directly add new queue to cache

2025-06-11 01:31:37 +00:00 · 2020-10-16 09:35:35 +02:00 · 2020-10-16 09:35:35 +02:00 · d5c3b4bafd
commit d5c3b4bafd
parent b82e9ad3db
4 changed files with 53 additions and 2 deletions
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -1169,6 +1169,10 @@ void queue_testcase_retake(afl_state_t *afl, struct queue_entry *q,
 void queue_testcase_retake_mem(afl_state_t *afl, struct queue_entry *q, u8 *in,
                               u32 len, u32 old_len);

+/* Add a new queue entry directly to the cache */
+
+void queue_testcase_store_mem(afl_state_t *afl, struct queue_entry *q, u8 *mem);
+
 #if TESTCASE_CACHE == 1
  #error define of TESTCASE_CACHE must be zero or larger than 1
 #endif
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@ -623,6 +623,12 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
    ck_write(fd, mem, len, queue_fn);
    close(fd);

+    if (likely(afl->q_testcase_max_cache_size)) {
+
+      queue_testcase_store_mem(afl, afl->queue_top, mem);
+
+    }
+
    keeping = 1;

  }
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@ -1021,7 +1021,7 @@ inline u8 *queue_testcase_get(afl_state_t *afl, struct queue_entry *q) {

    /* Register testcase as cached */
    afl->q_testcase_cache[tid] = q;
-    afl->q_testcase_cache_size += q->len;
+    afl->q_testcase_cache_size += len;
    ++afl->q_testcase_cache_count;
    if (tid >= afl->q_testcase_max_cache_count)
      afl->q_testcase_max_cache_count = tid + 1;
@ -1032,3 +1032,44 @@ inline u8 *queue_testcase_get(afl_state_t *afl, struct queue_entry *q) {

 }

+/* Adds the new queue entry to the cache. */
+
+inline void queue_testcase_store_mem(afl_state_t *afl, struct queue_entry *q,
+                                     u8 *mem) {
+
+  u32 len = q->len;
+
+  if (unlikely(afl->q_testcase_cache_size + len >=
+                   afl->q_testcase_max_cache_size ||
+               afl->q_testcase_cache_count >= TESTCASE_ENTRIES - 1)) {
+
+    return;
+
+  }
+
+  u32 tid = 0;
+
+  while (likely(afl->q_testcase_cache[tid] != NULL))
+    ++tid;
+
+  /* Map the test case into memory. */
+
+  q->testcase_buf = malloc(len);
+
+  if (unlikely(!q->testcase_buf)) {
+
+    PFATAL("Unable to malloc '%s' with len %u", q->fname, len);
+
+  }
+
+  memcpy(q->testcase_buf, mem, len);
+
+  /* Register testcase as cached */
+  afl->q_testcase_cache[tid] = q;
+  afl->q_testcase_cache_size += len;
+  ++afl->q_testcase_cache_count;
+  if (tid >= afl->q_testcase_max_cache_count)
+    afl->q_testcase_max_cache_count = tid + 1;
+
+}
+
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@ -1017,7 +1017,7 @@ int main(int argc, char **argv_orig, char **envp) {
        alloc_printf("%s/.afl-showmap-temp-%u", use_dir, (u32)getpid());
    unlink(stdin_file);
    atexit(at_exit_handler);
-    afl->fsrv.out_file = stdin_file;
+    fsrv->out_file = stdin_file;
    fsrv->out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); }