fix laf string transform crash

2025-06-11 17:51:32 +00:00 · 2021-03-05 10:05:43 +01:00
parent a2f40aa285
commit 3342aa751d
5 changed files with 20 additions and 2 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -14,6 +14,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
  - afl-cc
    - fixed a crash that can occur with ASAN + CMPLOG together plus
      better support for unicode (thanks to @stbergmann for reporting!)
+    - fixed a crash in LAF transform for empty strings
    - handle erroneous setups in which multiple afl-compiler-rt are
      compiled into the target. This now also supports dlopen
      instrumented libs loaded before the forkserver and even after the
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@ -849,15 +849,18 @@ bool ModuleSanitizerCoverage::instrumentModule(
              thestring = Str2;

            optLen = thestring.length();
+            if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }

            if (isMemcmp || isStrncmp || isStrncasecmp) {

              Value *      op2 = callInst->getArgOperand(2);
              ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+
              if (ilen) {

                uint64_t literalLength = optLen;
                optLen = ilen->getZExtValue();
+                if (optLen < 2) { continue; }
                if (literalLength + 1 == optLen) {  // add null byte
                  thestring.append("\0", 1);
                  addedNull = true;
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@ -521,14 +521,18 @@ bool AFLdict2filePass::runOnModule(Module &M) {

          optLen = thestring.length();

+          if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
+
          if (isMemcmp || isStrncmp || isStrncasecmp) {

            Value *      op2 = callInst->getArgOperand(2);
            ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+
            if (ilen) {

              uint64_t literalLength = optLen;
              optLen = ilen->getZExtValue();
+              if (optLen < 2) { continue; }
              if (literalLength + 1 == optLen) {  // add null byte
                thestring.append("\0", 1);
                addedNull = true;
--- a/instrumentation/afl-llvm-lto-instrumentation.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc
@ -635,15 +635,18 @@ bool AFLLTOPass::runOnModule(Module &M) {
              thestring = Str2;

            optLen = thestring.length();
+            if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }

            if (isMemcmp || isStrncmp || isStrncasecmp) {

              Value *      op2 = callInst->getArgOperand(2);
              ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
+
              if (ilen) {

                uint64_t literalLength = optLen;
                optLen = ilen->getZExtValue();
+                if (optLen < 2) { continue; }
                if (literalLength + 1 == optLen) {  // add null byte
                  thestring.append("\0", 1);
                  addedNull = true;
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@ -316,7 +316,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
              uint64_t len = ilen->getZExtValue();
              // if len is zero this is a pointless call but allow real
              // implementation to worry about that
-              if (!len) continue;
+              if (len < 2) continue;

              if (isMemcmp) {

@ -420,8 +420,15 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,

    }

+    if (TmpConstStr.length() < 2 ||
+        (TmpConstStr.length() == 2 && !TmpConstStr[1])) {
+
+      continue;
+
+    }
+
    // add null termination character implicit in c strings
-    if (TmpConstStr[TmpConstStr.length() - 1] != 0) {
+    if (!isMemcmp && TmpConstStr[TmpConstStr.length() - 1]) {

      TmpConstStr.append("\0", 1);