fixed uaf and warnings

src/afl-analyze.c

@@ -902,6 +902,12 @@ int main(int argc, char **argv, char **envp) {
         if (mem_limit_given) FATAL("Multiple -m options not supported");
         mem_limit_given = 1;
 
+        if (!optarg) {
+
+          FATAL("Bad syntax used for -m");
+
+        }
+
         if (!strcmp(optarg, "none")) {
 
           mem_limit = 0;
@@ -938,6 +944,8 @@ int main(int argc, char **argv, char **envp) {
         if (timeout_given) FATAL("Multiple -t options not supported");
         timeout_given = 1;
 
+        if (!optarg) FATAL("Wrong usage of -t");
+
         exec_tmout = atoi(optarg);
 
         if (exec_tmout < 10 || optarg[0] == '-')

src/afl-common.c

@@ -292,11 +292,10 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
     *rsl = 0;
 
     cp = alloc_printf("%s/afl-qemu-trace", own_copy);
-    ck_free(own_copy);
 
-    if (!access(cp, X_OK)) {
+    if (cp && !access(cp, X_OK)) {
 
-      if (cp != NULL) ck_free(cp);
+      ck_free(cp);
 
       cp = alloc_printf("%s/afl-wine-trace", own_copy);
 
@@ -309,10 +308,14 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
 
     }
 
-  } else
+    ck_free(own_copy);
+
+  } else {
 
     ck_free(own_copy);
 
+  }
+
   u8 *ncp = BIN_PATH "/afl-qemu-trace";
 
   if (!access(ncp, X_OK)) {

src/afl-forkserver.c

@@ -455,7 +455,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
         }
 
-        len = status;
         offset = 0;
         while (offset < status && (u8)dict[offset] + offset < status) {
 

src/afl-fuzz-bitmap.c

@@ -535,7 +535,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
   if (unlikely(len == 0)) return 0;
 
   u8 *queue_fn = "";
-  u8  hnb;
+  u8  hnb = '\0';
   s32 fd;
   u8  keeping = 0, res;
 
@@ -718,9 +718,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 
         // if the user wants to be informed on new crashes - do that
 #if !TARGET_OS_IPHONE
-        if (system(afl->infoexec) == -1)
-          hnb += 0;  // we dont care if system errors, but we dont want a
+        // we dont care if system errors, but we dont want a
           // compiler warning either
+        (void)(system(afl->infoexec)+1);
 #else
         WARNF("command execution unsupported");
 #endif

src/afl-fuzz-extras.c

@@ -130,6 +130,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
 
     wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr);
 
+    if (!wptr) PFATAL("no mem for data");
+
     while (*lptr) {
 
       char *hexdigits = "0123456789abcdef";

src/afl-fuzz-init.c

@@ -2178,6 +2178,8 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) {
 
     u32 l = strlen(argv[i]);
 
+    if (!argv[i] || !buf) FATAL("null deref detected");
+
     memcpy(buf, argv[i], l);
     buf += l;
 

src/afl-fuzz-one.c

@@ -3593,7 +3593,6 @@ pacemaker_fuzzing:
   }
 
   s32 temp_len_puppet;
-  cur_ms_lv = get_cur_time();
 
   // for (; afl->swarm_now < swarm_num; ++afl->swarm_now)
   {
@@ -4167,8 +4166,6 @@ pacemaker_fuzzing:
                  afl->orig_hit_cnt_puppet))) {
 
           afl->key_puppet = 0;
-          cur_ms_lv = get_cur_time();
-          new_hit_cnt = afl->queued_paths + afl->unique_crashes;
           afl->orig_hit_cnt_puppet = 0;
           afl->last_limit_time_start = 0;
 

src/afl-fuzz-queue.c

@@ -438,6 +438,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
 
       }
 
+      if (unlikely(!n_paths)) FATAL("Queue state corrupt");
+
       fuzz_mu = fuzz_total / n_paths;
       if (fuzz <= fuzz_mu) {
 

src/afl-fuzz-redqueen.c

@@ -115,7 +115,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
   afl->stage_short = "colorization";
   afl->stage_max = 1000;
 
-  struct range *rng;
+  struct range *rng = NULL;
   afl->stage_cur = 0;
   while ((rng = pop_biggest_range(&ranges)) != NULL &&
          afl->stage_cur < afl->stage_max) {
@@ -141,6 +141,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
 
   empty_range:
     ck_free(rng);
+    rng = NULL;
     ++afl->stage_cur;
 
   }
@@ -157,6 +158,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
     rng = ranges;
     ranges = ranges->next;
     ck_free(rng);
+    rng = NULL;
 
   }
 
@@ -186,6 +188,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
 
   }
 
+
   return 0;
 
 checksum_fail:
@@ -196,9 +199,12 @@ checksum_fail:
     rng = ranges;
     ranges = ranges->next;
     ck_free(rng);
+    rng = NULL;
 
   }
 
+  // TODO: clang notices a _potential_ leak of mem pointed to by rng
+
   return 1;
 
 }

src/afl-fuzz-stats.c

@@ -56,7 +56,6 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
 
     bitmap_cvg = afl->last_bitmap_cvg;
     stability = afl->last_stability;
-    eps = afl->last_eps;
 
   } else {
 

src/afl-sharedmem.c

@@ -67,6 +67,7 @@ list_t shm_list = {.element_prealloc_count = 0};
 
 void afl_shm_deinit(sharedmem_t *shm) {
 
+  // TODO: clang reports a potential UAF in this function/makro(?)
   list_remove(&shm_list, shm);
 
 #ifdef USEMMAP
@@ -93,14 +94,6 @@ void afl_shm_deinit(sharedmem_t *shm) {
 
 }
 
-/* At exit, remove all leftover maps */
-
-void afl_shm_atexit(void) {
-
-  LIST_FOREACH(&shm_list, sharedmem_t, { afl_shm_deinit(el); });
-
-}
-
 /* Configure shared memory.
    Returns a pointer to shm->map for ease of use.
 */
@@ -207,7 +200,6 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
 #endif
 
   list_append(&shm_list, shm);
-  atexit(afl_shm_atexit);
 
   return shm->map;
 

src/afl-showmap.c

@@ -983,7 +983,7 @@ int main(int argc, char **argv_orig, char **envp) {
     if (!quiet_mode) OKF("Processed %u input files.", total_execs);
 
     closedir(dir_in);
-    closedir(dir_out);
+    if (dir_out) closedir(dir_out);
 
   } else {