fixed potential bugs

2025-06-10 17:21:33 +00:00 · 2020-06-15 11:07:57 +02:00 · 2020-06-15 11:07:57 +02:00 · acb0a2f027
commit acb0a2f027
parent 43bbbbf4e0
2 changed files with 12 additions and 8 deletions
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@ -3846,12 +3846,13 @@ pacemaker_fuzzing:
             is redundant, or if its entire span has no bytes set in the
             effector map. */

+          /* AFLpp: in puppet mode, eff_map is 0. */
          if ((afl->extras_cnt > MAX_DET_EXTRAS &&
               rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) ||
              afl->extras[j].len > len - i ||
              !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) ||
-              !memchr(eff_map + EFF_APOS(i), 1,
-                      EFF_SPAN_ALEN(i, afl->extras[j].len))) {
+              (eff_map && !memchr(eff_map + EFF_APOS(i), 1,
+                      EFF_SPAN_ALEN(i, afl->extras[j].len)))) {

            afl->stage_max--;
            continue;
@ -3954,11 +3955,12 @@ pacemaker_fuzzing:
          /* See the comment in the earlier code; afl->extras are sorted by
           * size. */

+          /* AFLpp: in puppet mode, eff_map is 0. */
          if (afl->a_extras[j].len > len - i ||
              !memcmp(afl->a_extras[j].data, out_buf + i,
                      afl->a_extras[j].len) ||
-              !memchr(eff_map + EFF_APOS(i), 1,
-                      EFF_SPAN_ALEN(i, afl->a_extras[j].len))) {
+              (eff_map && !memchr(eff_map + EFF_APOS(i), 1,
+                      EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) {

            afl->stage_max--;
            continue;
@ -3984,13 +3986,15 @@ pacemaker_fuzzing:
      afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt;
      afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max;

-    skip_extras_v2:
-      new_hit_cnt = afl->queued_paths + afl->unique_crashes;
+    // AFLpp: Never read: skip_extras_v2:
+      // new_hit_cnt = afl->queued_paths + afl->unique_crashes;

    }

  }

+skip_extras_v2:
+
  afl->stage_cur_byte = -1;

  /* The havoc stage mutation code is also invoked when splicing files; if the
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@ -180,7 +180,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) {
  while (ranges) {

    rng = ranges;
-    ranges = ranges->next;
+    ranges = rng->next;
    ck_free(rng);
    rng = NULL;

@ -224,7 +224,7 @@ checksum_fail:
  while (ranges) {

    rng = ranges;
-    ranges = ranges->next;
+    ranges = rng->next;
    ck_free(rng);
    rng = NULL;