// This simple example creates a buffer of random length (<= 100 bytes) filled with 'A'.
// Build with -I /path/to/AFLplusplus/include
| #include "custom_mutator_helpers.h" |
| |
| #include <stdint.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <stdio.h> |
| |
/* Byte value used to fill every generated buffer. Defaults to 0x41 ('A');
 * define _FIXED_CHAR before this point (e.g. on the compiler command line)
 * to use another value. */
#if !defined(_FIXED_CHAR)
  #define _FIXED_CHAR 0x41
#endif
| |
/* Per-instance mutator state: allocated in afl_custom_init and released in
 * afl_custom_deinit. */
typedef struct my_mutator {
  afl_t *afl; /* handle passed to afl_custom_init, stored as-is */

  /* Reusable output buffer. BUF_VAR declares the members that the rest of
   * this file reaches through BUF_PARAMS(data, fuzz) and data->fuzz_buf. */
  BUF_VAR(u8, fuzz);
} my_mutator_t;
| |
/**
 * Create the mutator state for one fuzzer instance.
 *
 * @param afl  handle supplied by the caller; stored, never dereferenced here
 * @param seed value passed to srand(), so the rand() calls made by
 *             afl_custom_fuzz follow from this seed
 * @return zero-initialised state, or NULL if the allocation failed
 */
my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
  my_mutator_t *state;

  srand(seed);

  state = calloc(1, sizeof(my_mutator_t));
  if (state == NULL) {
    perror("afl_custom_init alloc");
    return NULL;
  }

  state->afl = afl;
  return state;
}
| |
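/**
 * Produce one test case: a run of _FIXED_CHAR bytes of random length.
 *
 * The input buffers are ignored by this example; only max_size constrains
 * the result.
 *
 * @param data         state returned by afl_custom_init
 * @param buf          current input (unused here)
 * @param buf_size     length of buf (unused here)
 * @param out_buf      receives a pointer to the generated bytes; the memory
 *                     is the reusable buffer held in data and is freed by
 *                     afl_custom_deinit
 * @param add_buf      additional input, may be NULL (unused here)
 * @param add_buf_size length of add_buf (unused here)
 * @param max_size     upper bound on the number of bytes to return
 * @return number of bytes written to *out_buf (at most 100 and at most
 *         max_size); 0 with *out_buf set to NULL if the buffer could not
 *         be grown
 */
size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
                       u8 **out_buf, uint8_t *add_buf,
                       size_t add_buf_size,  // add_buf can be NULL
                       size_t max_size) {
  /* This example generates data from scratch and never reads the inputs. */
  (void)buf;
  (void)buf_size;
  (void)add_buf;
  (void)add_buf_size;

  /* Keep the length in size_t: it is compared with and clamped to max_size,
   * so an unsigned type avoids a signed/unsigned comparison and a narrowing
   * assignment. rand() is non-negative, so the cast loses nothing. */
  size_t size = (size_t)(rand() % 100) + 1;
  if (size > max_size) { size = max_size; }

  u8 *mutated_out = maybe_grow(BUF_PARAMS(data, fuzz), size);
  if (!mutated_out) {
    *out_buf = NULL;
    perror("custom mutator allocation (maybe_grow)");
    return 0; /* afl-fuzz will very likely error out after this. */
  }

  /* Only the first `size` bytes are written, so the fill never exceeds the
   * length requested from maybe_grow. */
  memset(mutated_out, _FIXED_CHAR, size);

  *out_buf = mutated_out;
  return size;
}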
| |
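/**
 * Deinitialize everything
 *
 * Frees the reusable output buffer and then the state itself. A NULL data
 * pointer is ignored, since afl_custom_init returns NULL when its allocation
 * fails.
 *
 * @param data The data ptr from afl_custom_init
 */
void afl_custom_deinit(my_mutator_t *data) {
  if (!data) { return; }

  free(data->fuzz_buf);
  free(data);
}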
| |