ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 19:08:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix invalid memory access bug in afl_custom_pre_save of example.c

Browse Source
This commit is contained in:
h1994st
2020-03-28 00:52:29 -04:00
committed by Dominik Maier
parent d568559f01
commit 0dd8ed9171
2 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
examples/custom_mutators/example.c
View File

@ -157,15 +157,17 @@ size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size,
} }
*out_buf = data->pre_save_buf; uint8_t *pre_save_buf = data->pre_save_buf;
memcpy(*out_buf + 5, buf, buf_size); memcpy(pre_save_buf + 5, buf, buf_size);
size_t out_buf_size = buf_size + 5; size_t out_buf_size = buf_size + 5;
*out_buf[0] = 'A'; pre_save_buf[0] = 'A';
*out_buf[1] = 'F'; pre_save_buf[1] = 'F';
*out_buf[2] = 'L'; pre_save_buf[2] = 'L';
*out_buf[3] = '+'; pre_save_buf[3] = '+';
*out_buf[4] = '+'; pre_save_buf[4] = '+';
*out_buf = pre_save_buf;
return out_buf_size; return out_buf_size;

3
src/afl-fuzz-python.c
View File

@ -133,8 +133,8 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) {
if (py_module != NULL) { if (py_module != NULL) {
u8 py_notrim = 0, py_idx; u8 py_notrim = 0, py_idx;
/* init, required */
py_functions[PY_FUNC_INIT] = PyObject_GetAttrString(py_module, "init"); py_functions[PY_FUNC_INIT] = PyObject_GetAttrString(py_module, "init");
py_functions[PY_FUNC_DEINIT] = PyObject_GetAttrString(py_module, "deinit");
py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "fuzz"); py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "fuzz");
py_functions[PY_FUNC_PRE_SAVE] = py_functions[PY_FUNC_PRE_SAVE] =
PyObject_GetAttrString(py_module, "pre_save"); PyObject_GetAttrString(py_module, "pre_save");
@ -151,6 +151,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) {
PyObject_GetAttrString(py_module, "queue_get"); PyObject_GetAttrString(py_module, "queue_get");
py_functions[PY_FUNC_QUEUE_NEW_ENTRY] = py_functions[PY_FUNC_QUEUE_NEW_ENTRY] =
PyObject_GetAttrString(py_module, "queue_new_entry"); PyObject_GetAttrString(py_module, "queue_new_entry");
py_functions[PY_FUNC_DEINIT] = PyObject_GetAttrString(py_module, "deinit");
for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) { for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) {