ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

unified pointer placement

Browse Source
This commit is contained in:
Dominik Maier
2020-03-10 22:04:05 +01:00
parent 2832cb643d
commit cc1d6b33b1
46 changed files with 1040 additions and 1043 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.clang-format
View File

@ -52,7 +52,7 @@ ConstructorInitializerAllOnOneLineOrOnePerLine: true
ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4
Cpp11BracedListStyle: true
DerivePointerAlignment: true
DerivePointerAlignment: false
DisableFormat: false
ExperimentalAutoDetectBinPacking: false
FixNamespaceComments: true

6
examples/argv_fuzzing/argv-fuzz-inl.h
View File

@ -55,12 +55,12 @@
#define MAX_CMDLINE_LEN 100000
#define MAX_CMDLINE_PAR 50000
static char** afl_init_argv(int* argc) {
static char **afl_init_argv(int *argc) {
static char in_buf[MAX_CMDLINE_LEN];
static char* ret[MAX_CMDLINE_PAR];
static char *ret[MAX_CMDLINE_PAR];
char* ptr = in_buf;
char *ptr = in_buf;
int rc = 0;
if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {}

2
examples/persistent_demo/persistent_demo.c
View File

@ -30,7 +30,7 @@
/* Main entry point. */
int main(int argc, char** argv) {
int main(int argc, char **argv) {
ssize_t len; /* how much input did we read? */
char buf[100]; /* Example-only buffer, you'd replace it with other global or

8
examples/post_library/post_library.so.c
View File

@ -76,11 +76,11 @@
/* The actual postprocessor routine called by afl-fuzz: */
const unsigned char* afl_postprocess(const unsigned char* in_buf,
unsigned int* len) {
const unsigned char *afl_postprocess(const unsigned char *in_buf,
unsigned int *len) {
static unsigned char* saved_buf;
unsigned char* new_buf;
static unsigned char *saved_buf;
unsigned char *new_buf;
/* Skip execution altogether for buffers shorter than 6 bytes (just to
show how it's done). We can trust *len to be sane. */

14
examples/post_library/post_library_png.so.c
View File

@ -35,13 +35,13 @@
#define UP4K(_i) ((((_i) >> 12) + 1) << 12)
const unsigned char* afl_postprocess(const unsigned char* in_buf,
unsigned int* len) {
const unsigned char *afl_postprocess(const unsigned char *in_buf,
unsigned int * len) {
static unsigned char* saved_buf;
static unsigned char *saved_buf;
static unsigned int saved_len;
unsigned char* new_buf = (unsigned char*)in_buf;
unsigned char *new_buf = (unsigned char *)in_buf;
unsigned int pos = 8;
/* Don't do anything if there's not enough room for the PNG header
@ -58,7 +58,7 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
/* Chunk length is the first big-endian dword in the chunk. */
chunk_len = ntohl(*(uint32_t*)(in_buf + pos));
chunk_len = ntohl(*(uint32_t *)(in_buf + pos));
/* Bail out if chunk size is too big or goes past EOF. */
@ -71,7 +71,7 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
/* The in-file checksum is the last dword past the chunk data. */
file_cksum = *(uint32_t*)(in_buf + pos + 8 + chunk_len);
file_cksum = *(uint32_t *)(in_buf + pos + 8 + chunk_len);
/* If the checksums do not match, we need to fix the file. */
@ -98,7 +98,7 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
}
*(uint32_t*)(new_buf + pos + 8 + chunk_len) = real_cksum;
*(uint32_t *)(new_buf + pos + 8 + chunk_len) = real_cksum;
}

4
examples/qemu_persistent_hook/read_into_rdi.c
View File

@ -2,7 +2,7 @@
#include <stdio.h>
#include <unistd.h>
#define g2h(x) ((void*)((unsigned long)(x) + guest_base))
#define g2h(x) ((void *)((unsigned long)(x) + guest_base))
#define h2g(x) ((uint64_t)(x)-guest_base)
enum {
@ -35,7 +35,7 @@ enum {
};
void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) {
void afl_persistent_hook(uint64_t *regs, uint64_t guest_base) {
// In this example the register RDI is pointing to the memory location
// of the target buffer, and the length of the input is in RAX.

32
gcc_plugin/afl-gcc-fast.c
View File

@ -37,17 +37,17 @@
#include <stdlib.h>
#include <string.h>
static u8* obj_path; /* Path to runtime libraries */
static u8** cc_params; /* Parameters passed to the real CC */
static u8 *obj_path; /* Path to runtime libraries */
static u8 **cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
u8 use_stdin = 0; /* dummy */
u8 be_quiet;
/* Try to find the runtime libraries. If that fails, abort. */
static void find_obj(u8* argv0) {
static void find_obj(u8 *argv0) {
u8* afl_path = getenv("AFL_PATH");
u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp;
if (afl_path) {
@ -70,7 +70,7 @@ static void find_obj(u8* argv0) {
if (slash) {
u8* dir;
u8 *dir;
*slash = 0;
dir = ck_strdup(argv0);
@ -106,12 +106,12 @@ static void find_obj(u8* argv0) {
/* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) {
static void edit_params(u32 argc, char **argv) {
u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1;
u8* name;
u8 *name;
cc_params = ck_alloc((argc + 128) * sizeof(u8*));
cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
name = strrchr(argv[0], '/');
if (!name)
@ -121,17 +121,17 @@ static void edit_params(u32 argc, char** argv) {
if (!strcmp(name, "afl-g++-fast")) {
u8* alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)AFL_GCC_CXX;
u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8 *)AFL_GCC_CXX;
} else {
u8* alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)AFL_GCC_CC;
u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8 *)AFL_GCC_CC;
}
char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
char *fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
cc_params[cc_par_cnt++] = fplugin_arg;
/* Detect stray -v calls from ./configure scripts. */
@ -140,7 +140,7 @@ static void edit_params(u32 argc, char** argv) {
while (--argc) {
u8* cur = *(++argv);
u8 *cur = *(++argv);
#if defined(__x86_64__)
if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported");
@ -297,7 +297,7 @@ static void edit_params(u32 argc, char** argv) {
/* Main entry point */
int main(int argc, char** argv, char** envp) {
int main(int argc, char **argv, char **envp) {
if (argc < 2 || strcmp(argv[1], "-h") == 0) {
@ -378,7 +378,7 @@ int main(int argc, char** argv, char** envp) {
}
*/
execvp(cc_params[0], (char**)cc_params);
execvp(cc_params[0], (char **)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);

2
gcc_plugin/afl-gcc-rt.o.c
View File

@ -86,7 +86,7 @@ static void __afl_map_shm(void) {
if (id_str) {
#ifdef USEMMAP
const char * shm_file_path = id_str;
const char *shm_file_path = id_str;
int shm_fd = -1;
unsigned char *shm_base = NULL;

6
include/afl-as.h
View File

@ -108,7 +108,7 @@
*/
static const u8* trampoline_fmt_32 =
static const u8 *trampoline_fmt_32 =
"\n"
"/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
@ -131,7 +131,7 @@ static const u8* trampoline_fmt_32 =
"/* --- END --- */\n"
"\n";
static const u8* trampoline_fmt_64 =
static const u8 *trampoline_fmt_64 =
"\n"
"/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
@ -152,7 +152,7 @@ static const u8* trampoline_fmt_64 =
"/* --- END --- */\n"
"\n";
static const u8* main_payload_32 =
static const u8*main_payload_32 =
"\n"
"/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n"

258
include/afl-fuzz.h
View File

@ -115,7 +115,7 @@ extern s32
struct queue_entry {
u8* fname; /* File name for the test case */
u8 *fname; /* File name for the test case */
u32 len; /* Input length */
u8 cal_failed, /* Calibration failed? */
@ -137,7 +137,7 @@ struct queue_entry {
n_fuzz, /* Number of fuzz, does not overflow */
depth; /* Path depth */
u8* trace_mini; /* Trace bytes, if kept */
u8 *trace_mini; /* Trace bytes, if kept */
u32 tc_ref; /* Trace bytes ref count */
struct queue_entry *next, /* Next element, if any */
@ -147,7 +147,7 @@ struct queue_entry {
struct extra_data {
u8* data; /* Dictionary token data */
u8 *data; /* Dictionary token data */
u32 len; /* Dictionary token length */
u32 hit_cnt; /* Use count in the corpus */
@ -234,7 +234,7 @@ enum {
};
extern u8* doc_path; /* gath to documentation dir */
extern u8 *doc_path; /* gath to documentation dir */
/* Python stuff */
#ifdef USE_PYTHON
@ -284,22 +284,22 @@ enum {
typedef struct MOpt_globals {
u64* finds;
u64* finds_v2;
u64* cycles;
u64* cycles_v2;
u64* cycles_v3;
u32 is_pilot_mode;
u64* pTime;
u64 period;
char* havoc_stagename;
char* splice_stageformat;
char* havoc_stagenameshort;
char* splice_stagenameshort;
u64 *finds;
u64 *finds_v2;
u64 *cycles;
u64 *cycles_v2;
u64 *cycles_v3;
u32 is_pilot_mode;
u64 *pTime;
u64 period;
char *havoc_stagename;
char *splice_stageformat;
char *havoc_stagenameshort;
char *splice_stagenameshort;
} MOpt_globals_t;
extern char* power_names[POWER_SCHEDULES_NUM];
extern char *power_names[POWER_SCHEDULES_NUM];
typedef struct afl_state {
@ -309,7 +309,7 @@ typedef struct afl_state {
afl_forkserver_t fsrv;
sharedmem_t shm;
char** argv; /* argv if needed */
char **argv; /* argv if needed */
/* MOpt:
Lots of globals, but mostly for the status UI and other things where it
@ -378,7 +378,7 @@ typedef struct afl_state {
u8 havoc_max_mult;
u8 use_radamsa;
size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);
size_t (*radamsa_mutate_ptr)(u8 *, size_t, u8 *, size_t, u32);
u8 skip_deterministic, /* Skip deterministic stages? */
force_deterministic, /* Force deterministic stages? */
@ -503,23 +503,23 @@ typedef struct afl_state {
*queue_top, /* Top of the list */
*q_prev100; /* Previous 100 marker */
struct queue_entry* top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */
struct queue_entry *top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */
struct extra_data* extras; /* Extra tokens to fuzz with */
struct extra_data *extras; /* Extra tokens to fuzz with */
u32 extras_cnt; /* Total number of tokens read */
struct extra_data* a_extras; /* Automatically selected extras */
struct extra_data *a_extras; /* Automatically selected extras */
u32 a_extras_cnt; /* Total number of tokens available */
u8* (*post_handler)(u8* buf, u32* len);
u8 *(*post_handler)(u8 *buf, u32 *len);
/* CmpLog */
char* cmplog_binary;
char *cmplog_binary;
s32 cmplog_child_pid, cmplog_fsrv_pid;
/* Custom mutators */
struct custom_mutator* mutator;
struct custom_mutator *mutator;
/* cmplog forkserver ids */
s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
@ -529,8 +529,8 @@ typedef struct afl_state {
#ifdef USE_PYTHON
/* Python Mutators */
PyObject* py_module;
PyObject* py_functions[PY_FUNC_COUNT];
PyObject *py_module;
PyObject *py_functions[PY_FUNC_COUNT];
#endif
#ifdef _AFL_DOCUMENT_MUTATIONS
@ -547,8 +547,8 @@ extern list_t afl_states;
struct custom_mutator {
const char* name;
void* dh;
const char *name;
void *dh;
/* hooks for the custom mutator function */
@ -559,7 +559,7 @@ struct custom_mutator {
*
* @param seed Seed used for the mutation.
*/
void (*afl_custom_init)(afl_state_t* afl, unsigned int seed);
void (*afl_custom_init)(afl_state_t *afl, unsigned int seed);
/**
* Perform custom mutations on a given input
@ -575,8 +575,8 @@ struct custom_mutator {
* not produce data larger than max_size.
* @return Size of the mutated output.
*/
size_t (*afl_custom_fuzz)(afl_state_t* afl, u8** buf, size_t buf_size,
u8* add_buf, size_t add_buf_size, size_t max_size);
size_t (*afl_custom_fuzz)(afl_state_t *afl, u8 **buf, size_t buf_size,
u8 *add_buf, size_t add_buf_size, size_t max_size);
/**
* A post-processing function to use right before AFL writes the test case to
@ -592,8 +592,8 @@ struct custom_mutator {
* will release the memory after saving the test case.
* @return Size of the output buffer after processing
*/
size_t (*afl_custom_pre_save)(afl_state_t* afl, u8* buf, size_t buf_size,
u8** out_buf);
size_t (*afl_custom_pre_save)(afl_state_t *afl, u8 *buf, size_t buf_size,
u8 **out_buf);
/**
* This method is called at the start of each trimming operation and receives
@ -615,7 +615,7 @@ struct custom_mutator {
* @param buf_size Size of the test case
* @return The amount of possible iteration steps to trim the input
*/
u32 (*afl_custom_init_trim)(afl_state_t* afl, u8* buf, size_t buf_size);
u32 (*afl_custom_init_trim)(afl_state_t *afl, u8 *buf, size_t buf_size);
/**
* This method is called for each trimming operation. It doesn't have any
@ -633,7 +633,7 @@ struct custom_mutator {
* the memory after saving the test case.
* @param[out] out_buf_size Pointer to the size of the trimmed test case
*/
void (*afl_custom_trim)(afl_state_t* afl, u8** out_buf, size_t* out_buf_size);
void (*afl_custom_trim)(afl_state_t *afl, u8 **out_buf, size_t *out_buf_size);
/**
* This method is called after each trim operation to inform you if your
@ -646,7 +646,7 @@ struct custom_mutator {
* @return The next trim iteration index (from 0 to the maximum amount of
* steps returned in init_trim)
*/
u32 (*afl_custom_post_trim)(afl_state_t* afl, u8 success);
u32 (*afl_custom_post_trim)(afl_state_t *afl, u8 success);
/**
* Perform a single custom mutation on a given input.
@ -661,7 +661,7 @@ struct custom_mutator {
* not produce data larger than max_size.
* @return Size of the mutated output.
*/
size_t (*afl_custom_havoc_mutation)(afl_state_t* afl, u8** buf,
size_t (*afl_custom_havoc_mutation)(afl_state_t *afl, u8 **buf,
size_t buf_size, size_t max_size);
/**
@ -672,7 +672,7 @@ struct custom_mutator {
*
* @return The probability (0-100).
*/
u8 (*afl_custom_havoc_mutation_probability)(afl_state_t* afl);
u8 (*afl_custom_havoc_mutation_probability)(afl_state_t *afl);
/**
* Determine whether the fuzzer should fuzz the current queue entry or not.
@ -683,7 +683,7 @@ struct custom_mutator {
* @return Return True(1) if the fuzzer will fuzz the queue entry, and
* False(0) otherwise.
*/
u8 (*afl_custom_queue_get)(afl_state_t* afl, const u8* filename);
u8 (*afl_custom_queue_get)(afl_state_t *afl, const u8 *filename);
/**
* Allow for additional analysis (e.g. calling a different tool that does a
@ -695,148 +695,148 @@ struct custom_mutator {
* @param filename_orig_queue File name of the original queue entry. This
* argument can be NULL while initializing the fuzzer
*/
void (*afl_custom_queue_new_entry)(afl_state_t* afl,
const u8* filename_new_queue,
const u8* filename_orig_queue);
void (*afl_custom_queue_new_entry)(afl_state_t *afl,
const u8 *filename_new_queue,
const u8 *filename_orig_queue);
};
void afl_state_init(afl_state_t*);
void afl_state_deinit(afl_state_t*);
void afl_state_init(afl_state_t *);
void afl_state_deinit(afl_state_t *);
/**** Prototypes ****/
/* Custom mutators */
void setup_custom_mutator(afl_state_t*);
void destroy_custom_mutator(afl_state_t*);
u8 trim_case_custom(afl_state_t*, struct queue_entry* q, u8* in_buf);
void setup_custom_mutator(afl_state_t *);
void destroy_custom_mutator(afl_state_t *);
u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf);
/* Python */
#ifdef USE_PYTHON
int init_py_module(afl_state_t*, u8*);
void finalize_py_module(afl_state_t*);
int init_py_module(afl_state_t *, u8 *);
void finalize_py_module(afl_state_t *);
void init_py(afl_state_t*, unsigned int);
size_t fuzz_py(afl_state_t*, u8**, size_t, u8*, size_t, size_t);
size_t pre_save_py(afl_state_t*, u8*, size_t, u8**);
u32 init_trim_py(afl_state_t*, u8*, size_t);
u32 post_trim_py(afl_state_t*, u8);
void trim_py(afl_state_t*, u8**, size_t*);
size_t havoc_mutation_py(afl_state_t*, u8**, size_t, size_t);
u8 havoc_mutation_probability_py(afl_state_t*);
u8 queue_get_py(afl_state_t*, const u8*);
void queue_new_entry_py(afl_state_t*, const u8*, const u8*);
void init_py(afl_state_t *, unsigned int);
size_t fuzz_py(afl_state_t *, u8 **, size_t, u8 *, size_t, size_t);
size_t pre_save_py(afl_state_t *, u8 *, size_t, u8 **);
u32 init_trim_py(afl_state_t *, u8 *, size_t);
u32 post_trim_py(afl_state_t *, u8);
void trim_py(afl_state_t *, u8 **, size_t *);
size_t havoc_mutation_py(afl_state_t *, u8 **, size_t, size_t);
u8 havoc_mutation_probability_py(afl_state_t *);
u8 queue_get_py(afl_state_t *, const u8 *);
void queue_new_entry_py(afl_state_t *, const u8 *, const u8 *);
#endif
/* Queue */
void mark_as_det_done(afl_state_t*, struct queue_entry*);
void mark_as_variable(afl_state_t*, struct queue_entry*);
void mark_as_redundant(afl_state_t*, struct queue_entry*, u8);
void add_to_queue(afl_state_t*, u8*, u32, u8);
void destroy_queue(afl_state_t*);
void update_bitmap_score(afl_state_t*, struct queue_entry*);
void cull_queue(afl_state_t*);
u32 calculate_score(afl_state_t*, struct queue_entry*);
void mark_as_det_done(afl_state_t *, struct queue_entry *);
void mark_as_variable(afl_state_t *, struct queue_entry *);
void mark_as_redundant(afl_state_t *, struct queue_entry *, u8);
void add_to_queue(afl_state_t *, u8 *, u32, u8);
void destroy_queue(afl_state_t *);
void update_bitmap_score(afl_state_t *, struct queue_entry *);
void cull_queue(afl_state_t *);
u32 calculate_score(afl_state_t *, struct queue_entry *);
/* Bitmap */
void read_bitmap(afl_state_t*, u8*);
void write_bitmap(afl_state_t*);
u32 count_bits(u8*);
u32 count_bytes(u8*);
u32 count_non_255_bytes(u8*);
void read_bitmap(afl_state_t *, u8 *);
void write_bitmap(afl_state_t *);
u32 count_bits(u8 *);
u32 count_bytes(u8 *);
u32 count_non_255_bytes(u8 *);
#ifdef WORD_SIZE_64
void simplify_trace(u64*);
void classify_counts(u64*);
void simplify_trace(u64 *);
void classify_counts(u64 *);
#else
void simplify_trace(u32*);
void classify_counts(u32*);
void simplify_trace(u32 *);
void classify_counts(u32 *);
#endif
void init_count_class16(void);
void minimize_bits(u8*, u8*);
void minimize_bits(u8 *, u8 *);
#ifndef SIMPLE_FILES
u8* describe_op(afl_state_t*, u8);
u8 *describe_op(afl_state_t *, u8);
#endif
u8 save_if_interesting(afl_state_t*, void*, u32, u8);
u8 has_new_bits(afl_state_t*, u8*);
u8 save_if_interesting(afl_state_t *, void *, u32, u8);
u8 has_new_bits(afl_state_t *, u8 *);
/* Misc */
u8* DI(u64);
u8* DF(double);
u8* DMS(u64);
u8* DTD(u64, u64);
u8 *DI(u64);
u8 *DF(double);
u8 *DMS(u64);
u8 *DTD(u64, u64);
/* Extras */
void load_extras_file(afl_state_t*, u8*, u32*, u32*, u32);
void load_extras(afl_state_t*, u8*);
void maybe_add_auto(afl_state_t*, u8*, u32);
void save_auto(afl_state_t*);
void load_auto(afl_state_t*);
void destroy_extras(afl_state_t*);
void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32);
void load_extras(afl_state_t *, u8 *);
void maybe_add_auto(afl_state_t *, u8 *, u32);
void save_auto(afl_state_t *);
void load_auto(afl_state_t *);
void destroy_extras(afl_state_t *);
/* Stats */
void write_stats_file(afl_state_t*, double, double, double);
void maybe_update_plot_file(afl_state_t*, double, double);
void show_stats(afl_state_t*);
void show_init_stats(afl_state_t*);
void write_stats_file(afl_state_t *, double, double, double);
void maybe_update_plot_file(afl_state_t *, double, double);
void show_stats(afl_state_t *);
void show_init_stats(afl_state_t *);
/* Run */
u8 run_target(afl_state_t*, u32);
void write_to_testcase(afl_state_t*, void*, u32);
u8 calibrate_case(afl_state_t*, struct queue_entry*, u8*, u32, u8);
void sync_fuzzers(afl_state_t*);
u8 trim_case(afl_state_t*, struct queue_entry*, u8*);
u8 common_fuzz_stuff(afl_state_t*, u8*, u32);
u8 run_target(afl_state_t *, u32);
void write_to_testcase(afl_state_t *, void *, u32);
u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8);
void sync_fuzzers(afl_state_t *);
u8 trim_case(afl_state_t *, struct queue_entry *, u8 *);
u8 common_fuzz_stuff(afl_state_t *, u8 *, u32);
/* Fuzz one */
u8 fuzz_one_original(afl_state_t*);
u8 pilot_fuzzing(afl_state_t*);
u8 core_fuzzing(afl_state_t*);
void pso_updating(afl_state_t*);
u8 fuzz_one(afl_state_t*);
u8 fuzz_one_original(afl_state_t *);
u8 pilot_fuzzing(afl_state_t *);
u8 core_fuzzing(afl_state_t *);
void pso_updating(afl_state_t *);
u8 fuzz_one(afl_state_t *);
/* Init */
#ifdef HAVE_AFFINITY
void bind_to_free_cpu(afl_state_t*);
void bind_to_free_cpu(afl_state_t *);
#endif
void setup_post(afl_state_t*);
void read_testcases(afl_state_t*);
void perform_dry_run(afl_state_t*);
void pivot_inputs(afl_state_t*);
u32 find_start_position(afl_state_t*);
void find_timeout(afl_state_t*);
void setup_post(afl_state_t *);
void read_testcases(afl_state_t *);
void perform_dry_run(afl_state_t *);
void pivot_inputs(afl_state_t *);
u32 find_start_position(afl_state_t *);
void find_timeout(afl_state_t *);
double get_runnable_processes(void);
void nuke_resume_dir(afl_state_t*);
void setup_dirs_fds(afl_state_t*);
void setup_cmdline_file(afl_state_t*, char**);
void setup_stdio_file(afl_state_t*);
void nuke_resume_dir(afl_state_t *);
void setup_dirs_fds(afl_state_t *);
void setup_cmdline_file(afl_state_t *, char **);
void setup_stdio_file(afl_state_t *);
void check_crash_handling(void);
void check_cpu_governor(afl_state_t*);
void get_core_count(afl_state_t*);
void fix_up_sync(afl_state_t*);
void check_cpu_governor(afl_state_t *);
void get_core_count(afl_state_t *);
void fix_up_sync(afl_state_t *);
void check_asan_opts(void);
void check_binary(afl_state_t*, u8*);
void fix_up_banner(afl_state_t*, u8*);
void check_if_tty(afl_state_t*);
void check_binary(afl_state_t *, u8 *);
void fix_up_banner(afl_state_t *, u8 *);
void check_if_tty(afl_state_t *);
void setup_signal_handlers(void);
void save_cmdline(afl_state_t*, u32, char**);
void save_cmdline(afl_state_t *, u32, char **);
/* CmpLog */
void init_cmplog_forkserver(afl_state_t* afl);
u8 common_fuzz_cmplog_stuff(afl_state_t* afl, u8* out_buf, u32 len);
void init_cmplog_forkserver(afl_state_t *afl);
u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len);
/* RedQueen */
u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len,
u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
u32 exec_cksum);
/**** Inline routines ****/
@ -844,7 +844,7 @@ u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len,
/* Generate a random number (from 0 to limit - 1). This may
have slight bias. */
static inline u32 UR(afl_state_t* afl, u32 limit) {
static inline u32 UR(afl_state_t *afl, u32 limit) {
#ifdef HAVE_ARC4RANDOM
if (afl->fixed_seed) { return random() % limit; }
@ -867,7 +867,7 @@ static inline u32 UR(afl_state_t* afl, u32 limit) {
}
static inline u32 get_rand_seed(afl_state_t* afl) {
static inline u32 get_rand_seed(afl_state_t *afl) {
if (afl->fixed_seed) return (u32)afl->init_seed;
return afl->rand_seed[0];

130
include/alloc-inl.h
View File

@ -45,11 +45,11 @@
#define alloc_printf(_str...) \
({ \
\
u8* _tmp; \
u8 *_tmp; \
s32 _len = snprintf(NULL, 0, _str); \
if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
_tmp = ck_alloc(_len + 1); \
snprintf((char*)_tmp, _len + 1, _str); \
snprintf((char *)_tmp, _len + 1, _str); \
_tmp; \
\
})
@ -80,9 +80,9 @@
/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
requests. */
static inline void* DFL_ck_alloc_nozero(u32 size) {
static inline void *DFL_ck_alloc_nozero(u32 size) {
u8* ret;
u8 *ret;
if (!size) return NULL;
@ -90,15 +90,15 @@ static inline void* DFL_ck_alloc_nozero(u32 size) {
ret = malloc(size);
ALLOC_CHECK_RESULT(ret, size);
return (void*)ret;
return (void *)ret;
}
/* Allocate a buffer, returning zeroed memory. */
static inline void* DFL_ck_alloc(u32 size) {
static inline void *DFL_ck_alloc(u32 size) {
void* mem;
void *mem;
if (!size) return NULL;
mem = DFL_ck_alloc_nozero(size);
@ -110,7 +110,7 @@ static inline void* DFL_ck_alloc(u32 size) {
/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
is set, the old memory will be also clobbered with 0xFF. */
static inline void DFL_ck_free(void* mem) {
static inline void DFL_ck_free(void *mem) {
if (!mem) return;
@ -122,9 +122,9 @@ static inline void DFL_ck_free(void* mem) {
With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
old memory is clobbered with 0xFF. */
static inline void* DFL_ck_realloc(void* orig, u32 size) {
static inline void *DFL_ck_realloc(void *orig, u32 size) {
u8* ret;
u8 *ret;
if (!size) {
@ -142,14 +142,14 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
ALLOC_CHECK_RESULT(ret, size);
return (void*)ret;
return (void *)ret;
}
/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
repeated small reallocs without complicating the user code). */
static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
static inline void *DFL_ck_realloc_block(void *orig, u32 size) {
return DFL_ck_realloc(orig, size);
@ -157,14 +157,14 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
static inline u8* DFL_ck_strdup(u8* str) {
static inline u8 *DFL_ck_strdup(u8 *str) {
u8* ret;
u8 *ret;
u32 size;
if (!str) return NULL;
size = strlen((char*)str) + 1;
size = strlen((char *)str) + 1;
ALLOC_CHECK_SIZE(size);
ret = malloc(size);
@ -177,9 +177,9 @@ static inline u8* DFL_ck_strdup(u8* str) {
/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
or NULL inputs. */
static inline void* DFL_ck_memdup(void* mem, u32 size) {
static inline void *DFL_ck_memdup(void *mem, u32 size) {
u8* ret;
u8 *ret;
if (!mem || !size) return NULL;
@ -194,9 +194,9 @@ static inline void* DFL_ck_memdup(void* mem, u32 size) {
/* Create a buffer with a block of text, appending a NUL terminator at the end.
Returns NULL for zero-sized or NULL inputs. */
static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) {
u8* ret;
u8 *ret;
if (!mem || !size) return NULL;
@ -233,11 +233,11 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
#define alloc_printf(_str...) \
({ \
\
u8* _tmp; \
u8 *_tmp; \
s32 _len = snprintf(NULL, 0, _str); \
if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
_tmp = ck_alloc(_len + 1); \
snprintf((char*)_tmp, _len + 1, _str); \
snprintf((char *)_tmp, _len + 1, _str); \
_tmp; \
\
})
@ -269,9 +269,9 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
/* Positions of guard tokens in relation to the user-visible pointer. */
#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2])
#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1])
#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)])
#define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2])
#define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1])
#define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)])
#define ALLOC_OFF_HEAD 8
#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1)
@ -314,9 +314,9 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
requests. */
static inline void* DFL_ck_alloc_nozero(u32 size) {
static inline void *DFL_ck_alloc_nozero(u32 size) {
void* ret;
void *ret;
if (!size) return NULL;
@ -336,9 +336,9 @@ static inline void* DFL_ck_alloc_nozero(u32 size) {
/* Allocate a buffer, returning zeroed memory. */
static inline void* DFL_ck_alloc(u32 size) {
static inline void *DFL_ck_alloc(u32 size) {
void* mem;
void *mem;
if (!size) return NULL;
mem = DFL_ck_alloc_nozero(size);
@ -350,7 +350,7 @@ static inline void* DFL_ck_alloc(u32 size) {
/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
is set, the old memory will be also clobbered with 0xFF. */
static inline void DFL_ck_free(void* mem) {
static inline void DFL_ck_free(void *mem) {
if (!mem) return;
@ -373,9 +373,9 @@ static inline void DFL_ck_free(void* mem) {
With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
old memory is clobbered with 0xFF. */
static inline void* DFL_ck_realloc(void* orig, u32 size) {
static inline void *DFL_ck_realloc(void *orig, u32 size) {
void* ret;
void *ret;
u32 old_size = 0;
if (!size) {
@ -443,7 +443,7 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
repeated small reallocs without complicating the user code). */
static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
static inline void *DFL_ck_realloc_block(void *orig, u32 size) {
#ifndef DEBUG_BUILD
@ -465,14 +465,14 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
static inline u8* DFL_ck_strdup(u8* str) {
static inline u8 *DFL_ck_strdup(u8 *str) {
void* ret;
void *ret;
u32 size;
if (!str) return NULL;
size = strlen((char*)str) + 1;
size = strlen((char *)str) + 1;
ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL);
@ -491,9 +491,9 @@ static inline u8* DFL_ck_strdup(u8* str) {
/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
or NULL inputs. */
static inline void* DFL_ck_memdup(void* mem, u32 size) {
static inline void *DFL_ck_memdup(void *mem, u32 size) {
void* ret;
void *ret;
if (!mem || !size) return NULL;
@ -514,9 +514,9 @@ static inline void* DFL_ck_memdup(void* mem, u32 size) {
/* Create a buffer with a block of text, appending a NUL terminator at the end.
Returns NULL for zero-sized or NULL inputs. */
static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) {
u8* ret;
u8 *ret;
if (!mem || !size) return NULL;
@ -564,7 +564,7 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
struct TRK_obj {
void* ptr;
void *ptr;
char *file, *func;
u32 line;
@ -572,14 +572,14 @@ struct TRK_obj {
#ifdef AFL_MAIN
struct TRK_obj* TRK[ALLOC_BUCKETS];
struct TRK_obj *TRK[ALLOC_BUCKETS];
u32 TRK_cnt[ALLOC_BUCKETS];
#define alloc_report() TRK_report()
#else
extern struct TRK_obj* TRK[ALLOC_BUCKETS];
extern struct TRK_obj *TRK[ALLOC_BUCKETS];
extern u32 TRK_cnt[ALLOC_BUCKETS];
#define alloc_report()
@ -592,7 +592,7 @@ extern u32 TRK_cnt[ALLOC_BUCKETS];
/* Add a new entry to the list of allocated objects. */
static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
static inline void TRK_alloc_buf(void *ptr, const char *file, const char *func,
u32 line) {
u32 i, bucket;
@ -608,8 +608,8 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
if (!TRK[bucket][i].ptr) {
TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file;
TRK[bucket][i].func = (char*)func;
TRK[bucket][i].file = (char *)file;
TRK[bucket][i].func = (char *)func;
TRK[bucket][i].line = line;
return;
@ -621,8 +621,8 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
TRK[bucket], (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file;
TRK[bucket][i].func = (char*)func;
TRK[bucket][i].file = (char *)file;
TRK[bucket][i].func = (char *)func;
TRK[bucket][i].line = line;
TRK_cnt[bucket]++;
@ -631,7 +631,7 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
/* Remove entry from the list of allocated objects. */
static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
static inline void TRK_free_buf(void *ptr, const char *file, const char *func,
u32 line) {
u32 i, bucket;
@ -674,63 +674,63 @@ static inline void TRK_report(void) {
/* Simple wrappers for non-debugging functions: */
static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
static inline void *TRK_ck_alloc(u32 size, const char *file, const char *func,
u32 line) {
void* ret = DFL_ck_alloc(size);
void *ret = DFL_ck_alloc(size);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
const char* func, u32 line) {
static inline void *TRK_ck_realloc(void *orig, u32 size, const char *file,
const char *func, u32 line) {
void* ret = DFL_ck_realloc(orig, size);
void *ret = DFL_ck_realloc(orig, size);
TRK_free_buf(orig, file, func, line);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
const char* func, u32 line) {
static inline void *TRK_ck_realloc_block(void *orig, u32 size, const char *file,
const char *func, u32 line) {
void* ret = DFL_ck_realloc_block(orig, size);
void *ret = DFL_ck_realloc_block(orig, size);
TRK_free_buf(orig, file, func, line);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
static inline void *TRK_ck_strdup(u8 *str, const char *file, const char *func,
u32 line) {
void* ret = DFL_ck_strdup(str);
void *ret = DFL_ck_strdup(str);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
const char* func, u32 line) {
static inline void *TRK_ck_memdup(void *mem, u32 size, const char *file,
const char *func, u32 line) {
void* ret = DFL_ck_memdup(mem, size);
void *ret = DFL_ck_memdup(mem, size);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
const char* func, u32 line) {
static inline void *TRK_ck_memdup_str(void *mem, u32 size, const char *file,
const char *func, u32 line) {
void* ret = DFL_ck_memdup_str(mem, size);
void *ret = DFL_ck_memdup_str(mem, size);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void TRK_ck_free(void* ptr, const char* file, const char* func,
static inline void TRK_ck_free(void *ptr, const char *file, const char *func,
u32 line) {
TRK_free_buf(ptr, file, func, line);

14
include/common.h
View File

@ -31,15 +31,15 @@
#include "types.h"
#include "stdbool.h"
void detect_file_args(char** argv, u8* prog_in, u8* use_stdin);
void check_environment_vars(char** env);
void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin);
void check_environment_vars(char **env);
char** argv_cpy_dup(int argc, char** argv);
void argv_cpy_free(char** argv);
char **argv_cpy_dup(int argc, char **argv);
void argv_cpy_free(char **argv);
char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv);
char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv);
char* get_afl_env(char* env);
char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv);
char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv);
char * get_afl_env(char *env);
/* Get unix time in milliseconds */

8
include/hash.h
View File

@ -34,9 +34,9 @@
#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) {
static inline u32 hash32(const void *key, u32 len, u32 seed) {
const u64* data = (u64*)key;
const u64 *data = (u64 *)key;
u64 h1 = seed ^ len;
len >>= 3;
@ -69,9 +69,9 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) {
static inline u32 hash32(const void *key, u32 len, u32 seed) {
const u32* data = (u32*)key;
const u32 *data = (u32 *)key;
u32 h1 = seed ^ len;
len >>= 2;

4
include/list.h
View File

@ -43,7 +43,7 @@ typedef struct list_element {
struct list_element *prev;
struct list_element *next;
void * data;
void *data;
} element_t;
@ -100,7 +100,7 @@ static void list_append(list_t *list, void *el) {
#define LIST_FOREACH(list, type, block) \
do { \
\
list_t * li = (list); \
list_t *li = (list); \
element_t *head = get_head((li)); \
element_t *el_box = (head)->next; \
if (!el_box) FATAL("foreach over uninitialized list"); \

54
libdislocator/libdislocator.so.c
View File

@ -56,7 +56,7 @@
\
srand(time(NULL)); \
u32 i; \
u8* ptr = (u8*)p; \
u8 *ptr = (u8 *)p; \
for (i = 0; i < l; i++) \
ptr[i] = rand() % INT_MAX; \
\
@ -136,8 +136,8 @@ typedef struct {
#define TAIL_ALLOC_CANARY 0xAC
#define PTR_C(_p) (((u32*)(_p))[-1])
#define PTR_L(_p) (((u32*)(_p))[-2])
#define PTR_C(_p) (((u32 *)(_p))[-1])
#define PTR_L(_p) (((u32 *)(_p))[-2])
/* Configurable stuff (use AFL_LD_* to set): */
@ -161,9 +161,9 @@ static u32 alloc_canary;
so that it is right-aligned to that boundary. Since it always uses mmap(),
the returned memory will be zeroed. */
static void* __dislocator_alloc(size_t len) {
static void *__dislocator_alloc(size_t len) {
u8* ret;
u8 *ret;
size_t tlen;
int flags, fd, sp;
@ -203,7 +203,7 @@ static void* __dislocator_alloc(size_t len) {
/* We will also store buffer length and a canary below the actual buffer, so
let's add 8 bytes for that. */
ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
ret = (u8 *)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
#if defined(USEHUGEPAGE)
/* We try one more time with regular call */
if (ret == MAP_FAILED) {
@ -215,7 +215,7 @@ static void* __dislocator_alloc(size_t len) {
#elif defined(__FreeBSD__)
flags &= -MAP_ALIGNED_SUPER;
#endif
ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
ret = (u8 *)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
}
@ -265,9 +265,9 @@ static void* __dislocator_alloc(size_t len) {
/* The "user-facing" wrapper for calloc(). This just checks for overflows and
displays debug messages if requested. */
void* calloc(size_t elem_len, size_t elem_cnt) {
void *calloc(size_t elem_len, size_t elem_cnt) {
void* ret;
void *ret;
size_t len = elem_len * elem_cnt;
@ -304,9 +304,9 @@ void* calloc(size_t elem_len, size_t elem_cnt) {
memory (unlike calloc(), malloc() is not guaranteed to return zeroed
memory). */
void* malloc(size_t len) {
void *malloc(size_t len) {
void* ret;
void *ret;
ret = __dislocator_alloc(len);
@ -322,7 +322,7 @@ void* malloc(size_t len) {
If the region is already freed, the code will segfault during the attempt to
read the canary. Not very graceful, but works, right? */
void free(void* ptr) {
void free(void *ptr) {
u32 len;
@ -338,7 +338,7 @@ void free(void* ptr) {
if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) {
u8* ptr_ = ptr;
u8 *ptr_ = ptr;
size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE;
for (; len < rlen; ++len)
if (ptr_[len] != TAIL_ALLOC_CANARY)
@ -361,9 +361,9 @@ void free(void* ptr) {
/* Realloc is pretty straightforward, too. We forcibly reallocate the buffer,
move data, and then free (aka mprotect()) the original one. */
void* realloc(void* ptr, size_t len) {
void *realloc(void *ptr, size_t len) {
void* ret;
void *ret;
ret = malloc(len);
@ -387,10 +387,10 @@ void* realloc(void* ptr, size_t len) {
if the requested size fits within the alignment we do
a normal request */
int posix_memalign(void** ptr, size_t align, size_t len) {
int posix_memalign(void **ptr, size_t align, size_t len) {
// if (*ptr == NULL) return EINVAL; // (andrea) Why? I comment it out for now
if ((align % 2) || (align % sizeof(void*))) return EINVAL;
if ((align % 2) || (align % sizeof(void *))) return EINVAL;
if (len == 0) {
*ptr = NULL;
@ -413,9 +413,9 @@ int posix_memalign(void** ptr, size_t align, size_t len) {
/* just the non-posix fashion */
void* memalign(size_t align, size_t len) {
void *memalign(size_t align, size_t len) {
void* ret = NULL;
void *ret = NULL;
if (posix_memalign(&ret, align, len)) {
@ -429,9 +429,9 @@ void* memalign(size_t align, size_t len) {
/* sort of C11 alias of memalign only more severe, alignment-wise */
void* aligned_alloc(size_t align, size_t len) {
void *aligned_alloc(size_t align, size_t len) {
void* ret = NULL;
void *ret = NULL;
if ((len % align)) return NULL;
@ -447,11 +447,11 @@ void* aligned_alloc(size_t align, size_t len) {
/* specific BSD api mainly checking possible overflow for the size */
void* reallocarray(void* ptr, size_t elem_len, size_t elem_cnt) {
void *reallocarray(void *ptr, size_t elem_len, size_t elem_cnt) {
const size_t elem_lim = 1UL << (sizeof(size_t) * 4);
const size_t elem_tot = elem_len * elem_cnt;
void* ret = NULL;
void *ret = NULL;
if ((elem_len >= elem_lim || elem_cnt >= elem_lim) && elem_len > 0 &&
elem_cnt > (SIZE_MAX / elem_len)) {
@ -470,19 +470,19 @@ void* reallocarray(void* ptr, size_t elem_len, size_t elem_cnt) {
__attribute__((constructor)) void __dislocator_init(void) {
u8* tmp = (u8*)getenv("AFL_LD_LIMIT_MB");
u8 *tmp = (u8 *)getenv("AFL_LD_LIMIT_MB");
if (tmp) {
u8* tok;
s32 mmem = (s32)strtol((char*)tmp, (char**)&tok, 10);
u8 *tok;
s32 mmem = (s32)strtol((char *)tmp, (char **)&tok, 10);
if (*tok != '\0' || errno == ERANGE) FATAL("Bad value for AFL_LD_LIMIT_MB");
max_mem = mmem * 1024 * 1024;
}
alloc_canary = ALLOC_CANARY;
tmp = (u8*)getenv("AFL_RANDOM_ALLOC_CANARY");
tmp = (u8 *)getenv("AFL_RANDOM_ALLOC_CANARY");
if (tmp) arc4random_buf(&alloc_canary, sizeof(alloc_canary));

134
libtokencap/libtokencap.so.c
View File

@ -54,16 +54,16 @@
#ifdef RTLD_NEXT
/* The libc functions are a magnitude faster than our replacements.
Use them when RTLD_NEXT is available. */
int (*__libc_strcmp)(const char* str1, const char* str2);
int (*__libc_strncmp)(const char* str1, const char* str2, size_t len);
int (*__libc_strcasecmp)(const char* str1, const char* str2);
int (*__libc_strncasecmp)(const char* str1, const char* str2, size_t len);
int (*__libc_memcmp)(const void* mem1, const void* mem2, size_t len);
int (*__libc_bcmp)(const void* mem1, const void* mem2, size_t len);
char* (*__libc_strstr)(const char* haystack, const char* needle);
char* (*__libc_strcasestr)(const char* haystack, const char* needle);
void* (*__libc_memmem)(const void* haystack, size_t haystack_len,
const void* needle, size_t needle_len);
int (*__libc_strcmp)(const char *str1, const char *str2);
int (*__libc_strncmp)(const char *str1, const char *str2, size_t len);
int (*__libc_strcasecmp)(const char *str1, const char *str2);
int (*__libc_strncasecmp)(const char *str1, const char *str2, size_t len);
int (*__libc_memcmp)(const void *mem1, const void *mem2, size_t len);
int (*__libc_bcmp)(const void *mem1, const void *mem2, size_t len);
char *(*__libc_strstr)(const char *haystack, const char *needle);
char *(*__libc_strcasestr)(const char *haystack, const char *needle);
void *(*__libc_memmem)(const void *haystack, size_t haystack_len,
const void *needle, size_t needle_len);
#endif
/* Mapping data and such */
@ -86,7 +86,7 @@ static void __tokencap_load_mappings(void) {
#if defined __linux__
u8 buf[MAX_LINE];
FILE* f = fopen("/proc/self/maps", "r");
FILE *f = fopen("/proc/self/maps", "r");
__tokencap_ro_loaded = 1;
@ -100,8 +100,8 @@ static void __tokencap_load_mappings(void) {
if (sscanf(buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue;
if (wf == 'w' || rf != 'r') continue;
__tokencap_ro[__tokencap_ro_cnt].st = (void*)st;
__tokencap_ro[__tokencap_ro_cnt].en = (void*)en;
__tokencap_ro[__tokencap_ro_cnt].st = (void *)st;
__tokencap_ro[__tokencap_ro_cnt].en = (void *)en;
if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
@ -136,8 +136,8 @@ static void __tokencap_load_mappings(void) {
if ((region.protection & VM_PROT_READ) &&
!(region.protection & VM_PROT_WRITE)) {
__tokencap_ro[__tokencap_ro_cnt].st = (void*)base;
__tokencap_ro[__tokencap_ro_cnt].en = (void*)(base + size);
__tokencap_ro[__tokencap_ro_cnt].st = (void *)base;
__tokencap_ro[__tokencap_ro_cnt].en = (void *)(base + size);
if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
@ -160,7 +160,7 @@ static void __tokencap_load_mappings(void) {
int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid,
sizeof(struct kinfo_vmentry)};
#endif
char * buf, *low, *high;
char *buf, *low, *high;
size_t miblen = sizeof(mib) / sizeof(mib[0]);
size_t len;
@ -189,7 +189,7 @@ static void __tokencap_load_mappings(void) {
while (low < high) {
struct kinfo_vmentry* region = (struct kinfo_vmentry*)low;
struct kinfo_vmentry *region = (struct kinfo_vmentry *)low;
#if defined __FreeBSD__ || defined __NetBSD__
@ -216,8 +216,8 @@ static void __tokencap_load_mappings(void) {
!(region->kve_protection & KVE_PROT_WRITE)) {
#endif
__tokencap_ro[__tokencap_ro_cnt].st = (void*)region->kve_start;
__tokencap_ro[__tokencap_ro_cnt].en = (void*)region->kve_end;
__tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start;
__tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end;
if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
@ -234,7 +234,7 @@ static void __tokencap_load_mappings(void) {
/* Check an address against the list of read-only mappings. */
static u8 __tokencap_is_ro(const void* ptr) {
static u8 __tokencap_is_ro(const void *ptr) {
u32 i;
@ -250,7 +250,7 @@ static u8 __tokencap_is_ro(const void* ptr) {
/* Dump an interesting token to output file, quoting and escaping it
properly. */
static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
static void __tokencap_dump(const u8 *ptr, size_t len, u8 is_text) {
u8 buf[MAX_AUTO_EXTRA * 4 + 1];
u32 i;
@ -293,7 +293,7 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
#undef strcmp
int strcmp(const char* str1, const char* str2) {
int strcmp(const char *str1, const char *str2) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
@ -317,7 +317,7 @@ int strcmp(const char* str1, const char* str2) {
#undef strncmp
int strncmp(const char* str1, const char* str2, size_t len) {
int strncmp(const char *str1, const char *str2, size_t len) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
@ -343,7 +343,7 @@ int strncmp(const char* str1, const char* str2, size_t len) {
#undef strcasecmp
int strcasecmp(const char* str1, const char* str2) {
int strcasecmp(const char *str1, const char *str2) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
@ -367,7 +367,7 @@ int strcasecmp(const char* str1, const char* str2) {
#undef strncasecmp
int strncasecmp(const char* str1, const char* str2, size_t len) {
int strncasecmp(const char *str1, const char *str2, size_t len) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
@ -393,7 +393,7 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
#undef memcmp
int memcmp(const void* mem1, const void* mem2, size_t len) {
int memcmp(const void *mem1, const void *mem2, size_t len) {
if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
@ -402,8 +402,8 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
if (__libc_memcmp) return __libc_memcmp(mem1, mem2, len);
#endif
const char* strmem1 = (const char*)mem1;
const char* strmem2 = (const char*)mem2;
const char *strmem1 = (const char *)mem1;
const char *strmem2 = (const char *)mem2;
while (len--) {
@ -420,7 +420,7 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
#undef bcmp
int bcmp(const void* mem1, const void* mem2, size_t len) {
int bcmp(const void *mem1, const void *mem2, size_t len) {
if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
@ -429,8 +429,8 @@ int bcmp(const void* mem1, const void* mem2, size_t len) {
if (__libc_bcmp) return __libc_bcmp(mem1, mem2, len);
#endif
const char* strmem1 = (const char*)mem1;
const char* strmem2 = (const char*)mem2;
const char *strmem1 = (const char *)mem1;
const char *strmem2 = (const char *)mem2;
while (len--) {
@ -447,7 +447,7 @@ int bcmp(const void* mem1, const void* mem2, size_t len) {
#undef strstr
char* strstr(const char* haystack, const char* needle) {
char *strstr(const char *haystack, const char *needle) {
if (__tokencap_is_ro(haystack))
__tokencap_dump(haystack, strlen(haystack), 1);
@ -460,13 +460,13 @@ char* strstr(const char* haystack, const char* needle) {
do {
const char* n = needle;
const char* h = haystack;
const char *n = needle;
const char *h = haystack;
while (*n && *h && *n == *h)
n++, h++;
if (!*n) return (char*)haystack;
if (!*n) return (char *)haystack;
} while (*(haystack++));
@ -476,7 +476,7 @@ char* strstr(const char* haystack, const char* needle) {
#undef strcasestr
char* strcasestr(const char* haystack, const char* needle) {
char *strcasestr(const char *haystack, const char *needle) {
if (__tokencap_is_ro(haystack))
__tokencap_dump(haystack, strlen(haystack), 1);
@ -489,13 +489,13 @@ char* strcasestr(const char* haystack, const char* needle) {
do {
const char* n = needle;
const char* h = haystack;
const char *n = needle;
const char *h = haystack;
while (*n && *h && tolower(*n) == tolower(*h))
n++, h++;
if (!*n) return (char*)haystack;
if (!*n) return (char *)haystack;
} while (*(haystack++));
@ -505,7 +505,7 @@ char* strcasestr(const char* haystack, const char* needle) {
#undef memmem
void* memmem(const void* haystack, size_t haystack_len, const void* needle,
void *memmem(const void *haystack, size_t haystack_len, const void *needle,
size_t needle_len) {
if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1);
@ -517,19 +517,19 @@ void* memmem(const void* haystack, size_t haystack_len, const void* needle,
return __libc_memmem(haystack, haystack_len, needle, needle_len);
#endif
const char* n = (const char*)needle;
const char* h = (const char*)haystack;
const char *n = (const char *)needle;
const char *h = (const char *)haystack;
if (haystack_len < needle_len) return 0;
if (needle_len == 0) return (void*)haystack;
if (needle_len == 0) return (void *)haystack;
if (needle_len == 1) return memchr(haystack, *n, haystack_len);
const char* end = h + (haystack_len - needle_len);
const char *end = h + (haystack_len - needle_len);
do {
if (*h == *n) {
if (memcmp(h, n, needle_len) == 0) return (void*)h;
if (memcmp(h, n, needle_len) == 0) return (void *)h;
}
@ -544,31 +544,31 @@ void* memmem(const void* haystack, size_t haystack_len, const void* needle,
/*
* Apache's httpd wrappers
*/
int ap_cstr_casecmp(const char* s1, const char* s2) {
int ap_cstr_casecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2);
}
int ap_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
int ap_cstr_casecmpn(const char *s1, const char *s2, size_t n) {
return strncasecmp(s1, s2, n);
}
const char* ap_strcasestr(const char* s1, const char* s2) {
const char *ap_strcasestr(const char *s1, const char *s2) {
return strcasestr(s1, s2);
}
int apr_cstr_casecmp(const char* s1, const char* s2) {
int apr_cstr_casecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2);
}
int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
int apr_cstr_casecmpn(const char *s1, const char *s2, size_t n) {
return strncasecmp(s1, s2, n);
@ -577,31 +577,31 @@ int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
/*
* *SSL wrappers
*/
int CRYPTO_memcmp(const void* m1, const void* m2, size_t len) {
int CRYPTO_memcmp(const void *m1, const void *m2, size_t len) {
return memcmp(m1, m2, len);
}
int OPENSSL_memcmp(const void* m1, const void* m2, size_t len) {
int OPENSSL_memcmp(const void *m1, const void *m2, size_t len) {
return memcmp(m1, m2, len);
}
int OPENSSL_strcasecmp(const char* s1, const char* s2) {
int OPENSSL_strcasecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2);
}
int OPENSSL_strncasecmp(const char* s1, const char* s2, size_t len) {
int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t len) {
return strncasecmp(s1, s2, len);
}
int32_t memcmpct(const void* s1, const void* s2, size_t len) {
int32_t memcmpct(const void *s1, const void *s2, size_t len) {
return memcmp(s1, s2, len);
@ -610,7 +610,7 @@ int32_t memcmpct(const void* s1, const void* s2, size_t len) {
/*
* libXML wrappers
*/
int xmlStrncmp(const char* s1, const char* s2, int len) {
int xmlStrncmp(const char *s1, const char *s2, int len) {
if (len <= 0) { return 0; }
if (s1 == s2) { return 0; }
@ -620,7 +620,7 @@ int xmlStrncmp(const char* s1, const char* s2, int len) {
}
int xmlStrcmp(const char* s1, const char* s2) {
int xmlStrcmp(const char *s1, const char *s2) {
if (s1 == s2) { return 0; }
if (s1 == NULL) { return -1; }
@ -629,7 +629,7 @@ int xmlStrcmp(const char* s1, const char* s2) {
}
int xmlStrEqual(const char* s1, const char* s2) {
int xmlStrEqual(const char *s1, const char *s2) {
if (s1 == s2) { return 1; }
if (s1 == NULL) { return 0; }
@ -639,7 +639,7 @@ int xmlStrEqual(const char* s1, const char* s2) {
}
int xmlStrcasecmp(const char* s1, const char* s2) {
int xmlStrcasecmp(const char *s1, const char *s2) {
if (s1 == s2) { return 0; }
if (s1 == NULL) { return -1; }
@ -648,7 +648,7 @@ int xmlStrcasecmp(const char* s1, const char* s2) {
}
int xmlStrncasecmp(const char* s1, const char* s2, int len) {
int xmlStrncasecmp(const char *s1, const char *s2, int len) {
if (len <= 0) { return 0; }
if (s1 == s2) { return 0; }
@ -658,7 +658,7 @@ int xmlStrncasecmp(const char* s1, const char* s2, int len) {
}
const char* xmlStrstr(const char* haystack, const char* needle) {
const char *xmlStrstr(const char *haystack, const char *needle) {
if (haystack == NULL) { return NULL; }
if (needle == NULL) { return NULL; }
@ -666,7 +666,7 @@ const char* xmlStrstr(const char* haystack, const char* needle) {
}
const char* xmlStrcasestr(const char* haystack, const char* needle) {
const char *xmlStrcasestr(const char *haystack, const char *needle) {
if (haystack == NULL) { return NULL; }
if (needle == NULL) { return NULL; }
@ -677,13 +677,13 @@ const char* xmlStrcasestr(const char* haystack, const char* needle) {
/*
* Samba wrappers
*/
int memcmp_const_time(const void* s1, const void* s2, size_t n) {
int memcmp_const_time(const void *s1, const void *s2, size_t n) {
return memcmp(s1, s2, n);
}
bool strcsequal(const void* s1, const void* s2) {
bool strcsequal(const void *s1, const void *s2) {
if (s1 == s2) { return true; }
if (!s1 || !s2) { return false; }
@ -693,13 +693,13 @@ bool strcsequal(const void* s1, const void* s2) {
/* bcmp/memcmp BSD flavors, similar to CRYPTO_memcmp */
int timingsafe_bcmp(const void* mem1, const void* mem2, size_t len) {
int timingsafe_bcmp(const void *mem1, const void *mem2, size_t len) {
return bcmp(mem1, mem2, len);
}
int timingsafe_memcmp(const void* mem1, const void* mem2, size_t len) {
int timingsafe_memcmp(const void *mem1, const void *mem2, size_t len) {
return memcmp(mem1, mem2, len);
@ -709,7 +709,7 @@ int timingsafe_memcmp(const void* mem1, const void* mem2, size_t len) {
__attribute__((constructor)) void __tokencap_init(void) {
u8* fn = getenv("AFL_TOKEN_FILE");
u8 *fn = getenv("AFL_TOKEN_FILE");
if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0655);
if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO;
__tokencap_pid = getpid();

42
llvm_mode/afl-clang-fast.c
View File

@ -37,20 +37,20 @@
#include <limits.h>
#include <assert.h>
static u8* obj_path; /* Path to runtime libraries */
static u8** cc_params; /* Parameters passed to the real CC */
static u8 *obj_path; /* Path to runtime libraries */
static u8 **cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 llvm_fullpath[PATH_MAX];
static u8 lto_mode;
static u8* lto_flag = AFL_CLANG_FLTO;
static u8* march_opt = CFLAGS_OPT;
static u8 *lto_flag = AFL_CLANG_FLTO;
static u8 *march_opt = CFLAGS_OPT;
static u8 debug;
static u8 cwd[4096];
static u8 cmplog_mode;
u8 use_stdin = 0; /* dummy */
u8 be_quiet = 0;
u8* getthecwd() {
u8 *getthecwd() {
static u8 fail[] = "";
if (getcwd(cwd, sizeof(cwd)) == NULL) return fail;
@ -60,9 +60,9 @@ u8* getthecwd() {
/* Try to find the runtime libraries. If that fails, abort. */
static void find_obj(u8* argv0) {
static void find_obj(u8 *argv0) {
u8* afl_path = getenv("AFL_PATH");
u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp;
if (afl_path) {
@ -89,7 +89,7 @@ static void find_obj(u8* argv0) {
if (slash) {
u8* dir;
u8 *dir;
*slash = 0;
dir = ck_strdup(argv0);
@ -135,13 +135,13 @@ static void find_obj(u8* argv0) {
/* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) {
static void edit_params(u32 argc, char **argv) {
u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0;
u8 has_llvm_config = 0;
u8* name;
u8 *name;
cc_params = ck_alloc((argc + 128) * sizeof(u8*));
cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
name = strrchr(argv[0], '/');
if (!name)
@ -168,21 +168,21 @@ static void edit_params(u32 argc, char** argv) {
if (!strcmp(name, "afl-clang-fast++") || !strcmp(name, "afl-clang-lto++")) {
u8* alt_cxx = getenv("AFL_CXX");
u8 *alt_cxx = getenv("AFL_CXX");
if (has_llvm_config)
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR);
else
sprintf(llvm_fullpath, "clang++");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)llvm_fullpath;
cc_params[0] = alt_cxx ? alt_cxx : (u8 *)llvm_fullpath;
} else {
u8* alt_cc = getenv("AFL_CC");
u8 *alt_cc = getenv("AFL_CC");
if (has_llvm_config)
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR);
else
sprintf(llvm_fullpath, "clang");
cc_params[0] = alt_cc ? alt_cc : (u8*)llvm_fullpath;
cc_params[0] = alt_cc ? alt_cc : (u8 *)llvm_fullpath;
}
@ -267,8 +267,8 @@ static void edit_params(u32 argc, char** argv) {
if (lto_mode) {
char* old_path = getenv("PATH");
char* new_path = alloc_printf("%s:%s", AFL_PATH, old_path);
char *old_path = getenv("PATH");
char *new_path = alloc_printf("%s:%s", AFL_PATH, old_path);
setenv("PATH", new_path, 1);
setenv("AFL_LD", "1", 1);
@ -322,7 +322,7 @@ static void edit_params(u32 argc, char** argv) {
while (--argc) {
u8* cur = *(++argv);
u8 *cur = *(++argv);
if (!strcmp(cur, "-m32")) bit_mode = 32;
if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
@ -521,10 +521,10 @@ static void edit_params(u32 argc, char** argv) {
/* Main entry point */
int main(int argc, char** argv, char** envp) {
int main(int argc, char **argv, char **envp) {
int i;
char* callname = "afl-clang-fast";
char *callname = "afl-clang-fast";
if (getenv("AFL_DEBUG")) {
@ -671,7 +671,7 @@ int main(int argc, char** argv, char** envp) {
}
execvp(cc_params[0], (char**)cc_params);
execvp(cc_params[0], (char **)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);

68
llvm_mode/afl-ld.c
View File

@ -51,17 +51,17 @@ static u8 **ld_params, /* Parameters passed to the real 'ld' */
**opt_params, /* Parameters passed to 'opt' opt */
**inst_params; /* Parameters passed to 'opt' inst */
static u8* input_file; /* Originally specified input file */
static u8 *input_file; /* Originally specified input file */
static u8 *final_file, /* Instrumented file for the real 'ld' */
*linked_file, /* file where we link all files */
*modified_file; /* file that was optimized before instr */
static u8* afl_path = AFL_PATH;
static u8* real_ld = AFL_REAL_LD;
static u8 *afl_path = AFL_PATH;
static u8 *real_ld = AFL_REAL_LD;
static u8 cwd[4096];
static u8* tmp_dir;
static u8* ar_dir;
static u8 *tmp_dir;
static u8 *ar_dir;
static u8 ar_dir_cnt;
static u8* libdirs[254];
static u8 *libdirs[254];
static u8 libdir_cnt;
static u8 be_quiet, /* Quiet mode (no stderr output) */
@ -76,10 +76,10 @@ static u32 ld_param_cnt = 1, /* Number of params to 'ld' */
inst_param_cnt = 1; /* Number of params to 'opt' instr */
/* This function wipes a directory - our AR unpack directory in this case */
static u8 wipe_directory(u8* path) {
static u8 wipe_directory(u8 *path) {
DIR* d;
struct dirent* d_ent;
DIR *d;
struct dirent *d_ent;
d = opendir(path);
@ -89,7 +89,7 @@ static u8 wipe_directory(u8* path) {
if (strcmp(d_ent->d_name, ".") != 0 && strcmp(d_ent->d_name, "..") != 0) {
u8* fname = alloc_printf("%s/%s", path, d_ent->d_name);
u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name);
if (unlink(fname)) PFATAL("Unable to delete '%s'", fname);
ck_free(fname);
@ -142,7 +142,7 @@ static void at_exit_handler(void) {
/* This function checks if the parameter is a) an existing file and b)
if it is a BC or LL file, if both are true it returns 1 and 0 otherwise */
int is_llvm_file(const char* file) {
int is_llvm_file(const char *file) {
int fd;
u8 buf[5];
@ -169,7 +169,7 @@ int is_llvm_file(const char* file) {
}
/* Return the current working directory, not thread safe ;-) */
u8* getthecwd() {
u8 *getthecwd() {
static u8 fail[] = "";
if (getcwd(cwd, sizeof(cwd)) == NULL) return fail;
@ -178,7 +178,7 @@ u8* getthecwd() {
}
/* Check if an ar extracted file is already in the parameter list */
int is_duplicate(u8** params, u32 ld_param_cnt, u8* ar_file) {
int is_duplicate(u8 **params, u32 ld_param_cnt, u8 *ar_file) {
for (uint32_t i = 0; i < ld_param_cnt; i++)
if (params[i] != NULL)
@ -191,7 +191,7 @@ int is_duplicate(u8** params, u32 ld_param_cnt, u8* ar_file) {
/* Examine and modify parameters to pass to 'ld', 'llvm-link' and 'llmv-ar'.
Note that the file name is always the last parameter passed by GCC,
so we exploit this property to keep the code "simple". */
static void edit_params(int argc, char** argv) {
static void edit_params(int argc, char **argv) {
u32 i, have_lto = 0, libdir_index;
u8 libdir_file[4096];
@ -212,12 +212,12 @@ static void edit_params(int argc, char** argv) {
final_file =
alloc_printf("%s/.afl-%u-%u-3.bc", tmp_dir, getpid(), (u32)time(NULL));
ld_params = ck_alloc(4096 * sizeof(u8*));
link_params = ck_alloc(4096 * sizeof(u8*));
inst_params = ck_alloc(12 * sizeof(u8*));
opt_params = ck_alloc(12 * sizeof(u8*));
ld_params = ck_alloc(4096 * sizeof(u8 *));
link_params = ck_alloc(4096 * sizeof(u8 *));
inst_params = ck_alloc(12 * sizeof(u8 *));
opt_params = ck_alloc(12 * sizeof(u8 *));
ld_params[0] = (u8*)real_ld;
ld_params[0] = (u8 *)real_ld;
ld_params[ld_param_cnt++] = "--allow-multiple-definition";
link_params[0] = alloc_printf("%s/%s", LLVM_BINDIR, "llvm-link");
@ -328,13 +328,13 @@ static void edit_params(int argc, char** argv) {
// where the same "foo.o" was in both .a archives. llvm-link does not
// like this so we have to work around that ...
u8 this_wd[4096], *this_ar;
u8 ar_params_cnt = 4;
u8* ar_params[ar_params_cnt];
u8* file = argv[i];
s32 pid, status;
DIR* arx;
struct dirent* dir_ent;
u8 this_wd[4096], *this_ar;
u8 ar_params_cnt = 4;
u8 *ar_params[ar_params_cnt];
u8 *file = argv[i];
s32 pid, status;
DIR *arx;
struct dirent *dir_ent;
if (libdir_index < libdir_cnt) file = libdir_file;
@ -373,7 +373,7 @@ static void edit_params(int argc, char** argv) {
if (!(pid = fork())) {
execvp(ar_params[0], (char**)ar_params);
execvp(ar_params[0], (char **)ar_params);
FATAL("Oops, failed to execute '%s'", ar_params[0]);
}
@ -389,7 +389,7 @@ static void edit_params(int argc, char** argv) {
while ((dir_ent = readdir(arx)) != NULL) {
u8* ar_file = alloc_printf("%s/%s", ar_dir, dir_ent->d_name);
u8 *ar_file = alloc_printf("%s/%s", ar_dir, dir_ent->d_name);
if (dir_ent->d_name[strlen(dir_ent->d_name) - 1] == 'o' &&
dir_ent->d_name[strlen(dir_ent->d_name) - 2] == '.') {
@ -535,7 +535,7 @@ void clean_path() {
/* Main entry point */
int main(int argc, char** argv) {
int main(int argc, char **argv) {
s32 pid, i;
int status;
@ -665,7 +665,7 @@ int main(int argc, char** argv) {
if (!(pid = fork())) {
execvp(link_params[0], (char**)link_params);
execvp(link_params[0], (char **)link_params);
FATAL("Oops, failed to execute '%s'", link_params[0]);
}
@ -707,7 +707,7 @@ int main(int argc, char** argv) {
if (!(pid = fork())) {
execvp(opt_params[0], (char**)opt_params);
execvp(opt_params[0], (char **)opt_params);
FATAL("Oops, failed to execute '%s'", opt_params[0]);
}
@ -730,7 +730,7 @@ int main(int argc, char** argv) {
if (!(pid = fork())) {
execvp(inst_params[0], (char**)inst_params);
execvp(inst_params[0], (char **)inst_params);
FATAL("Oops, failed to execute '%s'", inst_params[0]);
}
@ -761,8 +761,8 @@ int main(int argc, char** argv) {
unsetenv("AFL_LD");
if (strlen(real_ld) > 1) execvp(real_ld, (char**)ld_params);
execvp("ld", (char**)ld_params); // fallback
if (strlen(real_ld) > 1) execvp(real_ld, (char **)ld_params);
execvp("ld", (char **)ld_params); // fallback
FATAL("Oops, failed to execute 'ld' - check your PATH");
}

42
llvm_mode/afl-llvm-rt.o.c
View File

@ -59,7 +59,7 @@
run. It will end up as .comm, so it shouldn't be too wasteful. */
u8 __afl_area_initial[MAP_SIZE];
u8* __afl_area_ptr = __afl_area_initial;
u8 *__afl_area_ptr = __afl_area_initial;
#ifdef __ANDROID__
u32 __afl_prev_loc;
@ -69,7 +69,7 @@ __thread u32 __afl_prev_loc;
__thread u32 __afl_final_loc;
#endif
struct cmp_map* __afl_cmp_map;
struct cmp_map *__afl_cmp_map;
__thread u32 __afl_cmp_counter;
/* Running in persistent mode? */
@ -80,7 +80,7 @@ static u8 is_persistent;
static void __afl_map_shm(void) {
u8* id_str = getenv(SHM_ENV_VAR);
u8 *id_str = getenv(SHM_ENV_VAR);
/* If we're running under AFL, attach to the appropriate region, replacing the
early-stage __afl_area_initial region that is needed to allow some really
@ -89,9 +89,9 @@ static void __afl_map_shm(void) {
if (id_str) {
#ifdef USEMMAP
const char* shm_file_path = id_str;
int shm_fd = -1;
unsigned char* shm_base = NULL;
const char *shm_file_path = id_str;
int shm_fd = -1;
unsigned char *shm_base = NULL;
/* create the shared memory segment as if it was a file */
shm_fd = shm_open(shm_file_path, O_RDWR, 0600);
@ -123,7 +123,7 @@ static void __afl_map_shm(void) {
/* Whooooops. */
if (__afl_area_ptr == (void*)-1) _exit(1);
if (__afl_area_ptr == (void *)-1) _exit(1);
/* Write something into the bitmap so that even with low AFL_INST_RATIO,
our parent doesn't give up on us. */
@ -137,9 +137,9 @@ static void __afl_map_shm(void) {
if (id_str) {
#ifdef USEMMAP
const char* shm_file_path = id_str;
int shm_fd = -1;
unsigned char* shm_base = NULL;
const char *shm_file_path = id_str;
int shm_fd = -1;
unsigned char *shm_base = NULL;
/* create the shared memory segment as if it was a file */
shm_fd = shm_open(shm_file_path, O_RDWR, 0600);
@ -170,7 +170,7 @@ static void __afl_map_shm(void) {
__afl_cmp_map = shmat(shm_id, NULL, 0);
#endif
if (__afl_cmp_map == (void*)-1) _exit(1);
if (__afl_cmp_map == (void *)-1) _exit(1);
}
@ -354,7 +354,7 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
The first function (__sanitizer_cov_trace_pc_guard) is called back on every
edge (as opposed to every basic block). */
void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
__afl_area_ptr[*guard]++;
@ -364,10 +364,10 @@ void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
ID of 0 as a special value to indicate non-instrumented bits. That may
still touch the bitmap, but in a fairly harmless way. */
void __sanitizer_cov_trace_pc_guard_init(uint32_t* start, uint32_t* stop) {
void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
u32 inst_ratio = 100;
u8* x;
u8 *x;
if (start == stop || *start) return;
@ -504,7 +504,7 @@ void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2)
__attribute__((alias("__cmplog_ins_hook8")));
#endif /* defined(__APPLE__) */
void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t* Cases) {
void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
for (uint64_t i = 0; i < Cases[0]; i++) {
@ -530,10 +530,10 @@ void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t* Cases) {
// POSIX shenanigan to see if an area is mapped.
// If it is mapped as X-only, we have a problem, so maybe we should add a check
// to avoid to call it on .text addresses
static int area_is_mapped(void* ptr, size_t len) {
static int area_is_mapped(void *ptr, size_t len) {
char* p = ptr;
char* page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1));
char *p = ptr;
char *page = (char *)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1));
int r = msync(page, (p - page) + len, MS_ASYNC);
if (r < 0) return errno != ENOMEM;
@ -541,7 +541,7 @@ static int area_is_mapped(void* ptr, size_t len) {
}
void __cmplog_rtn_hook(void* ptr1, void* ptr2) {
void __cmplog_rtn_hook(void *ptr1, void *ptr2) {
if (!__afl_cmp_map) return;
@ -559,9 +559,9 @@ void __cmplog_rtn_hook(void* ptr1, void* ptr2) {
__afl_cmp_map->headers[k].shape = 31;
hits &= CMP_MAP_RTN_H - 1;
__builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0,
__builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0,
ptr1, 32);
__builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1,
__builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1,
ptr2, 32);
}

92
qemu_mode/libcompcov/libcompcov.so.c
View File

@ -45,15 +45,15 @@
static void *__compcov_code_start, *__compcov_code_end;
static u8* __compcov_afl_map;
static u8 *__compcov_afl_map;
static u32 __compcov_level;
static int (*__libc_strcmp)(const char*, const char*);
static int (*__libc_strncmp)(const char*, const char*, size_t);
static int (*__libc_strcasecmp)(const char*, const char*);
static int (*__libc_strncasecmp)(const char*, const char*, size_t);
static int (*__libc_memcmp)(const void*, const void*, size_t);
static int (*__libc_strcmp)(const char *, const char *);
static int (*__libc_strncmp)(const char *, const char *, size_t);
static int (*__libc_strcasecmp)(const char *, const char *);
static int (*__libc_strncasecmp)(const char *, const char *, size_t);
static int (*__libc_memcmp)(const void *, const void *, size_t);
static int debug_fd = -1;
@ -65,7 +65,7 @@ static u32 __compcov_ro_cnt;
/* Check an address against the list of read-only mappings. */
static u8 __compcov_is_ro(const void* ptr) {
static u8 __compcov_is_ro(const void *ptr) {
u32 i;
@ -76,7 +76,7 @@ static u8 __compcov_is_ro(const void* ptr) {
}
static size_t __strlen2(const char* s1, const char* s2, size_t max_length) {
static size_t __strlen2(const char *s1, const char *s2, size_t max_length) {
// from https://github.com/googleprojectzero/CompareCoverage
@ -103,7 +103,7 @@ static void __compcov_load(void) {
}
char* id_str = getenv(SHM_ENV_VAR);
char *id_str = getenv(SHM_ENV_VAR);
int shm_id;
if (id_str) {
@ -111,7 +111,7 @@ static void __compcov_load(void) {
shm_id = atoi(id_str);
__compcov_afl_map = shmat(shm_id, NULL, 0);
if (__compcov_afl_map == (void*)-1) exit(1);
if (__compcov_afl_map == (void *)-1) exit(1);
} else {
@ -121,16 +121,16 @@ static void __compcov_load(void) {
if (getenv("AFL_INST_LIBS")) {
__compcov_code_start = (void*)0;
__compcov_code_end = (void*)-1;
__compcov_code_start = (void *)0;
__compcov_code_end = (void *)-1;
return;
}
char* bin_name = getenv("AFL_COMPCOV_BINNAME");
char *bin_name = getenv("AFL_COMPCOV_BINNAME");
procmaps_iterator* maps = pmparser_parse(-1);
procmaps_struct* maps_tmp = NULL;
procmaps_iterator *maps = pmparser_parse(-1);
procmaps_struct *maps_tmp = NULL;
while ((maps_tmp = pmparser_next(maps)) != NULL) {
@ -159,7 +159,7 @@ static void __compcov_load(void) {
}
static void __compcov_trace(u64 cur_loc, const u8* v0, const u8* v1, size_t n) {
static void __compcov_trace(u64 cur_loc, const u8 *v0, const u8 *v1, size_t n) {
size_t i;
@ -167,8 +167,8 @@ static void __compcov_trace(u64 cur_loc, const u8* v0, const u8* v1, size_t n) {
char debugbuf[4096];
snprintf(debugbuf, sizeof(debugbuf), "0x%llx %s %s %lu\n", cur_loc,
v0 == NULL ? "(null)" : (char*)v0,
v1 == NULL ? "(null)" : (char*)v1, n);
v0 == NULL ? "(null)" : (char *)v0,
v1 == NULL ? "(null)" : (char *)v1, n);
write(debug_fd, debugbuf, strlen(debugbuf));
}
@ -183,7 +183,7 @@ static void __compcov_trace(u64 cur_loc, const u8* v0, const u8* v1, size_t n) {
/* Check an address against the list of read-only mappings. */
static u8 __compcov_is_in_bound(const void* ptr) {
static u8 __compcov_is_in_bound(const void *ptr) {
return ptr >= __compcov_code_start && ptr < __compcov_code_end;
@ -194,9 +194,9 @@ static u8 __compcov_is_in_bound(const void* ptr) {
#undef strcmp
int strcmp(const char* str1, const char* str2) {
int strcmp(const char *str1, const char *str2) {
void* retaddr = __builtin_return_address(0);
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(str1) &&
@ -222,9 +222,9 @@ int strcmp(const char* str1, const char* str2) {
#undef strncmp
int strncmp(const char* str1, const char* str2, size_t len) {
int strncmp(const char *str1, const char *str2, size_t len) {
void* retaddr = __builtin_return_address(0);
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(str1) &&
@ -251,9 +251,9 @@ int strncmp(const char* str1, const char* str2, size_t len) {
#undef strcasecmp
int strcasecmp(const char* str1, const char* str2) {
int strcasecmp(const char *str1, const char *str2) {
void* retaddr = __builtin_return_address(0);
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(str1) &&
@ -281,9 +281,9 @@ int strcasecmp(const char* str1, const char* str2) {
#undef strncasecmp
int strncasecmp(const char* str1, const char* str2, size_t len) {
int strncasecmp(const char *str1, const char *str2, size_t len) {
void* retaddr = __builtin_return_address(0);
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(str1) &&
@ -312,9 +312,9 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
#undef memcmp
int memcmp(const void* mem1, const void* mem2, size_t len) {
int memcmp(const void *mem1, const void *mem2, size_t len) {
void* retaddr = __builtin_return_address(0);
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(mem1) &&
@ -345,25 +345,25 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
/*
* Apache's httpd wrappers
*/
int ap_cstr_casecmp(const char* s1, const char* s2) {
int ap_cstr_casecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2);
}
int ap_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
int ap_cstr_casecmpn(const char *s1, const char *s2, size_t n) {
return strncasecmp(s1, s2, n);
}
int apr_cstr_casecmp(const char* s1, const char* s2) {
int apr_cstr_casecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2);
}
int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
int apr_cstr_casecmpn(const char *s1, const char *s2, size_t n) {
return strncasecmp(s1, s2, n);
@ -372,31 +372,31 @@ int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
/*
* *SSL wrappers
*/
int CRYPTO_memcmp(const void* m1, const void* m2, size_t len) {
int CRYPTO_memcmp(const void *m1, const void *m2, size_t len) {
return memcmp(m1, m2, len);
}
int OPENSSL_memcmp(const void* m1, const void* m2, size_t len) {
int OPENSSL_memcmp(const void *m1, const void *m2, size_t len) {
return memcmp(m1, m2, len);
}
int OPENSSL_strcasecmp(const char* s1, const char* s2) {
int OPENSSL_strcasecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2);
}
int OPENSSL_strncasecmp(const char* s1, const char* s2, size_t len) {
int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t len) {
return strncasecmp(s1, s2, len);
}
int32_t memcmpct(const void* s1, const void* s2, size_t len) {
int32_t memcmpct(const void *s1, const void *s2, size_t len) {
return memcmp(s1, s2, len);
@ -405,7 +405,7 @@ int32_t memcmpct(const void* s1, const void* s2, size_t len) {
/*
* libXML wrappers
*/
int xmlStrncmp(const char* s1, const char* s2, int len) {
int xmlStrncmp(const char *s1, const char *s2, int len) {
if (len <= 0) { return 0; }
if (s1 == s2) { return 0; }
@ -415,7 +415,7 @@ int xmlStrncmp(const char* s1, const char* s2, int len) {
}
int xmlStrcmp(const char* s1, const char* s2) {
int xmlStrcmp(const char *s1, const char *s2) {
if (s1 == s2) { return 0; }
if (s1 == NULL) { return -1; }
@ -424,7 +424,7 @@ int xmlStrcmp(const char* s1, const char* s2) {
}
int xmlStrEqual(const char* s1, const char* s2) {
int xmlStrEqual(const char *s1, const char *s2) {
if (s1 == s2) { return 1; }
if (s1 == NULL) { return 0; }
@ -434,7 +434,7 @@ int xmlStrEqual(const char* s1, const char* s2) {
}
int xmlStrcasecmp(const char* s1, const char* s2) {
int xmlStrcasecmp(const char *s1, const char *s2) {
if (s1 == s2) { return 0; }
if (s1 == NULL) { return -1; }
@ -443,7 +443,7 @@ int xmlStrcasecmp(const char* s1, const char* s2) {
}
int xmlStrncasecmp(const char* s1, const char* s2, int len) {
int xmlStrncasecmp(const char *s1, const char *s2, int len) {
if (len <= 0) { return 0; }
if (s1 == s2) { return 0; }
@ -453,7 +453,7 @@ int xmlStrncasecmp(const char* s1, const char* s2, int len) {
}
const char* xmlStrcasestr(const char* haystack, const char* needle) {
const char *xmlStrcasestr(const char *haystack, const char *needle) {
if (haystack == NULL) { return NULL; }
if (needle == NULL) { return NULL; }
@ -464,13 +464,13 @@ const char* xmlStrcasestr(const char* haystack, const char* needle) {
/*
* Samba wrappers
*/
int memcmp_const_time(const void* s1, const void* s2, size_t n) {
int memcmp_const_time(const void *s1, const void *s2, size_t n) {
return memcmp(s1, s2, n);
}
bool strcsequal(const void* s1, const void* s2) {
bool strcsequal(const void *s1, const void *s2) {
if (s1 == s2) { return true; }
if (!s1 || !s2) { return false; }

60
qemu_mode/libcompcov/pmparser.h
View File

@ -32,8 +32,8 @@ implied warranty.
*/
typedef struct procmaps_struct {
void* addr_start; //< start address of the area
void* addr_end; //< end address
void *addr_start; //< start address of the area
void *addr_end; //< end address
unsigned long length; //< size of the range
char perm[5]; //< permissions rwxp
@ -48,7 +48,7 @@ typedef struct procmaps_struct {
char pathname[600]; //< the path of the file that backs the area
// chained list
struct procmaps_struct* next; //<handler of the chinaed list
struct procmaps_struct *next; //<handler of the chinaed list
} procmaps_struct;
@ -58,8 +58,8 @@ typedef struct procmaps_struct {
*/
typedef struct procmaps_iterator {
procmaps_struct* head;
procmaps_struct* current;
procmaps_struct *head;
procmaps_struct *current;
} procmaps_iterator;
@ -69,7 +69,7 @@ typedef struct procmaps_iterator {
* if pid<0
* @return an iterator over all the nodes
*/
procmaps_iterator* pmparser_parse(int pid);
procmaps_iterator *pmparser_parse(int pid);
/**
* pmparser_next
@ -77,28 +77,28 @@ procmaps_iterator* pmparser_parse(int pid);
* @param p_procmaps_it the iterator to move on step in the chained list
* @return a procmaps structure filled with information about this VM area
*/
procmaps_struct* pmparser_next(procmaps_iterator* p_procmaps_it);
procmaps_struct *pmparser_next(procmaps_iterator *p_procmaps_it);
/**
* pmparser_free
* @description should be called at the end to free the resources
* @param p_procmaps_it the iterator structure returned by pmparser_parse
*/
void pmparser_free(procmaps_iterator* p_procmaps_it);
void pmparser_free(procmaps_iterator *p_procmaps_it);
/**
* _pmparser_split_line
* @description internal usage
*/
void _pmparser_split_line(char* buf, char* addr1, char* addr2, char* perm,
char* offset, char* device, char* inode,
char* pathname);
void _pmparser_split_line(char *buf, char *addr1, char *addr2, char *perm,
char *offset, char *device, char *inode,
char *pathname);
/**
* pmparser_print
* @param map the head of the list
* @order the order of the area to print, -1 to print everything
*/
void pmparser_print(procmaps_struct* map, int order);
void pmparser_print(procmaps_struct *map, int order);
/**
* gobal variables
@ -106,9 +106,9 @@ void pmparser_print(procmaps_struct* map, int order);
// procmaps_struct* g_last_head=NULL;
// procmaps_struct* g_current=NULL;
procmaps_iterator* pmparser_parse(int pid) {
procmaps_iterator *pmparser_parse(int pid) {
procmaps_iterator* maps_it = malloc(sizeof(procmaps_iterator));
procmaps_iterator *maps_it = malloc(sizeof(procmaps_iterator));
char maps_path[500];
if (pid >= 0) {
@ -120,7 +120,7 @@ procmaps_iterator* pmparser_parse(int pid) {
}
FILE* file = fopen(maps_path, "r");
FILE *file = fopen(maps_path, "r");
if (!file) {
fprintf(stderr, "pmparser : cannot open the memory maps, %s\n",
@ -132,24 +132,24 @@ procmaps_iterator* pmparser_parse(int pid) {
int ind = 0;
char buf[PROCMAPS_LINE_MAX_LENGTH];
// int c;
procmaps_struct* list_maps = NULL;
procmaps_struct* tmp;
procmaps_struct* current_node = list_maps;
procmaps_struct *list_maps = NULL;
procmaps_struct *tmp;
procmaps_struct *current_node = list_maps;
char addr1[20], addr2[20], perm[8], offset[20], dev[10], inode[30],
pathname[PATH_MAX];
while (!feof(file)) {
fgets(buf, PROCMAPS_LINE_MAX_LENGTH, file);
// allocate a node
tmp = (procmaps_struct*)malloc(sizeof(procmaps_struct));
tmp = (procmaps_struct *)malloc(sizeof(procmaps_struct));
// fill the node
_pmparser_split_line(buf, addr1, addr2, perm, offset, dev, inode, pathname);
// printf("#%s",buf);
// printf("%s-%s %s %s %s
// %s\t%s\n",addr1,addr2,perm,offset,dev,inode,pathname); addr_start &
// addr_end unsigned long l_addr_start;
sscanf(addr1, "%lx", (long unsigned*)&tmp->addr_start);
sscanf(addr2, "%lx", (long unsigned*)&tmp->addr_end);
sscanf(addr1, "%lx", (long unsigned *)&tmp->addr_start);
sscanf(addr2, "%lx", (long unsigned *)&tmp->addr_end);
// size
tmp->length = (unsigned long)(tmp->addr_end - tmp->addr_start);
// perm
@ -194,10 +194,10 @@ procmaps_iterator* pmparser_parse(int pid) {
}
procmaps_struct* pmparser_next(procmaps_iterator* p_procmaps_it) {
procmaps_struct *pmparser_next(procmaps_iterator *p_procmaps_it) {
if (p_procmaps_it->current == NULL) return NULL;
procmaps_struct* p_current = p_procmaps_it->current;
procmaps_struct *p_current = p_procmaps_it->current;
p_procmaps_it->current = p_procmaps_it->current->next;
return p_current;
/*
@ -214,12 +214,12 @@ procmaps_struct* pmparser_next(procmaps_iterator* p_procmaps_it) {
}
void pmparser_free(procmaps_iterator* p_procmaps_it) {
void pmparser_free(procmaps_iterator *p_procmaps_it) {
procmaps_struct* maps_list = p_procmaps_it->head;
procmaps_struct *maps_list = p_procmaps_it->head;
if (maps_list == NULL) return;
procmaps_struct* act = maps_list;
procmaps_struct* nxt = act->next;
procmaps_struct *act = maps_list;
procmaps_struct *nxt = act->next;
while (act != NULL) {
free(act);
@ -230,9 +230,9 @@ void pmparser_free(procmaps_iterator* p_procmaps_it) {
}
void _pmparser_split_line(char* buf, char* addr1, char* addr2, char* perm,
char* offset, char* device, char* inode,
char* pathname) {
void _pmparser_split_line(char *buf, char *addr1, char *addr2, char *perm,
char *offset, char *device, char *inode,
char *pathname) {
//
int orig = 0;

8
qemu_mode/patches/afl-qemu-floats.h
View File

@ -64,14 +64,14 @@ union afl_float64 {
// TODO figure out why float*_unpack_canonical does not work
void afl_float_compcov_log_32(target_ulong cur_loc, float32 arg1, float32 arg2,
void* status) {
void *status) {
cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
cur_loc &= MAP_SIZE - 7;
if (cur_loc >= afl_inst_rms) return;
// float_status* s = (float_status*)status;
// float_status*s = (float_status*)status;
// FloatParts a = float32_unpack_canonical(arg1, s);
// FloatParts b = float32_unpack_canonical(arg2, s);
union afl_float32 a = {.f = arg1};
@ -96,14 +96,14 @@ void afl_float_compcov_log_32(target_ulong cur_loc, float32 arg1, float32 arg2,
}
void afl_float_compcov_log_64(target_ulong cur_loc, float64 arg1, float64 arg2,
void* status) {
void *status) {
cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
cur_loc &= MAP_SIZE - 7;
if (cur_loc >= afl_inst_rms) return;
// float_status* s = (float_status*)status;
// float_status*s = (float_status*)status;
// FloatParts a = float64_unpack_canonical(arg1, s);
// FloatParts b = float64_unpack_canonical(arg2, s);
union afl_float64 a = {.f = arg1};

28
qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
View File

@ -34,7 +34,7 @@
#include "afl-qemu-common.h"
#include "tcg.h"
void HELPER(afl_entry_routine)(CPUArchState* env) {
void HELPER(afl_entry_routine)(CPUArchState *env) {
afl_forkserver(ENV_GET_CPU(env));
@ -160,10 +160,10 @@ void HELPER(afl_cmplog_64)(target_ulong cur_loc, target_ulong arg1,
#include <sys/mman.h>
static int area_is_mapped(void* ptr, size_t len) {
static int area_is_mapped(void *ptr, size_t len) {
char* p = ptr;
char* page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1));
char *p = ptr;
char *page = (char *)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1));
int r = msync(page, (p - page) + len, MS_ASYNC);
if (r < 0) return errno != ENOMEM;
@ -171,28 +171,28 @@ static int area_is_mapped(void* ptr, size_t len) {
}
void HELPER(afl_cmplog_rtn)(CPUX86State* env) {
void HELPER(afl_cmplog_rtn)(CPUX86State *env) {
#if defined(TARGET_X86_64)
void* ptr1 = g2h(env->regs[R_EDI]);
void* ptr2 = g2h(env->regs[R_ESI]);
void *ptr1 = g2h(env->regs[R_EDI]);
void *ptr2 = g2h(env->regs[R_ESI]);
#elif defined(TARGET_I386)
target_ulong* stack = g2h(env->regs[R_ESP]);
target_ulong *stack = g2h(env->regs[R_ESP]);
if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return;
// when this hook is executed, the retaddr is not on stack yet
void* ptr1 = g2h(stack[0]);
void* ptr2 = g2h(stack[1]);
void *ptr1 = g2h(stack[0]);
void *ptr2 = g2h(stack[1]);
#else
// dumb code to make it compile
void* ptr1 = NULL;
void* ptr2 = NULL;
void *ptr1 = NULL;
void *ptr2 = NULL;
return;
#endif
@ -211,9 +211,9 @@ void HELPER(afl_cmplog_rtn)(CPUX86State* env) {
__afl_cmp_map->headers[k].shape = 31;
hits &= CMP_MAP_RTN_H - 1;
__builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0,
__builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0,
ptr1, 32);
__builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1,
__builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1,
ptr2, 32);
}

50
src/afl-analyze.c
View File

@ -57,13 +57,13 @@
static s32 child_pid; /* PID of the tested program */
u8* trace_bits; /* SHM with instrumentation bitmap */
u8 *trace_bits; /* SHM with instrumentation bitmap */
static u8 *in_file, /* Analyzer input test case */
*prog_in, /* Targeted program input file */
*doc_path; /* Path to docs */
static u8* in_data; /* Input data for analysis */
static u8 *in_data; /* Input data for analysis */
static u32 in_len, /* Input data length */
orig_cksum, /* Original checksum */
@ -84,7 +84,7 @@ static volatile u8 stop_soon, /* Ctrl-C pressed? */
static u8 qemu_mode;
static u8* target_path;
static u8 *target_path;
/* Constants used for describing byte behavior. */
@ -114,7 +114,7 @@ static u8 count_class_lookup[256] = {
};
static void classify_counts(u8* mem) {
static void classify_counts(u8 *mem) {
u32 i = MAP_SIZE;
@ -144,7 +144,7 @@ static void classify_counts(u8* mem) {
static inline u8 anything_set(void) {
u32* ptr = (u32*)trace_bits;
u32 *ptr = (u32 *)trace_bits;
u32 i = (MAP_SIZE >> 2);
while (i--)
@ -189,7 +189,7 @@ static void read_initial_file(void) {
/* Write output file. */
static s32 write_to_file(u8* path, u8* mem, u32 len) {
static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
s32 ret;
@ -219,7 +219,7 @@ static void handle_timeout(int sig) {
/* Execute target application. Returns exec checksum, or 0 if program
times out. */
static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
static u32 run_target(char **argv, u8 *mem, u32 len, u8 first_run) {
static struct itimerval it;
int status = 0;
@ -243,7 +243,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
if (dup2(use_stdin ? prog_in_fd : dev_null_fd, 0) < 0 ||
dup2(dev_null_fd, 1) < 0 || dup2(dev_null_fd, 2) < 0) {
*(u32*)trace_bits = EXEC_FAIL_SIG;
*(u32 *)trace_bits = EXEC_FAIL_SIG;
PFATAL("dup2() failed");
}
@ -272,7 +272,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
execv(target_path, argv);
*(u32*)trace_bits = EXEC_FAIL_SIG;
*(u32 *)trace_bits = EXEC_FAIL_SIG;
exit(0);
}
@ -299,7 +299,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
/* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)trace_bits == EXEC_FAIL_SIG)
if (*(u32 *)trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]);
classify_counts(trace_bits);
@ -378,7 +378,7 @@ static void show_legend(void) {
/* Interpret and report a pattern in the input file. */
static void dump_hex(u8* buf, u32 len, u8* b_data) {
static void dump_hex(u8 *buf, u32 len, u8 *b_data) {
u32 i;
@ -409,7 +409,7 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) {
case 2: {
u16 val = *(u16*)(in_data + i);
u16 val = *(u16 *)(in_data + i);
/* Small integers may be length fields. */
@ -435,7 +435,7 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) {
case 4: {
u32 val = *(u32*)(in_data + i);
u32 val = *(u32 *)(in_data + i);
/* Small integers may be length fields. */
@ -544,12 +544,12 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) {
/* Actually analyze! */
static void analyze(char** argv) {
static void analyze(char **argv) {
u32 i;
u32 boring_len = 0, prev_xff = 0, prev_x01 = 0, prev_s10 = 0, prev_a10 = 0;
u8* b_data = ck_alloc(in_len + 1);
u8 *b_data = ck_alloc(in_len + 1);
u8 seq_byte = 0;
b_data[in_len] = 0xff; /* Intentional terminator. */
@ -651,14 +651,14 @@ static void handle_stop_sig(int sig) {
static void set_up_environment(void) {
u8* x;
u8 *x;
dev_null_fd = open("/dev/null", O_RDWR);
if (dev_null_fd < 0) PFATAL("Unable to open /dev/null");
if (!prog_in) {
u8* use_dir = ".";
u8 *use_dir = ".";
if (access(use_dir, R_OK | W_OK | X_OK)) {
@ -715,9 +715,9 @@ static void set_up_environment(void) {
if (qemu_mode) {
u8* qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD");
u8* buf;
u8 *qemu_preload = getenv("QEMU_SET_ENV");
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
@ -779,7 +779,7 @@ static void setup_signal_handlers(void) {
/* Display usage hints. */
static void usage(u8* argv0) {
static void usage(u8 *argv0) {
SAYF(
"\n%s [ options ] -- /path/to/target_app [ ... ]\n\n"
@ -822,9 +822,9 @@ static void usage(u8* argv0) {
/* Find binary. */
static void find_binary(u8* fname) {
static void find_binary(u8 *fname) {
u8* env_path = 0;
u8 *env_path = 0;
struct stat st;
if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
@ -877,11 +877,11 @@ static void find_binary(u8* fname) {
/* Main entry point */
int main(int argc, char** argv, char** envp) {
int main(int argc, char **argv, char **envp) {
s32 opt;
u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
char** use_argv;
char **use_argv;
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;

24
src/afl-as.c
View File

@ -53,10 +53,10 @@
#include <sys/wait.h>
#include <sys/time.h>
static u8** as_params; /* Parameters passed to the real 'as' */
static u8 **as_params; /* Parameters passed to the real 'as' */
static u8* input_file; /* Originally specified input file */
static u8* modified_file; /* Instrumented file for the real 'as' */
static u8 *input_file; /* Originally specified input file */
static u8 *modified_file; /* Instrumented file for the real 'as' */
static u8 be_quiet, /* Quiet mode (no stderr output) */
clang_mode, /* Running in clang mode? */
@ -89,7 +89,7 @@ static u8 use_64bit = 0;
is always the last parameter passed by GCC, so we exploit this property
to keep the code simple. */
static void edit_params(int argc, char** argv) {
static void edit_params(int argc, char **argv) {
u8 *tmp_dir = getenv("TMPDIR"), *afl_as = getenv("AFL_AS");
u32 i;
@ -130,9 +130,9 @@ static void edit_params(int argc, char** argv) {
if (!tmp_dir) tmp_dir = getenv("TMP");
if (!tmp_dir) tmp_dir = "/tmp";
as_params = ck_alloc((argc + 32) * sizeof(u8*));
as_params = ck_alloc((argc + 32) * sizeof(u8 *));
as_params[0] = afl_as ? afl_as : (u8*)"as";
as_params[0] = afl_as ? afl_as : (u8 *)"as";
as_params[argc] = 0;
@ -234,8 +234,8 @@ static void add_instrumentation(void) {
static u8 line[MAX_LINE];
FILE* inf;
FILE* outf;
FILE *inf;
FILE *outf;
s32 outfd;
u32 ins_lines = 0;
@ -244,7 +244,7 @@ static void add_instrumentation(void) {
#ifdef __APPLE__
u8* colon_pos;
u8 *colon_pos;
#endif /* __APPLE__ */
@ -498,12 +498,12 @@ static void add_instrumentation(void) {
/* Main entry point */
int main(int argc, char** argv) {
int main(int argc, char **argv) {
s32 pid;
u32 rand_seed;
int status;
u8* inst_ratio_str = getenv("AFL_INST_RATIO");
u8 *inst_ratio_str = getenv("AFL_INST_RATIO");
struct timeval tv;
struct timezone tz;
@ -590,7 +590,7 @@ int main(int argc, char** argv) {
if (!(pid = fork())) {
execvp(as_params[0], (char**)as_params);
execvp(as_params[0], (char **)as_params);
FATAL("Oops, failed to execute '%s' - check your PATH", as_params[0]);
}

44
src/afl-common.c
View File

@ -38,16 +38,16 @@
extern u8 be_quiet;
void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) {
void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) {
u32 i = 0;
#ifdef __GLIBC__
u8* cwd = getcwd(NULL, 0); /* non portable glibc extension */
u8 *cwd = getcwd(NULL, 0); /* non portable glibc extension */
#else
u8* cwd;
char* buf;
u8 *cwd;
char *buf;
long size = pathconf(".", _PC_PATH_MAX);
if ((buf = (char*)malloc((size_t)size)) != NULL) {
if ((buf = (char *)malloc((size_t)size)) != NULL) {
cwd = getcwd(buf, (size_t)size); /* portable version */
ck_free(buf);
@ -67,7 +67,7 @@ void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) {
while (argv[i]) {
u8* aa_loc = strstr(argv[i], "@@");
u8 *aa_loc = strstr(argv[i], "@@");
if (aa_loc) {
@ -111,11 +111,11 @@ void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) {
/* duplicate the system argv so that
we can edit (and free!) it later */
char** argv_cpy_dup(int argc, char** argv) {
char **argv_cpy_dup(int argc, char **argv) {
u32 i = 0;
char** ret = ck_alloc((argc + 1) * sizeof(char*));
char **ret = ck_alloc((argc + 1) * sizeof(char *));
for (i = 0; i < argc; i++) {
@ -132,7 +132,7 @@ char** argv_cpy_dup(int argc, char** argv) {
/* frees all args in the given argv,
previously created by argv_cpy_dup */
void argv_cpy_free(char** argv) {
void argv_cpy_free(char **argv) {
u32 i = 0;
while (argv[i]) {
@ -148,12 +148,12 @@ void argv_cpy_free(char** argv) {
/* Rewrite argv for QEMU. */
char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) {
char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
u8 * tmp, *cp = NULL, *rsl, *own_copy;
char **new_argv = ck_alloc(sizeof(char *) * (argc + 4));
u8 *tmp, *cp = NULL, *rsl, *own_copy;
memcpy(new_argv + 3, argv + 1, (int)(sizeof(char*)) * argc);
memcpy(new_argv + 3, argv + 1, (int)(sizeof(char *)) * argc);
new_argv[2] = *target_path_p;
new_argv[1] = "--";
@ -226,12 +226,12 @@ char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) {
/* Rewrite argv for Wine+QEMU. */
char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) {
char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
char** new_argv = ck_alloc(sizeof(char*) * (argc + 3));
u8 * tmp, *cp = NULL, *rsl, *own_copy;
char **new_argv = ck_alloc(sizeof(char *) * (argc + 3));
u8 *tmp, *cp = NULL, *rsl, *own_copy;
memcpy(new_argv + 2, argv + 1, (int)(sizeof(char*)) * argc);
memcpy(new_argv + 2, argv + 1, (int)(sizeof(char *)) * argc);
new_argv[1] = *target_path_p;
@ -285,7 +285,7 @@ char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) {
ck_free(own_copy);
u8* ncp = BIN_PATH "/afl-qemu-trace";
u8 *ncp = BIN_PATH "/afl-qemu-trace";
if (!access(ncp, X_OK)) {
@ -322,10 +322,10 @@ char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) {
}
void check_environment_vars(char** envp) {
void check_environment_vars(char **envp) {
int index = 0, found = 0;
char* env;
char *env;
while ((env = envp[index++]) != NULL) {
if (strncmp(env, "ALF_", 4) == 0) {
@ -358,9 +358,9 @@ void check_environment_vars(char** envp) {
}
char* get_afl_env(char* env) {
char *get_afl_env(char *env) {
char* val;
char *val;
if ((val = getenv(env)) != NULL)
if (!be_quiet)

1
src/afl-forkserver.c
View File

@ -331,6 +331,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) {
rlen = read(fsrv->fsrv_st_fd, &status, 4);
}
} else {
rlen = read(fsrv->fsrv_st_fd, &status, 4);

76
src/afl-fuzz-bitmap.c
View File

@ -29,9 +29,9 @@
-B option, to focus a separate fuzzing session on a particular
interesting input without rediscovering all the others. */
void write_bitmap(afl_state_t* afl) {
void write_bitmap(afl_state_t *afl) {
u8* fname;
u8 *fname;
s32 fd;
if (!afl->bitmap_changed) return;
@ -51,7 +51,7 @@ void write_bitmap(afl_state_t* afl) {
/* Read bitmap from file. This is for the -B option again. */
void read_bitmap(afl_state_t* afl, u8* fname) {
void read_bitmap(afl_state_t *afl, u8 *fname) {
s32 fd = open(fname, O_RDONLY);
@ -71,19 +71,19 @@ void read_bitmap(afl_state_t* afl, u8* fname) {
This function is called after every exec() on a fairly large buffer, so
it needs to be fast. We do this in 32-bit and 64-bit flavors. */
u8 has_new_bits(afl_state_t* afl, u8* virgin_map) {
u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
#ifdef WORD_SIZE_64
u64* current = (u64*)afl->fsrv.trace_bits;
u64* virgin = (u64*)virgin_map;
u64 *current = (u64 *)afl->fsrv.trace_bits;
u64 *virgin = (u64 *)virgin_map;
u32 i = (MAP_SIZE >> 3);
#else
u32* current = (u32*)afl->fsrv.trace_bits;
u32* virgin = (u32*)virgin_map;
u32 *current = (u32 *)afl->fsrv.trace_bits;
u32 *virgin = (u32 *)virgin_map;
u32 i = (MAP_SIZE >> 2);
@ -101,8 +101,8 @@ u8 has_new_bits(afl_state_t* afl, u8* virgin_map) {
if (likely(ret < 2)) {
u8* cur = (u8*)current;
u8* vir = (u8*)virgin;
u8 *cur = (u8 *)current;
u8 *vir = (u8 *)virgin;
/* Looks like we have not found any new bytes yet; see if any non-zero
bytes in current[] are pristine in virgin[]. */
@ -147,9 +147,9 @@ u8 has_new_bits(afl_state_t* afl, u8* virgin_map) {
/* Count the number of bits set in the provided bitmap. Used for the status
screen several times every second, does not have to be fast. */
u32 count_bits(u8* mem) {
u32 count_bits(u8 *mem) {
u32* ptr = (u32*)mem;
u32 *ptr = (u32 *)mem;
u32 i = (MAP_SIZE >> 2);
u32 ret = 0;
@ -183,9 +183,9 @@ u32 count_bits(u8* mem) {
mostly to update the status screen or calibrate and examine confirmed
new paths. */
u32 count_bytes(u8* mem) {
u32 count_bytes(u8 *mem) {
u32* ptr = (u32*)mem;
u32 *ptr = (u32 *)mem;
u32 i = (MAP_SIZE >> 2);
u32 ret = 0;
@ -208,9 +208,9 @@ u32 count_bytes(u8* mem) {
/* Count the number of non-255 bytes set in the bitmap. Used strictly for the
status screen, several calls per second or so. */
u32 count_non_255_bytes(u8* mem) {
u32 count_non_255_bytes(u8 *mem) {
u32* ptr = (u32*)mem;
u32 *ptr = (u32 *)mem;
u32 i = (MAP_SIZE >> 2);
u32 ret = 0;
@ -246,7 +246,7 @@ const u8 simplify_lookup[256] = {
#ifdef WORD_SIZE_64
void simplify_trace(u64* mem) {
void simplify_trace(u64 *mem) {
u32 i = MAP_SIZE >> 3;
@ -256,7 +256,7 @@ void simplify_trace(u64* mem) {
if (unlikely(*mem)) {
u8* mem8 = (u8*)mem;
u8 *mem8 = (u8 *)mem;
mem8[0] = simplify_lookup[mem8[0]];
mem8[1] = simplify_lookup[mem8[1]];
@ -279,7 +279,7 @@ void simplify_trace(u64* mem) {
#else
void simplify_trace(u32* mem) {
void simplify_trace(u32 *mem) {
u32 i = MAP_SIZE >> 2;
@ -289,7 +289,7 @@ void simplify_trace(u32* mem) {
if (unlikely(*mem)) {
u8* mem8 = (u8*)mem;
u8 *mem8 = (u8 *)mem;
mem8[0] = simplify_lookup[mem8[0]];
mem8[1] = simplify_lookup[mem8[1]];
@ -341,7 +341,7 @@ void init_count_class16(void) {
#ifdef WORD_SIZE_64
void classify_counts(u64* mem) {
void classify_counts(u64 *mem) {
u32 i = MAP_SIZE >> 3;
@ -351,7 +351,7 @@ void classify_counts(u64* mem) {
if (unlikely(*mem)) {
u16* mem16 = (u16*)mem;
u16 *mem16 = (u16 *)mem;
mem16[0] = count_class_lookup16[mem16[0]];
mem16[1] = count_class_lookup16[mem16[1]];
@ -368,7 +368,7 @@ void classify_counts(u64* mem) {
#else
void classify_counts(u32* mem) {
void classify_counts(u32 *mem) {
u32 i = MAP_SIZE >> 2;
@ -378,7 +378,7 @@ void classify_counts(u32* mem) {
if (unlikely(*mem)) {
u16* mem16 = (u16*)mem;
u16 *mem16 = (u16 *)mem;
mem16[0] = count_class_lookup16[mem16[0]];
mem16[1] = count_class_lookup16[mem16[1]];
@ -397,7 +397,7 @@ void classify_counts(u32* mem) {
count information here. This is called only sporadically, for some
new paths. */
void minimize_bits(u8* dst, u8* src) {
void minimize_bits(u8 *dst, u8 *src) {
u32 i = 0;
@ -415,9 +415,9 @@ void minimize_bits(u8* dst, u8* src) {
/* Construct a file name for a new test case, capturing the operation
that led to its discovery. Uses a static buffer. */
u8* describe_op(afl_state_t* afl, u8 hnb) {
u8 *describe_op(afl_state_t *afl, u8 hnb) {
u8* ret = afl->describe_op_buf_256;
u8 *ret = afl->describe_op_buf_256;
if (afl->syncing_party) {
@ -459,11 +459,11 @@ u8* describe_op(afl_state_t* afl, u8 hnb) {
/* Write a message accompanying the crash directory :-) */
static void write_crash_readme(afl_state_t* afl) {
static void write_crash_readme(afl_state_t *afl) {
u8* fn = alloc_printf("%s/crashes/README.txt", afl->out_dir);
s32 fd;
FILE* f;
u8 *fn = alloc_printf("%s/crashes/README.txt", afl->out_dir);
s32 fd;
FILE *f;
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
ck_free(fn);
@ -511,11 +511,11 @@ static void write_crash_readme(afl_state_t* afl) {
save or queue the input test case for further analysis if so. Returns 1 if
entry is saved, 0 otherwise. */
u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) {
u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (len == 0) return 0;
u8* fn = "";
u8 *fn = "";
u8 hnb;
s32 fd;
u8 keeping = 0, res;
@ -523,7 +523,7 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) {
/* Update path frequency. */
u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST);
struct queue_entry* q = afl->queue;
struct queue_entry *q = afl->queue;
while (q) {
if (q->exec_cksum == cksum) {
@ -603,9 +603,9 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) {
if (!afl->dumb_mode) {
#ifdef WORD_SIZE_64
simplify_trace((u64*)afl->fsrv.trace_bits);
simplify_trace((u64 *)afl->fsrv.trace_bits);
#else
simplify_trace((u32*)afl->fsrv.trace_bits);
simplify_trace((u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */
if (!has_new_bits(afl, afl->virgin_tmout)) return keeping;
@ -666,9 +666,9 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) {
if (!afl->dumb_mode) {
#ifdef WORD_SIZE_64
simplify_trace((u64*)afl->fsrv.trace_bits);
simplify_trace((u64 *)afl->fsrv.trace_bits);
#else
simplify_trace((u32*)afl->fsrv.trace_bits);
simplify_trace((u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */
if (!has_new_bits(afl, afl->virgin_crash)) return keeping;

4
src/afl-fuzz-cmplog.c
View File

@ -190,7 +190,8 @@ void init_cmplog_forkserver(afl_state_t *afl) {
timeout.tv_sec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) / 1000);
timeout.tv_usec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) % 1000) * 1000;
int sret = select(afl->cmplog_fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout);
int sret =
select(afl->cmplog_fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout);
if (sret == 0) {
@ -201,6 +202,7 @@ void init_cmplog_forkserver(afl_state_t *afl) {
rlen = read(afl->cmplog_fsrv_st_fd, &status, 4);
}
} else {
rlen = read(afl->cmplog_fsrv_st_fd, &status, 4);

58
src/afl-fuzz-extras.c
View File

@ -27,17 +27,19 @@
/* Helper function for load_extras. */
static int compare_extras_len(const void* p1, const void* p2) {
static int compare_extras_len(const void *p1, const void *p2) {
struct extra_data *e1 = (struct extra_data*)p1, *e2 = (struct extra_data*)p2;
struct extra_data *e1 = (struct extra_data *)p1,
*e2 = (struct extra_data *)p2;
return e1->len - e2->len;
}
static int compare_extras_use_d(const void* p1, const void* p2) {
static int compare_extras_use_d(const void *p1, const void *p2) {
struct extra_data *e1 = (struct extra_data*)p1, *e2 = (struct extra_data*)p2;
struct extra_data *e1 = (struct extra_data *)p1,
*e2 = (struct extra_data *)p2;
return e2->hit_cnt - e1->hit_cnt;
@ -45,13 +47,13 @@ static int compare_extras_use_d(const void* p1, const void* p2) {
/* Read extras from a file, sort by size. */
void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len,
void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
u32 dict_level) {
FILE* f;
u8 buf[MAX_LINE];
u8* lptr;
u32 cur_line = 0;
FILE *f;
u8 buf[MAX_LINE];
u8 *lptr;
u32 cur_line = 0;
f = fopen(fname, "r");
@ -128,7 +130,7 @@ void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len,
while (*lptr) {
char* hexdigits = "0123456789abcdef";
char *hexdigits = "0123456789abcdef";
switch (*lptr) {
@ -184,12 +186,12 @@ void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len,
/* Read extras from the extras directory and sort them by size. */
void load_extras(afl_state_t* afl, u8* dir) {
void load_extras(afl_state_t *afl, u8 *dir) {
DIR* d;
struct dirent* de;
u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0;
u8* x;
DIR *d;
struct dirent *de;
u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0;
u8 *x;
/* If the name ends with @, extract level and continue. */
@ -222,8 +224,8 @@ void load_extras(afl_state_t* afl, u8* dir) {
while ((de = readdir(d))) {
struct stat st;
u8* fn = alloc_printf("%s/%s", dir, de->d_name);
s32 fd;
u8 *fn = alloc_printf("%s/%s", dir, de->d_name);
s32 fd;
if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn);
@ -285,7 +287,7 @@ check_and_sort:
/* Helper function for maybe_add_auto(afl, ) */
static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) {
static inline u8 memcmp_nocase(u8 *m1, u8 *m2, u32 len) {
while (len--)
if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1;
@ -295,7 +297,7 @@ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) {
/* Maybe add automatic extra. */
void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) {
void maybe_add_auto(afl_state_t *afl, u8 *mem, u32 len) {
u32 i;
@ -317,8 +319,8 @@ void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) {
i = sizeof(interesting_16) >> 1;
while (i--)
if (*((u16*)mem) == interesting_16[i] ||
*((u16*)mem) == SWAP16(interesting_16[i]))
if (*((u16 *)mem) == interesting_16[i] ||
*((u16 *)mem) == SWAP16(interesting_16[i]))
return;
}
@ -328,8 +330,8 @@ void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) {
i = sizeof(interesting_32) >> 2;
while (i--)
if (*((u32*)mem) == interesting_32[i] ||
*((u32*)mem) == SWAP32(interesting_32[i]))
if (*((u32 *)mem) == interesting_32[i] ||
*((u32 *)mem) == SWAP32(interesting_32[i]))
return;
}
@ -402,7 +404,7 @@ sort_a_extras:
/* Save automatically generated extras. */
void save_auto(afl_state_t* afl) {
void save_auto(afl_state_t *afl) {
u32 i;
@ -411,7 +413,7 @@ void save_auto(afl_state_t* afl) {
for (i = 0; i < MIN(USE_AUTO_EXTRAS, afl->a_extras_cnt); ++i) {
u8* fn =
u8 *fn =
alloc_printf("%s/queue/.state/auto_extras/auto_%06u", afl->out_dir, i);
s32 fd;
@ -430,14 +432,14 @@ void save_auto(afl_state_t* afl) {
/* Load automatically generated extras. */
void load_auto(afl_state_t* afl) {
void load_auto(afl_state_t *afl) {
u32 i;
for (i = 0; i < USE_AUTO_EXTRAS; ++i) {
u8 tmp[MAX_AUTO_EXTRA + 1];
u8* fn = alloc_printf("%s/.state/auto_extras/auto_%06u", afl->in_dir, i);
u8 *fn = alloc_printf("%s/.state/auto_extras/auto_%06u", afl->in_dir, i);
s32 fd, len;
fd = open(fn, O_RDONLY, 0600);
@ -474,7 +476,7 @@ void load_auto(afl_state_t* afl) {
/* Destroy extras. */
void destroy_extras(afl_state_t* afl) {
void destroy_extras(afl_state_t *afl) {
u32 i;

156
src/afl-fuzz-init.c
View File

@ -30,12 +30,12 @@
/* Build a list of processes bound to specific cores. Returns -1 if nothing
can be found. Assumes an upper bound of 4k CPUs. */
void bind_to_free_cpu(afl_state_t* afl) {
void bind_to_free_cpu(afl_state_t *afl) {
#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)
cpu_set_t c;
#elif defined(__NetBSD__)
cpuset_t* c;
cpuset_t *c;
#endif
u8 cpu_used[4096] = {0};
@ -51,8 +51,8 @@ void bind_to_free_cpu(afl_state_t* afl) {
}
#if defined(__linux__)
DIR* d;
struct dirent* de;
DIR *d;
struct dirent *de;
d = opendir("/proc");
if (!d) {
@ -76,8 +76,8 @@ void bind_to_free_cpu(afl_state_t* afl) {
while ((de = readdir(d))) {
u8* fn;
FILE* f;
u8 *fn;
FILE *f;
u8 tmp[MAX_LINE];
u8 has_vmsize = 0;
@ -118,7 +118,7 @@ void bind_to_free_cpu(afl_state_t* afl) {
closedir(d);
#elif defined(__FreeBSD__) || defined(__DragonFly__)
struct kinfo_proc* procs;
struct kinfo_proc *procs;
size_t nprocs;
size_t proccount;
int s_name[] = {CTL_KERN, KERN_PROC, KERN_PROC_ALL};
@ -151,7 +151,7 @@ void bind_to_free_cpu(afl_state_t* afl) {
ck_free(procs);
#elif defined(__NetBSD__)
struct kinfo_proc2* procs;
struct kinfo_proc2 *procs;
size_t nprocs;
size_t proccount;
int s_name[] = {
@ -272,11 +272,11 @@ cpuset_destroy(c);
/* Load postprocessor, if available. */
void setup_post(afl_state_t* afl) {
void setup_post(afl_state_t *afl) {
void* dh;
u8* fn = get_afl_env("AFL_POST_LIBRARY");
u32 tlen = 6;
void *dh;
u8 *fn = get_afl_env("AFL_POST_LIBRARY");
u32 tlen = 6;
if (!fn) return;
@ -298,14 +298,14 @@ void setup_post(afl_state_t* afl) {
/* Shuffle an array of pointers. Might be slightly biased. */
static void shuffle_ptrs(afl_state_t* afl, void** ptrs, u32 cnt) {
static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) {
u32 i;
for (i = 0; i < cnt - 2; ++i) {
u32 j = i + UR(afl, cnt - i);
void* s = ptrs[i];
void *s = ptrs[i];
ptrs[i] = ptrs[j];
ptrs[j] = s;
@ -316,12 +316,12 @@ static void shuffle_ptrs(afl_state_t* afl, void** ptrs, u32 cnt) {
/* Read all testcases from the input directory, then queue them for testing.
Called at startup. */
void read_testcases(afl_state_t* afl) {
void read_testcases(afl_state_t *afl) {
struct dirent** nl;
s32 nl_cnt;
u32 i;
u8* fn1;
struct dirent **nl;
s32 nl_cnt;
u32 i;
u8 *fn1;
/* Auto-detect non-in-place resumption attempts. */
@ -359,7 +359,7 @@ void read_testcases(afl_state_t* afl) {
if (afl->shuffle_queue && nl_cnt > 1) {
ACTF("Shuffling queue...");
shuffle_ptrs(afl, (void**)nl, nl_cnt);
shuffle_ptrs(afl, (void **)nl, nl_cnt);
}
@ -367,8 +367,8 @@ void read_testcases(afl_state_t* afl) {
struct stat st;
u8* fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name);
u8* dfn = alloc_printf("%s/.state/deterministic_done/%s", afl->in_dir,
u8 *fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name);
u8 *dfn = alloc_printf("%s/.state/deterministic_done/%s", afl->in_dir,
nl[i]->d_name);
u8 passed_det = 0;
@ -428,7 +428,7 @@ void read_testcases(afl_state_t* afl) {
/* Examine map coverage. Called once, for first test case. */
static void check_map_coverage(afl_state_t* afl) {
static void check_map_coverage(afl_state_t *afl) {
u32 i;
@ -444,19 +444,19 @@ static void check_map_coverage(afl_state_t* afl) {
/* Perform dry run of all test cases to confirm that the app is working as
expected. This is done only for the initial inputs, and only once. */
void perform_dry_run(afl_state_t* afl) {
void perform_dry_run(afl_state_t *afl) {
struct queue_entry* q = afl->queue;
u32 cal_failures = 0;
u8* skip_crashes = get_afl_env("AFL_SKIP_CRASHES");
struct queue_entry *q = afl->queue;
u32 cal_failures = 0;
u8 *skip_crashes = get_afl_env("AFL_SKIP_CRASHES");
while (q) {
u8* use_mem;
u8 *use_mem;
u8 res;
s32 fd;
u8* fn = strrchr(q->fname, '/') + 1;
u8 *fn = strrchr(q->fname, '/') + 1;
ACTF("Attempting dry run with '%s'...", fn);
@ -673,11 +673,11 @@ void perform_dry_run(afl_state_t* afl) {
/* Helper function: link() if possible, copy otherwise. */
static void link_or_copy(u8* old_path, u8* new_path) {
static void link_or_copy(u8 *old_path, u8 *new_path) {
s32 i = link(old_path, new_path);
s32 sfd, dfd;
u8* tmp;
u8 *tmp;
if (!i) return;
@ -703,9 +703,9 @@ static void link_or_copy(u8* old_path, u8* new_path) {
/* Create hard links for input test cases in the output directory, choosing
good names and pivoting accordingly. */
void pivot_inputs(afl_state_t* afl) {
void pivot_inputs(afl_state_t *afl) {
struct queue_entry* q = afl->queue;
struct queue_entry *q = afl->queue;
u32 id = 0;
ACTF("Creating hard links for all input files...");
@ -727,7 +727,7 @@ void pivot_inputs(afl_state_t* afl) {
if (!strncmp(rsl, CASE_PREFIX, 3) &&
sscanf(rsl + 3, "%06u", &orig_id) == 1 && orig_id == id) {
u8* src_str;
u8 *src_str;
u32 src_id;
afl->resuming_fuzz = 1;
@ -740,7 +740,7 @@ void pivot_inputs(afl_state_t* afl) {
if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
struct queue_entry* s = afl->queue;
struct queue_entry *s = afl->queue;
while (src_id-- && s)
s = s->next;
if (s) q->depth = s->depth + 1;
@ -756,7 +756,7 @@ void pivot_inputs(afl_state_t* afl) {
#ifndef SIMPLE_FILES
u8* use_name = strstr(rsl, ",orig:");
u8 *use_name = strstr(rsl, ",orig:");
if (use_name)
use_name += 6;
@ -795,7 +795,7 @@ void pivot_inputs(afl_state_t* afl) {
/* When resuming, try to find the queue position to start from. This makes sense
only when resuming, and when we can find the original fuzzer_stats. */
u32 find_start_position(afl_state_t* afl) {
u32 find_start_position(afl_state_t *afl) {
static u8 tmp[4096]; /* Ought to be enough for anybody. */
@ -832,7 +832,7 @@ u32 find_start_position(afl_state_t* afl) {
-t given, we don't want to keep auto-scaling the timeout over and over
again to prevent it from growing due to random flukes. */
void find_timeout(afl_state_t* afl) {
void find_timeout(afl_state_t *afl) {
static u8 tmp[4096]; /* Ought to be enough for anybody. */
@ -870,10 +870,10 @@ void find_timeout(afl_state_t* afl) {
/* A helper function for handle_existing_out_dir(), deleting all prefixed
files in a directory. */
static u8 delete_files(u8* path, u8* prefix) {
static u8 delete_files(u8 *path, u8 *prefix) {
DIR* d;
struct dirent* d_ent;
DIR *d;
struct dirent *d_ent;
d = opendir(path);
@ -884,7 +884,7 @@ static u8 delete_files(u8* path, u8* prefix) {
if (d_ent->d_name[0] != '.' &&
(!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) {
u8* fname = alloc_printf("%s/%s", path, d_ent->d_name);
u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name);
if (unlink(fname)) PFATAL("Unable to delete '%s'", fname);
ck_free(fname);
@ -919,7 +919,7 @@ double get_runnable_processes(void) {
computed in funny ways and sometimes don't reflect extremely short-lived
processes well. */
FILE* f = fopen("/proc/stat", "r");
FILE *f = fopen("/proc/stat", "r");
u8 tmp[1024];
u32 val = 0;
@ -954,9 +954,9 @@ double get_runnable_processes(void) {
/* Delete the temporary directory used for in-place session resume. */
void nuke_resume_dir(afl_state_t* afl) {
void nuke_resume_dir(afl_state_t *afl) {
u8* fn;
u8 *fn;
fn = alloc_printf("%s/_resume/.state/deterministic_done", afl->out_dir);
if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed;
@ -994,10 +994,10 @@ dir_cleanup_failed:
is not currently running, and if the last run time isn't too great.
Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */
static void handle_existing_out_dir(afl_state_t* afl) {
static void handle_existing_out_dir(afl_state_t *afl) {
FILE* f;
u8* fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
FILE *f;
u8 *fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
/* See if the output directory is locked. If yes, bail out. If not,
create a lock that will persist for the lifetime of the process
@ -1084,7 +1084,7 @@ static void handle_existing_out_dir(afl_state_t* afl) {
if (afl->in_place_resume) {
u8* orig_q = alloc_printf("%s/queue", afl->out_dir);
u8 *orig_q = alloc_printf("%s/queue", afl->out_dir);
afl->in_dir = alloc_printf("%s/_resume", afl->out_dir);
@ -1161,17 +1161,17 @@ static void handle_existing_out_dir(afl_state_t* afl) {
if (afl->in_place_resume && rmdir(fn)) {
time_t cur_t = time(0);
struct tm* t = localtime(&cur_t);
struct tm *t = localtime(&cur_t);
#ifndef SIMPLE_FILES
u8* nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn,
u8 *nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn,
t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
t->tm_hour, t->tm_min, t->tm_sec);
#else
u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900,
u8 *nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900,
t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min,
t->tm_sec);
@ -1192,17 +1192,17 @@ static void handle_existing_out_dir(afl_state_t* afl) {
if (afl->in_place_resume && rmdir(fn)) {
time_t cur_t = time(0);
struct tm* t = localtime(&cur_t);
struct tm *t = localtime(&cur_t);
#ifndef SIMPLE_FILES
u8* nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn,
u8 *nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn,
t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
t->tm_hour, t->tm_min, t->tm_sec);
#else
u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900,
u8 *nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900,
t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min,
t->tm_sec);
@ -1278,9 +1278,9 @@ dir_cleanup_failed:
/* Prepare output directories and fds. */
void setup_dirs_fds(afl_state_t* afl) {
void setup_dirs_fds(afl_state_t *afl) {
u8* tmp;
u8 *tmp;
s32 fd;
ACTF("Setting up output directories...");
@ -1402,13 +1402,13 @@ void setup_dirs_fds(afl_state_t* afl) {
}
void setup_cmdline_file(afl_state_t* afl, char** argv) {
void setup_cmdline_file(afl_state_t *afl, char **argv) {
u8* tmp;
u8 *tmp;
s32 fd;
u32 i = 0;
FILE* cmdline_file = NULL;
FILE *cmdline_file = NULL;
/* Store the command line to reproduce our findings */
tmp = alloc_printf("%s/cmdline", afl->out_dir);
@ -1432,9 +1432,9 @@ void setup_cmdline_file(afl_state_t* afl, char** argv) {
/* Setup the output file for fuzzed data, if not using -f. */
void setup_stdio_file(afl_state_t* afl) {
void setup_stdio_file(afl_state_t *afl) {
u8* fn;
u8 *fn;
if (afl->file_extension) {
fn = alloc_printf("%s/.cur_input.%s", afl->tmp_dir, afl->file_extension);
@ -1531,10 +1531,10 @@ void check_crash_handling(void) {
/* Check CPU governor. */
void check_cpu_governor(afl_state_t* afl) {
void check_cpu_governor(afl_state_t *afl) {
#ifdef __linux__
FILE* f;
FILE *f;
u8 tmp[128];
u64 min = 0, max = 0;
@ -1654,7 +1654,7 @@ void check_cpu_governor(afl_state_t* afl) {
/* Count the number of logical CPU cores. */
void get_core_count(afl_state_t* afl) {
void get_core_count(afl_state_t *afl) {
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
defined(__DragonFly__)
@ -1684,7 +1684,7 @@ void get_core_count(afl_state_t* afl) {
#else
FILE* f = fopen("/proc/stat", "r");
FILE *f = fopen("/proc/stat", "r");
u8 tmp[1024];
if (!f) return;
@ -1742,9 +1742,9 @@ void get_core_count(afl_state_t* afl) {
/* Validate and fix up afl->out_dir and sync_dir when using -S. */
void fix_up_sync(afl_state_t* afl) {
void fix_up_sync(afl_state_t *afl) {
u8* x = afl->sync_id;
u8 *x = afl->sync_id;
if (afl->dumb_mode) FATAL("-S / -M and -n are mutually exclusive");
@ -1793,7 +1793,7 @@ static void handle_resize(int sig) {
void check_asan_opts(void) {
u8* x = get_afl_env("ASAN_OPTIONS");
u8 *x = get_afl_env("ASAN_OPTIONS");
if (x) {
@ -1849,13 +1849,13 @@ static void handle_skipreq(int sig) {
isn't a shell script - a common and painful mistake. We also check for
a valid ELF header and for evidence of AFL instrumentation. */
void check_binary(afl_state_t* afl, u8* fname) {
void check_binary(afl_state_t *afl, u8 *fname) {
u8* env_path = 0;
u8 *env_path = 0;
struct stat st;
s32 fd;
u8* f_data;
u8 *f_data;
u32 f_len = 0;
ACTF("Validating target binary...");
@ -2042,7 +2042,7 @@ void check_binary(afl_state_t* afl, u8* fname) {
/* Trim and possibly create a banner for the run. */
void fix_up_banner(afl_state_t* afl, u8* name) {
void fix_up_banner(afl_state_t *afl, u8 *name) {
if (!afl->use_banner) {
@ -2052,7 +2052,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) {
} else {
u8* trim = strrchr(name, '/');
u8 *trim = strrchr(name, '/');
if (!trim)
afl->use_banner = name;
else
@ -2064,7 +2064,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) {
if (strlen(afl->use_banner) > 32) {
u8* tmp = ck_alloc(36);
u8 *tmp = ck_alloc(36);
sprintf(tmp, "%.32s...", afl->use_banner);
afl->use_banner = tmp;
@ -2074,7 +2074,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) {
/* Check if we're on TTY. */
void check_if_tty(afl_state_t* afl) {
void check_if_tty(afl_state_t *afl) {
struct winsize ws;
@ -2148,10 +2148,10 @@ void setup_signal_handlers(void) {
/* Make a copy of the current command line. */
void save_cmdline(afl_state_t* afl, u32 argc, char** argv) {
void save_cmdline(afl_state_t *afl, u32 argc, char **argv) {
u32 len = 1, i;
u8* buf;
u8 *buf;
for (i = 0; i < argc; ++i)
len += strlen(argv[i]) + 1;

8
src/afl-fuzz-misc.c
View File

@ -29,7 +29,7 @@
returned should be five characters or less for all the integers we reasonably
expect to see. */
u8* DI(u64 val) {
u8 *DI(u64 val) {
static u8 tmp[12][16];
static u8 cur;
@ -90,7 +90,7 @@ u8* DI(u64 val) {
/* Describe float. Similar to the above, except with a single
static buffer. */
u8* DF(double val) {
u8 *DF(double val) {
static u8 tmp[16];
@ -114,7 +114,7 @@ u8* DF(double val) {
/* Describe integer as memory size. */
u8* DMS(u64 val) {
u8 *DMS(u64 val) {
static u8 tmp[12][16];
static u8 cur;
@ -164,7 +164,7 @@ u8* DMS(u64 val) {
/* Describe time delta. Returns one static buffer, 34 chars of less. */
u8* DTD(u64 cur_ms, u64 event_ms) {
u8 *DTD(u64 cur_ms, u64 event_ms) {
static u8 tmp[64];
u64 delta;

24
src/afl-fuzz-mutators.c
View File

@ -25,15 +25,15 @@
#include "afl-fuzz.h"
void load_custom_mutator(afl_state_t*, const char*);
void load_custom_mutator(afl_state_t *, const char *);
#ifdef USE_PYTHON
void load_custom_mutator_py(afl_state_t*, const char*);
void load_custom_mutator_py(afl_state_t *, const char *);
#endif
void setup_custom_mutator(afl_state_t* afl) {
void setup_custom_mutator(afl_state_t *afl) {
/* Try mutator library first */
u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY");
u8 *fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY");
if (fn) {
@ -51,7 +51,7 @@ void setup_custom_mutator(afl_state_t* afl) {
/* Try Python module */
#ifdef USE_PYTHON
u8* module_name = getenv("AFL_PYTHON_MODULE");
u8 *module_name = getenv("AFL_PYTHON_MODULE");
if (module_name) {
@ -75,7 +75,7 @@ void setup_custom_mutator(afl_state_t* afl) {
}
void destroy_custom_mutator(afl_state_t* afl) {
void destroy_custom_mutator(afl_state_t *afl) {
if (afl->mutator) {
@ -96,9 +96,9 @@ void destroy_custom_mutator(afl_state_t* afl) {
}
void load_custom_mutator(afl_state_t* afl, const char* fn) {
void load_custom_mutator(afl_state_t *afl, const char *fn) {
void* dh;
void *dh;
afl->mutator = ck_alloc(sizeof(struct custom_mutator));
afl->mutator->name = fn;
@ -190,7 +190,7 @@ void load_custom_mutator(afl_state_t* afl, const char* fn) {
}
u8 trim_case_custom(afl_state_t* afl, struct queue_entry* q, u8* in_buf) {
u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
static u8 tmp[64];
static u8 clean_trace[MAP_SIZE];
@ -216,7 +216,7 @@ u8 trim_case_custom(afl_state_t* afl, struct queue_entry* q, u8* in_buf) {
u32 cksum;
u8* retbuf = NULL;
u8 *retbuf = NULL;
size_t retlen = 0;
afl->mutator->afl_custom_trim(afl, &retbuf, &retlen);
@ -312,9 +312,9 @@ abort_trimming:
}
#ifdef USE_PYTHON
void load_custom_mutator_py(afl_state_t* afl, const char* module_name) {
void load_custom_mutator_py(afl_state_t *afl, const char *module_name) {
PyObject** py_functions = afl->py_functions;
PyObject **py_functions = afl->py_functions;
afl->mutator = ck_alloc(sizeof(struct custom_mutator));

218
src/afl-fuzz-one.c
View File

@ -27,7 +27,7 @@
/* MOpt */
int select_algorithm(afl_state_t* afl) {
int select_algorithm(afl_state_t *afl) {
int i_puppet, j_puppet;
@ -62,7 +62,7 @@ int select_algorithm(afl_state_t* afl) {
/* Helper to choose random block len for block operations in fuzz_one().
Doesn't return zero, provided that max_len is > 0. */
static u32 choose_block_len(afl_state_t* afl, u32 limit) {
static u32 choose_block_len(afl_state_t *afl, u32 limit) {
u32 min_value, max_value;
u32 rlim = MIN(afl->queue_cycle, 3);
@ -305,7 +305,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) {
/* Helper function to compare buffers; returns first and last differing offset.
We use this to find reasonable locations for splicing two files. */
static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) {
static void locate_diffs(u8 *ptr1, u8 *ptr2, u32 len, s32 *first, s32 *last) {
s32 f_loc = -1;
s32 l_loc = -1;
@ -335,7 +335,7 @@ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) {
function is a tad too long... returns 0 if fuzzed successfully, 1 if
skipped or bailed out. */
u8 fuzz_one_original(afl_state_t* afl) {
u8 fuzz_one_original(afl_state_t *afl) {
s32 len, fd, temp_len, i, j;
u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0;
@ -538,7 +538,7 @@ u8 fuzz_one_original(afl_state_t* afl) {
#define FLIP_BIT(_ar, _b) \
do { \
\
u8* _arf = (u8*)(_ar); \
u8 *_arf = (u8 *)(_ar); \
u32 _bf = (_b); \
_arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \
\
@ -820,12 +820,12 @@ u8 fuzz_one_original(afl_state_t* afl) {
afl->stage_cur_byte = i;
*(u16*)(out_buf + i) ^= 0xFFFF;
*(u16 *)(out_buf + i) ^= 0xFFFF;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
*(u16*)(out_buf + i) ^= 0xFFFF;
*(u16 *)(out_buf + i) ^= 0xFFFF;
}
@ -858,12 +858,12 @@ u8 fuzz_one_original(afl_state_t* afl) {
afl->stage_cur_byte = i;
*(u32*)(out_buf + i) ^= 0xFFFFFFFF;
*(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
*(u32*)(out_buf + i) ^= 0xFFFFFFFF;
*(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
}
@ -963,7 +963,7 @@ skip_bitflip:
for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16*)(out_buf + i);
u16 orig = *(u16 *)(out_buf + i);
/* Let's consult the effector map... */
@ -992,7 +992,7 @@ skip_bitflip:
if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) {
afl->stage_cur_val = j;
*(u16*)(out_buf + i) = orig + j;
*(u16 *)(out_buf + i) = orig + j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1004,7 +1004,7 @@ skip_bitflip:
if ((orig & 0xff) < j && !could_be_bitflip(r2)) {
afl->stage_cur_val = -j;
*(u16*)(out_buf + i) = orig - j;
*(u16 *)(out_buf + i) = orig - j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1020,7 +1020,7 @@ skip_bitflip:
if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) {
afl->stage_cur_val = j;
*(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j);
*(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1032,7 +1032,7 @@ skip_bitflip:
if ((orig >> 8) < j && !could_be_bitflip(r4)) {
afl->stage_cur_val = -j;
*(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j);
*(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1041,7 +1041,7 @@ skip_bitflip:
--afl->stage_max;
*(u16*)(out_buf + i) = orig;
*(u16 *)(out_buf + i) = orig;
}
@ -1065,7 +1065,7 @@ skip_bitflip:
for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32*)(out_buf + i);
u32 orig = *(u32 *)(out_buf + i);
/* Let's consult the effector map... */
@ -1093,7 +1093,7 @@ skip_bitflip:
if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {
afl->stage_cur_val = j;
*(u32*)(out_buf + i) = orig + j;
*(u32 *)(out_buf + i) = orig + j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1105,7 +1105,7 @@ skip_bitflip:
if ((orig & 0xffff) < j && !could_be_bitflip(r2)) {
afl->stage_cur_val = -j;
*(u32*)(out_buf + i) = orig - j;
*(u32 *)(out_buf + i) = orig - j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1121,7 +1121,7 @@ skip_bitflip:
if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) {
afl->stage_cur_val = j;
*(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j);
*(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1133,7 +1133,7 @@ skip_bitflip:
if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) {
afl->stage_cur_val = -j;
*(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j);
*(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1142,7 +1142,7 @@ skip_bitflip:
--afl->stage_max;
*(u32*)(out_buf + i) = orig;
*(u32 *)(out_buf + i) = orig;
}
@ -1227,7 +1227,7 @@ skip_arith:
for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16*)(out_buf + i);
u16 orig = *(u16 *)(out_buf + i);
/* Let's consult the effector map... */
@ -1253,7 +1253,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_LE;
*(u16*)(out_buf + i) = interesting_16[j];
*(u16 *)(out_buf + i) = interesting_16[j];
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1269,7 +1269,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE;
*(u16*)(out_buf + i) = SWAP16(interesting_16[j]);
*(u16 *)(out_buf + i) = SWAP16(interesting_16[j]);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1279,7 +1279,7 @@ skip_arith:
}
*(u16*)(out_buf + i) = orig;
*(u16 *)(out_buf + i) = orig;
}
@ -1301,7 +1301,7 @@ skip_arith:
for (i = 0; i < len - 3; i++) {
u32 orig = *(u32*)(out_buf + i);
u32 orig = *(u32 *)(out_buf + i);
/* Let's consult the effector map... */
@ -1328,7 +1328,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_LE;
*(u32*)(out_buf + i) = interesting_32[j];
*(u32 *)(out_buf + i) = interesting_32[j];
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1344,7 +1344,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE;
*(u32*)(out_buf + i) = SWAP32(interesting_32[j]);
*(u32 *)(out_buf + i) = SWAP32(interesting_32[j]);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -1354,7 +1354,7 @@ skip_arith:
}
*(u32*)(out_buf + i) = orig;
*(u32 *)(out_buf + i) = orig;
}
@ -1565,9 +1565,9 @@ custom_mutator_stage:
for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
struct queue_entry* target;
u32 tid;
u8* new_buf;
struct queue_entry *target;
u32 tid;
u8 *new_buf;
retry_external_pick:
/* Pick a random other queue entry for passing to external API */
@ -1751,12 +1751,12 @@ havoc_stage:
if (UR(afl, 2)) {
*(u16*)(out_buf + UR(afl, temp_len - 1)) =
*(u16 *)(out_buf + UR(afl, temp_len - 1)) =
interesting_16[UR(afl, sizeof(interesting_16) >> 1)];
} else {
*(u16*)(out_buf + UR(afl, temp_len - 1)) =
*(u16 *)(out_buf + UR(afl, temp_len - 1)) =
SWAP16(interesting_16[UR(afl, sizeof(interesting_16) >> 1)]);
}
@ -1771,12 +1771,12 @@ havoc_stage:
if (UR(afl, 2)) {
*(u32*)(out_buf + UR(afl, temp_len - 3)) =
*(u32 *)(out_buf + UR(afl, temp_len - 3)) =
interesting_32[UR(afl, sizeof(interesting_32) >> 2)];
} else {
*(u32*)(out_buf + UR(afl, temp_len - 3)) =
*(u32 *)(out_buf + UR(afl, temp_len - 3)) =
SWAP32(interesting_32[UR(afl, sizeof(interesting_32) >> 2)]);
}
@ -1807,15 +1807,15 @@ havoc_stage:
u32 pos = UR(afl, temp_len - 1);
*(u16*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
*(u16 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
} else {
u32 pos = UR(afl, temp_len - 1);
u16 num = 1 + UR(afl, ARITH_MAX);
*(u16*)(out_buf + pos) =
SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num);
*(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num);
}
@ -1831,15 +1831,15 @@ havoc_stage:
u32 pos = UR(afl, temp_len - 1);
*(u16*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
*(u16 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
} else {
u32 pos = UR(afl, temp_len - 1);
u16 num = 1 + UR(afl, ARITH_MAX);
*(u16*)(out_buf + pos) =
SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num);
*(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num);
}
@ -1855,15 +1855,15 @@ havoc_stage:
u32 pos = UR(afl, temp_len - 3);
*(u32*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
*(u32 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
} else {
u32 pos = UR(afl, temp_len - 3);
u32 num = 1 + UR(afl, ARITH_MAX);
*(u32*)(out_buf + pos) =
SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num);
*(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num);
}
@ -1879,15 +1879,15 @@ havoc_stage:
u32 pos = UR(afl, temp_len - 3);
*(u32*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
*(u32 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
} else {
u32 pos = UR(afl, temp_len - 3);
u32 num = 1 + UR(afl, ARITH_MAX);
*(u32*)(out_buf + pos) =
SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num);
*(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num);
}
@ -1935,7 +1935,7 @@ havoc_stage:
u8 actually_clone = UR(afl, 4);
u32 clone_from, clone_to, clone_len;
u8* new_buf;
u8 *new_buf;
if (actually_clone) {
@ -2051,7 +2051,7 @@ havoc_stage:
case 16: {
u32 use_extra, extra_len, insert_at = UR(afl, temp_len + 1);
u8* new_buf;
u8 *new_buf;
/* Insert an extra. Do the same dice-rolling stuff as for the
previous case. */
@ -2162,10 +2162,10 @@ retry_splicing:
if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES &&
afl->queued_paths > 1 && afl->queue_cur->len > 1) {
struct queue_entry* target;
u32 tid, split_at;
u8* new_buf;
s32 f_diff, l_diff;
struct queue_entry *target;
u32 tid, split_at;
u8 *new_buf;
s32 f_diff, l_diff;
/* First of all, if we've modified in_buf for havoc, let's clean that
up... */
@ -2275,12 +2275,12 @@ radamsa_stage:
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
/* Read the additional testcase into a new buffer. */
u8* save_buf = ck_alloc_nozero(len);
u8 *save_buf = ck_alloc_nozero(len);
memcpy(save_buf, out_buf, len);
u32 max_len = len + choose_block_len(afl, HAVOC_BLK_XL);
u8* new_buf = ck_alloc_nozero(max_len);
u8* tmp_buf;
u8 *new_buf = ck_alloc_nozero(max_len);
u8 *tmp_buf;
for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
@ -2352,7 +2352,7 @@ abandon_entry:
}
/* MOpt mode */
u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) {
u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (!MOpt_globals.is_pilot_mode) {
@ -2544,7 +2544,7 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) {
#define FLIP_BIT(_ar, _b) \
do { \
\
u8* _arf = (u8*)(_ar); \
u8 *_arf = (u8 *)(_ar); \
u32 _bf = (_b); \
_arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \
\
@ -2826,12 +2826,12 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) {
afl->stage_cur_byte = i;
*(u16*)(out_buf + i) ^= 0xFFFF;
*(u16 *)(out_buf + i) ^= 0xFFFF;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
*(u16*)(out_buf + i) ^= 0xFFFF;
*(u16 *)(out_buf + i) ^= 0xFFFF;
} /* for i = 0; i < len */
@ -2864,12 +2864,12 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) {
afl->stage_cur_byte = i;
*(u32*)(out_buf + i) ^= 0xFFFFFFFF;
*(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
*(u32*)(out_buf + i) ^= 0xFFFFFFFF;
*(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
} /* for i = 0; i < len - 3 */
@ -2969,7 +2969,7 @@ skip_bitflip:
for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16*)(out_buf + i);
u16 orig = *(u16 *)(out_buf + i);
/* Let's consult the effector map... */
@ -2998,7 +2998,7 @@ skip_bitflip:
if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) {
afl->stage_cur_val = j;
*(u16*)(out_buf + i) = orig + j;
*(u16 *)(out_buf + i) = orig + j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3010,7 +3010,7 @@ skip_bitflip:
if ((orig & 0xff) < j && !could_be_bitflip(r2)) {
afl->stage_cur_val = -j;
*(u16*)(out_buf + i) = orig - j;
*(u16 *)(out_buf + i) = orig - j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3026,7 +3026,7 @@ skip_bitflip:
if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) {
afl->stage_cur_val = j;
*(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j);
*(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3038,7 +3038,7 @@ skip_bitflip:
if ((orig >> 8) < j && !could_be_bitflip(r4)) {
afl->stage_cur_val = -j;
*(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j);
*(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3047,7 +3047,7 @@ skip_bitflip:
--afl->stage_max;
*(u16*)(out_buf + i) = orig;
*(u16 *)(out_buf + i) = orig;
}
@ -3071,7 +3071,7 @@ skip_bitflip:
for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32*)(out_buf + i);
u32 orig = *(u32 *)(out_buf + i);
/* Let's consult the effector map... */
@ -3099,7 +3099,7 @@ skip_bitflip:
if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {
afl->stage_cur_val = j;
*(u32*)(out_buf + i) = orig + j;
*(u32 *)(out_buf + i) = orig + j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3111,7 +3111,7 @@ skip_bitflip:
if ((orig & 0xffff) < j && !could_be_bitflip(r2)) {
afl->stage_cur_val = -j;
*(u32*)(out_buf + i) = orig - j;
*(u32 *)(out_buf + i) = orig - j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3127,7 +3127,7 @@ skip_bitflip:
if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) {
afl->stage_cur_val = j;
*(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j);
*(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3139,7 +3139,7 @@ skip_bitflip:
if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) {
afl->stage_cur_val = -j;
*(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j);
*(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3148,7 +3148,7 @@ skip_bitflip:
--afl->stage_max;
*(u32*)(out_buf + i) = orig;
*(u32 *)(out_buf + i) = orig;
}
@ -3233,7 +3233,7 @@ skip_arith:
for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16*)(out_buf + i);
u16 orig = *(u16 *)(out_buf + i);
/* Let's consult the effector map... */
@ -3259,7 +3259,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_LE;
*(u16*)(out_buf + i) = interesting_16[j];
*(u16 *)(out_buf + i) = interesting_16[j];
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3275,7 +3275,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE;
*(u16*)(out_buf + i) = SWAP16(interesting_16[j]);
*(u16 *)(out_buf + i) = SWAP16(interesting_16[j]);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3285,7 +3285,7 @@ skip_arith:
}
*(u16*)(out_buf + i) = orig;
*(u16 *)(out_buf + i) = orig;
} /* for i = 0; i < len - 1 */
@ -3307,7 +3307,7 @@ skip_arith:
for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32*)(out_buf + i);
u32 orig = *(u32 *)(out_buf + i);
/* Let's consult the effector map... */
@ -3334,7 +3334,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_LE;
*(u32*)(out_buf + i) = interesting_32[j];
*(u32 *)(out_buf + i) = interesting_32[j];
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3350,7 +3350,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE;
*(u32*)(out_buf + i) = SWAP32(interesting_32[j]);
*(u32 *)(out_buf + i) = SWAP32(interesting_32[j]);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur;
@ -3360,7 +3360,7 @@ skip_arith:
}
*(u32*)(out_buf + i) = orig;
*(u32 *)(out_buf + i) = orig;
} /* for i = 0; i < len - 3 */
@ -3688,13 +3688,13 @@ pacemaker_fuzzing:
case 4:
if (temp_len < 8) break;
*(u16*)(out_buf + UR(afl, temp_len - 1)) ^= 0xFFFF;
*(u16 *)(out_buf + UR(afl, temp_len - 1)) ^= 0xFFFF;
MOpt_globals.cycles_v2[STAGE_FLIP16] += 1;
break;
case 5:
if (temp_len < 8) break;
*(u32*)(out_buf + UR(afl, temp_len - 3)) ^= 0xFFFFFFFF;
*(u32 *)(out_buf + UR(afl, temp_len - 3)) ^= 0xFFFFFFFF;
MOpt_globals.cycles_v2[STAGE_FLIP32] += 1;
break;
@ -3710,14 +3710,14 @@ pacemaker_fuzzing:
if (UR(afl, 2)) {
u32 pos = UR(afl, temp_len - 1);
*(u16*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
*(u16 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
} else {
u32 pos = UR(afl, temp_len - 1);
u16 num = 1 + UR(afl, ARITH_MAX);
*(u16*)(out_buf + pos) =
SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num);
*(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num);
}
@ -3725,14 +3725,14 @@ pacemaker_fuzzing:
if (UR(afl, 2)) {
u32 pos = UR(afl, temp_len - 1);
*(u16*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
*(u16 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
} else {
u32 pos = UR(afl, temp_len - 1);
u16 num = 1 + UR(afl, ARITH_MAX);
*(u16*)(out_buf + pos) =
SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num);
*(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num);
}
@ -3745,14 +3745,14 @@ pacemaker_fuzzing:
if (UR(afl, 2)) {
u32 pos = UR(afl, temp_len - 3);
*(u32*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
*(u32 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
} else {
u32 pos = UR(afl, temp_len - 3);
u32 num = 1 + UR(afl, ARITH_MAX);
*(u32*)(out_buf + pos) =
SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num);
*(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num);
}
@ -3761,14 +3761,14 @@ pacemaker_fuzzing:
if (UR(afl, 2)) {
u32 pos = UR(afl, temp_len - 3);
*(u32*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
*(u32 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
} else {
u32 pos = UR(afl, temp_len - 3);
u32 num = 1 + UR(afl, ARITH_MAX);
*(u32*)(out_buf + pos) =
SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num);
*(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num);
}
@ -3788,12 +3788,12 @@ pacemaker_fuzzing:
if (temp_len < 8) break;
if (UR(afl, 2)) {
*(u16*)(out_buf + UR(afl, temp_len - 1)) =
*(u16 *)(out_buf + UR(afl, temp_len - 1)) =
interesting_16[UR(afl, sizeof(interesting_16) >> 1)];
} else {
*(u16*)(out_buf + UR(afl, temp_len - 1)) = SWAP16(
*(u16 *)(out_buf + UR(afl, temp_len - 1)) = SWAP16(
interesting_16[UR(afl, sizeof(interesting_16) >> 1)]);
}
@ -3808,12 +3808,12 @@ pacemaker_fuzzing:
if (UR(afl, 2)) {
*(u32*)(out_buf + UR(afl, temp_len - 3)) =
*(u32 *)(out_buf + UR(afl, temp_len - 3)) =
interesting_32[UR(afl, sizeof(interesting_32) >> 2)];
} else {
*(u32*)(out_buf + UR(afl, temp_len - 3)) = SWAP32(
*(u32 *)(out_buf + UR(afl, temp_len - 3)) = SWAP32(
interesting_32[UR(afl, sizeof(interesting_32) >> 2)]);
}
@ -3865,7 +3865,7 @@ pacemaker_fuzzing:
u8 actually_clone = UR(afl, 4);
u32 clone_from, clone_to, clone_len;
u8* new_buf;
u8 *new_buf;
if (actually_clone) {
@ -4020,9 +4020,9 @@ pacemaker_fuzzing:
if (afl->use_splicing && splice_cycle++ < afl->SPLICE_CYCLES_puppet &&
afl->queued_paths > 1 && afl->queue_cur->len > 1) {
struct queue_entry* target;
struct queue_entry *target;
u32 tid, split_at;
u8* new_buf;
u8 * new_buf;
s32 f_diff, l_diff;
/* First of all, if we've modified in_buf for havoc, let's clean that
@ -4268,19 +4268,19 @@ pacemaker_fuzzing:
#undef FLIP_BIT
u8 core_fuzzing(afl_state_t* afl) {
u8 core_fuzzing(afl_state_t *afl) {
return mopt_common_fuzzing(afl, afl->mopt_globals_core);
}
u8 pilot_fuzzing(afl_state_t* afl) {
u8 pilot_fuzzing(afl_state_t *afl) {
return mopt_common_fuzzing(afl, afl->mopt_globals_pilot);
}
void pso_updating(afl_state_t* afl) {
void pso_updating(afl_state_t *afl) {
afl->g_now += 1;
if (afl->g_now > afl->g_max) afl->g_now = 0;
@ -4358,14 +4358,14 @@ void pso_updating(afl_state_t* afl) {
to fuzz_one_original. All documentation references to fuzz_one therefore
mean fuzz_one_original */
u8 fuzz_one(afl_state_t* afl) {
u8 fuzz_one(afl_state_t *afl) {
int key_val_lv = 0;
#ifdef _AFL_DOCUMENT_MUTATIONS
if (afl->do_document == 0) {
char* fn = alloc_printf("%s/mutations", afl->out_dir);
char *fn = alloc_printf("%s/mutations", afl->out_dir);
if (fn) {
afl->do_document = mkdir(fn, 0700); // if it exists we do not care

2
src/afl-fuzz-python.c
View File

@ -43,7 +43,7 @@ int init_py_module(afl_state_t *afl, u8 *module_name) {
afl->py_module = PyImport_Import(py_name);
Py_DECREF(py_name);
PyObject * py_module = afl->py_module;
PyObject *py_module = afl->py_module;
PyObject **py_functions = afl->py_functions;
if (afl->py_module != NULL) {

28
src/afl-fuzz-queue.c
View File

@ -28,9 +28,9 @@
.state file to avoid repeating deterministic fuzzing when resuming aborted
scans. */
void mark_as_det_done(afl_state_t* afl, struct queue_entry* q) {
void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) {
u8* fn = strrchr(q->fname, '/');
u8 *fn = strrchr(q->fname, '/');
s32 fd;
fn = alloc_printf("%s/queue/.state/deterministic_done/%s", afl->out_dir,
@ -49,7 +49,7 @@ void mark_as_det_done(afl_state_t* afl, struct queue_entry* q) {
/* Mark as variable. Create symlinks if possible to make it easier to examine
the files. */
void mark_as_variable(afl_state_t* afl, struct queue_entry* q) {
void mark_as_variable(afl_state_t *afl, struct queue_entry *q) {
u8 *fn = strrchr(q->fname, '/') + 1, *ldest;
@ -74,9 +74,9 @@ void mark_as_variable(afl_state_t* afl, struct queue_entry* q) {
/* Mark / unmark as redundant (edge-only). This is not used for restoring state,
but may be useful for post-processing datasets. */
void mark_as_redundant(afl_state_t* afl, struct queue_entry* q, u8 state) {
void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
u8* fn;
u8 *fn;
if (state == q->fs_redundant) return;
@ -105,9 +105,9 @@ void mark_as_redundant(afl_state_t* afl, struct queue_entry* q, u8 state) {
/* Append new test case to the queue. */
void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) {
void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
struct queue_entry* q = ck_alloc(sizeof(struct queue_entry));
struct queue_entry *q = ck_alloc(sizeof(struct queue_entry));
q->fname = fname;
q->len = len;
@ -142,7 +142,7 @@ void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) {
if (afl->mutator && afl->mutator->afl_custom_queue_new_entry) {
u8* fname_orig = NULL;
u8 *fname_orig = NULL;
/* At the initialization stage, queue_cur is NULL */
if (afl->queue_cur) fname_orig = afl->queue_cur->fname;
@ -155,7 +155,7 @@ void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) {
/* Destroy the entire queue. */
void destroy_queue(afl_state_t* afl) {
void destroy_queue(afl_state_t *afl) {
struct queue_entry *q = afl->queue, *n;
@ -182,7 +182,7 @@ void destroy_queue(afl_state_t* afl) {
previous contender, or if the contender has a more favorable speed x size
factor. */
void update_bitmap_score(afl_state_t* afl, struct queue_entry* q) {
void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u32 i;
u64 fav_factor = q->exec_us * q->len;
@ -251,9 +251,9 @@ void update_bitmap_score(afl_state_t* afl, struct queue_entry* q) {
until the next run. The favored entries are given more air time during
all fuzzing steps. */
void cull_queue(afl_state_t* afl) {
void cull_queue(afl_state_t *afl) {
struct queue_entry* q;
struct queue_entry *q;
static u8 temp_v[MAP_SIZE >> 3];
u32 i;
@ -312,7 +312,7 @@ void cull_queue(afl_state_t* afl) {
A helper function for fuzz_one(). Maybe some of these constants should
go into config.h. */
u32 calculate_score(afl_state_t* afl, struct queue_entry* q) {
u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
u32 avg_exec_us = afl->total_cal_us / afl->total_cal_cycles;
u32 avg_bitmap_size = afl->total_bitmap_size / afl->total_bitmap_entries;
@ -405,7 +405,7 @@ u32 calculate_score(afl_state_t* afl, struct queue_entry* q) {
fuzz_total = 0;
n_paths = 0;
struct queue_entry* queue_it = afl->queue;
struct queue_entry *queue_it = afl->queue;
while (queue_it) {
fuzz_total += queue_it->n_fuzz;

78
src/afl-fuzz-redqueen.c
View File

@ -33,13 +33,13 @@ struct range {
u32 start;
u32 end;
struct range* next;
struct range *next;
};
struct range* add_range(struct range* ranges, u32 start, u32 end) {
struct range *add_range(struct range *ranges, u32 start, u32 end) {
struct range* r = ck_alloc_nozero(sizeof(struct range));
struct range *r = ck_alloc_nozero(sizeof(struct range));
r->start = start;
r->end = end;
r->next = ranges;
@ -47,12 +47,12 @@ struct range* add_range(struct range* ranges, u32 start, u32 end) {
}
struct range* pop_biggest_range(struct range** ranges) {
struct range *pop_biggest_range(struct range **ranges) {
struct range* r = *ranges;
struct range* prev = NULL;
struct range* rmax = NULL;
struct range* prev_rmax = NULL;
struct range *r = *ranges;
struct range *prev = NULL;
struct range *rmax = NULL;
struct range *prev_rmax = NULL;
u32 max_size = 0;
while (r) {
@ -84,7 +84,7 @@ struct range* pop_biggest_range(struct range** ranges) {
}
static u8 get_exec_checksum(afl_state_t* afl, u8* buf, u32 len, u32* cksum) {
static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) {
if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1;
@ -93,7 +93,7 @@ static u8 get_exec_checksum(afl_state_t* afl, u8* buf, u32 len, u32* cksum) {
}
static void rand_replace(afl_state_t* afl, u8* buf, u32 len) {
static void rand_replace(afl_state_t *afl, u8 *buf, u32 len) {
u32 i;
for (i = 0; i < len; ++i)
@ -101,10 +101,10 @@ static void rand_replace(afl_state_t* afl, u8* buf, u32 len) {
}
static u8 colorization(afl_state_t* afl, u8* buf, u32 len, u32 exec_cksum) {
static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
struct range* ranges = add_range(NULL, 0, len);
u8* backup = ck_alloc_nozero(len);
struct range *ranges = add_range(NULL, 0, len);
u8 * backup = ck_alloc_nozero(len);
u8 needs_write = 0;
@ -115,7 +115,7 @@ static u8 colorization(afl_state_t* afl, u8* buf, u32 len, u32 exec_cksum) {
afl->stage_short = "colorization";
afl->stage_max = 1000;
struct range* rng;
struct range *rng;
afl->stage_cur = 0;
while ((rng = pop_biggest_range(&ranges)) != NULL &&
afl->stage_cur < afl->stage_max) {
@ -205,7 +205,7 @@ checksum_fail:
///// Input to State replacement
static u8 its_fuzz(afl_state_t* afl, u8* buf, u32 len, u8* status) {
static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
u64 orig_hit_cnt, new_hit_cnt;
@ -224,13 +224,13 @@ static u8 its_fuzz(afl_state_t* afl, u8* buf, u32 len, u8* status) {
}
static u8 cmp_extend_encoding(afl_state_t* afl, struct cmp_header* h,
u64 pattern, u64 repl, u32 idx, u8* orig_buf,
u8* buf, u32 len, u8 do_reverse, u8* status) {
static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u64 pattern, u64 repl, u32 idx, u8 *orig_buf,
u8 *buf, u32 len, u8 do_reverse, u8 *status) {
u64* buf_64 = (u64*)&buf[idx];
u32* buf_32 = (u32*)&buf[idx];
u16* buf_16 = (u16*)&buf[idx];
u64 *buf_64 = (u64 *)&buf[idx];
u32 *buf_32 = (u32 *)&buf[idx];
u16 *buf_16 = (u16 *)&buf[idx];
// u8* buf_8 = &buf[idx];
// u64* o_buf_64 = (u64*)&orig_buf[idx];
// u32* o_buf_32 = (u32*)&orig_buf[idx];
@ -313,9 +313,9 @@ static u8 cmp_extend_encoding(afl_state_t* afl, struct cmp_header* h,
}
static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) {
static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) {
u8* b = (u8*)&v;
u8 *b = (u8 *)&v;
u32 k;
u8 cons_ff = 0, cons_0 = 0;
@ -332,7 +332,7 @@ static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) {
}
maybe_add_auto(afl, (u8*)&v, shape);
maybe_add_auto(afl, (u8 *)&v, shape);
u64 rev;
switch (shape) {
@ -340,24 +340,24 @@ static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) {
case 1: break;
case 2:
rev = SWAP16((u16)v);
maybe_add_auto(afl, (u8*)&rev, shape);
maybe_add_auto(afl, (u8 *)&rev, shape);
break;
case 4:
rev = SWAP32((u32)v);
maybe_add_auto(afl, (u8*)&rev, shape);
maybe_add_auto(afl, (u8 *)&rev, shape);
break;
case 8:
rev = SWAP64(v);
maybe_add_auto(afl, (u8*)&rev, shape);
maybe_add_auto(afl, (u8 *)&rev, shape);
break;
}
}
static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
struct cmp_header* h = &afl->shm.cmp_map->headers[key];
struct cmp_header *h = &afl->shm.cmp_map->headers[key];
u32 i, j, idx;
u32 loggeds = h->hits;
@ -369,7 +369,7 @@ static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
for (i = 0; i < loggeds; ++i) {
struct cmp_operands* o = &afl->shm.cmp_map->log[key][i];
struct cmp_operands *o = &afl->shm.cmp_map->log[key][i];
// opt not in the paper
for (j = 0; j < i; ++j)
@ -414,9 +414,9 @@ static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
}
static u8 rtn_extend_encoding(afl_state_t* afl, struct cmp_header* h,
u8* pattern, u8* repl, u32 idx, u8* orig_buf,
u8* buf, u32 len, u8* status) {
static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u8 *pattern, u8 *repl, u32 idx, u8 *orig_buf,
u8 *buf, u32 len, u8 *status) {
u32 i;
u32 its_len = MIN(32, len - idx);
@ -440,9 +440,9 @@ static u8 rtn_extend_encoding(afl_state_t* afl, struct cmp_header* h,
}
static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
struct cmp_header* h = &afl->shm.cmp_map->headers[key];
struct cmp_header *h = &afl->shm.cmp_map->headers[key];
u32 i, j, idx;
u32 loggeds = h->hits;
@ -454,12 +454,12 @@ static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
for (i = 0; i < loggeds; ++i) {
struct cmpfn_operands* o =
&((struct cmpfn_operands*)afl->shm.cmp_map->log[key])[i];
struct cmpfn_operands *o =
&((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[i];
// opt not in the paper
for (j = 0; j < i; ++j)
if (!memcmp(&((struct cmpfn_operands*)afl->shm.cmp_map->log[key])[j], o,
if (!memcmp(&((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[j], o,
sizeof(struct cmpfn_operands)))
goto rtn_fuzz_next_iter;
@ -503,7 +503,7 @@ static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
///// Input to State stage
// afl->queue_cur->exec_cksum
u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len,
u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
u32 exec_cksum) {
u8 r = 1;

74
src/afl-fuzz-run.c
View File

@ -32,12 +32,12 @@
void timeout_handle(union sigval timer_data) {
pid_t child_pid = timer_data.sival_int;
pid_t child_pid = timer_data.sival_int;
if (child_pid > 0) kill(child_pid, SIGKILL);
}
u8 run_target(afl_state_t* afl, u32 timeout) {
u8 run_target(afl_state_t *afl, u32 timeout) {
// static struct itimerval it;
struct sigevent timer_signal_event;
@ -146,7 +146,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
/* Use a distinctive bitmap value to tell the parent about execv()
falling through. */
*(u32*)afl->fsrv.trace_bits = EXEC_FAIL_SIG;
*(u32 *)afl->fsrv.trace_bits = EXEC_FAIL_SIG;
exit(0);
}
@ -181,11 +181,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
timer_signal_event.sigev_value.sival_int = afl->fsrv.child_pid;
timer_status = timer_create(CLOCK_MONOTONIC, &timer_signal_event, &timer);
if (timer_status == -1) {
FATAL("Failed to create Timer");
}
if (timer_status == -1) { FATAL("Failed to create Timer"); }
timer_period.it_value.tv_sec = (timeout / 1000);
timer_period.it_value.tv_nsec = (timeout % 1000) * 1000000;
@ -203,13 +199,12 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
} else {
FATAL("Failed to set the timer to the given timeout");
FATAL("Failed to set the timer to the given timeout");
}
}
/* The SIGALRM handler simply kills the afl->fsrv.child_pid and sets
* afl->fsrv.child_timed_out. */
@ -221,6 +216,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
PFATAL("waitpid() failed");
}
} else {
s32 res;
@ -261,11 +257,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
timer_period.it_value.tv_nsec / 1000000);
if (afl->slowest_exec_ms < exec_ms) afl->slowest_exec_ms = exec_ms;
if (exec_ms >= timeout) {
afl->fsrv.child_timed_out = 1;
}
if (exec_ms >= timeout) { afl->fsrv.child_timed_out = 1; }
timer_period.it_value.tv_sec = 0;
timer_period.it_value.tv_nsec = 0;
@ -289,12 +281,12 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
MEM_BARRIER();
tb4 = *(u32*)afl->fsrv.trace_bits;
tb4 = *(u32 *)afl->fsrv.trace_bits;
#ifdef WORD_SIZE_64
classify_counts((u64*)afl->fsrv.trace_bits);
classify_counts((u64 *)afl->fsrv.trace_bits);
#else
classify_counts((u32*)afl->fsrv.trace_bits);
classify_counts((u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */
prev_timed_out = afl->fsrv.child_timed_out;
@ -327,9 +319,9 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
return FAULT_NONE;
handle_stop_soon:
timer_delete(timer);
return 0;
handle_stop_soon:
timer_delete(timer);
return 0;
}
@ -337,13 +329,13 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
old file is unlinked and a new one is created. Otherwise, afl->fsrv.out_fd is
rewound and truncated. */
void write_to_testcase(afl_state_t* afl, void* mem, u32 len) {
void write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
s32 fd = afl->fsrv.out_fd;
#ifdef _AFL_DOCUMENT_MUTATIONS
s32 doc_fd;
char* fn = alloc_printf("%s/mutations/%09u:%s", afl->out_dir,
char *fn = alloc_printf("%s/mutations/%09u:%s", afl->out_dir,
afl->document_counter++, describe_op(0));
if (fn != NULL) {
@ -382,7 +374,7 @@ void write_to_testcase(afl_state_t* afl, void* mem, u32 len) {
if (afl->mutator && afl->mutator->afl_custom_pre_save) {
u8* new_data;
u8 *new_data;
size_t new_size =
afl->mutator->afl_custom_pre_save(afl, mem, len, &new_data);
ck_write(fd, new_data, new_size, afl->fsrv.out_file);
@ -407,7 +399,7 @@ void write_to_testcase(afl_state_t* afl, void* mem, u32 len) {
/* The same, but with an adjustable gap. Used for trimming. */
static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at,
static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
u32 skip_len) {
s32 fd = afl->fsrv.out_fd;
@ -434,7 +426,7 @@ static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at,
if (skip_at) ck_write(fd, mem, skip_at, afl->fsrv.out_file);
u8* memu8 = mem;
u8 *memu8 = mem;
if (tail_len)
ck_write(fd, memu8 + skip_at + skip_len, tail_len, afl->fsrv.out_file);
@ -453,7 +445,7 @@ static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at,
to warn about flaky or otherwise problematic test cases early on; and when
new paths are discovered to detect variable behavior and so on. */
u8 calibrate_case(afl_state_t* afl, struct queue_entry* q, u8* use_mem,
u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
u32 handicap, u8 from_queue) {
static u8 first_trace[MAP_SIZE];
@ -465,7 +457,7 @@ u8 calibrate_case(afl_state_t* afl, struct queue_entry* q, u8* use_mem,
s32 old_sc = afl->stage_cur, old_sm = afl->stage_max;
u32 use_tmout = afl->fsrv.exec_tmout;
u8* old_sn = afl->stage_name;
u8 *old_sn = afl->stage_name;
/* Be a bit more generous about timeouts when resuming sessions, or when
trying to calibrate already-added finds. This helps avoid trouble due
@ -612,11 +604,11 @@ abort_calibration:
/* Grab interesting test cases from other fuzzers. */
void sync_fuzzers(afl_state_t* afl) {
void sync_fuzzers(afl_state_t *afl) {
DIR* sd;
struct dirent* sd_ent;
u32 sync_cnt = 0;
DIR *sd;
struct dirent *sd_ent;
u32 sync_cnt = 0;
sd = opendir(afl->sync_dir);
if (!sd) PFATAL("Unable to open '%s'", afl->sync_dir);
@ -631,10 +623,10 @@ void sync_fuzzers(afl_state_t* afl) {
static u8 stage_tmp[128];
DIR* qd;
struct dirent* qd_ent;
u8 * qd_path, *qd_synced_path;
u32 min_accept = 0, next_min_accept;
DIR *qd;
struct dirent *qd_ent;
u8 *qd_path, *qd_synced_path;
u32 min_accept = 0, next_min_accept;
s32 id_fd;
@ -679,8 +671,8 @@ void sync_fuzzers(afl_state_t* afl) {
while ((qd_ent = readdir(qd))) {
u8* path;
s32 fd;
u8 *path;
s32 fd;
struct stat st;
if (qd_ent->d_name[0] == '.' ||
@ -713,7 +705,7 @@ void sync_fuzzers(afl_state_t* afl) {
if (st.st_size && st.st_size <= MAX_FILE) {
u8 fault;
u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
u8 *mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path);
@ -760,7 +752,7 @@ void sync_fuzzers(afl_state_t* afl) {
trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of
file size, to keep the stage short and sweet. */
u8 trim_case(afl_state_t* afl, struct queue_entry* q, u8* in_buf) {
u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
/* Custom mutator trimmer */
if (afl->mutator && afl->mutator->afl_custom_trim)
@ -896,7 +888,7 @@ abort_trimming:
error conditions, returning 1 if it's time to bail out. This is
a helper function for fuzz_one(). */
u8 common_fuzz_stuff(afl_state_t* afl, u8* out_buf, u32 len) {
u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
u8 fault;

14
src/afl-fuzz-stats.c
View File

@ -347,9 +347,9 @@ void show_stats(afl_state_t *afl) {
/* Lord, forgive me this. */
SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
" process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
" overall results " bSTG bH2 bH2 bRT "\n");
" overall results " bSTG bH2 bH2 bRT "\n");
if (afl->dumb_mode) {
@ -429,9 +429,9 @@ void show_stats(afl_state_t *afl) {
" uniq hangs : " cRST "%-6s" bSTG bV "\n",
DTD(cur_ms, afl->last_hang_time), tmp);
SAYF(bVR bH bSTOP cCYA
SAYF(bVR bH bSTOP cCYA
" cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA
" map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
" map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
/* This gets funny because we want to print several variable-length variables
together, but then cram them into a fixed-width field - so we need to
@ -460,9 +460,9 @@ void show_stats(afl_state_t *afl) {
SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp);
SAYF(bVR bH bSTOP cCYA
SAYF(bVR bH bSTOP cCYA
" stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
" findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
" findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths);
@ -533,7 +533,7 @@ void show_stats(afl_state_t *afl) {
/* Aaaalmost there... hold on! */
SAYF(bVR bH cCYA bSTOP
SAYF(bVR bH cCYA bSTOP
" fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
" path geometry " bSTG bH5 bH2 bVL "\n");

34
src/afl-fuzz.c
View File

@ -27,7 +27,7 @@
u8 be_quiet = 0;
static u8* get_libradamsa_path(u8* own_loc) {
static u8 *get_libradamsa_path(u8 *own_loc) {
u8 *tmp, *cp, *rsl, *own_copy;
@ -84,7 +84,7 @@ static u8* get_libradamsa_path(u8* own_loc) {
/* Display usage hints. */
static void usage(afl_state_t* afl, u8* argv0, int more_help) {
static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
SAYF(
"\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n"
@ -198,7 +198,7 @@ static void usage(afl_state_t* afl, u8* argv0, int more_help) {
#ifdef USE_PYTHON
SAYF("Compiled with %s module support, see docs/custom_mutator.md\n",
(char*)PYTHON_VERSION);
(char *)PYTHON_VERSION);
#endif
SAYF("For additional help please consult %s/README.md\n\n", doc_path);
@ -210,7 +210,7 @@ static void usage(afl_state_t* afl, u8* argv0, int more_help) {
#ifndef AFL_LIB
static int stricmp(char const* a, char const* b) {
static int stricmp(char const *a, char const *b) {
for (;; ++a, ++b) {
@ -224,22 +224,22 @@ static int stricmp(char const* a, char const* b) {
/* Main entry point */
int main(int argc, char** argv_orig, char** envp) {
int main(int argc, char **argv_orig, char **envp) {
s32 opt;
u64 prev_queued = 0;
u32 sync_interval_cnt = 0, seek_to, show_help = 0;
u8* extras_dir = 0;
u8 * extras_dir = 0;
u8 mem_limit_given = 0;
u8 exit_1 = !!get_afl_env("AFL_BENCH_JUST_ONE");
char** use_argv;
char **use_argv;
struct timeval tv;
struct timezone tz;
char** argv = argv_cpy_dup(argc, argv_orig);
char **argv = argv_cpy_dup(argc, argv_orig);
afl_state_t* afl = calloc(1, sizeof(afl_state_t));
afl_state_t *afl = calloc(1, sizeof(afl_state_t));
if (!afl) { FATAL("Could not create afl state"); }
afl_state_init(afl);
@ -248,7 +248,7 @@ int main(int argc, char** argv_orig, char** envp) {
SAYF(cCYA "afl-fuzz" VERSION cRST
" based on afl by Michal Zalewski and a big online community\n");
doc_path = access(DOC_PATH, F_OK) ? (u8*)"docs" : doc_path;
doc_path = access(DOC_PATH, F_OK) ? (u8 *)"docs" : doc_path;
gettimeofday(&tv, &tz);
afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
@ -337,7 +337,7 @@ int main(int argc, char** argv_orig, char** envp) {
case 'M': { /* master sync ID */
u8* c;
u8 *c;
if (afl->sync_id) FATAL("Multiple -S or -M options not supported");
afl->sync_id = ck_strdup(optarg);
@ -696,8 +696,8 @@ int main(int argc, char** argv_orig, char** envp) {
OKF("Using Radamsa add-on");
u8* libradamsa_path = get_libradamsa_path(argv[0]);
void* handle = dlopen(libradamsa_path, RTLD_NOW);
u8 * libradamsa_path = get_libradamsa_path(argv[0]);
void *handle = dlopen(libradamsa_path, RTLD_NOW);
ck_free(libradamsa_path);
if (!handle) FATAL("Failed to dlopen() libradamsa");
@ -794,9 +794,9 @@ int main(int argc, char** argv_orig, char** envp) {
if (afl->qemu_mode) {
u8* qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD");
u8* buf;
u8 *qemu_preload = getenv("QEMU_SET_ENV");
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
@ -926,7 +926,7 @@ int main(int argc, char** argv_orig, char** envp) {
u32 i = optind + 1;
while (argv[i]) {
u8* aa_loc = strstr(argv[i], "@@");
u8 *aa_loc = strstr(argv[i], "@@");
if (aa_loc && !afl->fsrv.out_file) {

48
src/afl-gcc.c
View File

@ -48,18 +48,18 @@
#include <stdlib.h>
#include <string.h>
static u8* as_path; /* Path to the AFL 'as' wrapper */
static u8** cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 be_quiet, /* Quiet mode */
static u8 *as_path; /* Path to the AFL 'as' wrapper */
static u8 **cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 be_quiet, /* Quiet mode */
clang_mode; /* Invoked as afl-clang*? */
/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived
from argv[0]. If that fails, abort. */
static void find_as(u8* argv0) {
static void find_as(u8 *argv0) {
u8* afl_path = getenv("AFL_PATH");
u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp;
if (afl_path) {
@ -82,7 +82,7 @@ static void find_as(u8* argv0) {
if (slash) {
u8* dir;
u8 *dir;
*slash = 0;
dir = ck_strdup(argv0);
@ -116,16 +116,16 @@ static void find_as(u8* argv0) {
/* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) {
static void edit_params(u32 argc, char **argv) {
u8 fortify_set = 0, asan_set = 0;
u8* name;
u8 *name;
#if defined(__FreeBSD__) && defined(WORD_SIZE_64)
u8 m32_set = 0;
#endif
cc_params = ck_alloc((argc + 128) * sizeof(u8*));
cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
name = strrchr(argv[0], '/');
if (!name)
@ -141,13 +141,13 @@ static void edit_params(u32 argc, char** argv) {
if (!strcmp(name, "afl-clang++")) {
u8* alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8 *)"clang++";
} else {
u8* alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8 *)"clang";
}
@ -186,18 +186,18 @@ static void edit_params(u32 argc, char** argv) {
if (!strcmp(name, "afl-g++")) {
u8* alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++";
u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8 *)"g++";
} else if (!strcmp(name, "afl-gcj")) {
u8* alt_cc = getenv("AFL_GCJ");
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj";
u8 *alt_cc = getenv("AFL_GCJ");
cc_params[0] = alt_cc ? alt_cc : (u8 *)"gcj";
} else {
u8* alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc";
u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8 *)"gcc";
}
@ -207,7 +207,7 @@ static void edit_params(u32 argc, char** argv) {
while (--argc) {
u8* cur = *(++argv);
u8 *cur = *(++argv);
if (!strncmp(cur, "-B", 2)) {
@ -340,9 +340,9 @@ static void edit_params(u32 argc, char** argv) {
/* Main entry point */
int main(int argc, char** argv) {
int main(int argc, char **argv) {
char* env_info =
char *env_info =
"Environment variables used by afl-gcc:\n"
"AFL_CC: path to the C compiler to use\n"
"AFL_CXX: path to the C++ compiler to use\n"
@ -415,7 +415,7 @@ int main(int argc, char** argv) {
edit_params(argc, argv);
execvp(cc_params[0], (char**)cc_params);
execvp(cc_params[0], (char **)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);

4
src/afl-gotcpu.c
View File

@ -129,7 +129,7 @@ repeat_loop:
/* Do the benchmark thing. */
int main(int argc, char** argv) {
int main(int argc, char **argv) {
if (argc > 1) {
@ -165,7 +165,7 @@ int main(int argc, char** argv) {
CPU_ZERO(&c);
CPU_SET(i, &c);
#elif defined(__NetBSD__)
cpuset_t* c;
cpuset_t *c;
c = cpuset_create();
if (c == NULL) PFATAL("cpuset_create failed");

60
src/afl-showmap.c
View File

@ -61,13 +61,13 @@
u8 be_quiet;
char* stdin_file; /* stdin file */
char *stdin_file; /* stdin file */
u8 *in_dir, /* input folder */
*doc_path, /* Path to docs */
*at_file = NULL; /* Substitution string for @@ */
static u8* in_data; /* Input data */
static u8 *in_data; /* Input data */
static u32 total, highest; /* tuple content information */
@ -111,7 +111,7 @@ static const u8 count_class_binary[256] = {
};
static void classify_counts(u8* mem, const u8* map) {
static void classify_counts(u8 *mem, const u8 *map) {
u32 i = MAP_SIZE;
@ -147,7 +147,7 @@ static void at_exit_handler(void) {
/* Write results. */
static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) {
static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
s32 fd;
u32 i, ret = 0;
@ -183,7 +183,7 @@ static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) {
} else {
FILE* f = fdopen(fd, "w");
FILE *f = fdopen(fd, "w");
if (!f) PFATAL("fdopen() failed");
@ -218,7 +218,7 @@ static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) {
/* Write results. */
static u32 write_results(afl_forkserver_t* fsrv) {
static u32 write_results(afl_forkserver_t *fsrv) {
return write_results_to_file(fsrv, fsrv->out_file);
@ -226,7 +226,7 @@ static u32 write_results(afl_forkserver_t* fsrv) {
/* Write output file. */
static s32 write_to_file(u8* path, u8* mem, u32 len) {
static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
s32 ret;
@ -248,7 +248,7 @@ static s32 write_to_file(u8* path, u8* mem, u32 len) {
is unlinked and a new one is created. Otherwise, out_fd is rewound and
truncated. */
static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) {
static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) {
lseek(fsrv->out_fd, 0, SEEK_SET);
ck_write(fsrv->out_fd, mem, len, fsrv->out_file);
@ -260,7 +260,7 @@ static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) {
/* Execute target application. Returns 0 if the changes are a dud, or
1 if they should be kept. */
static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem,
static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem,
u32 len) {
static struct itimerval it;
@ -321,7 +321,7 @@ static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem,
/* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG)
if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]);
classify_counts(fsrv->trace_bits,
@ -356,7 +356,7 @@ static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem,
/* Read initial file. */
u32 read_file(u8* in_file) {
u32 read_file(u8 *in_file) {
struct stat st;
s32 fd = open(in_file, O_RDONLY);
@ -381,7 +381,7 @@ u32 read_file(u8* in_file) {
/* Execute target application. */
static void run_target(afl_forkserver_t* fsrv, char** argv) {
static void run_target(afl_forkserver_t *fsrv, char **argv) {
static struct itimerval it;
int status = 0;
@ -404,7 +404,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) {
if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) {
*(u32*)fsrv->trace_bits = EXEC_FAIL_SIG;
*(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG;
PFATAL("Descriptor initialization failed");
}
@ -442,7 +442,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) {
execv(fsrv->target_path, argv);
*(u32*)fsrv->trace_bits = EXEC_FAIL_SIG;
*(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG;
exit(0);
}
@ -470,7 +470,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) {
/* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG)
if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]);
classify_counts(fsrv->trace_bits,
@ -525,9 +525,9 @@ static void set_up_environment(void) {
if (qemu_mode) {
u8* qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD");
u8* buf;
u8 *qemu_preload = getenv("QEMU_SET_ENV");
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
@ -597,7 +597,7 @@ static void show_banner(void) {
/* Display usage hints. */
static void usage(u8* argv0) {
static void usage(u8 *argv0) {
show_banner();
@ -647,9 +647,9 @@ static void usage(u8* argv0) {
/* Find binary. */
static void find_binary(afl_forkserver_t* fsrv, u8* fname) {
static void find_binary(afl_forkserver_t *fsrv, u8 *fname) {
u8* env_path = 0;
u8 *env_path = 0;
struct stat st;
if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
@ -703,19 +703,19 @@ static void find_binary(afl_forkserver_t* fsrv, u8* fname) {
/* Main entry point */
int main(int argc, char** argv_orig, char** envp) {
int main(int argc, char **argv_orig, char **envp) {
// TODO: u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */
s32 opt, i;
u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
u32 tcnt = 0;
char** use_argv;
char **use_argv;
char** argv = argv_cpy_dup(argc, argv_orig);
char **argv = argv_cpy_dup(argc, argv_orig);
afl_forkserver_t fsrv_var = {0};
afl_forkserver_t* fsrv = &fsrv_var;
afl_forkserver_t *fsrv = &fsrv_var;
afl_fsrv_init(fsrv);
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
@ -929,10 +929,10 @@ int main(int argc, char** argv_orig, char** envp) {
if (in_dir) {
DIR * dir_in, *dir_out;
struct dirent* dir_ent;
int done = 0;
u8 infile[4096], outfile[4096];
DIR *dir_in, *dir_out;
struct dirent *dir_ent;
int done = 0;
u8 infile[4096], outfile[4096];
#if !defined(DT_REG)
struct stat statbuf;
#endif
@ -946,7 +946,7 @@ int main(int argc, char** argv_orig, char** envp) {
if (mkdir(fsrv->out_file, 0700))
PFATAL("cannot create output directory %s", fsrv->out_file);
u8* use_dir = ".";
u8 *use_dir = ".";
if (access(use_dir, R_OK | W_OK | X_OK)) {

54
src/afl-tmin.c
View File

@ -58,13 +58,13 @@
#include <sys/types.h>
#include <sys/resource.h>
static u8* mask_bitmap; /* Mask for trace bits (-B) */
static u8 *mask_bitmap; /* Mask for trace bits (-B) */
u8 *in_file, /* Minimizer input test case */
*output_file, /* Minimizer output file */
*doc_path; /* Path to docs */
static u8* in_data; /* Input data for trimming */
static u8 *in_data; /* Input data for trimming */
static u32 in_len, /* Input data length */
orig_cksum, /* Original checksum */
@ -105,7 +105,7 @@ static const u8 count_class_lookup[256] = {
};
static void classify_counts(u8* mem) {
static void classify_counts(u8 *mem) {
u32 i = MAP_SIZE;
@ -133,7 +133,7 @@ static void classify_counts(u8* mem) {
/* Apply mask to classified bitmap (if set). */
static void apply_mask(u32* mem, u32* mask) {
static void apply_mask(u32 *mem, u32 *mask) {
u32 i = (MAP_SIZE >> 2);
@ -151,9 +151,9 @@ static void apply_mask(u32* mem, u32* mask) {
/* See if any bytes are set in the bitmap. */
static inline u8 anything_set(afl_forkserver_t* fsrv) {
static inline u8 anything_set(afl_forkserver_t *fsrv) {
u32* ptr = (u32*)fsrv->trace_bits;
u32 *ptr = (u32 *)fsrv->trace_bits;
u32 i = (MAP_SIZE >> 2);
while (i--)
@ -196,7 +196,7 @@ static void read_initial_file(void) {
/* Write output file. */
static s32 write_to_file(u8* path, u8* mem, u32 len) {
static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
s32 ret;
@ -218,7 +218,7 @@ static s32 write_to_file(u8* path, u8* mem, u32 len) {
is unlinked and a new one is created. Otherwise, out_fd is rewound and
truncated. */
static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) {
static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) {
s32 fd = fsrv->out_fd;
@ -395,7 +395,7 @@ static void init_forkserver(char **argv) {
/* Execute target application. Returns 0 if the changes are a dud, or
1 if they should be kept. */
static u8 run_target(afl_forkserver_t* fsrv, char** argv, u8* mem, u32 len,
static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
u8 first_run) {
static struct itimerval it;
@ -460,13 +460,13 @@ static u8 run_target(afl_forkserver_t* fsrv, char** argv, u8* mem, u32 len,
/* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG)
if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]);
if (!hang_mode) {
classify_counts(fsrv->trace_bits);
apply_mask((u32*)fsrv->trace_bits, (u32*)mask_bitmap);
apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
}
@ -565,11 +565,11 @@ static u32 next_p2(u32 val) {
/* Actually minimize! */
static void minimize(afl_forkserver_t* fsrv, char** argv) {
static void minimize(afl_forkserver_t *fsrv, char **argv) {
static u32 alpha_map[256];
u8* tmp_buf = ck_alloc_nozero(in_len);
u8 *tmp_buf = ck_alloc_nozero(in_len);
u32 orig_len = in_len, stage_o_len;
u32 del_len, set_len, del_pos, set_pos, i, alpha_size, cur_pass = 0;
@ -835,16 +835,16 @@ static void handle_stop_sig(int sig) {
/* Do basic preparations - persistent fds, filenames, etc. */
static void set_up_environment(afl_forkserver_t* fsrv) {
static void set_up_environment(afl_forkserver_t *fsrv) {
u8* x;
u8 *x;
fsrv->dev_null_fd = open("/dev/null", O_RDWR);
if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null");
if (!fsrv->out_file) {
u8* use_dir = ".";
u8 *use_dir = ".";
if (access(use_dir, R_OK | W_OK | X_OK)) {
@ -907,9 +907,9 @@ static void set_up_environment(afl_forkserver_t* fsrv) {
if (qemu_mode) {
u8* qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD");
u8* buf;
u8 *qemu_preload = getenv("QEMU_SET_ENV");
u8 *afl_preload = getenv("AFL_PRELOAD");
u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
@ -971,7 +971,7 @@ static void setup_signal_handlers(void) {
/* Display usage hints. */
static void usage(u8* argv0) {
static void usage(u8 *argv0) {
SAYF(
"\n%s [ options ] -- /path/to/target_app [ ... ]\n\n"
@ -1018,9 +1018,9 @@ static void usage(u8* argv0) {
/* Find binary. */
static void find_binary(afl_forkserver_t* fsrv, u8* fname) {
static void find_binary(afl_forkserver_t *fsrv, u8 *fname) {
u8* env_path = 0;
u8 * env_path = 0;
struct stat st;
if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
@ -1074,7 +1074,7 @@ static void find_binary(afl_forkserver_t* fsrv, u8* fname) {
/* Read mask bitmap from file. This is for the -B option. */
static void read_bitmap(u8* fname) {
static void read_bitmap(u8 *fname) {
s32 fd = open(fname, O_RDONLY);
@ -1088,16 +1088,16 @@ static void read_bitmap(u8* fname) {
/* Main entry point */
int main(int argc, char** argv_orig, char** envp) {
int main(int argc, char **argv_orig, char **envp) {
s32 opt;
u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
char** use_argv;
char **use_argv;
char** argv = argv_cpy_dup(argc, argv_orig);
char **argv = argv_cpy_dup(argc, argv_orig);
afl_forkserver_t fsrv_var = {0};
afl_forkserver_t* fsrv = &fsrv_var;
afl_forkserver_t *fsrv = &fsrv_var;
afl_fsrv_init(fsrv);
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;

4
test-instr.c
View File

@ -23,11 +23,11 @@
#include <sys/stat.h>
#include <fcntl.h>
int main(int argc, char** argv) {
int main(int argc, char **argv) {
int fd = 0;
char buff[8];
char* buf = buff;
char *buf = buff;
// we support command line parameter and stdin
if (argc == 2) {

2
test/test-compcov.c
View File

@ -3,7 +3,7 @@
#include <unistd.h>
#include <string.h>
int main(int argc, char** argv) {
int main(int argc, char **argv) {
char *input = argv[1], *buf, buffer[20];
if (argc < 2) {