fixes

include/afl-fuzz.h

@@ -506,7 +506,7 @@ typedef struct afl_state {
       var_byte_count,                   /* Bitmap bytes with var behavior   */
       current_entry,                    /* Current queue entry ID           */
       havoc_div,                        /* Cycle count divisor for havoc    */
-      taint_len;
+      taint_len, taint_count;
 
   u64 total_crashes,                    /* Total number of crashes          */
       unique_crashes,                   /* Crashes with unique signatures   */

src/afl-common.c

@@ -471,8 +471,8 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) {
 
 u64 get_cur_time(void) {
 
-  static struct timeval  tv;
+  struct timeval  tv;
-  static struct timezone tz;
+  struct timezone tz;
 
   gettimeofday(&tv, &tz);
 

src/afl-fuzz-bitmap.c

@@ -245,6 +245,8 @@ u32 count_bytes_len(afl_state_t *afl, u8 *mem, u32 len) {
 
   (void)(afl);
 
+  if (len % 4) i++;
+
   while (i--) {
 
     u32 v = *(ptr++);

src/afl-fuzz-queue.c

@@ -125,42 +125,64 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
     if (afl_fsrv_run_target(&afl->taint_fsrv, afl->fsrv.exec_tmout,
                             &afl->stop_soon) == 0) {
 
-      bytes = count_bytes_len(afl, afl->taint_fsrv.trace_bits, plen);
+      bytes = q->taint_bytes_all =
+          count_bytes_len(afl, afl->taint_fsrv.trace_bits, plen);
       if (afl->debug)
         fprintf(stderr, "Debug: tainted %u out of %u bytes\n", bytes, len);
 
-      if (bytes) {
+      /* DEBUG FIXME TODO XXX */
+      u32 i;
+      for (i = 0; i < len; i++) {
 
-        s32 i = len;
+        if (afl->taint_fsrv.trace_bits[i] &&
-        while (i > 0 && !afl->taint_fsrv.trace_bits[i - 1])
+            afl->taint_fsrv.trace_bits[i] != '!')
-          i--;
+          FATAL("invalid taint map value %02x at pos %d",
-        q->taint_bytes_highest = i;
+                afl->taint_fsrv.trace_bits[i], i);
+
+      }
+
+      if (len < plen)
+        for (i = len; i < plen; i++) {
+
+          if (afl->taint_fsrv.trace_bits[i])
+            FATAL("invalid taint map value %02x in padding at pos %d",
+                  afl->taint_fsrv.trace_bits[i], i);
 
         }
 
     }
 
-    if (((bytes * 100) / len) < 90) {
+    // if all is tainted we do not need to write taint data away
-
+    if (bytes && bytes < len) {
-      // we only use the taint havoc mode if the entry has less than 90% of
-      // overall tainted bytes
-      q->taint_bytes_all = bytes;
 
       // save the bytes away
       int w = open(q->fname_taint, O_CREAT | O_WRONLY, 0644);
       if (w >= 0) {
 
-        ck_write(w, afl->taint_fsrv.trace_bits, plen, q->fname_taint);
+        ck_write(w, afl->taint_fsrv.trace_bits, len, q->fname_taint);
         close(w);
 
+        // find the highest tainted offset in the input (for trim opt)
+        s32 i = len;
+        while (i > 0 && !afl->taint_fsrv.trace_bits[i - 1])
+          i--;
+        q->taint_bytes_highest = i;
+
+        afl->taint_count++;
+
       } else {
 
         FATAL("could not create %s", q->fname_taint);
-        bytes = 0;
+        q->taint_bytes_all = bytes = 0;
 
       }
 
-      if (bytes && prev && prev->taint_bytes_all) {
+      // it is possible that there is no main taint file - if the whole file
+      // is tainted - but a .new taint file if it had new tainted bytes
+
+      // check if there is a previous queue entry and if it had taint
+      if (bytes && prev && prev->taint_bytes_all &&
+          prev->taint_bytes_all < prev->len) {
 
         // check if there are new bytes in the taint vs the previous
         int r = open(prev->fname_taint, O_RDONLY);
@@ -181,9 +203,15 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
 
             q->taint_bytes_new = count_bytes_len(afl, tmp, plen);
 
+            if (afl->debug)
+              fprintf(stderr, "Debug: %u new taint out of %u bytes\n", bytes,
+                      len);
+
             if (q->taint_bytes_new) {
 
               u8 *fnw = alloc_printf("%s.new", q->fname_taint);
+              if (fnw) {
+
                 int w = open(fnw, O_CREAT | O_WRONLY, 0644);
                 if (w >= 0) {
 
@@ -198,6 +226,12 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
 
                 ck_free(fnw);
 
+              } else {
+
+                q->taint_bytes_new = 0;
+
+              }
+
             }
 
             munmap(bufr, prev->len);
@@ -210,10 +244,6 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
 
       }
 
-    } else {
-
-      bytes = 0;
-
     }
 
     memcpy(afl->taint_fsrv.trace_bits, save, afl->fsrv.map_size);

src/afl-fuzz-stats.c

@@ -116,6 +116,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
           "edges_found       : %u\n"
           "var_byte_count    : %u\n"
           "havoc_expansion   : %u\n"
+          "tainted_inputs    : %u\n"
           "afl_banner        : %s\n"
           "afl_version       : " VERSION
           "\n"
@@ -149,8 +150,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
 #else
           -1,
 #endif
-          t_bytes, afl->var_byte_count, afl->expand_havoc, afl->use_banner,
+          t_bytes, afl->var_byte_count, afl->expand_havoc, afl->taint_count,
-          afl->unicorn_mode ? "unicorn" : "",
+          afl->use_banner, afl->unicorn_mode ? "unicorn" : "",
           afl->fsrv.qemu_mode ? "qemu " : "",
           afl->non_instrumented_mode ? " non_instrumented " : "",
           afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",