ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-09 16:51:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix heap allocation bug

Browse Source 
- Reason: `afl->out_size` is not consistent with the actual allocation
of `afl->out_buf`. The deleted line in `src/afl-fuzz-one.c` may change
`afl->out_size`, but `afl->out_buf` is not changed
This commit is contained in:
h1994st 2020-03-30 05:21:01 -04:00 committed by Dominik Maier
parent 64e1d3a975
commit 61ea398612
2 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
examples/custom_mutators/example.c
View File

@ -159,13 +159,13 @@ size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size,
uint8_t *pre_save_buf = data->pre_save_buf;
memcpy(pre_save_buf + 5, buf, buf_size);
memcpy(pre_save_buf, buf, buf_size);
size_t out_buf_size = buf_size + 5;
pre_save_buf[0] = 'A';
pre_save_buf[1] = 'F';
pre_save_buf[2] = 'L';
pre_save_buf[3] = '+';
pre_save_buf[4] = '+';
pre_save_buf[buf_size + 0] = 'A';
pre_save_buf[buf_size + 1] = 'F';
pre_save_buf[buf_size + 2] = 'L';
pre_save_buf[buf_size + 3] = '+';
pre_save_buf[buf_size + 4] = '+';
*out_buf = pre_save_buf;

4
src/afl-fuzz-one.c
View File

@ -1621,8 +1621,6 @@ custom_mutator_stage:
if (unlikely(!mutated_buf))
FATAL("Error in custom_fuzz. Size returned: %zd", mutated_size);
if (mutated_size > len) afl->out_size = mutated_size;
if (mutated_size > 0) {
if (common_fuzz_stuff(afl, mutated_buf, (u32)mutated_size)) {
@ -1650,6 +1648,8 @@ custom_mutator_stage:
}
out_buf = ck_maybe_grow(BUF_PARAMS(out), len);
// ??? (h1994st): this line may be not necessary, as we do not modify the
// content of "out_buf".
memcpy(out_buf, in_buf, len);
}