more custom mutator remodelling
diff --git a/examples/custom_mutators/custom_mutator_helpers.h b/examples/custom_mutators/custom_mutator_helpers.h
index cd3a15f..0dc00d9 100644
--- a/examples/custom_mutators/custom_mutator_helpers.h
+++ b/examples/custom_mutators/custom_mutator_helpers.h
@@ -5,8 +5,18 @@
#include "types.h"
#include <stdlib.h>
+#define INITIAL_GROWTH_SIZE (64)
+
#define RAND_BELOW(limit) (rand() % (limit))
+/* Use in a struct: creates a name_buf and a name_size variable. */
+#define BUF_VAR(type, name) \
+ type * name##_buf; \
+ size_t name##_size;
+/* this filles in `&structptr->something_buf, &structptr->something_size`. */
+#define BUF_PARAMS(struct, name) \
+ (void **)&struct->name##_buf, &struct->name##_size
+
typedef struct {
} afl_t;
@@ -267,5 +277,56 @@
}
+/* This function makes sure *size is > size_needed after call.
+ It changes buf and size in-place, if needed.
+ It will realloc *buf otherwise.
+ *size will grow exponentially as per:
+ https://blog.mozilla.org/nnethercote/2014/11/04/please-grow-your-buffers-exponentially/
+ Will return NULL if size_needed is <1 or *size is negative or malloc Failed.
+ @return For convenience, this function returns *buf. NULL on error.
+ */
+static inline void *maybe_grow(void **buf, size_t *size, size_t size_needed) {
+
+ /* Oops. found a bug? */
+ if (unlikely(size_needed < 1)) return NULL;
+
+ /* No need to realloc */
+ if (likely(*size >= size_needed)) return *buf;
+ if (unlikely(*size < 0)) return NULL;
+ /* No inital size was set */
+ if (*size == 0) *size = INITIAL_GROWTH_SIZE;
+ while (*size < size_needed) {
+
+ *size *= 2;
+ if ((*size) < 0) {
+
+ /* An overflow occurred. Fall back to size_needed */
+ *size = size_needed;
+
+ }
+
+ }
+
+ *buf = realloc(*buf, *size);
+
+ return *buf;
+
+}
+
+/* Swaps buf1 ptr and buf2 ptr, as well as their sizes */
+static inline void swap_bufs(void **buf1, size_t *size1, void **buf2,
+ size_t *size2) {
+
+ void * scratch_buf = *buf1;
+ size_t scratch_size = *size1;
+ *buf1 = *buf2;
+ *size1 = *size2;
+ *buf2 = scratch_buf;
+ *size2 = scratch_size;
+
+}
+
+#undef INITIAL_GROWTH_SIZE
+
#endif
diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c
index 4b0a461..54fc9d4 100644
--- a/examples/custom_mutators/example.c
+++ b/examples/custom_mutators/example.c
@@ -15,7 +15,6 @@
#include <stdio.h>
#define DATA_SIZE (100)
-#define INITIAL_BUF_SIZE (16384)
static const char *commands[] = {
@@ -28,9 +27,19 @@
typedef struct my_mutator {
afl_t *afl;
+
// any additional data here!
- size_t pre_save_size;
- u8 * pre_save_buf;
+ uint8_t *trim_buf;
+ size_t trim_buf_size;
+ int trimmming_steps;
+ int cur_step;
+
+ // Reused buffers:
+ BUF_VAR(u8, fuzz);
+ BUF_VAR(u8, data);
+ BUF_VAR(u8, havoc);
+ BUF_VAR(u8, trim_out);
+ BUF_VAR(u8, pre_save);
} my_mutator_t;
@@ -59,16 +68,6 @@
data->afl = afl;
- data->pre_save_buf = malloc(INITIAL_BUF_SIZE);
- if (!data->pre_save_buf) {
-
- free(data);
- return NULL;
-
- }
-
- data->pre_save_size = INITIAL_BUF_SIZE;
-
return data;
}
@@ -85,20 +84,25 @@
* @param[in] add_buf_size Size of the additional test case
* @param[in] max_size Maximum size of the mutated output. The mutation must not
* produce data larger than max_size.
- * @return Size of the mutated output.
+ * @return Size of the mutated output. Negative return will abort fuzzing.
*/
-size_t afl_custom_fuzz(my_mutator_t *data, uint8_t **buf, size_t buf_size,
- uint8_t *add_buf,
- size_t add_buf_size, // add_buf can be NULL
- size_t max_size) {
+size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
+ u8 **out_buf, uint8_t *add_buf,
+ size_t add_buf_size, // add_buf can be NULL
+ size_t max_size) {
// Make sure that the packet size does not exceed the maximum size expected by
// the fuzzer
size_t mutated_size = DATA_SIZE <= max_size ? DATA_SIZE : max_size;
- if (mutated_size > buf_size) *buf = realloc(*buf, mutated_size);
+ // maybe_grow is optimized to be quick for reused buffers.
+ u8 *mutated_out = maybe_grow(BUF_PARAMS(data, fuzz), mutated_size);
+ if (!mutated_out) {
- uint8_t *mutated_out = *buf;
+ perror("custom mutator allocation (maybe_grow)");
+ return -1; /* afl-fuzz will very likely error out after this. */
+
+ }
// Randomly select a command string to add as a header to the packet
memcpy(mutated_out, commands[rand() % 3], 3);
@@ -112,6 +116,7 @@
}
+ *out_buf = mutated_out;
return mutated_size;
}
@@ -137,11 +142,10 @@
if (data->pre_save_size < buf_size + 5) {
- data->pre_save_buf = realloc(data->pre_save_buf, buf_size + 5);
+ data->pre_save_buf = maybe_grow(BUF_PARAMS(data, pre_save), buf_size + 5);
if (!data->pre_save_buf) {
- perror("custom mutator realloc");
- free(data);
+ perror("custom mutator realloc failed.");
return -1;
}
@@ -164,11 +168,6 @@
}
-static uint8_t *trim_buf;
-static size_t trim_buf_size;
-static int trimmming_steps;
-static int cur_step;
-
/**
* This method is called at the start of each trimming operation and receives
* the initial buffer. It should return the amount of iteration steps possible
@@ -193,20 +192,20 @@
int afl_custom_init_trim(my_mutator_t *data, uint8_t *buf, size_t buf_size) {
// We simply trim once
- trimmming_steps = 1;
+ data->trimmming_steps = 1;
- cur_step = 0;
- trim_buf = buf;
- trim_buf_size = buf_size;
+ data->cur_step = 0;
+ data->trim_buf = buf;
+ data->trim_buf_size = buf_size;
- return trimmming_steps;
+ return data->trimmming_steps;
}
/**
* This method is called for each trimming operation. It doesn't have any
* arguments because we already have the initial buffer from init_trim and we
- * can memorize the current state in global variables. This can also save
+ * can memorize the current state in *data. This can also save
* reparsing steps for each iteration. It should return the trimmed input
* buffer, where the returned data must not exceed the initial input data in
* length. Returning anything that is larger than the original data (passed
@@ -216,19 +215,18 @@
*
* @param[in] data pointer returned in afl_custom_init for this fuzz case
* @param[out] out_buf Pointer to the buffer containing the trimmed test case.
- * External library should allocate memory for out_buf. AFL++ will release
- * the memory after saving the test case.
- * @param[out] out_buf_size Pointer to the size of the trimmed test case
+ * External library should allocate memory for out_buf.
+ * AFL++ will not release the memory after saving the test case.
+ * Keep a ref in *data.
+ * @return Pointer to the size of the trimmed test case
*/
-void afl_custom_trim(my_mutator_t *data, uint8_t **out_buf,
- size_t *out_buf_size) {
+size_t afl_custom_trim(my_mutator_t *data, uint8_t **out_buf) {
- *out_buf_size = trim_buf_size - 1;
+ size_t ret = data->trim_buf_size - 1;
- // External mutator should allocate memory for `out_buf`
- *out_buf = malloc(*out_buf_size);
+ *out_buf = maybe_grow(BUF_PARAMS(data, trim_out), ret);
// Remove the last byte of the trimming input
- memcpy(*out_buf, trim_buf, *out_buf_size);
+ memcpy(*out_buf, data->trim_buf, ret);
}
@@ -248,12 +246,12 @@
if (success) {
- ++cur_step;
- return cur_step;
+ ++data->cur_step;
+ return data->cur_step;
}
- return trimmming_steps;
+ return data->trimmming_steps;
}
@@ -264,26 +262,33 @@
* (Optional)
*
* @param[in] data pointer returned in afl_custom_init for this fuzz case
- * @param[inout] buf Pointer to the input data to be mutated and the mutated
+ * @param[in] buf Pointer to the input data to be mutated and the mutated
* output
* @param[in] buf_size Size of input data
+ * @param[out] out_buf The output buffer. buf can be reused, if the content
+ * fits.
* @param[in] max_size Maximum size of the mutated output. The mutation must
* not produce data larger than max_size.
* @return Size of the mutated output.
*/
-size_t afl_custom_havoc_mutation(my_mutator_t *data, uint8_t **buf,
- size_t buf_size, size_t max_size) {
+size_t afl_custom_havoc_mutation(my_mutator_t *data, u8 *buf, size_t buf_size,
+ u8 **out_buf, size_t max_size) {
if (buf_size == 0) {
- *buf = realloc(*buf, 1);
- **buf = rand() % 256;
+ *out_buf = maybe_grow(BUF_PARAMS(data, havoc), 1);
+ **out_buf = rand() % 256;
buf_size = 1;
+ } else {
+
+ // We reuse buf here. It's legal and faster.
+ *out_buf = buf;
+
}
size_t victim = rand() % buf_size;
- (*buf)[victim] += rand() % 10;
+ (*out_buf)[victim] += rand() % 10;
return buf_size;
@@ -346,6 +351,10 @@
void afl_custom_deinit(my_mutator_t *data) {
free(data->pre_save_buf);
+ free(data->havoc_buf);
+ free(data->data_buf);
+ free(data->fuzz_buf);
+ free(data->trim_out_buf);
free(data);
}
diff --git a/examples/post_library/post_library.so.c b/examples/post_library/post_library.so.c
index 5d2685c..735aae9 100644
--- a/examples/post_library/post_library.so.c
+++ b/examples/post_library/post_library.so.c
@@ -3,6 +3,7 @@
--------------------------------------------------
Originally written by Michal Zalewski
+ Edited by Dominik Maier, 2020
Copyright 2015 Google Inc. All rights reserved.
@@ -41,22 +42,23 @@
AFL will call the afl_postprocess() function for every mutated output buffer.
From there, you have three choices:
- 1) If you don't want to modify the test case, simply return the original
- buffer pointer ('in_buf').
+ 1) If you don't want to modify the test case, simply set `*out_buf = in_buf`
+ and return the original `len`.
2) If you want to skip this test case altogether and have AFL generate a
- new one, return NULL. Use this sparingly - it's faster than running
- the target program with patently useless inputs, but still wastes CPU
- time.
+ new one, return 0 or set `*out_buf = NULL`.
+ Use this sparingly - it's faster than running the target program
+ with patently useless inputs, but still wastes CPU time.
3) If you want to modify the test case, allocate an appropriately-sized
buffer, move the data into that buffer, make the necessary changes, and
- then return the new pointer. You can update *len if necessary, too.
+ then return the new pointer as out_buf. Return an appropriate len
+ afterwards.
Note that the buffer will *not* be freed for you. To avoid memory leaks,
you need to free it or reuse it on subsequent calls (as shown below).
- *** DO NOT MODIFY THE ORIGINAL 'in_buf' BUFFER. ***
+ *** Feel free to reuse the original 'in_buf' BUFFER and return it. ***
Aight. The example below shows a simple postprocessor that tries to make
sure that all input files start with "GIF89a".
@@ -74,47 +76,83 @@
#define HEADER "GIF89a"
+typedef struct post_state {
+
+ unsigned char *buf;
+ size_t size;
+
+} post_state_t;
+
+void *afl_postprocess_init(void *afl) {
+
+ post_state_t *state = malloc(sizeof(post_state_t));
+ if (!state) {
+
+ perror("malloc");
+ return NULL;
+
+ }
+
+ state->buf = calloc(sizeof(unsigned char), 4096);
+ if (!state->buf) { return NULL; }
+
+ return state;
+
+}
+
/* The actual postprocessor routine called by afl-fuzz: */
-const unsigned char *afl_postprocess(const unsigned char *in_buf,
- unsigned int * len) {
-
- static unsigned char *saved_buf;
- unsigned char * new_buf;
+size_t afl_postprocess(post_state_t *data, unsigned char *in_buf,
+ unsigned int len, unsigned char **out_buf) {
/* Skip execution altogether for buffers shorter than 6 bytes (just to
- show how it's done). We can trust *len to be sane. */
+ show how it's done). We can trust len to be sane. */
- if (*len < strlen(HEADER)) return NULL;
+ if (len < strlen(HEADER)) return 0;
/* Do nothing for buffers that already start with the expected header. */
- if (!memcmp(in_buf, HEADER, strlen(HEADER))) return in_buf;
+ if (!memcmp(in_buf, HEADER, strlen(HEADER))) {
+
+ *out_buf = in_buf;
+ return len;
+
+ }
/* Allocate memory for new buffer, reusing previous allocation if
possible. */
- new_buf = realloc(saved_buf, *len);
+ *out_buf = realloc(data->buf, len);
/* If we're out of memory, the most graceful thing to do is to return the
original buffer and give up on modifying it. Let AFL handle OOM on its
own later on. */
- if (!new_buf) return in_buf;
- saved_buf = new_buf;
+ if (!*out_buf) {
+
+ *out_buf = in_buf;
+ return len;
+
+ }
/* Copy the original data to the new location. */
- memcpy(new_buf, in_buf, *len);
+ memcpy(*out_buf, in_buf, len);
/* Insert the new header. */
- memcpy(new_buf, HEADER, strlen(HEADER));
+ memcpy(*out_buf, HEADER, strlen(HEADER));
- /* Return modified buffer. No need to update *len in this particular case,
- as we're not changing it. */
+ /* Return the new len. It hasn't changed, so it's just len. */
- return new_buf;
+ return len;
}
+/* Gets called afterwards */
+void afl_postprocess_deinit(post_state_t *data) {
+
+ free(data->buf);
+ free(data);
+
+}
diff --git a/examples/post_library/post_library_png.so.c b/examples/post_library/post_library_png.so.c
index 60ab318..8597c88 100644
--- a/examples/post_library/post_library_png.so.c
+++ b/examples/post_library/post_library_png.so.c
@@ -5,6 +5,7 @@
Originally written by Michal Zalewski
Copyright 2015 Google Inc. All rights reserved.
+ Adapted to the new API, 2020 by Dominik Maier
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -35,11 +36,32 @@
#define UP4K(_i) ((((_i) >> 12) + 1) << 12)
-const unsigned char *afl_postprocess(const unsigned char *in_buf,
- unsigned int * len) {
+typedef struct post_state {
- static unsigned char *saved_buf;
- static unsigned int saved_len;
+ unsigned char *buf;
+ size_t size;
+
+} post_state_t;
+
+void *afl_postprocess_init(void *afl) {
+
+ post_state_t *state = malloc(sizeof(post_state_t));
+ if (!state) {
+
+ perror("malloc");
+ return NULL;
+
+ }
+
+ state->buf = calloc(sizeof(unsigned char), 4096);
+ if (!state->buf) { return NULL; }
+
+ return state;
+
+}
+
+size_t afl_postprocess(post_state_t *data, const unsigned char *in_buf,
+ unsigned int len, const unsigned char **out_buf) {
unsigned char *new_buf = (unsigned char *)in_buf;
unsigned int pos = 8;
@@ -47,12 +69,17 @@
/* Don't do anything if there's not enough room for the PNG header
(8 bytes). */
- if (*len < 8) return in_buf;
+ if (len < 8) {
+
+ *out_buf = in_buf;
+ return len;
+
+ }
/* Minimum size of a zero-length PNG chunk is 12 bytes; if we
don't have that, we can bail out. */
- while (pos + 12 <= *len) {
+ while (pos + 12 <= len) {
unsigned int chunk_len, real_cksum, file_cksum;
@@ -62,7 +89,7 @@
/* Bail out if chunk size is too big or goes past EOF. */
- if (chunk_len > 1024 * 1024 || pos + 12 + chunk_len > *len) break;
+ if (chunk_len > 1024 * 1024 || pos + 12 + chunk_len > len) break;
/* Chunk checksum is calculated for chunk ID (dword) and the actual
payload. */
@@ -82,17 +109,23 @@
if (new_buf == in_buf) {
- if (*len <= saved_len) {
+ if (len <= data->size) {
- new_buf = saved_buf;
+ new_buf = data->buf;
} else {
- new_buf = realloc(saved_buf, UP4K(*len));
- if (!new_buf) return in_buf;
- saved_buf = new_buf;
- saved_len = UP4K(*len);
- memcpy(new_buf, in_buf, *len);
+ new_buf = realloc(data->buf, UP4K(len));
+ if (!new_buf) {
+
+ *out_buf = in_buf;
+ return len;
+
+ }
+
+ data->buf = new_buf;
+ data->size = UP4K(len);
+ memcpy(new_buf, in_buf, len);
}
@@ -108,7 +141,15 @@
}
- return new_buf;
+ *out_buf = new_buf;
+ return len;
}
+/* Gets called afterwards */
+void afl_postprocess_deinit(post_state_t *data) {
+
+ free(data->buf);
+ free(data);
+
+}
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 32eaf4a..5f9891b 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -293,9 +293,18 @@
void * afl_state;
void * py_data;
+ u8 * fuzz_buf;
+ size_t fuzz_size;
+
u8 * pre_save_buf;
size_t pre_save_size;
+ u8 * trim_buf;
+ size_t trim_size;
+
+ u8 * havoc_buf;
+ size_t havoc_size;
+
} py_mutator_t;
#endif
@@ -544,7 +553,11 @@
struct extra_data *a_extras; /* Automatically selected extras */
u32 a_extras_cnt; /* Total number of tokens available */
- u8 *(*post_handler)(u8 *buf, u32 *len);
+ /* afl_postprocess API */
+ void *(*post_init)(struct afl_state *afl);
+ size_t (*post_handler)(void *data, u8 *buf, u32 len, u8 **out_buf);
+ void *(*post_deinit)(void *data);
+ void *post_data;
/* CmpLog */
@@ -643,10 +656,10 @@
* @param[in] add_buf_size Size of the additional test case
* @param[in] max_size Maximum size of the mutated output. The mutation must
* not produce data larger than max_size.
- * @return Size of the mutated output.
+ * @return Size of the mutated output. Negative on error will abort exeuction.
*/
- size_t (*afl_custom_fuzz)(void *data, u8 **buf, size_t buf_size, u8 *add_buf,
- size_t add_buf_size, size_t max_size);
+ size_t (*afl_custom_fuzz)(void *data, u8 *buf, size_t buf_size, u8 **out_buf,
+ u8 *add_buf, size_t add_buf_size, size_t max_size);
/**
* A post-processing function to use right before AFL writes the test case to
@@ -704,9 +717,9 @@
* @param[out] out_buf Pointer to the buffer containing the trimmed test case.
* External library should allocate memory for out_buf. AFL++ will release
* the memory after saving the test case.
- * @param[out] out_buf_size Pointer to the size of the trimmed test case
+ * @return the size of the trimmed test case
*/
- void (*afl_custom_trim)(void *data, u8 **out_buf, size_t *out_buf_size);
+ size_t (*afl_custom_trim)(void *data, u8 **out_buf);
/**
* This method is called after each trim operation to inform you if your
@@ -728,16 +741,18 @@
*
* (Optional)
*
- * @param data pointer returned in afl_custom_init for this fuzz case
- * @param[inout] buf Pointer to the input data to be mutated and the mutated
+ * @param[in] data pointer returned in afl_custom_init for this fuzz case
+ * @param[in] buf Pointer to the input data to be mutated and the mutated
* output
* @param[in] buf_size Size of input data
+ * @param[out] out_buf The new buffer. It's legal to reuse *buf if it's <
+ * buf_size.
* @param[in] max_size Maximum size of the mutated output. The mutation must
* not produce data larger than max_size.
- * @return Size of the mutated output.
+ * @return Size of the mutated output (out_size).
*/
- size_t (*afl_custom_havoc_mutation)(void *data, u8 **buf, size_t buf_size,
- size_t max_size);
+ size_t (*afl_custom_havoc_mutation)(void *data, u8 *buf, size_t buf_size,
+ u8 **out_buf, size_t max_size);
/**
* Return the probability (in percentage) that afl_custom_havoc_mutation
@@ -803,8 +818,8 @@
size_t pre_save_py(void *, u8 *, size_t, u8 **);
u32 init_trim_py(void *, u8 *, size_t);
u32 post_trim_py(void *, u8);
-void trim_py(void *, u8 **, size_t *);
-size_t havoc_mutation_py(void *, u8 **, size_t, size_t);
+size_t trim_py(void *, u8 **);
+size_t havoc_mutation_py(void *, u8 *, size_t, u8 **, size_t);
u8 havoc_mutation_probability_py(void *);
u8 queue_get_py(void *, const u8 *);
void queue_new_entry_py(void *, const u8 *, const u8 *);
diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c
index 6c6f05a..7c39850 100644
--- a/src/afl-fuzz-cmplog.c
+++ b/src/afl-fuzz-cmplog.c
@@ -527,8 +527,13 @@
if (afl->post_handler) {
- out_buf = afl->post_handler(out_buf, &len);
- if (!out_buf || !len) return 0;
+ u8 *post_buf = NULL;
+
+ size_t post_len =
+ afl->post_handler(afl->post_data, out_buf, len, &post_buf);
+ if (!post_buf || !post_len) return 0;
+ out_buf = post_buf;
+ len = post_len;
}
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c
index 3e573dd..1d99e1f 100644
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@@ -349,6 +349,8 @@
void afl_state_deinit(afl_state_t *afl) {
+ if (afl->post_deinit) afl->post_deinit(afl->post_data);
+
free(afl->out_buf);
free(afl->out_scratch_buf);
free(afl->eff_buf);
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index a69c3b6..fe2be4d 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -270,7 +270,9 @@
void *dh;
u8 * fn = afl->afl_env.afl_post_library;
+ u8 tbuf[6];
u32 tlen = 6;
+ strncpy(tbuf, "hello", tlen);
if (!fn) return;
@@ -281,10 +283,20 @@
afl->post_handler = dlsym(dh, "afl_postprocess");
if (!afl->post_handler) FATAL("Symbol 'afl_postprocess' not found.");
+ afl->post_init = dlsym(dh, "afl_postprocess_init");
+ if (!afl->post_init) FATAL("Symbol 'afl_postprocess_init' not found.");
+ afl->post_deinit = dlsym(dh, "afl_postprocess_deinit");
+ if (!afl->post_deinit) FATAL("Symbol 'afl_postprocess_deinit' not found.");
/* Do a quick test. It's better to segfault now than later =) */
- afl->post_handler("hello", &tlen);
+ u8 *post_buf = NULL;
+ afl->post_data = afl->post_init(afl);
+ if (!afl->post_data) FATAL("Could not initialize post handler.");
+
+ size_t post_len = afl->post_handler(afl->post_data, tbuf, tlen, &post_buf);
+ if (!post_len || !post_buf)
+ SAYF("Empty return in test post handler for buf=\"hello\\0\".");
OKF("Postprocessor installed successfully.");
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 41bc69c..0692ebb 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -7,6 +7,7 @@
Now maintained by Marc Heuse <mh@mh-sec.de>,
Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
Andrea Fioraldi <andreafioraldi@gmail.com>
+ Dominik Maier <mail@dmnk.co>
Copyright 2016, 2017 Google Inc. All rights reserved.
Copyright 2019-2020 AFLplusplus Project. All rights reserved.
@@ -192,7 +193,8 @@
/* Initialize the custom mutator */
if (afl->mutator->afl_custom_init)
- afl->mutator->data = afl->mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF));
+ afl->mutator->data =
+ afl->mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF));
}
@@ -218,17 +220,18 @@
while (afl->stage_cur < afl->stage_max) {
+ u8 *retbuf = NULL;
+
sprintf(afl->stage_name_buf, "ptrim %s",
u_stringify_int(val_buf, trim_exec));
u32 cksum;
- u8 * retbuf = NULL;
- size_t retlen = 0;
+ size_t retlen = afl->mutator->afl_custom_trim(afl->mutator->data, &retbuf);
- afl->mutator->afl_custom_trim(afl->mutator->data, &retbuf, &retlen);
-
- if (retlen > orig_len)
+ if (unlikely(retlen < 0 || !retbuf))
+ FATAL("custom_trim failed (ret %zd)", retlen);
+ else if (unlikely(retlen > orig_len))
FATAL(
"Trimmed data returned by custom mutator is larger than original "
"data");
@@ -238,12 +241,7 @@
fault = run_target(afl, afl->fsrv.exec_tmout);
++afl->trim_execs;
- if (afl->stop_soon || fault == FAULT_ERROR) {
-
- ck_free(retbuf);
- goto abort_trimming;
-
- }
+ if (afl->stop_soon || fault == FAULT_ERROR) { goto abort_trimming; }
cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST);
@@ -281,8 +279,6 @@
}
- ck_free(retbuf);
-
/* Since this can be slow, update the screen every now and then. */
if (!(trim_exec++ % afl->stats_update_freq)) show_stats(afl);
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 024b466..8dfafb7 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1612,15 +1612,20 @@
ck_read(fd, new_buf, target->len, target->fname);
close(fd);
- // TODO: clean up this mess.
+ u8 *mutated_buf = NULL;
+
size_t mutated_size = afl->mutator->afl_custom_fuzz(
- afl->mutator->data, &out_buf, len, new_buf, target->len, max_seed_size);
+ afl->mutator->data, out_buf, len, &mutated_buf, new_buf, target->len,
+ max_seed_size);
+
+ if (unlikely(mutated_size < 0))
+ FATAL("custom_fuzz returned %zd", mutated_size);
if (mutated_size > len) afl->out_size = mutated_size;
if (mutated_size > 0) {
- if (common_fuzz_stuff(afl, out_buf, (u32)mutated_size)) {
+ if (common_fuzz_stuff(afl, mutated_buf, (u32)mutated_size)) {
goto abandon_entry;
@@ -1726,8 +1731,22 @@
if (stacked_custom && rand_below(afl, 100) < stacked_custom_prob) {
- temp_len = afl->mutator->afl_custom_havoc_mutation(
- afl->mutator->data, &out_buf, temp_len, MAX_FILE);
+ u8 * custom_havoc_buf = NULL;
+ size_t new_len = afl->mutator->afl_custom_havoc_mutation(
+ afl->mutator->data, out_buf, temp_len, &custom_havoc_buf, MAX_FILE);
+ if (unlikely(new_len < 0))
+ FATAL("Error in custom_havoc (return %zd)", new_len);
+ if (likely(new_len > 0 && custom_havoc_buf)) {
+
+ temp_len = new_len;
+ if (out_buf != custom_havoc_buf) {
+
+ ck_maybe_grow(BUF_PARAMS(out), temp_len);
+ memcpy(out_buf, custom_havoc_buf, temp_len);
+
+ }
+
+ }
}
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index 6fbdb67..f9f7192 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -35,15 +35,22 @@
}
-size_t fuzz_py(void *py_mutator, u8 **buf, size_t buf_size, u8 *add_buf,
- size_t add_buf_size, size_t max_size) {
+/* sorry for this makro...
+it just filles in `&py_mutator->something_buf, &py_mutator->something_size`. */
+#define BUF_PARAMS(name) \
+ (void **)&((py_mutator_t *)py_mutator)->name##_buf, \
+ &((py_mutator_t *)py_mutator)->name##_size
+
+size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf,
+ u8 *add_buf, size_t add_buf_size, size_t max_size) {
size_t mutated_size;
PyObject *py_args, *py_value;
py_args = PyTuple_New(3);
+ py_mutator_t *py = (py_mutator_t *)py_mutator;
/* buf */
- py_value = PyByteArray_FromStringAndSize(*buf, buf_size);
+ py_value = PyByteArray_FromStringAndSize(buf, buf_size);
if (!py_value) {
Py_DECREF(py_args);
@@ -79,17 +86,17 @@
PyTuple_SetItem(py_args, 2, py_value);
- py_value = PyObject_CallObject(
- ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_FUZZ], py_args);
+ py_value = PyObject_CallObject(py->py_functions[PY_FUNC_FUZZ], py_args);
Py_DECREF(py_args);
if (py_value != NULL) {
mutated_size = PyByteArray_Size(py_value);
- if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size);
- memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
+ *out_buf = ck_maybe_grow(BUF_PARAMS(fuzz), mutated_size);
+
+ memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size);
Py_DECREF(py_value);
return mutated_size;
@@ -364,14 +371,8 @@
py_out_buf_size = PyByteArray_Size(py_value);
- if (py_out_buf_size > py->pre_save_size) {
-
- /* Not enough space!
- Let's resize our buf */
- py->pre_save_buf = ck_realloc(py->pre_save_buf, py_out_buf_size);
- py->pre_save_size = py_out_buf_size;
-
- }
+ ck_maybe_grow((void **)&py->pre_save_buf, &py->pre_save_size,
+ py_out_buf_size);
memcpy(py->pre_save_buf, PyByteArray_AsString(py_value), py_out_buf_size);
Py_DECREF(py_value);
@@ -465,9 +466,10 @@
}
-void trim_py(void *py_mutator, u8 **out_buf, size_t *out_buf_size) {
+size_t trim_py(void *py_mutator, u8 **out_buf) {
PyObject *py_args, *py_value;
+ size_t ret;
py_args = PyTuple_New(0);
py_value = PyObject_CallObject(
@@ -476,9 +478,9 @@
if (py_value != NULL) {
- *out_buf_size = PyByteArray_Size(py_value);
- *out_buf = malloc(*out_buf_size);
- memcpy(*out_buf, PyByteArray_AsString(py_value), *out_buf_size);
+ ret = PyByteArray_Size(py_value);
+ *out_buf = ck_maybe_grow(BUF_PARAMS(trim), ret);
+ memcpy(*out_buf, PyByteArray_AsString(py_value), ret);
Py_DECREF(py_value);
} else {
@@ -488,17 +490,19 @@
}
+ return ret;
+
}
-size_t havoc_mutation_py(void *py_mutator, u8 **buf, size_t buf_size,
- size_t max_size) {
+size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size,
+ u8 **out_buf, size_t max_size) {
size_t mutated_size;
PyObject *py_args, *py_value;
py_args = PyTuple_New(2);
/* buf */
- py_value = PyByteArray_FromStringAndSize(*buf, buf_size);
+ py_value = PyByteArray_FromStringAndSize(buf, buf_size);
if (!py_value) {
Py_DECREF(py_args);
@@ -532,9 +536,19 @@
if (py_value != NULL) {
mutated_size = PyByteArray_Size(py_value);
- if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size);
+ if (mutated_size <= buf_size) {
- memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
+ /* We reuse the input buf here. */
+ *out_buf = buf;
+
+ } else {
+
+ /* A new buf is needed... */
+ *out_buf = ck_maybe_grow(BUF_PARAMS(havoc), mutated_size);
+
+ }
+
+ memcpy(*out_buf, PyByteArray_AsString(py_value), mutated_size);
Py_DECREF(py_value);
return mutated_size;
@@ -680,5 +694,7 @@
}
+#undef BUF_PARAMS
+
#endif /* USE_PYTHON */
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index a43bfad..9ba2c5f 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -741,8 +741,13 @@
if (afl->post_handler) {
- out_buf = afl->post_handler(out_buf, &len);
- if (!out_buf || !len) return 0;
+ u8 *post_buf = NULL;
+
+ size_t post_len =
+ afl->post_handler(afl->post_data, out_buf, len, &post_buf);
+ if (!post_buf || !post_len) return 0;
+ out_buf = post_buf;
+ len = post_len;
}