Merge pull request #2351 from kcwu/fix-double-free

fix double free bug introduced by 73ab495b5d1a99722f4a2c2b1b9507daa73…
2025-06-12 01:58:17 +00:00 · 2025-04-03 15:20:27 +02:00
parent 5069551778 58c5e2b96c
commit 106309492c
1 changed files with 2 additions and 14 deletions
--- a/src/afl-fuzz-skipdet.c
+++ b/src/afl-fuzz-skipdet.c
@ -126,12 +126,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,
  inf_eff_map = (u8 *)ck_realloc(inf_eff_map, sizeof(u8) * len);
  memset(inf_eff_map, 1, sizeof(u8) * len);

-  if (common_fuzz_stuff(afl, orig_buf, len)) {
-
-    ck_free(inf_eff_map);
-    return 0;
-
-  }
+  if (common_fuzz_stuff(afl, orig_buf, len)) { return 0; }

  u64 prev_cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
  u64 _prev_cksum = prev_cksum;
@ -159,12 +154,7 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,

        flip_range(out_buf, pos, flip_block_size);

-        if (common_fuzz_stuff(afl, out_buf, len)) {
-
-          ck_free(inf_eff_map);
-          return 0;
-
-        }
+        if (common_fuzz_stuff(afl, out_buf, len)) { return 0; }

        flip_range(out_buf, pos, flip_block_size);

@ -329,7 +319,6 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,

      if (common_fuzz_stuff(afl, out_buf, len)) {

-        ck_free(inf_eff_map);
        ck_free(non_eff_bytes);
        return 0;

@ -378,7 +367,6 @@ u8 skip_deterministic_stage(afl_state_t *afl, u8 *orig_buf, u8 *out_buf,

 cleanup_skipdet:

-  ck_free(inf_eff_map);
  if (fuzz_nearby) {

    u8 *nearby_bytes = (u8 *)ck_alloc(sizeof(u8) * len);