Merge pull request #545 from AFLplusplus/dev

v2.68c

.clang-format

@@ -0,0 +1,148 @@
+---
+Language:        Cpp
+# BasedOnStyle:  Google
+AccessModifierOffset: -1
+AlignAfterOpenBracket: Align
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: true
+AlignEscapedNewlines: Left
+AlignOperands:   true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AllowShortBlocksOnASingleLine: true
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: false
+AllowShortIfStatementsOnASingleLine: true
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: true
+AlwaysBreakTemplateDeclarations: Yes
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:   
+  AfterClass:      false
+  AfterControlStatement: false
+  AfterEnum:       false
+  AfterFunction:   false
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: true
+  SplitEmptyNamespace: true
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Attach
+BreakBeforeInheritanceComma: false
+BreakInheritanceList: BeforeColon
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:     80
+CommentPragmas:  '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+DisableFormat:   false
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:   
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IncludeBlocks:   Preserve
+IncludeCategories: 
+  - Regex:           '^<ext/.*\.h>'
+    Priority:        2
+  - Regex:           '^<.*\.h>'
+    Priority:        1
+  - Regex:           '^<.*'
+    Priority:        2
+  - Regex:           '.*'
+    Priority:        3
+IncludeIsMainRegex: '([-_](test|unittest))?$'
+IndentCaseLabels: true
+IndentPPDirectives: BeforeHash
+IndentWidth:     2
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: false
+MacroBlockBegin: ''
+MacroBlockEnd:   ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+ObjCBinPackProtocolList: Never
+ObjCBlockIndentWidth: 2
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 1
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakString: 1000
+PenaltyBreakTemplateDeclaration: 10
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 200
+PointerAlignment: Right
+RawStringFormats: 
+  - Language:        Cpp
+    Delimiters:      
+      - cc
+      - CC
+      - cpp
+      - Cpp
+      - CPP
+      - 'c++'
+      - 'C++'
+    CanonicalDelimiter: ''
+    BasedOnStyle:    google
+  - Language:        TextProto
+    Delimiters:      
+      - pb
+      - PB
+      - proto
+      - PROTO
+    EnclosingFunctions: 
+      - EqualsProto
+      - EquivToProto
+      - PARSE_PARTIAL_TEXT_PROTO
+      - PARSE_TEST_PROTO
+      - PARSE_TEXT_PROTO
+      - ParseTextOrDie
+      - ParseTextProtoOrDie
+    CanonicalDelimiter: ''
+    BasedOnStyle:    google
+ReflowComments:  true
+SortIncludes:    false
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 2
+SpacesInAngles:  false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard:        Auto
+TabWidth:        8
+UseTab:          Never
+...
+

.custom-format.py

@@ -0,0 +1,123 @@
+#!/usr/bin/env python3
+#
+# american fuzzy lop++ - custom code formatter
+# --------------------------------------------
+#
+# Written and maintaned by Andrea Fioraldi <andreafioraldi@gmail.com>
+#
+# Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+import subprocess
+import sys
+import os
+import re
+
+# string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # future use
+
+with open(".clang-format") as f:
+    fmt = f.read()
+
+CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN")
+if CLANG_FORMAT_BIN is None:
+    o = 0
+    try:
+        p = subprocess.Popen(["clang-format-10", "--version"], stdout=subprocess.PIPE)
+        o, _ = p.communicate()
+        o = str(o, "utf-8")
+        o = re.sub(r".*ersion ", "", o)
+        #o = o[len("clang-format version "):].strip()
+        o = o[:o.find(".")]
+        o = int(o)
+    except:
+        print ("clang-format-10 is needed. Aborted.")
+        exit(1)
+    #if o < 7:
+    #    if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-7'
+    #    elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-8'
+    #    elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-9'
+    #    elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-10'
+    #    else:
+    #        print ("clang-format 7 or above is needed. Aborted.")
+    #        exit(1)
+    else:
+        CLANG_FORMAT_BIN = 'clang-format-10'
+            
+COLUMN_LIMIT = 80
+for line in fmt.split("\n"):
+    line = line.split(":")
+    if line[0].strip() == "ColumnLimit":
+        COLUMN_LIMIT = int(line[1].strip())
+
+
+def custom_format(filename):
+    p = subprocess.Popen([CLANG_FORMAT_BIN, filename], stdout=subprocess.PIPE)
+    src, _ = p.communicate()
+    src = str(src, "utf-8")
+
+    in_define = False
+    last_line = None
+    out = ""
+    
+    for line in src.split("\n"):
+        if line.lstrip().startswith("#"):
+            if line[line.find("#")+1:].lstrip().startswith("define"):
+                in_define = True
+        
+        if "/*" in line and not line.strip().startswith("/*") and line.endswith("*/") and len(line) < (COLUMN_LIMIT-2):
+            cmt_start = line.rfind("/*")
+            line = line[:cmt_start] + " " * (COLUMN_LIMIT-2 - len(line)) + line[cmt_start:]
+
+        define_padding = 0
+        if last_line is not None and in_define and last_line.endswith("\\"):
+            last_line = last_line[:-1]
+            define_padding = max(0, len(last_line[last_line.rfind("\n")+1:]))
+
+        if last_line is not None and last_line.strip().endswith("{") and line.strip() != "":
+            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
+        elif last_line is not None and last_line.strip().startswith("}") and line.strip() != "":
+            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
+        elif line.strip().startswith("}") and last_line is not None and last_line.strip() != "":
+            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
+
+        if not line.endswith("\\"):
+            in_define = False
+
+        out += line + "\n"
+        last_line = line
+
+    return (out)
+
+args = sys.argv[1:]
+if len(args) == 0:
+    print ("Usage: ./format.py [-i] <filename>")
+    print ()
+    print (" The -i option, if specified, let the script to modify in-place")
+    print (" the source files. By default the results are written to stdout.")
+    print()
+    exit(1)
+
+in_place = False
+if args[0] == "-i":
+    in_place = True
+    args = args[1:]
+
+for filename in args:
+    code = custom_format(filename)
+    if in_place:
+        with open(filename, "w") as f:
+            f.write(code)
+    else:
+        print(code)
+

.dockerignore

@@ -0,0 +1,65 @@
+.test
+.test2
+.sync_tmp
+*.o
+*.so
+*.pyc
+*.dSYM
+as
+ld
+in
+out
+core*
+afl-analyze
+afl-as
+afl-clang
+afl-clang\+\+
+afl-clang-fast
+afl-clang-fast\+\+
+afl-clang-lto
+afl-clang-lto\+\+
+afl-fuzz
+afl-g\+\+
+afl-gcc
+afl-gcc-fast
+afl-g\+\+-fast
+afl-gotcpu
+afl-ld
+afl-ld-lto
+afl-qemu-trace
+afl-showmap
+afl-tmin
+afl-analyze.8
+afl-as.8
+afl-clang-fast\+\+.8
+afl-clang-fast.8
+afl-clang-lto.8
+afl-clang-lto\+\+.8
+afl-cmin.8
+afl-cmin.bash.8
+afl-fuzz.8
+afl-gcc.8
+afl-gcc-fast.8
+afl-g\+\+-fast.8
+afl-gotcpu.8
+afl-plot.8
+afl-showmap.8
+afl-system-config.8
+afl-tmin.8
+afl-whatsup.8
+qemu_mode/libcompcov/compcovtest
+qemu_mode/qemu-*
+unicorn_mode/samples/*/\.test-*
+unicorn_mode/samples/*/output
+unicorn_mode/unicornafl
+test/unittests/unit_maybe_alloc
+test/unittests/unit_preallocable
+test/unittests/unit_list
+test/unittests/unit_rand
+test/unittests/unit_hash
+examples/afl_network_proxy/afl-network-server
+examples/afl_network_proxy/afl-network-client
+examples/afl_frida/afl-frida
+examples/afl_frida/libtestinstr.so
+examples/afl_frida/frida-gum-example.c
+examples/afl_frida/frida-gum.h

.gitignore

@@ -1,23 +1,69 @@
+.test
+.test2
+.sync_tmp
+.vscode
 *.o
 *.so
-.gitignore
+*.swp
+*.pyc
+*.dSYM
+as
+ld
+in
+out
+core*
+compile_commands.json
 afl-analyze
 afl-as
 afl-clang
 afl-clang++
 afl-clang-fast
 afl-clang-fast++
+afl-clang-lto
+afl-clang-lto++
 afl-fuzz
 afl-g++
 afl-gcc
 afl-gcc-fast
 afl-g++-fast
 afl-gotcpu
+afl-ld
+afl-ld-lto
 afl-qemu-trace
 afl-showmap
 afl-tmin
-as
-qemu_mode/qemu-3.1.0
-qemu_mode/qemu-3.1.0.tar.xz
-unicorn_mode/unicorn
-unicorn_mode/unicorn-*
+afl-analyze.8
+afl-as.8
+afl-clang-fast++.8
+afl-clang-fast.8
+afl-clang-lto.8
+afl-clang-lto++.8
+afl-cmin.8
+afl-cmin.bash.8
+afl-fuzz.8
+afl-gcc.8
+afl-g++.8
+afl-gcc-fast.8
+afl-g++-fast.8
+afl-gotcpu.8
+afl-plot.8
+afl-showmap.8
+afl-system-config.8
+afl-tmin.8
+afl-whatsup.8
+qemu_mode/libcompcov/compcovtest
+qemu_mode/qemu-*
+unicorn_mode/samples/*/\.test-*
+unicorn_mode/samples/*/output/
+unicorn_mode/unicornafl
+test/unittests/unit_maybe_alloc
+test/unittests/unit_preallocable
+test/unittests/unit_list
+test/unittests/unit_rand
+test/unittests/unit_hash
+examples/afl_network_proxy/afl-network-server
+examples/afl_network_proxy/afl-network-client
+examples/afl_frida/afl-frida
+examples/afl_frida/libtestinstr.so
+examples/afl_frida/frida-gum-example.c
+examples/afl_frida/frida-gum.h

.gitmodules

@@ -0,0 +1,7 @@
+[submodule "unicorn_mode/unicornafl"]
+	path = unicorn_mode/unicornafl
+	url = https://github.com/AFLplusplus/unicornafl
+
+[submodule "custom_mutators/Grammar-Mutator"]
+	path = custom_mutators/Grammar-Mutator
+	url = https://github.com/AFLplusplus/Grammar-Mutator

.travis.yml

@@ -1,11 +1,60 @@
 language: c
 
+sudo: required
+
+branches:
+  only:
+    - stable
+    - dev
+    - llvm_merge
+
+matrix:
+  include:
+#  - os: linux	# focal errors every run with a timeout while installing packages
+#    dist: focal
+#    env: NAME="focal-amd64" MODERN="yes" GCC="9"
+  - os: linux
+    dist: bionic
+    env: NAME="bionic-amd64" MODERN="yes" GCC="7"
+  - os: linux
+    dist: xenial
+    env: NAME="xenial-amd64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0"
+  - os: linux
+    dist: trusty
+    env: NAME="trusty-amd64" MODERN="no" GCC="4.8"
+#  - os: linux # until travis can fix this!
+#    dist: xenial
+#    arch: arm64
+#    env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
+#  - os: osx
+#    osx_image: xcode11.2
+#    env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple"
+
+jobs:
+  allow_failures:
+    - os: osx
+    - arch: arm64
+
 env:
   - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1
+ # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_EXIT_WHEN_DONE=1
+ # TODO: test AFL_BENCH_UNTIL_CRASH once we have a target that crashes
+ # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_BENCH_JUST_ONE=1
+
+before_install:
+  # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE}
+  - echo Testing on $NAME
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi
+  - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0-0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev python3-setuptools ; fi
+  - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev python3-setuptools ; fi
 
 script:
-  - make
-  - ./afl-gcc ./test-instr.c -o test-instr
-  - mkdir seeds; mkdir out
-  - echo "" > seeds/nil_seed
-  - timeout --preserve-status 5s ./afl-fuzz -i seeds -o out/ -- ./test-instr
+  - gcc -v
+  - clang -v
+  - sudo -E ./afl-system-config
+  - sudo sysctl -w kernel.shmmax=10000000000
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then export LLVM_CONFIG=`pwd`/"$NAME" ; make source-only ASAN_BUILD=1 ; fi
+  - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi
+  - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
+  - make tests
+#  - travis_terminate 0

Android.bp

@@ -0,0 +1,141 @@
+cc_defaults {
+  name: "afl-defaults",
+
+  cflags: [
+    "-funroll-loops",
+    "-Wno-pointer-sign",
+    "-Wno-pointer-arith",
+    "-Wno-sign-compare",
+    "-Wno-unused-parameter",
+    "-Wno-unused-function",
+    "-Wno-format",
+    "-Wno-user-defined-warnings",
+    "-DUSE_TRACE_PC=1",
+    "-DBIN_PATH=\"out/host/linux-x86/bin\"",
+    "-DDOC_PATH=\"out/host/linux-x86/shared/doc/afl\"",
+    "-D__USE_GNU",
+  ],
+}
+
+cc_binary {
+  name: "afl-fuzz",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-fuzz.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-showmap",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-showmap.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-tmin",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-tmin.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-analyze",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-analyze.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-gotcpu",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-gotcpu.c",
+  ],
+}
+
+cc_binary_host {
+  name: "afl-clang-fast",
+  static_executable: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-D__ANDROID__",
+    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-clang-fast.c",
+  ],
+}
+
+cc_binary_host {
+  name: "afl-clang-fast++",
+  static_executable: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-D__ANDROID__",
+    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-clang-fast.c",
+  ],
+}
+
+cc_library_static {
+  name: "afl-llvm-rt",
+  compile_multilib: "both",
+  vendor_available: true,
+  host_supported: true,
+  recovery_available: true,
+  sdk_version: "9",
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-llvm-rt.o.c",
+  ],
+}

Android.mk

@@ -0,0 +1 @@
+Makefile

CONTRIBUTING.md

@@ -0,0 +1,24 @@
+# How to submit a Pull Request to AFLplusplus
+
+All contributions (pull requests) must be made against our `dev` branch.
+
+Each modified source file, before merging, must be formatted.
+
+```
+make code-format
+```
+
+This should be fine if you modified one of the files already present in the
+project, or added a file in a directory we already format, otherwise run:
+
+```
+./.custom-format.py -i file-that-you-have-created.c
+```
+
+Regarding the coding style, please follow the AFL style.
+No camel case at all and use the AFL's macros wherever possible 
+(e.g. WARNF, FATAL, MAP_SIZE, ...).
+
+Remember that AFLplusplus has to build and run on many platforms, so
+generalize your Makefiles/GNUmakefile (or your patches to our pre-existing
+Makefiles) to be as much generic as possible.

Changelog

@@ -1 +0,0 @@
-docs/ChangeLog

Changelog.md

@@ -0,0 +1 @@
+docs/Changelog.md

Dockerfile

@@ -0,0 +1,64 @@
+#
+# This Dockerfile for AFLplusplus uses Ubuntu 20.04 focal and
+# installs LLVM 11 from llvm.org for afl-clang-lto support :-)
+# It also installs gcc/g++ 10 from the Ubuntu development platform
+# has focal has gcc-10 but not g++-10 ...
+#
+
+FROM ubuntu:20.04 AS aflplusplus
+MAINTAINER afl++ team <afl@aflplus.plus>
+LABEL "about"="AFLplusplus docker image"
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get upgrade -y && \
+    apt-get -y install --no-install-suggests --no-install-recommends \
+    automake \
+    bison flex \
+    build-essential \
+    git \
+    python3 python3-dev python3-setuptools python-is-python3 \
+    libtool libtool-bin \
+    libglib2.0-dev \
+    wget vim jupp nano bash-completion \
+    apt-utils apt-transport-https ca-certificates gnupg dialog \
+    libpixman-1-dev
+
+RUN echo deb http://apt.llvm.org/focal/ llvm-toolchain-focal-11 main >> /etc/apt/sources.list && \
+    wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - 
+  
+RUN echo deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal main >> /etc/apt/sources.list && \
+    apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1E9377A2BA9EF27F
+    
+RUN apt-get update && apt-get upgrade -y
+
+RUN apt-get install -y gcc-10 g++-10 gcc-10-plugin-dev gcc-10-multilib \
+    libc++-10-dev gdb lcov
+
+RUN apt-get install -y clang-11 clang-tools-11 libc++1-11 libc++-11-dev \
+    libc++abi1-11 libc++abi-11-dev libclang1-11 libclang-11-dev \
+    libclang-common-11-dev libclang-cpp11 libclang-cpp11-dev liblld-11 \
+    liblld-11-dev liblldb-11 liblldb-11-dev libllvm11 libomp-11-dev \
+    libomp5-11 lld-11 lldb-11 llvm-11 llvm-11-dev llvm-11-runtime llvm-11-tools
+
+RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 0
+RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 0
+
+RUN rm -rf /var/cache/apt/archives/*
+
+ENV LLVM_CONFIG=llvm-config-11
+ENV AFL_SKIP_CPUFREQ=1
+
+RUN git clone https://github.com/vanhauser-thc/afl-cov /afl-cov
+RUN cd /afl-cov && make install && cd ..
+
+COPY . /AFLplusplus
+WORKDIR /AFLplusplus
+
+RUN export REAL_CXX=g++-10 && export CC=gcc-10 && \
+    export CXX=g++-10 && make clean && \
+    make distrib && make install && make clean
+
+RUN echo 'alias joe="jupp --wordwrap"' >> ~/.bashrc
+RUN echo 'export PS1="[afl++]$PS1"' >> ~/.bashrc
+ENV IS_DOCKER="1"

GNUmakefile

@@ -0,0 +1,621 @@
+#
+# american fuzzy lop++ - makefile
+# -----------------------------
+#
+# Originally written by Michal Zalewski
+#
+# Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+# For Heiko:
+#TEST_MMAP=1
+# the hash character is treated differently in different make versions
+# so use a variable for '#'
+HASH=\#
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+DOC_PATH    = $(PREFIX)/share/doc/afl
+MISC_PATH   = $(PREFIX)/share/afl
+MAN_PATH    = $(PREFIX)/share/man/man8
+
+PROGNAME    = afl
+VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
+
+# PROGS intentionally omit afl-as, which gets installed elsewhere.
+
+PROGS       = afl-gcc afl-g++ afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
+SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config
+MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
+
+ifeq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
+ ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto=full
+ else
+  ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=thin -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto=thin
+  else
+   ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto
+   endif
+  endif
+ endif
+endif
+
+ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -fno-move-loop-invariants -fdisable-tree-cunrolli -x c - -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	SPECIAL_PERFORMANCE += -fno-move-loop-invariants -fdisable-tree-cunrolli
+endif
+
+ifneq "$(shell uname)" "Darwin"
+ ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+   ifndef SOURCE_DATE_EPOCH
+ 	#CFLAGS_OPT += -march=native
+ 	SPECIAL_PERFORMANCE += -march=native
+   endif
+ endif
+ # OS X does not like _FORTIFY_SOURCE=2
+ # _FORTIFY_SOURCE=2 does not like -O0
+ ifndef DEBUG
+  CFLAGS_OPT += -D_FORTIFY_SOURCE=2
+ endif
+endif
+
+ifeq "$(shell uname)" "SunOS"
+ CFLAGS_OPT += -Wno-format-truncation
+ LDFLAGS=-lkstat -lrt
+endif
+
+ifdef STATIC
+  $(info Compiling static version of binaries, disabling python though)
+  # Disable python for static compilation to simplify things
+  PYTHON_OK=0
+  PYFLAGS=
+  PYTHON_INCLUDE=/
+
+  CFLAGS_OPT += -static
+  LDFLAGS += -lm -lpthread -lz -lutil
+endif
+
+ifdef PROFILING
+  $(info Compiling with profiling information, for analysis: gprof ./afl-fuzz gmon.out > prof.txt)
+  CFLAGS_OPT += -pg -DPROFILING=1
+  LDFLAGS += -pg
+endif
+
+ifneq "$(shell uname -m)" "x86_64"
+ ifneq "$(patsubst i%86,i386,$(shell uname -m))" "i386"
+  ifneq "$(shell uname -m)" "amd64"
+   ifneq "$(shell uname -m)" "i86pc"
+	AFL_NO_X86=1
+   endif
+  endif
+ endif
+endif
+
+ifdef DEBUG
+  $(info Compiling DEBUG version of binaries)
+  CFLAGS += -ggdb3 -O0 -Wall -Wextra -Werror
+else
+  CFLAGS     ?= -O3 -funroll-loops $(CFLAGS_OPT)
+endif
+
+override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \
+			  -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \
+			  -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\"
+
+ifeq "$(shell uname -s)" "FreeBSD"
+  override CFLAGS  += -I /usr/local/include/
+  LDFLAGS += -L /usr/local/lib/
+endif
+
+ifeq "$(shell uname -s)" "DragonFly"
+  override CFLAGS  += -I /usr/local/include/
+  LDFLAGS += -L /usr/local/lib/
+endif
+
+ifeq "$(shell uname -s)" "OpenBSD"
+  override CFLAGS  += -I /usr/local/include/ -mno-retpoline
+  LDFLAGS += -Wl,-z,notext -L /usr/local/lib/
+endif
+
+ifeq "$(shell uname -s)" "NetBSD"
+  override CFLAGS  += -I /usr/pkg/include/
+  LDFLAGS += -L /usr/pkg/lib/
+endif
+
+ifeq "$(shell uname -s)" "Haiku"
+  SHMAT_OK=0
+  override CFLAGS  += -DUSEMMAP=1 -Wno-error=format -fPIC
+  LDFLAGS += -Wno-deprecated-declarations -lgnu
+  SPECIAL_PERFORMANCE += -DUSEMMAP=1
+endif
+
+AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c)
+
+ifneq "$(shell command -v python3m 2>/dev/null)" ""
+  ifneq "$(shell command -v python3m-config 2>/dev/null)" ""
+    PYTHON_INCLUDE  ?= $(shell python3m-config --includes)
+    PYTHON_VERSION  ?= $(strip $(shell python3m --version 2>&1))
+    # Starting with python3.8, we need to pass the `embed` flag. Earlier versions didn't know this flag.
+    ifeq "$(shell python3m-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
+      PYTHON_LIB      ?= $(shell python3m-config --libs --embed --ldflags)
+    else
+      PYTHON_LIB      ?= $(shell python3m-config --ldflags)
+    endif
+  endif
+endif
+
+ifeq "$(PYTHON_INCLUDE)" ""
+  ifneq "$(shell command -v python3 2>/dev/null)" ""
+    ifneq "$(shell command -v python3-config 2>/dev/null)" ""
+      PYTHON_INCLUDE  ?= $(shell python3-config --includes)
+      PYTHON_VERSION  ?= $(strip $(shell python3 --version 2>&1))
+      # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag.
+      ifeq "$(shell python3-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
+        PYTHON_LIB      ?= $(shell python3-config --libs --embed --ldflags)
+      else
+        PYTHON_LIB      ?= $(shell python3-config --ldflags)
+      endif
+    endif
+  endif
+endif
+
+ifeq "$(PYTHON_INCLUDE)" ""
+  ifneq "$(shell command -v python 2>/dev/null)" ""
+    ifneq "$(shell command -v python-config 2>/dev/null)" ""
+      PYTHON_INCLUDE  ?= $(shell python-config --includes)
+      PYTHON_LIB      ?= $(shell python-config --ldflags)
+      PYTHON_VERSION  ?= $(strip $(shell python --version 2>&1))
+    endif
+  endif
+endif
+
+# Old Ubuntu and others dont have python/python3-config so we hardcode 3.7
+ifeq "$(PYTHON_INCLUDE)" ""
+  ifneq "$(shell command -v python3.7 2>/dev/null)" ""
+    ifneq "$(shell command -v python3.7-config 2>/dev/null)" ""
+      PYTHON_INCLUDE  ?= $(shell python3.7-config --includes)
+      PYTHON_LIB      ?= $(shell python3.7-config --ldflags)
+      PYTHON_VERSION  ?= $(strip $(shell python3.7 --version 2>&1))
+    endif
+  endif
+endif
+
+# Old Ubuntu and others dont have python/python2-config so we hardcode 2.7
+ifeq "$(PYTHON_INCLUDE)" ""
+  ifneq "$(shell command -v python2.7 2>/dev/null)" ""
+    ifneq "$(shell command -v python2.7-config 2>/dev/null)" ""
+      PYTHON_INCLUDE  ?= $(shell python2.7-config --includes)
+      PYTHON_LIB      ?= $(shell python2.7-config --ldflags)
+      PYTHON_VERSION  ?= $(strip $(shell python2.7 --version 2>&1))
+    endif
+  endif
+endif
+
+ifdef SOURCE_DATE_EPOCH
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
+else
+    BUILD_DATE ?= $(shell date "+%Y-%m-%d")
+endif
+
+ifneq "$(filter Linux GNU%,$(shell uname))" ""
+ # _FORTIFY_SOURCE=2 does not like -O0
+ ifndef DEBUG
+  override CFLAGS += -D_FORTIFY_SOURCE=2
+ endif
+  LDFLAGS += -ldl -lrt
+endif
+
+ifneq "$(findstring FreeBSD, $(shell uname))" ""
+  override CFLAGS  += -pthread
+  LDFLAGS += -lpthread
+endif
+
+ifneq "$(findstring NetBSD, $(shell uname))" ""
+  override CFLAGS  += -pthread
+  LDFLAGS += -lpthread
+endif
+
+ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+  TEST_CC  = afl-gcc
+else
+  TEST_CC  = afl-clang
+endif
+
+COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h
+
+ifeq "$(shell echo '$(HASH)include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	PYTHON_OK=1
+	PYFLAGS=-DUSE_PYTHON $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) -DPYTHON_VERSION="\"$(PYTHON_VERSION)\""
+else
+	PYTHON_OK=0
+	PYFLAGS=
+endif
+
+ifdef NO_PYTHON
+	PYTHON_OK=0
+	PYFLAGS=
+endif
+
+IN_REPO=0
+ifeq "$(shell command -v git >/dev/null && git status >/dev/null 2>&1 && echo 1 || echo 0)" "1"
+  IN_REPO=1
+endif
+ifeq "$(shell command -v svn >/dev/null && svn proplist . 2>/dev/null && echo 1 || echo 0)" "1"
+  IN_REPO=1
+endif
+
+ifeq "$(shell echo 'int main() { return 0;}' | $(CC) $(CFLAGS) -fsanitize=address -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+	ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
+	ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
+endif
+
+ifdef ASAN_BUILD
+  $(info Compiling ASAN version of binaries)
+  override CFLAGS+=$(ASAN_CFLAGS)
+  LDFLAGS+=$(ASAN_LDFLAGS)
+endif
+
+ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+	SHMAT_OK=1
+else
+	SHMAT_OK=0
+	override CFLAGS+=-DUSEMMAP=1
+	LDFLAGS += -Wno-deprecated-declarations
+endif
+
+ifdef TEST_MMAP
+	SHMAT_OK=0
+	override CFLAGS += -DUSEMMAP=1
+	LDFLAGS += -Wno-deprecated-declarations
+endif
+
+all:	test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done
+
+man:    afl-gcc all $(MANPAGES)
+
+tests:	source-only
+	@cd test ; ./test-all.sh
+	@rm -f test/errors
+
+performance-tests:	performance-test
+test-performance:	performance-test
+
+performance-test:	source-only
+	@cd test ; ./test-performance.sh
+
+
+# hint: make targets are also listed in the top level README.md
+help:
+	@echo "HELP --- the following make targets exist:"
+	@echo "=========================================="
+	@echo "all: just the main afl++ binaries"
+	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap"
+	@echo "source-only: everything for source code fuzzing: llvm_mode, gcc_plugin, libdislocator, libtokencap"
+	@echo "distrib: everything (for both binary-only and source code fuzzing)"
+	@echo "man: creates simple man pages from the help option of the programs"
+	@echo "install: installs everything you have compiled with the build option above"
+	@echo "clean: cleans everything compiled (not downloads when on a checkout)"
+	@echo "deepclean: cleans everything including downloads"
+	@echo "code-format: format the code, do this before you commit and send a PR please!"
+	@echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
+	@echo "unit: perform unit tests (based on cmocka and GNU linker)"
+	@echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
+	@echo "help: shows these build options :-)"
+	@echo "=========================================="
+	@echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
+	@echo
+	@echo Known build environment options:
+	@echo "=========================================="
+	@echo STATIC - compile AFL++ static
+	@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
+	@echo DEBUG - no optimization, -ggdb3, all warnings and -Werror
+	@echo PROFILING - compile afl-fuzz with profiling information
+	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
+	@echo "=========================================="
+	@echo e.g.: make ASAN_BUILD=1
+
+ifndef AFL_NO_X86
+
+test_x86:
+	@echo "[*] Checking for the default compiler cc..."
+	@type $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 )
+	@echo "[*] Testing the PATH environment variable..."
+	@test "$${PATH}" != "$${PATH#.:}" && { echo "Please remove current directory '.' from PATH to avoid recursion of 'as', thanks!"; echo; exit 1; } || :
+	@echo "[*] Checking for the ability to compile x86 code..."
+	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) $(CFLAGS) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
+	@rm -f .test1
+
+else
+
+test_x86:
+	@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
+
+endif
+
+
+ifeq "$(SHMAT_OK)" "1"
+
+test_shm:
+	@echo "[+] shmat seems to be working."
+	@rm -f .test2
+
+else
+
+test_shm:
+	@echo "[-] shmat seems not to be working, switching to mmap implementation"
+
+endif
+
+
+ifeq "$(PYTHON_OK)" "1"
+
+test_python:
+	@rm -f .test 2> /dev/null
+	@echo "[+] $(PYTHON_VERSION) support seems to be working."
+
+else
+
+test_python:
+	@echo "[-] You seem to need to install the package python3-dev, python2-dev or python-dev (and perhaps python[23]-apt), but it is optional so we continue"
+
+endif
+
+
+ready:
+	@echo "[+] Everything seems to be working, ready to compile."
+
+afl-g++: afl-gcc
+
+afl-gcc: src/afl-gcc.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(CPPFLAGS) src/$@.c -o $@ $(LDFLAGS)
+	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
+
+afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(CPPFLAGS) src/$@.c -o $@ $(LDFLAGS)
+	ln -sf afl-as as
+
+src/afl-performance.o : $(COMM_HDR) src/afl-performance.c include/hash.h
+	$(CC) $(CFLAGS) $(CPPFLAGS) -Iinclude $(SPECIAL_PERFORMANCE) -O3 -fno-unroll-loops -c src/afl-performance.c -o src/afl-performance.o
+
+src/afl-common.o : $(COMM_HDR) src/afl-common.c include/common.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(CPPFLAGS) -c src/afl-common.c -o src/afl-common.o
+
+src/afl-forkserver.o : $(COMM_HDR) src/afl-forkserver.c include/forkserver.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(CPPFLAGS) -c src/afl-forkserver.c -o src/afl-forkserver.o
+
+src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(CPPFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
+
+afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) $(CPPFLAGS) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS)
+
+afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(CPPFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+
+afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(CPPFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
+
+afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(CPPFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o -o $@ $(LDFLAGS)
+
+afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(CPPFLAGS) src/$@.c src/afl-common.o -o $@ $(LDFLAGS)
+
+
+# document all mutations and only do one run (use with only one input file!)
+document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86
+	$(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) $(CPPFLAGS) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS)
+
+test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES)
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CPPFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o
+
+unit_maybe_alloc: test/unittests/unit_maybe_alloc.o
+	@$(CC) $(CFLAGS) $(CPPFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_maybe_alloc
+
+test/unittests/unit_hash.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_hash.c $(AFL_FUZZ_FILES) src/afl-performance.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CPPFLAGS) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o
+
+unit_hash: test/unittests/unit_hash.o src/afl-performance.o
+	@$(CC) $(CFLAGS) $(CPPFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_hash
+
+test/unittests/unit_rand.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_rand.c $(AFL_FUZZ_FILES) src/afl-performance.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CPPFLAGS) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o
+
+unit_rand: test/unittests/unit_rand.o src/afl-common.o src/afl-performance.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CPPFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_rand
+
+test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES)
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CPPFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o
+
+unit_list: test/unittests/unit_list.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CPPFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_list
+
+test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES)
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CPPFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o
+
+unit_preallocable: test/unittests/unit_preallocable.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CPPFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_preallocable
+
+unit_clean:
+	@rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o
+
+ifneq "$(shell uname)" "Darwin"
+
+unit: unit_maybe_alloc unit_preallocable unit_list unit_clean unit_rand unit_hash
+
+else
+
+unit:
+	@echo [-] unit tests are skipped on Darwin \(lacks GNU linker feature --wrap\)
+
+endif
+
+code-format:
+	./.custom-format.py -i src/*.c
+	./.custom-format.py -i include/*.h
+	./.custom-format.py -i libdislocator/*.c
+	./.custom-format.py -i libtokencap/*.c
+	./.custom-format.py -i llvm_mode/*.c
+	./.custom-format.py -i llvm_mode/*.h
+	./.custom-format.py -i llvm_mode/*.cc
+	./.custom-format.py -i gcc_plugin/*.c
+	@#./.custom-format.py -i gcc_plugin/*.h
+	./.custom-format.py -i gcc_plugin/*.cc
+	./.custom-format.py -i custom_mutators/*/*.c
+	@#./.custom-format.py -i custom_mutators/*/*.h # destroys input.h :-(
+	./.custom-format.py -i examples/*/*.c
+	./.custom-format.py -i examples/*/*.h
+	./.custom-format.py -i test/*.c
+	./.custom-format.py -i qemu_mode/patches/*.h
+	./.custom-format.py -i qemu_mode/libcompcov/*.c
+	./.custom-format.py -i qemu_mode/libcompcov/*.cc
+	./.custom-format.py -i qemu_mode/libcompcov/*.h
+	./.custom-format.py -i qbdi_mode/*.c
+	./.custom-format.py -i qbdi_mode/*.cpp
+	./.custom-format.py -i *.h
+	./.custom-format.py -i *.c
+
+
+ifndef AFL_NO_X86
+
+test_build: afl-gcc afl-as afl-showmap
+	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	@unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_DEBUG=1 AFL_INST_RATIO=100 AFL_AS_FORCE_INSTRUMENT=1 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) 2>&1 | grep 'afl-as' >/dev/null || (echo "Oops, afl-as did not get called from "$(TEST_CC)". This is normally achieved by "$(CC)" honoring the -B option."; exit 1 )
+	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
+	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
+	@echo "[+] All right, the instrumentation seems to be working!"
+
+else
+
+test_build: afl-gcc afl-as afl-showmap
+	@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
+
+endif
+
+
+all_done: test_build
+	@if [ ! "`type clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi
+	@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
+	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
+	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null
+
+.NOTPARALLEL: clean all
+
+clean:
+	rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-*
+	rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM
+	-$(MAKE) -C llvm_mode clean
+	-$(MAKE) -C gcc_plugin clean
+	$(MAKE) -C libdislocator clean
+	$(MAKE) -C libtokencap clean
+	$(MAKE) -C examples/afl_network_proxy clean
+	$(MAKE) -C examples/socket_fuzzing clean
+	$(MAKE) -C examples/argv_fuzzing clean
+	$(MAKE) -C qemu_mode/unsigaction clean
+	$(MAKE) -C qemu_mode/libcompcov clean
+	rm -rf qemu_mode/qemu-3.1.1
+ifeq "$(IN_REPO)" "1"
+	test -e unicorn_mode/unicornafl/Makefile && $(MAKE) -C unicorn_mode/unicornafl clean || true
+else
+	rm -rf qemu_mode/qemu-3.1.1.tar.xz
+	rm -rf unicorn_mode/unicornafl
+endif
+
+deepclean:	clean
+	rm -rf qemu_mode/qemu-3.1.1.tar.xz
+	rm -rf unicorn_mode/unicornafl
+	git reset --hard >/dev/null 2>&1 || true
+
+distrib: all
+	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap
+	$(MAKE) -C examples/afl_network_proxy
+	$(MAKE) -C examples/socket_fuzzing
+	$(MAKE) -C examples/argv_fuzzing
+	-cd qemu_mode && sh ./build_qemu_support.sh
+	cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+
+binary-only: all
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap
+	$(MAKE) -C examples/afl_network_proxy
+	$(MAKE) -C examples/socket_fuzzing
+	$(MAKE) -C examples/argv_fuzzing
+	-cd qemu_mode && sh ./build_qemu_support.sh
+	cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+
+source-only: all
+	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap
+	@#$(MAKE) -C examples/afl_network_proxy
+	@#$(MAKE) -C examples/socket_fuzzing
+	@#$(MAKE) -C examples/argv_fuzzing
+
+%.8:	%
+	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
+	@echo .SH NAME >> $@
+	@printf "%s" ".B $* \- " >> $@
+	@./$* -h 2>&1 | head -n 1 | sed -e "s/$$(printf '\e')[^m]*m//g" >> $@
+	@echo >> $@
+	@echo .SH SYNOPSIS >> $@
+	@./$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> $@
+	@echo >> $@
+	@echo .SH OPTIONS >> $@
+	@echo .nf >> $@
+	@./$* -hh 2>&1 | tail -n +4 >> $@
+	@echo >> $@
+	@echo .SH AUTHOR >> $@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com>" >> $@
+	@echo  The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> $@
+	@echo >> $@
+	@echo .SH LICENSE >> $@
+	@echo Apache License Version 2.0, January 2004 >> $@
+
+install: all $(MANPAGES)
+	install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
+	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
+	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
+	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
+	if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-clang-fast ]; then $(MAKE) -C llvm_mode install; fi
+	if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
+	if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C examples/socket_fuzzing install; fi
+	if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C examples/argv_fuzzing install; fi
+	if [ -f examples/afl_network_proxy/afl-network-server ]; then $(MAKE) -C examples/afl_network_proxy install; fi
+	if [ -f libAFLDriver.a ]; then install -m 644 libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libAFLQemuDriver.a ]; then install -m 644 libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi
+
+	set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g++
+	set -e; if [ -f afl-clang-fast ] ; then ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi
+
+	mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
+	install -m0644 *.8 ${DESTDIR}$(MAN_PATH)
+
+	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
+	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
+	install -m 644 docs/*.md $${DESTDIR}$(DOC_PATH)
+	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
+	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)

Makefile

@@ -1,230 +1,42 @@
-#
-# american fuzzy lop - makefile
-# -----------------------------
-#
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
-# 
-# Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
-# 
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-# 
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
+all:
+	@echo trying to use GNU make...
+	@gmake all || echo please install GNUmake
 
-# For Heiko:
-#TEST_MMAP=1
+source-only:
+	@gmake source-only
 
-PROGNAME    = afl
-VERSION     = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2)
+binary-only:
+	@gmake binary-only
 
-PREFIX     ?= /usr/local
-BIN_PATH    = $(PREFIX)/bin
-HELPER_PATH = $(PREFIX)/lib/afl
-DOC_PATH    = $(PREFIX)/share/doc/afl
-MISC_PATH   = $(PREFIX)/share/afl
+distrib:
+	@gmake distrib
 
-# PROGS intentionally omit afl-as, which gets installed elsewhere.
+man:
+	@gmake man
 
-PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
-SH_PROGS    = afl-plot afl-cmin afl-whatsup afl-system-config
+install:
+	@gmake install
 
-CFLAGS     ?= -O3 -funroll-loops
-CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-	      -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
-	      -DBIN_PATH=\"$(BIN_PATH)\"
+document:
+	@gmake document
 
-PYTHON_INCLUDE	?= /usr/include/python2.7
+deepclean:
+	@gmake deepclean
 
-ifneq "$(filter Linux GNU%,$(shell uname))" ""
-  LDFLAGS  += -ldl
-endif
+code-format:
+	@gmake code-format
 
-ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
-  TEST_CC   = afl-gcc
-else
-  TEST_CC   = afl-clang
-endif
+help:
+	@gmake help
 
-COMM_HDR    = alloc-inl.h config.h debug.h types.h
+tests:
+	@gmake tests
 
+unit:
+	@gmake unit
 
-ifeq "$(shell echo '\#include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) -x c - -o .test -I$(PYTHON_INCLUDE) -lpython2.7 2>/dev/null && echo 1 || echo 0 )" "1"
-	PYTHON_OK=1
-	PYFLAGS=-DUSE_PYTHON -I$(PYTHON_INCLUDE) -lpython2.7
-else
-	PYTHON_OK=0
-	PYFLAGS=
-endif
-
-
-ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1"
-	SHMAT_OK=1
-else
-	SHMAT_OK=0
-	CFLAGS+=-DUSEMMAP=1
-	LDFLAGS+=-Wno-deprecated-declarations -lrt
-endif
-
-ifeq "$(TEST_MMAP)" "1"
-	SHMAT_OK=0
-	CFLAGS+=-DUSEMMAP=1
-	LDFLAGS+=-Wno-deprecated-declarations -lrt
-endif
-
-
-all:	test_x86 test_shm test_python27 ready $(PROGS) afl-as test_build all_done
-
-
-ifndef AFL_NO_X86
-
-test_x86:
-	@echo "[*] Checking for the ability to compile x86 code..."
-	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
-	@rm -f .test1
-
-else
-
-test_x86:
-	@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
-
-endif
-
-
-ifeq "$(SHMAT_OK)" "1"
-
-test_shm:
-	@echo "[+] shmat seems to be working."
-	@rm -f .test2
-
-else
-
-test_shm:
-	@echo "[-] shmat seems not to be working, switching to mmap implementation"
-
-endif
-
-
-ifeq "$(PYTHON_OK)" "1"
-
-test_python27:
-	@rm -f .test 2> /dev/null
-	@echo "[+] Python 2.7 support seems to be working."
-
-else
-
-test_python27:
-	@echo "[-] You seem to need to install the package python2.7-dev, but it is optional so we continue"
-
-endif
-
-
-ready:
-	@echo "[+] Everything seems to be working, ready to compile."
-
-afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
-	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
-
-afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
-	ln -sf afl-as as
-
-afl-common.o : afl-common.c
-	$(CC) $(CFLAGS) -c afl-common.c
-
-sharedmem.o : sharedmem.c
-	$(CC) $(CFLAGS) -c sharedmem.c
-
-afl-fuzz: afl-fuzz.c afl-common.o sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c afl-common.o sharedmem.o -o $@ $(LDFLAGS) $(PYFLAGS)
-
-afl-showmap: afl-showmap.c afl-common.o sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c afl-common.o sharedmem.o -o $@ $(LDFLAGS)
-
-afl-tmin: afl-tmin.c afl-common.o sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c afl-common.o sharedmem.o -o $@ $(LDFLAGS)
-
-afl-analyze: afl-analyze.c afl-common.o sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c afl-common.o sharedmem.o -o $@ $(LDFLAGS)
-
-afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
-
-
-ifndef AFL_NO_X86
-
-test_build: afl-gcc afl-as afl-showmap
-	@echo "[*] Testing the CC wrapper and instrumentation output..."
-	unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
-	echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
-	echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
-	@rm -f test-instr
-	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
-	@echo "[+] All right, the instrumentation seems to be working!"
-
-else
-
-test_build: afl-gcc afl-as afl-showmap
-	@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
-
-endif
-
-
-all_done: test_build
-	@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
-	@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
-	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
-	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
-
-.NOTPARALLEL: clean
+unit_clean:
+	@gmake unit_clean
 
 clean:
-	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.0.tar.xz afl-qemu-trace afl-gcc-fast  afl-gcc-pass.so  afl-gcc-rt.o  afl-g++-fast
-	rm -rf out_dir qemu_mode/qemu-3.1.0
-	$(MAKE) -C llvm_mode clean
-	$(MAKE) -C libdislocator clean
-	$(MAKE) -C libtokencap clean
-
-install: all
-	mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
-	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
-	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
-	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
-	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
-	#if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
-ifndef AFL_TRACE_PC
-	if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
-else
-	if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
-endif
-	if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f compare-transform-pass.so ]; then set -e; install -m 755 compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f split-compares-pass.so ]; then set -e; install -m 755 split-compares-pass.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f split-switches-pass.so ]; then set -e; install -m 755 split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi
-
-	set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g++
-	set -e; if [ -f afl-clang-fast ] ; then ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi
-
-	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
-	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
-	install -m 644 docs/README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
-	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
-	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
-
-publish: clean
-#	test "`basename $$PWD`" = "afl" || exit 1
-#	test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
-#	cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
-#	  tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
-#	chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
-#	( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
-#	cat docs/README.md >~/www/afl/README.txt
-#	cat docs/status_screen.txt >~/www/afl/status_screen.txt
-#	cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
-#	cat docs/technical_details.txt >~/www/afl/technical_details.txt
-#	cat docs/ChangeLog >~/www/afl/ChangeLog.txt
-#	cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
-#	echo -n "$(VERSION)" >~/www/afl/version.txt
+	@gmake clean

PATCHES

@@ -1 +0,0 @@
-docs/PATCHES

QuickStartGuide.md

@@ -0,0 +1 @@
+docs/QuickStartGuide.md

QuickStartGuide.txt

@@ -1 +0,0 @@
-docs/QuickStartGuide.txt

TODO

@@ -1,34 +0,0 @@
-Roadmap 2.53d:
-==============
- - indent all the code: clang-format -style=Google
-
- - update docs/sister_projects.txt
-
-afl-fuzz:
- - put mutator, scheduler, forkserver and input channels in individual files
- - reuse forkserver for showmap, afl-cmin, etc.
-
-gcc_plugin:
- - needs to be rewritten
- - fix crashes when compiling :(
- - whitelist support
- - skip over uninteresting blocks
- - laf-intel
- - neverZero
-
-qemu_mode:
- - deferred mode with AFL_DEFERRED_QEMU=0xaddress
-
-unit testing / or large testcase campaign
-
-
-Roadmap 2.54d:
-==============
- - expand MAP size to 256k (current L2 cache size on processors)
-   -> 18 bit map
- - llvm_mode: dynamic map size and collission free basic block IDs
-
-qemu_mode:
- - persistent mode patching the return address (WinAFL style)
- - instrument only comparison with immediate values by default when using compcov
-

TODO.md

@@ -0,0 +1,42 @@
+# TODO list for AFL++
+
+## Roadmap 2.68+
+
+ - AFL_MAP_SIZE for qemu_mode and unicorn_mode
+ - CPU affinity for many cores? There seems to be an issue > 96 cores
+ - afl-plot to support multiple plot_data
+ - afl_custom_fuzz_splice_optin()
+ - intel-pt tracer
+
+## Further down the road
+
+afl-fuzz:
+ - setting min_len/max_len/start_offset/end_offset limits for mutation output
+ - add __sanitizer_cov_trace_cmp* support via shmem
+
+llvm_mode:
+ - add __sanitizer_cov_trace_cmp* support
+
+gcc_plugin:
+ - (wait for submission then decide)
+
+qemu_mode:
+ - non colliding instrumentation
+ - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END,
+   AFL_COMPCOV_LEVEL?)
+ - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as we have
+   persistent mode
+ - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM
+ - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses
+
+## Ideas
+
+ - LTO/sancov: write current edge to prev_loc and use that information when
+   using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow
+   up edge numbers that both following cmp paths have been found and then
+   disable working on this edge id -> cmplog_intelligence branch
+
+ - new tancov: use some lightweight taint analysis to see which parts of a
+   new queue entry is accessed and only fuzz these bytes - or better, only
+   fuzz those bytes that are newly in coverage compared to the queue entry
+   the new one is based on -> taint branch, not useful :-(

afl-cmin

@@ -1,467 +1,510 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
+export AFL_QUIET=1
+export ASAN_OPTIONS=detect_leaks=0
+THISPATH=`dirname ${0}`
+export PATH="${THISPATH}:$PATH"
+awk -f - -- ${@+"$@"} <<'EOF'
+#!/usr/bin/awk -f
+
+# awk script to minimize a test corpus of input files
 #
-# american fuzzy lop - corpus minimization tool
-# ---------------------------------------------
+# based on afl-cmin bash script written by Michal Zalewski
+# rewritten by Heiko Eißfeldt (hexcoder-)
+# tested with:
+#   gnu awk (x86 Linux)
+#   bsd awk (x86 *BSD)
+#   mawk (arm32 raspbian)
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
-#
-# Copyright 2014, 2015 Google Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# This tool tries to find the smallest subset of files in the input directory
-# that still trigger the full range of instrumentation data points seen in
-# the starting corpus. This has two uses:
-#
-#   - Screening large corpora of input files before using them as a seed for
-#     afl-fuzz. The tool will remove functionally redundant files and likely
-#     leave you with a much smaller set.
-#
-#     (In this case, you probably also want to consider running afl-tmin on
-#     the individual files later on to reduce their size.)
-#
-#   - Minimizing the corpus generated organically by afl-fuzz, perhaps when
-#     planning to feed it to more resource-intensive tools. The tool achieves
-#     this by removing all entries that used to trigger unique behaviors in the
-#     past, but have been made obsolete by later finds.
-#
-# Note that the tool doesn't modify the files themselves. For that, you want
-# afl-tmin.
-#
-# This script must use bash because other shells may have hardcoded limits on
-# array sizes.
+# uses getopt.awk package from Arnold Robbins
 #
+# external tools used by this script:
+# test
+# grep
+# rm
+# mkdir
+# ln
+# cp
+# pwd
+# type
+# cd
+# find
+# stat
+# sort
+# cut
+# and afl-showmap from this project :-)
 
-echo "corpus minimization tool for afl-fuzz by <lcamtuf@google.com>"
-echo
+# getopt.awk --- Do C library getopt(3) function in awk
 
-#########
-# SETUP #
-#########
+# External variables:
+#    Optind -- index in ARGV of first nonoption argument
+#    Optarg -- string value of argument to current option
+#    Opterr -- if nonzero, print our own diagnostic
+#    Optopt -- current option letter
 
-# Process command-line options...
+# Returns:
+#    -1     at end of options
+#    "?"    for unrecognized option
+#    <c>    a character representing the current option
 
-MEM_LIMIT=100
-TIMEOUT=none
+# Private Data:
+#    _opti  -- index in multiflag option, e.g., -abc
 
-unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
-  AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE UNICORN_MODE
+function getopt(argc, argv, options,    thisopt, i)
+{
+    if (length(options) == 0)    # no options given
+        return -1
 
-while getopts "+i:o:f:m:t:eQUC" opt; do
+    if (argv[Optind] == "--") {  # all done
+        Optind++
+        _opti = 0
+        return -1
+    } else if (argv[Optind] !~ /^-[^:\t ]/) {
+        _opti = 0
+        return -1
+    }
+    if (_opti == 0)
+        _opti = 2
+    thisopt = substr(argv[Optind], _opti, 1)
+    Optopt = thisopt
+    i = index(options, thisopt)
+    if (i == 0) {
+        if (Opterr)
+            printf("%c -- invalid option\n", thisopt) > "/dev/stderr"
+        if (_opti >= length(argv[Optind])) {
+            Optind++
+            _opti = 0
+        } else
+            _opti++
+        return "?"
+    }
+    if (substr(options, i + 1, 1) == ":") {
+        # get option argument
+        if (length(substr(argv[Optind], _opti + 1)) > 0)
+            Optarg = substr(argv[Optind], _opti + 1)
+        else
+            Optarg = argv[++Optind]
+        _opti = 0
+    } else
+        Optarg = ""
+    if (_opti == 0 || _opti >= length(argv[Optind])) {
+        Optind++
+        _opti = 0
+    } else
+        _opti++
+    return thisopt
+}
 
-  case "$opt" in 
+function usage() {
+   print \
+"afl-cmin [ options ] -- /path/to/target_app [ ... ]\n" \
+"\n" \
+"Required parameters:\n" \
+"  -i dir        - input directory with starting corpus\n" \
+"  -o dir        - output directory for minimized files\n" \
+"\n" \
+"Execution control settings:\n" \
+"  -f file       - location read by the fuzzed program (stdin)\n" \
+"  -m megs       - memory limit for child process ("mem_limit" MB)\n" \
+"  -t msec       - run time limit for child process (none)\n" \
+"  -Q            - use binary-only instrumentation (QEMU mode)\n" \
+"  -U            - use unicorn-based instrumentation (unicorn mode)\n" \
+"\n" \
+"Minimization settings:\n" \
+"  -C            - keep crashing inputs, reject everything else\n" \
+"  -e            - solve for edge coverage only, ignore hit counts\n" \
+"\n" \
+"For additional tips, please consult docs/README.md\n" \
+"\n" \
+"Environment variables used:\n" \
+"AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \
+"AFL_PATH: path for the afl-showmap binary\n" \
+"AFL_SKIP_BIN_CHECK: skip check for target binary\n" \
+"AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n"
+"AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n"
+   exit 1
+}
 
-    "i")
-         IN_DIR="$OPTARG"
-         ;;
+function exists_and_is_executable(binarypath) {
+  return 0 == system("test -f "binarypath" -a -x "binarypath)
+}
 
-    "o")
-         OUT_DIR="$OPTARG"
-         ;;
-    "f")
-         STDIN_FILE="$OPTARG"
-         ;;
-    "m")
-         MEM_LIMIT="$OPTARG"
-         MEM_LIMIT_GIVEN=1
-         ;;
-    "t")
-         TIMEOUT="$OPTARG"
-         ;;
-    "e")
-         EXTRA_PAR="$EXTRA_PAR -e"
-         ;;
-    "C")
-         export AFL_CMIN_CRASHES_ONLY=1
-         ;;
-    "Q")
-         EXTRA_PAR="$EXTRA_PAR -Q"
-         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
-         QEMU_MODE=1
-         ;;
-    "U")
-         EXTRA_PAR="$EXTRA_PAR -U"
-         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
-         UNICORN_MODE=1
-         ;;    
-    "?")
-         exit 1
-         ;;
+BEGIN {
+  print "corpus minimization tool for afl++ (awk version)\n"
 
-   esac
+  # defaults
+  extra_par = ""
+  # process options
+  Opterr = 1    # default is to diagnose
+  Optind = 1    # skip ARGV[0]
+  while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eCQU?")) != -1) {
+    if (_go_c == "i") {
+      if (!Optarg) usage()
+      if (in_dir) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      in_dir = Optarg
+      continue
+    } else 
+    if (_go_c == "o") {
+      if (!Optarg) usage()
+      if (out_dir) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      out_dir = Optarg
+      continue
+    } else 
+    if (_go_c == "f") {
+      if (!Optarg) usage()
+      if (stdin_file) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      stdin_file = Optarg
+      continue
+    } else 
+    if (_go_c == "m") {
+      if (!Optarg) usage()
+      if (mem_limit) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      mem_limit = Optarg
+      mem_limit_given = 1
+      continue
+    } else 
+    if (_go_c == "t") {
+      if (!Optarg) usage()
+      if (timeout) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      timeout = Optarg
+      continue
+    } else 
+    if (_go_c == "C") {
+      ENVIRON["AFL_CMIN_CRASHES_ONLY"] = 1
+      continue
+    } else 
+    if (_go_c == "e") {
+      extra_par = extra_par " -e"
+      continue
+    } else 
+    if (_go_c == "Q") {
+      if (qemu_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      extra_par = extra_par " -Q"
+      if ( !mem_limit_given ) mem_limit = "250"
+      qemu_mode = 1
+      continue
+    } else 
+    if (_go_c == "U") {
+      if (unicorn_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
+      extra_par = extra_par " -U"
+      if ( !mem_limit_given ) mem_limit = "250"
+      unicorn_mode = 1
+      continue
+    } else 
+    if (_go_c == "?") {
+      exit 1
+    } else 
+      usage()
+  } # while options
 
-done
+  if (!mem_limit) mem_limit = 200
+  if (!timeout) timeout = "none"
 
-shift $((OPTIND-1))
+  # get program args
+  i = 0
+  prog_args_string = ""
+  for (; Optind < ARGC; Optind++) {
+    prog_args[i++] = ARGV[Optind]
+    if (i > 1)
+      prog_args_string = prog_args_string" "ARGV[Optind]
+  }
 
-TARGET_BIN="$1"
+  # sanity checks
+  if (!prog_args[0] || !in_dir || !out_dir) usage()
 
-if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then
+  target_bin = prog_args[0] 
 
-  cat 1>&2 <<_EOF_
-Usage: $0 [ options ] -- /path/to/target_app [ ... ]
+  # Do a sanity check to discourage the use of /tmp, since we can't really
+  # handle this safely from an awk script.
 
-Required parameters:
+  if (!ENVIRON["AFL_ALLOW_TMP"]) {
+    dirlist[0] = in_dir
+    dirlist[1] = target_bin
+    dirlist[2] = out_dir
+    dirlist[3] = stdin_file
+    "pwd" | getline dirlist[4] # current directory
+    for (dirind in dirlist) {
+      dir = dirlist[dirind]
 
-  -i dir        - input directory with the starting corpus
-  -o dir        - output directory for minimized files
+      if (dir ~ /^(\/var)?\/tmp/) {
+        print "[-] Error: do not use this script in /tmp or /var/tmp." > "/dev/stderr"
+        exit 1
+      }
+    }
+    delete dirlist
+  }
 
-Execution control settings:
+  # If @@ is specified, but there's no -f, let's come up with a temporary input
+  # file name.
 
-  -f file       - location read by the fuzzed program (stdin)
-  -m megs       - memory limit for child process ($MEM_LIMIT MB)
-  -t msec       - run time limit for child process (none)
-  -Q            - use binary-only instrumentation (QEMU mode)
-  -U            - use unicorn-based instrumentation (Unicorn mode)
+  trace_dir = out_dir "/.traces"
+
+  if (!stdin_file) {
+    found_atat = 0
+    for (prog_args_ind in prog_args) {
+      if ("@@" == prog_args[prog_args_ind]) {
+        found_atat = 1
+        break
+      }
+    }
+    if (found_atat) {
+      stdin_file = trace_dir "/.cur_input"
+    }
+  }
+
+  # Check for obvious errors.
+
+  if (mem_limit && mem_limit != "none" && mem_limit < 5) {
+    print "[-] Error: dangerously low memory limit." > "/dev/stderr"
+    exit 1
+  }
+
+  if (timeout && timeout != "none" && timeout < 10) {
+    print "[-] Error: dangerously low timeout." > "/dev/stderr"
+    exit 1
+  }
+
+  if (target_bin && !exists_and_is_executable(target_bin)) {
+
+    "command -v "target_bin" 2>/dev/null" | getline tnew
+    if (!tnew || !exists_and_is_executable(tnew)) {
+      print "[-] Error: binary '"target_bin"' not found or not executable." > "/dev/stderr"
+      exit 1
+    }
+    target_bin = tnew
+  }
+
+  if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !unicorn_mode) {
+    if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) {
+      print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr"
+      exit 1
+    }
+  }
+
+  if (0 != system( "test -d "in_dir )) {
+    print "[-] Error: directory '"in_dir"' not found." > "/dev/stderr"
+    exit 1
+  }
+
+  if (0 == system( "test -d "in_dir"/queue" )) {
+    in_dir = in_dir "/queue"
+  }
+
+  system("rm -rf "trace_dir" 2>/dev/null");
+  system("rm "out_dir"/id[:_]* 2>/dev/null")
+
+  "ls "out_dir"/* 2>/dev/null | wc -l" | getline noofentries
+  if (0 == system( "test -d "out_dir" -a "noofentries" -gt 0" )) {
+    print "[-] Error: directory '"out_dir"' exists and is not empty - delete it first." > "/dev/stderr"
+    exit 1
+  }
+
+  # Check for the more efficient way to copy files...
+  if (0 != system("mkdir -p -m 0700 "trace_dir)) {
+    print "[-] Error: Cannot create directory "trace_dir > "/dev/stderr"
+    exit 1
+  }
+
+  if (stdin_file) {
+    # truncate input file
+    printf "" > stdin_file
+    close( stdin_file )
+  }
+
+  if (!ENVIRON["AFL_PATH"]) {
+    if (0 == system("test -f afl-cmin")) {
+      showmap = "./afl-showmap"
+    } else {
+      "command -v afl-showmap 2>/dev/null" | getline showmap
+    }
+  } else {
+    showmap = ENVIRON["AFL_PATH"] "/afl-showmap"
+  }
+
+  if (!showmap || 0 != system("test -x "showmap )) {
+    print "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." > "/dev/stderr"
+    exit 1
+  }
+
+  # get list of input filenames sorted by size
+  i = 0
+  # yuck, gnu stat is option incompatible to bsd stat
+  # we use a heuristic to differentiate between
+  # GNU stat and other stats
+  "stat --version 2>/dev/null" | getline statversion
+  if (statversion ~ /GNU coreutils/) {
+    stat_format = "-c '%s %n'" # GNU
+  } else {
+    stat_format = "-f '%z %N'" # *BSD, MacOS
+  }
+  cmdline = "cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} \\; | sort -k1n -k2r"
+  cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format") | sort -k1n -k2r"
+  while (cmdline | getline) {
+    sub(/^[0-9]+ (\.\/)?/,"",$0)
+    infilesSmallToBig[i++] = $0
+  }
+  in_count = i
+
+  first_file = infilesSmallToBig[0]
   
-Minimization settings:
+  # Make sure that we're not dealing with a directory.
 
-  -C            - keep crashing inputs, reject everything else
-  -e            - solve for edge coverage only, ignore hit counts
-
-For additional tips, please consult docs/README.
-
-_EOF_
-  exit 1
-fi
-
-# Do a sanity check to discourage the use of /tmp, since we can't really
-# handle this safely from a shell script.
-
-if [ "$AFL_ALLOW_TMP" = "" ]; then
-
-  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
-  T1="$?"
-
-  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
-  T2="$?"
-
-  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
-  T3="$?"
-
-  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
-  T4="$?"
-
-  echo "$PWD" | grep -qE '^(/var)?/tmp/'
-  T5="$?"
-
-  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
-    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+  if (0 == system("test -d "in_dir"/"first_file)) {
+    print "[-] Error: The input directory contains subdirectories - please fix." > "/dev/stderr"
     exit 1
-  fi
+  }
 
-fi
+  if (0 == system("ln "in_dir"/"first_file" "trace_dir"/.link_test")) {
+    cp_tool = "ln"
+  } else {
+    cp_tool = "cp"
+  }
 
-# If @@ is specified, but there's no -f, let's come up with a temporary input
-# file name.
+  # Make sure that we can actually get anything out of afl-showmap before we
+  # waste too much time.
 
-TRACE_DIR="$OUT_DIR/.traces"
+  print "[*] Testing the target binary..."
 
-if [ "$STDIN_FILE" = "" ]; then
+  if (!stdin_file) {
+    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
+  } else {
+    system("cp "in_dir"/"first_file" "stdin_file)
+    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+  }
 
-  if echo "$*" | grep -qF '@@'; then
-    STDIN_FILE="$TRACE_DIR/.cur_input"
-  fi
+  first_count = 0
 
-fi
+  runtest = trace_dir"/.run_test"
+  while ((getline < runtest) > 0) {
+    ++first_count
+  }
 
-# Check for obvious errors.
-
-if [ ! "$MEM_LIMIT" = "none" ]; then
-
-  if [ "$MEM_LIMIT" -lt "5" ]; then
-    echo "[-] Error: dangerously low memory limit." 1>&2
+  if (first_count) {
+    print "[+] OK, "first_count" tuples recorded."
+  } else {
+    print "[-] Error: no instrumentation output detected (perhaps crash or timeout)." > "/dev/stderr"
+    if (!ENVIRON["AFL_KEEP_TRACES"]) {
+      system("rm -rf "trace_dir" 2>/dev/null")
+    }
     exit 1
-  fi
-
-fi
-
-if [ ! "$TIMEOUT" = "none" ]; then
-
-  if [ "$TIMEOUT" -lt "10" ]; then
-    echo "[-] Error: dangerously low timeout." 1>&2
-    exit 1
-  fi
-
-fi
-
-if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
-
-  TNEW="`which "$TARGET_BIN" 2>/dev/null`"
-
-  if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then
-    echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2
-    exit 1
-  fi
-
-  TARGET_BIN="$TNEW"
-
-fi
-
-if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$UNICORN_MODE" = "" ]; then
-
-  if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
-    echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2
-    exit 1
-  fi
-
-fi
-
-if [ ! -d "$IN_DIR" ]; then
-  echo "[-] Error: directory '$IN_DIR' not found." 1>&2
-  exit 1
-fi
-
-test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue"
-
-find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null
-rm -rf "$TRACE_DIR" 2>/dev/null
-
-rmdir "$OUT_DIR" 2>/dev/null
-
-if [ -d "$OUT_DIR" ]; then
-  echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2
-  exit 1
-fi
-
-mkdir -m 700 -p "$TRACE_DIR" || exit 1
-
-if [ ! "$STDIN_FILE" = "" ]; then
-  rm -f "$STDIN_FILE" || exit 1
-  touch "$STDIN_FILE" || exit 1
-fi
-
-if [ "$AFL_PATH" = "" ]; then
-  SHOWMAP="${0%/afl-cmin}/afl-showmap"
-else
-  SHOWMAP="$AFL_PATH/afl-showmap"
-fi
-
-if [ ! -x "$SHOWMAP" ]; then
-  echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2
-  rm -rf "$TRACE_DIR"
-  exit 1
-fi
-
-IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`))
-
-if [ "$IN_COUNT" = "0" ]; then
-  echo "[+] Hmm, no inputs in the target directory. Nothing to be done."
-  rm -rf "$TRACE_DIR"
-  exit 1
-fi
-
-FIRST_FILE=`ls "$IN_DIR" | head -1`
-
-# Make sure that we're not dealing with a directory.
-
-if [ -d "$IN_DIR/$FIRST_FILE" ]; then
-  echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2
-  rm -rf "$TRACE_DIR"
-  exit 1
-fi
-
-# Check for the more efficient way to copy files...
-
-if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then
-  CP_TOOL=ln
-else
-  CP_TOOL=cp
-fi
-
-# Make sure that we can actually get anything out of afl-showmap before we
-# waste too much time.
-
-echo "[*] Testing the target binary..."
-
-if [ "$STDIN_FILE" = "" ]; then
-
-  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE"
-
-else
-
-  cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE"
-  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
-
-fi
-
-FIRST_COUNT=$((`grep -c . "$TRACE_DIR/.run_test"`))
-
-if [ "$FIRST_COUNT" -gt "0" ]; then
-
-  echo "[+] OK, $FIRST_COUNT tuples recorded."
-
-else
-
-  echo "[-] Error: no instrumentation output detected (perhaps crash or timeout)." 1>&2
-  test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
-  exit 1
-
-fi
-
-# Let's roll!
-
-#############################
-# STEP 1: COLLECTING TRACES #
-#############################
-
-echo "[*] Obtaining traces for input files in '$IN_DIR'..."
-
-(
-
-  CUR=0
-
-  if [ "$STDIN_FILE" = "" ]; then
-
-    while read -r fn; do
-
-      CUR=$((CUR+1))
-      printf "\\r    Processing file $CUR/$IN_COUNT... "
-
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
-
-    done < <(ls "$IN_DIR")
-
-  else
-
-    while read -r fn; do
-
-      CUR=$((CUR+1))
-      printf "\\r    Processing file $CUR/$IN_COUNT... "
-
-      cp "$IN_DIR/$fn" "$STDIN_FILE"
-
-      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
-
-    done < <(ls "$IN_DIR")
-
-
-  fi
-
-)
-
-echo
-
-##########################
-# STEP 2: SORTING TUPLES #
-##########################
-
-# With this out of the way, we sort all tuples by popularity across all
-# datasets. The reasoning here is that we won't be able to avoid the files
-# that trigger unique tuples anyway, so we will want to start with them and
-# see what's left.
-
-echo "[*] Sorting trace sets (this may take a while)..."
-
-ls "$IN_DIR" | sed "s#^#$TRACE_DIR/#" | tr '\n' '\0' | xargs -0 -n 1 cat | \
-  sort | uniq -c | sort -k 1,1 -n >"$TRACE_DIR/.all_uniq"
-
-TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`))
-
-echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files."
-
-#####################################
-# STEP 3: SELECTING CANDIDATE FILES #
-#####################################
-
-# The next step is to find the best candidate for each tuple. The "best"
-# part is understood simply as the smallest input that includes a particular
-# tuple in its trace. Empirical evidence suggests that this produces smaller
-# datasets than more involved algorithms that could be still pulled off in
-# a shell script.
-
-echo "[*] Finding best candidates for each tuple..."
-
-CUR=0
-
-while read -r fn; do
-
-  CUR=$((CUR+1))
-  printf "\\r    Processing file $CUR/$IN_COUNT... "
-
-  sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"
-
-done < <(ls -rS "$IN_DIR")
-
-echo
-
-##############################
-# STEP 4: LOADING CANDIDATES #
-##############################
-
-# At this point, we have a file of tuple-file pairs, sorted by file size
-# in ascending order (as a consequence of ls -rS). By doing sort keyed
-# only by tuple (-k 1,1) and configured to output only the first line for
-# every key (-s -u), we end up with the smallest file for each tuple.
-
-echo "[*] Sorting candidate list (be patient)..."
-
-sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \
-  sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script"
-
-if [ ! -s "$TRACE_DIR/.candidate_script" ]; then
-  echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2
-  test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
-  exit 1
-fi
-
-# The sed command converted the sorted list to a shell script that populates
-# BEST_FILE[tuple]="fname". Let's load that!
-
-. "$TRACE_DIR/.candidate_script"
-
-##########################
-# STEP 5: WRITING OUTPUT #
-##########################
-
-# The final trick is to grab the top pick for each tuple, unless said tuple is
-# already set due to the inclusion of an earlier candidate; and then put all
-# tuples associated with the newly-added file to the "already have" list. The
-# loop works from least popular tuples and toward the most common ones.
-
-echo "[*] Processing candidates and writing output files..."
-
-CUR=0
-
-touch "$TRACE_DIR/.already_have"
-
-while read -r cnt tuple; do
-
-  CUR=$((CUR+1))
-  printf "\\r    Processing tuple $CUR/$TUPLE_COUNT... "
-
-  # If we already have this tuple, skip it.
-
-  grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue
-
-  FN=${BEST_FILE[tuple]}
-
-  $CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN"
-
-  if [ "$((CUR % 5))" = "0" ]; then
-    sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp"
-    mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have"
-  else
-    cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have"
-  fi
-
-done <"$TRACE_DIR/.all_uniq"
-
-echo
-
-OUT_COUNT=`ls -- "$OUT_DIR" | wc -l`
-
-if [ "$OUT_COUNT" = "1" ]; then
-  echo "[!] WARNING: All test cases had the same traces, check syntax!"
-fi
-
-echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'."
-echo
-
-test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
-
-exit 0
+  }
+
+  # Let's roll!
+
+  #############################
+  # STEP 1: Collecting traces #
+  #############################
+
+  print "[*] Obtaining traces for "in_count" input files in '"in_dir"'."
+
+  cur = 0;
+  if (!stdin_file) {
+    print "    Processing "in_count" files (forkserver mode)..."
+    retval = system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
+  } else {
+    print "    Processing "in_count" files (forkserver mode)..."
+    retval = system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+  }
+
+  if (retval) {
+    print "[!]Exit code != 0 received from afl-showmap, terminating..."
+
+    if (!ENVIRON["AFL_KEEP_TRACES"]) {
+      system("rm -rf "trace_dir" 2>/dev/null")
+      system("rmdir "out_dir)
+    }
+    exit retval
+  }
+
+  #######################################################
+  # STEP 2: register smallest input file for each tuple #
+  # STEP 3: copy that file (at most once)               #
+  #######################################################
+
+  print "[*] Processing traces for input files in '"in_dir"'."
+
+  cur = 0
+  out_count = 0
+  tuple_count = 0
+
+  # from rare to frequent new tuples
+  # get the best (smallest) file for it
+  # and copy it
+  while (cur < in_count) {
+    fn = infilesSmallToBig[cur]
+    ++cur
+    printf "\r    Processing file "cur"/"in_count
+    # create path for the trace file from afl-showmap
+    tracefile_path = trace_dir"/"fn
+    # gather all keys, and count them
+    while ((getline line < tracefile_path) > 0) {
+        key = line
+        if (!(key in key_count)) {
+          ++tuple_count
+        }
+        ++key_count[key]
+        if (! (key in best_file)) {
+            # this is the best file for this key
+            best_file[key] = fn
+#printf "BEST_FILE[%d]=\"%s\"\n",key,fn | "sort -t'[' -k2 > "trace_dir"/.candidate_script"
+        }
+#printf "%d %s\n",key,fn > trace_dir"/.candidate_list"
+    }
+    close(tracefile_path)
+  }
+  print ""
+
+  # sort keys
+  sortedKeys = trace_dir"/.all_uniq"
+  sortKeysCmd = "sort -k1n > "sortedKeys
+  for (key in key_count) {
+     printf "%7d %s\n",key_count[key],key | sortKeysCmd
+  }
+  close(sortKeysCmd)
+
+  # iterate over keys from rare to frequent and
+  # copy best file
+  while ((getline < sortedKeys) > 0) {
+
+    # split
+    nrFields = split($0, field, / +/)
+#print nrFields" Felder: '"field[0]"',  '"field[1]"',  '"field[2]"',  '"field[3]"'"
+    key = field[nrFields]
+
+    ++tcnt;
+    printf "\r    Processing tuple "tcnt"/"tuple_count" with count "key_count[key]"..."
+    if (key in keyAlreadyKnown) {
+      continue
+    }
+
+    fn = best_file[key]
+    # gather all tuples from the best file for this key
+    tracedfn = trace_dir"/"fn
+    while ((getline < tracedfn) > 0) {
+      keyAlreadyKnown[$0] = ""
+    }
+    close(tracedfn)
+
+    # copy file unless already done
+    if (! (fn in file_already_copied)) {
+      system(cp_tool" "in_dir"/"fn" "out_dir"/"fn)
+      file_already_copied[fn] = ""
+      ++out_count
+      #printf "tuple nr %d (%d cnt=%d) -> %s\n",tcnt,key,key_count[key],fn > trace_dir"/.log"
+    }
+  }
+  close(sortedKeys)
+  print ""
+  print "[+] Found "tuple_count" unique tuples across "in_count" files."
+
+  if (out_count == 1) {
+    print "[!] WARNING: All test cases had the same traces, check syntax!"
+  }
+  print "[+] Narrowed down to "out_count" files, saved in '"out_dir"'."
+
+  if (!ENVIRON["AFL_KEEP_TRACES"]) {
+    system("rm -rf "trace_dir" 2>/dev/null")
+  }
+
+  exit 0
+}
+EOF

afl-cmin.bash

@@ -0,0 +1,477 @@
+#!/usr/bin/env bash
+#
+# american fuzzy lop++ - corpus minimization tool
+# ---------------------------------------------
+#
+# Originally written by Michal Zalewski
+#
+# Copyright 2014, 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# This tool tries to find the smallest subset of files in the input directory
+# that still trigger the full range of instrumentation data points seen in
+# the starting corpus. This has two uses:
+#
+#   - Screening large corpora of input files before using them as a seed for
+#     afl-fuzz. The tool will remove functionally redundant files and likely
+#     leave you with a much smaller set.
+#
+#     (In this case, you probably also want to consider running afl-tmin on
+#     the individual files later on to reduce their size.)
+#
+#   - Minimizing the corpus generated organically by afl-fuzz, perhaps when
+#     planning to feed it to more resource-intensive tools. The tool achieves
+#     this by removing all entries that used to trigger unique behaviors in the
+#     past, but have been made obsolete by later finds.
+#
+# Note that the tool doesn't modify the files themselves. For that, you want
+# afl-tmin.
+#
+# This script must use bash because other shells may have hardcoded limits on
+# array sizes.
+#
+
+echo "corpus minimization tool for afl-fuzz by Michal Zalewski"
+echo
+
+#########
+# SETUP #
+#########
+
+# Process command-line options...
+
+MEM_LIMIT=200
+TIMEOUT=none
+
+unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
+  AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE UNICORN_MODE
+
+export AFL_QUIET=1
+
+while getopts "+i:o:f:m:t:eQUCh" opt; do
+
+  case "$opt" in 
+
+    "h")
+	;;
+
+    "i")
+         IN_DIR="$OPTARG"
+         ;;
+
+    "o")
+         OUT_DIR="$OPTARG"
+         ;;
+    "f")
+         STDIN_FILE="$OPTARG"
+         ;;
+    "m")
+         MEM_LIMIT="$OPTARG"
+         MEM_LIMIT_GIVEN=1
+         ;;
+    "t")
+         TIMEOUT="$OPTARG"
+         ;;
+    "e")
+         EXTRA_PAR="$EXTRA_PAR -e"
+         ;;
+    "C")
+         export AFL_CMIN_CRASHES_ONLY=1
+         ;;
+    "Q")
+         EXTRA_PAR="$EXTRA_PAR -Q"
+         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
+         QEMU_MODE=1
+         ;;
+    "U")
+         EXTRA_PAR="$EXTRA_PAR -U"
+         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
+         UNICORN_MODE=1
+         ;;    
+    "?")
+         exit 1
+         ;;
+
+   esac
+
+done
+
+shift $((OPTIND-1))
+
+TARGET_BIN="$1"
+
+if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then
+
+  cat 1>&2 <<_EOF_
+Usage: $0 [ options ] -- /path/to/target_app [ ... ]
+
+Required parameters:
+
+  -i dir        - input directory with the starting corpus
+  -o dir        - output directory for minimized files
+
+Execution control settings:
+
+  -f file       - location read by the fuzzed program (stdin)
+  -m megs       - memory limit for child process ($MEM_LIMIT MB)
+  -t msec       - run time limit for child process (none)
+  -Q            - use binary-only instrumentation (QEMU mode)
+  -U            - use unicorn-based instrumentation (Unicorn mode)
+  
+Minimization settings:
+
+  -C            - keep crashing inputs, reject everything else
+  -e            - solve for edge coverage only, ignore hit counts
+
+For additional tips, please consult docs/README.md.
+
+Environment variables used:
+AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory
+AFL_PATH: path for the afl-showmap binary
+AFL_SKIP_BIN_CHECK: skip check for target binary
+_EOF_
+  exit 1
+fi
+
+# Do a sanity check to discourage the use of /tmp, since we can't really
+# handle this safely from a shell script.
+
+#if [ "$AFL_ALLOW_TMP" = "" ]; then
+#
+#  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+#  T1="$?"
+#
+#  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+#  T2="$?"
+#
+#  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+#  T3="$?"
+#
+#  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+#  T4="$?"
+#
+#  echo "$PWD" | grep -qE '^(/var)?/tmp/'
+#  T5="$?"
+#
+#  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+#    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+#    exit 1
+#  fi
+#
+#fi
+
+# If @@ is specified, but there's no -f, let's come up with a temporary input
+# file name.
+
+TRACE_DIR="$OUT_DIR/.traces"
+
+if [ "$STDIN_FILE" = "" ]; then
+
+  if echo "$*" | grep -qF '@@'; then
+    STDIN_FILE="$TRACE_DIR/.cur_input"
+  fi
+
+fi
+
+# Check for obvious errors.
+
+if [ ! "$MEM_LIMIT" = "none" ]; then
+
+  if [ "$MEM_LIMIT" -lt "5" ]; then
+    echo "[-] Error: dangerously low memory limit." 1>&2
+    exit 1
+  fi
+
+fi
+
+if [ ! "$TIMEOUT" = "none" ]; then
+
+  if [ "$TIMEOUT" -lt "10" ]; then
+    echo "[-] Error: dangerously low timeout." 1>&2
+    exit 1
+  fi
+
+fi
+
+if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
+
+  TNEW="`which "$TARGET_BIN" 2>/dev/null`"
+
+  if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then
+    echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2
+    exit 1
+  fi
+
+  TARGET_BIN="$TNEW"
+
+fi
+
+if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$UNICORN_MODE" = "" ]; then
+
+  if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
+    echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2
+    exit 1
+  fi
+
+fi
+
+if [ ! -d "$IN_DIR" ]; then
+  echo "[-] Error: directory '$IN_DIR' not found." 1>&2
+  exit 1
+fi
+
+test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue"
+
+find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null
+rm -rf "$TRACE_DIR" 2>/dev/null
+
+rmdir "$OUT_DIR" 2>/dev/null
+
+if [ -d "$OUT_DIR" ]; then
+  echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2
+  exit 1
+fi
+
+mkdir -m 700 -p "$TRACE_DIR" || exit 1
+
+if [ ! "$STDIN_FILE" = "" ]; then
+  rm -f "$STDIN_FILE" || exit 1
+  touch "$STDIN_FILE" || exit 1
+fi
+
+if [ "$AFL_PATH" = "" ]; then
+  SHOWMAP="${0%/afl-cmin.bash}/afl-showmap"
+else
+  SHOWMAP="$AFL_PATH/afl-showmap"
+fi
+
+if [ ! -x "$SHOWMAP" ]; then
+  echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2
+  rm -rf "$TRACE_DIR"
+  exit 1
+fi
+
+IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`))
+
+if [ "$IN_COUNT" = "0" ]; then
+  echo "[+] Hmm, no inputs in the target directory. Nothing to be done."
+  rm -rf "$TRACE_DIR"
+  exit 1
+fi
+
+FIRST_FILE=`ls "$IN_DIR" | head -1`
+
+# Make sure that we're not dealing with a directory.
+
+if [ -d "$IN_DIR/$FIRST_FILE" ]; then
+  echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2
+  rm -rf "$TRACE_DIR"
+  exit 1
+fi
+
+# Check for the more efficient way to copy files...
+
+if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then
+  CP_TOOL=ln
+else
+  CP_TOOL=cp
+fi
+
+# Make sure that we can actually get anything out of afl-showmap before we
+# waste too much time.
+
+echo "[*] Testing the target binary..."
+
+if [ "$STDIN_FILE" = "" ]; then
+
+  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE"
+
+else
+
+  cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE"
+  AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
+
+fi
+
+FIRST_COUNT=$((`grep -c . "$TRACE_DIR/.run_test"`))
+
+if [ "$FIRST_COUNT" -gt "0" ]; then
+
+  echo "[+] OK, $FIRST_COUNT tuples recorded."
+
+else
+
+  echo "[-] Error: no instrumentation output detected (perhaps crash or timeout)." 1>&2
+  test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
+  exit 1
+
+fi
+
+# Let's roll!
+
+#############################
+# STEP 1: COLLECTING TRACES #
+#############################
+
+echo "[*] Obtaining traces for input files in '$IN_DIR'..."
+
+(
+
+  CUR=0
+
+  if [ "$STDIN_FILE" = "" ]; then
+
+    ls "$IN_DIR" | while read -r fn; do
+
+      CUR=$((CUR+1))
+      printf "\\r    Processing file $CUR/$IN_COUNT... "
+
+      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
+
+    done
+
+  else
+
+    ls "$IN_DIR" | while read -r fn; do
+
+      CUR=$((CUR+1))
+      printf "\\r    Processing file $CUR/$IN_COUNT... "
+
+      cp "$IN_DIR/$fn" "$STDIN_FILE"
+
+      "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
+
+    done
+
+
+  fi
+
+)
+
+echo
+
+##########################
+# STEP 2: SORTING TUPLES #
+##########################
+
+# With this out of the way, we sort all tuples by popularity across all
+# datasets. The reasoning here is that we won't be able to avoid the files
+# that trigger unique tuples anyway, so we will want to start with them and
+# see what's left.
+
+echo "[*] Sorting trace sets (this may take a while)..."
+
+ls "$IN_DIR" | sed "s#^#$TRACE_DIR/#" | tr '\n' '\0' | xargs -0 -n 1 cat | \
+  sort | uniq -c | sort -k 1,1 -n >"$TRACE_DIR/.all_uniq"
+
+TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`))
+
+echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files."
+
+#####################################
+# STEP 3: SELECTING CANDIDATE FILES #
+#####################################
+
+# The next step is to find the best candidate for each tuple. The "best"
+# part is understood simply as the smallest input that includes a particular
+# tuple in its trace. Empirical evidence suggests that this produces smaller
+# datasets than more involved algorithms that could be still pulled off in
+# a shell script.
+
+echo "[*] Finding best candidates for each tuple..."
+
+CUR=0
+
+ls -rS "$IN_DIR" | while read -r fn; do
+
+  CUR=$((CUR+1))
+  printf "\\r    Processing file $CUR/$IN_COUNT... "
+
+  sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"
+
+done
+
+echo
+
+##############################
+# STEP 4: LOADING CANDIDATES #
+##############################
+
+# At this point, we have a file of tuple-file pairs, sorted by file size
+# in ascending order (as a consequence of ls -rS). By doing sort keyed
+# only by tuple (-k 1,1) and configured to output only the first line for
+# every key (-s -u), we end up with the smallest file for each tuple.
+
+echo "[*] Sorting candidate list (be patient)..."
+
+sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \
+  sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script"
+
+if [ ! -s "$TRACE_DIR/.candidate_script" ]; then
+  echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2
+  test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
+  exit 1
+fi
+
+# The sed command converted the sorted list to a shell script that populates
+# BEST_FILE[tuple]="fname". Let's load that!
+
+. "$TRACE_DIR/.candidate_script"
+
+##########################
+# STEP 5: WRITING OUTPUT #
+##########################
+
+# The final trick is to grab the top pick for each tuple, unless said tuple is
+# already set due to the inclusion of an earlier candidate; and then put all
+# tuples associated with the newly-added file to the "already have" list. The
+# loop works from least popular tuples and toward the most common ones.
+
+echo "[*] Processing candidates and writing output files..."
+
+CUR=0
+
+touch "$TRACE_DIR/.already_have"
+
+while read -r cnt tuple; do
+
+  CUR=$((CUR+1))
+  printf "\\r    Processing tuple $CUR/$TUPLE_COUNT with count $cnt... "
+
+  # If we already have this tuple, skip it.
+
+  grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue
+
+  FN=${BEST_FILE[tuple]}
+
+#  echo "tuple nr $CUR ($tuple cnt=$cnt) -> $FN" >> "$TRACE_DIR/.log"
+  $CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN"
+
+  if [ "$((CUR % 5))" = "0" ]; then
+    sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp"
+    mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have"
+  else
+    cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have"
+  fi
+
+done <"$TRACE_DIR/.all_uniq"
+
+echo
+
+OUT_COUNT=`ls -- "$OUT_DIR" | wc -l`
+
+if [ "$OUT_COUNT" = "1" ]; then
+  echo "[!] WARNING: All test cases had the same traces, check syntax!"
+fi
+
+echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'."
+echo
+
+test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
+
+exit 0

afl-common.c

@@ -1,69 +0,0 @@
-/*
- gather some functions common to multiple executables
-
- detect_file_args
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <strings.h>
-
-#include "debug.h"
-#include "alloc-inl.h"
-
-/* Detect @@ in args. */
-#ifndef __glibc__
-#include <unistd.h>
-#endif
-void detect_file_args(char** argv, u8* prog_in) {
-
-  u32 i = 0;
-#ifdef __GLIBC__
-  u8* cwd = getcwd(NULL, 0); /* non portable glibc extension */
-#else
-  u8* cwd;
-  char *buf;
-  long size = pathconf(".", _PC_PATH_MAX);
-  if ((buf = (char *)malloc((size_t)size)) != NULL) {
-    cwd = getcwd(buf, (size_t)size); /* portable version */
-  } else {
-    PFATAL("getcwd() failed");
-  }
-#endif
-
-  if (!cwd) PFATAL("getcwd() failed");
-
-  while (argv[i]) {
-
-    u8* aa_loc = strstr(argv[i], "@@");
-
-    if (aa_loc) {
-
-      u8 *aa_subst, *n_arg;
-
-      if (!prog_in) FATAL("@@ syntax is not supported by this tool.");
-
-      /* Be sure that we're always using fully-qualified paths. */
-
-      if (prog_in[0] == '/') aa_subst = prog_in;
-      else aa_subst = alloc_printf("%s/%s", cwd, prog_in);
-
-      /* Construct a replacement argv value. */
-
-      *aa_loc = 0;
-      n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2);
-      argv[i] = n_arg;
-      *aa_loc = '@';
-
-      if (prog_in[0] != '/') ck_free(aa_subst);
-
-    }
-
-    i++;
-
-  }
-
-  free(cwd); /* not tracked */
-
-}
-

afl-common.h

@@ -1,5 +0,0 @@
-#ifndef __AFLCOMMON_H
-#define __AFLCOMMON_H
-
-void detect_file_args(char **argv, u8 *prog_in);
-#endif

afl-gcc.c

@@ -1,343 +0,0 @@
-/*
-   american fuzzy lop - wrapper for GCC and clang
-   ----------------------------------------------
-
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
-
-   Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at:
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-   This program is a drop-in replacement for GCC or clang. The most common way
-   of using it is to pass the path to afl-gcc or afl-clang via CC when invoking
-   ./configure.
-
-   (Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.)
-
-   The wrapper needs to know the path to afl-as (renamed to 'as'). The default
-   is /usr/local/lib/afl/. A convenient way to specify alternative directories
-   would be to set AFL_PATH.
-
-   If AFL_HARDEN is set, the wrapper will compile the target app with various
-   hardening options that may help detect memory management issues more
-   reliably. You can also specify AFL_USE_ASAN to enable ASAN.
-
-   If you want to call a non-default compiler as a next step of the chain,
-   specify its location via AFL_CC or AFL_CXX.
-
- */
-
-#define AFL_MAIN
-
-#include "config.h"
-#include "types.h"
-#include "debug.h"
-#include "alloc-inl.h"
-
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-
-static u8*  as_path;                /* Path to the AFL 'as' wrapper      */
-static u8** cc_params;              /* Parameters passed to the real CC  */
-static u32  cc_par_cnt = 1;         /* Param count, including argv0      */
-static u8   be_quiet,               /* Quiet mode                        */
-            clang_mode;             /* Invoked as afl-clang*?            */
-
-
-/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived
-   from argv[0]. If that fails, abort. */
-
-static void find_as(u8* argv0) {
-
-  u8 *afl_path = getenv("AFL_PATH");
-  u8 *slash, *tmp;
-
-  if (afl_path) {
-
-    tmp = alloc_printf("%s/as", afl_path);
-
-    if (!access(tmp, X_OK)) {
-      as_path = afl_path;
-      ck_free(tmp);
-      return;
-    }
-
-    ck_free(tmp);
-
-  }
-
-  slash = strrchr(argv0, '/');
-
-  if (slash) {
-
-    u8 *dir;
-
-    *slash = 0;
-    dir = ck_strdup(argv0);
-    *slash = '/';
-
-    tmp = alloc_printf("%s/afl-as", dir);
-
-    if (!access(tmp, X_OK)) {
-      as_path = dir;
-      ck_free(tmp);
-      return;
-    }
-
-    ck_free(tmp);
-    ck_free(dir);
-
-  }
-
-  if (!access(AFL_PATH "/as", X_OK)) {
-    as_path = AFL_PATH;
-    return;
-  }
-
-  FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH");
- 
-}
-
-
-/* Copy argv to cc_params, making the necessary edits. */
-
-static void edit_params(u32 argc, char** argv) {
-
-  u8 fortify_set = 0, asan_set = 0;
-  u8 *name;
-
-#if defined(__FreeBSD__) && defined(__x86_64__)
-  u8 m32_set = 0;
-#endif
-
-  cc_params = ck_alloc((argc + 128) * sizeof(u8*));
-
-  name = strrchr(argv[0], '/');
-  if (!name) name = argv[0]; else name++;
-
-  if (!strncmp(name, "afl-clang", 9)) {
-
-    clang_mode = 1;
-
-    setenv(CLANG_ENV_VAR, "1", 1);
-
-    if (!strcmp(name, "afl-clang++")) {
-      u8* alt_cxx = getenv("AFL_CXX");
-      cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
-    } else {
-      u8* alt_cc = getenv("AFL_CC");
-      cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
-    }
-
-  } else {
-
-    /* With GCJ and Eclipse installed, you can actually compile Java! The
-       instrumentation will work (amazingly). Alas, unhandled exceptions do
-       not call abort(), so afl-fuzz would need to be modified to equate
-       non-zero exit codes with crash conditions when working with Java
-       binaries. Meh. */
-
-#ifdef __APPLE__
-
-    if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX");
-    else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ");
-    else cc_params[0] = getenv("AFL_CC");
-
-    if (!cc_params[0]) {
-
-      SAYF("\n" cLRD "[-] " cRST
-           "On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n"
-           "    'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n"
-           "    set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n");
-
-      FATAL("AFL_CC or AFL_CXX required on MacOS X");
-
-    }
-
-#else
-
-    if (!strcmp(name, "afl-g++")) {
-      u8* alt_cxx = getenv("AFL_CXX");
-      cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++";
-    } else if (!strcmp(name, "afl-gcj")) {
-      u8* alt_cc = getenv("AFL_GCJ");
-      cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj";
-    } else {
-      u8* alt_cc = getenv("AFL_CC");
-      cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc";
-    }
-
-#endif /* __APPLE__ */
-
-  }
-
-  while (--argc) {
-    u8* cur = *(++argv);
-
-    if (!strncmp(cur, "-B", 2)) {
-
-      if (!be_quiet) WARNF("-B is already set, overriding");
-
-      if (!cur[2] && argc > 1) { argc--; argv++; }
-      continue;
-
-    }
-
-    if (!strcmp(cur, "-integrated-as")) continue;
-
-    if (!strcmp(cur, "-pipe")) continue;
-
-#if defined(__FreeBSD__) && defined(__x86_64__)
-    if (!strcmp(cur, "-m32")) m32_set = 1;
-#endif
-
-    if (!strcmp(cur, "-fsanitize=address") ||
-        !strcmp(cur, "-fsanitize=memory")) asan_set = 1;
-
-    if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
-
-    cc_params[cc_par_cnt++] = cur;
-
-  }
-
-  cc_params[cc_par_cnt++] = "-B";
-  cc_params[cc_par_cnt++] = as_path;
-
-  if (clang_mode)
-    cc_params[cc_par_cnt++] = "-no-integrated-as";
-
-  if (getenv("AFL_HARDEN")) {
-
-    cc_params[cc_par_cnt++] = "-fstack-protector-all";
-
-    if (!fortify_set)
-      cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
-
-  }
-
-  if (asan_set) {
-
-    /* Pass this on to afl-as to adjust map density. */
-
-    setenv("AFL_USE_ASAN", "1", 1);
-
-  } else if (getenv("AFL_USE_ASAN")) {
-
-    if (getenv("AFL_USE_MSAN"))
-      FATAL("ASAN and MSAN are mutually exclusive");
-
-    if (getenv("AFL_HARDEN"))
-      FATAL("ASAN and AFL_HARDEN are mutually exclusive");
-
-    cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
-    cc_params[cc_par_cnt++] = "-fsanitize=address";
-
-  } else if (getenv("AFL_USE_MSAN")) {
-
-    if (getenv("AFL_USE_ASAN"))
-      FATAL("ASAN and MSAN are mutually exclusive");
-
-    if (getenv("AFL_HARDEN"))
-      FATAL("MSAN and AFL_HARDEN are mutually exclusive");
-
-    cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
-    cc_params[cc_par_cnt++] = "-fsanitize=memory";
-
-
-  }
-
-#ifdef USEMMAP
-    cc_params[cc_par_cnt++] = "-lrt";
-#endif
-
-  if (!getenv("AFL_DONT_OPTIMIZE")) {
-
-#if defined(__FreeBSD__) && defined(__x86_64__)
-
-    /* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself
-       works OK. This has nothing to do with us, but let's avoid triggering
-       that bug. */
-
-    if (!clang_mode || !m32_set)
-      cc_params[cc_par_cnt++] = "-g";
-
-#else
-
-      cc_params[cc_par_cnt++] = "-g";
-
-#endif
-
-    cc_params[cc_par_cnt++] = "-O3";
-    cc_params[cc_par_cnt++] = "-funroll-loops";
-
-    /* Two indicators that you're building for fuzzing; one of them is
-       AFL-specific, the other is shared with libfuzzer. */
-
-    cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
-    cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
-
-  }
-
-  if (getenv("AFL_NO_BUILTIN")) {
-
-    cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
-    cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
-    cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
-    cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
-    cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
-    cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
-    cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
-
-  }
-
-  cc_params[cc_par_cnt] = NULL;
-
-}
-
-
-/* Main entry point */
-
-int main(int argc, char** argv) {
-
-  if (isatty(2) && !getenv("AFL_QUIET")) {
-
-    SAYF(cCYA "afl-cc" VERSION cRST " by <lcamtuf@google.com>\n");
-    SAYF(cYEL "[!] " cBRI "NOTE: " cRST "afl-gcc is deprecated, llvm_mode is much faster and has more options\n");
-
-  } else be_quiet = 1;
-
-  if (argc < 2) {
-
-    SAYF("\n"
-         "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n"
-         "for gcc or clang, letting you recompile third-party code with the required\n"
-         "runtime instrumentation. A common use pattern would be one of the following:\n\n"
-
-         "  CC=%s/afl-gcc ./configure\n"
-         "  CXX=%s/afl-g++ ./configure\n\n"
-
-         "You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n"
-         "Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
-         BIN_PATH, BIN_PATH);
-
-    exit(1);
-
-  }
-
-  find_as(argv[0]);
-
-  edit_params(argc, argv);
-
-  execvp(cc_params[0], (char**)cc_params);
-
-  FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
-
-  return 0;
-
-}

afl-plot

@@ -1,9 +1,9 @@
 #!/bin/sh
 #
-# american fuzzy lop - Advanced Persistent Graphing
+# american fuzzy lop++ - Advanced Persistent Graphing
 # -------------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Originally written by Michal Zalewski
 # Based on a design & prototype by Michael Rash.
 #
 # Copyright 2014, 2015 Google Inc. All rights reserved.
@@ -15,58 +15,73 @@
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 
-echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>"
+get_abs_path() {
+  echo $(cd "`dirname "$1"`" && pwd)/"`basename "$1"`"
+}
+
+echo "progress plotting utility for afl-fuzz by Michal Zalewski"
 echo
 
 if [ ! "$#" = "2" ]; then
 
   cat 1>&2 <<_EOF_
-This program generates gnuplot images from afl-fuzz output data. Usage:
-
 $0 afl_state_dir graph_output_dir
 
+This program generates gnuplot images from afl-fuzz output data. Usage:
+
 The afl_state_dir parameter should point to an existing state directory for any
 active or stopped instance of afl-fuzz; while graph_output_dir should point to
 an empty directory where this tool can write the resulting plots to.
 
 The program will put index.html and three PNG images in the output directory;
 you should be able to view it with any web browser of your choice.
-
 _EOF_
 
   exit 1
 
 fi
 
-if [ "$AFL_ALLOW_TMP" = "" ]; then
+inputdir=`get_abs_path "$1"`
+outputdir=`get_abs_path "$2"`
 
-  echo "$1" | grep -qE '^(/var)?/tmp/'
-  T1="$?"
+#if [ "$AFL_ALLOW_TMP" = "" ]; then
+#
+#  echo "$inputdir" | grep -qE '^(/var)?/tmp/'
+#  T1="$?"
+#
+#  echo "$outputdir" | grep -qE '^(/var)?/tmp/'
+#  T2="$?"
+#
+#  if [ "$T1" = "0" -o "$T2" = "0" ]; then
+#
+#    echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
+#    exit 1
+#
+#  fi
+#
+#fi
 
-  echo "$2" | grep -qE '^(/var)?/tmp/'
-  T2="$?"
-
-  if [ "$T1" = "0" -o "$T2" = "0" ]; then
-
-    echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
-    exit 1
-
-  fi
-
-fi
-
-if [ ! -f "$1/plot_data" ]; then
+if [ ! -f "$inputdir/plot_data" ]; then
 
   echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2
   exit 1
 
 fi
 
-BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
+LINES=`cat "$inputdir/plot_data" | wc -l`
+
+if [ "$LINES" -lt 3 ]; then
+
+  echo "[-] Error: plot_data carries too little data, let it run longer." 1>&2
+  exit 1
+
+fi
+
+BANNER="`cat "$inputdir/fuzzer_stats" 2> /dev/null | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
 
 test "$BANNER" = "" && BANNER="(none)"
 
-GNUPLOT=`which gnuplot 2>/dev/null`
+GNUPLOT=`command -v gnuplot 2>/dev/null`
 
 if [ "$GNUPLOT" = "" ]; then
 
@@ -75,17 +90,17 @@ if [ "$GNUPLOT" = "" ]; then
 
 fi
 
-mkdir "$2" 2>/dev/null
+mkdir "$outputdir" 2>/dev/null
 
-if [ ! -d "$2" ]; then
+if [ ! -d "$outputdir" ]; then
 
   echo "[-] Error: unable to create the output directory - pick another location." 1>&2
   exit 1
 
 fi
 
-rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png"
-mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null
+rm -f "$outputdir/high_freq.png" "$outputdir/low_freq.png" "$outputdir/exec_speed.png"
+mv -f "$outputdir/index.html" "$outputdir/index.html.orig" 2>/dev/null
 
 echo "[*] Generating plots..."
 
@@ -94,7 +109,7 @@ echo "[*] Generating plots..."
 cat <<_EOF_
 set terminal png truecolor enhanced size 1000,300 butt
 
-set output '$2/high_freq.png'
+set output '$outputdir/high_freq.png'
 
 set xdata time
 set timefmt '%s'
@@ -112,31 +127,36 @@ set key outside
 set autoscale xfixmin
 set autoscale xfixmax
 
-plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
+set xlabel "all times in UTC" font "small"
+
+set ytics auto
+plot '$inputdir/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
      '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
      '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\
      '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\
      '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3
 
 set terminal png truecolor enhanced size 1000,200 butt
-set output '$2/low_freq.png'
+set output '$outputdir/low_freq.png'
 
-plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
+set ytics 1
+plot '$inputdir/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
      '' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\
      '' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\
      '' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3
 
 set terminal png truecolor enhanced size 1000,200 butt
-set output '$2/exec_speed.png'
+set output '$outputdir/exec_speed.png'
 
-plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
-     '$1/plot_data' using 1:11 with lines title '    execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
+set ytics auto
+plot '$inputdir/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
+     '$inputdir/plot_data' using 1:11 with lines title '    execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
 
 _EOF_
 
 ) | gnuplot 
 
-if [ ! -s "$2/exec_speed.png" ]; then
+if [ ! -s "$outputdir/exec_speed.png" ]; then
 
   echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2
   exit 1
@@ -145,10 +165,10 @@ fi
 
 echo "[*] Generating index.html..."
 
-cat >"$2/index.html" <<_EOF_
+cat >"$outputdir/index.html" <<_EOF_
 <table style="font-family: 'Trebuchet MS', 'Tahoma', 'Arial', 'Helvetica'">
 <tr><td style="width: 18ex"><b>Banner:</b></td><td>$BANNER</td></tr>
-<tr><td><b>Directory:</b></td><td>$1</td></tr>
+<tr><td><b>Directory:</b></td><td>$inputdir</td></tr>
 <tr><td><b>Generated on:</b></td><td>`date`</td></tr>
 </table>
 <p>
@@ -162,8 +182,8 @@ _EOF_
 # served by Apache or other HTTP daemon. Since the plots aren't horribly
 # sensitive, this seems like a reasonable trade-off.
 
-chmod 755 "$2"
-chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html"
+chmod 755 "$outputdir"
+chmod 644 "$outputdir/high_freq.png" "$outputdir/low_freq.png" "$outputdir/exec_speed.png" "$outputdir/index.html"
 
 echo "[+] All done - enjoy your charts!"
 

afl-showmap.c

@@ -1,709 +0,0 @@
-/*
-   american fuzzy lop - map display utility
-   ----------------------------------------
-
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
-
-   Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at:
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-   A very simple tool that runs the targeted binary and displays
-   the contents of the trace bitmap in a human-readable form. Useful in
-   scripts to eliminate redundant inputs and perform other checks.
-
-   Exit code is 2 if the target program crashes; 1 if it times out or
-   there is a problem executing it; or 0 if execution is successful.
-
- */
-
-#define AFL_MAIN
-
-#include "config.h"
-#include "types.h"
-#include "debug.h"
-#include "alloc-inl.h"
-#include "hash.h"
-#include "sharedmem.h"
-#include "afl-common.h"
-
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <errno.h>
-#include <signal.h>
-#include <dirent.h>
-#include <fcntl.h>
-
-#include <sys/wait.h>
-#include <sys/time.h>
-#include <sys/shm.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/resource.h>
-
-static s32 child_pid;                 /* PID of the tested program         */
-
-       u8* trace_bits;                /* SHM with instrumentation bitmap   */
-
-static u8 *out_file,                  /* Trace output file                 */
-          *doc_path,                  /* Path to docs                      */
-          *target_path,               /* Path to target binary             */
-          *at_file;                   /* Substitution string for @@        */
-
-static u32 exec_tmout;                /* Exec timeout (ms)                 */
-
-static u64 mem_limit = MEM_LIMIT;     /* Memory limit (MB)                 */
-
-static u8  quiet_mode,                /* Hide non-essential messages?      */
-           edges_only,                /* Ignore hit counts?                */
-           cmin_mode,                 /* Generate output in afl-cmin mode? */
-           binary_mode,               /* Write output as a binary map      */
-           keep_cores;                /* Allow coredumps?                  */
-
-static volatile u8
-           stop_soon,                 /* Ctrl-C pressed?                   */
-           child_timed_out,           /* Child timed out?                  */
-           child_crashed;             /* Child crashed?                    */
-
-/* Classify tuple counts. Instead of mapping to individual bits, as in
-   afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */
-
-static const u8 count_class_human[256] = {
-
-  [0]           = 0,
-  [1]           = 1,
-  [2]           = 2,
-  [3]           = 3,
-  [4 ... 7]     = 4,
-  [8 ... 15]    = 5,
-  [16 ... 31]   = 6,
-  [32 ... 127]  = 7,
-  [128 ... 255] = 8
-
-};
-
-static const u8 count_class_binary[256] = {
-
-  [0]           = 0,
-  [1]           = 1,
-  [2]           = 2,
-  [3]           = 4,
-  [4 ... 7]     = 8,
-  [8 ... 15]    = 16,
-  [16 ... 31]   = 32,
-  [32 ... 127]  = 64,
-  [128 ... 255] = 128
-
-};
-
-static void classify_counts(u8* mem, const u8* map) {
-
-  u32 i = MAP_SIZE;
-
-  if (edges_only) {
-
-    while (i--) {
-      if (*mem) *mem = 1;
-      mem++;
-    }
-
-  } else {
-
-    while (i--) {
-      *mem = map[*mem];
-      mem++;
-    }
-
-  }
-
-}
-
-
-/* Write results. */
-
-static u32 write_results(void) {
-
-  s32 fd;
-  u32 i, ret = 0;
-
-  u8  cco = !!getenv("AFL_CMIN_CRASHES_ONLY"),
-      caa = !!getenv("AFL_CMIN_ALLOW_ANY");
-
-  if (!strncmp(out_file, "/dev/", 5)) {
-
-    fd = open(out_file, O_WRONLY, 0600);
-    if (fd < 0) PFATAL("Unable to open '%s'", out_file);
-
-  } else if (!strcmp(out_file, "-")) {
-
-    fd = dup(1);
-    if (fd < 0) PFATAL("Unable to open stdout");
-
-  } else {
-
-    unlink(out_file); /* Ignore errors */
-    fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
-    if (fd < 0) PFATAL("Unable to create '%s'", out_file);
-
-  }
-
-
-  if (binary_mode) {
-
-    for (i = 0; i < MAP_SIZE; i++)
-      if (trace_bits[i]) ret++;
-    
-    ck_write(fd, trace_bits, MAP_SIZE, out_file);
-    close(fd);
-
-  } else {
-
-    FILE* f = fdopen(fd, "w");
-
-    if (!f) PFATAL("fdopen() failed");
-
-    for (i = 0; i < MAP_SIZE; i++) {
-
-      if (!trace_bits[i]) continue;
-      ret++;
-
-      if (cmin_mode) {
-
-        if (child_timed_out) break;
-        if (!caa && child_crashed != cco) break;
-
-        fprintf(f, "%u%u\n", trace_bits[i], i);
-
-      } else fprintf(f, "%06u:%u\n", i, trace_bits[i]);
-
-    }
-  
-    fclose(f);
-
-  }
-
-  return ret;
-
-}
-
-
-/* Handle timeout signal. */
-
-static void handle_timeout(int sig) {
-
-  child_timed_out = 1;
-  if (child_pid > 0) kill(child_pid, SIGKILL);
-
-}
-
-
-/* Execute target application. */
-
-static void run_target(char** argv) {
-
-  static struct itimerval it;
-  int status = 0;
-
-  if (!quiet_mode)
-    SAYF("-- Program output begins --\n" cRST);
-
-  MEM_BARRIER();
-
-  child_pid = fork();
-
-  if (child_pid < 0) PFATAL("fork() failed");
-
-  if (!child_pid) {
-
-    struct rlimit r;
-
-    if (quiet_mode) {
-
-      s32 fd = open("/dev/null", O_RDWR);
-
-      if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) {
-        *(u32*)trace_bits = EXEC_FAIL_SIG;
-        PFATAL("Descriptor initialization failed");
-      }
-
-      close(fd);
-
-    }
-
-    if (mem_limit) {
-
-      r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20;
-
-#ifdef RLIMIT_AS
-
-      setrlimit(RLIMIT_AS, &r); /* Ignore errors */
-
-#else
-
-      setrlimit(RLIMIT_DATA, &r); /* Ignore errors */
-
-#endif /* ^RLIMIT_AS */
-
-    }
-
-    if (!keep_cores) r.rlim_max = r.rlim_cur = 0;
-    else r.rlim_max = r.rlim_cur = RLIM_INFINITY;
-
-    setrlimit(RLIMIT_CORE, &r); /* Ignore errors */
-
-    if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0);
-
-    setsid();
-
-    execv(target_path, argv);
-
-    *(u32*)trace_bits = EXEC_FAIL_SIG;
-    exit(0);
-
-  }
-
-  /* Configure timeout, wait for child, cancel timeout. */
-
-  if (exec_tmout) {
-
-    child_timed_out = 0;
-    it.it_value.tv_sec = (exec_tmout / 1000);
-    it.it_value.tv_usec = (exec_tmout % 1000) * 1000;
-
-  }
-
-  setitimer(ITIMER_REAL, &it, NULL);
-
-  if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed");
-
-  child_pid = 0;
-  it.it_value.tv_sec = 0;
-  it.it_value.tv_usec = 0;
-  setitimer(ITIMER_REAL, &it, NULL);
-
-  MEM_BARRIER();
-
-  /* Clean up bitmap, analyze exit condition, etc. */
-
-  if (*(u32*)trace_bits == EXEC_FAIL_SIG)
-    FATAL("Unable to execute '%s'", argv[0]);
-
-  classify_counts(trace_bits, binary_mode ?
-                  count_class_binary : count_class_human);
-
-  if (!quiet_mode)
-    SAYF(cRST "-- Program output ends --\n");
-
-  if (!child_timed_out && !stop_soon && WIFSIGNALED(status))
-    child_crashed = 1;
-
-  if (!quiet_mode) {
-
-    if (child_timed_out)
-      SAYF(cLRD "\n+++ Program timed off +++\n" cRST);
-    else if (stop_soon)
-      SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST);
-    else if (child_crashed)
-      SAYF(cLRD "\n+++ Program killed by signal %u +++\n" cRST, WTERMSIG(status));
-
-  }
-
-
-}
-
-
-/* Handle Ctrl-C and the like. */
-
-static void handle_stop_sig(int sig) {
-
-  stop_soon = 1;
-
-  if (child_pid > 0) kill(child_pid, SIGKILL);
-
-}
-
-
-/* Do basic preparations - persistent fds, filenames, etc. */
-
-static void set_up_environment(void) {
-
-  setenv("ASAN_OPTIONS", "abort_on_error=1:"
-                         "detect_leaks=0:"
-                         "symbolize=0:"
-                         "allocator_may_return_null=1", 0);
-
-  setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
-                         "symbolize=0:"
-                         "abort_on_error=1:"
-                         "allocator_may_return_null=1:"
-                         "msan_track_origins=0", 0);
-
-  if (getenv("AFL_PRELOAD")) {
-    setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
-    setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1);
-  }
-
-}
-
-
-/* Setup signal handlers, duh. */
-
-static void setup_signal_handlers(void) {
-
-  struct sigaction sa;
-
-  sa.sa_handler   = NULL;
-  sa.sa_flags     = SA_RESTART;
-  sa.sa_sigaction = NULL;
-
-  sigemptyset(&sa.sa_mask);
-
-  /* Various ways of saying "stop". */
-
-  sa.sa_handler = handle_stop_sig;
-  sigaction(SIGHUP, &sa, NULL);
-  sigaction(SIGINT, &sa, NULL);
-  sigaction(SIGTERM, &sa, NULL);
-
-  /* Exec timeout notifications. */
-
-  sa.sa_handler = handle_timeout;
-  sigaction(SIGALRM, &sa, NULL);
-
-}
-
-
-/* Show banner. */
-
-static void show_banner(void) {
-
-  SAYF(cCYA "afl-showmap" VERSION cRST " by <lcamtuf@google.com>\n");
-
-}
-
-/* Display usage hints. */
-
-static void usage(u8* argv0) {
-
-  show_banner();
-
-  SAYF("\n%s [ options ] -- /path/to/target_app [ ... ]\n\n"
-
-       "Required parameters:\n\n"
-
-       "  -o file       - file to write the trace data to\n\n"
-
-       "Execution control settings:\n\n"
-
-       "  -t msec       - timeout for each run (none)\n"
-       "  -m megs       - memory limit for child process (%u MB)\n"
-       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
-       "  -U            - use Unicorn-based instrumentation (Unicorn mode)\n"
-       "                  (Not necessary, here for consistency with other afl-* tools)\n\n"  
-
-       "Other settings:\n\n"
-
-       "  -q            - sink program's output and don't show messages\n"
-       "  -e            - show edge coverage only, ignore hit counts\n"
-       "  -c            - allow core dumps\n\n"
-
-       "This tool displays raw tuple data captured by AFL instrumentation.\n"
-       "For additional help, consult %s/README.\n\n" cRST,
-
-       argv0, MEM_LIMIT, doc_path);
-
-  exit(1);
-
-}
-
-
-/* Find binary. */
-
-static void find_binary(u8* fname) {
-
-  u8* env_path = 0;
-  struct stat st;
-
-  if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
-
-    target_path = ck_strdup(fname);
-
-    if (stat(target_path, &st) || !S_ISREG(st.st_mode) ||
-        !(st.st_mode & 0111) || st.st_size < 4)
-      FATAL("Program '%s' not found or not executable", fname);
-
-  } else {
-
-    while (env_path) {
-
-      u8 *cur_elem, *delim = strchr(env_path, ':');
-
-      if (delim) {
-
-        cur_elem = ck_alloc(delim - env_path + 1);
-        memcpy(cur_elem, env_path, delim - env_path);
-        delim++;
-
-      } else cur_elem = ck_strdup(env_path);
-
-      env_path = delim;
-
-      if (cur_elem[0])
-        target_path = alloc_printf("%s/%s", cur_elem, fname);
-      else
-        target_path = ck_strdup(fname);
-
-      ck_free(cur_elem);
-
-      if (!stat(target_path, &st) && S_ISREG(st.st_mode) &&
-          (st.st_mode & 0111) && st.st_size >= 4) break;
-
-      ck_free(target_path);
-      target_path = 0;
-
-    }
-
-    if (!target_path) FATAL("Program '%s' not found or not executable", fname);
-
-  }
-
-}
-
-
-/* Fix up argv for QEMU. */
-
-static char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
-
-  char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
-  u8 *tmp, *cp, *rsl, *own_copy;
-
-  memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
-
-  new_argv[2] = target_path;
-  new_argv[1] = "--";
-
-  /* Now we need to actually find qemu for argv[0]. */
-
-  tmp = getenv("AFL_PATH");
-
-  if (tmp) {
-
-    cp = alloc_printf("%s/afl-qemu-trace", tmp);
-
-    if (access(cp, X_OK))
-      FATAL("Unable to find '%s'", tmp);
-
-    target_path = new_argv[0] = cp;
-    return new_argv;
-
-  }
-
-  own_copy = ck_strdup(own_loc);
-  rsl = strrchr(own_copy, '/');
-
-  if (rsl) {
-
-    *rsl = 0;
-
-    cp = alloc_printf("%s/afl-qemu-trace", own_copy);
-    ck_free(own_copy);
-
-    if (!access(cp, X_OK)) {
-
-      target_path = new_argv[0] = cp;
-      return new_argv;
-
-    }
-
-  } else ck_free(own_copy);
-
-  if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
-
-    target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace";
-    return new_argv;
-
-  }
-
-  FATAL("Unable to find 'afl-qemu-trace'.");
-
-}
-
-/* Main entry point */
-
-int main(int argc, char** argv) {
-
-  s32 opt;
-  u8  mem_limit_given = 0, timeout_given = 0, qemu_mode = 0, unicorn_mode = 0;
-  u32 tcnt;
-  char** use_argv;
-
-  doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
-
-  while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQUbc")) > 0)
-
-    switch (opt) {
-
-      case 'o':
-
-        if (out_file) FATAL("Multiple -o options not supported");
-        out_file = optarg;
-        break;
-
-      case 'm': {
-
-          u8 suffix = 'M';
-
-          if (mem_limit_given) FATAL("Multiple -m options not supported");
-          mem_limit_given = 1;
-
-          if (!strcmp(optarg, "none")) {
-
-            mem_limit = 0;
-            break;
-
-          }
-
-          if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 ||
-              optarg[0] == '-') FATAL("Bad syntax used for -m");
-
-          switch (suffix) {
-
-            case 'T': mem_limit *= 1024 * 1024; break;
-            case 'G': mem_limit *= 1024; break;
-            case 'k': mem_limit /= 1024; break;
-            case 'M': break;
-
-            default:  FATAL("Unsupported suffix or bad syntax for -m");
-
-          }
-
-          if (mem_limit < 5) FATAL("Dangerously low value of -m");
-
-          if (sizeof(rlim_t) == 4 && mem_limit > 2000)
-            FATAL("Value of -m out of range on 32-bit systems");
-
-        }
-
-        break;
-
-      case 't':
-
-        if (timeout_given) FATAL("Multiple -t options not supported");
-        timeout_given = 1;
-
-        if (strcmp(optarg, "none")) {
-          exec_tmout = atoi(optarg);
-
-          if (exec_tmout < 20 || optarg[0] == '-')
-            FATAL("Dangerously low value of -t");
-
-        }
-
-        break;
-
-      case 'e':
-
-        if (edges_only) FATAL("Multiple -e options not supported");
-        edges_only = 1;
-        break;
-
-      case 'q':
-
-        if (quiet_mode) FATAL("Multiple -q options not supported");
-        quiet_mode = 1;
-        break;
-
-      case 'Z':
-
-        /* This is an undocumented option to write data in the syntax expected
-           by afl-cmin. Nobody else should have any use for this. */
-
-        cmin_mode  = 1;
-        quiet_mode = 1;
-        break;
-
-      case 'A':
-
-        /* Another afl-cmin specific feature. */
-        at_file = optarg;
-        break;
-
-      case 'Q':
-
-        if (qemu_mode) FATAL("Multiple -Q options not supported");
-        if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU;
-
-        qemu_mode = 1;
-        break;
-
-      case 'U':
-
-        if (unicorn_mode) FATAL("Multiple -U options not supported");
-        if (!mem_limit_given) mem_limit = MEM_LIMIT_UNICORN;
-
-        unicorn_mode = 1;
-        break;
-
-      case 'b':
-
-        /* Secret undocumented mode. Writes output in raw binary format
-           similar to that dumped by afl-fuzz in <out_dir/queue/fuzz_bitmap. */
-
-        binary_mode = 1;
-        break;
-
-      case 'c':
-
-        if (keep_cores) FATAL("Multiple -c options not supported");
-        keep_cores = 1;
-        break;
-
-      default:
-
-        usage(argv[0]);
-
-    }
-
-  if (optind == argc || !out_file) usage(argv[0]);
-
-  setup_shm(0);
-  setup_signal_handlers();
-
-  set_up_environment();
-
-  find_binary(argv[optind]);
-
-  if (!quiet_mode) {
-    show_banner();
-    ACTF("Executing '%s'...\n", target_path);
-  }
-
-  detect_file_args(argv + optind, at_file);
-
-  if (qemu_mode)
-    use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind);
-  else
-    use_argv = argv + optind;
-
-  run_target(use_argv);
-
-  tcnt = write_results();
-
-  if (!quiet_mode) {
-
-    if (!tcnt) FATAL("No instrumentation detected" cRST);
-    OKF("Captured %u tuples in '%s'." cRST, tcnt, out_file);
-
-  }
-
-  exit(child_crashed * 2 + child_timed_out);
-
-}
-

afl-system-config

@@ -1,23 +1,83 @@
 #!/bin/sh
-echo This reconfigures the system to have a better fuzzing performance
+test "$1" = "-h" -o "$1" = "-hh" && {
+  echo 'afl-system-config by Marc Heuse <mh@mh-sec.de>'
+  echo
+  echo $0
+  echo
+  echo afl-system-config has no command line options
+  echo
+  echo afl-system reconfigures the system to a high performance fuzzing state
+  echo WARNING: this reduces the security of the system
+  echo
+  exit 1
+}
+
+DONE=
+PLATFORM=`uname -s`
+echo This reconfigures the system to have a better fuzzing performance.
 if [ '!' "$EUID" = 0 ] && [ '!' `id -u` = 0 ] ; then
-	echo Error you need to be root to run this
-	exit 1
+	echo "Warning: you need to be root to run this!"
+	# we do not exit as other mechanisms exist that allows to do this than
+	# being root. let the errors speak for themselves.
 fi
-sysctl -w kernel.core_pattern=core
-sysctl -w kernel.randomize_va_space=0
-sysctl -w kernel.sched_child_runs_first=1
-sysctl -w kernel.sched_autogroup_enabled=1
-sysctl -w kernel.sched_migration_cost_ns=50000000
-sysctl -w kernel.sched_latency_ns=250000000
-echo never > /sys/kernel/mm/transparent_hugepage/enabled
-test -e /sys/devices/system/cpu/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/scaling_governor
-test -e /sys/devices/system/cpu/cpufreq/policy0/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/policy*/scaling_governor
-test -e /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
-test -e /sys/devices/system/cpu/intel_pstate/no_turbo && echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
-test -e /sys/devices/system/cpu/cpufreq/boost && echo 1 > /sys/devices/system/cpu/cpufreq/boost
-echo
-echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
-echo '/etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"'
-echo
-echo Also use AFL_TMPDIR to use a tmpfs for the input file
+if [ "$PLATFORM" = "Linux" ] ; then
+{
+  sysctl -w kernel.core_pattern=core
+  sysctl -w kernel.randomize_va_space=0
+  sysctl -w kernel.sched_child_runs_first=1
+  sysctl -w kernel.sched_autogroup_enabled=1
+  sysctl -w kernel.sched_migration_cost_ns=50000000
+  sysctl -w kernel.sched_latency_ns=250000000
+  echo never > /sys/kernel/mm/transparent_hugepage/enabled
+  test -e /sys/devices/system/cpu/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/scaling_governor
+  test -e /sys/devices/system/cpu/cpufreq/policy0/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/policy*/scaling_governor
+  test -e /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
+  test -e /sys/devices/system/cpu/intel_pstate/no_turbo && echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
+  test -e /sys/devices/system/cpu/cpufreq/boost && echo 1 > /sys/devices/system/cpu/cpufreq/boost
+} > /dev/null
+  echo Settings applied.
+  dmesg | egrep -q 'nospectre_v2|spectre_v2=off' || {
+    echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
+    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"'
+  }
+  DONE=1
+fi
+if [ "$PLATFORM" = "FreeBSD" ] ; then
+{
+  sysctl kern.elf32.aslr.enable=0
+  sysctl kern.elf64.aslr.enable=0
+} > /dev/null
+  echo Settings applied.
+  echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
+  echo '  sysctl hw.ibrs_disable=1'
+  echo 'Setting kern.pmap.pg_ps_enabled=0 into /boot/loader.conf might be helpful too.'
+  DONE=1
+fi
+if [ "$PLATFORM" = "OpenBSD" ] ; then
+  echo
+  echo 'System security features cannot be disabled on OpenBSD.'
+  DONE=1
+fi
+if [ "$PLATFORM" = "NetBSD" ] ; then
+{
+  #echo It is recommended to enable unprivileged users to set cpu affinity
+  #echo to be able to use afl-gotcpu meaningfully.
+  /sbin/sysctl -w security.models.extensions.user_set_cpu_affinity=1
+} > /dev/null
+  echo Settings applied.
+  DONE=1
+fi
+if [ "$PLATFORM" = "Darwin" ] ; then
+  if [ $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') ] ; then
+    echo We unload the default crash reporter here
+    SL=/System/Library; PL=com.apple.ReportCrash
+    launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
+    sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist
+    echo Settings applied.
+  else
+    echo Nothing to do.
+  fi
+  DONE=1
+fi
+test -z "$DONE" && echo Error: Unknown platform: $PLATFORM
+test -z "$AFL_TMPDIR" && echo Also use AFL_TMPDIR and point it to a tmpfs for the input file caching

afl-whatsup

@@ -1,11 +1,12 @@
 #!/bin/sh
 #
-# american fuzzy lop - status check tool
-# --------------------------------------
+# american fuzzy lop++ - status check tool
+# ----------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Originally written by Michal Zalewski
 #
 # Copyright 2015 Google Inc. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,8 +18,16 @@
 # instances of afl-fuzz.
 #
 
-echo "status check tool for afl-fuzz by <lcamtuf@google.com>"
+echo "$0 status check tool for afl-fuzz by Michal Zalewski"
 echo
+test "$1" = "-h" -o "$1" = "-hh" && {
+  echo $0 [-s] output_directory
+  echo
+  echo Options:
+  echo   -s  -  skip details and output summary results only
+  echo
+  exit 1
+}
 
 if [ "$1" = "-s" ]; then
 
@@ -37,7 +46,7 @@ if [ "$DIR" = "" ]; then
   echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2
   echo 1>&2
   echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2
-  echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2
+  echo "just the summary results. See docs/parallel_fuzzing.md for additional tips." 1>&2
   echo 1>&2
   exit 1
 
@@ -52,9 +61,16 @@ if [ -d queue ]; then
 
 fi
 
+RED=`tput setaf 9 1 1`
+GREEN=`tput setaf 2 1 1`
+BLUE=`tput setaf 4 1 1`
+YELLOW=`tput setaf 11 1 1`
+NC=`tput sgr0`
+RESET="$NC"
+
 CUR_TIME=`date +%s`
 
-TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || exit 1
+TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
 
 ALIVE_CNT=0
 DEAD_CNT=0
@@ -66,6 +82,12 @@ TOTAL_CRASHES=0
 TOTAL_PFAV=0
 TOTAL_PENDING=0
 
+# Time since last path / crash / hang, formatted as string
+FMT_TIME="0 days 0 hours"
+FMT_PATH="${RED}none seen yet${NC}"
+FMT_CRASH="none seen yet"
+FMT_HANG="none seen yet"
+
 if [ "$SUMMARY_ONLY" = "" ]; then
 
   echo "Individual fuzzers"
@@ -74,6 +96,38 @@ if [ "$SUMMARY_ONLY" = "" ]; then
 
 fi
 
+fmt_duration()
+{
+  DUR_STRING=
+  if [ $1 -le 0 ]; then
+    return 1
+  fi
+
+  local duration=$((CUR_TIME - $1))
+  local days=$((duration / 60 / 60 / 24))
+  local hours=$(((duration / 60 / 60) % 24))
+  local minutes=$(((duration / 60) % 60))
+  local seconds=$((duration % 60))
+
+  if [ $duration -le 0 ]; then
+    DUR_STRING="0 seconds"
+  elif [ $duration -eq 1 ]; then
+    DUR_STRING="1 second"
+  elif [ $days -gt 0 ]; then
+    DUR_STRING="$days days, $hours hours"
+  elif [ $hours -gt 0 ]; then
+    DUR_STRING="$hours hours, $minutes minutes"
+  elif [ $minutes -gt 0 ]; then
+    DUR_STRING="$minutes minutes, $seconds seconds"
+  else
+    DUR_STRING="$seconds seconds"
+  fi
+}
+
+FIRST=true
+TOTAL_WCOP=
+TOTAL_LAST_PATH=0
+
 for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
 
   sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
@@ -83,9 +137,15 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
   RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24))
   RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24))
 
+  test -n "$cycles_wo_finds" && {
+    test -z "$FIRST" && TOTAL_WCOP="${TOTAL_WCOP}/"
+    TOTAL_WCOP="${TOTAL_WCOP}${cycles_wo_finds}"
+    FIRST=
+  }
+
   if [ "$SUMMARY_ONLY" = "" ]; then
 
-    echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<"
+    echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) fuzzer PID: $fuzzer_pid <<<"
     echo
 
   fi
@@ -106,7 +166,8 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
 
   ALIVE_CNT=$((ALIVE_CNT + 1))
 
-  EXEC_SEC=$((execs_done / RUN_UNIX))
+  EXEC_SEC=0
+  test -z "$RUN_UNIX" -o "$RUN_UNIX" = 0 || EXEC_SEC=$((execs_done / RUN_UNIX))
   PATH_PERC=$((cur_path * 100 / paths_total))
 
   TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
@@ -116,8 +177,43 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
   TOTAL_PENDING=$((TOTAL_PENDING + pending_total))
   TOTAL_PFAV=$((TOTAL_PFAV + pending_favs))
 
+  if [ "$last_path" -gt "$TOTAL_LAST_PATH" ]; then
+    TOTAL_LAST_PATH=$last_path
+  fi
+
   if [ "$SUMMARY_ONLY" = "" ]; then
 
+    # Warnings in red
+    TIMEOUT_PERC=$((exec_timeout * 100 / execs_done))
+    if [ $TIMEOUT_PERC -ge 10 ]; then
+      echo "  ${RED}timeout_ratio $TIMEOUT_PERC%${NC}"
+    fi
+
+    if [ $EXEC_SEC -eq 0 ]; then
+      echo "  ${YELLOW}no data yet, 0 execs/sec${NC}"
+    elif [ $EXEC_SEC -lt 100 ]; then
+      echo "  ${RED}slow execution, $EXEC_SEC execs/sec${NC}"
+    fi
+
+    fmt_duration $last_path && FMT_PATH=$DUR_STRING
+    fmt_duration $last_crash && FMT_CRASH=$DUR_STRING
+    fmt_duration $last_hang && FMT_HANG=$DUR_STRING
+    FMT_CWOP="not available"
+    test -n "$cycles_wo_finds" && {
+      test "$cycles_wo_finds" = 0 && FMT_CWOP="$cycles_wo_finds"
+      test "$cycles_wo_finds" -gt 10 && FMT_CWOP="${YELLOW}$cycles_wo_finds${NC}"
+      test "$cycles_wo_finds" -gt 50 && FMT_CWOP="${RED}$cycles_wo_finds${NC}"
+    }
+
+    echo "  last_path       : $FMT_PATH"
+    echo "  last_crash      : $FMT_CRASH"
+    echo "  last_hang       : $FMT_HANG"
+    echo "  cycles_wo_finds : $FMT_CWOP"
+
+    CPU_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $3}')
+    MEM_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $4}')
+
+    echo "  cpu usage $CPU_USAGE%, memory usage $MEM_USAGE%"
     echo "  cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)"
 
     if [ "$unique_crashes" = "0" ]; then
@@ -132,11 +228,28 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
 
 done
 
+# Formatting for total time, time since last path, crash, and hang
+fmt_duration $((CUR_TIME - TOTAL_TIME)) && FMT_TIME=$DUR_STRING
+# Formatting for total execution
+FMT_EXECS="0 millions"
+EXECS_MILLION=$((TOTAL_EXECS / 1000 / 1000))
+EXECS_THOUSAND=$((TOTAL_EXECS / 1000 % 1000))
+if [ $EXECS_MILLION -gt 9 ]; then
+  FMT_EXECS="$EXECS_MILLION millions"
+elif [ $EXECS_MILLION -gt 0 ]; then
+  FMT_EXECS="$EXECS_MILLION millions, $EXECS_THOUSAND thousands"
+else
+  FMT_EXECS="$EXECS_THOUSAND thousands"
+fi
+
 rm -f "$TMP"
 
 TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24))
 TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24))
 
+test -z "$TOTAL_WCOP" && TOTAL_WCOP="not available"
+fmt_duration $TOTAL_LAST_PATH && TOTAL_LAST_PATH=$DUR_STRING
+
 test "$TOTAL_TIME" = "0" && TOTAL_TIME=1
 
 echo "Summary stats"
@@ -148,9 +261,12 @@ if [ ! "$DEAD_CNT" = "0" ]; then
   echo "      Dead or remote : $DEAD_CNT (excluded from stats)"
 fi
 
-echo "      Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours"
-echo "         Total execs : $((TOTAL_EXECS / 1000 / 1000)) million"
+echo "      Total run time : $FMT_TIME"
+echo "         Total execs : $FMT_EXECS"
 echo "    Cumulative speed : $TOTAL_EPS execs/sec"
+if [ "$ALIVE_CNT" -gt "0" ]; then
+  echo "       Average speed : $((TOTAL_EPS / ALIVE_CNT)) execs/sec"
+fi
 echo "       Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total"
 
 if [ "$ALIVE_CNT" -gt "1" ]; then
@@ -158,6 +274,8 @@ if [ "$ALIVE_CNT" -gt "1" ]; then
 fi
 
 echo "       Crashes found : $TOTAL_CRASHES locally unique"
+echo "Cycles without finds : $TOTAL_WCOP"
+echo "  Time without finds : $TOTAL_LAST_PATH"
 echo
 
 exit 0

afl-wine-trace

@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+import pefile
+import shutil
+import subprocess
+
+if len(sys.argv) < 2:
+    print("[afl-wine-trace] usage: ./afl-wine-trace binary [args...]\n")
+    exit(1)
+
+if os.getenv("AFL_PATH"):
+    my_dir = os.getenv("AFL_PATH")
+else:
+    my_dir = os.path.dirname(os.path.abspath(__file__))
+
+os.environ["WINELOADERNOEXEC"] = "1"
+
+pe = pefile.PE(sys.argv[1])
+
+if "AFL_ENTRYPOINT" not in os.environ:
+    os.environ["AFL_ENTRYPOINT"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint)
+if not os.getenv("AFL_INST_LIBS"):
+    if "AFL_CODE_START" not in os.environ:
+        os.environ["AFL_CODE_START"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode)
+    if "AFL_CODE_END" not in os.environ:
+        os.environ["AFL_CODE_END"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode + pe.OPTIONAL_HEADER.SizeOfCode)
+
+if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so")
+else:
+    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction32.so")
+
+if os.getenv("WINECOV_QEMU_PATH"):
+    qemu_path = os.getenv("WINECOV_QEMU_PATH")
+elif os.path.exists(os.path.join(my_dir, "afl-qemu-trace")):
+    qemu_path = os.path.join(my_dir, "afl-qemu-trace")
+else:
+    qemu_path = "qemu-"
+    if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+        qemu_path += "x86_64"
+    elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
+        qemu_path += "i386"
+    else:
+        print ("[afl-wine-trace] unsuppoted architecture\n")
+        exit(1)
+    qemu_path = shutil.which(qemu_path)
+
+wine_path = None
+if os.getenv("AFL_WINE_PATH"):
+    wine_path = os.getenv("AFL_WINE_PATH")
+else:
+    if not wine_path and shutil.which("wine"):
+        wine_path = shutil.which("wine")
+    if not wine_path and os.path.exists("/usr/bin/wine"):
+        wine_path = "/usr/bin/wine"
+    if not wine_path and os.path.exists("/usr/lib/wine/wine"):
+        wine_path = "/usr/lib/wine/wine"
+    if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+        wine_path += "64"
+    elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
+        pass
+    else:
+        print ("[afl-wine-trace] unsopported architecture\n")
+        exit(1)
+
+argv = sys.argv[1:]
+for i in range(len(argv)):
+    if ".cur_input" in argv[i]:
+        # Get the Wine translated path using the winepath tool
+        arg_translated = subprocess.run([os.path.join(os.path.dirname(wine_path), "winepath"), "--windows", argv[i]], universal_newlines=True, stdout=subprocess.PIPE).stdout
+        # Remove the spurious LF at the end of the path
+        if len(arg_translated) > 0 and arg_translated[-1] == '\n':
+            arg_translated = arg_translated[:-1]
+        argv[i] = arg_translated
+        break
+
+print("[afl-wine-trace] exec:", " ".join([qemu_path, wine_path] + argv))
+os.execve(qemu_path, [qemu_path, wine_path] + argv, os.environ)

alloc-inl.h

@@ -1,582 +0,0 @@
-/*
-   american fuzzy lop - error-checking, memory-zeroing alloc routines
-   ------------------------------------------------------------------
-
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
-
-   Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at:
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-   This allocator is not designed to resist malicious attackers (the canaries
-   are small and predictable), but provides a robust and portable way to detect
-   use-after-free, off-by-one writes, stale pointers, and so on.
-
- */
-
-#ifndef _HAVE_ALLOC_INL_H
-#define _HAVE_ALLOC_INL_H
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "config.h"
-#include "types.h"
-#include "debug.h"
-
-/* User-facing macro to sprintf() to a dynamically allocated buffer. */
-
-#define alloc_printf(_str...) ({ \
-    u8* _tmp; \
-    s32 _len = snprintf(NULL, 0, _str); \
-    if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
-    _tmp = ck_alloc(_len + 1); \
-    snprintf((char*)_tmp, _len + 1, _str); \
-    _tmp; \
-  })
-
-/* Macro to enforce allocation limits as a last-resort defense against
-   integer overflows. */
-
-#define ALLOC_CHECK_SIZE(_s) do { \
-    if ((_s) > MAX_ALLOC) \
-      ABORT("Bad alloc request: %u bytes", (_s)); \
-  } while (0)
-
-/* Macro to check malloc() failures and the like. */
-
-#define ALLOC_CHECK_RESULT(_r, _s) do { \
-    if (!(_r)) \
-      ABORT("Out of memory: can't allocate %u bytes", (_s)); \
-  } while (0)
-
-/* Magic tokens used to mark used / freed chunks. */
-
-#define ALLOC_MAGIC_C1  0xFF00FF00 /* Used head (dword)  */
-#define ALLOC_MAGIC_F   0xFE00FE00 /* Freed head (dword) */
-#define ALLOC_MAGIC_C2  0xF0       /* Used tail (byte)   */
-
-/* Positions of guard tokens in relation to the user-visible pointer. */
-
-#define ALLOC_C1(_ptr)  (((u32*)(_ptr))[-2])
-#define ALLOC_S(_ptr)   (((u32*)(_ptr))[-1])
-#define ALLOC_C2(_ptr)  (((u8*)(_ptr))[ALLOC_S(_ptr)])
-
-#define ALLOC_OFF_HEAD  8
-#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1)
-
-/* Allocator increments for ck_realloc_block(). */
-
-#define ALLOC_BLK_INC    256
-
-/* Sanity-checking macros for pointers. */
-
-#define CHECK_PTR(_p) do { \
-    if (_p) { \
-      if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
-        if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
-          ABORT("Use after free."); \
-        else ABORT("Corrupted head alloc canary."); \
-      } \
-   } \
-  } while (0)
-
-/*
-#define CHECK_PTR(_p) do { \
-    if (_p) { \
-      if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
-        if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
-          ABORT("Use after free."); \
-        else ABORT("Corrupted head alloc canary."); \
-      } \
-      if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
-        ABORT("Corrupted tail alloc canary."); \
-    } \
-  } while (0)
-*/
-
-#define CHECK_PTR_EXPR(_p) ({ \
-    typeof (_p) _tmp = (_p); \
-    CHECK_PTR(_tmp); \
-    _tmp; \
-  })
-
-
-/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
-   requests. */
-
-static inline void* DFL_ck_alloc_nozero(u32 size) {
-
-  void* ret;
-
-  if (!size) return NULL;
-
-  ALLOC_CHECK_SIZE(size);
-  ret = malloc(size + ALLOC_OFF_TOTAL);
-  ALLOC_CHECK_RESULT(ret, size);
-
-  ret += ALLOC_OFF_HEAD;
-
-  ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
-  ALLOC_C2(ret) = ALLOC_MAGIC_C2;
-
-  return ret;
-
-}
-
-
-/* Allocate a buffer, returning zeroed memory. */
-
-static inline void* DFL_ck_alloc(u32 size) {
-
-  void* mem;
-
-  if (!size) return NULL;
-  mem = DFL_ck_alloc_nozero(size);
-
-  return memset(mem, 0, size);
-
-}
-
-
-/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
-   is set, the old memory will be also clobbered with 0xFF. */
-
-static inline void DFL_ck_free(void* mem) {
-
-  if (!mem) return;
-
-  CHECK_PTR(mem);
-
-#ifdef DEBUG_BUILD
-
-  /* Catch pointer issues sooner. */
-  memset(mem, 0xFF, ALLOC_S(mem));
-
-#endif /* DEBUG_BUILD */
-
-  ALLOC_C1(mem) = ALLOC_MAGIC_F;
-
-  free(mem - ALLOC_OFF_HEAD);
-
-}
-
-
-/* Re-allocate a buffer, checking for issues and zeroing any newly-added tail.
-   With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
-   old memory is clobbered with 0xFF. */
-
-static inline void* DFL_ck_realloc(void* orig, u32 size) {
-
-  void* ret;
-  u32   old_size = 0;
-
-  if (!size) {
-
-    DFL_ck_free(orig);
-    return NULL;
-
-  }
-
-  if (orig) {
-
-    CHECK_PTR(orig);
-
-#ifndef DEBUG_BUILD
-    ALLOC_C1(orig) = ALLOC_MAGIC_F;
-#endif /* !DEBUG_BUILD */
-
-    old_size  = ALLOC_S(orig);
-    orig     -= ALLOC_OFF_HEAD;
-
-    ALLOC_CHECK_SIZE(old_size);
-
-  }
-
-  ALLOC_CHECK_SIZE(size);
-
-#ifndef DEBUG_BUILD
-
-  ret = realloc(orig, size + ALLOC_OFF_TOTAL);
-  ALLOC_CHECK_RESULT(ret, size);
-
-#else
-
-  /* Catch pointer issues sooner: force relocation and make sure that the
-     original buffer is wiped. */
-
-  ret = malloc(size + ALLOC_OFF_TOTAL);
-  ALLOC_CHECK_RESULT(ret, size);
-
-  if (orig) {
-
-    memcpy(ret + ALLOC_OFF_HEAD, orig + ALLOC_OFF_HEAD, MIN(size, old_size));
-    memset(orig + ALLOC_OFF_HEAD, 0xFF, old_size);
-
-    ALLOC_C1(orig + ALLOC_OFF_HEAD) = ALLOC_MAGIC_F;
-
-    free(orig);
-
-  }
-
-#endif /* ^!DEBUG_BUILD */
-
-  ret += ALLOC_OFF_HEAD;
-
-  ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
-  ALLOC_C2(ret) = ALLOC_MAGIC_C2;
-
-  if (size > old_size)
-    memset(ret + old_size, 0, size - old_size);
-
-  return ret;
-
-}
-
-
-/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
-   repeated small reallocs without complicating the user code). */
-
-static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
-
-#ifndef DEBUG_BUILD
-
-  if (orig) {
-
-    CHECK_PTR(orig);
-
-    if (ALLOC_S(orig) >= size) return orig;
-
-    size += ALLOC_BLK_INC;
-
-  }
-
-#endif /* !DEBUG_BUILD */
-
-  return DFL_ck_realloc(orig, size);
-
-}
-
-
-/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
-
-static inline u8* DFL_ck_strdup(u8* str) {
-
-  void* ret;
-  u32   size;
-
-  if (!str) return NULL;
-
-  size = strlen((char*)str) + 1;
-
-  ALLOC_CHECK_SIZE(size);
-  ret = malloc(size + ALLOC_OFF_TOTAL);
-  ALLOC_CHECK_RESULT(ret, size);
-
-  ret += ALLOC_OFF_HEAD;
-
-  ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
-  ALLOC_C2(ret) = ALLOC_MAGIC_C2;
-
-  return memcpy(ret, str, size);
-
-}
-
-
-/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
-   or NULL inputs. */
-
-static inline void* DFL_ck_memdup(void* mem, u32 size) {
-
-  void* ret;
-
-  if (!mem || !size) return NULL;
-
-  ALLOC_CHECK_SIZE(size);
-  ret = malloc(size + ALLOC_OFF_TOTAL);
-  ALLOC_CHECK_RESULT(ret, size);
-  
-  ret += ALLOC_OFF_HEAD;
-
-  ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
-  ALLOC_C2(ret) = ALLOC_MAGIC_C2;
-
-  return memcpy(ret, mem, size);
-
-}
-
-
-/* Create a buffer with a block of text, appending a NUL terminator at the end.
-   Returns NULL for zero-sized or NULL inputs. */
-
-static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
-
-  u8* ret;
-
-  if (!mem || !size) return NULL;
-
-  ALLOC_CHECK_SIZE(size);
-  ret = malloc(size + ALLOC_OFF_TOTAL + 1);
-  ALLOC_CHECK_RESULT(ret, size);
-  
-  ret += ALLOC_OFF_HEAD;
-
-  ALLOC_C1(ret) = ALLOC_MAGIC_C1;
-  ALLOC_S(ret)  = size;
-  ALLOC_C2(ret) = ALLOC_MAGIC_C2;
-
-  memcpy(ret, mem, size);
-  ret[size] = 0;
-
-  return ret;
-
-}
-
-
-#ifndef DEBUG_BUILD
-
-/* In non-debug mode, we just do straightforward aliasing of the above functions
-   to user-visible names such as ck_alloc(). */
-
-#define ck_alloc          DFL_ck_alloc
-#define ck_alloc_nozero   DFL_ck_alloc_nozero
-#define ck_realloc        DFL_ck_realloc
-#define ck_realloc_block  DFL_ck_realloc_block
-#define ck_strdup         DFL_ck_strdup
-#define ck_memdup         DFL_ck_memdup
-#define ck_memdup_str     DFL_ck_memdup_str
-#define ck_free           DFL_ck_free
-
-#define alloc_report()
-
-#else
-
-/* In debugging mode, we also track allocations to detect memory leaks, and the
-   flow goes through one more layer of indirection. */
-
-/* Alloc tracking data structures: */
-
-#define ALLOC_BUCKETS     4096
-
-struct TRK_obj {
-  void *ptr;
-  char *file, *func;
-  u32  line;
-};
-
-#ifdef AFL_MAIN
-
-struct TRK_obj* TRK[ALLOC_BUCKETS];
-u32 TRK_cnt[ALLOC_BUCKETS];
-
-#  define alloc_report() TRK_report()
-
-#else
-
-extern struct TRK_obj* TRK[ALLOC_BUCKETS];
-extern u32 TRK_cnt[ALLOC_BUCKETS];
-
-#  define alloc_report()
-
-#endif /* ^AFL_MAIN */
-
-/* Bucket-assigning function for a given pointer: */
-
-#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS)
-
-
-/* Add a new entry to the list of allocated objects. */
-
-static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
-                                 u32 line) {
-
-  u32 i, bucket;
-
-  if (!ptr) return;
-
-  bucket = TRKH(ptr);
-
-  /* Find a free slot in the list of entries for that bucket. */
-
-  for (i = 0; i < TRK_cnt[bucket]; i++)
-
-    if (!TRK[bucket][i].ptr) {
-
-      TRK[bucket][i].ptr  = ptr;
-      TRK[bucket][i].file = (char*)file;
-      TRK[bucket][i].func = (char*)func;
-      TRK[bucket][i].line = line;
-      return;
-
-    }
-
-  /* No space available - allocate more. */
-
-  TRK[bucket] = DFL_ck_realloc_block(TRK[bucket],
-    (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
-
-  TRK[bucket][i].ptr  = ptr;
-  TRK[bucket][i].file = (char*)file;
-  TRK[bucket][i].func = (char*)func;
-  TRK[bucket][i].line = line;
-
-  TRK_cnt[bucket]++;
-
-}
-
-
-/* Remove entry from the list of allocated objects. */
-
-static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
-                                u32 line) {
-
-  u32 i, bucket;
-
-  if (!ptr) return;
-
-  bucket = TRKH(ptr);
-
-  /* Find the element on the list... */
-
-  for (i = 0; i < TRK_cnt[bucket]; i++)
-
-    if (TRK[bucket][i].ptr == ptr) {
-
-      TRK[bucket][i].ptr = 0;
-      return;
-
-    }
-
-  WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)",
-        func, file, line);
-
-}
-
-
-/* Do a final report on all non-deallocated objects. */
-
-static inline void TRK_report(void) {
-
-  u32 i, bucket;
-
-  fflush(0);
-
-  for (bucket = 0; bucket < ALLOC_BUCKETS; bucket++)
-    for (i = 0; i < TRK_cnt[bucket]; i++)
-      if (TRK[bucket][i].ptr)
-        WARNF("ALLOC: Memory never freed, created in %s (%s:%u)",
-              TRK[bucket][i].func, TRK[bucket][i].file, TRK[bucket][i].line);
-
-}
-
-
-/* Simple wrappers for non-debugging functions: */
-
-static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
-                                 u32 line) {
-
-  void* ret = DFL_ck_alloc(size);
-  TRK_alloc_buf(ret, file, func, line);
-  return ret;
-
-}
-
-
-static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
-                                   const char* func, u32 line) {
-
-  void* ret = DFL_ck_realloc(orig, size);
-  TRK_free_buf(orig, file, func, line);
-  TRK_alloc_buf(ret, file, func, line);
-  return ret;
-
-}
-
-
-static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
-                                         const char* func, u32 line) {
-
-  void* ret = DFL_ck_realloc_block(orig, size);
-  TRK_free_buf(orig, file, func, line);
-  TRK_alloc_buf(ret, file, func, line);
-  return ret;
-
-}
-
-
-static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
-                                  u32 line) {
-
-  void* ret = DFL_ck_strdup(str);
-  TRK_alloc_buf(ret, file, func, line);
-  return ret;
-
-}
-
-
-static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
-                                  const char* func, u32 line) {
-
-  void* ret = DFL_ck_memdup(mem, size);
-  TRK_alloc_buf(ret, file, func, line);
-  return ret;
-
-}
-
-
-static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
-                                      const char* func, u32 line) {
-
-  void* ret = DFL_ck_memdup_str(mem, size);
-  TRK_alloc_buf(ret, file, func, line);
-  return ret;
-
-}
-
-
-static inline void TRK_ck_free(void* ptr, const char* file,
-                                const char* func, u32 line) {
-
-  TRK_free_buf(ptr, file, func, line);
-  DFL_ck_free(ptr);
-
-}
-
-/* Aliasing user-facing names to tracking functions: */
-
-#define ck_alloc(_p1) \
-  TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
-
-#define ck_alloc_nozero(_p1) \
-  TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
-
-#define ck_realloc(_p1, _p2) \
-  TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
-
-#define ck_realloc_block(_p1, _p2) \
-  TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
-
-#define ck_strdup(_p1) \
-  TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__)
-
-#define ck_memdup(_p1, _p2) \
-  TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
-
-#define ck_memdup_str(_p1, _p2) \
-  TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
-
-#define ck_free(_p1) \
-  TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__)
-
-#endif /* ^!DEBUG_BUILD */
-
-#endif /* ! _HAVE_ALLOC_INL_H */

config.h

@@ -1,359 +0,0 @@
-/*
-   american fuzzy lop plus plus - vaguely configurable bits
-   ----------------------------------------------
-
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
-
-   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at:
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- */
-
-#ifndef _HAVE_CONFIG_H
-#define _HAVE_CONFIG_H
-
-#include "types.h"
-
-/* Version string: */
-
-#define VERSION             "++2.53c"
-
-/******************************************************
- *                                                    *
- *  Settings that may be of interest to power users:  *
- *                                                    *
- ******************************************************/
-
-/* Comment out to disable terminal colors (note that this makes afl-analyze
-   a lot less nice): */
-
-#define USE_COLOR
-
-/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
-
-#define FANCY_BOXES
-
-/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
-   also used for detecting hangs; the actual value is auto-scaled: */
-
-#define EXEC_TIMEOUT        1000
-
-/* Timeout rounding factor when auto-scaling (milliseconds): */
-
-#define EXEC_TM_ROUND       20
-
-/* Default memory limit for child process (MB): */
-
-#ifndef __x86_64__ 
-#  define MEM_LIMIT         25
-#else
-#  define MEM_LIMIT         50
-#endif /* ^!__x86_64__ */
-
-/* Default memory limit when running in QEMU mode (MB): */
-
-#define MEM_LIMIT_QEMU      200
-
-/* Default memory limit when running in Unicorn mode (MB): */
-
-#define MEM_LIMIT_UNICORN   200
-
-/* Number of calibration cycles per every new test case (and for test
-   cases that show variable behavior): */
-
-#define CAL_CYCLES          8
-#define CAL_CYCLES_LONG     40
-
-/* Number of subsequent timeouts before abandoning an input file: */
-
-#define TMOUT_LIMIT         250
-
-/* Maximum number of unique hangs or crashes to record: */
-
-#define KEEP_UNIQUE_HANG    500
-#define KEEP_UNIQUE_CRASH   5000
-
-/* Baseline number of random tweaks during a single 'havoc' stage: */
-
-#define HAVOC_CYCLES        256
-#define HAVOC_CYCLES_INIT   1024
-
-/* Maximum multiplier for the above (should be a power of two, beware
-   of 32-bit int overflows): */
-
-#define HAVOC_MAX_MULT      16
-#define HAVOC_MAX_MULT_MOPT 32
-
-/* Absolute minimum number of havoc cycles (after all adjustments): */
-
-#define HAVOC_MIN           16
-
-/* Power Schedule Divisor */
-#define POWER_BETA          1
-#define MAX_FACTOR          (POWER_BETA * 32)
-
-/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
-   like this: 
-
-   n = random between 1 and HAVOC_STACK_POW2
-   stacking = 2^n
-
-   In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
-   128 stacked tweaks: */
-
-#define HAVOC_STACK_POW2    7
-
-/* Caps on block sizes for cloning and deletion operations. Each of these
-   ranges has a 33% probability of getting picked, except for the first
-   two cycles where smaller blocks are favored: */
-
-#define HAVOC_BLK_SMALL     32
-#define HAVOC_BLK_MEDIUM    128
-#define HAVOC_BLK_LARGE     1500
-
-/* Extra-large blocks, selected very rarely (<5% of the time): */
-
-#define HAVOC_BLK_XL        32768
-
-/* Probabilities of skipping non-favored entries in the queue, expressed as
-   percentages: */
-
-#define SKIP_TO_NEW_PROB    99 /* ...when there are new, pending favorites */
-#define SKIP_NFAV_OLD_PROB  95 /* ...no new favs, cur entry already fuzzed */
-#define SKIP_NFAV_NEW_PROB  75 /* ...no new favs, cur entry not fuzzed yet */
-
-/* Splicing cycle count: */
-
-#define SPLICE_CYCLES       15
-
-/* Nominal per-splice havoc cycle length: */
-
-#define SPLICE_HAVOC        32
-
-/* Maximum offset for integer addition / subtraction stages: */
-
-#define ARITH_MAX           35
-
-/* Limits for the test case trimmer. The absolute minimum chunk size; and
-   the starting and ending divisors for chopping up the input file: */
-
-#define TRIM_MIN_BYTES      4
-#define TRIM_START_STEPS    16
-#define TRIM_END_STEPS      1024
-
-/* Maximum size of input file, in bytes (keep under 100MB): */
-
-#define MAX_FILE            (1 * 1024 * 1024)
-
-/* The same, for the test case minimizer: */
-
-#define TMIN_MAX_FILE       (10 * 1024 * 1024)
-
-/* Block normalization steps for afl-tmin: */
-
-#define TMIN_SET_MIN_SIZE   4
-#define TMIN_SET_STEPS      128
-
-/* Maximum dictionary token size (-x), in bytes: */
-
-#define MAX_DICT_FILE       128
-
-/* Length limits for auto-detected dictionary tokens: */
-
-#define MIN_AUTO_EXTRA      3
-#define MAX_AUTO_EXTRA      32
-
-/* Maximum number of user-specified dictionary tokens to use in deterministic
-   steps; past this point, the "extras/user" step will be still carried out,
-   but with proportionally lower odds: */
-
-#define MAX_DET_EXTRAS      200
-
-/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
-   (first value), and to keep in memory as candidates. The latter should be much
-   higher than the former. */
-
-#define USE_AUTO_EXTRAS     50
-#define MAX_AUTO_EXTRAS     (USE_AUTO_EXTRAS * 10)
-
-/* Scaling factor for the effector map used to skip some of the more
-   expensive deterministic steps. The actual divisor is set to
-   2^EFF_MAP_SCALE2 bytes: */
-
-#define EFF_MAP_SCALE2      3
-
-/* Minimum input file length at which the effector logic kicks in: */
-
-#define EFF_MIN_LEN         128
-
-/* Maximum effector density past which everything is just fuzzed
-   unconditionally (%): */
-
-#define EFF_MAX_PERC        90
-
-/* UI refresh frequency (Hz): */
-
-#define UI_TARGET_HZ        5
-
-/* Fuzzer stats file and plot update intervals (sec): */
-
-#define STATS_UPDATE_SEC    60
-#define PLOT_UPDATE_SEC     5
-
-/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
-
-#define AVG_SMOOTHING       16
-
-/* Sync interval (every n havoc cycles): */
-
-#define SYNC_INTERVAL       5
-
-/* Output directory reuse grace period (minutes): */
-
-#define OUTPUT_GRACE        25
-
-/* Uncomment to use simple file names (id_NNNNNN): */
-
-// #define SIMPLE_FILES
-
-/* List of interesting values to use in fuzzing. */
-
-#define INTERESTING_8 \
-  -128,          /* Overflow signed 8-bit when decremented  */ \
-  -1,            /*                                         */ \
-   0,            /*                                         */ \
-   1,            /*                                         */ \
-   16,           /* One-off with common buffer size         */ \
-   32,           /* One-off with common buffer size         */ \
-   64,           /* One-off with common buffer size         */ \
-   100,          /* One-off with common buffer size         */ \
-   127           /* Overflow signed 8-bit when incremented  */
-
-#define INTERESTING_16 \
-  -32768,        /* Overflow signed 16-bit when decremented */ \
-  -129,          /* Overflow signed 8-bit                   */ \
-   128,          /* Overflow signed 8-bit                   */ \
-   255,          /* Overflow unsig 8-bit when incremented   */ \
-   256,          /* Overflow unsig 8-bit                    */ \
-   512,          /* One-off with common buffer size         */ \
-   1000,         /* One-off with common buffer size         */ \
-   1024,         /* One-off with common buffer size         */ \
-   4096,         /* One-off with common buffer size         */ \
-   32767         /* Overflow signed 16-bit when incremented */
-
-#define INTERESTING_32 \
-  -2147483648LL, /* Overflow signed 32-bit when decremented */ \
-  -100663046,    /* Large negative number (endian-agnostic) */ \
-  -32769,        /* Overflow signed 16-bit                  */ \
-   32768,        /* Overflow signed 16-bit                  */ \
-   65535,        /* Overflow unsig 16-bit when incremented  */ \
-   65536,        /* Overflow unsig 16 bit                   */ \
-   100663045,    /* Large positive number (endian-agnostic) */ \
-   2147483647    /* Overflow signed 32-bit when incremented */
-
-/***********************************************************
- *                                                         *
- *  Really exotic stuff you probably don't want to touch:  *
- *                                                         *
- ***********************************************************/
-
-/* Call count interval between reseeding the libc PRNG from /dev/urandom: */
-
-#define RESEED_RNG          10000
-
-/* Maximum line length passed from GCC to 'as' and used for parsing
-   configuration files: */
-
-#define MAX_LINE            8192
-
-/* Environment variable used to pass SHM ID to the called program. */
-
-#define SHM_ENV_VAR         "__AFL_SHM_ID"
-
-/* Other less interesting, internal-only variables. */
-
-#define CLANG_ENV_VAR       "__AFL_CLANG_MODE"
-#define AS_LOOP_ENV_VAR     "__AFL_AS_LOOPCHECK"
-#define PERSIST_ENV_VAR     "__AFL_PERSISTENT"
-#define DEFER_ENV_VAR       "__AFL_DEFER_FORKSRV"
-
-/* In-code signatures for deferred and persistent mode. */
-
-#define PERSIST_SIG         "##SIG_AFL_PERSISTENT##"
-#define DEFER_SIG           "##SIG_AFL_DEFER_FORKSRV##"
-
-/* Distinctive bitmap signature used to indicate failed execution: */
-
-#define EXEC_FAIL_SIG       0xfee1dead
-
-/* Distinctive exit code used to indicate MSAN trip condition: */
-
-#define MSAN_ERROR          86
-
-/* Designated file descriptors for forkserver commands (the application will
-   use FORKSRV_FD and FORKSRV_FD + 1): */
-
-#define FORKSRV_FD          198
-
-/* Fork server init timeout multiplier: we'll wait the user-selected
-   timeout plus this much for the fork server to spin up. */
-
-#define FORK_WAIT_MULT      10
-
-/* Calibration timeout adjustments, to be a bit more generous when resuming
-   fuzzing sessions or trying to calibrate already-added internal finds.
-   The first value is a percentage, the other is in milliseconds: */
-
-#define CAL_TMOUT_PERC      125
-#define CAL_TMOUT_ADD       50
-
-/* Number of chances to calibrate a case before giving up: */
-
-#define CAL_CHANCES         3
-
-/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
-   2; you probably want to keep it under 18 or so for performance reasons
-   (adjusting AFL_INST_RATIO when compiling is probably a better way to solve
-   problems with complex programs). You need to recompile the target binary
-   after changing this - otherwise, SEGVs may ensue. */
-
-#define MAP_SIZE_POW2       16
-#define MAP_SIZE            (1 << MAP_SIZE_POW2)
-
-/* Maximum allocator request size (keep well under INT_MAX): */
-
-#define MAX_ALLOC           0x40000000
-
-/* A made-up hashing seed: */
-
-#define HASH_CONST          0xa5b35705
-
-/* Constants for afl-gotcpu to control busy loop timing: */
-
-#define  CTEST_TARGET_MS    5000
-#define  CTEST_CORE_TRG_MS  1000
-#define  CTEST_BUSY_CYCLES  (10 * 1000 * 1000)
-
-/* Uncomment this to use inferior block-coverage-based instrumentation. Note
-   that you need to recompile the target binary for this to have any effect: */
-
-// #define COVERAGE_ONLY
-
-/* Uncomment this to ignore hit counts and output just one bit per tuple.
-   As with the previous setting, you will need to recompile the target
-   binary: */
-
-// #define SKIP_COUNTS
-
-/* Uncomment this to use instrumentation data to record newly discovered paths,
-   but do not use them as seeds for fuzzing. This is useful for conveniently
-   measuring coverage that could be attained by a "dumb" fuzzing algorithm: */
-
-// #define IGNORE_FINDS
-
-#endif /* ! _HAVE_CONFIG_H */

config.h

@@ -0,0 +1 @@
+include/config.h

custom_mutators/README.md

@@ -0,0 +1,52 @@
+# Custom Mutators
+
+Custom mutators enhance and alter the mutation strategies of afl++.
+For further information and documentation on how to write your own, read [the docs](../docs/custom_mutators.md).
+
+## The afl++ Grammar Mutator
+
+If you use git to clone afl++, then the following will incorporate our
+excellent grammar custom mutator:
+```
+git submodule init
+git submodule update
+```
+
+otherwise just checkout the repository here with either
+`git clone https://github.com/AFLplusplus/Grammar-Mutator` or
+`svn co https://github.com/AFLplusplus/Grammar-Mutator`.
+
+Read the [Grammar-Mutator/README.md](Grammar-Mutator/README.md) on how to use
+it.
+
+## Production-Ready Custom Mutators
+
+This directory holds ready to use custom mutators.
+Just type "make" in the individual subdirectories.
+
+Use with e.g.
+
+`AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/radamsa/radamsa-mutator.so afl-fuzz ....`
+
+and add `AFL_CUSTOM_MUTATOR_ONLY=1` if you only want to use the custom mutator.
+
+Multiple custom mutators can be used by separating their paths with `:` in the environment variable.
+
+## 3rd Party Custom Mutators
+
+### Superion Mutators
+
+Adrian Tiron ported the Superion grammar fuzzer to afl++, it is WIP and
+requires cmake (among other things):
+[https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)
+
+### libprotobuf Mutators
+
+There are two WIP protobuf projects, that require work to be working though:
+
+transforms protobuf raw:
+https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator
+
+has a transform function you need to fill for your protobuf format, however
+needs to be ported to the updated afl++ custom mutator API (not much work):
+https://github.com/thebabush/afl-libprotobuf-mutator

custom_mutators/honggfuzz/Makefile

@@ -0,0 +1,17 @@
+
+CFLAGS = -O3 -funroll-loops -fPIC -Wl,-Bsymbolic
+
+all: honggfuzz.so
+
+honggfuzz.so:	honggfuzz.c input.h mangle.c ../../src/afl-performance.c
+	$(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz.so honggfuzz.c mangle.c ../../src/afl-performance.c
+
+update:
+	@# seriously? --unlink is a dud option? sigh ...
+	rm -f mangle.c mangle.h honggfuzz.h
+	wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.c
+	wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.h
+	wget --unlink https://github.com/google/honggfuzz/raw/master/honggfuzz.h
+
+clean:
+	rm -f *.o *~ *.so core

custom_mutators/honggfuzz/README.md

@@ -0,0 +1,12 @@
+# custum mutator: honggfuzz mangle
+
+this is the very good honggfuzz mutator in mangle.c as a custom mutator
+module for afl++. It is the original mangle.c, mangle.h and honggfuzz.h
+with a lot of mocking around it :-)
+
+just type `make` to build
+
+```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/honggfuzz/honggfuzz.so afl-fuzz ...```
+
+> Original repository: https://github.com/google/honggfuzz
+> Source commit: d0fbcb0373c32436b8fb922e6937da93b17291f5

custom_mutators/honggfuzz/custom_mutator_helpers.h

@@ -0,0 +1,22 @@
+#ifndef CUSTOM_MUTATOR_HELPERS
+#define CUSTOM_MUTATOR_HELPERS
+
+#include "config.h"
+#include "types.h"
+#include "afl-fuzz.h"
+#include <stdlib.h>
+
+#define INITIAL_GROWTH_SIZE (64)
+
+/* Use in a struct: creates a name_buf and a name_size variable. */
+#define BUF_VAR(type, name) \
+  type * name##_buf;        \
+  size_t name##_size;
+/* this filles in `&structptr->something_buf, &structptr->something_size`. */
+#define BUF_PARAMS(struct, name) \
+  (void **)&struct->name##_buf, &struct->name##_size
+
+#undef INITIAL_GROWTH_SIZE
+
+#endif
+

custom_mutators/honggfuzz/honggfuzz.c

@@ -0,0 +1,143 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "custom_mutator_helpers.h"
+#include "mangle.h"
+
+#define NUMBER_OF_MUTATIONS 5
+
+uint8_t *         queue_input;
+size_t            queue_input_size;
+afl_state_t *     afl_struct;
+run_t             run;
+honggfuzz_t       global;
+struct _dynfile_t dynfile;
+
+typedef struct my_mutator {
+
+  afl_state_t *afl;
+  run_t *      run;
+  u8 *         mutator_buf;
+  unsigned int seed;
+  unsigned int extras_cnt, a_extras_cnt;
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
+
+  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  if ((data->mutator_buf = malloc(MAX_FILE)) == NULL) {
+
+    perror("mutator_buf alloc");
+    return NULL;
+
+  }
+
+  run.dynfile = &dynfile;
+  run.global = &global;
+  data->afl = afl;
+  data->seed = seed;
+  data->run = &run;
+  afl_struct = afl;
+
+  run.global->mutate.maxInputSz = MAX_FILE;
+  run.global->mutate.mutationsPerRun = NUMBER_OF_MUTATIONS;
+  run.mutationsPerRun = NUMBER_OF_MUTATIONS;
+  run.global->timing.lastCovUpdate = 6;
+
+  // global->feedback.cmpFeedback
+  // global->feedback.cmpFeedbackMap
+
+  return data;
+
+}
+
+/* When a new queue entry is added we check if there are new dictionary
+   entries to add to honggfuzz structure */
+
+void afl_custom_queue_new_entry(my_mutator_t * data,
+                                const uint8_t *filename_new_queue,
+                                const uint8_t *filename_orig_queue) {
+
+  if (run.global->mutate.dictionaryCnt >= 1024) return;
+
+  while (data->extras_cnt < data->afl->extras_cnt &&
+         run.global->mutate.dictionaryCnt < 1024) {
+
+    memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val,
+           data->afl->extras[data->extras_cnt].data,
+           data->afl->extras[data->extras_cnt].len);
+    run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len =
+        data->afl->extras[data->extras_cnt].len;
+    run.global->mutate.dictionaryCnt++;
+    data->extras_cnt++;
+
+  }
+
+  while (data->a_extras_cnt < data->afl->a_extras_cnt &&
+         run.global->mutate.dictionaryCnt < 1024) {
+
+    memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val,
+           data->afl->a_extras[data->a_extras_cnt].data,
+           data->afl->a_extras[data->a_extras_cnt].len);
+    run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len =
+        data->afl->a_extras[data->a_extras_cnt].len;
+    run.global->mutate.dictionaryCnt++;
+    data->a_extras_cnt++;
+
+  }
+
+}
+
+/* we could set only_printable if is_ascii is set ... let's see
+uint8_t afl_custom_queue_get(void *data, const uint8_t *filename) {
+
+  //run.global->cfg.only_printable = ...
+
+}
+
+*/
+
+/* here we run the honggfuzz mutator, which is really good */
+
+size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
+                       u8 **out_buf, uint8_t *add_buf, size_t add_buf_size,
+                       size_t max_size) {
+
+  /* set everything up, costly ... :( */
+  memcpy(data->mutator_buf, buf, buf_size);
+  queue_input = data->mutator_buf;
+  run.dynfile->data = data->mutator_buf;
+  queue_input_size = buf_size;
+  run.dynfile->size = buf_size;
+  *out_buf = data->mutator_buf;
+
+  /* the mutation */
+  mangle_mangleContent(&run, NUMBER_OF_MUTATIONS);
+
+  /* return size of mutated data */
+  return run.dynfile->size;
+
+}
+
+/**
+ * Deinitialize everything
+ *
+ * @param data The data ptr from afl_custom_init
+ */
+void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data->mutator_buf);
+  free(data);
+
+}
+

custom_mutators/honggfuzz/honggfuzz.h

@@ -0,0 +1,385 @@
+/*
+ *
+ * honggfuzz - core structures and macros
+ * -----------------------------------------
+ *
+ * Author: Robert Swiecki <swiecki@google.com>
+ *
+ * Copyright 2010-2018 by Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ *
+ */
+
+#ifndef _HF_HONGGFUZZ_H_
+#define _HF_HONGGFUZZ_H_
+
+#include <dirent.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <sys/param.h>
+#include <sys/queue.h>
+#include <sys/types.h>
+#include <time.h>
+
+#include "libhfcommon/util.h"
+
+#define PROG_NAME    "honggfuzz"
+#define PROG_VERSION "2.3"
+
+/* Name of the template which will be replaced with the proper name of the file */
+#define _HF_FILE_PLACEHOLDER "___FILE___"
+
+/* Default name of the report created with some architectures */
+#define _HF_REPORT_FILE "HONGGFUZZ.REPORT.TXT"
+
+/* Default stack-size of created threads. */
+#define _HF_PTHREAD_STACKSIZE (1024ULL * 1024ULL * 2ULL) /* 2MB */
+
+/* Name of envvar which indicates sequential number of fuzzer */
+#define _HF_THREAD_NO_ENV "HFUZZ_THREAD_NO"
+
+/* Name of envvar which indicates that the netDriver should be used */
+#define _HF_THREAD_NETDRIVER_ENV "HFUZZ_USE_NETDRIVER"
+
+/* Name of envvar which indicates honggfuzz's log level in use */
+#define _HF_LOG_LEVEL_ENV "HFUZZ_LOG_LEVEL"
+
+/* Number of crash verifier iterations before tag crash as stable */
+#define _HF_VERIFIER_ITER 5
+
+/* Size (in bytes) for report data to be stored in stack before written to file */
+#define _HF_REPORT_SIZE 32768
+
+/* Perf bitmap size */
+#define _HF_PERF_BITMAP_SIZE_16M   (1024U * 1024U * 16U)
+#define _HF_PERF_BITMAP_BITSZ_MASK 0x7FFFFFFULL
+/* Maximum number of PC guards (=trace-pc-guard) we support */
+#define _HF_PC_GUARD_MAX (1024ULL * 1024ULL * 64ULL)
+
+/* Maximum size of the input file in bytes (1 MiB) */
+#define _HF_INPUT_MAX_SIZE (1024ULL * 1024ULL)
+
+/* Default maximum size of produced inputs */
+#define _HF_INPUT_DEFAULT_SIZE (1024ULL * 8)
+
+/* Per-thread bitmap */
+#define _HF_PERTHREAD_BITMAP_FD 1018
+/* FD used to report back used int/str constants from the fuzzed process */
+#define _HF_CMP_BITMAP_FD 1019
+/* FD used to log inside the child process */
+#define _HF_LOG_FD 1020
+/* FD used to represent the input file */
+#define _HF_INPUT_FD 1021
+/* FD used to pass coverage feedback from the fuzzed process */
+#define _HF_COV_BITMAP_FD 1022
+#define _HF_BITMAP_FD     _HF_COV_BITMAP_FD /* Old name for _HF_COV_BITMAP_FD */
+/* FD used to pass data to a persistent process */
+#define _HF_PERSISTENT_FD 1023
+
+/* Input file as a string */
+#define _HF_INPUT_FILE_PATH "/dev/fd/" HF_XSTR(_HF_INPUT_FD)
+
+/* Maximum number of supported execve() args */
+#define _HF_ARGS_MAX 2048
+
+/* Message indicating that the fuzzed process is ready for new data */
+static const uint8_t HFReadyTag = 'R';
+
+/* Maximum number of active fuzzing threads */
+#define _HF_THREAD_MAX 1024U
+
+/* Persistent-binary signature - if found within file, it means it's a persistent mode binary */
+#define _HF_PERSISTENT_SIG "\x01_LIBHFUZZ_PERSISTENT_BINARY_SIGNATURE_\x02\xFF"
+/* HF NetDriver signature - if found within file, it means it's a NetDriver-based binary */
+#define _HF_NETDRIVER_SIG "\x01_LIBHFUZZ_NETDRIVER_BINARY_SIGNATURE_\x02\xFF"
+
+/* printf() nonmonetary separator. According to MacOSX's man it's supported there as well */
+#define _HF_NONMON_SEP "'"
+
+typedef enum {
+    _HF_DYNFILE_NONE         = 0x0,
+    _HF_DYNFILE_INSTR_COUNT  = 0x1,
+    _HF_DYNFILE_BRANCH_COUNT = 0x2,
+    _HF_DYNFILE_BTS_EDGE     = 0x10,
+    _HF_DYNFILE_IPT_BLOCK    = 0x20,
+    _HF_DYNFILE_SOFT         = 0x40,
+} dynFileMethod_t;
+
+typedef struct {
+    uint64_t cpuInstrCnt;
+    uint64_t cpuBranchCnt;
+    uint64_t bbCnt;
+    uint64_t newBBCnt;
+    uint64_t softCntPc;
+    uint64_t softCntEdge;
+    uint64_t softCntCmp;
+} hwcnt_t;
+
+typedef enum {
+    _HF_STATE_UNSET = 0,
+    _HF_STATE_STATIC,
+    _HF_STATE_DYNAMIC_DRY_RUN,
+    _HF_STATE_DYNAMIC_MAIN,
+    _HF_STATE_DYNAMIC_MINIMIZE,
+} fuzzState_t;
+
+typedef enum {
+    HF_MAYBE = -1,
+    HF_NO    = 0,
+    HF_YES   = 1,
+} tristate_t;
+
+struct _dynfile_t {
+    size_t             size;
+    uint64_t           cov[4];
+    size_t             idx;
+    int                fd;
+    uint64_t           timeExecUSecs;
+    char               path[PATH_MAX];
+    struct _dynfile_t* src;
+    uint32_t           refs;
+    uint8_t*           data;
+    TAILQ_ENTRY(_dynfile_t) pointers;
+};
+
+typedef struct _dynfile_t dynfile_t;
+
+struct strings_t {
+    size_t len;
+    TAILQ_ENTRY(strings_t) pointers;
+    char s[];
+};
+
+typedef struct {
+    uint8_t  pcGuardMap[_HF_PC_GUARD_MAX];
+    uint8_t  bbMapPc[_HF_PERF_BITMAP_SIZE_16M];
+    uint32_t bbMapCmp[_HF_PERF_BITMAP_SIZE_16M];
+    uint64_t pidNewPC[_HF_THREAD_MAX];
+    uint64_t pidNewEdge[_HF_THREAD_MAX];
+    uint64_t pidNewCmp[_HF_THREAD_MAX];
+    uint64_t guardNb;
+    uint64_t pidTotalPC[_HF_THREAD_MAX];
+    uint64_t pidTotalEdge[_HF_THREAD_MAX];
+    uint64_t pidTotalCmp[_HF_THREAD_MAX];
+} feedback_t;
+
+typedef struct {
+    uint32_t cnt;
+    struct {
+        uint8_t  val[32];
+        uint32_t len;
+    } valArr[1024 * 16];
+} cmpfeedback_t;
+
+typedef struct {
+    struct {
+        size_t    threadsMax;
+        size_t    threadsFinished;
+        uint32_t  threadsActiveCnt;
+        pthread_t mainThread;
+        pid_t     mainPid;
+        pthread_t threads[_HF_THREAD_MAX];
+    } threads;
+    struct {
+        const char* inputDir;
+        const char* outputDir;
+        DIR*        inputDirPtr;
+        size_t      fileCnt;
+        size_t      testedFileCnt;
+        const char* fileExtn;
+        size_t      maxFileSz;
+        size_t      newUnitsAdded;
+        char        workDir[PATH_MAX];
+        const char* crashDir;
+        const char* covDirNew;
+        bool        saveUnique;
+        size_t      dynfileqMaxSz;
+        size_t      dynfileqCnt;
+        dynfile_t*  dynfileqCurrent;
+        dynfile_t*  dynfileq2Current;
+        TAILQ_HEAD(dyns_t, _dynfile_t) dynfileq;
+        bool exportFeedback;
+    } io;
+    struct {
+        int                argc;
+        const char* const* cmdline;
+        bool               nullifyStdio;
+        bool               fuzzStdin;
+        const char*        externalCommand;
+        const char*        postExternalCommand;
+        const char*        feedbackMutateCommand;
+        bool               netDriver;
+        bool               persistent;
+        uint64_t           asLimit;
+        uint64_t           rssLimit;
+        uint64_t           dataLimit;
+        uint64_t           coreLimit;
+        uint64_t           stackLimit;
+        bool               clearEnv;
+        char*              env_ptrs[128];
+        char               env_vals[128][4096];
+        sigset_t           waitSigSet;
+    } exe;
+    struct {
+        time_t  timeStart;
+        time_t  runEndTime;
+        time_t  tmOut;
+        time_t  lastCovUpdate;
+        int64_t timeOfLongestUnitUSecs;
+        bool    tmoutVTALRM;
+    } timing;
+    struct {
+        struct {
+            uint8_t val[256];
+            size_t  len;
+        } dictionary[1024];
+        size_t      dictionaryCnt;
+        const char* dictionaryFile;
+        size_t      mutationsMax;
+        unsigned    mutationsPerRun;
+        size_t      maxInputSz;
+    } mutate;
+    struct {
+        bool    useScreen;
+        char    cmdline_txt[65];
+        int64_t lastDisplayUSecs;
+    } display;
+    struct {
+        bool        useVerifier;
+        bool        exitUponCrash;
+        const char* reportFile;
+        size_t      dynFileIterExpire;
+        bool        only_printable;
+        bool        minimize;
+        bool        switchingToFDM;
+    } cfg;
+    struct {
+        bool enable;
+        bool del_report;
+    } sanitizer;
+    struct {
+        fuzzState_t     state;
+        feedback_t*     covFeedbackMap;
+        int             covFeedbackFd;
+        cmpfeedback_t*  cmpFeedbackMap;
+        int             cmpFeedbackFd;
+        bool            cmpFeedback;
+        const char*     blacklistFile;
+        uint64_t*       blacklist;
+        size_t          blacklistCnt;
+        bool            skipFeedbackOnTimeout;
+        uint64_t        maxCov[4];
+        dynFileMethod_t dynFileMethod;
+        hwcnt_t         hwCnts;
+    } feedback;
+    struct {
+        size_t mutationsCnt;
+        size_t crashesCnt;
+        size_t uniqueCrashesCnt;
+        size_t verifiedCrashesCnt;
+        size_t blCrashesCnt;
+        size_t timeoutedCnt;
+    } cnts;
+    struct {
+        bool enabled;
+        int  serverSocket;
+        int  clientSocket;
+    } socketFuzzer;
+    struct {
+        pthread_rwlock_t dynfileq;
+        pthread_mutex_t  feedback;
+        pthread_mutex_t  report;
+        pthread_mutex_t  state;
+        pthread_mutex_t  input;
+        pthread_mutex_t  timing;
+    } mutex;
+
+    /* For the Linux code */
+    struct {
+        int         exeFd;
+        uint64_t    dynamicCutOffAddr;
+        bool        disableRandomization;
+        void*       ignoreAddr;
+        const char* symsBlFile;
+        char**      symsBl;
+        size_t      symsBlCnt;
+        const char* symsWlFile;
+        char**      symsWl;
+        size_t      symsWlCnt;
+        uintptr_t   cloneFlags;
+        tristate_t  useNetNs;
+        bool        kernelOnly;
+        bool        useClone;
+    } arch_linux;
+    /* For the NetBSD code */
+    struct {
+        void*       ignoreAddr;
+        const char* symsBlFile;
+        char**      symsBl;
+        size_t      symsBlCnt;
+        const char* symsWlFile;
+        char**      symsWl;
+        size_t      symsWlCnt;
+    } arch_netbsd;
+} honggfuzz_t;
+
+typedef enum {
+    _HF_RS_UNKNOWN                   = 0,
+    _HF_RS_WAITING_FOR_INITIAL_READY = 1,
+    _HF_RS_WAITING_FOR_READY         = 2,
+    _HF_RS_SEND_DATA                 = 3,
+} runState_t;
+
+typedef struct {
+    honggfuzz_t* global;
+    pid_t        pid;
+    int64_t      timeStartedUSecs;
+    char         crashFileName[PATH_MAX];
+    uint64_t     pc;
+    uint64_t     backtrace;
+    uint64_t     access;
+    int          exception;
+    char         report[_HF_REPORT_SIZE];
+    bool         mainWorker;
+    unsigned     mutationsPerRun;
+    dynfile_t*   dynfile;
+    bool         staticFileTryMore;
+    uint32_t     fuzzNo;
+    int          persistentSock;
+    runState_t   runState;
+    bool         tmOutSignaled;
+    char*        args[_HF_ARGS_MAX + 1];
+    int          perThreadCovFeedbackFd;
+    unsigned     triesLeft;
+    dynfile_t*   current;
+#if !defined(_HF_ARCH_DARWIN)
+    timer_t timerId;
+#endif    // !defined(_HF_ARCH_DARWIN)
+    hwcnt_t hwCnts;
+
+    struct {
+        /* For Linux code */
+        uint8_t* perfMmapBuf;
+        uint8_t* perfMmapAux;
+        int      cpuInstrFd;
+        int      cpuBranchFd;
+        int      cpuIptBtsFd;
+    } arch_linux;
+} run_t;
+
+#endif

custom_mutators/honggfuzz/input.h

@@ -0,0 +1,106 @@
+#ifndef _HG_INPUT_
+#define _HG_INPUT_
+
+#include <stdarg.h>
+#ifdef __clang__
+#include <stdatomic.h>
+#endif
+#include <stdbool.h>
+#include <stdint.h>
+#include <time.h>
+
+#include "honggfuzz.h"
+#include "afl-fuzz.h"
+
+/*
+ * Go-style defer scoped implementation
+ *
+ * If compiled with clang, use: -fblocks -lBlocksRuntime
+ *
+ * Example of use:
+ *
+ * {
+ *   int fd = open(fname, O_RDONLY);
+ *   if (fd == -1) {
+ *     error(....);
+ *     return;
+ *   }
+ *   defer { close(fd); };
+ *   ssize_t sz = read(fd, buf, sizeof(buf));
+ *   ...
+ *   ...
+ * }
+ *
+ */
+
+#define __STRMERGE(a, b) a##b
+#define _STRMERGE(a, b)  __STRMERGE(a, b)
+#ifdef __clang__
+#if __has_extension(blocks)
+static void __attribute__((unused)) __clang_cleanup_func(void (^*dfunc)(void)) {
+    (*dfunc)();
+}
+
+#define defer                                                                                      \
+    void (^_STRMERGE(__defer_f_, __COUNTER__))(void)                                               \
+        __attribute__((cleanup(__clang_cleanup_func))) __attribute__((unused)) = ^
+
+#else /* __has_extension(blocks) */
+#define defer UNIMPLEMENTED - NO - SUPPORT - FOR - BLOCKS - IN - YOUR - CLANG - ENABLED
+#endif /*  __has_extension(blocks) */
+#else  /* !__clang__, e.g.: gcc */
+
+#define __block
+#define _DEFER(a, count)                                                                            \
+    auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused)));               \
+    int       _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \
+        __attribute__((unused));                                                                    \
+    void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused)))
+#define defer _DEFER(a, __COUNTER__)
+#endif /* ifdef __clang__ */
+
+#define HF_MIN(x, y) (x <= y ? x : y)
+#define HF_MAX(x, y) (x >= y ? x : y)
+#define ATOMIC_GET
+#define ARRAYSIZE(x) (sizeof(x) / sizeof(*x))
+#define HF_ATTR_UNUSED __attribute__((unused))
+#define util_Malloc(x) malloc(x)
+
+extern uint8_t *         queue_input;
+extern size_t            queue_input_size;
+extern afl_state_t *     afl_struct;
+
+inline void wmb() { }
+inline void LOG_F(const char *format, ...) { }
+static inline uint64_t util_rndGet(uint64_t min, uint64_t max) {
+  return min + rand_below(afl_struct, max - min + 1);
+}
+static inline uint64_t util_rnd64() { return rand_below(afl_struct, 1 << 30); }
+
+static inline size_t input_getRandomInputAsBuf(run_t *run, const uint8_t **buf) {
+  *buf = queue_input;
+  run->dynfile->data = queue_input;
+  run->dynfile->size = queue_input_size;
+  return queue_input_size;
+}
+static inline void input_setSize(run_t* run, size_t sz) {
+  run->dynfile->size = sz;
+}
+static inline void util_turnToPrintable(uint8_t* buf, size_t sz) {
+  for (size_t i = 0; i < sz; i++)
+    buf[i] = buf[i] % 95 + 32;
+}
+static inline void util_rndBuf(uint8_t* buf, size_t sz) {
+  if (sz == 0) return;
+  for (size_t i = 0; i < sz; i++)
+    buf[i] = (uint8_t)rand_below(afl_struct, 256);
+}
+static inline uint8_t util_rndPrintable() {
+  return 32 + rand_below(afl_struct, 127 - 32);
+}
+static inline void util_rndBufPrintable(uint8_t* buf, size_t sz) {
+  for (size_t i = 0; i < sz; i++)
+    buf[i] = util_rndPrintable();
+}
+
+#endif

custom_mutators/honggfuzz/libhfcommon

@@ -0,0 +1 @@
+.

custom_mutators/honggfuzz/log.h

@@ -0,0 +1 @@
+common.h

custom_mutators/honggfuzz/mangle.h

@@ -0,0 +1,31 @@
+/*
+ *
+ * honggfuzz - buffer mangling routines
+ * -----------------------------------------
+ *
+ * Author: Robert Swiecki <swiecki@google.com>
+ *
+ * Copyright 2010-2018 by Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ *
+ */
+
+#ifndef _HF_MANGLE_H_
+#define _HF_MANGLE_H_
+
+#include "honggfuzz.h"
+
+extern void mangle_mangleContent(run_t* run, int speed_factor);
+
+#endif

custom_mutators/honggfuzz/util.h

@@ -0,0 +1 @@
+common.h

custom_mutators/radamsa/GNUmakefile

@@ -0,0 +1,30 @@
+CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+
+all: radamsa-mutator.so
+
+# These can be overriden:
+CFLAGS	?= $(CFLAGS_FLTO)
+
+# These are required: (otherwise radamsa gets very very slooooow)
+CFLAGS	+= -O3 -funroll-loops
+
+#libradamsa.so: libradamsa.a
+#	$(CC) $(CFLAGS) -shared libradamsa.a -o libradamsa.so
+
+libradamsa.a: libradamsa.c radamsa.h
+	@echo " ***************************************************************"
+	@echo " * Compiling libradamsa, wait some minutes (~3 on modern CPUs) *"
+	@echo " ***************************************************************"
+	$(CC) -fPIC $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa.a -c libradamsa.c
+
+radamsa-mutator.so: radamsa-mutator.c libradamsa.a
+	$(CC) $(CFLAGS) $(CPPFLAGS) -g -I. -I../../include -shared -fPIC -c radamsa-mutator.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) -shared -fPIC -o radamsa-mutator.so radamsa-mutator.o libradamsa.a
+
+test: libradamsa.a libradamsa-test.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) -I $(CUR_DIR) -o libradamsa-test libradamsa-test.c libradamsa.a
+	./libradamsa-test libradamsa-test.c | grep "library test passed"
+	rm /tmp/libradamsa-*.fuzz
+
+clean:
+	rm -f radamsa-mutator.so libradamsa.a libradamsa-test *.o *~ core

custom_mutators/radamsa/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2013 Aki Helin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

custom_mutators/radamsa/README.md

@@ -0,0 +1,9 @@
+# custum mutator: libradamsa
+
+Pretranslated radamsa library. This code belongs to the radamsa author.
+
+> Original repository: https://gitlab.com/akihe/radamsa
+
+> Source commit: 7b2cc2d0
+
+> The code here is adapted for AFL++ with minor changes respect the original version

custom_mutators/radamsa/custom_mutator_helpers.h

@@ -0,0 +1,342 @@
+#ifndef CUSTOM_MUTATOR_HELPERS
+#define CUSTOM_MUTATOR_HELPERS
+
+#include "config.h"
+#include "types.h"
+#include <stdlib.h>
+
+#define INITIAL_GROWTH_SIZE (64)
+
+#define RAND_BELOW(limit) (rand() % (limit))
+
+/* Use in a struct: creates a name_buf and a name_size variable. */
+#define BUF_VAR(type, name) \
+  type * name##_buf;        \
+  size_t name##_size;
+/* this filles in `&structptr->something_buf, &structptr->something_size`. */
+#define BUF_PARAMS(struct, name) \
+  (void **)&struct->name##_buf, &struct->name##_size
+
+typedef struct {
+
+} afl_t;
+
+static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) {
+
+  static s8  interesting_8[] = {INTERESTING_8};
+  static s16 interesting_16[] = {INTERESTING_8, INTERESTING_16};
+  static s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32};
+
+  switch (RAND_BELOW(12)) {
+
+    case 0: {
+
+      /* Flip a single bit somewhere. Spooky! */
+
+      s32 bit_idx = ((RAND_BELOW(end - begin) + begin) << 3) + RAND_BELOW(8);
+
+      out_buf[bit_idx >> 3] ^= 128 >> (bit_idx & 7);
+
+      break;
+
+    }
+
+    case 1: {
+
+      /* Set byte to interesting value. */
+
+      u8 val = interesting_8[RAND_BELOW(sizeof(interesting_8))];
+      out_buf[(RAND_BELOW(end - begin) + begin)] = val;
+
+      break;
+
+    }
+
+    case 2: {
+
+      /* Set word to interesting value, randomly choosing endian. */
+
+      if (end - begin < 2) break;
+
+      s32 byte_idx = (RAND_BELOW(end - begin) + begin);
+
+      if (byte_idx >= end - 1) break;
+
+      switch (RAND_BELOW(2)) {
+
+        case 0:
+          *(u16 *)(out_buf + byte_idx) =
+              interesting_16[RAND_BELOW(sizeof(interesting_16) >> 1)];
+          break;
+        case 1:
+          *(u16 *)(out_buf + byte_idx) =
+              SWAP16(interesting_16[RAND_BELOW(sizeof(interesting_16) >> 1)]);
+          break;
+
+      }
+
+      break;
+
+    }
+
+    case 3: {
+
+      /* Set dword to interesting value, randomly choosing endian. */
+
+      if (end - begin < 4) break;
+
+      s32 byte_idx = (RAND_BELOW(end - begin) + begin);
+
+      if (byte_idx >= end - 3) break;
+
+      switch (RAND_BELOW(2)) {
+
+        case 0:
+          *(u32 *)(out_buf + byte_idx) =
+              interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)];
+          break;
+        case 1:
+          *(u32 *)(out_buf + byte_idx) =
+              SWAP32(interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)]);
+          break;
+
+      }
+
+      break;
+
+    }
+
+    case 4: {
+
+      /* Set qword to interesting value, randomly choosing endian. */
+
+      if (end - begin < 8) break;
+
+      s32 byte_idx = (RAND_BELOW(end - begin) + begin);
+
+      if (byte_idx >= end - 7) break;
+
+      switch (RAND_BELOW(2)) {
+
+        case 0:
+          *(u64 *)(out_buf + byte_idx) =
+              (s64)interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)];
+          break;
+        case 1:
+          *(u64 *)(out_buf + byte_idx) = SWAP64(
+              (s64)interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)]);
+          break;
+
+      }
+
+      break;
+
+    }
+
+    case 5: {
+
+      /* Randomly subtract from byte. */
+
+      out_buf[(RAND_BELOW(end - begin) + begin)] -= 1 + RAND_BELOW(ARITH_MAX);
+
+      break;
+
+    }
+
+    case 6: {
+
+      /* Randomly add to byte. */
+
+      out_buf[(RAND_BELOW(end - begin) + begin)] += 1 + RAND_BELOW(ARITH_MAX);
+
+      break;
+
+    }
+
+    case 7: {
+
+      /* Randomly subtract from word, random endian. */
+
+      if (end - begin < 2) break;
+
+      s32 byte_idx = (RAND_BELOW(end - begin) + begin);
+
+      if (byte_idx >= end - 1) break;
+
+      if (RAND_BELOW(2)) {
+
+        *(u16 *)(out_buf + byte_idx) -= 1 + RAND_BELOW(ARITH_MAX);
+
+      } else {
+
+        u16 num = 1 + RAND_BELOW(ARITH_MAX);
+
+        *(u16 *)(out_buf + byte_idx) =
+            SWAP16(SWAP16(*(u16 *)(out_buf + byte_idx)) - num);
+
+      }
+
+      break;
+
+    }
+
+    case 8: {
+
+      /* Randomly add to word, random endian. */
+
+      if (end - begin < 2) break;
+
+      s32 byte_idx = (RAND_BELOW(end - begin) + begin);
+
+      if (byte_idx >= end - 1) break;
+
+      if (RAND_BELOW(2)) {
+
+        *(u16 *)(out_buf + byte_idx) += 1 + RAND_BELOW(ARITH_MAX);
+
+      } else {
+
+        u16 num = 1 + RAND_BELOW(ARITH_MAX);
+
+        *(u16 *)(out_buf + byte_idx) =
+            SWAP16(SWAP16(*(u16 *)(out_buf + byte_idx)) + num);
+
+      }
+
+      break;
+
+    }
+
+    case 9: {
+
+      /* Randomly subtract from dword, random endian. */
+
+      if (end - begin < 4) break;
+
+      s32 byte_idx = (RAND_BELOW(end - begin) + begin);
+
+      if (byte_idx >= end - 3) break;
+
+      if (RAND_BELOW(2)) {
+
+        *(u32 *)(out_buf + byte_idx) -= 1 + RAND_BELOW(ARITH_MAX);
+
+      } else {
+
+        u32 num = 1 + RAND_BELOW(ARITH_MAX);
+
+        *(u32 *)(out_buf + byte_idx) =
+            SWAP32(SWAP32(*(u32 *)(out_buf + byte_idx)) - num);
+
+      }
+
+      break;
+
+    }
+
+    case 10: {
+
+      /* Randomly add to dword, random endian. */
+
+      if (end - begin < 4) break;
+
+      s32 byte_idx = (RAND_BELOW(end - begin) + begin);
+
+      if (byte_idx >= end - 3) break;
+
+      if (RAND_BELOW(2)) {
+
+        *(u32 *)(out_buf + byte_idx) += 1 + RAND_BELOW(ARITH_MAX);
+
+      } else {
+
+        u32 num = 1 + RAND_BELOW(ARITH_MAX);
+
+        *(u32 *)(out_buf + byte_idx) =
+            SWAP32(SWAP32(*(u32 *)(out_buf + byte_idx)) + num);
+
+      }
+
+      break;
+
+    }
+
+    case 11: {
+
+      /* Just set a random byte to a random value. Because,
+         why not. We use XOR with 1-255 to eliminate the
+         possibility of a no-op. */
+
+      out_buf[(RAND_BELOW(end - begin) + begin)] ^= 1 + RAND_BELOW(255);
+
+      break;
+
+    }
+
+  }
+
+}
+
+/* This function calculates the next power of 2 greater or equal its argument.
+ @return The rounded up power of 2 (if no overflow) or 0 on overflow.
+*/
+static inline size_t next_pow2(size_t in) {
+
+  if (in == 0 || in > (size_t)-1)
+    return 0;                  /* avoid undefined behaviour under-/overflow */
+  size_t out = in - 1;
+  out |= out >> 1;
+  out |= out >> 2;
+  out |= out >> 4;
+  out |= out >> 8;
+  out |= out >> 16;
+  return out + 1;
+
+}
+
+/* This function makes sure *size is > size_needed after call.
+ It will realloc *buf otherwise.
+ *size will grow exponentially as per:
+ https://blog.mozilla.org/nnethercote/2014/11/04/please-grow-your-buffers-exponentially/
+ Will return NULL and free *buf if size_needed is <1 or realloc failed.
+ @return For convenience, this function returns *buf.
+ */
+static inline void *maybe_grow(void **buf, size_t *size, size_t size_needed) {
+
+  /* No need to realloc */
+  if (likely(size_needed && *size >= size_needed)) return *buf;
+
+  /* No initial size was set */
+  if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE;
+
+  /* grow exponentially */
+  size_t next_size = next_pow2(size_needed);
+
+  /* handle overflow */
+  if (!next_size) { next_size = size_needed; }
+
+  /* alloc */
+  *buf = realloc(*buf, next_size);
+  *size = *buf ? next_size : 0;
+
+  return *buf;
+
+}
+
+/* Swaps buf1 ptr and buf2 ptr, as well as their sizes */
+static inline void afl_swap_bufs(void **buf1, size_t *size1, void **buf2,
+                             size_t *size2) {
+
+  void * scratch_buf = *buf1;
+  size_t scratch_size = *size1;
+  *buf1 = *buf2;
+  *size1 = *size2;
+  *buf2 = scratch_buf;
+  *size2 = scratch_size;
+
+}
+
+#undef INITIAL_GROWTH_SIZE
+
+#endif
+

custom_mutators/radamsa/libradamsa-test.c

@@ -0,0 +1,81 @@
+#include <radamsa.h>
+#include <stdio.h>
+#include <inttypes.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/stat.h>
+
+size_t filesize(char *filename) {
+
+  struct stat st;
+  stat(filename, &st);
+  return st.st_size;
+
+}
+
+#define BUFSIZE 1024 * 1024
+
+void fail(char *why) {
+
+  printf("fail: %s\n", why);
+  exit(1);
+
+}
+
+void write_output(char *data, size_t len, int num) {
+
+  char path[32];
+  int  fd;
+  int  wrote;
+  sprintf(path, "/tmp/libradamsa-%d.fuzz", num);
+  fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+  printf("Opened %s -> %d\n", path, fd);
+  if (fd < 0) { fail("failed to open output file"); }
+  wrote = write(fd, data, len);
+  printf("wrote %d of %zu bytes\n", wrote, len);
+  if (wrote != len) { fail("failed to write all of output at once"); }
+  close(fd);
+  printf("Wrote %zu bytes to %s\n", len, path);
+
+}
+
+int main(int nargs, char **argv) {
+
+  char * spath = argv[1];
+  int    fd = open(spath, O_RDONLY, 0);
+  size_t len;
+  char * input;
+  char * output;
+  int    seed = 0;
+  if (fd < 0) { fail("cannot open input file"); }
+  len = filesize(spath);
+  input = malloc(len);
+  output = malloc(BUFSIZE);
+  if (!input || !output) { fail("failed to allocate buffers\n"); }
+  radamsa_init();
+  if (len != read(fd, input, len)) {
+
+    fail("failed to read the entire sample at once");
+
+  }
+
+  while (seed++ < 100) {
+
+    size_t n;
+    n = radamsa((uint8_t *)input, len, (uint8_t *)output, BUFSIZE, seed);
+    write_output(output, n, seed);
+    printf("Fuzzed %zu -> %zu bytes\n", len, n);
+
+  }
+
+  printf("library test passed\n");
+  free(output);
+  free(input);
+  return 0;
+
+}
+

custom_mutators/radamsa/radamsa-mutator.c

@@ -0,0 +1,70 @@
+// This simple example just creates random buffer <= 100 filled with 'A'
+// needs -I /path/to/AFLplusplus/include
+//#include "custom_mutator_helpers.h"
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "radamsa.h"
+#include "custom_mutator_helpers.h"
+
+typedef struct my_mutator {
+
+  afl_t *afl;
+
+  u8 *mutator_buf;
+
+  unsigned int seed;
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
+
+  srand(seed);
+  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  if ((data->mutator_buf = malloc(MAX_FILE)) == NULL) {
+
+    perror("mutator_buf alloc");
+    return NULL;
+
+  }
+
+  data->afl = afl;
+  data->seed = seed;
+
+  radamsa_init();
+
+  return data;
+
+}
+
+size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
+                       u8 **out_buf, uint8_t *add_buf, size_t add_buf_size,
+                       size_t max_size) {
+
+  *out_buf = data->mutator_buf;
+  return radamsa(buf, buf_size, data->mutator_buf, max_size, data->seed++);
+
+}
+
+/**
+ * Deinitialize everything
+ *
+ * @param data The data ptr from afl_custom_init
+ */
+void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data->mutator_buf);
+  free(data);
+
+}
+

custom_mutators/radamsa/radamsa.h

@@ -0,0 +1,10 @@
+#include <inttypes.h>
+#include <stddef.h>
+
+void radamsa_init(void);
+
+size_t radamsa(uint8_t *ptr, size_t len, uint8_t *target, size_t max,
+               unsigned int seed);
+
+size_t radamsa_inplace(uint8_t *ptr, size_t len, size_t max, unsigned int seed);
+

debug.h

@@ -1,251 +0,0 @@
-/*
-   american fuzzy lop - debug / error handling macros
-   --------------------------------------------------
-
-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
-
-   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at:
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
- */
-
-#ifndef _HAVE_DEBUG_H
-#define _HAVE_DEBUG_H
-
-#include <errno.h>
-
-#include "types.h"
-#include "config.h"
-
-/*******************
- * Terminal colors *
- *******************/
-
-#ifdef USE_COLOR
-
-#  define cBLK "\x1b[0;30m"
-#  define cRED "\x1b[0;31m"
-#  define cGRN "\x1b[0;32m"
-#  define cBRN "\x1b[0;33m"
-#  define cBLU "\x1b[0;34m"
-#  define cMGN "\x1b[0;35m"
-#  define cCYA "\x1b[0;36m"
-#  define cLGR "\x1b[0;37m"
-#  define cGRA "\x1b[1;90m"
-#  define cLRD "\x1b[1;91m"
-#  define cLGN "\x1b[1;92m"
-#  define cYEL "\x1b[1;93m"
-#  define cLBL "\x1b[1;94m"
-#  define cPIN "\x1b[1;95m"
-#  define cLCY "\x1b[1;96m"
-#  define cBRI "\x1b[1;97m"
-#  define cRST "\x1b[0m"
-
-#  define bgBLK "\x1b[40m"
-#  define bgRED "\x1b[41m"
-#  define bgGRN "\x1b[42m"
-#  define bgBRN "\x1b[43m"
-#  define bgBLU "\x1b[44m"
-#  define bgMGN "\x1b[45m"
-#  define bgCYA "\x1b[46m"
-#  define bgLGR "\x1b[47m"
-#  define bgGRA "\x1b[100m"
-#  define bgLRD "\x1b[101m"
-#  define bgLGN "\x1b[102m"
-#  define bgYEL "\x1b[103m"
-#  define bgLBL "\x1b[104m"
-#  define bgPIN "\x1b[105m"
-#  define bgLCY "\x1b[106m"
-#  define bgBRI "\x1b[107m"
-
-#else
-
-#  define cBLK ""
-#  define cRED ""
-#  define cGRN ""
-#  define cBRN ""
-#  define cBLU ""
-#  define cMGN ""
-#  define cCYA ""
-#  define cLGR ""
-#  define cGRA ""
-#  define cLRD ""
-#  define cLGN ""
-#  define cYEL ""
-#  define cLBL ""
-#  define cPIN ""
-#  define cLCY ""
-#  define cBRI ""
-#  define cRST ""
-
-#  define bgBLK ""
-#  define bgRED ""
-#  define bgGRN ""
-#  define bgBRN ""
-#  define bgBLU ""
-#  define bgMGN ""
-#  define bgCYA ""
-#  define bgLGR ""
-#  define bgGRA ""
-#  define bgLRD ""
-#  define bgLGN ""
-#  define bgYEL ""
-#  define bgLBL ""
-#  define bgPIN ""
-#  define bgLCY ""
-#  define bgBRI ""
-
-#endif /* ^USE_COLOR */
-
-/*************************
- * Box drawing sequences *
- *************************/
-
-#ifdef FANCY_BOXES
-
-#  define SET_G1   "\x1b)0"       /* Set G1 for box drawing    */
-#  define RESET_G1 "\x1b)B"       /* Reset G1 to ASCII         */
-#  define bSTART   "\x0e"         /* Enter G1 drawing mode     */
-#  define bSTOP    "\x0f"         /* Leave G1 drawing mode     */
-#  define bH       "q"            /* Horizontal line           */
-#  define bV       "x"            /* Vertical line             */
-#  define bLT      "l"            /* Left top corner           */
-#  define bRT      "k"            /* Right top corner          */
-#  define bLB      "m"            /* Left bottom corner        */
-#  define bRB      "j"            /* Right bottom corner       */
-#  define bX       "n"            /* Cross                     */
-#  define bVR      "t"            /* Vertical, branch right    */
-#  define bVL      "u"            /* Vertical, branch left     */
-#  define bHT      "v"            /* Horizontal, branch top    */
-#  define bHB      "w"            /* Horizontal, branch bottom */
-
-#else
-
-#  define SET_G1   ""
-#  define RESET_G1 ""
-#  define bSTART   ""
-#  define bSTOP    ""
-#  define bH       "-"
-#  define bV       "|"
-#  define bLT      "+"
-#  define bRT      "+"
-#  define bLB      "+"
-#  define bRB      "+"
-#  define bX       "+"
-#  define bVR      "+"
-#  define bVL      "+"
-#  define bHT      "+"
-#  define bHB      "+"
-
-#endif /* ^FANCY_BOXES */
-
-/***********************
- * Misc terminal codes *
- ***********************/
-
-#define TERM_HOME     "\x1b[H"
-#define TERM_CLEAR    TERM_HOME "\x1b[2J"
-#define cEOL          "\x1b[0K"
-#define CURSOR_HIDE   "\x1b[?25l"
-#define CURSOR_SHOW   "\x1b[?25h"
-
-/************************
- * Debug & error macros *
- ************************/
-
-/* Just print stuff to the appropriate stream. */
-
-#ifdef MESSAGES_TO_STDOUT
-#  define SAYF(x...)    printf(x)
-#else 
-#  define SAYF(x...)    fprintf(stderr, x)
-#endif /* ^MESSAGES_TO_STDOUT */
-
-/* Show a prefixed warning. */
-
-#define WARNF(x...) do { \
-    SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
-    SAYF(cRST "\n"); \
-  } while (0)
-
-/* Show a prefixed "doing something" message. */
-
-#define ACTF(x...) do { \
-    SAYF(cLBL "[*] " cRST x); \
-    SAYF(cRST "\n"); \
-  } while (0)
-
-/* Show a prefixed "success" message. */
-
-#define OKF(x...) do { \
-    SAYF(cLGN "[+] " cRST x); \
-    SAYF(cRST "\n"); \
-  } while (0)
-
-/* Show a prefixed fatal error message (not used in afl). */
-
-#define BADF(x...) do { \
-    SAYF(cLRD "\n[-] " cRST x); \
-    SAYF(cRST "\n"); \
-  } while (0)
-
-/* Die with a verbose non-OS fatal error message. */
-
-#define FATAL(x...) do { \
-    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
-         cBRI x); \
-    SAYF(cLRD "\n         Location : " cRST "%s(), %s:%u\n\n", \
-         __FUNCTION__, __FILE__, __LINE__); \
-    exit(1); \
-  } while (0)
-
-/* Die by calling abort() to provide a core dump. */
-
-#define ABORT(x...) do { \
-    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
-         cBRI x); \
-    SAYF(cLRD "\n    Stop location : " cRST "%s(), %s:%u\n\n", \
-         __FUNCTION__, __FILE__, __LINE__); \
-    abort(); \
-  } while (0)
-
-/* Die while also including the output of perror(). */
-
-#define PFATAL(x...) do { \
-    fflush(stdout); \
-    SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-]  SYSTEM ERROR : " \
-         cBRI x); \
-    SAYF(cLRD "\n    Stop location : " cRST "%s(), %s:%u\n", \
-         __FUNCTION__, __FILE__, __LINE__); \
-    SAYF(cLRD "       OS message : " cRST "%s\n", strerror(errno)); \
-    exit(1); \
-  } while (0)
-
-/* Die with FAULT() or PFAULT() depending on the value of res (used to
-   interpret different failure modes for read(), write(), etc). */
-
-#define RPFATAL(res, x...) do { \
-    if (res < 0) PFATAL(x); else FATAL(x); \
-  } while (0)
-
-/* Error-checking versions of read() and write() that call RPFATAL() as
-   appropriate. */
-
-#define ck_write(fd, buf, len, fn) do { \
-    u32 _len = (len); \
-    s32 _res = write(fd, buf, _len); \
-    if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
-  } while (0)
-
-#define ck_read(fd, buf, len, fn) do { \
-    u32 _len = (len); \
-    s32 _res = read(fd, buf, _len); \
-    if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
-  } while (0)
-
-#endif /* ! _HAVE_DEBUG_H */

dictionaries/README.md

@@ -1,19 +1,20 @@
-================
-AFL dictionaries
-================
+# AFL dictionaries
 
-  (See ../docs/README for the general instruction manual.)
+(See [../docs/README.md](../docs/README.md) for the general instruction manual.)
 
 This subdirectory contains a set of dictionaries that can be used in
 conjunction with the -x option to allow the fuzzer to effortlessly explore the
 grammar of some of the more verbose data formats or languages. The basic
-principle behind the operation of fuzzer dictionaries is outlined in section 9
-of the "main" README for the project.
+principle behind the operation of fuzzer dictionaries is outlined in section 10
+of the "main" README.md for the project.
+
+These sets were done by Michal Zalewski, various contributors, and imported
+from oss-fuzz, go-fuzz and libfuzzer.
 
 Custom dictionaries can be added at will. They should consist of a
 reasonably-sized set of rudimentary syntax units that the fuzzer will then try
-to clobber together in various ways. Snippets between 2 and 16 bytes are usually
-the sweet spot.
+to clobber together in various ways. Snippets between 2 and 16 bytes are
+usually the sweet spot.
 
 Custom dictionaries can be created in two ways:
 
@@ -32,12 +33,12 @@ parameter is a file or a directory.
 
 In the file mode, every name field can be optionally followed by @<num>, e.g.:
 
-  keyword_foo@1 = "foo"
+  `keyword_foo@1 = "foo"`
 
 Such entries will be loaded only if the requested dictionary level is equal or
 higher than this number. The default level is zero; a higher value can be set
 by appending @<num> to the dictionary file name, like so:
 
-  -x path/to/dictionary.dct@2
+  `-x path/to/dictionary.dct@2`
 
 Good examples of dictionaries can be found in xml.dict and png.dict.

dictionaries/aff.dict

@@ -0,0 +1,73 @@
+# https://www.systutorials.com/docs/linux/man/4-hunspell/
+
+# Affix keywords
+"AF"
+"AM"
+"BREAK"
+"CHECKCOMPOUNDCASE"
+"CHECKCOMPOUNDDUP"
+"CHECKCOMPOUNDPATTERN"
+"CHECKCOMPOUNDREP"
+"CHECKCOMPOUNDTRIPLE"
+"COMPLEXPREFIXES"
+"COMPOUNDBEGIN"
+"COMPOUNDFLAG"
+"COMPOUNDFORBIDFLAG"
+"COMPOUNDLAST"
+"COMPOUNDMIDDLE"
+"COMPOUNDMIN"
+"COMPOUNDPERMITFLAG"
+"COMPOUNDROOT"
+"COMPOUNDRULE"
+"COMPOUNDSYLLABLE"
+"COMPOUNDWORDMAX"
+"FLAG"
+"FORBIDWARN"
+"FORCEUCASE"
+"IGNORE"
+"KEY"
+"LANG"
+"MAP"
+"MAXCODSUGS"
+"MAXDIFF"
+"MAXNGRAMSUGS"
+"NOSPLITSUGS"
+"NOSUGGEST"
+"ONLYINCOMPOUND"
+"ONLYMAXDIFF"
+"PFX"
+"PHONE"
+"REP"
+"SET"
+"SFX"
+"SIMPLIFIEDTRIPLE"
+"SUGWITHDOTS"
+"SYLLABLENUM"
+"TRY"
+"WARN"
+"CIRCUMFIX"
+"FORBIDDENWORD"
+"FULLSTRIP"
+"KEEPCASE"
+"ICONV"
+"OCONV"
+"LEMMA_PRESENT"
+"NEEDAFFIX"
+"PSEUDOROOT"
+"SUBSTANDARD"
+"WORDCHARS"
+"CHECKSHARPS"
+
+# Optional data fields
+"ph:"
+"st:"
+"al:"
+"po:"
+"ds:"
+"is:"
+"ts:"
+"sp:"
+"pa:"
+"dp:"
+"ip:"
+"tp:"

dictionaries/ass.dict

@@ -0,0 +1,112 @@
+"0x"
+"\\1a"
+"\\2a"
+"\\2c"
+"\\3a"
+"\\3c"
+"\\4a"
+"\\4c"
+"\\a"
+"\\alpha"
+"\\an"
+"Arial"
+"\\b"
+"Banner;"
+"\\be"
+"\\blur"
+"\\bord"
+"\\c"
+"CFF"
+"CID Type 1"
+"\\clip"
+"clip"
+"Courier"
+"Courier New"
+"Default"
+"Dialogue:"
+"[Events]"
+"\\fade"
+"\\fax"
+"\\fay"
+"\\fe"
+"\\fn"
+"fontname:"
+"[Fonts]"
+"Format:"
+"\\frx"
+"\\fry"
+"\\frz"
+"\\fs"
+"\\fsc"
+"\\fscx"
+"\\fscy"
+"\\fsp"
+"&h"
+"Helvetica"
+"\\i"
+"\\iclip"
+"iclip"
+"\\k"
+"Kerning:"
+"Kerning"
+"\\kf"
+"\\ko"
+"Language:"
+"monospace"
+"\\move"
+"move"
+"none"
+"\\org"
+"org"
+"OverrideStyle"
+"\\p"
+"p"
+"\\pbo"
+"pbo"
+"pc.240m"
+"pc.601"
+"pc.709"
+"pc.fcc"
+"PlayResX:"
+"PlayResX"
+"PlayResY:"
+"PlayResY"
+"\\pos"
+"pos"
+"\\q"
+"\\r"
+"\\s"
+"sans-serif"
+"ScaledBorderAndShadow:"
+"ScaledBorderAndShadow"
+"[Script Info]"
+"Scroll down;"
+"Scroll up;"
+"serif"
+"\\shad"
+"Style:"
+"\\t"
+"Text"
+"Timer:"
+"Timer"
+"Times"
+"Times New Roman"
+"tv.240m"
+"tv.601"
+"tv.709"
+"tv.fcc"
+"Type 1"
+"Type 42"
+"\\u"
+"UTF-8"
+"[V4 Styles]"
+"[V4+ Styles]"
+"WrapStyle:"
+"WrapStyle"
+"\\xbord"
+"\\xshad"
+"\\ybord"
+"YCbCr Matrix:"
+"YCbCr Matrix"
+"yes"
+"\\yshad"

dictionaries/atom.dict

@@ -0,0 +1,33 @@
+# https://validator.w3.org/feed/docs/atom.html
+# https://tools.ietf.org/html/rfc4287
+
+"<?xml version='1.0' encoding='utf-8'?>"
+"<feed xmlns='http://www.w3.org/2005/Atom'>"
+
+"<alternate>"
+"<author>"
+"<category>"
+"<content>"
+"<contributor>"
+"<email>"
+"<entry>"
+"<feed>"
+"<first>"
+"<generator>"
+"<icon>"
+"<id>"
+"<last>"
+"<link>"
+"<logo>"
+"<modified/>
+"<name>"
+"<next>"
+"<previous>"
+"<published>"
+"<rights>"
+"<source>"
+"<subtitle>"
+"<summary>"
+"<title>"
+"<updated>"
+"<uri>"

dictionaries/av1_dc.dict

@@ -0,0 +1,5 @@
+# IVF Signature + version (bytes 0-5)
+kw1="DKIF\x00\x00"
+
+# AV1 codec fourCC (bytes 8-11)
+kw2="AV01"

dictionaries/bash.dict

@@ -0,0 +1,152 @@
+# Keywords taken from
+#  - https://www.gnu.org/software/bash/manual/html_node/Bash-Variables.html
+#  - https://www.gnu.org/software/bash/manual/html_node/Bourne-Shell-Builtins.html
+#  - https://www.gnu.org/software/bash/manual/html_node/Bourne-Shell-Variables.html
+#  - https://www.gnu.org/software/bash/manual/html_node/Reserved-Word-Index.html
+
+"!"
+"."
+":"
+"["
+"[["
+"]]"
+"{"
+"}"
+"BASH"
+"BASH_ALIASES"
+"BASH_ARGC"
+"BASH_ARGV"
+"BASH_ARGV0"
+"BASH_CMDS"
+"BASH_COMMAND"
+"BASH_COMPAT"
+"BASH_ENV"
+"BASH_EXECUTION_STRING"
+"BASH_LINENO"
+"BASH_LOADABLES_PATH"
+"BASHOPTS"
+"BASHPID"
+"BASH_REMATCH"
+"BASH_SOURCE"
+"BASH_SUBSHELL"
+"BASH_VERSINFO"
+"BASH_VERSION"
+"BASH_XTRACEFD"
+"break"
+"case"
+"cd"
+"CDPATH"
+"CHILD_MAX"
+"COLUMNS"
+"COMP_CWORD"
+"COMP_KEY"
+"COMP_LINE"
+"COMP_POINT"
+"COMPREPLY"
+"COMP_TYPE"
+"COMP_WORDBREAKS"
+"COMP_WORDS"
+"continue"
+"COPROC"
+"DIRSTACK"
+"do"
+"done"
+"elif"
+"else"
+"EMACS"
+"ENV"
+"EPOCHREALTIME"
+"EPOCHSECONDS"
+"esac"
+"EUID"
+"eval"
+"exec"
+"EXECIGNORE"
+"exit"
+"export"
+"FCEDIT"
+"fi"
+"FIGNORE"
+"for"
+"FUNCNAME"
+"FUNCNEST"
+"function"
+"getopts"
+"GLOBIGNORE"
+"GROUPS"
+"hash"
+"histchars"
+"HISTCMD"
+"HISTCONTROL"
+"HISTFILE"
+"HISTFILESIZE"
+"HISTIGNORE"
+"HISTSIZE"
+"HISTTIMEFORMAT"
+"HOME"
+"HOSTFILE"
+"HOSTNAME"
+"HOSTTYPE"
+"if"
+"IFS"
+"IGNOREEOF"
+"in"
+"INPUTRC"
+"INSIDE_EMACS"
+"LANG"
+"LC_ALL"
+"LC_COLLATE"
+"LC_CTYPE"
+"LC_MESSAGES"
+"LC_NUMERIC"
+"LC_TIME"
+"LINENO"
+"LINES"
+"MACHTYPE"
+"MAIL"
+"MAILCHECK"
+"MAILPATH"
+"MAPFILE"
+"OLDPWD"
+"OPTARG"
+"OPTERR"
+"OPTIND"
+"OSTYPE"
+"PATH"
+"PIPESTATUS"
+"POSIXLY_CORRECT"
+"PPID"
+"PROMPT_COMMAND"
+"PROMPT_DIRTRIM"
+"PS0"
+"PS1"
+"PS2"
+"PS3"
+"PS4"
+"pwd"
+"PWD"
+"RANDOM"
+"READLINE_LINE"
+"READLINE_POINT"
+"readonly"
+"REPLY"
+"return"
+"SECONDS"
+"select"
+"SHELL"
+"SHELLOPTS"
+"shift"
+"SHLVL"
+"test"
+"then"
+"time"
+"TIMEFORMAT"
+"times"
+"TMOUT"
+"TMPDIR"
+"trap"
+"UID"
+"umask"
+"unset"
+"until"
+"while"

dictionaries/bdf.dict

@@ -0,0 +1,30 @@
+# https://en.wikipedia.org/wiki/Glyph_Bitmap_Distribution_Format
+# https://www.adobe.com/content/dam/acom/en/devnet/font/pdfs/5005.BDF_Spec.pdf
+
+"STARTFONT"
+"COMMENT"
+"CONTENTVERSION"
+"FONT"
+"SIZE"
+"FONTBOUNDINGBOX"
+"METRICSSET"
+"SWIDTH"
+"DWIDTH"
+"SWIDTH1"
+"DWIDTH1"
+"VVECTOR"
+"STARTPROPERTIES"
+"ENDPROPERTIES"
+"CHARS"
+"STARTCHAR"
+"ENCODING"
+"BBX"
+"BITMAP"
+"ENDCHAR"
+"ENDFONT"
+
+# misc
+"255"
+"-1"
+"0"
+"2.1"

dictionaries/bmp.dict

@@ -0,0 +1,10 @@
+windows="BM"
+os2_bitmap="BA"
+os2_icon="CI"
+os2_pointer="CP"
+os2_struct="IC"
+os2_ptr="PT"
+windows_color_space="Win "
+srgb="sRGB"
+link="LINK"
+mbed="MBED"

dictionaries/bz2.dict

@@ -0,0 +1,3 @@
+magic="BZ"
+compress_magic="\x31\x41\x59\x26\x53\x59"
+eos_magic="\x17\x72\x45\x38\x50\x90"

dictionaries/creole.dict

@@ -0,0 +1,14 @@
+# http://www.wikicreole.org/wiki/Creole1.0
+
+bold="**"
+italic="//"
+heading="=="
+link1="[[a|b]]"
+link2="[[a:b]]"
+hr="----"
+img=" {{a|b}}"
+table_heading="|=a |=b |"
+raw="{{{a}}}"
+escape="~"
+placeholder="<<<x>>>"
+line_break="\\\\"

dictionaries/css.dict

@@ -0,0 +1,354 @@
+# https://en.wikipedia.org/wiki/Cascading_Style_Sheets
+
+# selectors
+"::after"
+"::before"
+"::first-letter"
+"::first-line"
+"::placeholder"
+"::selection"
+":active"
+":checked"
+":default"
+":disabled"
+":empty"
+":enabled"
+":first-child"
+":first-of-type"
+":focus"
+":hover"
+":in-range"
+":indeterminate"
+":invalid"
+":lang("
+":last-child"
+":last-of-type"
+":link"
+":not("
+":nth-child("
+":nth-last-child("
+":nth-last-of-type("
+":nth-of-type("
+":only-child"
+":only-of-type"
+":optional"
+":out-of-range"
+":read-only"
+":read-write"
+":required"
+":root"
+":target"
+":valid"
+":visited"
+
+# units
+"ch"
+"cm"
+"em"
+"ex"
+"in"
+"mm"
+"pc"
+"pt"
+"px"
+"rem"
+"vh"
+"vmax"
+"vmin"
+"vw"
+
+# functions
+"attr("
+"calc("
+"cubic-bezier("
+"hsl("
+"hsls("
+"linear-gradient("
+"radial-gradient("
+"repeating-linear-gradient("
+"repeating-radial-gradient("
+"rgb("
+"rgba("
+"var("
+
+# prefixes
+"-moz"
+"-webkit"
+
+# properties
+"@charset"
+"@font-face"
+"@font-feature-values"
+"@import"
+"@keyframes"
+"@media"
+"align-items"
+"align-self"
+"all"
+"animation"
+"animation-delay"
+"animation-direction"
+"animation-duration"
+"animation-fill-mode"
+"animation-iteration-count"
+"animation-name"
+"animation-play-state"
+"animation-timing-function"
+"backface-visibility"
+"background"
+"background-attachment"
+"background-blend-mode"
+"background-clip"
+"background-color"
+"background-image"
+"background-origin"
+"background-position"
+"background-repeat"
+"background-size"
+"border"
+"border-bottom"
+"border-bottom-color"
+"border-bottom-left-radius"
+"border-bottom-right-radius"
+"border-bottom-style"
+"border-bottom-width"
+"border-collapse"
+"border-color"
+"border-image"
+"border-image-outset"
+"border-image-repeat"
+"border-image-slice"
+"border-image-source"
+"border-image-width"
+"border-left"
+"border-left-color"
+"border-left-style"
+"border-left-width"
+"border-radius"
+"border-right"
+"border-right-color"
+"border-right-style"
+"border-right-width"
+"border-spacing"
+"border-style"
+"border-top"
+"border-top-color"
+"border-top-left-radius"
+"border-top-right-radius"
+"border-top-style"
+"border-top-width"
+"border-width"
+"bottom"
+"box-decoration-break"
+"box-shadow"
+"box-sizing"
+"break-after"
+"break-before"
+"break-inside"
+"caption-side"
+"caret-color"
+"clear"
+"clip"
+"color"
+"column-count"
+"column-fill"
+"column-gap"
+"column-rule"
+"column-rule-color"
+"column-rule-style"
+"column-rule-width"
+"column-span"
+"column-width"
+"columns"
+"content"
+"counter-increment"
+"counter-reset"
+"cursor"
+"direction"
+"display"
+"empty-cells"
+"filter"
+"flex"
+"flex-basis"
+"flex-direction"
+"flex-flow"
+"flex-grow"
+"flex-shrink"
+"flex-wrap"
+"float"
+"font"
+"font-family"
+"font-feature-settings"
+"font-kerning"
+"font-language-override"
+"font-size"
+"font-size-adjust"
+"font-stretch"
+"font-style"
+"font-synthesis"
+"font-variant"
+"font-variant-alternates"
+"font-variant-caps"
+"font-variant-east-asian"
+"font-variant-ligatures"
+"font-variant-numeric"
+"font-variant-position"
+"font-weight"
+"from"
+"grid"
+"grid-area"
+"grid-auto-columns"
+"grid-auto-flow"
+"grid-auto-rows"
+"grid-column"
+"grid-column-end"
+"grid-column-gap"
+"grid-column-start"
+"grid-gap"
+"grid-row"
+"grid-row-end"
+"grid-row-gap"
+"grid-row-start"
+"grid-template"
+"grid-template-areas"
+"grid-template-columns"
+"grid-template-rows"
+"hanging-punctuation"
+"height"
+"hyphens"
+"image-rendering"
+"isolation"
+"justify-content"
+"left"
+"letter-spacing"
+"line-break"
+"line-height"
+"list-style"
+"list-style-image"
+"list-style-position"
+"list-style-type"
+"margin"
+"margin-bottom"
+"margin-left"
+"margin-right"
+"margin-top"
+"max-height"
+"max-width"
+"min-height"
+"min-width"
+"mix-blend-mode"
+"object-fit"
+"object-position"
+"opacity"
+"order"
+"orphans"
+"outline"
+"outline-color"
+"outline-offset"
+"outline-style"
+"outline-width"
+"overflow"
+"overflow-wrap"
+"overflow-x"
+"overflow-y"
+"padding"
+"padding-bottom"
+"padding-left"
+"padding-right"
+"padding-top"
+"page-break-after"
+"page-break-before"
+"page-break-inside"
+"perspective"
+"perspective-origin"
+"pointer-events"
+"position"
+"quotes"
+"resize"
+"right"
+"scroll-behavior"
+"tab-size"
+"table-layout"
+"text-align"
+"text-align-last"
+"text-combine-upright"
+"text-decoration"
+"text-decoration-color"
+"text-decoration-line"
+"text-decoration-style"
+"text-indent"
+"text-justify"
+"text-orientation"
+"text-overflow"
+"text-shadow"
+"text-transform"
+"text-underline-position"
+"to"
+"top"
+"transform"
+"transform-origin"
+"transform-style"
+"transition"
+"transition-delay"
+"transition-duration"
+"transition-property"
+"transition-timing-function"
+"unicode-bidi"
+"user-select"
+"vertical-align"
+"visibility"
+"white-space"
+"widows"
+"width"
+"word-break"
+"word-spacing"
+"word-wrap"
+"writing-mode"
+"z-index"
+
+
+# aural - https://www.w3schools.com/cssref/css_ref_aural.asp
+"above"
+"azimuth"
+"below"
+"center"
+"code"
+"continuous"
+"cue"
+"cue-after"
+"cue-before"
+"elevation"
+"generic-voice"
+"left"
+"left-side"
+"leftwards"
+"lower"
+"medium"
+"mix"
+"none"
+"once"
+"pause"
+"pause-after"
+"pause-before"
+"pitch"
+"pitch-range"
+"play-during"
+"richness"
+"right"
+"right-side"
+"slower"
+"speak"
+"speak-header"
+"speak-numeral"
+"speak-punctuation"
+"speech-rate"
+"stress"
+"url"
+"voice-family"
+"volume"
+"x-fast"
+"x-high"
+"x-loud"
+"x-low"
+"x-slow"
+"x-soft"

dictionaries/csv.dict

@@ -0,0 +1,6 @@
+"\x00"
+"\r\n"
+";;"
+",,"
+"\t;"
+"\n;"

dictionaries/dds.dict

@@ -0,0 +1,35 @@
+# See http://www.mindcontrol.org/~hplus/graphics/dds-info/
+
+magic="\x20\x53\x44\x44"
+
+# Headers
+"\x00\x00\x00\x01"
+"\x00\x00\x00\x02"
+"\x00\x00\x00\x04"
+"\x00\x00\x00\x08"
+"\x00\x00\x10\x00"
+"\x00\x02\x00\x00"
+"\x00\x08\x00\x00"
+"\x00\x80\x00\x00"
+"\x00\x00\x00\x01"
+"\x00\x00\x00\x04"
+"\x00\x00\x00\x20"
+"\x00\x00\x00\x40"
+"\x00\x00\x00\x08"
+"\x00\x00\x10\x00"
+"\x00\x40\x00\x00"
+"\x00\x00\x02\x00"
+"\x00\x00\x04\x00"
+"\x00\x00\x08\x00"
+"\x00\x00\x10\x00"
+"\x00\x00\x20\x00"
+"\x00\x00\x40\x00"
+"\x00\x00\x80\x00"
+"\x00\x20\x00\x00"
+
+#formats
+"1TXD"
+"2TXD"
+"3TXD"
+"4TXD"
+"5TXD"

dictionaries/djvu.dict

@@ -0,0 +1,34 @@
+"ANTa"
+"ANTz"
+"BG2k"
+"BG44"
+"BGjp"
+"BM44"
+"CELX"
+"DIRM"
+"DJVI"
+"DJVM"
+"DJVU"
+"Djbz"
+"FAKE"
+"FG2k"
+"FG44"
+"FGbz"
+"FGjp"
+"FORM"
+"INCL"
+"INFO"
+"LINK"
+"METa"
+"METz"
+"NAVM"
+"NDIR"
+"PM44"
+"SINF"
+"Sjbz"
+"Smmr"
+"TH44"
+"THUM"
+"TXTa"
+"TXTz"
+"WMRM"

dictionaries/docommand.dict

@@ -0,0 +1,688 @@
+#SELECT WORD FROM INFORMATION_SCHEMA.KEYWORDS;
+ACCESSIBLE="ACCESSIBLE"
+ACCOUNT="ACCOUNT"
+ACTION="ACTION"
+ACTIVE="ACTIVE"
+ADD="ADD"
+ADMIN="ADMIN"
+AFTER="AFTER"
+AGAINST="AGAINST"
+AGGREGATE="AGGREGATE"
+ALGORITHM="ALGORITHM"
+ALL="ALL"
+ALTER="ALTER"
+ALWAYS="ALWAYS"
+ANALYZE="ANALYZE"
+AND="AND"
+ANY="ANY"
+AS="AS"
+ASC="ASC"
+ASCII="ASCII"
+ASENSITIVE="ASENSITIVE"
+AT="AT"
+AUTOEXTEND_SIZE="AUTOEXTEND_SIZE"
+AUTO_INCREMENT="AUTO_INCREMENT"
+AVG="AVG"
+AVG_ROW_LENGTH="AVG_ROW_LENGTH"
+BACKUP="BACKUP"
+BEFORE="BEFORE"
+BEGIN="BEGIN"
+BETWEEN="BETWEEN"
+BIGINT="BIGINT"
+BINARY="BINARY"
+BINLOG="BINLOG"
+BIT="BIT"
+BLOB="BLOB"
+BLOCK="BLOCK"
+BOOL="BOOL"
+BOOLEAN="BOOLEAN"
+BOTH="BOTH"
+BTREE="BTREE"
+BUCKETS="BUCKETS"
+BY="BY"
+BYTE="BYTE"
+CACHE="CACHE"
+CALL="CALL"
+CASCADE="CASCADE"
+CASCADED="CASCADED"
+CASE="CASE"
+CATALOG_NAME="CATALOG_NAME"
+CHAIN="CHAIN"
+CHANGE="CHANGE"
+CHANGED="CHANGED"
+CHANNEL="CHANNEL"
+CHAR="CHAR"
+CHARACTER="CHARACTER"
+CHARSET="CHARSET"
+CHECK="CHECK"
+CHECKSUM="CHECKSUM"
+CIPHER="CIPHER"
+CLASS_ORIGIN="CLASS_ORIGIN"
+CLIENT="CLIENT"
+CLONE="CLONE"
+CLOSE="CLOSE"
+COALESCE="COALESCE"
+CODE="CODE"
+COLLATE="COLLATE"
+COLLATION="COLLATION"
+COLUMN="COLUMN"
+COLUMNS="COLUMNS"
+COLUMN_FORMAT="COLUMN_FORMAT"
+COLUMN_NAME="COLUMN_NAME"
+COMMENT="COMMENT"
+COMMIT="COMMIT"
+COMMITTED="COMMITTED"
+COMPACT="COMPACT"
+COMPLETION="COMPLETION"
+COMPONENT="COMPONENT"
+COMPRESSED="COMPRESSED"
+COMPRESSION="COMPRESSION"
+CONCURRENT="CONCURRENT"
+CONDITION="CONDITION"
+CONNECTION="CONNECTION"
+CONSISTENT="CONSISTENT"
+CONSTRAINT="CONSTRAINT"
+CONSTRAINT_CATALOG="CONSTRAINT_CATALOG"
+CONSTRAINT_NAME="CONSTRAINT_NAME"
+CONSTRAINT_SCHEMA="CONSTRAINT_SCHEMA"
+CONTAINS="CONTAINS"
+CONTEXT="CONTEXT"
+CONTINUE="CONTINUE"
+CONVERT="CONVERT"
+CPU="CPU"
+CREATE="CREATE"
+CROSS="CROSS"
+CUBE="CUBE"
+CUME_DIST="CUME_DIST"
+CURRENT="CURRENT"
+CURRENT_DATE="CURRENT_DATE"
+CURRENT_TIME="CURRENT_TIME"
+CURRENT_TIMESTAMP="CURRENT_TIMESTAMP"
+CURRENT_USER="CURRENT_USER"
+CURSOR="CURSOR"
+CURSOR_NAME="CURSOR_NAME"
+DATA="DATA"
+DATABASE="DATABASE"
+DATABASES="DATABASES"
+DATAFILE="DATAFILE"
+DATE="DATE"
+DATETIME="DATETIME"
+DAY="DAY"
+DAY_HOUR="DAY_HOUR"
+DAY_MICROSECOND="DAY_MICROSECOND"
+DAY_MINUTE="DAY_MINUTE"
+DAY_SECOND="DAY_SECOND"
+DEALLOCATE="DEALLOCATE"
+DEC="DEC"
+DECIMAL="DECIMAL"
+DECLARE="DECLARE"
+DEFAULT="DEFAULT"
+DEFAULT_AUTH="DEFAULT_AUTH"
+DEFINER="DEFINER"
+DEFINITION="DEFINITION"
+DELAYED="DELAYED"
+DELAY_KEY_WRITE="DELAY_KEY_WRITE"
+DELETE="DELETE"
+DENSE_RANK="DENSE_RANK"
+DESC="DESC"
+DESCRIBE="DESCRIBE"
+DESCRIPTION="DESCRIPTION"
+DETERMINISTIC="DETERMINISTIC"
+DIAGNOSTICS="DIAGNOSTICS"
+DIRECTORY="DIRECTORY"
+DISABLE="DISABLE"
+DISCARD="DISCARD"
+DISK="DISK"
+DISTINCT="DISTINCT"
+DISTINCTROW="DISTINCTROW"
+DIV="DIV"
+DO="DO"
+DOUBLE="DOUBLE"
+DROP="DROP"
+DUAL="DUAL"
+DUMPFILE="DUMPFILE"
+DUPLICATE="DUPLICATE"
+DYNAMIC="DYNAMIC"
+EACH="EACH"
+ELSE="ELSE"
+ELSEIF="ELSEIF"
+EMPTY="EMPTY"
+ENABLE="ENABLE"
+ENCLOSED="ENCLOSED"
+ENCRYPTION="ENCRYPTION"
+END="END"
+ENDS="ENDS"
+ENFORCED="ENFORCED"
+ENGINE="ENGINE"
+ENGINES="ENGINES"
+ENUM="ENUM"
+ERROR="ERROR"
+ERRORS="ERRORS"
+ESCAPE="ESCAPE"
+ESCAPED="ESCAPED"
+EVENT="EVENT"
+EVENTS="EVENTS"
+EVERY="EVERY"
+EXCEPT="EXCEPT"
+EXCHANGE="EXCHANGE"
+EXCLUDE="EXCLUDE"
+EXECUTE="EXECUTE"
+EXISTS="EXISTS"
+EXIT="EXIT"
+EXPANSION="EXPANSION"
+EXPIRE="EXPIRE"
+EXPLAIN="EXPLAIN"
+EXPORT="EXPORT"
+EXTENDED="EXTENDED"
+EXTENT_SIZE="EXTENT_SIZE"
+FALSE="FALSE"
+FAST="FAST"
+FAULTS="FAULTS"
+FETCH="FETCH"
+FIELDS="FIELDS"
+FILE="FILE"
+FILE_BLOCK_SIZE="FILE_BLOCK_SIZE"
+FILTER="FILTER"
+FIRST="FIRST"
+FIRST_VALUE="FIRST_VALUE"
+FIXED="FIXED"
+FLOAT="FLOAT"
+FLOAT4="FLOAT4"
+FLOAT8="FLOAT8"
+FLUSH="FLUSH"
+FOLLOWING="FOLLOWING"
+FOLLOWS="FOLLOWS"
+FOR="FOR"
+FORCE="FORCE"
+FOREIGN="FOREIGN"
+FORMAT="FORMAT"
+FOUND="FOUND"
+FROM="FROM"
+FULL="FULL"
+FULLTEXT="FULLTEXT"
+FUNCTION="FUNCTION"
+GENERAL="GENERAL"
+GENERATED="GENERATED"
+GEOMCOLLECTION="GEOMCOLLECTION"
+GEOMETRY="GEOMETRY"
+GEOMETRYCOLLECTION="GEOMETRYCOLLECTION"
+GET="GET"
+GET_FORMAT="GET_FORMAT"
+GET_MASTER_PUBLIC_KEY="GET_MASTER_PUBLIC_KEY"
+GLOBAL="GLOBAL"
+GRANT="GRANT"
+GRANTS="GRANTS"
+GROUP="GROUP"
+GROUPING="GROUPING"
+GROUPS="GROUPS"
+GROUP_REPLICATION="GROUP_REPLICATION"
+HANDLER="HANDLER"
+HASH="HASH"
+HAVING="HAVING"
+HELP="HELP"
+HIGH_PRIORITY="HIGH_PRIORITY"
+HISTOGRAM="HISTOGRAM"
+HISTORY="HISTORY"
+HOST="HOST"
+HOSTS="HOSTS"
+HOUR="HOUR"
+HOUR_MICROSECOND="HOUR_MICROSECOND"
+HOUR_MINUTE="HOUR_MINUTE"
+HOUR_SECOND="HOUR_SECOND"
+IDENTIFIED="IDENTIFIED"
+IF="IF"
+IGNORE="IGNORE"
+IGNORE_SERVER_IDS="IGNORE_SERVER_IDS"
+IMPORT="IMPORT"
+IN="IN"
+INACTIVE="INACTIVE"
+INDEX="INDEX"
+INDEXES="INDEXES"
+INFILE="INFILE"
+INITIAL_SIZE="INITIAL_SIZE"
+INNER="INNER"
+INOUT="INOUT"
+INSENSITIVE="INSENSITIVE"
+INSERT="INSERT"
+INSERT_METHOD="INSERT_METHOD"
+INSTALL="INSTALL"
+INSTANCE="INSTANCE"
+INT="INT"
+INT1="INT1"
+INT2="INT2"
+INT3="INT3"
+INT4="INT4"
+INT8="INT8"
+INTEGER="INTEGER"
+INTERVAL="INTERVAL"
+INTO="INTO"
+INVISIBLE="INVISIBLE"
+INVOKER="INVOKER"
+IO="IO"
+IO_AFTER_GTIDS="IO_AFTER_GTIDS"
+IO_BEFORE_GTIDS="IO_BEFORE_GTIDS"
+IO_THREAD="IO_THREAD"
+IPC="IPC"
+IS="IS"
+ISOLATION="ISOLATION"
+ISSUER="ISSUER"
+ITERATE="ITERATE"
+JOIN="JOIN"
+JSON="JSON"
+JSON_TABLE="JSON_TABLE"
+KEY="KEY"
+KEYS="KEYS"
+KEY_BLOCK_SIZE="KEY_BLOCK_SIZE"
+KILL="KILL"
+LAG="LAG"
+LANGUAGE="LANGUAGE"
+LAST="LAST"
+LAST_VALUE="LAST_VALUE"
+LATERAL="LATERAL"
+LEAD="LEAD"
+LEADING="LEADING"
+LEAVE="LEAVE"
+LEAVES="LEAVES"
+LEFT="LEFT"
+LESS="LESS"
+LEVEL="LEVEL"
+LIKE="LIKE"
+LIMIT="LIMIT"
+LINEAR="LINEAR"
+LINES="LINES"
+LINESTRING="LINESTRING"
+LIST="LIST"
+LOAD="LOAD"
+LOCAL="LOCAL"
+LOCALTIME="LOCALTIME"
+LOCALTIMESTAMP="LOCALTIMESTAMP"
+LOCK="LOCK"
+LOCKED="LOCKED"
+LOCKS="LOCKS"
+LOGFILE="LOGFILE"
+LOGS="LOGS"
+LONG="LONG"
+LONGBLOB="LONGBLOB"
+LONGTEXT="LONGTEXT"
+LOOP="LOOP"
+LOW_PRIORITY="LOW_PRIORITY"
+MASTER="MASTER"
+MASTER_AUTO_POSITION="MASTER_AUTO_POSITION"
+MASTER_BIND="MASTER_BIND"
+MASTER_CONNECT_RETRY="MASTER_CONNECT_RETRY"
+MASTER_DELAY="MASTER_DELAY"
+MASTER_HEARTBEAT_PERIOD="MASTER_HEARTBEAT_PERIOD"
+MASTER_HOST="MASTER_HOST"
+MASTER_LOG_FILE="MASTER_LOG_FILE"
+MASTER_LOG_POS="MASTER_LOG_POS"
+MASTER_PASSWORD="MASTER_PASSWORD"
+MASTER_PORT="MASTER_PORT"
+MASTER_PUBLIC_KEY_PATH="MASTER_PUBLIC_KEY_PATH"
+MASTER_RETRY_COUNT="MASTER_RETRY_COUNT"
+MASTER_SERVER_ID="MASTER_SERVER_ID"
+MASTER_SSL="MASTER_SSL"
+MASTER_SSL_CA="MASTER_SSL_CA"
+MASTER_SSL_CAPATH="MASTER_SSL_CAPATH"
+MASTER_SSL_CERT="MASTER_SSL_CERT"
+MASTER_SSL_CIPHER="MASTER_SSL_CIPHER"
+MASTER_SSL_CRL="MASTER_SSL_CRL"
+MASTER_SSL_CRLPATH="MASTER_SSL_CRLPATH"
+MASTER_SSL_KEY="MASTER_SSL_KEY"
+MASTER_SSL_VERIFY_SERVER_CERT="MASTER_SSL_VERIFY_SERVER_CERT"
+MASTER_TLS_VERSION="MASTER_TLS_VERSION"
+MASTER_USER="MASTER_USER"
+MATCH="MATCH"
+MAXVALUE="MAXVALUE"
+MAX_CONNECTIONS_PER_HOUR="MAX_CONNECTIONS_PER_HOUR"
+MAX_QUERIES_PER_HOUR="MAX_QUERIES_PER_HOUR"
+MAX_ROWS="MAX_ROWS"
+MAX_SIZE="MAX_SIZE"
+MAX_UPDATES_PER_HOUR="MAX_UPDATES_PER_HOUR"
+MAX_USER_CONNECTIONS="MAX_USER_CONNECTIONS"
+MEDIUM="MEDIUM"
+MEDIUMBLOB="MEDIUMBLOB"
+MEDIUMINT="MEDIUMINT"
+MEDIUMTEXT="MEDIUMTEXT"
+MEMORY="MEMORY"
+MERGE="MERGE"
+MESSAGE_TEXT="MESSAGE_TEXT"
+MICROSECOND="MICROSECOND"
+MIDDLEINT="MIDDLEINT"
+MIGRATE="MIGRATE"
+MINUTE="MINUTE"
+MINUTE_MICROSECOND="MINUTE_MICROSECOND"
+MINUTE_SECOND="MINUTE_SECOND"
+MIN_ROWS="MIN_ROWS"
+MOD="MOD"
+MODE="MODE"
+MODIFIES="MODIFIES"
+MODIFY="MODIFY"
+MONTH="MONTH"
+MULTILINESTRING="MULTILINESTRING"
+MULTIPOINT="MULTIPOINT"
+MULTIPOLYGON="MULTIPOLYGON"
+MUTEX="MUTEX"
+MYSQL_ERRNO="MYSQL_ERRNO"
+NAME="NAME"
+NAMES="NAMES"
+NATIONAL="NATIONAL"
+NATURAL="NATURAL"
+NCHAR="NCHAR"
+NDB="NDB"
+NDBCLUSTER="NDBCLUSTER"
+NESTED="NESTED"
+NETWORK_NAMESPACE="NETWORK_NAMESPACE"
+NEVER="NEVER"
+NEW="NEW"
+NEXT="NEXT"
+NO="NO"
+NODEGROUP="NODEGROUP"
+NONE="NONE"
+NOT="NOT"
+NOWAIT="NOWAIT"
+NO_WAIT="NO_WAIT"
+NO_WRITE_TO_BINLOG="NO_WRITE_TO_BINLOG"
+NTH_VALUE="NTH_VALUE"
+NTILE="NTILE"
+NULL="NULL"
+NULLS="NULLS"
+NUMBER="NUMBER"
+NUMERIC="NUMERIC"
+NVARCHAR="NVARCHAR"
+OF="OF"
+OFFSET="OFFSET"
+OJ="OJ"
+OLD="OLD"
+ON="ON"
+ONE="ONE"
+ONLY="ONLY"
+OPEN="OPEN"
+OPTIMIZE="OPTIMIZE"
+OPTIMIZER_COSTS="OPTIMIZER_COSTS"
+OPTION="OPTION"
+OPTIONAL="OPTIONAL"
+OPTIONALLY="OPTIONALLY"
+OPTIONS="OPTIONS"
+OR="OR"
+ORDER="ORDER"
+ORDINALITY="ORDINALITY"
+ORGANIZATION="ORGANIZATION"
+OTHERS="OTHERS"
+OUT="OUT"
+OUTER="OUTER"
+OUTFILE="OUTFILE"
+OVER="OVER"
+OWNER="OWNER"
+PACK_KEYS="PACK_KEYS"
+PAGE="PAGE"
+PARSER="PARSER"
+PARTIAL="PARTIAL"
+PARTITION="PARTITION"
+PARTITIONING="PARTITIONING"
+PARTITIONS="PARTITIONS"
+PASSWORD="PASSWORD"
+PATH="PATH"
+PERCENT_RANK="PERCENT_RANK"
+PERSIST="PERSIST"
+PERSIST_ONLY="PERSIST_ONLY"
+PHASE="PHASE"
+PLUGIN="PLUGIN"
+PLUGINS="PLUGINS"
+PLUGIN_DIR="PLUGIN_DIR"
+POINT="POINT"
+POLYGON="POLYGON"
+PORT="PORT"
+PRECEDES="PRECEDES"
+PRECEDING="PRECEDING"
+PRECISION="PRECISION"
+PREPARE="PREPARE"
+PRESERVE="PRESERVE"
+PREV="PREV"
+PRIMARY="PRIMARY"
+PRIVILEGES="PRIVILEGES"
+PROCEDURE="PROCEDURE"
+PROCESS="PROCESS"
+PROCESSLIST="PROCESSLIST"
+PROFILE="PROFILE"
+PROFILES="PROFILES"
+PROXY="PROXY"
+PURGE="PURGE"
+QUARTER="QUARTER"
+QUERY="QUERY"
+QUICK="QUICK"
+RANGE="RANGE"
+RANK="RANK"
+READ="READ"
+READS="READS"
+READ_ONLY="READ_ONLY"
+READ_WRITE="READ_WRITE"
+REAL="REAL"
+REBUILD="REBUILD"
+RECOVER="RECOVER"
+RECURSIVE="RECURSIVE"
+REDO_BUFFER_SIZE="REDO_BUFFER_SIZE"
+REDUNDANT="REDUNDANT"
+REFERENCE="REFERENCE"
+REFERENCES="REFERENCES"
+REGEXP="REGEXP"
+RELAY="RELAY"
+RELAYLOG="RELAYLOG"
+RELAY_LOG_FILE="RELAY_LOG_FILE"
+RELAY_LOG_POS="RELAY_LOG_POS"
+RELAY_THREAD="RELAY_THREAD"
+RELEASE="RELEASE"
+RELOAD="RELOAD"
+REMOVE="REMOVE"
+RENAME="RENAME"
+REORGANIZE="REORGANIZE"
+REPAIR="REPAIR"
+REPEAT="REPEAT"
+REPEATABLE="REPEATABLE"
+REPLACE="REPLACE"
+REPLICATE_DO_DB="REPLICATE_DO_DB"
+REPLICATE_DO_TABLE="REPLICATE_DO_TABLE"
+REPLICATE_IGNORE_DB="REPLICATE_IGNORE_DB"
+REPLICATE_IGNORE_TABLE="REPLICATE_IGNORE_TABLE"
+REPLICATE_REWRITE_DB="REPLICATE_REWRITE_DB"
+REPLICATE_WILD_DO_TABLE="REPLICATE_WILD_DO_TABLE"
+REPLICATE_WILD_IGNORE_TABLE="REPLICATE_WILD_IGNORE_TABLE"
+REPLICATION="REPLICATION"
+REQUIRE="REQUIRE"
+RESET="RESET"
+RESIGNAL="RESIGNAL"
+RESOURCE="RESOURCE"
+RESPECT="RESPECT"
+RESTART="RESTART"
+RESTORE="RESTORE"
+RESTRICT="RESTRICT"
+RESUME="RESUME"
+RETAIN="RETAIN"
+RETURN="RETURN"
+RETURNED_SQLSTATE="RETURNED_SQLSTATE"
+RETURNS="RETURNS"
+REUSE="REUSE"
+REVERSE="REVERSE"
+REVOKE="REVOKE"
+RIGHT="RIGHT"
+RLIKE="RLIKE"
+ROLE="ROLE"
+ROLLBACK="ROLLBACK"
+ROLLUP="ROLLUP"
+ROTATE="ROTATE"
+ROUTINE="ROUTINE"
+ROW="ROW"
+ROWS="ROWS"
+ROW_COUNT="ROW_COUNT"
+ROW_FORMAT="ROW_FORMAT"
+ROW_NUMBER="ROW_NUMBER"
+RTREE="RTREE"
+SAVEPOINT="SAVEPOINT"
+SCHEDULE="SCHEDULE"
+SCHEMA="SCHEMA"
+SCHEMAS="SCHEMAS"
+SCHEMA_NAME="SCHEMA_NAME"
+SECOND="SECOND"
+SECONDARY="SECONDARY"
+SECONDARY_ENGINE="SECONDARY_ENGINE"
+SECONDARY_LOAD="SECONDARY_LOAD"
+SECONDARY_UNLOAD="SECONDARY_UNLOAD"
+SECOND_MICROSECOND="SECOND_MICROSECOND"
+SECURITY="SECURITY"
+SELECT="SELECT"
+SENSITIVE="SENSITIVE"
+SEPARATOR="SEPARATOR"
+SERIAL="SERIAL"
+SERIALIZABLE="SERIALIZABLE"
+SERVER="SERVER"
+SESSION="SESSION"
+SET="SET"
+SHARE="SHARE"
+SHOW="SHOW"
+SHUTDOWN="SHUTDOWN"
+SIGNAL="SIGNAL"
+SIGNED="SIGNED"
+SIMPLE="SIMPLE"
+SKIP="SKIP"
+SLAVE="SLAVE"
+SLOW="SLOW"
+SMALLINT="SMALLINT"
+SNAPSHOT="SNAPSHOT"
+SOCKET="SOCKET"
+SOME="SOME"
+SONAME="SONAME"
+SOUNDS="SOUNDS"
+SOURCE="SOURCE"
+SPATIAL="SPATIAL"
+SPECIFIC="SPECIFIC"
+SQL="SQL"
+SQLEXCEPTION="SQLEXCEPTION"
+SQLSTATE="SQLSTATE"
+SQLWARNING="SQLWARNING"
+SQL_AFTER_GTIDS="SQL_AFTER_GTIDS"
+SQL_AFTER_MTS_GAPS="SQL_AFTER_MTS_GAPS"
+SQL_BEFORE_GTIDS="SQL_BEFORE_GTIDS"
+SQL_BIG_RESULT="SQL_BIG_RESULT"
+SQL_BUFFER_RESULT="SQL_BUFFER_RESULT"
+SQL_CALC_FOUND_ROWS="SQL_CALC_FOUND_ROWS"
+SQL_NO_CACHE="SQL_NO_CACHE"
+SQL_SMALL_RESULT="SQL_SMALL_RESULT"
+SQL_THREAD="SQL_THREAD"
+SQL_TSI_DAY="SQL_TSI_DAY"
+SQL_TSI_HOUR="SQL_TSI_HOUR"
+SQL_TSI_MINUTE="SQL_TSI_MINUTE"
+SQL_TSI_MONTH="SQL_TSI_MONTH"
+SQL_TSI_QUARTER="SQL_TSI_QUARTER"
+SQL_TSI_SECOND="SQL_TSI_SECOND"
+SQL_TSI_WEEK="SQL_TSI_WEEK"
+SQL_TSI_YEAR="SQL_TSI_YEAR"
+SRID="SRID"
+SSL="SSL"
+STACKED="STACKED"
+START="START"
+STARTING="STARTING"
+STARTS="STARTS"
+STATS_AUTO_RECALC="STATS_AUTO_RECALC"
+STATS_PERSISTENT="STATS_PERSISTENT"
+STATS_SAMPLE_PAGES="STATS_SAMPLE_PAGES"
+STATUS="STATUS"
+STOP="STOP"
+STORAGE="STORAGE"
+STORED="STORED"
+STRAIGHT_JOIN="STRAIGHT_JOIN"
+STRING="STRING"
+SUBCLASS_ORIGIN="SUBCLASS_ORIGIN"
+SUBJECT="SUBJECT"
+SUBPARTITION="SUBPARTITION"
+SUBPARTITIONS="SUBPARTITIONS"
+SUPER="SUPER"
+SUSPEND="SUSPEND"
+SWAPS="SWAPS"
+SWITCHES="SWITCHES"
+SYSTEM="SYSTEM"
+TABLE="TABLE"
+TABLES="TABLES"
+TABLESPACE="TABLESPACE"
+TABLE_CHECKSUM="TABLE_CHECKSUM"
+TABLE_NAME="TABLE_NAME"
+TEMPORARY="TEMPORARY"
+TEMPTABLE="TEMPTABLE"
+TERMINATED="TERMINATED"
+TEXT="TEXT"
+THAN="THAN"
+THEN="THEN"
+THREAD_PRIORITY="THREAD_PRIORITY"
+TIES="TIES"
+TIME="TIME"
+TIMESTAMP="TIMESTAMP"
+TIMESTAMPADD="TIMESTAMPADD"
+TIMESTAMPDIFF="TIMESTAMPDIFF"
+TINYBLOB="TINYBLOB"
+TINYINT="TINYINT"
+TINYTEXT="TINYTEXT"
+TO="TO"
+TRAILING="TRAILING"
+TRANSACTION="TRANSACTION"
+TRIGGER="TRIGGER"
+TRIGGERS="TRIGGERS"
+TRUE="TRUE"
+TRUNCATE="TRUNCATE"
+TYPE="TYPE"
+TYPES="TYPES"
+UNBOUNDED="UNBOUNDED"
+UNCOMMITTED="UNCOMMITTED"
+UNDEFINED="UNDEFINED"
+UNDO="UNDO"
+UNDOFILE="UNDOFILE"
+UNDO_BUFFER_SIZE="UNDO_BUFFER_SIZE"
+UNICODE="UNICODE"
+UNINSTALL="UNINSTALL"
+UNION="UNION"
+UNIQUE="UNIQUE"
+UNKNOWN="UNKNOWN"
+UNLOCK="UNLOCK"
+UNSIGNED="UNSIGNED"
+UNTIL="UNTIL"
+UPDATE="UPDATE"
+UPGRADE="UPGRADE"
+USAGE="USAGE"
+USE="USE"
+USER="USER"
+USER_RESOURCES="USER_RESOURCES"
+USE_FRM="USE_FRM"
+USING="USING"
+UTC_DATE="UTC_DATE"
+UTC_TIME="UTC_TIME"
+UTC_TIMESTAMP="UTC_TIMESTAMP"
+VALIDATION="VALIDATION"
+VALUE="VALUE"
+VALUES="VALUES"
+VARBINARY="VARBINARY"
+VARCHAR="VARCHAR"
+VARCHARACTER="VARCHARACTER"
+VARIABLES="VARIABLES"
+VARYING="VARYING"
+VCPU="VCPU"
+VIEW="VIEW"
+VIRTUAL="VIRTUAL"
+VISIBLE="VISIBLE"
+WAIT="WAIT"
+WARNINGS="WARNINGS"
+WEEK="WEEK"
+WEIGHT_STRING="WEIGHT_STRING"
+WHEN="WHEN"
+WHERE="WHERE"
+WHILE="WHILE"
+WINDOW="WINDOW"
+WITH="WITH"
+WITHOUT="WITHOUT"
+WORK="WORK"
+WRAPPER="WRAPPER"
+WRITE="WRITE"
+X509="X509"
+XA="XA"
+XID="XID"
+XML="XML"
+XOR="XOR"
+YEAR="YEAR"
+YEAR_MONTH="YEAR_MONTH"
+ZEROFILL="ZEROFILL"

dictionaries/exif.dict

@@ -0,0 +1,222 @@
+"\x00\x01"
+"\x00\x02"
+"\x00\x10"
+"\x00\x90"
+"\x00\xa0"
+"\x00\xa3"
+"\x00\xa5"
+"\x00\xfe"
+"\x01\x00"
+"\x01\x01"
+"\x01\x02"
+"\x01\x03"
+"\x01\x06"
+"\x01\x0a"
+"\x01\x0d"
+"\x01\x0e"
+"\x01\x0f"
+"\x01\x10"
+"\x01\x11"
+"\x01\x12"
+"\x01\x15"
+"\x01\x16"
+"\x01\x17"
+"\x01\x1a"
+"\x01\x1b"
+"\x01\x1c"
+"\x01\x28"
+"\x01\x2d"
+"\x01\x31"
+"\x01\x32"
+"\x01\x3b"
+"\x01\x3e"
+"\x01\x3f"
+"\x01\x4a"
+"\x01\x56"
+"\x01\x91"
+"\x01\x92"
+"\x01\xa0"
+"\x01\xa3"
+"\x01\xa4"
+"\x02\x00"
+"\x02\x01"
+"\x02\x02"
+"\x02\x10"
+"\x02\x11"
+"\x02\x12"
+"\x02\x13"
+"\x02\x14"
+"\x02\x91"
+"\x02\x92"
+"\x02\xa0"
+"\x02\xa3"
+"\x02\xa4"
+"\x02\xbc"
+"\x03\x01"
+"\x03\x90"
+"\x03\x92"
+"\x03\xa0"
+"\x03\xa4"
+"\x04\x90"
+"\x04\x92"
+"\x04\xa0"
+"\x04\xa4"
+"\x05\x92"
+"\x05\xa0"
+"\x05\xa4"
+"\x06\x01"
+"\x06\x92"
+"\x06\xa4"
+"\x07\x92"
+"\x07\xa4"
+"\x08\x92"
+"\x08\xa4"
+"\x09\x92"
+"\x09\xa4"
+"\x0a\x01"
+"\x0a\x92"
+"\x0a\xa4"
+"\x0b\xa2"
+"\x0b\xa4"
+"\x0c\xa2"
+"\x0c\xa4"
+"\x0d\x01"
+"\x0e\x01"
+"\x0e\xa2"
+"\x0f\x01"
+"\x0f\xa2"
+"\x10\x00"
+"\x10\x01"
+"\x10\x02"
+"\x10\xa2"
+"\x11\x01"
+"\x11\x02"
+"\x12\x01"
+"\x12\x02"
+"\x13\x02"
+"\x14\x02"
+"\x14\x92"
+"\x14\xa2"
+"\x15\x01"
+"\x15\xa2"
+"\x16\x01"
+"\x16\x92"
+"\x17\x01"
+"\x17\xa2"
+"\x1a\x01"
+"\x1b\x01"
+"\x1c\x01"
+"\x1c\xea"
+"\x20\xa4"
+"\x22\x88"
+"\x24\x88"
+"\x25\x88"
+"\x27\x88"
+"\x28\x01"
+"\x28\x88"
+"\x2a\x88"
+"\x2d\x01"
+"\x31\x01"
+"\x32\x01"
+"\x3b\x01"
+"\x3e\x01"
+"\x3f\x01"
+"\x49\x86"
+"\x4a\x01"
+"\x56\x01"
+"\x69\x87"
+"\x73\x87"
+"\x7c\x92"
+"\x82\x8d"
+"\x82\x8e"
+"\x82\x8f"
+"\x82\x98"
+"\x82\x9a"
+"\x82\x9d"
+"\x83\xbb"
+"\x86\x49"
+"\x86\x92"
+"\x87\x69"
+"\x87\x73"
+"\x88\x22"
+"\x88\x24"
+"\x88\x25"
+"\x88\x27"
+"\x88\x28"
+"\x88\x2a"
+"\x8d\x82"
+"\x8e\x82"
+"\x8f\x82"
+"\x90\x00"
+"\x90\x03"
+"\x90\x04"
+"\x90\x92"
+"\x91\x01"
+"\x91\x02"
+"\x91\x92"
+"\x92\x01"
+"\x92\x02"
+"\x92\x03"
+"\x92\x04"
+"\x92\x05"
+"\x92\x06"
+"\x92\x07"
+"\x92\x08"
+"\x92\x09"
+"\x92\x0a"
+"\x92\x14"
+"\x92\x16"
+"\x92\x7c"
+"\x92\x86"
+"\x92\x90"
+"\x92\x91"
+"\x92\x92"
+"\x98\x82"
+"\x9a\x82"
+"\x9b\x9c"
+"\x9c\x9b"
+"\x9c\x9c"
+"\x9c\x9d"
+"\x9c\x9e"
+"\x9c\x9f"
+"\x9d\x82"
+"\x9d\x9c"
+"\x9e\x9c"
+"\x9f\x9c"
+"\xa0\x00"
+"\xa0\x01"
+"\xa0\x02"
+"\xa0\x03"
+"\xa0\x04"
+"\xa0\x05"
+"\xa2\x0b"
+"\xa2\x0c"
+"\xa2\x0e"
+"\xa2\x0f"
+"\xa2\x10"
+"\xa2\x14"
+"\xa2\x15"
+"\xa2\x17"
+"\xa3\x00"
+"\xa3\x01"
+"\xa3\x02"
+"\xa4\x01"
+"\xa4\x02"
+"\xa4\x03"
+"\xa4\x04"
+"\xa4\x05"
+"\xa4\x06"
+"\xa4\x07"
+"\xa4\x08"
+"\xa4\x09"
+"\xa4\x0a"
+"\xa4\x0b"
+"\xa4\x0c"
+"\xa4\x20"
+"\xa5\x00"
+"\xa5\xc4"
+"\xbb\x83"
+"\xbc\x02"
+"\xc4\xa5"
+"\xea\x1c"
+"\xfe\x00"

dictionaries/fbs.dict

@@ -0,0 +1,42 @@
+# spec: https://google.github.io/flatbuffers/flatbuffers_grammar.html
+
+attribute="attribute"
+bool="bool"
+byte="byte"
+double="double"
+enum="enum"
+false="false"
+file_extension="file_extension"
+float32="float32"
+float64="float64"
+float="float"
+include="include"
+inf="inf"
+infinity="infinity"
+int16="int16"
+int32="int32"
+int64="int64"
+int8="int8"
+int="int"
+long="long"
+namespace="namespace"
+nan="nan"
+root_type="root_type"
+root_type="root_type"
+rpc_service="rpc_service"
+short="short"
+string="string"
+struct="struct"
+table="table"
+true="true"
+ubyte="ubyte"
+uint16="uint16"
+uint32="uint32"
+uint64="uint64"
+uint="uint"
+ulong="ulong"
+union="union"
+ushort="ushort"
+
+separator=":"
+eol=";"

dictionaries/ftp.dict

@@ -0,0 +1,124 @@
+# from https://github.com/antonio-morales/Fuzzing/Dictionaries/FTP/Example.dict.txt
+#Parameters
+#tls = {0,1,2,3}
+
+#Input1
+"user"
+"pass"
+"syst"
+"acct"
+"feat"
+"noop"
+"help"
+"stat"
+"stru"
+"adat"
+"site"
+
+#Input2
+"mkd"
+"cwd"
+"pwd"
+"cdup"
+
+#Input3
+"port"
+"list"
+"mlst"
+"nlst"
+"mlsd"
+
+#Input4
+"rmd"
+
+#Input5
+"stor"
+
+#Input6
+"retr"
+
+#Input7
+"dele"
+
+#Input8
+"pasv"
+
+#Input9
+"epsv"
+
+#Input10
+"type"
+"size"
+
+#Input11
+"mode"
+
+#Input12
+"rnfr"
+"rnto"
+
+#Input13
+"appe"
+
+#Input14
+"allo"
+"quit"
+
+#Input15
+"connect"
+
+#Input16
+"esta"
+"estp"
+
+#Input17
+"mdtm"
+"opts"
+"eprt"
+
+#Input18
+"mfmt"
+"pret"
+"stou"
+"rest"
+
+
+#-------------------------------------
+"\x00"
+"\x0d\x0a"
+"\x0d"
+"\x0a"
+"-"
+"-a "
+"-C "
+"-d "
+"-F "
+"-l "
+"-r "
+"-R "
+"-S "
+"-t"
+" "
+"fuzzing"
+"test"
+"teste"
+".txt"
+"test.txt"
+" UTC"
+"C"
+"E"
+"P"
+"S"
+"abor"
+
+#ifdef WITH_TLS
+"pbsz"
+"auth"
+"prot"
+"ccc"
+
+#ifdef DEBUG
+"xdbg"
+
+# ifdef WITH_DIRALIASES
+"alias"

dictionaries/gif.dict

@@ -2,7 +2,7 @@
 # AFL dictionary for GIF images
 # -----------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_87a="87a"

dictionaries/graphviz.dict

@@ -0,0 +1,373 @@
+# Semi-manually curated list of interesting words within a graphviz input file.
+# TODO(robhart): Consider expanding from:
+#   - htmllex.c
+#   - ?
+# Not included exhaustive list of colortables, fontnames, etc. that are unlikely
+# to influence core graphviz behaviour.
+
+# Attributes (from http://www.graphviz.org/doc/info/attrs.html)
+"Damping"
+"K"
+"URL"
+"_background"
+"area"
+"arrowhead"
+"arrowsize"
+"arrowtail"
+"bb"
+"bgcolor"
+"colorList"
+"center"
+"charset"
+"clusterrank"
+"color"
+"colorList"
+"colorscheme"
+"comment"
+"compound"
+"concentrate"
+"constraint"
+"decorate"
+"defaultdist"
+"dim"
+"dimen"
+"dir"
+"diredgeconstraints"
+"distortion"
+"dpi"
+"edgeURL"
+"edgehref"
+"edgetarget"
+"edgetooltip"
+"epsilon"
+"esep"
+"fillcolor"
+"fixedsize"
+"fontcolor"
+"fontname"
+"fontnames"
+"fontpath"
+"fontsize"
+"forcelabels"
+"gradientangle"
+"group"
+"headURL"
+"head_lp"
+"headclip"
+"headhref"
+"headlabel"
+"headport"
+"headtarget"
+"headtooltip"
+"height"
+"href"
+"id"
+"image"
+"imagepath"
+"imagescale"
+"inputscale"
+"label"
+"labelURL"
+"label_scheme"
+"labelangle"
+"labeldistance"
+"labelfloat"
+"labelfontcolor"
+"labelfontname"
+"labelfontsize"
+"labelhref"
+"labeljust"
+"labelloc"
+"labeltarget"
+"labeltooltip"
+"landscape"
+"layer"
+"layerlistsep"
+"layers"
+"layerselect"
+"layersep"
+"layout"
+"len"
+"levels"
+"levelsgap"
+"lhead"
+"lheight"
+"lp"
+"ltail"
+"lwidth"
+"margin"
+"maxiter"
+"mclimit"
+"mindist"
+"minlen"
+"mode"
+"model"
+"mosek"
+"newrank"
+"nodesep"
+"nojustify"
+"normalize"
+"notranslate"
+"nslimit "
+"nslimit1"
+"ordering"
+"orientation"
+"OrientationGraph"
+"outputorder"
+"overlap"
+"overlap_scaling"
+"overlap_shrink"
+"pack"
+"packmode"
+"pad"
+"point"
+"page"
+"point"
+"pagedir"
+"pencolor"
+"penwidth"
+"peripheries"
+"pin"
+"pos"
+"splineType"
+"quadtree"
+"quantum"
+"rank"
+"rankdir"
+"ranksep"
+"ratio"
+"string"
+"rects"
+"regular"
+"remincross"
+"RemoveOverlaps"
+"repulsiveforce"
+"resolution"
+"root"
+"rotate"
+"rotation"
+"samehead"
+"sametail"
+"samplepoints"
+"scale"
+"searchsize"
+"sep"
+"setlinewidth"
+"shape"
+"shapefile"
+"showboxes"
+"sides"
+"size"
+"skew"
+"smoothing"
+"sortv"
+"splines"
+"string"
+"start"
+"style"
+"stylesheet"
+"tailURL"
+"tail_lp"
+"tailclip"
+"tailhref"
+"taillabel"
+"tailport"
+"tailtarget"
+"tailtooltip"
+"target"
+"tooltip"
+"truecolor"
+"vertices"
+"viewport"
+"voro_margin"
+"weight"
+"width"
+"xdotversion"
+"xlabel"
+"xlp"
+"z"
+
+# Shapes (from shapes.c)
+"box"
+"polygon"
+"ellipse"
+"oval"
+"circle"
+"point"
+"egg"
+"triangle"
+"none"
+"plaintext"
+"plain"
+"diamond"
+"trapezium"
+"parallelogram"
+"house"
+"pentagon"
+"hexagon"
+"septagon"
+"octagon"
+"note"
+"tab"
+"folder"
+"box3d"
+"component"
+"cylinder"
+"rect"
+"rectangle"
+"square"
+"doublecircle"
+"doubleoctagon"
+"tripleoctagon"
+"invtriangle"
+"invtrapezium"
+"invhouse"
+"underline"
+"Mdiamond"
+"Msquare"
+"Mcircle"
+"DotGraphs"
+
+"promoter"
+"cds"
+"terminator"
+"utr"
+"insulator"
+"ribosite"
+"rnastab"
+"proteasesite"
+"proteinstab"
+
+"primersite"
+"restrictionsite"
+"fivepoverhang"
+"threepoverhang"
+"noverhang"
+"assembly"
+"signature"
+"rpromoter"
+"larrow"
+"rarrow"
+"lpromoter"
+
+"record"
+"Mrecord"
+"epsf"
+"star"
+
+# styles
+"bold"
+"dashed"
+"diagonals"
+"dotted"
+"filled"
+"invis"
+"radial"
+"rounded"
+"solid"
+"striped"
+"tapered"
+"wedged"
+
+
+# misc -- https://graphviz.gitlab.io/_pages/doc/info/lang.html
+"node"
+"edge"
+"digraph"
+"subgraph"
+"strict"
+"same"
+"->"
+"--"
+" {A B} "
+" a -- b "
+# Special value for the "shape" attribute
+"epsf"
+
+# html
+"=\""
+"<table"
+"<tr"
+"<td"
+"<font"
+"<br"
+"<img"
+"<i"
+"<b"
+"<u"
+"<o"
+"<sub"
+"<sup"
+"<s"
+"<hr"
+"<vr"
+
+# html attributes
+"align"
+"balign"
+"bgcolor"
+"border"
+"cellborder"
+"cellpadding"
+"cellspacing"
+"color"
+"colspan"
+"columns"
+"face"
+"fixedsize"
+"gradientangle"
+"height"
+"href"
+"id"
+"point-size"
+"port"
+"rows"
+"rowspan"
+"scale"
+"sides"
+"src"
+"style"
+"target"
+"title"
+"tooltip"
+"valign"
+"width"
+
+# arrow spaces
+"box"
+"crow"
+"curve"
+"icurve"
+"diamond"
+"dot"
+"inv"
+"none"
+"normal"
+"tee"
+"vee"
+
+
+# Examples of parameters
+"%f"
+"50,50,.5,'2.8 BSD'"
+"100,100,2,450,-1"
+"none"
+"avg_dist"
+"graph_dist"
+"power_dist"
+"rng"
+"spring"
+"triangle"
+"same"
+"min"
+"source"
+"max"
+"sink"
+"node"
+"clust"
+"graph"
+"array_flags"
+"%2x"
+"%s"
+"%99$p"
+"%n"

dictionaries/heif.dict

@@ -0,0 +1,76 @@
+# https://standards.iso.org/ittf/PubliclyAvailableStandards/c066067_ISO_IEC_23008-12_2017.zip
+
+"altr"
+"auxC"
+"auxc"
+"auxi"
+"auxv"
+"avcC"
+"avci"
+"avcs"
+"ccst"
+"cdsc"
+"clap"
+"colr"
+"dimg"
+"dinf"
+"dref"
+"elst"
+"equi"
+"free"
+"frma"
+"ftyp"
+"grid"
+"grp1"
+"hdlr"
+"heic"
+"heim"
+"heis"
+"heix"
+"hevc"
+"hevx"
+"hvc1"
+"hvc2"
+"hvcC"
+"idat"
+"iden"
+"iinf"
+"iloc"
+"imir"
+"infe"
+"iovl"
+"ipro"
+"iprp"
+"iref"
+"irot"
+"ispe"
+"jpeg"
+"jpgC"
+"jpgs"
+"lhv1"
+"lhvC"
+"lsel"
+"mdat"
+"meta"
+"mif1"
+"mime"
+"mjpg"
+"msf1"
+"oinf"
+"pasp"
+"pict"
+"pitm"
+"pixi"
+"refs"
+"rloc"
+"schi"
+"schm"
+"sgpd"
+"sinf"
+"skip"
+"stsz"
+"subs"
+"thmb"
+"tkhd"
+"tols"
+"trak"

dictionaries/hoextdown.dict

@@ -0,0 +1,49 @@
+asterisk="*"
+attr_generic=" a=\"1\""
+attr_href=" href=\"1\""
+attr_xml_lang=" xml:lang=\"1\""
+attr_xmlns=" xmlns=\"1\""
+backslash="\\"
+backtick="`"
+colon=":"
+dashes="---"
+double_quote="\""
+entity_builtin="<"
+entity_decimal=""
+entity_external="&a;"
+entity_hex=""
+equals="==="
+exclamation="!"
+greater_than=">"
+hash="#"
+hyphen="-"
+indent="  "
+left_bracket="["
+left_paren="("
+less_than="<"
+plus="+"
+right_bracket="]"
+right_paren=")"
+single_quote="'"
+string_any="ANY"
+string_brackets="[]"
+string_cdata="CDATA"
+string_dashes="--"
+string_empty_dblquotes="\"\""
+string_empty_quotes="''"
+string_idrefs="IDREFS"
+string_parentheses="()"
+string_pcdata="#PCDATA"
+tag_cdata="<![CDATA["
+tag_close="</a>"
+tag_doctype="<!DOCTYPE"
+tag_element="<!ELEMENT"
+tag_entity="<!ENTITY"
+tag_notation="<!NOTATION"
+tag_open="<a>"
+tag_open_close="<a />"
+tag_open_exclamation="<!"
+tag_open_q="<?"
+tag_sq2_close="]]>"
+tag_xml_q="<?xml?>"
+underscore="_"

dictionaries/html_tags.dict

@@ -5,7 +5,7 @@
 # A basic collection of HTML tags likely to matter to HTML parsers. Does *not*
 # include any attributes or attribute values.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 tag_a="<a>"

dictionaries/http.dict

@@ -0,0 +1,119 @@
+# Sources: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
+
+# misc
+"HTTP/1.1"
+
+# verbs
+"CONNECT"
+"DELETE"
+"GET"
+"HEAD"
+"OPTIONS"
+"PATCH"
+"POST"
+"PUT"
+"TRACE"
+
+
+# Fields
+"A-IM"
+"Accept"
+"Accept-Charset"
+"Accept-Datetime"
+"Accept-Encoding"
+"Accept-Language"
+"Accept-Patch"
+"Accept-Ranges"
+"Access-Control-Allow-Credentials"
+"Access-Control-Allow-Headers"
+"Access-Control-Allow-Methods"
+"Access-Control-Allow-Origin"
+"Access-Control-Expose-Headers"
+"Access-Control-Max-Age"
+"Access-Control-Request-Headers"
+"Access-Control-Request-Method"
+"Age"
+"Allow"
+"Alt-Svc"
+"Authorization"
+"Cache-Control"
+"Connection"
+"Connection:"
+"Content-Disposition"
+"Content-Encoding"
+"Content-Language"
+"Content-Length"
+"Content-Location"
+"Content-MD5"
+"Content-Range"
+"Content-Security-Policy"
+"Content-Type"
+"Cookie"
+"DNT"
+"Date"
+"Delta-Base"
+"ETag"
+"Expect"
+"Expires"
+"Forwarded"
+"From"
+"Front-End-Https"
+"HTTP2-Settings"
+"Host"
+"IM"
+"If-Match"
+"If-Modified-Since"
+"If-None-Match"
+"If-Range"
+"If-Unmodified-Since"
+"Last-Modified"
+"Link"
+"Location"
+"Max-Forwards"
+"Origin"
+"P3P"
+"Pragma"
+"Proxy-Authenticate"
+"Proxy-Authorization"
+"Proxy-Connection"
+"Public-Key-Pins"
+"Range"
+"Referer"
+"Refresh"
+"Retry-After"
+"Save-Data"
+"Server"
+"Set-Cookie"
+"Status"
+"Strict-Transport-Security"
+"TE"
+"Timing-Allow-Origin"
+"Tk"
+"Trailer"
+"Transfer-Encoding"
+"Upgrade"
+"Upgrade-Insecure-Requests"
+"User-Agent"
+"Vary"
+"Via"
+"WWW-Authenticate"
+"Warning"
+"X-ATT-DeviceId"
+"X-Content-Duration"
+"X-Content-Security-Policy"
+"X-Content-Type-Options"
+"X-Correlation-ID"
+"X-Csrf-Token"
+"X-Forwarded-For"
+"X-Forwarded-Host"
+"X-Forwarded-Proto"
+"X-Frame-Options"
+"X-Http-Method-Override"
+"X-Powered-By"
+"X-Request-ID"
+"X-Requested-With"
+"X-UA-Compatible"
+"X-UIDH"
+"X-Wap-Profile"
+"X-WebKit-CSP"
+"X-XSS-Protection"

dictionaries/icc.dict

@@ -0,0 +1,591 @@
+# See http://www.color.org/specification/ICC.2-2019.pdf
+
+magic="acsp"
+
+# spectral encoding
+"rs"
+"ts"
+"es"
+"bs"
+"sm"
+"mc"
+
+# Profile classes
+"scnr"
+"mntr"
+"prtr"
+"link"
+"spac"
+"abst"
+"nmcl"
+"cenc"
+"mod "
+"mlnk"
+"mvis"
+
+# Data colour space field
+"XYZ "
+"Lab "
+"Luv "
+"YVbr"
+"Yxy "
+"LMS "
+"RGB "
+"GRAY"
+"HSV "
+"HLS "
+"CMYK"
+"CMY "
+"2CLR"
+"3CLR"
+"4CLR"
+"5CLR"
+"6CLR"
+"7CLR"
+"8CLR"
+"9CLR"
+"ACLR"
+"BCLR"
+"CCLR"
+"DCLR"
+"ECLR"
+"FCLR"
+"nc"
+"YCC"
+
+# primary platforms
+"APPL"
+"MSFT"
+"SGI "
+"SUNW"
+
+
+# Tags
+"A2B0"
+"A2B1"
+"A2B2"
+"A2B3"
+"A2M0"
+"bcp0"
+"bcp1"
+"bcp2"
+"bcp3"
+"bsp0"
+"bsp1"
+"bsp2"
+"bsp3"
+"bAB0"
+"bAB1"
+"bAB2"
+"bAB3"
+"bBA0"
+"bBA1"
+"bBA2"
+"bBA3"
+"bBD0"
+"bBD1"
+"bBD2"
+"bBD3"
+"bDB0"
+"bDB1"
+"bDB2"
+"bDB3"
+"bMB0"
+"bMB1"
+"bMB2"
+"bMB3"
+"bMS0"
+"bMS1"
+"bMS2"
+"bMS3"
+"B2A0"
+"B2A1"
+"B2A2"
+"B2A3"
+"B2D0"
+"B2D1"
+"B2D2"
+"B2D3"
+"calt"
+"targ"
+"cept"
+"csnm"
+"clro"
+"cloo"
+"clin"
+"clio"
+"ciis"
+"cprt"
+"c2sp"
+"cxF "
+"dmnd"
+"dmdd"
+"dAB0"
+"dAB2"
+"dAB3"
+"dAB4"
+"dBA0"
+"dBA1"
+"dBA2"
+"dBA3"
+"dBD0"
+"dBD1"
+"dBD2"
+"dBD3"
+"dDB0"
+"dDB1"
+"dDB2"
+"dDB3"
+"d2B0"
+"d2B1"
+"d2B2"
+"d2B3"
+"gbd0"
+"gbd1"
+"gbd2"
+"gbd3"
+"mdv "
+"mcta"
+"minf"
+"miin"
+"wtpt"
+"meta"
+"M2A0"
+"M2B0"
+"M2B1"
+"M2B2"
+"M2B3"
+"M2S0"
+"M2S1"
+"M2S2"
+"M2S3"
+"nmcl"
+"rig0"
+"desc"
+"psin"
+"rfnm"
+"rig2"
+"svcn"
+"swpt"
+"s2cp"
+"smap"
+"tech"
+
+# tag types
+"clro"
+"curv"
+"data"
+"dtim"
+"dict"
+"ehim"
+"enim"
+"fl16"
+"fl32"
+"fl64"
+"gbd "
+"mAB "
+"mBA "
+"meas"
+"mluc"
+"mpet"
+"para"
+"sf32"
+"sig "
+"smat"
+"tary"
+"tstr"
+"ui32"
+"ui64"
+"ui08"
+"ut16"
+"utf8"
+"zut8"
+"zxml"
+
+# Function operands
+"calc"
+"func"
+"true"
+"ndef"
+"env "
+"in  "
+"out "
+"tget"
+"tput"
+"tsav"
+"curv"
+"mtx "
+"clut"
+"tint"
+"elem"
+"copy"
+"rotl"
+"rotr"
+"posd"
+"flip"
+"pop "
+"solv"
+"tran"
+"sum "
+"prod"
+"min "
+"max "
+"and "
+"or  "
+"pi  "
+"+INF"
+"-INF"
+"NaN "
+"add "
+"sub "
+"mul "
+"dic "
+"mod "
+"pow "
+"gama"
+"sadd"
+"ssub"
+"sdiv"
+"smul"
+"sq  "
+"sqrt"
+"cb  "
+"cbrt"
+"abs "
+"neg "
+"rond"
+"flor"
+"ceil"
+"trnc"
+"sign"
+"exp "
+"log "
+"ln  "
+"sin "
+"cos "
+"tan "
+"asin"
+"acos"
+"atan"
+"atn2"
+"ctop"
+"ptoc"
+"rnum"
+"lt  "
+"le  "
+"eq"
+"near"
+"ge  "
+"gt  "
+"vmin"
+"vmax"
+"vand"
+"vor "
+"tLab"
+"tXYZ"
+"if  "
+"else"
+"sel "
+"case"
+"dflt"
+"cvst"
+"sngf"
+"curf"
+"parf"
+"smaf"
+"clut"
+"eclt"
+"emtx"
+"eobs"
+"xclt"
+"iemx"
+"JtoX"
+"matf"
+"smet"
+"rclt"
+"robs"
+"tint"
+"XtoJ"
+"bACS"
+"eACS"
+"brdf"
+"type"
+"func"
+"nump"
+"xfrm"
+"BPh0"
+"BPh1"
+"CT10"
+"CT20"
+"CT30"
+"CT11"
+"CT21"
+"CT31"
+"War0"
+"War1"
+"La10"
+"La20"
+"La30"
+"La11"
+"La21"
+"La31"
+"name"
+"lcnm"
+"pcs "
+"spec"
+"spcb"
+"spcg"
+"ncol"
+"pinf"
+
+# from oss-fuzz, some duplicates
+# Fuzzing dictionary for icc
+# Extracted from lcms2.h of Little-CMS project 2.8.
+
+magic="acsp"
+sig="lcms"
+
+# Base ICC type definitions
+"chrm"
+"clro"
+"clrt"
+"crdi"
+"curv"
+"data"
+"dict"
+"dtim"
+"devs"
+"mft2"
+"mft1"
+"mAB "
+"mBA "
+"meas"
+"mluc"
+"mpet"
+"ncol"
+"ncl2"
+"para"
+"pseq"
+"psid"
+"rcs2"
+"sf32"
+"scrn"
+"sig "
+"text"
+"desc"
+"uf32"
+"bfd "
+"ui16"
+"ui32"
+"ui64"
+"ui08"
+"vcgt"
+"view"
+"XYZ "
+
+# Base ICC tag definitions
+"A2B0"
+"A2B1"
+"A2B2"
+"bXYZ"
+"bXYZ"
+"bTRC"
+"B2A0"
+"B2A1"
+"B2A2"
+"calt"
+"targ"
+"chad"
+"chrm"
+"clro"
+"clrt"
+"clot"
+"ciis"
+"cprt"
+"crdi"
+"data"
+"dtim"
+"dmnd"
+"dmdd"
+"devs"
+"D2B0"
+"D2B1"
+"D2B2"
+"D2B3"
+"B2D0"
+"B2D1"
+"B2D2"
+"B2D3"
+"gamt"
+"kTRC"
+"gXYZ"
+"gXYZ"
+"gTRC"
+"lumi"
+"meas"
+"bkpt"
+"wtpt"
+"ncol"
+"ncl2"
+"resp"
+"rig0"
+"pre0"
+"pre1"
+"pre2"
+"desc"
+"dscm"
+"pseq"
+"psid"
+"psd0"
+"psd1"
+"psd2"
+"psd3"
+"ps2s"
+"ps2i"
+"rXYZ"
+"rXYZ"
+"rTRC"
+"rig2"
+"scrd"
+"scrn"
+"tech"
+"bfd "
+"vued"
+"view"
+"vcgt"
+"meta"
+"arts"
+
+# ICC Technology tag
+"dcam"
+"fscn"
+"rscn"
+"ijet"
+"twax"
+"epho"
+"esta"
+"dsub"
+"rpho"
+"fprn"
+"vidm"
+"vidc"
+"pjtv"
+"CRT "
+"PMD "
+"AMD "
+"KPCD"
+"imgs"
+"grav"
+"offs"
+"silk"
+"flex"
+"mpfs"
+"mpfr"
+"dmpc"
+"dcpj"
+
+# ICC Color spaces
+"XYZ "
+"Lab "
+"Luv "
+"YCbr"
+"Yxy "
+"RGB "
+"GRAY"
+"HSV "
+"HLS "
+"CMYK"
+"CMY "
+"MCH1"
+"MCH2"
+"MCH3"
+"MCH4"
+"MCH5"
+"MCH6"
+"MCH7"
+"MCH8"
+"MCH9"
+"MCHA"
+"MCHB"
+"MCHC"
+"MCHD"
+"MCHE"
+"MCHF"
+"nmcl"
+"1CLR"
+"2CLR"
+"3CLR"
+"4CLR"
+"5CLR"
+"6CLR"
+"7CLR"
+"8CLR"
+"9CLR"
+"ACLR"
+"BCLR"
+"CCLR"
+"DCLR"
+"ECLR"
+"FCLR"
+"LuvK"
+
+# ICC Profile Class
+"scnr"
+"mntr"
+"prtr"
+"link"
+"abst"
+"spac"
+"nmcl"
+
+# ICC Platforms
+"APPL"
+"MSFT"
+"SUNW"
+"SGI "
+"TGNT"
+"*nix"
+
+# Reference gamut
+"prmg"
+
+# For cmsSigColorimetricIntentImageStateTag
+"scoe"
+"sape"
+"fpce"
+"rhoc"
+"rpoc"
+
+# Multi process elements types
+"cvst"
+"matf"
+"clut"
+"bACS"
+"eACS"
+"l2x "
+"x2l "
+"ncl "
+"2 4 "
+"4 2 "
+"idn "
+"d2l "
+"l2d "
+"d2x "
+"x2d "
+"clp "
+
+# Types of CurveElements
+"parf"
+"samf"
+"curf"
+
+# Used in ResponseCurveType
+"StaA"
+"StaE"
+"StaI"
+"StaT"
+"StaM"
+"DN  "
+"DN P"
+"DNN "
+"DNNP"

dictionaries/iccprofile.dict

@@ -0,0 +1,25 @@
+# Dict for ICC profiles parsed by skcms.
+
+"mft1"
+"mft2"
+"mAB "
+"rXYZ"
+"gXYZ"
+"bXYZ"
+"rTRC"
+"gTRC"
+"bTRC"
+"kTRC"
+"A2B0"
+"curv"
+"para"
+"mluc"
+"XYZ "
+"Lab "
+"RGB "
+"CMYK"
+"GRAY"
+"mntr"
+"scnr"
+"prtr"
+"spac"

dictionaries/icns.dict

@@ -0,0 +1,43 @@
+# https://en.wikipedia.org/wiki/Apple_Icon_Image_format
+
+"ICN#"
+"ICON"
+"TOC "
+"h8mk"
+"ic04"
+"ic05"
+"ic07"
+"ic08"
+"ic09"
+"ic10"
+"ic11"
+"ic12"
+"ic13"
+"ic14"
+"ich#"
+"ich4"
+"ich8"
+"icl4"
+"icl8"
+"icm#"
+"icm4"
+"icm8"
+"icnV"
+"icns"
+"icp4"
+"icp5"
+"icp6"
+"ics#"
+"ics4"
+"ics8"
+"icsB"
+"icsb"
+"ih32"
+"il32"
+"info"
+"is32"
+"it32"
+"l8mk"
+"name"
+"s8mk"
+"t8mk"

dictionaries/initfile.dict

@@ -0,0 +1,688 @@
+#SELECT WORD FROM INFORMATION_SCHEMA.KEYWORDS;
+ACCESSIBLE="ACCESSIBLE"
+ACCOUNT="ACCOUNT"
+ACTION="ACTION"
+ACTIVE="ACTIVE"
+ADD="ADD"
+ADMIN="ADMIN"
+AFTER="AFTER"
+AGAINST="AGAINST"
+AGGREGATE="AGGREGATE"
+ALGORITHM="ALGORITHM"
+ALL="ALL"
+ALTER="ALTER"
+ALWAYS="ALWAYS"
+ANALYZE="ANALYZE"
+AND="AND"
+ANY="ANY"
+AS="AS"
+ASC="ASC"
+ASCII="ASCII"
+ASENSITIVE="ASENSITIVE"
+AT="AT"
+AUTOEXTEND_SIZE="AUTOEXTEND_SIZE"
+AUTO_INCREMENT="AUTO_INCREMENT"
+AVG="AVG"
+AVG_ROW_LENGTH="AVG_ROW_LENGTH"
+BACKUP="BACKUP"
+BEFORE="BEFORE"
+BEGIN="BEGIN"
+BETWEEN="BETWEEN"
+BIGINT="BIGINT"
+BINARY="BINARY"
+BINLOG="BINLOG"
+BIT="BIT"
+BLOB="BLOB"
+BLOCK="BLOCK"
+BOOL="BOOL"
+BOOLEAN="BOOLEAN"
+BOTH="BOTH"
+BTREE="BTREE"
+BUCKETS="BUCKETS"
+BY="BY"
+BYTE="BYTE"
+CACHE="CACHE"
+CALL="CALL"
+CASCADE="CASCADE"
+CASCADED="CASCADED"
+CASE="CASE"
+CATALOG_NAME="CATALOG_NAME"
+CHAIN="CHAIN"
+CHANGE="CHANGE"
+CHANGED="CHANGED"
+CHANNEL="CHANNEL"
+CHAR="CHAR"
+CHARACTER="CHARACTER"
+CHARSET="CHARSET"
+CHECK="CHECK"
+CHECKSUM="CHECKSUM"
+CIPHER="CIPHER"
+CLASS_ORIGIN="CLASS_ORIGIN"
+CLIENT="CLIENT"
+CLONE="CLONE"
+CLOSE="CLOSE"
+COALESCE="COALESCE"
+CODE="CODE"
+COLLATE="COLLATE"
+COLLATION="COLLATION"
+COLUMN="COLUMN"
+COLUMNS="COLUMNS"
+COLUMN_FORMAT="COLUMN_FORMAT"
+COLUMN_NAME="COLUMN_NAME"
+COMMENT="COMMENT"
+COMMIT="COMMIT"
+COMMITTED="COMMITTED"
+COMPACT="COMPACT"
+COMPLETION="COMPLETION"
+COMPONENT="COMPONENT"
+COMPRESSED="COMPRESSED"
+COMPRESSION="COMPRESSION"
+CONCURRENT="CONCURRENT"
+CONDITION="CONDITION"
+CONNECTION="CONNECTION"
+CONSISTENT="CONSISTENT"
+CONSTRAINT="CONSTRAINT"
+CONSTRAINT_CATALOG="CONSTRAINT_CATALOG"
+CONSTRAINT_NAME="CONSTRAINT_NAME"
+CONSTRAINT_SCHEMA="CONSTRAINT_SCHEMA"
+CONTAINS="CONTAINS"
+CONTEXT="CONTEXT"
+CONTINUE="CONTINUE"
+CONVERT="CONVERT"
+CPU="CPU"
+CREATE="CREATE"
+CROSS="CROSS"
+CUBE="CUBE"
+CUME_DIST="CUME_DIST"
+CURRENT="CURRENT"
+CURRENT_DATE="CURRENT_DATE"
+CURRENT_TIME="CURRENT_TIME"
+CURRENT_TIMESTAMP="CURRENT_TIMESTAMP"
+CURRENT_USER="CURRENT_USER"
+CURSOR="CURSOR"
+CURSOR_NAME="CURSOR_NAME"
+DATA="DATA"
+DATABASE="DATABASE"
+DATABASES="DATABASES"
+DATAFILE="DATAFILE"
+DATE="DATE"
+DATETIME="DATETIME"
+DAY="DAY"
+DAY_HOUR="DAY_HOUR"
+DAY_MICROSECOND="DAY_MICROSECOND"
+DAY_MINUTE="DAY_MINUTE"
+DAY_SECOND="DAY_SECOND"
+DEALLOCATE="DEALLOCATE"
+DEC="DEC"
+DECIMAL="DECIMAL"
+DECLARE="DECLARE"
+DEFAULT="DEFAULT"
+DEFAULT_AUTH="DEFAULT_AUTH"
+DEFINER="DEFINER"
+DEFINITION="DEFINITION"
+DELAYED="DELAYED"
+DELAY_KEY_WRITE="DELAY_KEY_WRITE"
+DELETE="DELETE"
+DENSE_RANK="DENSE_RANK"
+DESC="DESC"
+DESCRIBE="DESCRIBE"
+DESCRIPTION="DESCRIPTION"
+DETERMINISTIC="DETERMINISTIC"
+DIAGNOSTICS="DIAGNOSTICS"
+DIRECTORY="DIRECTORY"
+DISABLE="DISABLE"
+DISCARD="DISCARD"
+DISK="DISK"
+DISTINCT="DISTINCT"
+DISTINCTROW="DISTINCTROW"
+DIV="DIV"
+DO="DO"
+DOUBLE="DOUBLE"
+DROP="DROP"
+DUAL="DUAL"
+DUMPFILE="DUMPFILE"
+DUPLICATE="DUPLICATE"
+DYNAMIC="DYNAMIC"
+EACH="EACH"
+ELSE="ELSE"
+ELSEIF="ELSEIF"
+EMPTY="EMPTY"
+ENABLE="ENABLE"
+ENCLOSED="ENCLOSED"
+ENCRYPTION="ENCRYPTION"
+END="END"
+ENDS="ENDS"
+ENFORCED="ENFORCED"
+ENGINE="ENGINE"
+ENGINES="ENGINES"
+ENUM="ENUM"
+ERROR="ERROR"
+ERRORS="ERRORS"
+ESCAPE="ESCAPE"
+ESCAPED="ESCAPED"
+EVENT="EVENT"
+EVENTS="EVENTS"
+EVERY="EVERY"
+EXCEPT="EXCEPT"
+EXCHANGE="EXCHANGE"
+EXCLUDE="EXCLUDE"
+EXECUTE="EXECUTE"
+EXISTS="EXISTS"
+EXIT="EXIT"
+EXPANSION="EXPANSION"
+EXPIRE="EXPIRE"
+EXPLAIN="EXPLAIN"
+EXPORT="EXPORT"
+EXTENDED="EXTENDED"
+EXTENT_SIZE="EXTENT_SIZE"
+FALSE="FALSE"
+FAST="FAST"
+FAULTS="FAULTS"
+FETCH="FETCH"
+FIELDS="FIELDS"
+FILE="FILE"
+FILE_BLOCK_SIZE="FILE_BLOCK_SIZE"
+FILTER="FILTER"
+FIRST="FIRST"
+FIRST_VALUE="FIRST_VALUE"
+FIXED="FIXED"
+FLOAT="FLOAT"
+FLOAT4="FLOAT4"
+FLOAT8="FLOAT8"
+FLUSH="FLUSH"
+FOLLOWING="FOLLOWING"
+FOLLOWS="FOLLOWS"
+FOR="FOR"
+FORCE="FORCE"
+FOREIGN="FOREIGN"
+FORMAT="FORMAT"
+FOUND="FOUND"
+FROM="FROM"
+FULL="FULL"
+FULLTEXT="FULLTEXT"
+FUNCTION="FUNCTION"
+GENERAL="GENERAL"
+GENERATED="GENERATED"
+GEOMCOLLECTION="GEOMCOLLECTION"
+GEOMETRY="GEOMETRY"
+GEOMETRYCOLLECTION="GEOMETRYCOLLECTION"
+GET="GET"
+GET_FORMAT="GET_FORMAT"
+GET_MASTER_PUBLIC_KEY="GET_MASTER_PUBLIC_KEY"
+GLOBAL="GLOBAL"
+GRANT="GRANT"
+GRANTS="GRANTS"
+GROUP="GROUP"
+GROUPING="GROUPING"
+GROUPS="GROUPS"
+GROUP_REPLICATION="GROUP_REPLICATION"
+HANDLER="HANDLER"
+HASH="HASH"
+HAVING="HAVING"
+HELP="HELP"
+HIGH_PRIORITY="HIGH_PRIORITY"
+HISTOGRAM="HISTOGRAM"
+HISTORY="HISTORY"
+HOST="HOST"
+HOSTS="HOSTS"
+HOUR="HOUR"
+HOUR_MICROSECOND="HOUR_MICROSECOND"
+HOUR_MINUTE="HOUR_MINUTE"
+HOUR_SECOND="HOUR_SECOND"
+IDENTIFIED="IDENTIFIED"
+IF="IF"
+IGNORE="IGNORE"
+IGNORE_SERVER_IDS="IGNORE_SERVER_IDS"
+IMPORT="IMPORT"
+IN="IN"
+INACTIVE="INACTIVE"
+INDEX="INDEX"
+INDEXES="INDEXES"
+INFILE="INFILE"
+INITIAL_SIZE="INITIAL_SIZE"
+INNER="INNER"
+INOUT="INOUT"
+INSENSITIVE="INSENSITIVE"
+INSERT="INSERT"
+INSERT_METHOD="INSERT_METHOD"
+INSTALL="INSTALL"
+INSTANCE="INSTANCE"
+INT="INT"
+INT1="INT1"
+INT2="INT2"
+INT3="INT3"
+INT4="INT4"
+INT8="INT8"
+INTEGER="INTEGER"
+INTERVAL="INTERVAL"
+INTO="INTO"
+INVISIBLE="INVISIBLE"
+INVOKER="INVOKER"
+IO="IO"
+IO_AFTER_GTIDS="IO_AFTER_GTIDS"
+IO_BEFORE_GTIDS="IO_BEFORE_GTIDS"
+IO_THREAD="IO_THREAD"
+IPC="IPC"
+IS="IS"
+ISOLATION="ISOLATION"
+ISSUER="ISSUER"
+ITERATE="ITERATE"
+JOIN="JOIN"
+JSON="JSON"
+JSON_TABLE="JSON_TABLE"
+KEY="KEY"
+KEYS="KEYS"
+KEY_BLOCK_SIZE="KEY_BLOCK_SIZE"
+KILL="KILL"
+LAG="LAG"
+LANGUAGE="LANGUAGE"
+LAST="LAST"
+LAST_VALUE="LAST_VALUE"
+LATERAL="LATERAL"
+LEAD="LEAD"
+LEADING="LEADING"
+LEAVE="LEAVE"
+LEAVES="LEAVES"
+LEFT="LEFT"
+LESS="LESS"
+LEVEL="LEVEL"
+LIKE="LIKE"
+LIMIT="LIMIT"
+LINEAR="LINEAR"
+LINES="LINES"
+LINESTRING="LINESTRING"
+LIST="LIST"
+LOAD="LOAD"
+LOCAL="LOCAL"
+LOCALTIME="LOCALTIME"
+LOCALTIMESTAMP="LOCALTIMESTAMP"
+LOCK="LOCK"
+LOCKED="LOCKED"
+LOCKS="LOCKS"
+LOGFILE="LOGFILE"
+LOGS="LOGS"
+LONG="LONG"
+LONGBLOB="LONGBLOB"
+LONGTEXT="LONGTEXT"
+LOOP="LOOP"
+LOW_PRIORITY="LOW_PRIORITY"
+MASTER="MASTER"
+MASTER_AUTO_POSITION="MASTER_AUTO_POSITION"
+MASTER_BIND="MASTER_BIND"
+MASTER_CONNECT_RETRY="MASTER_CONNECT_RETRY"
+MASTER_DELAY="MASTER_DELAY"
+MASTER_HEARTBEAT_PERIOD="MASTER_HEARTBEAT_PERIOD"
+MASTER_HOST="MASTER_HOST"
+MASTER_LOG_FILE="MASTER_LOG_FILE"
+MASTER_LOG_POS="MASTER_LOG_POS"
+MASTER_PASSWORD="MASTER_PASSWORD"
+MASTER_PORT="MASTER_PORT"
+MASTER_PUBLIC_KEY_PATH="MASTER_PUBLIC_KEY_PATH"
+MASTER_RETRY_COUNT="MASTER_RETRY_COUNT"
+MASTER_SERVER_ID="MASTER_SERVER_ID"
+MASTER_SSL="MASTER_SSL"
+MASTER_SSL_CA="MASTER_SSL_CA"
+MASTER_SSL_CAPATH="MASTER_SSL_CAPATH"
+MASTER_SSL_CERT="MASTER_SSL_CERT"
+MASTER_SSL_CIPHER="MASTER_SSL_CIPHER"
+MASTER_SSL_CRL="MASTER_SSL_CRL"
+MASTER_SSL_CRLPATH="MASTER_SSL_CRLPATH"
+MASTER_SSL_KEY="MASTER_SSL_KEY"
+MASTER_SSL_VERIFY_SERVER_CERT="MASTER_SSL_VERIFY_SERVER_CERT"
+MASTER_TLS_VERSION="MASTER_TLS_VERSION"
+MASTER_USER="MASTER_USER"
+MATCH="MATCH"
+MAXVALUE="MAXVALUE"
+MAX_CONNECTIONS_PER_HOUR="MAX_CONNECTIONS_PER_HOUR"
+MAX_QUERIES_PER_HOUR="MAX_QUERIES_PER_HOUR"
+MAX_ROWS="MAX_ROWS"
+MAX_SIZE="MAX_SIZE"
+MAX_UPDATES_PER_HOUR="MAX_UPDATES_PER_HOUR"
+MAX_USER_CONNECTIONS="MAX_USER_CONNECTIONS"
+MEDIUM="MEDIUM"
+MEDIUMBLOB="MEDIUMBLOB"
+MEDIUMINT="MEDIUMINT"
+MEDIUMTEXT="MEDIUMTEXT"
+MEMORY="MEMORY"
+MERGE="MERGE"
+MESSAGE_TEXT="MESSAGE_TEXT"
+MICROSECOND="MICROSECOND"
+MIDDLEINT="MIDDLEINT"
+MIGRATE="MIGRATE"
+MINUTE="MINUTE"
+MINUTE_MICROSECOND="MINUTE_MICROSECOND"
+MINUTE_SECOND="MINUTE_SECOND"
+MIN_ROWS="MIN_ROWS"
+MOD="MOD"
+MODE="MODE"
+MODIFIES="MODIFIES"
+MODIFY="MODIFY"
+MONTH="MONTH"
+MULTILINESTRING="MULTILINESTRING"
+MULTIPOINT="MULTIPOINT"
+MULTIPOLYGON="MULTIPOLYGON"
+MUTEX="MUTEX"
+MYSQL_ERRNO="MYSQL_ERRNO"
+NAME="NAME"
+NAMES="NAMES"
+NATIONAL="NATIONAL"
+NATURAL="NATURAL"
+NCHAR="NCHAR"
+NDB="NDB"
+NDBCLUSTER="NDBCLUSTER"
+NESTED="NESTED"
+NETWORK_NAMESPACE="NETWORK_NAMESPACE"
+NEVER="NEVER"
+NEW="NEW"
+NEXT="NEXT"
+NO="NO"
+NODEGROUP="NODEGROUP"
+NONE="NONE"
+NOT="NOT"
+NOWAIT="NOWAIT"
+NO_WAIT="NO_WAIT"
+NO_WRITE_TO_BINLOG="NO_WRITE_TO_BINLOG"
+NTH_VALUE="NTH_VALUE"
+NTILE="NTILE"
+NULL="NULL"
+NULLS="NULLS"
+NUMBER="NUMBER"
+NUMERIC="NUMERIC"
+NVARCHAR="NVARCHAR"
+OF="OF"
+OFFSET="OFFSET"
+OJ="OJ"
+OLD="OLD"
+ON="ON"
+ONE="ONE"
+ONLY="ONLY"
+OPEN="OPEN"
+OPTIMIZE="OPTIMIZE"
+OPTIMIZER_COSTS="OPTIMIZER_COSTS"
+OPTION="OPTION"
+OPTIONAL="OPTIONAL"
+OPTIONALLY="OPTIONALLY"
+OPTIONS="OPTIONS"
+OR="OR"
+ORDER="ORDER"
+ORDINALITY="ORDINALITY"
+ORGANIZATION="ORGANIZATION"
+OTHERS="OTHERS"
+OUT="OUT"
+OUTER="OUTER"
+OUTFILE="OUTFILE"
+OVER="OVER"
+OWNER="OWNER"
+PACK_KEYS="PACK_KEYS"
+PAGE="PAGE"
+PARSER="PARSER"
+PARTIAL="PARTIAL"
+PARTITION="PARTITION"
+PARTITIONING="PARTITIONING"
+PARTITIONS="PARTITIONS"
+PASSWORD="PASSWORD"
+PATH="PATH"
+PERCENT_RANK="PERCENT_RANK"
+PERSIST="PERSIST"
+PERSIST_ONLY="PERSIST_ONLY"
+PHASE="PHASE"
+PLUGIN="PLUGIN"
+PLUGINS="PLUGINS"
+PLUGIN_DIR="PLUGIN_DIR"
+POINT="POINT"
+POLYGON="POLYGON"
+PORT="PORT"
+PRECEDES="PRECEDES"
+PRECEDING="PRECEDING"
+PRECISION="PRECISION"
+PREPARE="PREPARE"
+PRESERVE="PRESERVE"
+PREV="PREV"
+PRIMARY="PRIMARY"
+PRIVILEGES="PRIVILEGES"
+PROCEDURE="PROCEDURE"
+PROCESS="PROCESS"
+PROCESSLIST="PROCESSLIST"
+PROFILE="PROFILE"
+PROFILES="PROFILES"
+PROXY="PROXY"
+PURGE="PURGE"
+QUARTER="QUARTER"
+QUERY="QUERY"
+QUICK="QUICK"
+RANGE="RANGE"
+RANK="RANK"
+READ="READ"
+READS="READS"
+READ_ONLY="READ_ONLY"
+READ_WRITE="READ_WRITE"
+REAL="REAL"
+REBUILD="REBUILD"
+RECOVER="RECOVER"
+RECURSIVE="RECURSIVE"
+REDO_BUFFER_SIZE="REDO_BUFFER_SIZE"
+REDUNDANT="REDUNDANT"
+REFERENCE="REFERENCE"
+REFERENCES="REFERENCES"
+REGEXP="REGEXP"
+RELAY="RELAY"
+RELAYLOG="RELAYLOG"
+RELAY_LOG_FILE="RELAY_LOG_FILE"
+RELAY_LOG_POS="RELAY_LOG_POS"
+RELAY_THREAD="RELAY_THREAD"
+RELEASE="RELEASE"
+RELOAD="RELOAD"
+REMOVE="REMOVE"
+RENAME="RENAME"
+REORGANIZE="REORGANIZE"
+REPAIR="REPAIR"
+REPEAT="REPEAT"
+REPEATABLE="REPEATABLE"
+REPLACE="REPLACE"
+REPLICATE_DO_DB="REPLICATE_DO_DB"
+REPLICATE_DO_TABLE="REPLICATE_DO_TABLE"
+REPLICATE_IGNORE_DB="REPLICATE_IGNORE_DB"
+REPLICATE_IGNORE_TABLE="REPLICATE_IGNORE_TABLE"
+REPLICATE_REWRITE_DB="REPLICATE_REWRITE_DB"
+REPLICATE_WILD_DO_TABLE="REPLICATE_WILD_DO_TABLE"
+REPLICATE_WILD_IGNORE_TABLE="REPLICATE_WILD_IGNORE_TABLE"
+REPLICATION="REPLICATION"
+REQUIRE="REQUIRE"
+RESET="RESET"
+RESIGNAL="RESIGNAL"
+RESOURCE="RESOURCE"
+RESPECT="RESPECT"
+RESTART="RESTART"
+RESTORE="RESTORE"
+RESTRICT="RESTRICT"
+RESUME="RESUME"
+RETAIN="RETAIN"
+RETURN="RETURN"
+RETURNED_SQLSTATE="RETURNED_SQLSTATE"
+RETURNS="RETURNS"
+REUSE="REUSE"
+REVERSE="REVERSE"
+REVOKE="REVOKE"
+RIGHT="RIGHT"
+RLIKE="RLIKE"
+ROLE="ROLE"
+ROLLBACK="ROLLBACK"
+ROLLUP="ROLLUP"
+ROTATE="ROTATE"
+ROUTINE="ROUTINE"
+ROW="ROW"
+ROWS="ROWS"
+ROW_COUNT="ROW_COUNT"
+ROW_FORMAT="ROW_FORMAT"
+ROW_NUMBER="ROW_NUMBER"
+RTREE="RTREE"
+SAVEPOINT="SAVEPOINT"
+SCHEDULE="SCHEDULE"
+SCHEMA="SCHEMA"
+SCHEMAS="SCHEMAS"
+SCHEMA_NAME="SCHEMA_NAME"
+SECOND="SECOND"
+SECONDARY="SECONDARY"
+SECONDARY_ENGINE="SECONDARY_ENGINE"
+SECONDARY_LOAD="SECONDARY_LOAD"
+SECONDARY_UNLOAD="SECONDARY_UNLOAD"
+SECOND_MICROSECOND="SECOND_MICROSECOND"
+SECURITY="SECURITY"
+SELECT="SELECT"
+SENSITIVE="SENSITIVE"
+SEPARATOR="SEPARATOR"
+SERIAL="SERIAL"
+SERIALIZABLE="SERIALIZABLE"
+SERVER="SERVER"
+SESSION="SESSION"
+SET="SET"
+SHARE="SHARE"
+SHOW="SHOW"
+SHUTDOWN="SHUTDOWN"
+SIGNAL="SIGNAL"
+SIGNED="SIGNED"
+SIMPLE="SIMPLE"
+SKIP="SKIP"
+SLAVE="SLAVE"
+SLOW="SLOW"
+SMALLINT="SMALLINT"
+SNAPSHOT="SNAPSHOT"
+SOCKET="SOCKET"
+SOME="SOME"
+SONAME="SONAME"
+SOUNDS="SOUNDS"
+SOURCE="SOURCE"
+SPATIAL="SPATIAL"
+SPECIFIC="SPECIFIC"
+SQL="SQL"
+SQLEXCEPTION="SQLEXCEPTION"
+SQLSTATE="SQLSTATE"
+SQLWARNING="SQLWARNING"
+SQL_AFTER_GTIDS="SQL_AFTER_GTIDS"
+SQL_AFTER_MTS_GAPS="SQL_AFTER_MTS_GAPS"
+SQL_BEFORE_GTIDS="SQL_BEFORE_GTIDS"
+SQL_BIG_RESULT="SQL_BIG_RESULT"
+SQL_BUFFER_RESULT="SQL_BUFFER_RESULT"
+SQL_CALC_FOUND_ROWS="SQL_CALC_FOUND_ROWS"
+SQL_NO_CACHE="SQL_NO_CACHE"
+SQL_SMALL_RESULT="SQL_SMALL_RESULT"
+SQL_THREAD="SQL_THREAD"
+SQL_TSI_DAY="SQL_TSI_DAY"
+SQL_TSI_HOUR="SQL_TSI_HOUR"
+SQL_TSI_MINUTE="SQL_TSI_MINUTE"
+SQL_TSI_MONTH="SQL_TSI_MONTH"
+SQL_TSI_QUARTER="SQL_TSI_QUARTER"
+SQL_TSI_SECOND="SQL_TSI_SECOND"
+SQL_TSI_WEEK="SQL_TSI_WEEK"
+SQL_TSI_YEAR="SQL_TSI_YEAR"
+SRID="SRID"
+SSL="SSL"
+STACKED="STACKED"
+START="START"
+STARTING="STARTING"
+STARTS="STARTS"
+STATS_AUTO_RECALC="STATS_AUTO_RECALC"
+STATS_PERSISTENT="STATS_PERSISTENT"
+STATS_SAMPLE_PAGES="STATS_SAMPLE_PAGES"
+STATUS="STATUS"
+STOP="STOP"
+STORAGE="STORAGE"
+STORED="STORED"
+STRAIGHT_JOIN="STRAIGHT_JOIN"
+STRING="STRING"
+SUBCLASS_ORIGIN="SUBCLASS_ORIGIN"
+SUBJECT="SUBJECT"
+SUBPARTITION="SUBPARTITION"
+SUBPARTITIONS="SUBPARTITIONS"
+SUPER="SUPER"
+SUSPEND="SUSPEND"
+SWAPS="SWAPS"
+SWITCHES="SWITCHES"
+SYSTEM="SYSTEM"
+TABLE="TABLE"
+TABLES="TABLES"
+TABLESPACE="TABLESPACE"
+TABLE_CHECKSUM="TABLE_CHECKSUM"
+TABLE_NAME="TABLE_NAME"
+TEMPORARY="TEMPORARY"
+TEMPTABLE="TEMPTABLE"
+TERMINATED="TERMINATED"
+TEXT="TEXT"
+THAN="THAN"
+THEN="THEN"
+THREAD_PRIORITY="THREAD_PRIORITY"
+TIES="TIES"
+TIME="TIME"
+TIMESTAMP="TIMESTAMP"
+TIMESTAMPADD="TIMESTAMPADD"
+TIMESTAMPDIFF="TIMESTAMPDIFF"
+TINYBLOB="TINYBLOB"
+TINYINT="TINYINT"
+TINYTEXT="TINYTEXT"
+TO="TO"
+TRAILING="TRAILING"
+TRANSACTION="TRANSACTION"
+TRIGGER="TRIGGER"
+TRIGGERS="TRIGGERS"
+TRUE="TRUE"
+TRUNCATE="TRUNCATE"
+TYPE="TYPE"
+TYPES="TYPES"
+UNBOUNDED="UNBOUNDED"
+UNCOMMITTED="UNCOMMITTED"
+UNDEFINED="UNDEFINED"
+UNDO="UNDO"
+UNDOFILE="UNDOFILE"
+UNDO_BUFFER_SIZE="UNDO_BUFFER_SIZE"
+UNICODE="UNICODE"
+UNINSTALL="UNINSTALL"
+UNION="UNION"
+UNIQUE="UNIQUE"
+UNKNOWN="UNKNOWN"
+UNLOCK="UNLOCK"
+UNSIGNED="UNSIGNED"
+UNTIL="UNTIL"
+UPDATE="UPDATE"
+UPGRADE="UPGRADE"
+USAGE="USAGE"
+USE="USE"
+USER="USER"
+USER_RESOURCES="USER_RESOURCES"
+USE_FRM="USE_FRM"
+USING="USING"
+UTC_DATE="UTC_DATE"
+UTC_TIME="UTC_TIME"
+UTC_TIMESTAMP="UTC_TIMESTAMP"
+VALIDATION="VALIDATION"
+VALUE="VALUE"
+VALUES="VALUES"
+VARBINARY="VARBINARY"
+VARCHAR="VARCHAR"
+VARCHARACTER="VARCHARACTER"
+VARIABLES="VARIABLES"
+VARYING="VARYING"
+VCPU="VCPU"
+VIEW="VIEW"
+VIRTUAL="VIRTUAL"
+VISIBLE="VISIBLE"
+WAIT="WAIT"
+WARNINGS="WARNINGS"
+WEEK="WEEK"
+WEIGHT_STRING="WEIGHT_STRING"
+WHEN="WHEN"
+WHERE="WHERE"
+WHILE="WHILE"
+WINDOW="WINDOW"
+WITH="WITH"
+WITHOUT="WITHOUT"
+WORK="WORK"
+WRAPPER="WRAPPER"
+WRITE="WRITE"
+X509="X509"
+XA="XA"
+XID="XID"
+XML="XML"
+XOR="XOR"
+YEAR="YEAR"
+YEAR_MONTH="YEAR_MONTH"
+ZEROFILL="ZEROFILL"

dictionaries/jbig2.dict

@@ -0,0 +1,98 @@
+# AFL dictionary for jbig2 images
+# by Sebastian Rasmussen <sebras@gmail.com>
+
+id_string="\x97\x4a\x42\x32\x0d\x0a\x1a\x0a"
+
+# segments
+
+noretain_allpages_symbol_dictionary="\x00"
+noretain_allpages_intermediate_text_region="\x04"
+noretain_allpages_immediate_text_region="\x06"
+noretain_allpages_immediate_lossless_text_region="\x07"
+noretain_allpages_pattern_dictionary="\x10"
+noretain_allpages_intermediate_halftone_region="\x14"
+noretain_allpages_immediate_halftone_region="\x16"
+noretain_allpages_immediate_lossless_halftone_region="\x17"
+noretain_allpages_intermediate_generic_region="\x24"
+noretain_allpages_immediate_generic_region="\x26"
+noretain_allpages_immediate_lossless_generic_region="\x27"
+noretain_allpages_intermediate_generic_refinement_region="\x28"
+noretain_allpages_immediate_generic_refinement_region="\x2a"
+noretain_allpages_immediate_lossless_generic_refinement_region="\x2b"
+noretain_allpages_page_information="\x30"
+noretain_allpages_end_of_page="\x31"
+noretain_allpages_end_of_stripe="\x32"
+noretain_allpages_end_of_file="\x33"
+noretain_allpages_profiles="\x34"
+noretain_allpages_tables="\x35"
+noretain_allpages_color_palette="\x36"
+noretain_allpages_extension="\x3e"
+
+noretain_specificpage_symbol_dictionary="\x40"
+noretain_specificpage_intermediate_text_region="\x44"
+noretain_specificpage_immediate_text_region="\x46"
+noretain_specificpage_immediate_lossless_text_region="\x47"
+noretain_specificpage_pattern_dictionary="\x50"
+noretain_specificpage_intermediate_halftone_region="\x54"
+noretain_specificpage_immediate_halftone_region="\x56"
+noretain_specificpage_immediate_lossless_halftone_region="\x57"
+noretain_specificpage_intermediate_generic_region="\x64"
+noretain_specificpage_immediate_generic_region="\x66"
+noretain_specificpage_immediate_lossless_generic_region="\x67"
+noretain_specificpage_intermediate_generic_refinement_region="\x68"
+noretain_specificpage_immediate_generic_refinement_region="\x6a"
+noretain_specificpage_immediate_lossless_generic_refinement_regio6="\x6b"
+noretain_specificpage_page_information="\x70"
+noretain_specificpage_end_of_page="\x71"
+noretain_specificpage_end_of_stripe="\x72"
+noretain_specificpage_end_of_file="\x73"
+noretain_specificpage_profiles="\x74"
+noretain_specificpage_tables="\x75"
+noretain_specificpage_color_palette="\x76"
+noretain_specificpage_extension="\x7e"
+
+retain_allpages_symbol_dictionary="\x80"
+retain_allpages_intermediate_text_region="\x84"
+retain_allpages_immediate_text_region="\x86"
+retain_allpages_immediate_lossless_text_region="\x87"
+retain_allpages_pattern_dictionary="\x90"
+retain_allpages_intermediate_halftone_region="\x94"
+retain_allpages_immediate_halftone_region="\x96"
+retain_allpages_immediate_lossless_halftone_region="\x97"
+retain_allpages_intermediate_generic_region="\xa4"
+retain_allpages_immediate_generic_region="\xa6"
+retain_allpages_immediate_lossless_generic_region="\xa7"
+retain_allpages_intermediate_generic_refinement_region="\xa8"
+retain_allpages_immediate_generic_refinement_region="\xaa"
+retain_allpages_immediate_lossless_generic_refinement_regio6="\xab"
+retain_allpages_page_information="\xb0"
+retain_allpages_end_of_page="\xb1"
+retain_allpages_end_of_stripe="\xb2"
+retain_allpages_end_of_file="\xb3"
+retain_allpages_profiles="\xb4"
+retain_allpages_tables="\xb5"
+retain_allpages_color_palette="\xb6"
+retain_allpages_extension="\xbe"
+
+retain_specificpage_symbol_dictionary="\xc0"
+retain_specificpage_intermediate_text_region="\xc4"
+retain_specificpage_immediate_text_region="\xc6"
+retain_specificpage_immediate_lossless_text_region="\xc7"
+retain_specificpage_pattern_dictionary="\xd0"
+retain_specificpage_intermediate_halftone_region="\xd4"
+retain_specificpage_immediate_halftone_region="\xd6"
+retain_specificpage_immediate_lossless_halftone_region="\xd7"
+retain_specificpage_intermediate_generic_region="\xe4"
+retain_specificpage_immediate_generic_region="\xe6"
+retain_specificpage_immediate_lossless_generic_region="\xe7"
+retain_specificpage_intermediate_generic_refinement_region="\xe8"
+retain_specificpage_immediate_generic_refinement_region="\xea"
+retain_specificpage_immediate_lossless_generic_refinement_regio6="\xeb"
+retain_specificpage_page_information="\xf0"
+retain_specificpage_end_of_page="\xf1"
+retain_specificpage_end_of_stripe="\xf2"
+retain_specificpage_end_of_file="\xf3"
+retain_specificpage_profiles="\xf4"
+retain_specificpage_tables="\xf5"
+retain_specificpage_color_palette="\xf6"
+retain_specificpage_extension="\xfe"

dictionaries/jpeg.dict

@@ -2,7 +2,7 @@
 # AFL dictionary for JPEG images
 # ------------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 header_jfif="JFIF\x00"

dictionaries/jpeg2000.dict

@@ -0,0 +1,22 @@
+type="jP  "
+ftyp="ftyp"
+subtype1="jp2 "
+subtype2="jp20"
+subtype3="jpm "
+subtype4="jpx "
+subtype5="jp2h"
+subtype6="jpxb"
+subtype7="mjp2"
+subtype8="mj2s"
+subtype9="jp2c"
+subtype10="jpch"
+subtype11="jplh"
+codestream="\xFF\x4F\xFF\x51"
+signature="\x0d\x0a\x87\x0a"
+tag1="hdr"
+tag2="colr"
+tag3="url"
+tag4="req"
+tag5="res"
+tag6="page"
+tag7="obj"

dictionaries/js.dict

@@ -4,7 +4,7 @@
 #
 # Contains basic reserved keywords and syntax building blocks.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #
 
 keyword_arguments="arguments"

dictionaries/json.dict

@@ -50,3 +50,12 @@
 "\"\":0"
 "//"
 "/**/"
+
+"$ref"
+"type"
+"coordinates"
+"@context"
+"@id"
+
+","
+":"

dictionaries/jsonnet.dict

@@ -0,0 +1,60 @@
+# https://jsonnet.org/ref/spec.html
+
+# Keywords
+"assert"
+"else"
+"error"
+"false"
+"for"
+"function"
+"if"
+"import"
+"importstr"
+"in"
+"local"
+"null"
+"self"
+"super"
+"tailstrict"
+"then"
+"true"
+"super"
+"local"
+
+# operators
+"|||"
+"@\""
+"@'"
+"!="
+"=="
+"[::]"
+"+:::"
+
+# functions
+"std.acos("
+"std.asin("
+"std.atan("
+"std.ceil("
+"std.char("
+"std.codepoint("
+"std.cos("
+"std.equals("
+"std.exp("
+"std.exponent("
+"std.floor("
+"std.join("
+"std.length("
+"std.log("
+"std.makeArray("
+"std.mantissa("
+"std.mod"
+"std.modulo("
+"std.objectFiledsEx("
+"std.objectsHasEx("
+"std.pow("
+"std.primitiveEquals("
+"std.sin("
+"std.slice("
+"std.sqrt("
+"std.tan("
+"std.type("

dictionaries/markdown.dict

@@ -0,0 +1,28 @@
+strike="~~"
+list="2."
+link="[a]("
+link_without_ref="[a]["
+image="![b]("
+bold="**"
+separator="---"
+title="# "
+fence="```"
+link_bottom="[a]:"
+link_inline="<http://"
+link_bottom_title="[1]: http://a.com"
+checklist="- [x"
+toc="[TOC]"
+highlight_rst=":::python"
+
+
+# GFM - https://github.github.com/gfm/
+"| ---"
+leaf1="***"
+leaf2="___"
+code_hl="```html"
+task="- [ ]"
+
+
+# Extended syntax: https://www.markdownguide.org/extended-syntax/
+footnote="[^a]"
+title_id="#a {#b}"

dictionaries/math.dict

@@ -0,0 +1,20 @@
+"{"
+"}"
+","
+"["
+"]"
+","
+":"
+"e"
+"e+"
+"e-"
+"E"
+"E+"
+"E-"
+"\""
+"\\"
+" "
+"null"
+"1"
+"1.234"
+"3e4"

dictionaries/mathml.dict

@@ -0,0 +1,279 @@
+#https://developer.mozilla.org/en-US/docs/Web/MathML/Element
+# https://www.w3.org/TR/MathML3/chapter4.html
+
+header="<math xmlns='http://www.w3.org/1998/Math/MathML'>"
+
+# presentation mathml
+"<annotation-xml>"
+"<annotation>"
+"<apply>"
+"<maction>"
+"<maligngroup>"
+"<malignmark>"
+"<math>"
+"<menclose>"
+"<merror>"
+"<mfenced> "
+"<mfrac>"
+"<mglyph>"
+"<mi>"
+"<mlabeledtr>"
+"<mlongdiv>"
+"<mmultiscripts>"
+"<mn>"
+"<mo>"
+"<mover>"
+"<mpadded>"
+"<mphantom>"
+"<mprescripts>"
+"<mroot>"
+"<mrow>"
+"<ms>"
+"<mscarries>"
+"<mscarry>"
+"<msgroup>"
+"<msline>"
+"<mspace>"
+"<msqrt>"
+"<msrow>"
+"<mstack>"
+"<mstyle>"
+"<msub>"
+"<msubsup>"
+"<msup>"
+"<mtable>"
+"<mtd>"
+"<mtext>"
+"<mtr>"
+"<munder>"
+"<munderover>"
+"<none>"
+"<semantics>"
+
+# attributes
+"accent"
+"accentunder"
+"actiontype"
+"align"
+"alignmentscope"
+"altimg"
+"altimg-height"
+"alttext"
+"bevelled"
+"charalign"
+"close"
+"columnalign"
+"columnlines"
+"columnspacing"
+"columnspan"
+"columnwidth"
+"crossout"
+"decimalpoint"
+"denomalign"
+"depth"
+"dir"
+"display"
+"displaystyle"
+"edge"
+"equalcolumns"
+"equalrows"
+"fence"
+"form"
+"frame"
+"framespacing"
+"groupalign"
+"height"
+"href"
+"id"
+"indentalign"
+"indentalignfirst"
+"indentalignlast"
+"indentshift"
+"indentshiftfirst"
+"indentshiftlast"
+"indenttarget"
+"infixlinebreakstyle"
+"largeop"
+"length"
+"linebreak"
+"linebreakmultchar"
+"linebreakstyle"
+"lineleading"
+"linethickness"
+"location"
+"longdivstyle"
+"lquote"
+"lspace"
+"mathbackground"
+"mathcolor"
+"mathsize"
+"mathvariant"
+"maxsize"
+"minlabelspacing"
+"minsize"
+"movablelimits"
+"notation"
+"numalign"
+"open"
+"overflow"
+"position"
+"rowalign"
+"rowlines"
+"rowspacing"
+"rowspan"
+"rquote"
+"rspace"
+"scriptlevel"
+"scriptminsize"
+"scriptsizemultiplier"
+"selection"
+"separator"
+"separators"
+"shift"
+"side"
+"src"
+"stackalign"
+"stretchy"
+"subscriptshift"
+"supscriptshift"
+"symmetric"
+"voffset"
+"width"
+"xlink:href"
+"xmlns"
+
+# content mathml
+"<interval>"
+"<inverse>"
+"<lambda>"
+"<compose/>"
+"<ident/>"
+"<domain/>"
+"<codomain/>"
+"<image/>"
+"<piecewise>"
+"<piece>"
+"<otherwise>"
+"<quotient/>"
+"<factorial/>"
+"<divide/>"
+"<max/>"
+"<min/>"
+"<minus/>"
+"<plus/>"
+"<power/>"
+"<rem/>"
+"<times/>"
+"<root/>"
+"<gcd/>"
+"<and/>"
+"<or/>"
+"<xor/>"
+"<not/>"
+"<implies/>"
+"<forall/>"
+"<exists/>"
+"<abs/>"
+"<conjugate/>"
+"<arg/>"
+"<real/>"
+"<imaginary/>"
+"<lcm/>"
+"<floor/>"
+"<ceiling/>"
+"Relations"
+"<eq/>"
+"<neq/>"
+"<gt/>"
+"<lt/>"
+"<geq/>"
+"<leq/>"
+"<equivalent/>"
+"<approx/>"
+"<factorof/>"
+"<int/>"
+"<diff/>"
+"<partialdiff/>"
+"<divergence/>"
+"<grad/>"
+"<curl/>"
+"<laplacian/>"
+"<set>"
+"<list>"
+"<union/>"
+"<intersect/>"
+"<in/>"
+"<notin/>"
+"<subset/>"
+"<prsubset/>"
+"<notsubset/>"
+"<notprsubset/>"
+"<setdiff/>"
+"<card/>"
+"<cartesianproduct/>"
+"<sum/>"
+"<product/>"
+"<limit/>"
+"<tendsto/>"
+"<sin/>"
+"<cos/>"
+"<tan/>"
+"<sec/>"
+"<csc/>"
+"<cot/>"
+"<arcsin/>"
+"<arccos/>"
+"<arctan/>"
+"<arcsec/>"
+"<arccsc/>"
+"<arccot/>"
+"<sinh/>"
+"<cosh/>"
+"<tanh/>"
+"<sech/>"
+"<csch/>"
+"<coth/>"
+"<arcsinh/>"
+"<arccosh/>"
+"<arctanh/>"
+"<arcsech/>"
+"<arccsch/>"
+"<arccoth/>"
+"<exp/>"
+"<ln/>"
+"<log/>"
+"<logbase>"
+"<mean/>"
+"<sdev/>"
+"<variance/>"
+"<median/>"
+"<mode/>"
+"<moment/>"
+"<momentabout>"
+"<vector>"
+"<matrix>"
+"<matrixrow>"
+"<determinant/>"
+"<transpose/>"
+"<selector/>"
+"<vectorproduct/>"
+"<scalarproduct/>"
+"<outerproduct/>"
+"<integers/>"
+"<reals/>"
+"<rationals/>"
+"<naturalnumbers/>"
+"<complexes/>"
+"<primes/>"
+"<exponentiale/>"
+"<imaginaryi/>"
+"<notanumber/>"
+"<true/>"
+"<false/>"
+"<emptyset/>"
+"<pi/>"
+"<eulergamma/>"
+"<infinity/>"
+"<declare>"
+"<reln>"
+"<fn>"

dictionaries/mp4.dict

@@ -0,0 +1,82 @@
+# Taken from https://chromium.googlesource.com/chromium/src/+/master/media/test/mp4.dict
+
+FOURCC_NULL="\x00\x00\x00\x00"
+FOURCC_AC3 ="\x61\x63\x2d\x33"
+FOURCC_EAC3="\x65\x63\x2d\x33"
+FOURCC_AVC1="\x61\x76\x63\x31"
+FOURCC_AVC3="\x61\x76\x63\x33"
+FOURCC_AVCC="\x61\x76\x63\x43"
+FOURCC_BLOC="\x62\x6C\x6F\x63"
+FOURCC_CENC="\x63\x65\x6e\x63"
+FOURCC_CO64="\x63\x6f\x36\x34"
+FOURCC_CTTS="\x63\x74\x74\x73"
+FOURCC_DINF="\x64\x69\x6e\x66"
+FOURCC_EDTS="\x65\x64\x74\x73"
+FOURCC_EMSG="\x65\x6d\x73\x67"
+FOURCC_ELST="\x65\x6c\x73\x74"
+FOURCC_ENCA="\x65\x6e\x63\x61"
+FOURCC_ENCV="\x65\x6e\x63\x76"
+FOURCC_ESDS="\x65\x73\x64\x73"
+FOURCC_FREE="\x66\x72\x65\x65"
+FOURCC_FRMA="\x66\x72\x6d\x61"
+FOURCC_FTYP="\x66\x74\x79\x70"
+FOURCC_HDLR="\x68\x64\x6c\x72"
+FOURCC_HINT="\x68\x69\x6e\x74"
+FOURCC_HVC1="\x68\x76\x63\x31"
+FOURCC_HVCC="\x68\x76\x63\x43"
+FOURCC_IODS="\x69\x6f\x64\x73"
+FOURCC_MDAT="\x6d\x64\x61\x74"
+FOURCC_MDHD="\x6d\x64\x68\x64"
+FOURCC_MDIA="\x6d\x64\x69\x61"
+FOURCC_MECO="\x6d\x65\x63\x6f"
+FOURCC_MEHD="\x6d\x65\x68\x64"
+FOURCC_META="\x6d\x65\x74\x61"
+FOURCC_MFHD="\x6d\x66\x68\x64"
+FOURCC_MFRA="\x6d\x66\x72\x61"
+FOURCC_MINF="\x6d\x69\x6e\x66"
+FOURCC_MOOF="\x6d\x6f\x6f\x66"
+FOURCC_MOOV="\x6d\x6f\x6f\x76"
+FOURCC_MP4A="\x6d\x70\x34\x61"
+FOURCC_MP4V="\x6d\x70\x34\x76"
+FOURCC_MVEX="\x6d\x76\x65\x78"
+FOURCC_MVHD="\x6d\x76\x68\x64"
+FOURCC_PASP="\x70\x61\x73\x70"
+FOURCC_PDIN="\x70\x64\x69\x6e"
+FOURCC_PRFT="\x70\x72\x66\x74"
+FOURCC_PSSH="\x70\x73\x73\x68"
+FOURCC_SAIO="\x73\x61\x69\x6f"
+FOURCC_SAIZ="\x73\x61\x69\x7a"
+FOURCC_SBGP="\x73\x62\x67\x70"
+FOURCC_SCHI="\x73\x63\x68\x69"
+FOURCC_SCHM="\x73\x63\x68\x6d"
+FOURCC_SDTP="\x73\x64\x74\x70"
+FOURCC_SEIG="\x73\x65\x69\x67"
+FOURCC_SENC="\x73\x65\x6e\x63"
+FOURCC_SGPD="\x73\x67\x70\x64"
+FOURCC_SIDX="\x73\x69\x64\x78"
+FOURCC_SINF="\x73\x69\x6e\x66"
+FOURCC_SKIP="\x73\x6b\x69\x70"
+FOURCC_SMHD="\x73\x6d\x68\x64"
+FOURCC_SOUN="\x73\x6f\x75\x6e"
+FOURCC_SSIX="\x73\x73\x69\x78"
+FOURCC_STBL="\x73\x74\x62\x6c"
+FOURCC_STCO="\x73\x74\x63\x6f"
+FOURCC_STSC="\x73\x74\x73\x63"
+FOURCC_STSD="\x73\x74\x73\x64"
+FOURCC_STSS="\x73\x74\x73\x73"
+FOURCC_STSZ="\x73\x74\x73\x7a"
+FOURCC_STTS="\x73\x74\x74\x73"
+FOURCC_STYP="\x73\x74\x79\x70"
+FOURCC_TENC="\x74\x65\x6e\x63"
+FOURCC_TFDT="\x74\x66\x64\x74"
+FOURCC_TFHD="\x74\x66\x68\x64"
+FOURCC_TKHD="\x74\x6b\x68\x64"
+FOURCC_TRAF="\x74\x72\x61\x66"
+FOURCC_TRAK="\x74\x72\x61\x6b"
+FOURCC_TREX="\x74\x72\x65\x78"
+FOURCC_TRUN="\x74\x72\x75\x6e"
+FOURCC_UDTA="\x75\x64\x74\x61"
+FOURCC_UUID="\x75\x75\x69\x64"
+FOURCC_VIDE="\x76\x69\x64\x65"
+FOURCC_VMHD="\x76\x6d\x68\x64"
+FOURCC_WIDE="\x77\x69\x64\x65"

dictionaries/mysqld.dict

@@ -0,0 +1 @@
+user="root"

dictionaries/ogg.dict

@@ -0,0 +1,36 @@
+# https://xiph.org/vorbis/doc/Vorbis_I_spec.html
+
+header="OggS"
+
+# Codecs
+"BBCD\x00"
+"\x7fFLAC"
+"\x80theora"
+"\x01vorbis"
+"CELT    "
+"CMML\x00\x00\x00\x00"
+"\x8bJNG\x0d\x0a\x1a\x0a"
+"\x80kate\x00\x00\x00"
+"OggMIDI\x00"
+"\x8aMNG\x0d\x0a\x1a\x0a"
+"PCM     "
+"\x89PNG\x0d\x0a\x1a\x0a"
+"Speex   "
+"YUV4MPEG"
+
+# Metadata
+"TITLE="
+"VERSION="
+"ALBUM="
+"TRACKNUMBER="
+"ARTIST="
+"PERFORMER="
+"COPYRIGHT="
+"LICENSE="
+"ORGANIZATION="
+"DESCRIPTION="
+"GENRE="
+"DATE="
+"LOCATION="
+"CONTACT="
+"ISRC="

dictionaries/openexr.dict

@@ -0,0 +1,57 @@
+# specs:
+#  - https://www.openexr.com/documentation/openexrfilelayout.pdf
+#  - https://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/OpenEXR.html
+
+lay="_lay"
+ver="_ver"
+adoptNeutral="AdoptNeutral"
+altitude="altitude"
+aperture="aperture"
+box2f="box2f"
+box2i="box2i"
+capdate="capDate"
+channels="channels"
+chlist="chlist"
+chromaticities="chromaticities"
+comments="comments"
+compression="compression"
+dataWindow="dataWindow"
+displayWindow="displayWindow"
+double="double"
+envmap="envmap"
+expTime="expTime"
+focus="focus"
+framesPerSecond="framesPerSecond"
+float="float"
+header="\x76\x2F\x31\x01"
+int="int"
+isoSpeed="isoSpeed"
+keycode="keyCode"
+latitude="latitude"
+lineOrder="lineOrder"
+longitude="longitude"
+lookModTransform="lookModTransform"
+m33f="m33f"
+m44f="m44f"
+owner="owner"
+pixelAspectRatio="pixelAspectRatio"
+preview="preview"
+renderingTransform="renderingTransform"
+rational="rational"
+screenWindowCenter="screenWindowCenter"
+screenWindowWidth="screenWindowWidth"
+string="string"
+stringvector="stringvector"
+tiles="tiles"
+tiledesc="tileDesc"
+timecode="timeCode"
+utcOffset="itcOffset"
+whiteLuminance="whiteLuminance"
+worldToCamera="worldToCamera"
+worldToNDC="worldToNDC"
+v2f="v2f"
+v2i="v2i"
+v3f="v3f"
+v3i="v3i"
+wrapmodes="wrapmodes"
+xDensity="xDensity"

dictionaries/otf.dict

@@ -0,0 +1,963 @@
+# https://docs.microsoft.com/en-us/typography/opentype/spec/
+
+# magic
+"ttcf"
+
+# feature tags
+"aalt"
+"abvf"
+"abvm"
+"abvs"
+"afrc"
+"akhn"
+"blwf"
+"blwm"
+"blws"
+"calt"
+"case"
+"ccmp"
+"cfar"
+"cjct"
+"clig"
+"cpct"
+"cpsp"
+"cswh"
+"curs"
+"cv01"
+"c2pc"
+"c2sc"
+"dist"
+"dlig"
+"dnom"
+"dtls"
+"expt"
+"falt"
+"fin2"
+"fin3"
+"fina"
+"flac"
+"frac"
+"fwid"
+"half"
+"haln"
+"halt"
+"hist"
+"hkna"
+"hlig"
+"hngl"
+"hojo"
+"hwid"
+"init"
+"isol"
+"ital"
+"jalt"
+"jp78"
+"jp83"
+"jp90"
+"jp04"
+"kern"
+"lfbd"
+"liga"
+"ljmo"
+"lnum"
+"locl"
+"ltra"
+"ltrm"
+"mark"
+"med2"
+"medi"
+"mgrk"
+"mkmk"
+"mset"
+"nalt"
+"nlck"
+"nukt"
+"numr"
+"onum"
+"opbd"
+"ordn"
+"ornm"
+"palt"
+"pcap"
+"pkna"
+"pnum"
+"pref"
+"pres"
+"pstf"
+"psts"
+"pwid"
+"qwid"
+"rand"
+"rclt"
+"rlig"
+"rkrf"
+"rphf"
+"rtbd"
+"rtla"
+"rtlm"
+"ruby"
+"rvrn"
+"salt"
+"sinf"
+"size"
+"smcp"
+"smpl"
+"ss01"
+"ssty"
+"stch"
+"subs"
+"sups"
+"swsh"
+"titl"
+"tjmo"
+"tnam"
+"tnum"
+"trad"
+"twid"
+"unic"
+"valt"
+"vatu"
+"vert"
+"vhal"
+"vjmo"
+"vkna"
+"vkrn"
+"vpal"
+"vrt2"
+"vrtr"
+"zero"
+
+# baseline tags
+"hang"
+"icfb"
+"ictf"
+"ideo"
+"idtp"
+"math"
+"romn"
+
+# axis tags
+"ital"
+"opsz"
+"slnt"
+"wdth"
+"wght"
+
+# tables
+"BASE"
+"CBDT"
+"CBLC"
+"CFF"
+"CFF2"
+"COLR"
+"CPAL"
+"DSIG"
+"EBDT"
+"EBLC"
+"EBSC"
+"GDEF"
+"GPOS"
+"GSUB"
+"HVAR"
+"JSTF"
+"LTSH"
+"MATH"
+"MERG"
+"MVAR"
+"OTTO"
+"PCLT"
+"STAT"
+"SVG"
+"VDMX"
+"VORG"
+"VVAR"
+"avar"
+"cmap"
+"cmat"
+"cvar"
+"cvt"
+"fpgm"
+"fvar"
+"gasp"
+"glyf"
+"gvar"
+"hdmx"
+"head"
+"hhea"
+"hmtx"
+"kern"
+"loca"
+"maxp"
+"meta"
+"name"
+"post"
+"prep"
+"sbix"
+"vhea"
+"vmtx"
+
+# script tags
+"adlm"
+"ahom"
+"hluw"
+"arab"
+"armn"
+"avst"
+"bali"
+"bamu"
+"bass"
+"batk"
+"beng"
+"bng2"
+"bhks"
+"bopo"
+"brah"
+"brai"
+"bugi"
+"buhd"
+"byzm"
+"cans"
+"cari"
+"aghb"
+"cakm"
+"cham"
+"cher"
+"hani"
+"copt"
+"cprt"
+"cyrl"
+"dsrt"
+"deva"
+"dev2"
+"dogr"
+"dupl"
+"egyp"
+"elba"
+"ethi"
+"geor"
+"glag"
+"goth"
+"gran"
+"grek"
+"gujr"
+"gjr2"
+"gong"
+"guru"
+"gur2"
+"hang"
+"jamo"
+"rohg"
+"hano"
+"hatr"
+"hebr"
+"kana"
+"armi"
+"phli"
+"prti"
+"java"
+"kthi"
+"knda"
+"knd2"
+"kana"
+"kali"
+"khar"
+"khmr"
+"khoj"
+"sind"
+"lao "
+"latn"
+"lepc"
+"limb"
+"lina"
+"linb"
+"lisu"
+"lyci"
+"lydi"
+"mahj"
+"maka"
+"mlym"
+"mlm2"
+"mand"
+"mani"
+"marc"
+"gonm"
+"math"
+"medf"
+"mtei"
+"mend"
+"merc"
+"mero"
+"plrd"
+"modi"
+"mong"
+"mroo"
+"mult"
+"musc"
+"mymr"
+"mym2"
+"nbat"
+"newa"
+"talu"
+"nko "
+"nshu"
+"orya"
+"ory2"
+"ogam"
+"olck"
+"ital"
+"hung"
+"narb"
+"perm"
+"xpeo"
+"sogo"
+"sarb"
+"orkh"
+"osge"
+"osma"
+"hmng"
+"palm"
+"pauc"
+"phag"
+"phnx"
+"phlp"
+"rjng"
+"runr"
+"samr"
+"saur"
+"shrd"
+"shaw"
+"sidd"
+"sgnw"
+"sinh"
+"sogd"
+"sora"
+"soyo"
+"xsux"
+"sund"
+"sylo"
+"syrc"
+"tglg"
+"tagb"
+"tale"
+"lana"
+"tavt"
+"takr"
+"taml"
+"tml2"
+"tang"
+"telu"
+"tel2"
+"thaa"
+"thai"
+"tibt"
+"tfng"
+"tirh"
+"ugar"
+"vai "
+"wara"
+"yi "
+"zanb"
+
+# language tags
+"ABA "
+"ABK "
+"ACH "
+"ACR "
+"ADY "
+"AFK "
+"AFR "
+"AGW "
+"AIO "
+"AKA "
+"ALS "
+"ALT "
+"AMH "
+"ANG "
+"APPH"
+"ARA "
+"ARG "
+"ARI "
+"ARK "
+"ASM "
+"AST "
+"ATH "
+"AVR "
+"AWA "
+"AYM "
+"AZB "
+"AZE "
+"BAD "
+"BAD0"
+"BAG "
+"BAL "
+"BAN "
+"BAR "
+"BAU "
+"BBC "
+"BBR "
+"BCH "
+"BCR "
+"BDY "
+"BEL "
+"BEM "
+"BEN "
+"BGC "
+"BGQ "
+"BGR "
+"BHI "
+"BHO "
+"BIK "
+"BIL "
+"BIS "
+"BJJ "
+"BKF "
+"BLI "
+"BLK "
+"BLN "
+"BLT "
+"BMB "
+"BML "
+"BOS "
+"BPY "
+"BRE "
+"BRH "
+"BRI "
+"BRM "
+"BRX "
+"BSH "
+"BSK "
+"BTI "
+"BTS "
+"BUG "
+"BYV "
+"CAK "
+"CAT "
+"CBK "
+"CCHN"
+"CEB "
+"CHE "
+"CHG "
+"CHH "
+"CHI "
+"CHK "
+"CHK0"
+"CHO "
+"CHP "
+"CHR "
+"CHA "
+"CHU "
+"CHY "
+"CGG "
+"CJA "
+"CJM "
+"CMR "
+"COP "
+"COR "
+"COS "
+"CPP "
+"CRE "
+"CRR "
+"CRT "
+"CSB "
+"CSL "
+"CSY "
+"CTG "
+"CUK "
+"DAN "
+"DAR "
+"DAX "
+"DCR "
+"DEU "
+"DGO "
+"DGR "
+"DHG "
+"DHV "
+"DIQ "
+"DIV "
+"DJR "
+"DJR0"
+"DNG "
+"DNJ "
+"DNK "
+"DRI "
+"DUJ "
+"DUN "
+"DZN "
+"EBI "
+"ECR "
+"EDO "
+"EFI "
+"ELL "
+"EMK "
+"ENG "
+"ERZ "
+"ESP "
+"ESU "
+"ETI "
+"EUQ "
+"EVK "
+"EVN "
+"EWE "
+"FAN "
+"FAN0"
+"FAR "
+"FAT "
+"FIN "
+"FJI "
+"FLE "
+"FMP "
+"FNE "
+"FON "
+"FOS "
+"FRA "
+"FRC "
+"FRI "
+"FRL "
+"FRP "
+"FTA "
+"FUL "
+"FUV "
+"GAD "
+"GAE "
+"GAG "
+"GAL "
+"GAR "
+"GAW "
+"GEZ "
+"GIH "
+"GIL "
+"GIL0"
+"GKP "
+"GLK "
+"GMZ "
+"GNN "
+"GOG "
+"GON "
+"GRN "
+"GRO "
+"GUA "
+"GUC "
+"GUF "
+"GUJ "
+"GUZ "
+"HAI "
+"HAL "
+"HAR "
+"HAU "
+"HAW "
+"HAY "
+"HAZ "
+"HBN "
+"HER "
+"HIL "
+"HIN "
+"HMA "
+"HMN "
+"HMO "
+"HND "
+"HO  "
+"HRI "
+"HRV "
+"HUN "
+"HYE "
+"HYE0"
+"IBA "
+"IBB "
+"IBO "
+"IJO "
+"IDO "
+"ILE "
+"ILO "
+"INA "
+"IND "
+"ING "
+"INU "
+"IPK "
+"IPPH"
+"IRT "
+"ISL "
+"ISM "
+"ITA "
+"IWR "
+"JAM "
+"JAN "
+"JAV "
+"JBO "
+"JCT "
+"JII "
+"JUD "
+"JUL "
+"KAB "
+"KAB0"
+"KAC "
+"KAL "
+"KAN "
+"KAR "
+"KAT "
+"KAZ "
+"KDE "
+"KEA "
+"KEB "
+"KEK "
+"KGE "
+"KHA "
+"KHK "
+"KHM "
+"KHS "
+"KHT "
+"KHV "
+"KHW "
+"KIK "
+"KIR "
+"KIS "
+"KIU "
+"KJD "
+"KJP "
+"KJZ "
+"KKN "
+"KLM "
+"KMB "
+"KMN "
+"KMO "
+"KMS "
+"KMZ "
+"KNR "
+"KOD "
+"KOH "
+"KOK "
+"KON "
+"KOM "
+"KON0"
+"KOP "
+"KOR "
+"KOS "
+"KOZ "
+"KPL "
+"KRI "
+"KRK "
+"KRL "
+"KRM "
+"KRN "
+"KRT "
+"KSH "
+"KSH0"
+"KSI "
+"KSM "
+"KSW "
+"KUA "
+"KUI "
+"KUL "
+"KUM "
+"KUR "
+"KUU "
+"KUY "
+"KYK "
+"KYU "
+"LAD "
+"LAH "
+"LAK "
+"LAM "
+"LAO "
+"LAT "
+"LAZ "
+"LCR "
+"LDK "
+"LEZ "
+"LIJ "
+"LIM "
+"LIN "
+"LIS "
+"LJP "
+"LKI "
+"LMA "
+"LMB "
+"LMO "
+"LMW "
+"LOM "
+"LRC "
+"LSB "
+"LSM "
+"LTH "
+"LTZ "
+"LUA "
+"LUB "
+"LUG "
+"LUH "
+"LUO "
+"LVI "
+"MAD "
+"MAG "
+"MAH "
+"MAJ "
+"MAK "
+"MAL "
+"MAM "
+"MAN "
+"MAP "
+"MAR "
+"MAW "
+"MBN "
+"MBO "
+"MCH "
+"MCR "
+"MDE "
+"MDR "
+"MEN "
+"MER "
+"MFA "
+"MFE "
+"MIN "
+"MIZ "
+"MKD "
+"MKR "
+"MKW "
+"MLE "
+"MLG "
+"MLN "
+"MLR "
+"MLY "
+"MND "
+"MNG "
+"MNI "
+"MNK "
+"MNX "
+"MOH "
+"MOK "
+"MOL "
+"MON "
+"MOR "
+"MOS "
+"MRI "
+"MTH "
+"MTS "
+"MUN "
+"MUS "
+"MWL "
+"MWW "
+"MYN "
+"MZN "
+"NAG "
+"NAH "
+"NAN "
+"NAP "
+"NAS "
+"NAU "
+"NAV "
+"NCR "
+"NDB "
+"NDC "
+"NDG "
+"NDS "
+"NEP "
+"NEW "
+"NGA "
+"NGR "
+"NHC "
+"NIS "
+"NIU "
+"NKL "
+"NKO "
+"NLD "
+"NOE "
+"NOG "
+"NOR "
+"NOV "
+"NSM "
+"NSO "
+"NTA "
+"NTO "
+"NYM "
+"NYN "
+"NZA "
+"OCI "
+"OCR "
+"OJB "
+"ORI "
+"ORO "
+"OSS "
+"PAA "
+"PAG "
+"PAL "
+"PAM "
+"PAN "
+"PAP "
+"PAP0"
+"PAS "
+"PAU "
+"PCC "
+"PCD "
+"PDC "
+"PGR "
+"PHK "
+"PIH "
+"PIL "
+"PLG "
+"PLK "
+"PMS "
+"PNB "
+"POH "
+"PON "
+"PRO "
+"PTG "
+"PWO "
+"QIN "
+"QUC "
+"QUH "
+"QUZ "
+"QVI "
+"QWH "
+"RAJ "
+"RAR "
+"RBU "
+"RCR "
+"REJ "
+"RIA "
+"RIF "
+"RIT "
+"RKW "
+"RMS "
+"RMY "
+"ROM "
+"ROY "
+"RSY "
+"RTM "
+"RUA "
+"RUN "
+"RUP "
+"RUS "
+"SAD "
+"SAN "
+"SAS "
+"SAT "
+"SAY "
+"SCN "
+"SCO "
+"SEK "
+"SEL "
+"SGA "
+"SGO "
+"SGS "
+"SHI "
+"SHN "
+"SIB "
+"SID "
+"SIG "
+"SKS "
+"SKY "
+"SCS "
+"SLA "
+"SLV "
+"SML "
+"SMO "
+"SNA "
+"SNA0"
+"SND "
+"SNH "
+"SNK "
+"SOG "
+"SOP "
+"SOT "
+"SQI "
+"SRB "
+"SRD "
+"SRK "
+"SRR "
+"SSL "
+"SSM "
+"STQ "
+"SUK "
+"SUN "
+"SUR "
+"SVA "
+"SVE "
+"SWA "
+"SWK "
+"SWZ "
+"SXT "
+"SXU "
+"SYL "
+"SYR "
+"SYRE"
+"SYRJ"
+"SYRN"
+"SZL "
+"TAB "
+"TAJ "
+"TAM "
+"TAT "
+"TCR "
+"TDD "
+"TEL "
+"TET "
+"TGL "
+"TGN "
+"TGR "
+"TGY "
+"THA "
+"THT "
+"TIB "
+"TIV "
+"TKM "
+"TMH "
+"TMN "
+"TNA "
+"TNE "
+"TNG "
+"TOD "
+"TOD0"
+"TPI "
+"TRK "
+"TSG "
+"TSJ "
+"TUA "
+"TUM "
+"TUL "
+"TUV "
+"TVL "
+"TWI "
+"TYZ "
+"TZM "
+"TZO "
+"UDM "
+"UKR "
+"UMB "
+"URD "
+"USB "
+"UYG "
+"UZB "
+"VEC "
+"VEN "
+"VIT "
+"VOL "
+"VRO "
+"WA "
+"WAG "
+"WAR "
+"WCR "
+"WEL "
+"WLN "
+"WLF "
+"WTM "
+"XBD "
+"XKF "
+"XHS "
+"XJB "
+"XOG "
+"XPE "
+"YAK "
+"YAO "
+"YAP "
+"YBA "
+"YCR "
+"YIC "
+"YIM "
+"ZEA "
+"ZGH "
+"ZHA "
+"ZHH "
+"ZHP "
+"ZHS "
+"ZHT "
+"ZND "
+"ZUL "
+"ZZA "