fix stdin trimming

docs/Changelog.md

@@ -20,6 +20,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     - add recording of previous fuzz attempts for persistent mode
       to allow replay of non-reproducable crashes, see
       AFL_PERSISTENT_RECORD in config.h and docs/envs.h
+    - fixed a bug when trimming for stdin targets
     - default cmplog level (-l) is now 2, better efficiency.
     - cmplog level 3 (-l 3) now performs redqueen on everything.
       use with care.

src/afl-forkserver.c

@@ -1090,7 +1090,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
 
 #endif
 
-  if (likely(fsrv->use_shmem_fuzz && fsrv->shmem_fuzz)) {
+  if (likely(fsrv->use_shmem_fuzz)) {
 
     if (unlikely(len > MAX_FILE)) len = MAX_FILE;
 

src/afl-fuzz-run.c

@@ -203,7 +203,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
   }
 
-  if (afl->fsrv.shmem_fuzz) {
+  if (likely(afl->fsrv.use_shmem_fuzz)) {
 
     if (!post_process_skipped) {
 
@@ -211,9 +211,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
       memcpy(afl->fsrv.shmem_fuzz, new_mem, new_size);
 
-    }
+    } else {
-
-    else {
 
       memcpy(afl->fsrv.shmem_fuzz, mem, skip_at);
 
@@ -244,7 +242,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
     return;
 
-  } else if (afl->fsrv.out_file) {
+  } else if (unlikely(!afl->fsrv.use_stdin)) {
 
     if (unlikely(afl->no_unlink)) {
 
@@ -279,7 +277,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
   }
 
-  if (!afl->fsrv.out_file) {
+  if (afl->fsrv.use_stdin) {
 
     if (ftruncate(fd, new_size)) { PFATAL("ftruncate() failed"); }
     lseek(fd, 0, SEEK_SET);

utils/afl_proxy/afl-proxy.c

@@ -195,10 +195,7 @@ static u32 __afl_next_testcase(u8 *buf, u32 max_len) {
   /* report that we are starting the target */
   if (write(FORKSRV_FD + 1, &res, 4) != 4) return 0;
 
-  if (status < 1)
+  return status;
-    return 0;
-  else
-    return status;
 
 }
 
@@ -216,7 +213,7 @@ int main(int argc, char *argv[]) {
 
   /* This is were the testcase data is written into */
   u8  buf[1024];  // this is the maximum size for a test case! set it!
-  u32 len;
+  s32 len;
 
   /* here you specify the map size you need that you are reporting to
      afl-fuzz.  Any value is fine as long as it can be divided by 32. */
@@ -228,10 +225,20 @@ int main(int argc, char *argv[]) {
 
   while ((len = __afl_next_testcase(buf, sizeof(buf))) > 0) {
 
-    /* here you have to create the magic that feeds the buf/len to the
+    if (len > 4) {  // the minimum data size you need for the target
-       target and write the coverage to __afl_area_ptr */
 
-    // ... the magic ...
+      /* here you have to create the magic that feeds the buf/len to the
+         target and write the coverage to __afl_area_ptr */
+
+      // ... the magic ...
+
+      // remove this, this is just to make afl-fuzz not complain when run
+      if (buf[0] == 0xff)
+        __afl_area_ptr[1] = 1;
+      else
+        __afl_area_ptr[2] = 2;
+
+    }
 
     /* report the test case is done and wait for the next */
     __afl_end_testcase();