Merge pull request #820 from AFLplusplus/dev

push to stable

README.md

@@ -2,9 +2,9 @@
 
   <img align="right" src="https://raw.githubusercontent.com/andreafioraldi/AFLplusplus-website/master/static/logo_256x256.png" alt="AFL++ Logo">
 
-  Release Version: [3.10c](https://github.com/AFLplusplus/AFLplusplus/releases)
+  Release Version: [3.11c](https://github.com/AFLplusplus/AFLplusplus/releases)
 
-  Github Version: 3.11a
+  Github Version: 3.12a
 
   Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
 

docs/Changelog.md

@@ -8,11 +8,14 @@
 Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
-### Version ++3.11a (dev)
+### Version ++3.11c (release)
   - afl-fuzz:
+    - better auto detection of map size
     - fix sanitizer settings (bug since 3.10c)
+    - fix an off-by-one overwrite in cmplog
     - add non-unicode variants from unicode-looking dictionary entries
     - Rust custom mutator API improvements
+    - Imported crash stats painted yellow on resume (only new ones are red)
   - afl-cc:
     - added AFL_NOOPT that will just pass everything to the normal
       gcc/clang compiler without any changes - to pass weird configure

include/config.h

@@ -26,7 +26,7 @@
 /* Version string: */
 
 // c = release, a = volatile github dev, e = experimental branch
-#define VERSION "++3.11a"
+#define VERSION "++3.11c"
 
 /******************************************************
  *                                                    *

src/afl-fuzz-queue.c

@@ -325,7 +325,7 @@ static u8 check_if_text(afl_state_t *afl, struct queue_entry *q) {
 
   if (len >= MAX_FILE) len = MAX_FILE - 1;
   if ((fd = open(q->fname, O_RDONLY)) < 0) return 0;
-  buf = afl_realloc(AFL_BUF_PARAM(in_scratch), len);
+  buf = afl_realloc(AFL_BUF_PARAM(in_scratch), len + 1);
   comp = read(fd, buf, len);
   close(fd);
   if (comp != (ssize_t)len) return 0;

src/afl-fuzz-stats.c

@@ -645,6 +645,13 @@ void show_stats(afl_state_t *afl) {
 #define SP10 SP5 SP5
 #define SP20 SP10 SP10
 
+  /* Since `total_crashes` does not get reloaded from disk on restart,
+    it indicates if we found crashes this round already -> paint red.
+    If it's 0, but `unique_crashes` is set from a past run, paint in yellow. */
+  char *crash_color = afl->total_crashes    ? cLRD
+                      : afl->unique_crashes ? cYEL
+                                            : cRST;
+
   /* Lord, forgive me this. */
 
   SAYF(SET_G1 bSTG bLT bH bSTOP                         cCYA
@@ -732,7 +739,7 @@ void show_stats(afl_state_t *afl) {
   u_stringify_time_diff(time_tmp, cur_ms, afl->last_crash_time);
   SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP
                 " uniq crashes : %s%-6s" bSTG               bV "\n",
-       time_tmp, afl->unique_crashes ? cLRD : cRST, tmp);
+       time_tmp, crash_color, tmp);
 
   sprintf(tmp, "%s%s", u_stringify_int(IB(0), afl->unique_hangs),
           (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
@@ -815,20 +822,13 @@ void show_stats(afl_state_t *afl) {
 
     SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP
                   "   new crashes : %s%-22s" bSTG         bV "\n",
-         u_stringify_int(IB(0), afl->fsrv.total_execs),
+         u_stringify_int(IB(0), afl->fsrv.total_execs), crash_color, tmp);
-         afl->unique_crashes ? cLRD : cRST, tmp);
 
   } else {
 
     SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP
                   " total crashes : %s%-22s" bSTG         bV "\n",
-         u_stringify_int(IB(0), afl->fsrv.total_execs),
+         u_stringify_int(IB(0), afl->fsrv.total_execs), crash_color, tmp);
-         // New crashes this round -> Red, restored crashes -> yellow, else
-         // white.
-         afl->total_crashes    ? cLRD
-         : afl->unique_crashes ? cYEL
-                               : cRST,
-         tmp);
 
   }
 

src/afl-fuzz.c

@@ -1597,8 +1597,8 @@ int main(int argc, char **argv_orig, char **envp) {
 
     // only reinitialize when it makes sense
     if ((map_size < new_map_size ||
-        (new_map_size != MAP_SIZE && new_map_size < map_size &&
+         (new_map_size != MAP_SIZE && new_map_size < map_size &&
-         map_size - new_map_size > MAP_SIZE))) {
+          map_size - new_map_size > MAP_SIZE))) {
 
       OKF("Re-initializing maps to %u bytes", new_map_size);
 
@@ -1680,6 +1680,7 @@ int main(int argc, char **argv_orig, char **envp) {
       setenv("AFL_NO_AUTODICT", "1", 1);  // loaded already
       afl->fsrv.trace_bits =
           afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode);
+      afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits;
       afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
                      afl->afl_env.afl_debug_child);
       afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon,

test/test-llvm.sh

@@ -164,7 +164,7 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && {
     echo ZZZZ > in/in
     $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 45 seconds"
     {
-      AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 1 -V45 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1
+      AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 123 -V50 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1
     } >>errors 2>&1
     test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && {
       $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly"

unicorn_mode/unicornafl

@@ -1 +0,0 @@
-Subproject commit fb2fc9f25df32f17f6b6b859e4dbd70f9a857e0c

utils/aflpp_driver/aflpp_driver.c

@@ -204,7 +204,7 @@ int main(int argc, char **argv) {
       "To fuzz with afl-fuzz execute this:\n"
       "  afl-fuzz [afl-flags] -- %s [-N]\n"
       "afl-fuzz will run N iterations before re-spawning the process (default: "
-      "1000)\n"
+      "INT_MAX)\n"
       "======================================================\n",
       argv[0], argv[0]);