fix laf string transform crash
@ -14,6 +14,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
|
|||||||
- afl-cc
|
- afl-cc
|
||||||
- fixed a crash that can occur with ASAN + CMPLOG together plus
|
- fixed a crash that can occur with ASAN + CMPLOG together plus
|
||||||
better support for unicode (thanks to @stbergmann for reporting!)
|
better support for unicode (thanks to @stbergmann for reporting!)
|
||||||
|
- fixed a crash in LAF transform for empty strings
|
||||||
- handle erroneous setups in which multiple afl-compiler-rt are
|
- handle erroneous setups in which multiple afl-compiler-rt are
|
||||||
compiled into the target. This now also supports dlopen
|
compiled into the target. This now also supports dlopen
|
||||||
instrumented libs loaded before the forkserver and even after the
|
instrumented libs loaded before the forkserver and even after the
|
||||||
|
@ -849,15 +849,18 @@ bool ModuleSanitizerCoverage::instrumentModule(
|
|||||||
thestring = Str2;
|
thestring = Str2;
|
||||||
|
|
||||||
optLen = thestring.length();
|
optLen = thestring.length();
|
||||||
|
if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
|
||||||
|
|
||||||
if (isMemcmp || isStrncmp || isStrncasecmp) {
|
if (isMemcmp || isStrncmp || isStrncasecmp) {
|
||||||
|
|
||||||
Value * op2 = callInst->getArgOperand(2);
|
Value * op2 = callInst->getArgOperand(2);
|
||||||
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
|
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
|
||||||
|
|
||||||
if (ilen) {
|
if (ilen) {
|
||||||
|
|
||||||
uint64_t literalLength = optLen;
|
uint64_t literalLength = optLen;
|
||||||
optLen = ilen->getZExtValue();
|
optLen = ilen->getZExtValue();
|
||||||
|
if (optLen < 2) { continue; }
|
||||||
if (literalLength + 1 == optLen) { // add null byte
|
if (literalLength + 1 == optLen) { // add null byte
|
||||||
thestring.append("\0", 1);
|
thestring.append("\0", 1);
|
||||||
addedNull = true;
|
addedNull = true;
|
||||||
|
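Review bot: The new guard `if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }` after `optLen = thestring.length();` carries no comment, and the same two guards are pasted verbatim into AFLdict2filePass::runOnModule (hunk at -521) and AFLLTOPass::runOnModule (hunk at -635); a one-line comment such as `// skip empty and one-character literals ("x\0" is one character plus its terminator)` on each, or a small shared helper, would keep the three passes from drifting apart. The second guard `if (optLen < 2) { continue; }` only handles an explicit length that is too small; nothing in the hunk clamps `optLen` when `ilen` is larger than `literalLength`, so if later code indexes `thestring` by `optLen` (outside this hunk) that case still needs checking. The enclosing loop and function start and end outside the hunk.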
@ -521,14 +521,18 @@ bool AFLdict2filePass::runOnModule(Module &M) {
|
|||||||
|
|
||||||
optLen = thestring.length();
|
optLen = thestring.length();
|
||||||
|
|
||||||
|
if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
|
||||||
|
|
||||||
if (isMemcmp || isStrncmp || isStrncasecmp) {
|
if (isMemcmp || isStrncmp || isStrncasecmp) {
|
||||||
|
|
||||||
Value * op2 = callInst->getArgOperand(2);
|
Value * op2 = callInst->getArgOperand(2);
|
||||||
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
|
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
|
||||||
|
|
||||||
if (ilen) {
|
if (ilen) {
|
||||||
|
|
||||||
uint64_t literalLength = optLen;
|
uint64_t literalLength = optLen;
|
||||||
optLen = ilen->getZExtValue();
|
optLen = ilen->getZExtValue();
|
||||||
|
if (optLen < 2) { continue; }
|
||||||
if (literalLength + 1 == optLen) { // add null byte
|
if (literalLength + 1 == optLen) { // add null byte
|
||||||
thestring.append("\0", 1);
|
thestring.append("\0", 1);
|
||||||
addedNull = true;
|
addedNull = true;
|
||||||
|
@ -635,15 +635,18 @@ bool AFLLTOPass::runOnModule(Module &M) {
|
|||||||
thestring = Str2;
|
thestring = Str2;
|
||||||
|
|
||||||
optLen = thestring.length();
|
optLen = thestring.length();
|
||||||
|
if (optLen < 2 || (optLen == 2 && !thestring[1])) { continue; }
|
||||||
|
|
||||||
if (isMemcmp || isStrncmp || isStrncasecmp) {
|
if (isMemcmp || isStrncmp || isStrncasecmp) {
|
||||||
|
|
||||||
Value * op2 = callInst->getArgOperand(2);
|
Value * op2 = callInst->getArgOperand(2);
|
||||||
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
|
ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
|
||||||
|
|
||||||
if (ilen) {
|
if (ilen) {
|
||||||
|
|
||||||
uint64_t literalLength = optLen;
|
uint64_t literalLength = optLen;
|
||||||
optLen = ilen->getZExtValue();
|
optLen = ilen->getZExtValue();
|
||||||
|
if (optLen < 2) { continue; }
|
||||||
if (literalLength + 1 == optLen) { // add null byte
|
if (literalLength + 1 == optLen) { // add null byte
|
||||||
thestring.append("\0", 1);
|
thestring.append("\0", 1);
|
||||||
addedNull = true;
|
addedNull = true;
|
||||||
|
@ -316,7 +316,7 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
|
|||||||
uint64_t len = ilen->getZExtValue();
|
uint64_t len = ilen->getZExtValue();
|
||||||
// if len is zero this is a pointless call but allow real
|
// if len is zero this is a pointless call but allow real
|
||||||
// implementation to worry about that
|
// implementation to worry about that
|
||||||
if (!len) continue;
|
if (len < 2) continue;
|
||||||
|
|
||||||
if (isMemcmp) {
|
if (isMemcmp) {
|
||||||
|
|
||||||
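Review bot: The comment `// if len is zero this is a pointless call but allow real implementation to worry about that` above the changed line is now stale, because the guard is `if (len < 2) continue;` and also skips single-byte compares; change it to `// if len is zero or one this is a pointless call (or a single-byte compare), so let the real implementation handle it`. transformCmps continues outside the hunk.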
@ -420,8 +420,15 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (TmpConstStr.length() < 2 ||
|
||||||
|
(TmpConstStr.length() == 2 && !TmpConstStr[1])) {
|
||||||
|
|
||||||
|
continue;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
// add null termination character implicit in c strings
|
// add null termination character implicit in c strings
|
||||||
if (TmpConstStr[TmpConstStr.length() - 1] != 0) {
|
if (!isMemcmp && TmpConstStr[TmpConstStr.length() - 1]) {
|
||||||
|
|
||||||
TmpConstStr.append("\0", 1);
|
TmpConstStr.append("\0", 1);
|
||||||
|
|
||||||
|
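Review bot: The new early exit `(TmpConstStr.length() == 2 && !TmpConstStr[1])` also applies to memcmp, whose constant operand may legitimately carry a NUL as its second byte; the later change to `if (!isMemcmp && TmpConstStr[TmpConstStr.length() - 1])` already treats NUL as data for memcmp, so the second clause probably belongs to the string-compare case only, e.g. `(!isMemcmp && TmpConstStr.length() == 2 && !TmpConstStr[1])`. Skipping such a constant loses a transformation rather than causing a crash, so it may be acceptable, but a comment stating why the `"x\0"` case is dropped would make that intent visible. The enclosing loop starts and ends outside the hunk.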