support post_process's own return buffer

2025-06-14 11:08:06 +00:00 · 2022-05-09 13:18:14 +02:00
parent 47dae21f4a
commit 51942b605d
7 changed files with 35 additions and 26 deletions
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -1099,7 +1099,7 @@ int  statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen);
 /* Run */
 void sync_fuzzers(afl_state_t *);
-u32  write_to_testcase(afl_state_t *, void *, u32, u32);
+u32  write_to_testcase(afl_state_t *, void **, u32, u32);
 u8   calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8);
 u8   trim_case(afl_state_t *, struct queue_entry *, u8 *);
 u8   common_fuzz_stuff(afl_state_t *, u8 *, u32);
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@ -648,7 +648,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
      if (afl->fsrv.exec_tmout < afl->hang_tmout) {
        u8 new_fault;
-        len = write_to_testcase(afl, mem, len, 0);
+        len = write_to_testcase(afl, &mem, len, 0);
        new_fault = fuzz_run_target(afl, &afl->fsrv, afl->hang_tmout);
        classify_counts(&afl->fsrv);
--- a/src/afl-fuzz-cmplog.c
+++ b/src/afl-fuzz-cmplog.c
@ -49,7 +49,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
  u8 fault;
-  write_to_testcase(afl, out_buf, len, 0);
+  write_to_testcase(afl, (void **)&out_buf, len, 0);
  fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout);
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -617,7 +617,7 @@ void read_foreign_testcases(afl_state_t *afl, int first) {
        }
-        u32 len = write_to_testcase(afl, mem, st.st_size, 1);
+        u32 len = write_to_testcase(afl, (void **)&mem, st.st_size, 1);
        fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
        afl->syncing_party = foreign_name;
        afl->queued_imported += save_if_interesting(afl, mem, len, fault);
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@ -428,7 +428,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
    if (likely(retlen)) {
-      retlen = write_to_testcase(afl, retbuf, retlen, 0);
+      retlen = write_to_testcase(afl, (void **)&retbuf, retlen, 0);
      fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
      ++afl->trim_execs;
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -74,7 +74,7 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
   rewound and truncated. */
 u32 __attribute__((hot))
-write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) {
+write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {
 #ifdef _AFL_DOCUMENT_MUTATIONS
  s32  doc_fd;
@ -86,7 +86,7 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) {
  if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >=
      0) {
-    if (write(doc_fd, mem, len) != len)
+    if (write(doc_fd, *mem, len) != len)
      PFATAL("write to mutation file failed: %s", fn);
    close(doc_fd);
@ -97,7 +97,7 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) {
  if (unlikely(afl->custom_mutators_count)) {
    ssize_t new_size = len;
-    u8 *    new_mem = mem;
+    u8 *    new_mem = *mem;
    u8 *    new_buf = NULL;
    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
@ -130,8 +130,15 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) {
    }
    if (new_mem != *mem) {
      *mem = afl_realloc(mem, new_size);
      memcpy(*mem, new_mem, new_size);
    }
    /* everything as planned. use the potentially new data. */
-    afl_fsrv_write_to_testcase(&afl->fsrv, new_mem, new_size);
+    afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size);
    len = new_size;
  } else {
@ -147,7 +154,7 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) {
    }
    /* boring uncustom. */
-    afl_fsrv_write_to_testcase(&afl->fsrv, mem, len);
+    afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len);
  }
@ -370,7 +377,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
  /* we need a dummy run if this is LTO + cmplog */
  if (unlikely(afl->shm.cmplog_mode)) {
-    (void)write_to_testcase(afl, use_mem, q->len, 1);
+    (void)write_to_testcase(afl, (void **)&use_mem, q->len, 1);
    fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
@ -413,7 +420,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
    u64 cksum;
-    (void)write_to_testcase(afl, use_mem, q->len, 1);
+    (void)write_to_testcase(afl, (void **)&use_mem, q->len, 1);
    fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
@ -724,7 +731,7 @@ void sync_fuzzers(afl_state_t *afl) {
        /* See what happens. We rely on save_if_interesting() to catch major
           errors and save the test case. */
-        (void)write_to_testcase(afl, mem, st.st_size, 1);
+        (void)write_to_testcase(afl, (void **)&mem, st.st_size, 1);
        fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
@ -967,7 +974,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
  u8 fault;
-  len = write_to_testcase(afl, out_buf, len, 0);
+  len = write_to_testcase(afl, (void **)&out_buf, len, 0);
  fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@ -163,34 +163,36 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
  so we do this worse workaround */
  snprintf(shm->g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random());
-#ifdef SHM_LARGEPAGE_ALLOC_DEFAULT
+  #ifdef SHM_LARGEPAGE_ALLOC_DEFAULT
-  /* trying to get large memory segment optimised and monitorable separately as such */
+  /* trying to get large memory segment optimised and monitorable separately as
   * such */
  static size_t sizes[4] = {(size_t)-1};
-  static int psizes = 0;
+  static int    psizes = 0;
-  int i;
+  int           i;
  if (sizes[0] == (size_t)-1) { psizes = getpagesizes(sizes, 4); }
  /* very unlikely to fail even if the arch supports only two sizes */
  if (likely(psizes > 0)) {
-      for (i = psizes - 1; shm->g_shm_fd == -1 && i >= 0; --i) {
+    for (i = psizes - 1; shm->g_shm_fd == -1 && i >= 0; --i) {
-          if (sizes[i] == 0 || map_size % sizes[i]) { continue; }
+      if (sizes[i] == 0 || map_size % sizes[i]) { continue; }
-          shm->g_shm_fd = shm_create_largepage(shm->g_shm_file_path, shmflags, i,
+      shm->g_shm_fd =
-                             SHM_LARGEPAGE_ALLOC_DEFAULT, DEFAULT_PERMISSION);
+          shm_create_largepage(shm->g_shm_file_path, shmflags, i,
                               SHM_LARGEPAGE_ALLOC_DEFAULT, DEFAULT_PERMISSION);
-      }
+    }
  }
 #endif
  #endif
  /* create the shared memory segment as if it was a file */
  if (shm->g_shm_fd == -1) {
-      shm->g_shm_fd = shm_open(shm->g_shm_file_path, shmflags | O_CREAT,
+    shm->g_shm_fd =
-                               DEFAULT_PERMISSION);
+        shm_open(shm->g_shm_file_path, shmflags | O_CREAT, DEFAULT_PERMISSION);
  }