67d2e6319bed90c06cf54b5d9a7a4bae51df317d Mon Sep 17 00:00:00 2001
From: h1994st
Date: Sat, 18 Jul 2020 23:20:32 -0400
Subject: Skip the empty test case generated by the custom trimming
---
 src/afl-fuzz-mutators.c | 11 +++++++++++
 src/afl-fuzz-run.c | 2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 9fc77ffe..f6b36843 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -286,6 +286,15 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
 "Trimmed data returned by custom mutator is larger than original "
 "data");
+ } else if (unlikely(retlen == 0)) {
+
+ /* Do not run the empty test case on the target. To keep the custom trimming function running, we simply treat the empty test case as an unsuccessful trimming and skip it, instead of aborting the trimming. */
+
+ ++afl->trim_execs;
+ goto unsuccessful_trimming;
+
 }
 write_to_testcase(afl, retbuf, retlen);
@@ -325,6 +334,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
 } else {
+unsuccessful_trimming:
+
 /* Tell the custom mutator that the trimming was unsuccessful */
 afl->stage_cur = mutator->afl_custom_post_trim(mutator->data, 0);
 if (unlikely(afl->stage_cur < 0)) {
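Review bot: Relaxing the check to `new_size < 0` lets a post-processor return size 0 while `new_buf` is still NULL, so the code after the loop in write_to_testcase (outside the hunk) must now tolerate a NULL buffer paired with a zero length instead of treating a missing buffer as an error; that downstream path is not visible here, so please confirm nothing dereferences or copies from the NULL pointer. The FATAL on the next line also prints a negative size through `(long unsigned)new_size` with `%lu`, which shows a wrapped value; since `< 0` implies `new_size` is signed, `FATAL("Custom_post_process failed (ret: %ld)", (long)new_size);` would print the real return code. A one-line comment would record the new contract: `/* size 0 with no buffer is an empty but valid result; only a negative size is an error */`.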
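Review bot: `goto unsuccessful_trimming;` in the new `retlen == 0` branch jumps into the body of an `else` block that belongs to a different if/else further down (the label added by the second hunk of this file, at @@ -325), and jumping into a nested block from outside it is legal C but fragile once that block is edited; a flag such as `u8 skip_empty = 0;` set to 1 in this branch and tested together with the existing success condition would keep the control flow structured. `++afl->trim_execs` is also incremented for a test case that is never run on the target; if trim_execs feeds the stats or an execution budget, this counts an execution that did not happen, so either drop the increment or extend the comment to say why it is counted. trim_case_custom begins before the first hunk and the condition whose `else` holds the label sits between the two hunks, so the exact test to combine a flag with is not visible here.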
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index f1da9c65..2a1664e2 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -109,7 +109,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
 });
- if (unlikely(!new_buf && (new_size < 0))) {
+ if (unlikely(!new_buf && (new_size <= 0))) {
 FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size);
--
cgit 1.4.1
From 6c163910eec79058bdaf3a358e75d579da1f9112 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Mon, 20 Jul 2020 12:08:31 +0200
Subject: debug test for rng
---
 src/afl-fuzz-mutators.c | 2 +-
 src/afl-fuzz.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index f6b36843..0fb34ab7 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -334,7 +334,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
 } else {
-unsuccessful_trimming:
+ unsuccessful_trimming:
 /* Tell the custom mutator that the trimming was unsuccessful */
 afl->stage_cur = mutator->afl_custom_post_trim(mutator->data, 0);
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 872ed9ae..df2896d2 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1048,6 +1048,12 @@ int main(int argc, char **argv_orig, char **envp) {
 }
+ #ifdef RAND_TEST_VALUES
+ u32 counter;
+ for (counter = 0; counter < 100000; counter++)
+ printf("DEBUG: rand %06d is %u\n", counter, rand_below(afl, 65536));
+ #endif
+
 setup_custom_mutators(afl);
 setup_cmdline_file(afl, argv + optind);
--
cgit 1.4.1
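Review bot: Restoring `new_size <= 0` makes a zero-length result without a buffer fatal again, while the afl-fuzz-mutators.c hunk in the same commit deliberately treats an empty trimming result as a non-fatal skip, so the two paths now apply different policies to an empty output and the check needs a comment stating which convention post-processors must follow, e.g. `/* A post-processor must return a buffer; a size of 0 or less without one is a failure, not an empty test case. */`. Because this exactly undoes commit 5e10f660 earlier on this page, a note on why 0 is back to being an error would save the next reader from flipping it again. The FATAL on the next line still prints a negative `new_size` through `(long unsigned)` with `%lu`, which shows a wrapped value; `%ld` with `(long)new_size` would print the actual return code. write_to_testcase continues outside the hunk.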
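Review bot: `%06d` is paired with `counter`, which is declared `u32` (by its name an unsigned 32-bit type), so the specifier and the argument disagree and `-Wformat` will warn; the loop variable is also declared one line ahead of the only loop that uses it. I would collapse it to `for (u32 counter = 0; counter < 100000; counter++)` followed by `printf("DEBUG: rand %06u is %u\n", counter, rand_below(afl, 65536));`, which assumes rand_below returns an unsigned 32-bit value as the existing `%u` already implies. A one-line comment above the `#ifdef`, such as `/* Debug aid: dump 100000 RNG samples to stdout; compiled in only with -DRAND_TEST_VALUES */`, would tell readers the block is absent from a normal build. main() begins and ends outside the hunk.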