ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-15 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

further refinement

Browse Source
This commit is contained in:
van Hauser
2020-06-22 13:48:59 +02:00
parent 07a4e6370a
commit 76a2d9b59b
4 changed files with 72 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/config.h
View File

@ -419,7 +419,7 @@
/* Maximum mutations on a string */ /* Maximum mutations on a string */
#define AFL_TXT_STRING_MAX_MUTATIONS 8 #define AFL_TXT_STRING_MAX_MUTATIONS 6
#endif /* ! _HAVE_CONFIG_H */ #endif /* ! _HAVE_CONFIG_H */

86
src/afl-fuzz-one.c
View File

@ -409,12 +409,13 @@ static u32 delim_replace(u8 **out_buf, s32 *temp_len, size_t pos,
if (ldelim_start != NULL) { if (ldelim_start != NULL) {
u32 max = (end_buf - ldelim_start - 1 > AFL_TXT_STRING_MAX_LEN ? AFL_TXT_STRING_MAX_LEN : end_buf - ldelim_start - 1); u32 max = (end_buf - ldelim_start - 1 > AFL_TXT_STRING_MAX_LEN
? AFL_TXT_STRING_MAX_LEN
: end_buf - ldelim_start - 1);
if (max > 0) { if (max > 0) {
u8 *rdelim_end = u8 *rdelim_end = strnstr(ldelim_start + 1, rdelim, max);
strnstr(ldelim_start + 1, rdelim, max);
if (rdelim_end != NULL) { if (rdelim_end != NULL) {
@ -566,14 +567,21 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) {
for (u32 i = 0; i < mutations; i++) { for (u32 i = 0; i < mutations; i++) {
if (temp_len < AFL_TXT_MIN_LEN) { return 0; } if (temp_len < AFL_TXT_MIN_LEN) {
if (yes)
return 1;
else
return 0;
}
pos = rand_below(afl, temp_len - 1); pos = rand_below(afl, temp_len - 1);
int choice = rand_below(afl, 72); int choice = rand_below(afl, 76);
switch (choice) { switch (choice) {
case 0: /* Semantic statement deletion */ case 0:
yes += string_replace(out_buf, &temp_len, pos, "\n", "\nif (0==1)\n"); yes += string_replace(out_buf, &temp_len, pos, "*", " ");
break; break;
case 1: case 1:
yes += string_replace(out_buf, &temp_len, pos, "(", "(!"); yes += string_replace(out_buf, &temp_len, pos, "(", "(!");
@ -675,10 +683,10 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) {
yes += string_replace(out_buf, &temp_len, pos, "%", "+"); yes += string_replace(out_buf, &temp_len, pos, "%", "+");
break; break;
case 34: case 34:
yes += string_replace(out_buf, &temp_len, pos, "\n", "\nbreak;\n"); yes += string_replace(out_buf, &temp_len, pos, "->", ".");
break; break;
case 35: case 35:
yes += string_replace(out_buf, &temp_len, pos, "\n", "\ncontinue;\n"); yes += string_replace(out_buf, &temp_len, pos, ".", "->");
break; break;
case 36: case 36:
yes += string_replace(out_buf, &temp_len, pos, "0", "1"); yes += string_replace(out_buf, &temp_len, pos, "0", "1");
@ -693,7 +701,7 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) {
yes += string_replace(out_buf, &temp_len, pos, "while", "if"); yes += string_replace(out_buf, &temp_len, pos, "while", "if");
break; break;
case 40: case 40:
yes += string_replace(out_buf, &temp_len, pos, "\n", "\nwhile(1==1)\n"); yes += string_replace(out_buf, &temp_len, pos, "!", " ");
break; break;
case 41: case 41:
yes += string_replace(out_buf, &temp_len, pos, "&&", "||"); yes += string_replace(out_buf, &temp_len, pos, "&&", "||");
@ -731,65 +739,74 @@ static int text_mutation(afl_state_t *afl, u8 **out_buf, s32 *orig_temp_len) {
case 52: case 52:
yes += string_replace(out_buf, &temp_len, pos, "(", "\""); yes += string_replace(out_buf, &temp_len, pos, "(", "\"");
break; break;
case 53: /* Remove a semicolon delimited statement after a semicolon */ case 53:
yes += string_replace(out_buf, &temp_len, pos, "\n", " ");
break;
case 54:
yes += string_replace(out_buf, &temp_len, pos, "\n", ";");
break;
case 55:
yes += string_replace(out_buf, &temp_len, pos, "\n", "<");
break;
case 56: /* Remove a semicolon delimited statement after a semicolon */
yes += delim_replace(out_buf, &temp_len, pos, ";", ";", ";"); yes += delim_replace(out_buf, &temp_len, pos, ";", ";", ";");
break; break;
case 54: /* Remove a semicolon delimited statement after a left curly case 57: /* Remove a semicolon delimited statement after a left curly
brace */ brace */
yes += delim_replace(out_buf, &temp_len, pos, "}", ";", "}"); yes += delim_replace(out_buf, &temp_len, pos, "}", ";", "}");
break; break;
case 55: /* Remove a curly brace construct */ case 58: /* Remove a curly brace construct */
yes += delim_replace(out_buf, &temp_len, pos, "{", "}", ""); yes += delim_replace(out_buf, &temp_len, pos, "{", "}", "");
break; break;
case 56: /* Replace a curly brace construct with an empty one */ case 59: /* Replace a curly brace construct with an empty one */
yes += delim_replace(out_buf, &temp_len, pos, "{", "}", "{}"); yes += delim_replace(out_buf, &temp_len, pos, "{", "}", "{}");
break; break;
case 57: case 60:
yes += delim_swap(out_buf, &temp_len, pos, ";", ";", ";"); yes += delim_swap(out_buf, &temp_len, pos, ";", ";", ";");
break; break;
case 58: case 61:
yes += delim_swap(out_buf, &temp_len, pos, "}", ";", ";"); yes += delim_swap(out_buf, &temp_len, pos, "}", ";", ";");
break; break;
case 59: /* Swap comma delimited things case 1 */ case 62: /* Swap comma delimited things case 1 */
yes += delim_swap(out_buf, &temp_len, pos, "(", ",", ")"); yes += delim_swap(out_buf, &temp_len, pos, "(", ",", ")");
break; break;
case 60: /* Swap comma delimited things case 2 */ case 63: /* Swap comma delimited things case 2 */
yes += delim_swap(out_buf, &temp_len, pos, "(", ",", ","); yes += delim_swap(out_buf, &temp_len, pos, "(", ",", ",");
break; break;
case 61: /* Swap comma delimited things case 3 */ case 64: /* Swap comma delimited things case 3 */
yes += delim_swap(out_buf, &temp_len, pos, ",", ",", ","); yes += delim_swap(out_buf, &temp_len, pos, ",", ",", ",");
break; break;
case 62: /* Swap comma delimited things case 4 */ case 65: /* Swap comma delimited things case 4 */
yes += delim_swap(out_buf, &temp_len, pos, ",", ",", ")"); yes += delim_swap(out_buf, &temp_len, pos, ",", ",", ")");
break; break;
case 63: /* Just delete a line */ case 66: /* Just delete a line */
yes += delim_replace(out_buf, &temp_len, pos, "\n", "\n", ""); yes += delim_replace(out_buf, &temp_len, pos, "\n", "\n", "");
break; break;
case 64: /* Delete something like "const" case 1 */ case 67: /* Delete something like "const" case 1 */
yes += delim_replace(out_buf, &temp_len, pos, " ", " ", ""); yes += delim_replace(out_buf, &temp_len, pos, " ", " ", "");
break; break;
case 65: /* Delete something like "const" case 2 */ case 68: /* Delete something like "const" case 2 */
yes += delim_replace(out_buf, &temp_len, pos, "\n", " ", ""); yes += delim_replace(out_buf, &temp_len, pos, "\n", " ", "");
break; break;
case 66: /* Delete something like "const" case 3 */ case 69: /* Delete something like "const" case 3 */
yes += delim_replace(out_buf, &temp_len, pos, "(", " ", ""); yes += delim_replace(out_buf, &temp_len, pos, "(", " ", "");
break; break;
case 67: /* Swap space delimited things case 1 */ case 70: /* Swap space delimited things case 1 */
yes += delim_swap(out_buf, &temp_len, pos, " ", " ", " "); yes += delim_swap(out_buf, &temp_len, pos, " ", " ", " ");
break; break;
case 68: /* Swap space delimited things case 2 */ case 71: /* Swap space delimited things case 2 */
yes += delim_swap(out_buf, &temp_len, pos, " ", " ", ")"); yes += delim_swap(out_buf, &temp_len, pos, " ", " ", ")");
break; break;
case 69: /* Swap space delimited things case 3 */ case 72: /* Swap space delimited things case 3 */
yes += delim_swap(out_buf, &temp_len, pos, "(", " ", " "); yes += delim_swap(out_buf, &temp_len, pos, "(", " ", " ");
break; break;
case 70: /* Swap space delimited things case 4 */ case 73: /* Swap space delimited things case 4 */
yes += delim_swap(out_buf, &temp_len, pos, "(", " ", ")"); yes += delim_swap(out_buf, &temp_len, pos, "(", " ", ")");
break; break;
case 71: /* Duplicate a single line of code */ case 74: /* Duplicate a single line of code */
yes += delim_replace(out_buf, &temp_len, pos, "\n", "\n", NULL); yes += delim_replace(out_buf, &temp_len, pos, "\n", "\n", NULL);
break; break;
case 72: /* Duplicate a construct (most often, a non-nested for loop */ case 75: /* Duplicate a construct (most often, a non-nested for loop */
yes += delim_replace(out_buf, &temp_len, pos, "\n", "}", NULL); yes += delim_replace(out_buf, &temp_len, pos, "\n", "}", NULL);
break; break;
@ -2720,10 +2737,11 @@ havoc_stage:
// ascii mutations // ascii mutations
if (text_mutation(afl, &out_buf, &temp_len) == 0) goto retry_havoc; if (text_mutation(afl, &out_buf, &temp_len) == 0) goto retry_havoc;
//#ifdef _AFL_DOCUMENT_MUTATIONS //#ifdef _AFL_DOCUMENT_MUTATIONS
// fprintf(stderr, "MUTATED: %s/mutations/%09u:*\n", afl->out_dir, // fprintf(stderr, "MUTATED: %s/mutations/%09u:*\n",
// afl->document_counter); // afl->out_dir,
//#endif // afl->document_counter);
//#endif
} }

16
src/afl-fuzz-queue.c
View File

@ -107,7 +107,7 @@ static u8 check_if_text(struct queue_entry *q) {
if (q->len < AFL_TXT_MIN_LEN) return 0; if (q->len < AFL_TXT_MIN_LEN) return 0;
u8 buf[MAX_FILE]; u8 buf[MAX_FILE], bom[3] = {0xef, 0xbb, 0xbf};
s32 fd, len = q->len, offset = 0, ascii = 0, utf8 = 0, comp; s32 fd, len = q->len, offset = 0, ascii = 0, utf8 = 0, comp;
if ((fd = open(q->fname, O_RDONLY)) < 0) return 0; if ((fd = open(q->fname, O_RDONLY)) < 0) return 0;
@ -189,6 +189,17 @@ static u8 check_if_text(struct queue_entry *q) {
} }
// handle utf8 bom
if (buf[offset + 0] == bom[0] && buf[offset + 1] == bom[1] &&
buf[offset + 2] == bom[2]) {
offset += 3;
utf8++;
comp -= 2;
continue;
}
offset++; offset++;
} }
@ -198,8 +209,7 @@ static u8 check_if_text(struct queue_entry *q) {
if (percent_utf8 >= percent_ascii && percent_utf8 >= AFL_TXT_MIN_PERCENT) if (percent_utf8 >= percent_ascii && percent_utf8 >= AFL_TXT_MIN_PERCENT)
return 2; return 2;
if (percent_ascii >= AFL_TXT_MIN_PERCENT) if (percent_ascii >= AFL_TXT_MIN_PERCENT) return 1;
return 1;
return 0; return 0;
} }