ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-09 00:31:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

ascii redqueen

Browse Source
This commit is contained in:
Andrea Fioraldi 2020-07-22 18:22:31 +02:00
parent a46a733dbe
commit af10c05ac3
1 changed files with 95 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
src/afl-fuzz-redqueen.c
View File

@ -262,6 +262,54 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
} }
static long long strntoll(const char *str, size_t sz, char **end, int base) {
char buf[64];
long long ret;
const char *beg = str;
for (; beg && sz && *beg == ' '; beg++, sz--)
;
if (!sz || sz >= sizeof(buf)) {
if (end)
*end = (char *)str;
return 0;
}
memcpy(buf, beg, sz);
buf[sz] = '\0';
ret = strtoll(buf, end, base);
if (ret == LLONG_MIN || ret == LLONG_MAX)
return ret;
if (end)
*end = (char *)beg + (*end - buf);
return ret;
}
static unsigned long long strntoull(const char *str, size_t sz, char **end, int base) {
char buf[64];
unsigned long long ret;
const char *beg = str;
for (; beg && sz && *beg == ' '; beg++, sz--)
;
if (!sz || sz >= sizeof(buf)) {
if (end)
*end = (char *)str;
return 0;
}
memcpy(buf, beg, sz);
buf[sz] = '\0';
ret = strtoull(buf, end, base);
if (end)
*end = (char *)beg + (*end - buf);
return ret;
}
#define BUF_PARAMS(name) (void **)&afl->name##_buf, &afl->name##_size
static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u64 pattern, u64 repl, u64 o_pattern, u32 idx, u64 pattern, u64 repl, u64 o_pattern, u32 idx,
u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse, u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse,
@ -279,7 +327,52 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u32 its_len = len - idx; u32 its_len = len - idx;
// *status = 0; // *status = 0;
if (SHAPE_BYTES(h->shape) >= 8) { u8 *endptr;
u8 use_num = 0, use_unum = 0;
unsigned long long unum;
long long num;
if (afl->queue_cur->is_ascii) {
endptr = buf_8;
num = strntoll(buf_8, len - idx, (char**)&endptr, 0);
if (endptr == buf_8) {
unum = strntoull(buf_8, len - idx, (char**)&endptr, 0);
if (endptr == buf_8)
use_unum = 1;
} else
use_num = 1;
}
if (use_num && num == pattern) {
size_t old_len = endptr - buf_8;
size_t num_len = snprintf(NULL, 0, "%lld", num);
u8* new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len);
memcpy(new_buf, buf, idx);
snprintf(new_buf +idx, num_len, "%lld", num);
memcpy(new_buf +idx +num_len, buf_8 + old_len, len - idx - old_len);
if (unlikely(its_fuzz(afl, new_buf, len, status))) { return 1; }
} else if (use_unum && unum == pattern) {
size_t old_len = endptr - buf_8;
size_t num_len = snprintf(NULL, 0, "%llu", unum);
u8* new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), len + num_len);
memcpy(new_buf, buf, idx);
snprintf(new_buf +idx, num_len, "%llu", unum);
memcpy(new_buf +idx +num_len, buf_8 + old_len, len - idx - old_len);
if (unlikely(its_fuzz(afl, new_buf, len, status))) { return 1; }
}
if (SHAPE_BYTES(h->shape) >= 8 && *status != 1) {
if (its_len >= 8 && *buf_64 == pattern && *o_buf_64 == o_pattern) { if (its_len >= 8 && *buf_64 == pattern && *o_buf_64 == o_pattern) {
@ -288,7 +381,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
*buf_64 = pattern; *buf_64 = pattern;
} }
// reverse encoding // reverse encoding
if (do_reverse && *status != 1) { if (do_reverse && *status != 1) {