fix splicing selection

This commit is contained in:
van Hauser
2020-10-12 04:03:42 +02:00
parent b7e0490bcd
commit d6da5605c8


@ -1712,9 +1712,9 @@ custom_mutator_stage:
tid = rand_below(afl, afl->queued_paths);
} while (unlikely(tid == afl->current_entry &&
} while (unlikely(tid == afl->current_entry ||
afl->queue_buf[tid]->len >= 4));
afl->queue_buf[tid]->len < 4));
target = afl->queue_buf[tid];
afl->splicing_with = tid;
@ -1872,7 +1872,7 @@ havoc_stage:
u32 r_max, r;
if (unlikely(afl->expand_havoc)) {
if (unlikely(afl->expand_havoc && afl->ready_for_splicing_count > 1)) {
/* add expensive havoc cases here, they are activated after a full
cycle without finds happened */
@ -2323,24 +2323,15 @@ havoc_stage:
/* Overwrite bytes with a randomly selected chunk from another
testcase or insert that chunk. */
if (afl->queued_paths < 4) break;
/* Pick a random queue entry and seek to it. */
u32 tid;
do
tid = rand_below(afl, afl->queued_paths);
while (tid == afl->current_entry);
while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
struct queue_entry *target = afl->queue_buf[tid];
/* Make sure that the target has a reasonable length. */
while (target && (target->len < 2 || target == afl->queue_cur))
target = target->next;
if (!target) break;
/* Read the testcase into a new buffer. */
fd = open(target->fname, O_RDONLY);
@ -2480,7 +2471,7 @@ havoc_stage:
retry_splicing:
if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES &&
afl->queued_paths > 1 && afl->queue_cur->len > 1) {
afl->ready_for_splicing_count > 1 && afl->queue_cur->len >= 4) {
struct queue_entry *target;
u32 tid, split_at;
@ -2503,22 +2494,11 @@ retry_splicing:
tid = rand_below(afl, afl->queued_paths);
} while (tid == afl->current_entry);
} while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
afl->splicing_with = tid;
target = afl->queue_buf[tid];
/* Make sure that the target has a reasonable length. */
while (target && (target->len < 2 || target == afl->queue_cur)) {
target = target->next;
++afl->splicing_with;
}
if (!target) { goto retry_splicing; }
/* Read the testcase into a new buffer. */
fd = open(target->fname, O_RDONLY);
@ -4487,7 +4467,7 @@ pacemaker_fuzzing:
if (afl->use_splicing &&
splice_cycle++ < (u32)afl->SPLICE_CYCLES_puppet &&
afl->queued_paths > 1 && afl->queue_cur->len > 1) {
afl->ready_for_splicing_count > 1 && afl->queue_cur->len >= 4) {
struct queue_entry *target;
u32 tid, split_at;
@ -4511,22 +4491,11 @@ pacemaker_fuzzing:
tid = rand_below(afl, afl->queued_paths);
} while (tid == afl->current_entry);
} while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);
afl->splicing_with = tid;
target = afl->queue_buf[tid];
/* Make sure that the target has a reasonable length. */
while (target && (target->len < 2 || target == afl->queue_cur)) {
target = target->next;
++afl->splicing_with;
}
if (!target) { goto retry_splicing_puppet; }
/* Read the testcase into a new buffer. */
fd = open(target->fname, O_RDONLY);
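Review bot: The do-while in the chunk overwrite/insert case, `while (tid == afl->current_entry || afl->queue_buf[tid]->len < 4);`, is guarded only by the unchanged `if (afl->queued_paths < 4) break;`, which bounds the number of queue entries rather than the number of entries at least 4 bytes long, so a queue of four or more sub-4-byte entries makes that loop spin forever. The retry_splicing hunks gate the same loop on `afl->ready_for_splicing_count > 1`, and unless this havoc case is only reachable under the `expand_havoc && afl->ready_for_splicing_count > 1` check from the r_max hunk, the guard here should match: `if (afl->ready_for_splicing_count < 2) break;` (this assumes ready_for_splicing_count counts entries of len >= 4, as its use at retry_splicing suggests). The same question applies to the custom_mutator_stage loop in the first hunk, whose guard is outside the hunk. The enclosing havoc_stage and pacemaker_fuzzing bodies start and end outside these hunks.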