ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-17 20:28:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

prepare new mutation strategies

Browse Source
This commit is contained in:
vanhauser-thc
2023-03-30 14:00:45 +02:00
parent 7893347e13
commit 145748a7e0
1 changed files with 94 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
src/afl-fuzz-one.c
View File

@ -28,6 +28,21 @@
#include <limits.h> #include <limits.h>
#include "cmplog.h" #include "cmplog.h"
static u32 mutation_array_explore[] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31};
// static u32 mutation_array_exploit[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
// 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30,
// 31 }; static u32 mutation_array_txt_explore[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8,
// 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
// 28, 29, 30, 31 }; static u32 mutation_array_txt_exploit[] = { 0, 1, 2, 3, 4,
// 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
// 25, 26, 27, 28, 29, 30, 31 };
// what about more splicing?
// what about -x and cmplog learn?
/* MOpt */ /* MOpt */
static int select_algorithm(afl_state_t *afl, u32 max_algorithm) { static int select_algorithm(afl_state_t *afl, u32 max_algorithm) {
@ -2121,10 +2136,15 @@ havoc_stage:
#define MAX_HAVOC_ENTRY 31 #define MAX_HAVOC_ENTRY 31
#define MUTATE_ASCII_DICT 0 #define MUTATE_ASCII_DICT 0
u32 r_max, r; u32 r_max, mutation_array_len;
u32 **mutation_array;
r_max = (MAX_HAVOC_ENTRY + 1) + (afl->extras_cnt ? 2 : 0) + // if ( ... )
(afl->a_extras_cnt ? 2 : 0); mutation_array = (u32 **)&mutation_array_explore;
mutation_array_len = sizeof(mutation_array_explore) + 1;
r_max = mutation_array_len;
// + (afl->extras_cnt ? 2 : 0) + (afl->a_extras_cnt ? 2 : 0);
for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
@ -2174,7 +2194,7 @@ havoc_stage:
} }
switch ((r = rand_below(afl, r_max))) { switch (*mutation_array[rand_below(afl, r_max)]) {
case 0: { case 0: {
@ -2992,13 +3012,9 @@ havoc_stage:
} }
default: case 32: {
r -= (MAX_HAVOC_ENTRY + 1); if (!afl->extras_cnt) { break; }
if (afl->extras_cnt) {
if (r < 1) {
/* Use the dictionary. */ /* Use the dictionary. */
@ -3009,16 +3025,19 @@ havoc_stage:
u32 insert_at = rand_below(afl, temp_len - extra_len + 1); u32 insert_at = rand_below(afl, temp_len - extra_len + 1);
#ifdef INTROSPECTION #ifdef INTROSPECTION
snprintf(afl->m_tmp, sizeof(afl->m_tmp), " EXTRA_OVERWRITE-%u-%u", snprintf(afl->m_tmp, sizeof(afl->m_tmp), " EXTRA-OVERWRITE_%u_%u",
insert_at, extra_len); insert_at, extra_len);
strcat(afl->mutation, afl->m_tmp); strcat(afl->mutation, afl->m_tmp);
#endif #endif
memcpy(out_buf + insert_at, afl->extras[use_extra].data, memcpy(out_buf + insert_at, afl->extras[use_extra].data, extra_len);
extra_len);
break; break;
} else if (r < 2) { }
case 33: {
if (!afl->extras_cnt) { break; }
u32 use_extra = rand_below(afl, afl->extras_cnt); u32 use_extra = rand_below(afl, afl->extras_cnt);
u32 extra_len = afl->extras[use_extra].len; u32 extra_len = afl->extras[use_extra].len;
@ -3027,7 +3046,7 @@ havoc_stage:
u8 *ptr = afl->extras[use_extra].data; u8 *ptr = afl->extras[use_extra].data;
u32 insert_at = rand_below(afl, temp_len + 1); u32 insert_at = rand_below(afl, temp_len + 1);
#ifdef INTROSPECTION #ifdef INTROSPECTION
snprintf(afl->m_tmp, sizeof(afl->m_tmp), " EXTRA_INSERT-%u-%u", snprintf(afl->m_tmp, sizeof(afl->m_tmp), " EXTRA-INSERT_%u_%u",
insert_at, extra_len); insert_at, extra_len);
strcat(afl->mutation, afl->m_tmp); strcat(afl->mutation, afl->m_tmp);
#endif #endif
@ -3045,17 +3064,11 @@ havoc_stage:
break; break;
} else {
r -= 2;
} }
} case 34: {
if (afl->a_extras_cnt) { if (!afl->a_extras_cnt) { break; }
if (r < 1) {
/* Use the dictionary. */ /* Use the dictionary. */
@ -3067,15 +3080,18 @@ havoc_stage:
u32 insert_at = rand_below(afl, temp_len - extra_len + 1); u32 insert_at = rand_below(afl, temp_len - extra_len + 1);
#ifdef INTROSPECTION #ifdef INTROSPECTION
snprintf(afl->m_tmp, sizeof(afl->m_tmp), snprintf(afl->m_tmp, sizeof(afl->m_tmp),
" AUTO_EXTRA_OVERWRITE-%u-%u", insert_at, extra_len); " AUTO-EXTRA-OVERWRITE_%u_%u", insert_at, extra_len);
strcat(afl->mutation, afl->m_tmp); strcat(afl->mutation, afl->m_tmp);
#endif #endif
memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, extra_len);
extra_len);
break; break;
} else if (r < 2) { }
case 35: {
if (!afl->a_extras_cnt) { break; }
u32 use_extra = rand_below(afl, afl->a_extras_cnt); u32 use_extra = rand_below(afl, afl->a_extras_cnt);
u32 extra_len = afl->a_extras[use_extra].len; u32 extra_len = afl->a_extras[use_extra].len;
@ -3084,8 +3100,8 @@ havoc_stage:
u8 *ptr = afl->a_extras[use_extra].data; u8 *ptr = afl->a_extras[use_extra].data;
u32 insert_at = rand_below(afl, temp_len + 1); u32 insert_at = rand_below(afl, temp_len + 1);
#ifdef INTROSPECTION #ifdef INTROSPECTION
snprintf(afl->m_tmp, sizeof(afl->m_tmp), snprintf(afl->m_tmp, sizeof(afl->m_tmp), " AUTO-EXTRA-INSERT_%u_%u",
" AUTO_EXTRA_INSERT-%u-%u", insert_at, extra_len); insert_at, extra_len);
strcat(afl->mutation, afl->m_tmp); strcat(afl->mutation, afl->m_tmp);
#endif #endif
@ -3102,12 +3118,6 @@ havoc_stage:
break; break;
} else {
r -= 2;
}
} }
} }