fix afl_custom_post_process with multiple custom mutators

2025-06-15 03:18:07 +00:00 · 2021-06-01 10:40:25 +02:00
parent 5b5dff4584
commit 17e904eedf
2 changed files with 19 additions and 24 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -22,13 +22,14 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
      to allow replay of non-reproducable crashes, see
      AFL_PERSISTENT_RECORD in config.h and docs/envs.h
    - fixed a bug when trimming for stdin targets
-    - default cmplog level (-l) is now 2, better efficiency.
-    - cmplog level 3 (-l 3) now performs redqueen on everything.
-      use with care.
-    - better fuzzing strategy yields for enabled options
+    - cmplog -l: default cmplog level is now 2, better efficiency.
+      level 3 now performs redqueen on everything. use with care.
+    - better fuzzing strategy yield display for enabled options
    - ensure one fuzzer sync per cycle
    - fix afl_custom_queue_new_entry original file name when syncing
      from fuzzers
+    - fixed a crash when more than one custom mutator was used together
+      with afl_custom_post_process
    - on a crashing seed potentially the wrong input was disabled
    - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in
      -i dir crashes the target or results in a timeout. By default
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -107,28 +107,22 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
        new_size =
            el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf);

+        if (unlikely(!new_buf && new_size <= 0)) {
+
+          FATAL("Custom_post_process failed (ret: %lu)",
+                (long unsigned)new_size);
+
        }

        new_mem = new_buf;

+      }
+
    });

-    if (unlikely(!new_buf && (new_size <= 0))) {
-
-      FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size);
-
-    } else if (likely(new_buf)) {
-
-      /* everything as planned. use the new data. */
+    /* everything as planned. use the potentially new data. */
    afl_fsrv_write_to_testcase(&afl->fsrv, new_buf, new_size);

-    } else {
-
-      /* custom mutators do not has a custom_post_process function */
-      afl_fsrv_write_to_testcase(&afl->fsrv, mem, len);
-
-    }
-
  } else {

    /* boring uncustom. */
@ -188,17 +182,17 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
        new_size =
            el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf);

-        if (unlikely(!new_buf || (new_size <= 0))) {
+        if (unlikely(!new_buf || new_size <= 0)) {

          FATAL("Custom_post_process failed (ret: %lu)",
                (long unsigned)new_size);

        }

-      }
-
        new_mem = new_buf;

+      }
+
    });

  }