fixes

custom_mutators/gramatron/Makefile

@@ -0,0 +1,7 @@
+all:	gramatron.so
+
+gramatron.so:	gramfuzz.c gramfuzz.h gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c hashmap.h test.c test.h utarray.h uthash.h
+	$(CC) -O3 -g -fPIC -Wno-unused-result -Wl,--allow-multiple-definition -I../../include -o gramatron.so -shared -I. -I/prg/dev/include gramfuzz.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c test.c -ljson-c
+
+clean:
+	rm -f gramatron.so

custom_mutators/gramatron/gramfuzz.c

@@ -219,7 +219,7 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
     data->mut_alloced = 1;
     free(spliceCandidate->start);
     free(spliceCandidate);
-    free(automaton_fn);
+    ck_free(automaton_fn);
 
   } else {  // Generate an input from scratch
 
@@ -251,9 +251,9 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
  * @param filename_new_queue File name of the new queue entry
  * @param filename_orig_queue File name of the original queue entry
  */
-void afl_custom_queue_new_entry(my_mutator_t * data,
-                                const uint8_t *filename_new_queue,
-                                const uint8_t *filename_orig_queue) {
+u8 afl_custom_queue_new_entry(my_mutator_t * data,
+                              const uint8_t *filename_new_queue,
+                              const uint8_t *filename_orig_queue) {
 
   // get the filename
   u8 *   automaton_fn, *unparsed_input;
@@ -270,6 +270,7 @@ void afl_custom_queue_new_entry(my_mutator_t * data,
 
     new_input = gen_input(pda, NULL);
     write_input(new_input, automaton_fn);
+
     // Update the placeholder file
     if (unlink(filename_new_queue)) {
 
@@ -282,15 +283,17 @@ void afl_custom_queue_new_entry(my_mutator_t * data,
               S_IRUSR | S_IWUSR);
     if (fd < 0) { PFATAL("Failed to update file '%s'", filename_new_queue); }
     int written = write(fd, unparsed_input, new_input->inputlen + 1);
+    close(fd);
+
     free(new_input->start);
     free(new_input);
     free(unparsed_input);
 
   }
 
-  free(automaton_fn);
+  ck_free(automaton_fn);
 
-  return;
+  return 1;
 
 }
 
@@ -388,7 +391,7 @@ uint8_t afl_custom_queue_get(my_mutator_t *data, const uint8_t *filename) {
 
   // data->getdupesret = get_dupes(data->orig_walk, &data->recurlen);
 
-  free(automaton_fn);
+  ck_free(automaton_fn);
   return 1;
 
 }

custom_mutators/grammatron/Makefile

@@ -1,7 +0,0 @@
-all:	gramatron.so
-
-gramatron.so:	gramfuzz.c gramfuzz.h gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c hashmap.h test.c test.h utarray.h uthash.h
-	$(CC) -O3 -g -fPIC -Wl,--allow-multiple-definition -I../../include -o gramatron.so -shared -I. -I/prg/dev/include gramfuzz.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c test.c
-
-clean:
-	rm -f gramatron.so

include/afl-fuzz.h

@@ -972,8 +972,8 @@ struct custom_mutator {
    * @param filename_orig_queue File name of the original queue entry. This
    *     argument can be NULL while initializing the fuzzer
    */
-  void (*afl_custom_queue_new_entry)(void *data, const u8 *filename_new_queue,
-                                     const u8 *filename_orig_queue);
+  u8 (*afl_custom_queue_new_entry)(void *data, const u8 *filename_new_queue,
+                                   const u8 *filename_orig_queue);
   /**
    * Deinitialize the custom mutator.
    *
@@ -1021,7 +1021,7 @@ size_t      havoc_mutation_py(void *, u8 *, size_t, u8 **, size_t);
 u8          havoc_mutation_probability_py(void *);
 u8          queue_get_py(void *, const u8 *);
 const char *introspection_py(void *);
-void        queue_new_entry_py(void *, const u8 *, const u8 *);
+u8          queue_new_entry_py(void *, const u8 *, const u8 *);
 void        deinit_py(void *);
 
 #endif

src/afl-fuzz-python.c

@@ -813,8 +813,8 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) {
 
 }
 
-void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
-                        const u8 *filename_orig_queue) {
+u8 queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
+                      const u8 *filename_orig_queue) {
 
   PyObject *py_args, *py_value;
 
@@ -861,7 +861,21 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
       py_args);
   Py_DECREF(py_args);
 
-  if (py_value == NULL) {
+  if (py_value != NULL) {
+
+    int ret = PyObject_IsTrue(py_value);
+    Py_DECREF(py_value);
+
+    if (ret == -1) {
+
+      PyErr_Print();
+      FATAL("Failed to convert return value");
+
+    }
+
+    return (u8)ret & 0xFF;
+
+  } else {
 
     PyErr_Print();
     FATAL("Call failed");

src/afl-fuzz-queue.c

@@ -474,6 +474,8 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
 
   if (afl->custom_mutators_count) {
 
+    u8 updated = 0;
+
     LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
 
       if (el->afl_custom_queue_new_entry) {
@@ -487,12 +489,30 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
 
         }
 
-        el->afl_custom_queue_new_entry(el->data, fname, fname_orig);
+        if (el->afl_custom_queue_new_entry(el->data, fname, fname_orig)) {
+
+          updated = 1;
+
+        }
 
       }
 
     });
 
+    if (updated) {
+
+      struct stat st;
+      if (stat(fname, &st)) { PFATAL("File %s is gone!", fname); }
+      if (!st.st_size) {
+
+        FATAL("File %s became empty in custom mutator!", fname);
+
+      }
+
+      q->len = st.st_size;
+
+    }
+
   }
 
   /* only redqueen currently uses is_ascii */