more code format

2025-06-14 19:08:08 +00:00 · 2020-03-09 08:30:28 +01:00
parent 0581f6ec00
commit 36ce9c1fb9
13 changed files with 143 additions and 127 deletions
--- a/examples/custom_mutators/example.c
+++ b/examples/custom_mutators/example.c
@ -38,16 +38,15 @@ void afl_custom_init(unsigned int seed) {
 *     produce data larger than max_size.
 * @return Size of the mutated output.
 */
-size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size,
+size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size, uint8_t *add_buf,
-                       uint8_t *add_buf,size_t add_buf_size, // add_buf can be NULL
+                       size_t add_buf_size,  // add_buf can be NULL
                       size_t max_size) {
  // Make sure that the packet size does not exceed the maximum size expected by
  // the fuzzer
  size_t mutated_size = data_size <= max_size ? data_size : max_size;
-  if (mutated_size > buf_size)
+  if (mutated_size > buf_size) *buf = realloc(*buf, mutated_size);
    *buf = realloc(*buf, mutated_size);
  uint8_t *mutated_out = *buf;
@ -172,8 +171,10 @@ void afl_custom_trim(uint8_t **out_buf, size_t* out_buf_size) {
 int afl_custom_post_trim(int success) {
  if (success) {
    ++cur_step;
    return cur_step;
  }
  return trimmming_steps;
@ -193,7 +194,8 @@ int afl_custom_post_trim(int success) {
 *     not produce data larger than max_size.
 * @return Size of the mutated output.
 */
-size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size) {
+size_t afl_custom_havoc_mutation(uint8_t **buf, size_t buf_size,
                                 size_t max_size) {
  if (buf_size == 0) {
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -461,6 +461,7 @@ extern s32 cmplog_child_pid, cmplog_forksrv_pid;
 /* Custom mutators */
 struct custom_mutator {
  const char* name;
  void*       dh;
@ -485,8 +486,8 @@ struct custom_mutator {
   * @param[in] buf_size Size of the input/output data
   * @param[in] add_buf Buffer containing the additional test case
   * @param[in] add_buf_size Size of the additional test case
-   * @param[in] max_size Maximum size of the mutated output. The mutation must not
+   * @param[in] max_size Maximum size of the mutated output. The mutation must
-   *     produce data larger than max_size.
+   * not produce data larger than max_size.
   * @return Size of the mutated output.
   */
  size_t (*afl_custom_fuzz)(u8** buf, size_t buf_size, u8* add_buf,
@ -574,7 +575,8 @@ struct custom_mutator {
   *     not produce data larger than max_size.
   * @return Size of the mutated output.
   */
-  size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size, size_t max_size);
+  size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size,
                                      size_t max_size);
  /**
   * Return the probability (in percentage) that afl_custom_havoc_mutation
@ -609,6 +611,7 @@ struct custom_mutator {
   */
  void (*afl_custom_queue_new_entry)(const u8* filename_new_queue,
                                     const u8* filename_orig_queue);
 };
 extern struct custom_mutator* mutator;
--- a/include/envs.h
+++ b/include/envs.h
@ -1,11 +1,10 @@
 const char *afl_environment_variables[] = {
    "AFL_ALIGNED_ALLOC", "AFL_ALLOW_TMP", "AFL_ANALYZE_HEX", "AFL_AS",
-    "AFL_AUTORESUME",
+    "AFL_AUTORESUME", "AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE",
-    "AFL_AS_FORCE_INSTRUMENT", "AFL_BENCH_JUST_ONE", "AFL_BENCH_UNTIL_CRASH",
+    "AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CMIN_ALLOW_ANY",
-    "AFL_CAL_FAST", "AFL_CC", "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY",
+    "AFL_CMIN_CRASHES_ONLY", "AFL_CODE_END", "AFL_CODE_START",
-    "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME",
+    "AFL_COMPCOV_BINNAME", "AFL_COMPCOV_LEVEL", "AFL_CUSTOM_MUTATOR_LIBRARY",
    "AFL_COMPCOV_LEVEL", "AFL_CUSTOM_MUTATOR_LIBRARY",
    "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CXX", "AFL_DEBUG", "AFL_DEBUG_CHILD_OUTPUT",
    //"AFL_DEFER_FORKSRV", // not implemented anymore, so warn additionally
    "AFL_DISABLE_TRIM", "AFL_DONT_OPTIMIZE", "AFL_DUMB_FORKSRV",
@ -19,21 +18,19 @@ const char *afl_environment_variables[] = {
    "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS",
    "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES",
    "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY",
-    "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID",
+    "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH",
-    "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV",
+    "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI",
    "AFL_NO_UI",
    "AFL_NO_X86",  // not really an env but we dont want to warn on it
    "AFL_PATH", "AFL_PERFORMANCE_FILE",
    //"AFL_PERSISTENT", // not implemented anymore, so warn additionally
-    "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE",
+    "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV",
-    "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS",
+    "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE",
-    "AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR",
+    "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_CNT",
-    "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR",
+    "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK",
-    "AFL_QEMU_PERSISTENT_HOOK", "AFL_QEMU_PERSISTENT_RET",
+    "AFL_QEMU_PERSISTENT_RET", "AFL_QEMU_PERSISTENT_RETADDR_OFFSET",
-    "AFL_QEMU_PERSISTENT_RETADDR_OFFSET", "AFL_QUIET",
+    "AFL_QUIET", "AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH",
-    "AFL_RANDOM_ALLOC_CANARY", "AFL_REAL_PATH", "AFL_SHUFFLE_QUEUE",
+    "AFL_SHUFFLE_QUEUE", "AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ",
-    "AFL_SKIP_BIN_CHECK", "AFL_SKIP_CPUFREQ", "AFL_SKIP_CRASHES",
+    "AFL_SKIP_CRASHES", "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE",
-    "AFL_TMIN_EXACT", "AFL_TMPDIR", "AFL_TOKEN_FILE", "AFL_TRACE_PC",
+    "AFL_TRACE_PC", "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC",
-    "AFL_USE_ASAN", "AFL_USE_MSAN", "AFL_USE_TRACE_PC", "AFL_USE_UBSAN",
+    "AFL_USE_UBSAN", "AFL_WINE_PATH", NULL};
    "AFL_WINE_PATH", NULL};
--- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
+++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
@ -217,3 +217,4 @@ void HELPER(afl_cmplog_rtn)(CPUX86State *env) {
                   ptr2, 32);
 }
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -1036,7 +1036,8 @@ static void handle_existing_out_dir(void) {
    fclose(f);
-    /* Autoresume treats a normal run as in_place_resume if a valid out dir already exists */
+    /* Autoresume treats a normal run as in_place_resume if a valid out dir
     * already exists */
    if (!in_place_resume && autoresume) {
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@ -36,6 +36,7 @@ void setup_custom_mutator(void) {
  u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY");
  if (fn) {
    if (limit_time_sig)
      FATAL(
          "MOpt and custom mutator are mutually exclusive. We accept pull "
@ -45,6 +46,7 @@ void setup_custom_mutator(void) {
    load_custom_mutator(fn);
    return;
  }
  /* Try Python module */
@ -65,6 +67,7 @@ void setup_custom_mutator(void) {
    load_custom_mutator_py(module_name);
  }
 #else
  if (getenv("AFL_PYTHON_MODULE"))
    FATAL("Your AFL binary was built without Python support");
@ -75,16 +78,20 @@ void setup_custom_mutator(void) {
 void destroy_custom_mutator(void) {
  if (mutator) {
    if (mutator->dh)
      dlclose(mutator->dh);
    else {
      /* Python mutator */
 #ifdef USE_PYTHON
      finalize_py_module();
 #endif
    }
    ck_free(mutator);
  }
 }
@ -104,8 +111,7 @@ void load_custom_mutator(const char* fn) {
  /* Mutator */
  /* "afl_custom_init", optional for backward compatibility */
  mutator->afl_custom_init = dlsym(dh, "afl_custom_init");
-  if (!mutator->afl_custom_init)
+  if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found.");
    WARNF("Symbol 'afl_custom_init' not found.");
  /* "afl_custom_fuzz" or "afl_custom_mutator", required */
  mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz");
@ -133,8 +139,7 @@ void load_custom_mutator(const char* fn) {
  /* "afl_custom_trim", optional */
  mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim");
-  if (!mutator->afl_custom_trim)
+  if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found.");
    WARNF("Symbol 'afl_custom_trim' not found.");
  /* "afl_custom_post_trim", optional */
  mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim");
@ -158,7 +163,8 @@ void load_custom_mutator(const char* fn) {
    WARNF("Symbol 'afl_custom_havoc_mutation' not found.");
  /* "afl_custom_havoc_mutation", optional */
-  mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability");
+  mutator->afl_custom_havoc_mutation_probability =
      dlsym(dh, "afl_custom_havoc_mutation_probability");
  if (!mutator->afl_custom_havoc_mutation_probability)
    WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found.");
@ -175,8 +181,7 @@ void load_custom_mutator(const char* fn) {
  OKF("Custom mutator '%s' installed successfully.", fn);
  /* Initialize the custom mutator */
-  if (mutator->afl_custom_init)
+  if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF));
    mutator->afl_custom_init(UR(0xFFFFFFFF));
 }
@ -309,8 +314,7 @@ void load_custom_mutator_py(const char* module_name) {
  mutator->name = module_name;
  ACTF("Loading Python mutator library from '%s'...", module_name);
-  if (py_functions[PY_FUNC_INIT])
+  if (py_functions[PY_FUNC_INIT]) mutator->afl_custom_init = init_py;
    mutator->afl_custom_init = init_py;
  /* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator
     is quite different from the custom mutator. */
@ -325,14 +329,14 @@ void load_custom_mutator_py(const char* module_name) {
  if (py_functions[PY_FUNC_POST_TRIM])
    mutator->afl_custom_post_trim = post_trim_py;
-  if (py_functions[PY_FUNC_TRIM])
+  if (py_functions[PY_FUNC_TRIM]) mutator->afl_custom_trim = trim_py;
    mutator->afl_custom_trim = trim_py;
  if (py_functions[PY_FUNC_HAVOC_MUTATION])
    mutator->afl_custom_havoc_mutation = havoc_mutation_py;
  if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY])
-    mutator->afl_custom_havoc_mutation_probability = havoc_mutation_probability_py;
+    mutator->afl_custom_havoc_mutation_probability =
        havoc_mutation_probability_py;
  if (py_functions[PY_FUNC_QUEUE_GET])
    mutator->afl_custom_queue_get = queue_get_py;
@ -343,8 +347,9 @@ void load_custom_mutator_py(const char* module_name) {
  OKF("Python mutator '%s' installed successfully.", module_name);
  /* Initialize the custom mutator */
-  if (mutator->afl_custom_init)
+  if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF));
    mutator->afl_custom_init(UR(0xFFFFFFFF));
 }
 #endif
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@ -359,8 +359,7 @@ u8 fuzz_one_original(char** argv) {
    /* The custom mutator will decide to skip this test case or not. */
-    if (!mutator->afl_custom_queue_get(queue_cur->fname))
+    if (!mutator->afl_custom_queue_get(queue_cur->fname)) return 1;
      return 1;
  }
@ -1598,9 +1597,8 @@ custom_mutator_stage:
    ck_read(fd, new_buf, target->len, target->fname);
    close(fd);
-    size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len,
+    size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len, new_buf,
-                                                   new_buf, target->len,
+                                                   target->len, max_seed_size);
                                                   max_seed_size);
    ck_free(new_buf);
@ -1694,7 +1692,9 @@ havoc_stage:
    stacked_custom_prob = mutator->afl_custom_havoc_mutation_probability();
    if (stacked_custom_prob > 100)
-      FATAL("The probability returned by afl_custom_havoc_mutation_propability has to be in the range 0-100.");
+      FATAL(
          "The probability returned by afl_custom_havoc_mutation_propability "
          "has to be in the range 0-100.");
  }
@ -1711,8 +1711,8 @@ havoc_stage:
      if (stacked_custom && UR(100) < stacked_custom_prob) {
-        temp_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len,
+        temp_len =
-                                                      MAX_FILE);
+            mutator->afl_custom_havoc_mutation(&out_buf, temp_len, MAX_FILE);
      }
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@ -80,6 +80,7 @@ int init_py_module(u8* module_name) {
          py_notrim = 1;
        } else if ((py_idx >= PY_FUNC_HAVOC_MUTATION) &&
                   (py_idx <= PY_FUNC_QUEUE_NEW_ENTRY)) {
          // Implenting the havoc and queue API is optional for now
@ -140,6 +141,7 @@ void finalize_py_module() {
 }
 void init_py(unsigned int seed) {
  PyObject *py_args, *py_value;
  /* Provide the init function a seed for the Python RNG */
@ -171,6 +173,7 @@ void init_py(unsigned int seed) {
    return;
  }
 }
 size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size,
@ -224,8 +227,7 @@ size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size,
  if (py_value != NULL) {
    mutated_size = PyByteArray_Size(py_value);
-    if (buf_size < mutated_size)
+    if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size);
      *buf = ck_realloc(*buf, mutated_size);
    memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
    Py_DECREF(py_value);
@ -414,8 +416,7 @@ size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) {
  if (py_value != NULL) {
    mutated_size = PyByteArray_Size(py_value);
-    if (buf_size < mutated_size)
+    if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size);
      *buf = ck_realloc(*buf, mutated_size);
    memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
@ -436,7 +437,8 @@ u8 havoc_mutation_probability_py(void) {
  PyObject *py_args, *py_value;
  py_args = PyTuple_New(0);
-  py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args);
+  py_value = PyObject_CallObject(
      py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args);
  Py_DECREF(py_args);
  if (py_value != NULL) {
@ -545,8 +547,8 @@ void queue_new_entry_py(const u8* filename_new_queue,
  PyTuple_SetItem(py_args, 1, py_value);
  // Call
-  py_value = PyObject_CallObject(py_functions[PY_FUNC_QUEUE_NEW_ENTRY],
+  py_value =
-                                 py_args);
+      PyObject_CallObject(py_functions[PY_FUNC_QUEUE_NEW_ENTRY], py_args);
  Py_DECREF(py_args);
  if (py_value == NULL) {
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -119,7 +119,8 @@ static void usage(u8* argv0, int more_help) {
      "                  if using QEMU, just use -c 0.\n\n"
      "Fuzzing behavior settings:\n"
-      "  -N            - do not unlink the fuzzing input file (only for devices etc.!)\n"
+      "  -N            - do not unlink the fuzzing input file (only for "
      "devices etc.!)\n"
      "  -d            - quick & dirty mode (skips deterministic steps)\n"
      "  -n            - fuzz without instrumentation (dumb mode)\n"
      "  -x dir        - optional fuzzer dictionary (see README.md, its really "
@ -752,8 +753,7 @@ int main(int argc, char** argv, char** envp) {
  if (get_afl_env("AFL_AUTORESUME")) {
    autoresume = 1;
-    if (in_place_resume)
+    if (in_place_resume) SAYF("AFL_AUTORESUME has no effect for '-i -'");
      SAYF("AFL_AUTORESUME has no effect for '-i -'");
  }
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@ -731,8 +731,7 @@ int main(int argc, char** argv, char** envp) {
  doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
-  if (getenv("AFL_QUIET") != NULL)
+  if (getenv("AFL_QUIET") != NULL) be_quiet = 1;
    be_quiet = 1;
  while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0)
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@ -99,7 +99,6 @@ static volatile u8 stop_soon;          /* Ctrl-C pressed?                   */
 static u8 qemu_mode;
 /*
 * forkserver section
 */
@ -826,7 +825,8 @@ finalize_all:
         "%0.02f%% (to %u byte%s)\n" cGRA "    Characters simplified : " cRST
         "%0.02f%%\n" cGRA "     Number of execs done : " cRST "%u\n" cGRA
         "          Fruitless execs : " cRST "termination=%u crash=%u\n\n",
-           100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s",
+         100 - ((double)in_len) * 100 / orig_len, in_len,
         in_len == 1 ? "" : "s",
         ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs,
         missed_paths, missed_crashes);
    return;
@ -1146,7 +1146,8 @@ int main(int argc, char** argv, char** envp) {
      case 'e':
        if (edges_only) FATAL("Multiple -e options not supported");
-        if (hang_mode) FATAL("Edges only and hang mode are mutually exclusive.");
+        if (hang_mode)
          FATAL("Edges only and hang mode are mutually exclusive.");
        edges_only = 1;
        break;
@ -1237,7 +1238,8 @@ int main(int argc, char** argv, char** envp) {
        /* Minimizes a testcase to the minimum that still times out */
        if (hang_mode) FATAL("Multipe -H options not supported");
-        if (edges_only) FATAL("Edges only and hang mode are mutually exclusive.");
+        if (edges_only)
          FATAL("Edges only and hang mode are mutually exclusive.");
        hang_mode = 1;
        break;
@ -1314,11 +1316,15 @@ int main(int argc, char** argv, char** envp) {
  run_target(use_argv, in_data, in_len, 1);
  if (hang_mode && !child_timed_out)
-    FATAL("Target binary did not time out but hang minimization mode "
+    FATAL(
-          "(-H) was set (-t %u).", exec_tmout);
+        "Target binary did not time out but hang minimization mode "
        "(-H) was set (-t %u).",
        exec_tmout);
  if (child_timed_out && !hang_mode)
-    FATAL("Target binary times out (adjusting -t may help). Use -H to minimize a hang.");
+    FATAL(
        "Target binary times out (adjusting -t may help). Use -H to minimize a "
        "hang.");
  if (hang_mode) {
`@ -217,3 +217,4 @@ void HELPER(afl_cmplog_rtn)(CPUX86State *env) {`
	`ptr2, 32);`	`ptr2, 32);`

	`}`	`}`