diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index 9f5735816e..1a6d6dc4d4 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml 
@@ -1,67 +1,73 @@ -name: Build and Test - -on: - push: - branches: [ main ] - pull_request: - branches: [ main, dev ] - -env: - CARGO_TERM_COLOR: always - -jobs: - lint: - strategy: - matrix: - os: [ubuntu-latest, windows-latest] - runs-on: ${{ matrix.os }} - steps: - - uses: actions/checkout@v2 - - name: Cache cargo registry - uses: actions/cache@v2 - with: - path: | - ~/.cargo/registry - ~/.cargo/git - key: clippy-cargo-${{ hashFiles('**/Cargo.toml') }} - - name: Add clippy - run: rustup component add clippy - - name: Run clippy - uses: actions-rs/cargo@v1 - with: - command: clippy - args: --all - ubuntu: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Default Build - run: cargo build --verbose - - name: Default Test - run: cargo test --verbose - - name: Build all features - run: cd libafl && cargo build --all-features --verbose - - name: Test all features - run: cd libafl && cargo test --all-features --verbose - - name: Build no_std - run: cd libafl && cargo build --no-default-features --verbose - - name: Test no_std - run: cd libafl && cargo test --no-default-features --verbose - - name: Build examples - run: cargo build --examples --verbose - - uses: actions/checkout@v2 - - name: Format - run: cargo fmt -- --check - - uses: actions/checkout@v2 - - name: Build Docs - run: cargo doc - - name: Test Docs - run: cargo test --doc - windows: - runs-on: windows-latest - steps: - - uses: actions/checkout@v2 - - name: Windows Build - run: cargo build --verbose - - name: Windows Test - run: cargo test --verbose +name: Build and Test + +on: + push: + branches: [ main, dev ] + pull_request: + branches: [ main, dev ] + +env: + CARGO_TERM_COLOR: always + +jobs: + lint: + strategy: + matrix: + os: [ubuntu-latest, windows-latest] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v2 + - name: Cache cargo registry + uses: actions/cache@v2 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + key: clippy-cargo-${{ 
hashFiles('**/Cargo.toml') }} + - name: Add clippy + run: rustup component add clippy + - name: Run clippy + uses: actions-rs/cargo@v1 + with: + command: clippy + args: --all + ubuntu: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Default Build + run: cargo build --verbose + - name: Default Test + run: cargo test --verbose + - name: Build all features + run: cd libafl && cargo build --all-features --verbose + - name: Test all features + run: cd libafl && cargo test --all-features --verbose + - name: Build no_std + run: cd libafl && cargo build --no-default-features --verbose + - name: Test no_std + run: cd libafl && cargo test --no-default-features --verbose + - name: Build examples + run: cargo build --examples --verbose + - uses: actions/checkout@v2 + - name: Format + run: cargo fmt -- --check + - uses: actions/checkout@v2 + - name: Build Docs + run: cargo doc + - name: Test Docs + run: cargo test --doc + windows: + runs-on: windows-latest + steps: + - uses: actions/checkout@v2 + - name: Windows Build + run: cargo build --verbose + # TODO: Figure out how to properly build stuff with clang + #- name: Add clang path to $PATH env + # if: runner.os == 'Windows' + # run: echo "C:\msys64\mingw64\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 + #- name: Try if clang works + # run: clang -v + #- name: Windows Test + # run: C:\Rust\.cargo\bin\cargo.exe test --verbose diff --git a/.gitignore b/.gitignore index 0c466bba6e..3727f15757 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,6 @@ perf.data.old .vscode test.dict + +# Ignore all built fuzzers +fuzzer_* \ No newline at end of file diff --git a/.gitmodules b/.gitmodules index a0c3ef7ad6..e69de29bb2 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +0,0 @@ -[submodule "fuzzers/qemufuzzer/qemu-fuzz"] - path = fuzzers/qemufuzzer/qemu-fuzz - url = git@github.com:AFLplusplus/qemu-fuzz.git diff --git a/Cargo.toml b/Cargo.toml index 77ae433219..02afa27c46 100644 --- a/Cargo.toml 
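Review bot: The new `windows` job no longer runs any tests: the `Windows Test` step is commented out behind the clang TODO, so Windows-only test regressions now pass CI silently; until the clang setup is sorted out, a plain `- name: Windows Test` / `run: cargo test --verbose` step (skipping only the tests that need clang, if any) would keep that coverage. All actions are pinned by a mutable major tag only (`actions/checkout@v2`, `actions/cache@v2`, `actions-rs/cargo@v1`); pinning each `uses:` to a full commit SHA protects the build from a moved or compromised tag, and `actions-rs/cargo` is no longer maintained, so a plain `run: cargo clippy --all` step would be simpler. The `lint` cache key hashes only `**/Cargo.toml`, so if a `Cargo.lock` is committed, dependency bumps that do not touch a manifest will reuse a stale registry cache; adding `hashFiles('**/Cargo.lock')` to the key fixes that. The `ubuntu` job also checks the repository out three times; the two extra `- uses: actions/checkout@v2` steps are redundant and can be dropped.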
+++ b/Cargo.toml @@ -8,9 +8,16 @@ debug = true members = [ "libafl", "libafl_derive", - - #example fuzzers - "fuzzers/libfuzzer_libpng", - "fuzzers/libfuzzer_libmozjpeg", - "fuzzers/libfuzzer_libpng_cmpalloc", + "libafl_cc", + "libafl_targets", + "libafl_frida", +] +default-members = [ + "libafl", + "libafl_derive", + "libafl_cc", + "libafl_targets", +] +exclude = [ + "fuzzers", ] diff --git a/README.md b/README.md index b1e6deff73..523d388e81 100644 --- a/README.md +++ b/README.md 
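Review bot: With `exclude = ["fuzzers"]` the example fuzzers are no longer workspace members, so the root `cargo build --examples` that the workflow runs does not compile them any more and they can break without CI noticing; a CI step that builds each `fuzzers/*` crate from its own directory would restore that check. `libafl_frida` is in `members` but not in `default-members`, which is presumably deliberate, but nothing says so; a one-line comment such as `# libafl_frida is built on request only: cargo build -p libafl_frida` would spare the next reader the guess. The enclosing `[workspace]` table begins above this hunk.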
@@ -1,10 +1,41 @@ # LibAFL, the fuzzer library. + AFL++ Logo + Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust. LibAFL is written and maintained by Andrea Fioraldi and Dominik Maier . -It is released as Open Source Software under the [Apache v2](LICENSE-APACHE) or [MIT](LICENSE-MIT) licenses. +## Why LibAFL? + +LibAFL gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable. +Some highlight features currently include: +- `multi platform`: LibAFL was confirmed to work on *Windows*, *MacOS*, *Linux*, and *Android* on *x86_64* and *aarch64*. +- `portable`: `LibAFL` can be built in `no_std` mode. Inject LibAFL in obscure targets like embedded devices and hypervisors. +- `adaptable`: You can replace each part of LibAFL. For example, `BytesInput` is just one potential form input: +feel free to add an AST-based input for structured fuzzing, and more. +- `scalable`: `Low Level Message Passing`, `LLMP` for short, allows LibAFL to scale almost linearly over cores, and via TCP to multiple machines! +- `fast`: We do everything we can at compile time, keeping runtime overhead minimal. +- `bring your own target`: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for sourced-based instrumentation. Of course it's easy to add custom instrumentation backends. +- `usable`: We hope. But we'll let you be the judge. Enjoy LibAFL. + +## Overview + +LibAFL is a collection of reusable pieces of fuzzers, written in Rust. +It is fast, multi-platform, no_std compatible, and scales over cores and machines. + +It offers a main crate that provide building blocks for custom fuzzers, [libafl](./libafl), a library containing common code that can be used for targets instrumentation, [libafl_targets](./libafl_targets), and a library providing facilities to wrap compilers, [libafl_cc](./libafl_cc). + +LibAFL offers integrations with popular instrumemntation frameworks. 
At the moment, the supported backends are: + ++ SanitizerCoverage, in [libafl_targets](./libafl_targets) ++ Frida, in [libafl_frida](./libafl_frida), by s1341 (Windows support is broken atm, it relies on [this upstream issue](https://github.com/meme/frida-rust/issues/9) to be fixed.) ++ More to come (QEMU-mode, ...) + +LibAFL offers integrations with popular instrumemntation frameworks too. At the moment, the supported backends are: + ++ SanitizerCoverage, in [libafl_targets](./libafl_targets) ++ Frida, in [libafl_frida](./libafl_frida), by s1341 (Windows support will be added soon) ## Getting started 
@@ -25,29 +56,51 @@ Build the library using cargo build --release ``` -Build the documentation with +Build the API documentation with ``` cargo doc ``` -We collect example fuzzers in `./fuzzers`. They can be build using `cargo build --example [fuzzer_name] --release`. +Browse the LibAFL book (WIP!) with (requires [mdbook](https://github.com/rust-lang/mdBook)) -The best-tested fuzzer is `./fuzzers/libfuzzer_libpng`, a clone of libfuzzer using libafl for a libpng harness. -See its readme [here](./fuzzers/libfuzzer_libpng/README.md). +``` +cd docs && mdbook serve +``` -## The Core Concepts +We collect all example fuzzers in [`./fuzzers`](./fuzzers/). +Be sure to read their documentation (and source), this is *the natural way to get started!* -The entire library is based on some core concepts that we think can generalize Fuzz Testing. +The best-tested fuzzer is [`./fuzzers/libfuzzer_libpng`](./fuzzers/libfuzzer_libpng), a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness. -We're still working on extending the documentation. +## Resources -In the meantime, you can watch the Video from last year's RC3, here: ++ [Installation guide](./docs/src/getting_started/setup.md) -[![Video explaining libAFL's core concepts](http://img.youtube.com/vi/3RWkT1Q5IV0/3.jpg)](http://www.youtube.com/watch?v=3RWkT1Q5IV0 "Fuzzers Like LEGO") ++ Our RC3 [talk](http://www.youtube.com/watch?v=3RWkT1Q5IV0 "Fuzzers Like LEGO") explaining the core concepts + ++ [Online API documentation](https://docs.rs/libafl/) + ++ The LibAFL book (very WIP) [online](https://aflplus.plus/libafl-book) or in the [repo](./docs/src/) ## Contributing Check the [TODO.md](./TODO.md) file for features that we plan to support. For bugs, feel free to open issues or contact us directly. Thank you for your support. <3 + +#### License + + +Licensed under either of Apache License, Version +2.0 or MIT license at your option. + + +
+ + +Unless you explicitly state otherwise, any contribution intentionally submitted +for inclusion in this crate by you, as defined in the Apache-2.0 license, shall +be dual licensed as above, without any additional terms or conditions. + + diff --git a/TODO.md b/TODO.md index 8a12d2cbea..62c31a0eef 100644 --- a/TODO.md +++ b/TODO.md 
@@ -1,22 +1,26 @@ # TODOs -- [x] ~~Minset corpus scheduler~~ still doc missing -- [ ] Win32 shared mem and crash handler to have Windows in-process executor -- [x] Other feedbacks examples (e.g. maximize allocations to spot OOMs) +- [ ] Conditional composition of feedbacks (issue #24) - [ ] Other objectives examples (e.g. execution of a given program point) - [ ] Objective-Specific Corpuses (named per objective) -- [x] A macro crate with derive directives (e.g. for SerdeAny impl). - [ ] Good documentation -- [ ] LLMP brotli compression +- [ ] LLMP compression - [ ] AFL-Style Forkserver Executor -- [x] Restarting EventMgr could use forks on unix -- [ ] Android Ashmem support - [ ] Restart Count in Fuzzing Loop - [ ] LAIN / structured fuzzing example -- [ ] Errors in the Fuzzer should exit the fuzz run - [ ] More informative outpus, deeper introspection (stats, what mutation did x, etc.) -- [x] Timeouts for executors - [ ] Timeout handling for llmp clients (no ping for n seconds -> treat as disconnected) - [ ] LLMP Cross Machine Link (2 brokers connected via TCP) - [ ] "Launcher" example that spawns broker + n clients - [ ] Heap for signal handling (bumpallo or llmp directly?) +- [ ] Frida support for Windows +- [ ] QEMU based instrumentation +- [ ] AFL++ LLVM passes in libafl_cc +- [x] Minset corpus scheduler +- [x] Win32 shared mem and crash handler to have Windows in-process executor +- [x] Other feedbacks examples (e.g. maximize allocations to spot OOMs) +- [x] A macro crate with derive directives (e.g. for SerdeAny impl). +- [x] Restarting EventMgr could use forks on Unix +- [x] Android Ashmem support +- [x] Errors in the Fuzzer should exit the fuzz run +- [x] Timeouts for executors (WIP on Windows) diff --git a/clippy.sh b/clippy.sh new file mode 100755 index 0000000000..7f4e6ac479 --- /dev/null +++ b/clippy.sh 
@@ -0,0 +1,25 @@
+#!/bin/sh
+# Clippy checks
+cargo clean -p libafl
+RUST_BACKTRACE=full cargo clippy --all -- \
+ -D clippy::pedantic \
+ -W clippy::cast_sign_loss \
+ -W clippy::similar-names \
+ -W clippy::cast_ptr_alignment \
+ -W clippy::cast_possible_wrap \
+ -W clippy::unused_self \
+ -W clippy::too_many_lines \
+ -A missing-docs \
+ -A clippy::doc_markdown \
+ -A clippy::must-use-candidate \
+ -A clippy::type_repetition_in_bounds \
+ -A clippy::missing-errors-doc \
+ -A clippy::cast-possible-truncation \
+ -A clippy::used-underscore-binding \
+ -A clippy::ptr-as-ptr \
+ -A clippy::missing-panics-doc \
+ -A clippy::missing-docs-in-private-items \
+ -A clippy::unseparated-literal-suffix \
+ -A clippy::module-name-repetitions \
+ -A clippy::unreadable-literal \
+ -A clippy::if-not-else \
diff --git a/docs/.gitignore b/docs/.gitignore
new file mode 100644
index 0000000000..7585238efe
--- /dev/null
+++ b/docs/.gitignore
@@ -0,0 +1 @@
+book
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 0000000000..393df1c64d
--- /dev/null
+++ b/docs/README.md
@@ -0,0 +1,13 @@
+# LibAFL Documentation Book
+
+This project contains the out-of-source LibAFL documentation as a book.
+
+Here you can find tutorials, examples, and detailed explanations.
+
+For the API documentation instead, run `cargo doc` in the LibAFl root folder.
+
+## Usage
+
+To build this book, you need [mdBook](https://github.com/rust-lang/mdBook).
+
+`mdbook build` to build, `mdbook serve` to serve the book locally.
diff --git a/docs/book.toml b/docs/book.toml
new file mode 100644
index 0000000000..8901056073
--- /dev/null
+++ b/docs/book.toml
@@ -0,0 +1,6 @@
+[book]
+authors = ["Andrea Fioraldi", "Dominik Maier"]
+language = "en"
+multilingual = false
+src = "src"
+title = "The LibAFL Fuzzing Library"
diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md
new file mode 100644
index 0000000000..72152e1872
--- /dev/null
+++ b/docs/src/SUMMARY.md
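Review bot: The last line `-A clippy::if-not-else \` ends in a continuation backslash with nothing after it, so the command only terminates because the file ends there; dropping that trailing backslash makes the script robust to anyone appending a flag or a blank line later. The lint configuration here (`-D clippy::pedantic` plus the listed allows) also differs from the bare `cargo clippy --all` the workflow runs, so local runs and CI disagree on what counts as a failure; having the workflow invoke this script, or stating the intended difference in the header comment, would keep the two aligned. `cargo clean -p libafl` on every run forces a full rebuild of that crate; if that is deliberate so clippy re-lints it instead of reusing a cached check, a comment such as `# clean so clippy re-checks libafl rather than reusing a cached build` would make the intent clear.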
@@ -0,0 +1,21 @@ +# Summary + +[The LibAFL Fuzzing Library](./libafl.md) + +[Introduction](./introduction.md) + +- [Getting Started](./getting_started/getting_started.md) + - [Setup](./getting_started/setup.md) + - [Build](./getting_started/build.md) + - [Crates](./getting_started/crates.md) + +- [Baby Fuzzer](./baby_fuzzer.md) + +- [Design](./design/design.md) + - [Core Concepts](./design/core_concepts.md) + - [Architecture](./design/architecture.md) + +- [Understanding Metadata](./medatata/metadata.md) + - [Definition](./medatata/definition.md) + - [(De)Serialization](./medatata/de_serialization.md) + - [Usage](./medatata/usage.md) diff --git a/docs/src/baby_fuzzer.md b/docs/src/baby_fuzzer.md new file mode 100644 index 0000000000..4f1e4ff234 --- /dev/null +++ b/docs/src/baby_fuzzer.md @@ -0,0 +1 @@ +# Baby Fuzzer diff --git a/docs/src/design/architecture.md b/docs/src/design/architecture.md new file mode 100644 index 0000000000..b600ebdc75 --- /dev/null +++ b/docs/src/design/architecture.md 
@@ -0,0 +1,13 @@ +# Architecture + +The LibAFL architecture is built around some entities to allow code reuse and low-cost abstractions. + +Initially, we started thinking to implement LibAFL in an Object Oriented language, such C++. When we landed to Rust, we immediately changed our idea as we realized that, while Rust allow a sort of OOP pattern, we can build the library using a more sane approach like the one described in [this blogpost](https://kyren.github.io/2018/09/14/rustconf-talk.html) about game design in Rust. + +The LibAFL code reuse meachanism is so based on components rather than sub-classes, but there are still some OOP patterns in the library. + +Thinking about similar fuzzers, you can observe that most of the times the data structures that are modified are the ones related to testcases and the fuzzer global state. + +Beside the entities described previously, we introduce the Testcase and State entities. The Testcase is a container for an Input stored in the Corpus and its metadata (so, in the implementation, the Corpus stores Testcases) and the State contains all the metadata that are evolved while running the fuzzer, Corpus included. + + diff --git a/docs/src/design/core_concepts.md b/docs/src/design/core_concepts.md new file mode 100644 index 0000000000..ea87125e2e --- /dev/null +++ b/docs/src/design/core_concepts.md 
@@ -0,0 +1,86 @@ +# Core Concepts + +LibAFL is designed around some core concepts that we think can effectively abstract most of the other fuzzers designs. + +Here, we discuss these concepts and provide some examples related to other fuzzers. + +TODO add links to trait definitions in docs.rs + +## Observer + +An Observer, or Observation Channel, is an entity that provides an information observed during the execution of the program under test to the fuzzer. + +The information contained in the Observer is not preserved cross executions. + +As an example, the coverage shared map filled during the execution to report the executed edges used by fuzzers such as AFL and HoggFuzz can be considered an Observation Channel. +This information is not preserved accros runs and it is an observation of a dynamic property of the program. + +## Executor + +In different fuzzers, the concept of executing the program under test each run is now always the same. +For instance, for in-memory fuzzers like libFuzzer an execution is a call to an harness function, for hypervisor-based fuzzers like [kAFL](https://github.com/IntelLabs/kAFL) instead an entire operating system is started from a snapshot each run. + +In our model, an Executor is the entity that defines not only how to execute the target, but all the volatile operations that are related to just a single run of the target. + +So the Executor is for instance reponsible to inform the program about the input that the fuzzer wants to use in the run, writing to a memory location for instance or passing it as a parameter to the harness function. + +It also holds a set of Observers, as thay are related to just a single run of the target. + +## Feedback + +The Feedback is an entity that classify the outcome of an execution of the program under test as interesting or not. +Tipically, if an exeuction is interesting, the corresponding input used to feed the target program is added to a corpus. 
+ +Most of the times, the notion of Feedback is deeply linked to the Observer, but they are different concepts. + +The Feedback, in most of the cases, process the information reported by one or more observer to decide if the execution is interesting. +The concept of "interestingness" is abstract, but tipically it is related to a novelty search (i.e. interesting inputs are those that reach a previosly unseen edge in the control flow graph). + +As an example, given an Observer that reports all the size of memory allocations, a maximization Feedback can be used to maximize these sizes to sport patological inputs in terms of memory consumption. + +## Input + +Formally, the input of a program is the data taken from external sources and that affect the program behaviour. + +In our model of an abstarct fuzzer, we define the Input as the internal representation of the program input (or a part of it). + +In the straightforward case, the input of the program is a byte array and in fuzzers such as AFL we store an manipulate exaclty these byte arrays. + +But it is not always the case. A program can expect inputs that are not byte arrays (e.g. a sequence of syscalls) and the fuzzer does not represent the Input in the same way that the program consume it. + +In case of a grammar fuzzer for instance, the Input is generally an Abstract Syntax Tree because it is a data structure that can be easily manipulated while maintaining the validity, but the program expects a byte array as input so, just before the execution, the tree is serialized to a sequence of bytes. + +## Corpus + +The Corpus is where testcases are stored. A Testcase is defined as an Input and a set of related metadata like execution time for instance. + +For instance, a Corpus can store testcases on disk, or in memory, or implement a cache to speedup on disk storage. + +Usually, a testcase is added to the Corpus when it is considered as interesting. 
+ +## Mutator + +The Mutator is an entitiy that takes one or more Inputs and generates a new derived one. + +Mutators can be composed and they are generally linked to a specific Input type. + +There can be, for instance, a Mutator that applies more than a single type of mutation on the input. Consider a generic Mutator for a byte stream, bit flip is just one of the possible mutations but not the single one, there is also, for instance, the random replacement of a byte of the copy of a chunk. + +This Mutator will simple schedule the application of some other Mutators. + +## Generator + +A Generator is a component designed to generate an Input from scratch. + +Tipically, a random generator is used to generate random inputs. + +Generators are traditionally less used in Feedback-driven Fuzzing, but there are exceptions, like Nautilus, that uses a Grammar generator to create the initial corpus and a sub-tree Generator as a mutation of its grammar Mutator. + +## Stage + +A Stage is an entity that operates on a single Input got from the Corpus. + +For instamce, a Mutational Stage, given an input of the corpus, applies a Mutator and executes the generated input one or more time. How many times this has to be done can be scheduled, AFL for instance use a performance score of the input to choose how many times the havoc mutator should be invoked. This can depends also on other parameters, for instance, the length of the input if we want to just apply a sequential bitflip, or be a fixed value. + +A stage can be also an analysis stage, for instance, the Colorization stage of Redqueen that aims to introduce more entropy in a testcase or the Trimming stage of AFL that aims to reduce the size of a testcase. + diff --git a/docs/src/design/design.md b/docs/src/design/design.md new file mode 100644 index 0000000000..3650272973 --- /dev/null +++ b/docs/src/design/design.md 
@@ -0,0 +1,3 @@ +# Design + +In this chapter, we introduce the abstract Core Concepts behind LibAFL, we then discuss how we designed the library to take into account these concepts while allowing code reuse and extensibility. diff --git a/docs/src/getting_started/build.md b/docs/src/getting_started/build.md new file mode 100644 index 0000000000..b4649a6999 --- /dev/null +++ b/docs/src/getting_started/build.md @@ -0,0 +1,25 @@ +# Build + +LibAFL, as most of the Rust projects, can be built using `cargo` from the root directory of the project with: + +```sh +$ cargo build --release +``` + +Note that the `--release` flag is optional for development, but you needed to add it to fuzzing at a decent speed. +Slowdowns of 10x or more are not uncommon for Debug builds. + +The LibAFL repository is composed of multiple crates. +The top-level Cargo.toml is the workspace file grouping these crates. +Calling `cargo build` from the root directory will compile all crates in the workspace. + +## Build Example Fuzzers + +We group example fuzzers in the `./fuzzers` directory of the LibAFL repository. +The directory contains a set of crates that are not part of the workspace. + +Each of these example fuzzers uses particular features of LibAFL, sometimes combined with different instrumentation backends (e.g. [SanitizerCoverage](https://clang.llvm.org/docs/SanitizerCoverage.html), [Frida](https://frida.re/), ...). + +You can use these crates as examples and as skeletons for custom fuzzers with similar featuresets. + +To build an example fuzzer you have to invoke cargo from its respective folder (`fuzzers/[FUZZER_NAME]). diff --git a/docs/src/getting_started/crates.md b/docs/src/getting_started/crates.md new file mode 100644 index 0000000000..841094e076 --- /dev/null +++ b/docs/src/getting_started/crates.md 
@@ -0,0 +1,40 @@ +# Crates + +LibAFL is composed by different crates. +Each one has its self-contained purpose, and the user may not need to use all of them in its project. + +Following the naming convention of the folders in the project's root, they are: + +### libafl + +This is the main crate that contains all the components needed to build a fuzzer. + +This crate has the following feature flags: + +- std, that enables the parts of the code that use the Rust standard library. Without this flags, libafl is no_std. +- derive, that enables the usage of the `derive(...)` macros defined in libafl_derive from libafl. + +By default, std and derive are both set. + +### libafl_derive + +This a proc-macro crate paired with the libafl crate. + +At the moment, it just expose the `derive(SerdeAny)` macro that can be used to define metadata structs. + +### libafl_targets + +This crate that exposes, under feature flags, pieces of code to interact with targets + +Currently, the supported flags are: + +- pcguard_edges, that defines the SanitizerCoverage trace-pc-guard hooks to track the executed edges in a map. +- pcguard_hitcounts, that defines the SanitizerCoverage trace-pc-guard hooks to track the executed edges with the hitcounts (like AFL) in a map. +- libfuzzer, that expose a compatibility layer with libFuzzer style harnesses. +- value_profile, that defines the SanitizerCoverage trace-cmp hooks to track the matching bits of each comparison in a map. + +### libafl_cc + +This is a library that provides some utils to wrap compilers and create source level fuzzers. + +At the moment, only the Clang compiler is supported. diff --git a/docs/src/getting_started/getting_started.md b/docs/src/getting_started/getting_started.md new file mode 100644 index 0000000000..ef05e80138 --- /dev/null +++ b/docs/src/getting_started/getting_started.md 
@@ -0,0 +1,4 @@ +# Getting Started + +To start using LibAFL, there are some first steps to do. In this chapter, we will +discuss how to download LibAFL and build with `cargo`, how are structured its crates and the purpose of each crate. diff --git a/docs/src/getting_started/setup.md b/docs/src/getting_started/setup.md new file mode 100644 index 0000000000..e57aca1f14 --- /dev/null +++ b/docs/src/getting_started/setup.md 
@@ -0,0 +1,58 @@ +# Setup + +The first step is to download LibAFL and all its dependencies that are not automatically installed with `cargo`. + +> ### Command Line Notation +> +> In this chapter and throughout the book, we’ll show some commands used in the +> terminal. Lines that you should enter in a terminal all start with `$`. You +> don’t need to type in the `$` character; it indicates the start of each +> command. Lines that don’t start with `$` typically show the output of the +> previous command. Additionally, PowerShell-specific examples will use `>` +> rather than `$`. + +The easiest way to download LibAFL is using `git`. + +```sh +$ git clone git@github.com:AFLplusplus/LibAFL.git +``` + +You can alternatively, on a UNIX-like machine, download a compressed archive and extract with: + +```sh +$ wget https://github.com/AFLplusplus/LibAFL/archive/main.tar.gz +$ tar xvf LibAFL-main.tar.gz +$ rm LibAFL-main.tar.gz +$ ls LibAFL-main # this is the extracted folder +``` + +## Clang installation + +One of the external dependencies of LibAFL is the Clang C/C++ compiler. +While most of the code is in pure Rust, we still need a C compiler because Rust stable +still does not support features that we need such as weak linking and LLVM builtins linking, +and so we use C to expose the missing functionalities to our Rust codebase. + +In addition, if you want to perform source-level fuzz testing of C/C++ applications, +you will likely need Clang with its instrumentation options to compile the programs +under test. + +You can download and build the LLVM source tree, Clang included, following the steps +explained [here](https://clang.llvm.org/get_started.html). + +Alternatively, on Linux, you can use your distro's package manager to get Clang, +but these packages are not always updated, so we suggest you to use the +Debian/Ubuntu prebuilt packages from LLVM that are available using their [official repository](https://apt.llvm.org/). 
+ +For Miscrosoft Windows, you can download the [installer package](https://llvm.org/builds/) that LLVM generates periodically. + +Despite that Clang is the default C compiler on macOS, we discourage the use of the build shipped by Apple and encourage +the installation from `brew` or direclty a fresh build from the source code. + +## Rust installation + +If you don't have Rust installed, you can easily follow the steps described [here](https://www.rust-lang.org/tools/install) +to install it on any supported system. + +We suggest to install Clang and LLVM first. + diff --git a/docs/src/introduction.md b/docs/src/introduction.md new file mode 100644 index 0000000000..c35050b44b --- /dev/null +++ b/docs/src/introduction.md 
@@ -0,0 +1,29 @@ +# Introduction + +Fuzzers are important assets in the pockets of security researchers and developers alike. +A wide range of cool state-of-the-art tools like [AFL++](https://github.com/AFLplusplus/AFLplusplus), [libFuzzer](https://llvm.org/docs/LibFuzzer.html) or [honggfuzz](https://github.com/google/honggfuzz) are available to users. They do their job in a very effective way, finding thousands of bugs. + +From the power user perspective, however, these tools are limited. +Their design does not treat extensibility as a first-class citizen. +Usually, a fuzzer developer can choose to either fork one of these existing tools, or to create a new fuzzer from scratch. +In any case, researchers end up with tons of fuzzers, all of which are incompatible with each other. +Their outstanding features can not just be combined for new projects. +Instead, we keep reinventing the wheel and may completely miss out on features that are complex to reimplement. + +Here comes LibAFL, a library that IS NOT a fuzzer, but a collection of reusable pieces of fuzzers, written in Rust. +LibAFL helps you develop your own custom fuzzer, tailored for your specific needs. +Be it a specific target, a particular instrumentation backend, or a custom mutator, you can leverage existing bits and pieces to craft the fastest and most efficient fuzzer you can envision. + +## Why LibAFL? + +LibAFL gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable. +Some highlight features currently include: +- `multi platform`: LibAFL works pretty much anywhere you can find a Rust compiler for. We already used it on *Windows*, *Android*, *MacOS*, and *Linux*, on *x86_64*, *aarch64*, ... +- `portable`: `LibAFL` can be built in `no_std` mode. This means it does not require a specific OS-dependent runtime to function. 
Define an allocator and a way to map pages, you should be good to inject LibAFL in obscure targets like embedded devices, hypervisors, or maybe even WebAssembly? +- `adaptable`: Given year of experience fine-tuning *AFLplusplus* and our academic fuzzing background, we could incorporate recent fuzzing trends into LibAFL's deign and make it future-proof. +To give an example, as opposed to old-skool fuzzers, a `BytesInput` is just one of the potential forms of inputs: +feel free to use and mutate an Abstract Syntax Tree instead, for structured fuzzing. +- `scalable`: As part of LibAFL, we developed `Low Level Message Passing`, `LLMP` for short, which allows LibAFL to scale almost linearly over cores. That is, if you chose to use this feature - it is your fuzzer, after all. Scaling to multiple machines over TCP is on the near road-map. +- `fast`: We do everything we can at compiletime so that the runtime overhead is as minimal as it can get. +- `bring your own target`: We support binary-only modes, like Frida-Mode with ASAN and CmpLog, as well as multiple compilation passes for sourced-based instrumentation, and of course supoprt custom instrumentation. +- `usable`: This one is on you to decide. Dig right in! \ No newline at end of file diff --git a/docs/src/libafl.md b/docs/src/libafl.md new file mode 100644 index 0000000000..b3dbcbbd36 --- /dev/null +++ b/docs/src/libafl.md @@ -0,0 +1,9 @@ +# The LibAFL Fuzzing Library + +*by Andrea Fioraldi and Dominik Maier* + +This version of the LibAFL book is coupled with the release 1.0 beta of the library. + +This document is still work-in-progress and incomplete. The structure and the concepts explained here are subject to change in future revisions, as the structure of LibAFL itself will evolve. + +The HTML version of this book is available online at PLACEHOLDER and offline from the LibAFL repository in the docs/ folder. 
diff --git a/docs/src/medatata/de_serialization.md b/docs/src/medatata/de_serialization.md new file mode 100644 index 0000000000..de75e3c413 --- /dev/null +++ b/docs/src/medatata/de_serialization.md @@ -0,0 +1,3 @@ +# (De)Serialization + +TODO describe the SerdeAny registry diff --git a/docs/src/medatata/definition.md b/docs/src/medatata/definition.md new file mode 100644 index 0000000000..f78e552859 --- /dev/null +++ b/docs/src/medatata/definition.md @@ -0,0 +1,19 @@ +# Definition + +A metadata in LibAFL is a self contained structure that holds associated data to the State or to a Testcase. + +In terms of code, a metadata can be defined as a Rust struct registered in the SerdeAny register. + +```rust +use libafl::SerdeAny; +use serde::{Serialize, Deserialize}; + +#[derive(Serialize, Deserialize, SerdeAny)] +pub struct MyMetadata { + ... +} +``` + +The struct must be static, so it cannot holds references to borrowed objects. + + diff --git a/docs/src/medatata/metadata.md b/docs/src/medatata/metadata.md new file mode 100644 index 0000000000..48511f3a03 --- /dev/null +++ b/docs/src/medatata/metadata.md @@ -0,0 +1,3 @@ +# Understanding Metadata + +In this chapter, we discuss in depth the metadata system of LibAFL and its usage. diff --git a/docs/src/medatata/usage.md b/docs/src/medatata/usage.md new file mode 100644 index 0000000000..1dfeb5194c --- /dev/null +++ b/docs/src/medatata/usage.md @@ -0,0 +1,3 @@ +# Usage + +TODO describe the HasMetadata interface diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/.gitignore b/fuzzers/baby_fuzzer/.gitignore similarity index 100% rename from fuzzers/libfuzzer_libpng_cmpalloc/.gitignore rename to fuzzers/baby_fuzzer/.gitignore diff --git a/fuzzers/baby_fuzzer/Cargo.toml b/fuzzers/baby_fuzzer/Cargo.toml new file mode 100644 index 0000000000..b464bafe45 --- /dev/null +++ b/fuzzers/baby_fuzzer/Cargo.toml 
@@ -0,0 +1,22 @@ +[package] +name = "baby_fuzzer" +version = "0.1.0" +authors = ["Andrea Fioraldi ", "Dominik Maier "] +edition = "2018" + +[features] +default = ["std"] +std = [] + +[profile.dev] +panic = "abort" + +[profile.release] +panic = "abort" +lto = true +codegen-units = 1 +opt-level = 3 +debug = true + +[dependencies] +libafl = { path = "../../libafl/" } diff --git a/fuzzers/baby_fuzzer/README.md b/fuzzers/baby_fuzzer/README.md new file mode 100644 index 0000000000..d7766a569b --- /dev/null +++ b/fuzzers/baby_fuzzer/README.md @@ -0,0 +1,7 @@ +# Baby fuzzer + +This is a minimalistic example about how to create a libafl based fuzzer. + +It runs on a single core until a crash occurs and then exits. + +The tested program is a simple Rust function without any instrumentation. diff --git a/fuzzers/baby_fuzzer/src/main.rs b/fuzzers/baby_fuzzer/src/main.rs new file mode 100644 index 0000000000..d53dfec70a --- /dev/null +++ b/fuzzers/baby_fuzzer/src/main.rs 
@@ -0,0 +1,99 @@
+use std::path::PathBuf;
+
+use libafl::{
+ bolts::tuples::tuple_list,
+ corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
+ events::SimpleEventManager,
+ executors::{inprocess::InProcessExecutor, ExitKind},
+ feedbacks::{CrashFeedback, MaxMapFeedback},
+ fuzzer::{Fuzzer, StdFuzzer},
+ generators::RandPrintablesGenerator,
+ mutators::scheduled::{havoc_mutations, StdScheduledMutator},
+ observers::StdMapObserver,
+ stages::mutational::StdMutationalStage,
+ state::State,
+ stats::SimpleStats,
+ utils::{current_nanos, StdRand},
+};
+
+// Coverage map with explicit assignments due to the lack of instrumentation
+static mut SIGNALS: [u8; 16] = [0; 16];
+
+fn signals_set(idx: usize) {
+ unsafe { SIGNALS[idx] = 1 };
+}
+
+pub fn main() {
+ // The closure that we want to fuzz
+ let mut harness = |buf: &[u8]| {
+ signals_set(0);
+ if buf.len() > 0 && buf[0] == 'a' as u8 {
+ signals_set(1);
+ if buf.len() > 1 && buf[1] == 'b' as u8 {
+ signals_set(2);
+ if buf.len() > 2 && buf[2] == 'c' as u8 {
+ panic!("=)");
+ }
+ }
+ }
+ ExitKind::Ok
+ };
+
+ // The Stats trait define how the fuzzer stats are reported to the user
+ let stats = SimpleStats::new(|s| println!("{}", s));
+
+ // The event manager handle the various events generated during the fuzzing loop
+ // such as the notification of the addition of a new item to the corpus
+ let mut mgr = SimpleEventManager::new(stats);
+
+ // Create an observation channel using the siganls map
+ let observer =
+ StdMapObserver::new("signals", unsafe { &mut SIGNALS }, unsafe { SIGNALS.len() });
+
+ // create a State from scratch
+ let mut state = State::new(
+ // RNG
+ StdRand::with_seed(current_nanos()),
+ // Corpus that will be evolved, we keep it in memory for performance
+ InMemoryCorpus::new(),
+ // Feedbacks to rate the interestingness of an input
+ tuple_list!(MaxMapFeedback::new_with_observer(&observer)),
+ // Corpus in which we store solutions (crashes in this example),
+ // on disk so the user can get them after stopping the fuzzer
+ OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
+ // Feedbacks to recognize an input as solution
+ tuple_list!(CrashFeedback::new()),
+ );
+
+ // Setup a basic mutator with a mutational stage
+ let mutator = StdScheduledMutator::new(havoc_mutations());
+ let stage = StdMutationalStage::new(mutator);
+
+ // A fuzzer with just one stage
+ let mut fuzzer = StdFuzzer::new(tuple_list!(stage));
+
+ // A queue policy to get testcasess from the corpus
+ let scheduler = QueueCorpusScheduler::new();
+
+ // Create the executor for an in-process function with just one observer
+ let mut executor = InProcessExecutor::new(
+ "in-process(signals)",
+ &mut harness,
+ tuple_list!(observer),
+ &mut state,
+ &mut mgr,
+ )
+ .expect("Failed to create the Executor".into());
+
+ // Generator of printable bytearrays of max size 32
+ let mut generator = RandPrintablesGenerator::new(32);
+
+ // Generate 8 initial inputs
+ state
+ .generate_initial_inputs(&mut executor, &mut generator, &mut mgr, &scheduler, 8)
+ .expect("Failed to generate the initial corpus".into());
+
+ fuzzer
+ .fuzz_loop(&mut state, &mut executor, &mut mgr, &scheduler)
+ .expect("Error in the fuzzing loop".into());
+}
diff --git a/fuzzers/frida_libpng/.gitignore b/fuzzers/frida_libpng/.gitignore
new file mode 100644
index 0000000000..a977a2ca5b
--- /dev/null
+++ b/fuzzers/frida_libpng/.gitignore
@@ -0,0 +1 @@
+libpng-*
\ No newline at end of file
diff --git a/fuzzers/frida_libpng/Cargo.toml b/fuzzers/frida_libpng/Cargo.toml
new file mode 100644
index 0000000000..c59b89c88c
--- /dev/null
+++ b/fuzzers/frida_libpng/Cargo.toml
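Review bot: `StdMapObserver::new("signals", unsafe { &mut SIGNALS }, ...)` creates a `&mut` into the `static mut` that `signals_set` keeps writing through on every execution, so the observer's mutable borrow and the harness's writes alias the same array for the whole fuzz loop — that is undefined behaviour in Rust even though it works in practice in this single-threaded example. The frida example in this same change uses the pointer form `StdMapObserver::new_from_ptr(...)`; the same here, `StdMapObserver::new_from_ptr("signals", unsafe { SIGNALS.as_mut_ptr() }, unsafe { SIGNALS.len() })`, avoids materialising the reference, and either way the `unsafe` deserves `// SAFETY: single-threaded; SIGNALS is only written by the harness, between observer reads`. Minor: `'a' as u8` is the byte literal `b'a'`, and `buf.len() > 0` is `!buf.is_empty()`.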
@@ -0,0 +1,35 @@ +[package] +name = "frida_libpng" +version = "0.1.0" +authors = ["Andrea Fioraldi ", "Dominik Maier "] +edition = "2018" +build = "build.rs" + +[features] +default = ["std", "frida"] +std = [] +frida = ["frida-gum", "frida-gum-sys"] + +[profile.release] +lto = true +codegen-units = 1 +opt-level = 3 +debug = true + +[build-dependencies] +cc = { version = "1.0", features = ["parallel"] } +num_cpus = "1.0" +which = "4.1" + +[target.'cfg(unix)'.dependencies] +libafl = { path = "../../libafl/", features = [ "std" ] } #, "llmp_small_maps", "llmp_debug"]} +capstone = "0.8.0" +frida-gum = { version = "0.4", optional = true, features = [ "auto-download", "event-sink", "invocation-listener"] } +frida-gum-sys = { version = "0.2.4", optional = true, features = [ "auto-download", "event-sink", "invocation-listener"] } +libafl_frida = { path = "../../libafl_frida", version = "0.1.0" } +lazy_static = "1.4.0" +libc = "0.2" +libloading = "0.7.0" +num-traits = "0.2.14" +rangemap = "0.1.10" +seahash = "4.1.0" diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/README.md b/fuzzers/frida_libpng/README.md similarity index 74% rename from fuzzers/libfuzzer_libpng_cmpalloc/README.md rename to fuzzers/frida_libpng/README.md index bfd858fbcb..dd032eb121 100644 --- a/fuzzers/libfuzzer_libpng_cmpalloc/README.md +++ b/fuzzers/frida_libpng/README.md 
@@ -1,18 +1,15 @@ -# Libfuzzer for libpng (cmp+alloc) +# Libfuzzer for libpng This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection. To show off crash detection, we added a ud2 instruction to the harness, edit harness.cc if you want a non-crashing example. It has been tested on Linux. -The difference between the normal Libfuzzer for libpng example here is that this fuzzer is not just using edge coverage as feedback but also comparisons values (-value-profile like) and allocations sizes. -This is an example how multiple feedbacks can be combined in a fuzzer. - ## Build -To build this example, run `cargo build --example libfuzzer_libpng_cmpalloc --release`. -This will call (the build.rs)[./builld.rs], which in turn downloads a libpng archive from the web. +To build this example, run `cargo build --example libfuzzer_libpng --release`. +This will call (the build.rs)[./build.rs], which in turn downloads a libpng archive from the web. Then, it will link (the fuzzer)[./src/fuzzer.rs] against (the C++ harness)[./harness.cc] and the instrumented `libpng`. -Afterwards, the fuzzer will be ready to run, from `../../target/examples/libfuzzer_libpng_cmpalloc`. +Afterwards, the fuzzer will be ready to run, from `../../target/examples/libfuzzer_libpng`. ## Run diff --git a/fuzzers/libfuzzer_libpng/build.rs b/fuzzers/frida_libpng/build.rs similarity index 51% rename from fuzzers/libfuzzer_libpng/build.rs rename to fuzzers/frida_libpng/build.rs index 49f3cfba94..0fa8a7e5b3 100644 --- a/fuzzers/libfuzzer_libpng/build.rs +++ b/fuzzers/frida_libpng/build.rs 
@@ -6,12 +6,28 @@ use std::{ process::{exit, Command}, }; +use which::which; + const LIBPNG_URL: &str = "https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz"; +fn build_dep_check(tools: &[&str]) { + for tool in tools.into_iter() { + println!("Checking for build tool {}...", tool); + + match which(tool) { + Ok(path) => println!("Found build tool {}", path.to_str().unwrap()), + Err(_) => { + println!("ERROR: missing build tool {}", tool); + exit(1); + } + }; + } +} + fn main() { if cfg!(windows) { - println!("cargo:warning=Skipping libpng example on Windows"); + println!("cargo:warning=Skipping libpng frida example on Windows"); exit(0); } @@ -19,22 +35,32 @@ fn main() { let cwd = env::current_dir().unwrap().to_string_lossy().to_string(); let out_dir = out_dir.to_string_lossy().to_string(); let out_dir_path = Path::new(&out_dir); + std::fs::create_dir_all(&out_dir).expect(&format!("Failed to create {}", &out_dir)); + println!("cargo:rerun-if-changed=build.rs"); println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c",); println!("cargo:rerun-if-changed=harness.cc"); + build_dep_check(&["clang", "clang++", "wget", "tar", "make"]); + let libpng = format!("{}/libpng-1.6.37", &out_dir); let libpng_path = Path::new(&libpng); let libpng_tar = format!("{}/libpng-1.6.37.tar.xz", &cwd); // Enforce clang for its -fsanitize-coverage support. - std::env::set_var("CC", "clang"); - std::env::set_var("CXX", "clang++"); + let clang = match env::var("CLANG_PATH") { + Ok(path) => path, + Err(_) => "clang".to_string(), + }; + let clangpp = format!("{}++", &clang); + std::env::set_var("CC", &clang); + std::env::set_var("CXX", &clangpp); let ldflags = match env::var("LDFLAGS") { Ok(val) => val, Err(_) => "".to_string(), }; + // println!("cargo:warning=output path is {}", libpng); if !libpng_path.is_dir() { if !Path::new(&libpng_tar).is_file() { println!("cargo:warning=Libpng not found, downloading..."); 
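Review bot: `build_dep_check` iterates with `tools.into_iter()` on a `&[&str]`, which only borrows and trips clippy's `into_iter_on_ref`; `for tool in tools` reads the same. More to the point, the caller in the next hunk checks a hard-coded `"clang"` and `"clang++"` although the build honours a `CLANG_PATH` override, so a host that only has a versioned binary and sets `CLANG_PATH=clang-12` fails the check with a misleading `ERROR: missing build tool clang`. Pass the resolved names in instead, i.e. move the call below the `clang`/`clangpp` computation and write `build_dep_check(&[&clang, &clangpp, "wget", "tar", "make"]);`.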
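Review bot: The C++ compiler is derived as `let clangpp = format!("{}++", &clang);`, which breaks for exactly the versioned names that a `CLANG_PATH` override exists for: `CLANG_PATH=clang-12` yields `clang-12++`, whereas the binary is spelled `clang++-12`. Read an explicit override instead, `let clangpp = env::var("CLANGXX_PATH").unwrap_or_else(|_| format!("{}++", clang));` (and `env::var("CLANG_PATH").unwrap_or_else(|_| "clang".to_string())` replaces the `match`), and add `println!("cargo:rerun-if-env-changed=CLANG_PATH");` next to the `rerun-if-changed` lines so changing the variable actually triggers a rebuild. The `// println!("cargo:warning=output path is {}", libpng);` line is leftover debugging and can go.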
@@ -49,7 +75,7 @@ fn main() { } Command::new("tar") .current_dir(&out_dir_path) - .arg("-xvf") + .arg("xvf") .arg(&libpng_tar) .status() .unwrap(); @@ -59,19 +85,20 @@ fn main() { "--disable-shared", &format!("--host={}", env::var("TARGET").unwrap())[..], ]) - .env("CC", "clang") - .env("CXX", "clang++") + .env("CC", &clang) + .env("CXX", &clangpp) .env( "CFLAGS", - "-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", + "-O3 -g -D_DEFAULT_SOURCE -fPIC -fno-omit-frame-pointer", ) .env( "CXXFLAGS", - "-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", + "-O3 -g -D_DEFAULT_SOURCE -fPIC -fno-omit-frame-pointer", ) .env( "LDFLAGS", - format!("-g -fPIE -fsanitize-coverage=trace-pc-guard {}", ldflags), + //format!("-g -fPIE -fsanitize=address {}", ldflags), + format!("-g -fPIE {}", ldflags), ) .status() .unwrap(); 
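Review bot: The configure invocation in the second hunk (its `Command::new` is before the hunk; the `--disable-shared`/`--host` args identify it) still ends in `.status().unwrap()`, which panics only if the process cannot be spawned — a configure that runs and fails, e.g. on missing zlib headers or a bad `--host`, is silently ignored and the build continues until the later link fails with an unrelated error. The harness compile added further down in this same build.rs does `assert!(status.success())`; do the same here: `let status = ... .status().unwrap(); assert!(status.success(), "libpng configure failed");`. The commented-out `//format!("-g -fPIE -fsanitize=address {}", ldflags),` should either be removed or gated on an env var, so an ASAN build of libpng is reproducible rather than a hand edit.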
@@ -81,29 +108,31 @@ fn main() { .unwrap(); } - cc::Build::new() - .file("../libfuzzer_runtime/rt.c") - .compile("libfuzzer-sys"); - - cc::Build::new() - .include(&libpng_path) + let status = cc::Build::new() .cpp(true) - .flag("-fsanitize-coverage=trace-pc-guard") - // .define("HAS_DUMMY_CRASH", "1") - .file("./harness.cc") - .compile("libfuzzer-harness"); - - println!("cargo:rustc-link-search=native={}", &out_dir); - println!("cargo:rustc-link-search=native={}/.libs", &libpng); - println!("cargo:rustc-link-lib=static=png16"); - - //Deps for libpng: -pthread -lz -lm - println!("cargo:rustc-link-lib=dylib=m"); - println!("cargo:rustc-link-lib=dylib=z"); - - //For the C++ harness - //must by dylib for android - println!("cargo:rustc-link-lib=dylib=stdc++"); - - println!("cargo:rerun-if-changed=build.rs"); + .get_compiler() + .to_command() + .current_dir(&cwd) + .arg("-I") + .arg(&libpng) + //.arg("-D") + //.arg("HAS_DUMMY_CRASH=1") + .arg("-fPIC") + .arg("-shared") + .arg("-O3") + //.arg("-fomit-frame-pointer") + .arg(if env::var("CARGO_CFG_TARGET_OS").unwrap() == "android" { + "-static-libstdc++" + } else { + "" + }) + .arg("-o") + .arg(format!("{}/libpng-harness.so", &out_dir)) + .arg("./harness.cc") + .arg(format!("{}/.libs/libpng16.a", &libpng)) + .arg("-l") + .arg("z") + .status() + .unwrap(); + assert!(status.success()); } diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/harness.cc b/fuzzers/frida_libpng/harness.cc similarity index 92% rename from fuzzers/libfuzzer_libpng_cmpalloc/harness.cc rename to fuzzers/frida_libpng/harness.cc index 65faff685d..20a2070e16 100644 --- a/fuzzers/libfuzzer_libpng_cmpalloc/harness.cc +++ b/fuzzers/frida_libpng/harness.cc @@ -17,6 +17,7 @@ #include #include #include +#include #include 
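Review bot: On every non-Android target the `if … == "android" { "-static-libstdc++" } else { "" }` expression hands the compiler an empty string as its own argv element; clang treats an argument that does not start with `-` as an input file, so this most likely fails with `no such file or directory: ''` rather than being ignored. Pass a possibly-empty list instead: `.args(if env::var("CARGO_CFG_TARGET_OS").unwrap() == "android" { &["-static-libstdc++"][..] } else { &[][..] })`. The `assert!(status.success())` at the end is the right idea (and is missing from the configure step earlier in this file); giving it a message, `assert!(status.success(), "building libpng-harness.so failed")`, makes the failure self-explanatory.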
@@ -79,6 +80,29 @@ void user_read_data(png_structp png_ptr, png_bytep data, size_t length) { static const int kPngHeaderSize = 8; +extern "C" int afl_libfuzzer_init() { + return 0; +} + +static char * allocation = NULL; +__attribute__((noinline)) +void func3( char * alloc) { + printf("func3\n"); + if (random() % 5 == 0) { + alloc[0xff] = 0xde; + } +} +__attribute__((noinline)) +void func2() { + allocation = (char*)malloc(0xff); + printf("func2\n"); + func3(allocation); +} +__attribute__((noinline)) +void func1() { + printf("func1\n"); + func2(); +} // Entry point for LibFuzzer. // Roughly follows the libpng book example: // http://www.libpng.org/pub/png/book/chapter13.html @@ -87,6 +111,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { return 0; } + + func1(); + std::vector v(data, data + size); if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) { // not a PNG. diff --git a/fuzzers/frida_libpng/src/fuzzer.rs b/fuzzers/frida_libpng/src/fuzzer.rs new file mode 100644 index 0000000000..d7df2525cb --- /dev/null +++ b/fuzzers/frida_libpng/src/fuzzer.rs 
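Review bot: `func3` gates the out-of-bounds write `alloc[0xff] = 0xde` on `random() % 5 == 0`, so whether an input crashes does not depend on the input at all: a testcase saved to `./crashes` will replay the bug only one time in five, and the fuzzer will also keep flagging ASAN hits for inputs that are not interesting. Since this is a demonstration of ASAN detection, key the bug on the data instead — for example pass `data[0]` into `func1` and overflow only for one particular byte value — so that every saved crash reproduces deterministically. Separately, `func2` does `allocation = (char*)malloc(0xff);` on every execution and nothing ever frees it, which leaks across the in-process fuzz loop; add `free(allocation);` after `func3(allocation);` (the overflow is still caught at the write). `LLVMFuzzerTestOneInput`, which gains the `func1();` call in the next hunk, continues outside these hunks.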
@@ -0,0 +1,360 @@ +//! A libfuzzer-like fuzzer with llmp-multithreading support and restarts +//! The example harness is built for libpng. + +use libafl::{ + bolts::tuples::{tuple_list, Named}, + corpus::{ + ondisk::OnDiskMetadataFormat, Corpus, InMemoryCorpus, + IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, QueueCorpusScheduler, + }, + events::{setup_restarting_mgr_std, EventManager}, + executors::{ + inprocess::InProcessExecutor, timeout::TimeoutExecutor, Executor, ExitKind, HasObservers, + }, + feedbacks::{CrashFeedback, MaxMapFeedback, TimeoutFeedback}, + fuzzer::{Fuzzer, StdFuzzer}, + inputs::{HasTargetBytes, Input}, + mutators::scheduled::{havoc_mutations, StdScheduledMutator}, + mutators::token_mutations::Tokens, + observers::{HitcountsMapObserver, ObserversTuple, StdMapObserver}, + stages::mutational::StdMutationalStage, + state::{HasCorpus, HasMetadata, State}, + stats::SimpleStats, + utils::{current_nanos, StdRand}, + Error, +}; + +use frida_gum::{ + stalker::{NoneEventSink, Stalker}, + Gum, NativePointer, +}; + +use std::{env, ffi::c_void, marker::PhantomData, path::PathBuf, time::Duration}; + +use libafl_frida::{ + asan_rt::{AsanErrorsFeedback, AsanErrorsObserver, ASAN_ERRORS}, + helper::{FridaHelper, FridaInstrumentationHelper, MAP_SIZE}, + FridaOptions, +}; + +struct FridaInProcessExecutor<'a, 'b, 'c, FH, H, I, OT> +where + FH: FridaHelper<'b>, + H: FnMut(&[u8]) -> ExitKind, + I: Input + HasTargetBytes, + OT: ObserversTuple, +{ + base: TimeoutExecutor, I, OT>, + /// Frida's dynamic rewriting engine + stalker: Stalker<'a>, + /// User provided callback for instrumentation + helper: &'c mut FH, + followed: bool, + _phantom: PhantomData<&'b u8>, +} + +impl<'a, 'b, 'c, FH, H, I, OT> Executor for FridaInProcessExecutor<'a, 'b, 'c, FH, H, I, OT> +where + FH: FridaHelper<'b>, + H: FnMut(&[u8]) -> ExitKind, + I: Input + HasTargetBytes, + OT: ObserversTuple, +{ + /// Called right before exexution starts + #[inline] + fn pre_exec(&mut self, state: &mut 
S, event_mgr: &mut EM, input: &I) -> Result<(), Error> + where + EM: EventManager, + { + if self.helper.stalker_enabled() { + if !self.followed { + self.followed = true; + self.stalker + .follow_me::(self.helper.transformer(), None); + } else { + self.stalker.activate(NativePointer( + self.base.inner().harness_mut() as *mut _ as *mut c_void + )) + } + } + + self.helper.pre_exec(input); + + self.base.pre_exec(state, event_mgr, input) + } + + /// Instruct the target about the input and run + #[inline] + fn run_target(&mut self, input: &I) -> Result { + let res = self.base.run_target(input); + if unsafe { ASAN_ERRORS.is_some() && !ASAN_ERRORS.as_ref().unwrap().is_empty() } { + println!("Crashing target as it had ASAN errors"); + unsafe { + libc::raise(libc::SIGABRT); + } + } + res + } + + /// Called right after execution finished. + #[inline] + fn post_exec( + &mut self, + state: &mut S, + event_mgr: &mut EM, + input: &I, + ) -> Result<(), Error> + where + EM: EventManager, + { + if self.helper.stalker_enabled() { + self.stalker.deactivate(); + } + self.helper.post_exec(input); + self.base.post_exec(state, event_mgr, input) + } +} + +impl<'a, 'b, 'c, FH, H, I, OT> HasObservers for FridaInProcessExecutor<'a, 'b, 'c, FH, H, I, OT> +where + FH: FridaHelper<'b>, + H: FnMut(&[u8]) -> ExitKind, + I: Input + HasTargetBytes, + OT: ObserversTuple, +{ + #[inline] + fn observers(&self) -> &OT { + self.base.observers() + } + + #[inline] + fn observers_mut(&mut self) -> &mut OT { + self.base.observers_mut() + } +} + +impl<'a, 'b, 'c, FH, H, I, OT> Named for FridaInProcessExecutor<'a, 'b, 'c, FH, H, I, OT> +where + FH: FridaHelper<'b>, + H: FnMut(&[u8]) -> ExitKind, + I: Input + HasTargetBytes, + OT: ObserversTuple, +{ + fn name(&self) -> &str { + self.base.name() + } +} + +impl<'a, 'b, 'c, FH, H, I, OT> FridaInProcessExecutor<'a, 'b, 'c, FH, H, I, OT> +where + FH: FridaHelper<'b>, + H: FnMut(&[u8]) -> ExitKind, + I: Input + HasTargetBytes, + OT: ObserversTuple, +{ + pub fn new( + 
gum: &'a Gum, + base: InProcessExecutor<'a, H, I, OT>, + helper: &'c mut FH, + timeout: Duration, + ) -> Self { + let stalker = Stalker::new(gum); + + // Let's exclude the main module and libc.so at least: + //stalker.exclude(&MemoryRange::new( + //Module::find_base_address(&env::args().next().unwrap()), + //get_module_size(&env::args().next().unwrap()), + //)); + //stalker.exclude(&MemoryRange::new( + //Module::find_base_address("libc.so"), + //get_module_size("libc.so"), + //)); + + Self { + base: TimeoutExecutor::new(base, timeout), + stalker, + helper, + followed: false, + _phantom: PhantomData, + } + } +} + +/// The main fn, usually parsing parameters, and starting the fuzzer +pub fn main() { + // Registry the metadata types used in this fuzzer + // Needed only on no_std + //RegistryBuilder::register::(); + + println!( + "Workdir: {:?}", + env::current_dir().unwrap().to_string_lossy().to_string() + ); + unsafe { + fuzz( + &env::args().nth(1).expect("no module specified"), + &env::args().nth(2).expect("no symbol specified"), + env::args() + .nth(3) + .expect("no modules to instrument specified") + .split(":") + .collect(), + vec![PathBuf::from("./corpus")], + PathBuf::from("./crashes"), + 1337, + ) + .expect("An error occurred while fuzzing"); + } +} + +/// Not supported on windows right now +#[cfg(windows)] +fn fuzz( + _module_name: &str, + _symbol_name: &str, + _corpus_dirs: Vec, + _objective_dir: PathBuf, + _broker_port: u16, +) -> Result<(), ()> { + todo!("Example not supported on Windows"); +} + +/// The actual fuzzer +#[cfg(unix)] +unsafe fn fuzz( + module_name: &str, + symbol_name: &str, + modules_to_instrument: Vec<&str>, + corpus_dirs: Vec, + objective_dir: PathBuf, + broker_port: u16, +) -> Result<(), Error> { + // 'While the stats are state, they are usually used in the broker - which is likely never restarted + let stats = SimpleStats::new(|s| println!("{}", s)); + + // The restarting state will spawn the same process again as child, then restarted 
it each time it crashes. + let (state, mut restarting_mgr) = match setup_restarting_mgr_std(stats, broker_port) { + Ok(res) => res, + Err(err) => match err { + Error::ShuttingDown => { + return Ok(()); + } + _ => { + panic!("Failed to setup the restarter: {}", err); + } + }, + }; + + let gum = Gum::obtain(); + + let lib = libloading::Library::new(module_name).unwrap(); + let target_func: libloading::Symbol i32> = + lib.get(symbol_name.as_bytes()).unwrap(); + + let mut frida_harness = move |buf: &[u8]| { + (target_func)(buf.as_ptr(), buf.len()); + ExitKind::Ok + }; + + let mut frida_helper = FridaInstrumentationHelper::new( + &gum, + FridaOptions::parse_env_options(), + module_name, + &modules_to_instrument, + ); + + // Create an observation channel using the coverage map + let edges_observer = HitcountsMapObserver::new(StdMapObserver::new_from_ptr( + "edges", + frida_helper.map_ptr(), + MAP_SIZE, + )); + + // If not restarting, create a State from scratch + let mut state = state.unwrap_or_else(|| { + State::new( + // RNG + StdRand::with_seed(current_nanos()), + // Corpus that will be evolved, we keep it in memory for performance + InMemoryCorpus::new(), + // Feedbacks to rate the interestingness of an input + tuple_list!(MaxMapFeedback::new_with_observer_track( + &edges_observer, + true, + false + )), + // Corpus in which we store solutions (crashes in this example), + // on disk so the user can get them after stopping the fuzzer + OnDiskCorpus::new_save_meta(objective_dir, Some(OnDiskMetadataFormat::JsonPretty)) + .unwrap(), + // Feedbacks to recognize an input as solution + tuple_list!( + CrashFeedback::new(), + TimeoutFeedback::new(), + AsanErrorsFeedback::new() + ), + ) + }); + + println!("We're a client, let's fuzz :)"); + + // Create a PNG dictionary if not existing + if state.metadata().get::().is_none() { + state.add_metadata(Tokens::new(vec![ + vec![137, 80, 78, 71, 13, 10, 26, 10], // PNG header + b"IHDR".to_vec(), + b"IDAT".to_vec(), + b"PLTE".to_vec(), 
+ b"IEND".to_vec(), + ])); + } + + // Setup a basic mutator with a mutational stage + let mutator = StdScheduledMutator::new(havoc_mutations()); + let stage = StdMutationalStage::new(mutator); + + // A fuzzer with just one stage and a minimization+queue policy to get testcasess from the corpus + let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new()); + let mut fuzzer = StdFuzzer::new(tuple_list!(stage)); + + frida_helper.register_thread(); + + // Create the executor for an in-process function with just one observer for edge coverage + let mut executor = FridaInProcessExecutor::new( + &gum, + InProcessExecutor::new( + "in-process(edges)", + &mut frida_harness, + tuple_list!(edges_observer, AsanErrorsObserver::new(&ASAN_ERRORS)), + &mut state, + &mut restarting_mgr, + )?, + &mut frida_helper, + Duration::new(10, 0), + ); + // Let's exclude the main module and libc.so at least: + //executor.stalker.exclude(&MemoryRange::new( + //Module::find_base_address(&env::args().next().unwrap()), + //get_module_size(&env::args().next().unwrap()), + //)); + //executor.stalker.exclude(&MemoryRange::new( + //Module::find_base_address("libc.so"), + //get_module_size("libc.so"), + //)); + + // In case the corpus is empty (on first run), reset + if state.corpus().count() < 1 { + state + .load_initial_inputs(&mut executor, &mut restarting_mgr, &scheduler, &corpus_dirs) + .expect(&format!( + "Failed to load initial corpus at {:?}", + &corpus_dirs + )); + println!("We imported {} inputs from disk.", state.corpus().count()); + } + + fuzzer.fuzz_loop(&mut state, &mut executor, &mut restarting_mgr, &scheduler)?; + + // Never reached + Ok(()) +} diff --git a/fuzzers/frida_libpng/src/main.rs b/fuzzers/frida_libpng/src/main.rs new file mode 100644 index 0000000000..ae199821eb --- /dev/null +++ b/fuzzers/frida_libpng/src/main.rs 
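Review bot: The `#[cfg(windows)] fn fuzz` stub declares five parameters, but `main` calls `fuzz` with six (it also passes the `modules_to_instrument` list) and the `#[cfg(unix)]` version takes six, so the Windows cfg does not type-check against its own caller; this is only masked because `main.rs` compiles the module under `#[cfg(unix)]`. Either add `_modules_to_instrument: Vec<&str>,` to the stub and return `Result<(), Error>` like the unix version, or drop the stub and rely on the cfg in `main.rs`. `fuzz` is an `unsafe fn` with no `# Safety` section; document what the caller must guarantee — presumably that `symbol_name` in `module_name` really has the `(const uint8_t*, size_t) -> int` shape the `Symbol` appears to be cast to, since it is then called with no further check. Minor: `split(":")` → `split(':')` and `Duration::new(10, 0)` → `Duration::from_secs(10)`.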
@@ -0,0 +1,10 @@ +#[cfg(unix)] +mod fuzzer; +#[cfg(unix)] +pub fn main() { + fuzzer::main(); +} +#[cfg(not(unix))] +pub fn main() { + todo!("Frida not yet supported on this OS."); +} diff --git a/fuzzers/libfuzzer_libmozjpeg/.gitignore b/fuzzers/libfuzzer_libmozjpeg/.gitignore index 335ec9573d..377532b6d2 100644 --- a/fuzzers/libfuzzer_libmozjpeg/.gitignore +++ b/fuzzers/libfuzzer_libmozjpeg/.gitignore @@ -1 +1,2 @@ -*.tar.gz +*.tar.gz* +mozjpeg-4.0.3 \ No newline at end of file diff --git a/fuzzers/libfuzzer_libmozjpeg/Cargo.toml b/fuzzers/libfuzzer_libmozjpeg/Cargo.toml index ede0d941fc..76658ebb41 100644 --- a/fuzzers/libfuzzer_libmozjpeg/Cargo.toml +++ b/fuzzers/libfuzzer_libmozjpeg/Cargo.toml @@ -1,31 +1,29 @@ [package] name = "libfuzzer_libmozjpeg" version = "0.1.0" -authors = ["Marcin Kozlowski "] +authors = ["Andrea Fioraldi ", "Dominik Maier "] edition = "2018" -build = "build.rs" - -# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [features] default = ["std"] std = [] -#[profile.release] -#lto = true -#codegen-units = 1 -#opt-level = 3 -#debug = true +[profile.release] +lto = true +codegen-units = 1 +opt-level = 3 +debug = true + +[dependencies] +libafl = { path = "../../libafl/" } +libafl_targets = { path = "../../libafl_targets/", features = ["pcguard_edges", "value_profile", "libfuzzer"] } +# TODO Include it only when building cc +libafl_cc = { path = "../../libafl_cc/" } [build-dependencies] cc = { version = "1.0", features = ["parallel"] } num_cpus = "1.0" -[dependencies] -libafl = { path = "../../libafl/" } - -[[example]] +[lib] name = "libfuzzer_libmozjpeg" -path = "./src/fuzzer.rs" -test = false -bench = false +crate-type = ["staticlib"] diff --git a/fuzzers/libfuzzer_libmozjpeg/README.md b/fuzzers/libfuzzer_libmozjpeg/README.md index 931138306c..826af53365 100644 --- a/fuzzers/libfuzzer_libmozjpeg/README.md +++ b/fuzzers/libfuzzer_libmozjpeg/README.md 
@@ -1,14 +1,39 @@ # Libfuzzer for libmozjpeg This folder contains an example fuzzer for libmozjpeg, using LLMP for fast multi-process fuzzing and crash detection. +Alongside the traditional edge coverage, this example shows how to use a value-profile like feedback to bypass CMPs and an allocations size maximization feedback to spot patological inputs in terms of memory usage. It has been tested on Linux. ## Build -To build this example, run `cargo build --example libfuzzer_libmozjpeg --release`. -This will call (the build.rs)[./builld.rs], which in turn downloads a libmozjpeg archive from the web. -Then, it will link (the fuzzer)[./src/fuzzer.rs] against (the c++ harness)[./harness.cc] and the instrumented `libmozjpeg`. -Afterwards, the fuzzer will be ready to run, from `../../target/examples/libfuzzer_libmozjpeg`. +To build this example, run `cargo build --release`. +This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer. the SanitizerCoverage runtime functions for edges and value-profile feedbacks and the `hook_allocs.c` C file that hooks the allocator to report the size to the fuzzer. +In addition, it will build also two C and C++ compiler wrappers (bin/c(c/xx).rs) that you must use to compile the target. + +Then download the mozjpeg source tarball from and unpack the archive: +```bash +wget https://github.com/mozilla/mozjpeg/archive/v4.0.3.tar.gz +tar -xzvf v4.0.3.tar.gz +``` + +Now compile it with: + +``` +cd mozjpeg-4.0.3 +cmake --disable-shared . -DCMAKE_C_COMPILER=$(realpath ../target/release/libafl_cc) -DCMAKE_CXX_COMPILER=$(realpath ../target/release/libafl_cxx) -G "Unix Makefiles" +make -j `nproc` +cd .. +``` + +Now, we have to build the libfuzzer harness and link all together to create our fuzzer binary. + +``` +./target/debug/cxx ./harness.cc ./mozjpeg-4.0.3/*.a -I ./mozjpeg-4.0.3/ -o fuzzer_mozjpeg +``` + +Afterward, the fuzzer will be ready to run by simply executing `./fuzzer_mozjpeg`. 
+Note that, unless you use the `launcher`, you will have to run the binary multiple times to actually start the fuzz process, see `Run` in the following. +This allows you to run multiple different builds of the same fuzzer alongside, for example, with and without ASAN (`-fsanitize=address`) or with different mutators. ## Run @@ -19,10 +44,4 @@ As this example uses in-process fuzzing, we added a Restarting Event Manager (`s This means each client will start itself again to listen for crashes and timeouts. By restarting the actual fuzzer, it can recover from these exit conditions. -For convenience, you may just run `./test.sh` in this folder or: - -broker.sh - starts the broker -start.sh - starts as many clients as there are cores -stop.sh - stop everything - - +In any real-world scenario, you should use `taskset` to pin each client to an empty CPU core, the lib does not pick an empty core automatically, unless you use the `launcher`. diff --git a/fuzzers/libfuzzer_libmozjpeg/broker.sh b/fuzzers/libfuzzer_libmozjpeg/broker.sh deleted file mode 100755 index bbe5b82ae6..0000000000 --- a/fuzzers/libfuzzer_libmozjpeg/broker.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -taskset -c 0 ./.libfuzzer_test.elf - diff --git a/fuzzers/libfuzzer_libmozjpeg/build.rs b/fuzzers/libfuzzer_libmozjpeg/build.rs index 96f09a9db0..e3961e1e56 100644 --- a/fuzzers/libfuzzer_libmozjpeg/build.rs +++ b/fuzzers/libfuzzer_libmozjpeg/build.rs 
@@ -1,119 +1,21 @@ // build.rs -use std::{ - env, - path::Path, - process::{exit, Command}, -}; - -const LIBMOZJPEG_URL: &str = "https://github.com/mozilla/mozjpeg/archive/v4.0.3.tar.gz"; +use std::env; fn main() { - if cfg!(windows) { - println!("cargo:warning=Skipping libmozjpeg example on Windows"); - exit(0); - } - let out_dir = env::var_os("OUT_DIR").unwrap(); - let cwd = env::current_dir().unwrap().to_string_lossy().to_string(); let out_dir = out_dir.to_string_lossy().to_string(); - let out_dir_path = Path::new(&out_dir); - println!("cargo:rerun-if-changed=./runtime/rt.c",); - println!("cargo:rerun-if-changed=harness.cc"); - - let libmozjpeg = format!("{}/mozjpeg-4.0.3", &out_dir); - let libmozjpeg_path = Path::new(&libmozjpeg); - let libmozjpeg_tar = format!("{}/v4.0.3.tar.gz", &cwd); - - // Enforce clang for its -fsanitize-coverage support. - std::env::set_var("CC", "clang"); - std::env::set_var("CXX", "clang++"); - - if !libmozjpeg_path.is_dir() { - if !Path::new(&libmozjpeg_tar).is_file() { - println!("cargo:warning=Libmozjpeg not found, downloading..."); - // Download libmozjpeg - Command::new("wget") - .arg("-c") - .arg(LIBMOZJPEG_URL) - .arg("-O") - .arg(&libmozjpeg_tar) - .status() - .unwrap(); - } - Command::new("tar") - .current_dir(&out_dir_path) - .arg("-xvf") - .arg(&libmozjpeg_tar) - .status() - .unwrap(); - Command::new(format!("{}/cmake", &libmozjpeg)) - .current_dir(&out_dir_path) - .args(&[ - "-G\"Unix Makefiles\"", - "--disable-shared", - &libmozjpeg, - "CC=clang", - "CFLAGS=-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - "LDFLAGS=-g -fPIE -fsanitize-coverage=trace-pc-guard", - ]) - .env("CC", "clang") - .env("CXX", "clang++") - .env( - "CFLAGS", - "-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - ) - .env( - "CXXFLAGS", - "-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - ) - .env("LDFLAGS", "-g -fPIE -fsanitize-coverage=trace-pc-guard"); - Command::new("make") - 
.current_dir(&libmozjpeg_path) - //.arg(&format!("-j{}", num_cpus::get())) - .args(&[ - "CC=clang", - "CXX=clang++", - "CFLAGS=-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - "LDFLAGS=-g -fPIE -fsanitize-coverage=trace-pc-guard", - "CXXFLAGS=-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - ]) - .env("CC", "clang") - .env("CXX", "clang++") - .env( - "CFLAGS", - "-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - ) - .env( - "CXXFLAGS", - "-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - ) - .env("LDFLAGS", "-g -fPIE -fsanitize-coverage=trace-pc-guard") - .status() - .unwrap(); - } + println!("cargo:rerun-if-changed=harness.c"); cc::Build::new() - .file("../libfuzzer_runtime/rt.c") - .compile("libfuzzer-sys"); - - cc::Build::new() - .include(&libmozjpeg_path) - .flag("-fsanitize-coverage=trace-pc-guard") - .file("./harness.cc") - .compile("libfuzzer-harness"); + // Use sanitizer coverage to track the edges in the PUT + // Take advantage of LTO (needs lld-link set in your cargo config) + //.flag("-flto=thin") + .file("./hook_allocs.c") + .compile("hook_allocs"); println!("cargo:rustc-link-search=native={}", &out_dir); - println!("cargo:rustc-link-search=native={}/", &libmozjpeg); - println!("cargo:rustc-link-lib=static=jpeg"); - - //Deps for libmozjpeg: -pthread -lz -lm - println!("cargo:rustc-link-lib=dylib=m"); - println!("cargo:rustc-link-lib=dylib=z"); - - //For the C++ harness - println!("cargo:rustc-link-lib=static=stdc++"); println!("cargo:rerun-if-changed=build.rs"); } diff --git a/fuzzers/libfuzzer_libmozjpeg/hook_allocs.c b/fuzzers/libfuzzer_libmozjpeg/hook_allocs.c new file mode 100644 index 0000000000..62ab077570 --- /dev/null +++ b/fuzzers/libfuzzer_libmozjpeg/hook_allocs.c 
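Review bot: `println!("cargo:rerun-if-changed=harness.c")` names a file this build script no longer compiles (the README in this change refers to the harness as `harness.cc`, built by hand), while the one source it does compile, `hook_allocs.c`, has no rerun trigger, so edits to the allocator hook will not rebuild the static lib. Change it to `println!("cargo:rerun-if-changed=hook_allocs.c");`. The comment `// Use sanitizer coverage to track the edges in the PUT` sits above a commented-out `-flto=thin` and describes nothing this `cc::Build` does (coverage instrumentation now comes from the `libafl_cc` wrappers); replace it with `// Build the allocator hook that reports allocation sizes to the fuzzer.` and drop the dead flag.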
@@ -0,0 +1,62 @@ +#include +#include +#include + +#define MAP_SIZE (16*1024) + +#ifdef _WIN32 +#define posix_memalign(p, a, s) (((*(p)) = _aligned_malloc((s), (a))), *(p) ?0 :errno) +#define RETADDR (uintptr_t)_ReturnAddress() +#else +#define RETADDR (uintptr_t)__builtin_return_address(0) +#endif + +#ifdef __GNUC__ +#define MAX(a, b) \ + ({ \ + \ + __typeof__(a) _a = (a); \ + __typeof__(b) _b = (b); \ + _a > _b ? _a : _b; \ + \ + }) +#else +#define MAX(a, b) (((a) > (b)) ? (a) : (b)) +#endif + +size_t libafl_alloc_map[MAP_SIZE]; + +void *malloc(size_t size) { + + uintptr_t k = RETADDR; + k = (k >> 4) ^ (k << 8); + k &= MAP_SIZE - 1; + libafl_alloc_map[k] = MAX(libafl_alloc_map[k], size); + + // We cannot malloc in malloc. + // Hence, even realloc(NULL, size) would loop in an optimized build. + // We fall back to a stricter allocation function. Fingers crossed. + void *ret = NULL; + if (posix_memalign(&ret, 1<<6, size) != 0) { + return NULL; + } + return ret; + +} + +void *calloc(size_t nmemb, size_t size) { + + size *= nmemb; + + uintptr_t k = RETADDR; + k = (k >> 4) ^ (k << 8); + k &= MAP_SIZE - 1; + libafl_alloc_map[k] = MAX(libafl_alloc_map[k], size); + + void *ret = NULL; + if (posix_memalign(&ret, 1<<6, size) != 0) { + return NULL; + }; + return ret; + +} diff --git a/fuzzers/libfuzzer_libmozjpeg/jpeg.tkns b/fuzzers/libfuzzer_libmozjpeg/jpeg.dict similarity index 100% rename from fuzzers/libfuzzer_libmozjpeg/jpeg.tkns rename to fuzzers/libfuzzer_libmozjpeg/jpeg.dict diff --git a/fuzzers/libfuzzer_libmozjpeg/src/bin/libafl_cc.rs b/fuzzers/libfuzzer_libmozjpeg/src/bin/libafl_cc.rs new file mode 100644 index 0000000000..8bc7675165 --- /dev/null +++ b/fuzzers/libfuzzer_libmozjpeg/src/bin/libafl_cc.rs 
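Review bot: `calloc` returns memory that is not zeroed, because `posix_memalign` makes no zeroing guarantee and nothing clears `ret` before it is returned, and `size *= nmemb;` can wrap silently, handing back an under-sized block that the caller believes holds `nmemb * size` bytes; both break code that relies on standard `calloc` semantics and would surface as nondeterministic crashes that are artifacts of the hook rather than of the target. I would reject a wrapping product up front and clear the block after a successful allocation, as below (`SIZE_MAX` and `memset` need `stdint.h` and `string.h`; the include names are lost on this page, so confirm they are present). Separately, on the `_WIN32` path `posix_memalign` is mapped to `_aligned_malloc`, whose blocks must be released with `_aligned_free`, and since `free` is not interposed here I would expect the target's `free` calls to reach the wrong allocator on Windows — worth confirming before that configuration is advertised.
```c
void *calloc(size_t nmemb, size_t size) {

  // Reject a product that would wrap; a wrapped size silently under-allocates.
  if (nmemb != 0 && size > SIZE_MAX / nmemb) {
    return NULL;
  }
  size *= nmemb;

  // … unchanged: return-address hashing into libafl_alloc_map …

  void *ret = NULL;
  if (posix_memalign(&ret, 1<<6, size) != 0) {
    return NULL;
  }
  // calloc must hand back zeroed memory; posix_memalign does not clear it.
  memset(ret, 0, size);
  return ret;

}
```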
@@ -0,0 +1,33 @@
+use libafl_cc::{ClangWrapper, CompilerWrapper, LIB_EXT, LIB_PREFIX};
+use std::env;
+
+fn main() {
+ let args: Vec = env::args().collect();
+ if args.len() > 1 {
+ let mut dir = env::current_exe().unwrap();
+ dir.pop();
+
+ let mut cc = ClangWrapper::new("clang", "clang++");
+ cc.from_args(&args)
+ .unwrap()
+ .add_arg("-fsanitize-coverage=trace-pc-guard,trace-cmp".into())
+ .unwrap()
+ .add_arg("-fPIC".into())
+ .unwrap()
+ .add_link_arg(
+ dir.join(format!("{}libfuzzer_libmozjpeg.{}", LIB_PREFIX, LIB_EXT))
+ .display()
+ .to_string(),
+ )
+ .unwrap();
+ // Libraries needed by libafl on Windows
+ #[cfg(windows)]
+ cc.add_link_arg("-lws2_32".into())
+ .unwrap()
+ .add_link_arg("-lBcrypt".into())
+ .unwrap()
+ .add_link_arg("-lAdvapi32".into())
+ .unwrap();
+ cc.run().unwrap();
+ }
+}
diff --git a/fuzzers/libfuzzer_libmozjpeg/src/bin/libafl_cxx.rs b/fuzzers/libfuzzer_libmozjpeg/src/bin/libafl_cxx.rs
new file mode 100644
index 0000000000..164de2fb7a
--- /dev/null
+++ b/fuzzers/libfuzzer_libmozjpeg/src/bin/libafl_cxx.rs
@@ -0,0 +1,34 @@
+use libafl_cc::{ClangWrapper, CompilerWrapper, LIB_EXT, LIB_PREFIX};
+use std::env;
+
+fn main() {
+ let args: Vec = env::args().collect();
+ if args.len() > 1 {
+ let mut dir = env::current_exe().unwrap();
+ dir.pop();
+
+ let mut cc = ClangWrapper::new("clang", "clang++");
+ cc.is_cpp()
+ .from_args(&args)
+ .unwrap()
+ .add_arg("-fsanitize-coverage=trace-pc-guard,trace-cmp".into())
+ .unwrap()
+ .add_arg("-fPIC".into())
+ .unwrap()
+ .add_link_arg(
+ dir.join(format!("{}libfuzzer_libmozjpeg.{}", LIB_PREFIX, LIB_EXT))
+ .display()
+ .to_string(),
+ )
+ .unwrap();
+ // Libraries needed by libafl on Windows
+ #[cfg(windows)]
+ cc.add_link_arg("-lws2_32".into())
+ .unwrap()
+ .add_link_arg("-lBcrypt".into())
+ .unwrap()
+ .add_link_arg("-lAdvapi32".into())
+ .unwrap();
+ cc.run().unwrap();
+ }
+}
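Review bot: When invoked with no arguments (`args.len() > 1` false) both wrappers on this line, `libafl_cc.rs` and `libafl_cxx.rs`, exit silently with status 0, whereas the libpng wrappers added in the same commit fail with `LibAFL CC: No Arguments given`; a build system probing the compiler then sees a "successful" no-op, which is hard to diagnose. Add an `else` branch that reports the problem and fails, e.g. `} else { eprintln!("LibAFL CC: No Arguments given"); std::process::exit(1); }`. The two files differ only by the `.is_cpp()` call, so the shared body could live in one helper, but that is a larger refactor than this commit needs.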
diff --git a/fuzzers/libfuzzer_libmozjpeg/src/fuzzer.rs b/fuzzers/libfuzzer_libmozjpeg/src/lib.rs
similarity index 56%
rename from fuzzers/libfuzzer_libmozjpeg/src/fuzzer.rs
rename to fuzzers/libfuzzer_libmozjpeg/src/lib.rs
index ffbbcdfa78..c3e99c2dac 100644
--- a/fuzzers/libfuzzer_libmozjpeg/src/fuzzer.rs
+++ b/fuzzers/libfuzzer_libmozjpeg/src/lib.rs
@@ -3,16 +3,14 @@ use std::{env, path::PathBuf};
-#[cfg(unix)]
 use libafl::{
- bolts::{shmem::UnixShMem, tuples::tuple_list},
+ bolts::tuples::tuple_list,
 corpus::{Corpus, InMemoryCorpus, OnDiskCorpus, RandCorpusScheduler},
- events::setup_restarting_mgr,
- executors::{inprocess::InProcessExecutor, Executor, ExitKind},
+ events::setup_restarting_mgr_std,
+ executors::{inprocess::InProcessExecutor, ExitKind},
 feedbacks::{CrashFeedback, MaxMapFeedback},
- fuzzer::{Fuzzer, HasCorpusScheduler, StdFuzzer},
- inputs::Input,
- mutators::scheduled::HavocBytesMutator,
+ fuzzer::{Fuzzer, StdFuzzer},
+ mutators::scheduled::{havoc_mutations, StdScheduledMutator},
 mutators::token_mutations::Tokens,
 observers::StdMapObserver,
 stages::mutational::StdMutationalStage,
@@ -22,35 +20,17 @@ use libafl::{
 Error,
 };
-/// We will interact with a C++ target, so use external c functionality
-#[cfg(unix)]
+use libafl_targets::{
+ libfuzzer_initialize, libfuzzer_test_one_input, CMP_MAP, CMP_MAP_SIZE, EDGES_MAP, MAX_EDGES_NUM,
+};
+
+const ALLOC_MAP_SIZE: usize = 16 * 1024;
 extern "C" {
- /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
- fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32;
-
- // afl_libfuzzer_init calls LLVMFUzzerInitialize()
- fn afl_libfuzzer_init() -> i32;
-
- static __lafl_edges_map: *mut u8;
- static __lafl_cmp_map: *mut u8;
- static __lafl_max_edges_size: u32;
-}
-
-/// The wrapped harness function, calling out to the LLVM-style harness
-#[cfg(unix)]
-fn harness(_executor: &E, buf: &[u8]) -> ExitKind
-where
- E: Executor,
- I: Input,
-{
- // println!("{:?}", buf);
- unsafe {
- LLVMFuzzerTestOneInput(buf.as_ptr(), buf.len());
- }
- ExitKind::Ok
+ static mut libafl_alloc_map: [usize; ALLOC_MAP_SIZE];
 }
 /// The main fn, usually parsing parameters, and starting the fuzzer
+#[no_mangle]
 pub fn main() {
 // Registry the metadata types used in this fuzzer
 // Needed only on no_std
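Review bot: `const ALLOC_MAP_SIZE: usize = 16 * 1024;` re-states the `MAP_SIZE` of the C array `libafl_alloc_map` defined in `hook_allocs.c`, and the declaration `static mut libafl_alloc_map: [usize; ALLOC_MAP_SIZE];` inside `extern "C"` is accepted by the linker without any length check, so if either side changes the Rust observer reads past the end of the C array. At minimum the constant should carry `// Must match MAP_SIZE in hook_allocs.c; the linker does not verify the extern array's length`, and a more robust option is to export the size from C as a symbol and read it from Rust instead of duplicating the value.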
@@ -68,27 +48,25 @@ pub fn main() {
 .expect("An error occurred while fuzzing");
 }
-/// Not supported on windows right now
-#[cfg(windows)]
-fn fuzz(_corpus_dirs: Vec, _objective_dir: PathBuf, _broker_port: u16) -> Result<(), ()> {
- todo!("Example not supported on Windows");
-}
-
 /// The actual fuzzer
-#[cfg(unix)]
 fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) -> Result<(), Error> {
 // 'While the stats are state, they are usually used in the broker - which is likely never restarted
 let stats = SimpleStats::new(|s| println!("{}", s));
 // The restarting state will spawn the same process again as child, then restarted it each time it crashes.
 let (state, mut restarting_mgr) =
- setup_restarting_mgr::<_, _, UnixShMem, _>(stats, broker_port)
- .expect("Failed to setup the restarter".into());
+ setup_restarting_mgr_std(stats, broker_port).expect("Failed to setup the restarter".into());
 // Create an observation channel using the coverage map
- let edges_observer = unsafe {
- StdMapObserver::new_from_ptr("edges", __lafl_edges_map, __lafl_max_edges_size as usize)
- };
+ let edges_observer =
+ StdMapObserver::new("edges", unsafe { &mut EDGES_MAP }, unsafe { MAX_EDGES_NUM });
+
+ // Create an observation channel using the cmp map
+ let cmps_observer = StdMapObserver::new("cmps", unsafe { &mut CMP_MAP }, CMP_MAP_SIZE);
+
+ // Create an observation channel using the allocations map
+ let allocs_observer =
+ StdMapObserver::new("allocs", unsafe { &mut libafl_alloc_map }, ALLOC_MAP_SIZE);
 // If not restarting, create a State from scratch
 let mut state = state.unwrap_or_else(|| {
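Review bot: `setup_restarting_mgr_std(stats, broker_port).expect("Failed to setup the restarter".into())` panics on every error, including `Error::ShuttingDown`, which the libpng example in this same commit handles separately by returning `Ok(())`; if the restarting manager signals a regular shutdown that way, the mozjpeg client ends with a panic banner and a non-zero exit instead of a clean stop, so the same `match` as in libpng presumably belongs here. The `.into()` on the `&str` message is a no-op conversion and can be dropped. The enclosing `fuzz` function continues past this hunk.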
@@ -98,7 +76,11 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) ->
 // Corpus that will be evolved, we keep it in memory for performance
 InMemoryCorpus::new(),
 // Feedbacks to rate the interestingness of an input
- tuple_list!(MaxMapFeedback::new_with_observer(&edges_observer)),
+ tuple_list!(
+ MaxMapFeedback::new_with_observer(&edges_observer),
+ MaxMapFeedback::new_with_observer(&cmps_observer),
+ MaxMapFeedback::new_with_observer(&allocs_observer)
+ ),
 // Corpus in which we store solutions (crashes in this example),
 // on disk so the user can get them after stopping the fuzzer
 OnDiskCorpus::new(objective_dir).unwrap(),
@@ -111,42 +93,44 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) -> // Add the JPEG tokens if not existing if state.metadata().get::().is_none() { - state.add_metadata(Tokens::from_tokens_file("./jpeg.tkns")?); + state.add_metadata(Tokens::from_tokens_file("./jpeg.dict")?); } // Setup a basic mutator with a mutational stage - let mutator = HavocBytesMutator::default(); + let mutator = StdScheduledMutator::new(havoc_mutations()); let stage = StdMutationalStage::new(mutator); - // A fuzzer with just one stage and a random policy to get testcasess from the corpus - let fuzzer = StdFuzzer::new(RandCorpusScheduler::new(), tuple_list!(stage)); + // A random policy to get testcasess from the corpus + let scheduler = RandCorpusScheduler::new(); + // A fuzzer with just one stage + let mut fuzzer = StdFuzzer::new(tuple_list!(stage)); - // Create the executor for an in-process function with just one observer for edge coverage + // The wrapped harness function, calling out to the LLVM-style harness + let mut harness = |buf: &[u8]| { + libfuzzer_test_one_input(buf); + ExitKind::Ok + }; + + // Create the executor for an in-process function with observers for edge coverage, value-profile and allocations sizes let mut executor = InProcessExecutor::new( - "in-process(edges)", - harness, - tuple_list!(edges_observer), + "in-process(edges,cmp,alloc)", + &mut harness, + tuple_list!(edges_observer, cmps_observer, allocs_observer), &mut state, &mut restarting_mgr, )?; // The actual target run starts here. // Call LLVMFUzzerInitialize() if present. 
- unsafe { - if afl_libfuzzer_init() == -1 { - println!("Warning: LLVMFuzzerInitialize failed with -1") - } + let args: Vec = env::args().collect(); + if libfuzzer_initialize(&args) == -1 { + println!("Warning: LLVMFuzzerInitialize failed with -1") } // In case the corpus is empty (on first run), reset if state.corpus().count() < 1 { state - .load_initial_inputs( - &mut executor, - &mut restarting_mgr, - fuzzer.scheduler(), - &corpus_dirs, - ) + .load_initial_inputs(&mut executor, &mut restarting_mgr, &scheduler, &corpus_dirs) .expect(&format!( "Failed to load initial corpus at {:?}", &corpus_dirs @@ -154,7 +138,7 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) -> println!("We imported {} inputs from disk.", state.corpus().count()); } - fuzzer.fuzz_loop(&mut state, &mut executor, &mut restarting_mgr)?; + fuzzer.fuzz_loop(&mut state, &mut executor, &mut restarting_mgr, &scheduler)?; // Never reached Ok(()) diff --git a/fuzzers/libfuzzer_libmozjpeg/start.sh b/fuzzers/libfuzzer_libmozjpeg/start.sh deleted file mode 100755 index 9e0b74d5de..0000000000 --- a/fuzzers/libfuzzer_libmozjpeg/start.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash -cores=$(grep -c ^processor /proc/cpuinfo) -for (( c=1;c<$cores;c++)) -do - echo $c - taskset -c $c ./.libfuzzer_test.elf 2>/dev/null & - sleep 0.1 -done - diff --git a/fuzzers/libfuzzer_libmozjpeg/stop.sh b/fuzzers/libfuzzer_libmozjpeg/stop.sh deleted file mode 100755 index a97094121b..0000000000 --- a/fuzzers/libfuzzer_libmozjpeg/stop.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -killall -9 .libfuzzer_test.elf diff --git a/fuzzers/libfuzzer_libmozjpeg/test.sh b/fuzzers/libfuzzer_libmozjpeg/test.sh deleted file mode 100755 index 55df5cee43..0000000000 --- a/fuzzers/libfuzzer_libmozjpeg/test.sh +++ /dev/null 
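Review bot: `.expect(&format!("Failed to load initial corpus at {:?}", &corpus_dirs))` builds the message on every call, even on the success path (clippy's `expect_fun_call`); the lazy form `.unwrap_or_else(|e| panic!("Failed to load initial corpus at {:?}: {:?}", &corpus_dirs, e))` formats only on failure and still carries the underlying error. The same pattern is kept in the libpng `lib.rs` hunk at `@@ -158,21 +132,15 @@`. The enclosing `fuzz` function starts before this hunk and continues after it.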
@@ -1,17 +0,0 @@ -#!/bin/sh - -mkdir -p ./crashes - -cargo build --example libfuzzer_libmozjpeg --release || exit 1 -cp ../../target/release/examples/libfuzzer_libmozjpeg ./.libfuzzer_test.elf - -# The broker -RUST_BACKTRACE=full taskset -c 0 ./.libfuzzer_test.elf & -# Give the broker time to spawn -sleep 2 -echo "Spawning client" -# The 1st fuzzer client, pin to cpu 0x1 -RUST_BACKTRACE=full taskset -c 1 ./.libfuzzer_test.elf 2>/dev/null - -killall .libfuzzer_test.elf -rm -rf ./.libfuzzer_test.elf diff --git a/fuzzers/libfuzzer_libpng/Cargo.toml b/fuzzers/libfuzzer_libpng/Cargo.toml index 7c0615cfd0..589fc6bb6b 100644 --- a/fuzzers/libfuzzer_libpng/Cargo.toml +++ b/fuzzers/libfuzzer_libpng/Cargo.toml @@ -3,9 +3,6 @@ name = "libfuzzer_libpng" version = "0.1.0" authors = ["Andrea Fioraldi ", "Dominik Maier "] edition = "2018" -build = "build.rs" - -# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [features] default = ["std"] @@ -19,13 +16,15 @@ std = [] [build-dependencies] cc = { version = "1.0", features = ["parallel"] } +which = { version = "4.0.2" } num_cpus = "1.0" [dependencies] libafl = { path = "../../libafl/" } +libafl_targets = { path = "../../libafl_targets/", features = ["pcguard_hitcounts", "libfuzzer"] } +# TODO Include it only when building cc +libafl_cc = { path = "../../libafl_cc/" } -[[example]] +[lib] name = "libfuzzer_libpng" -path = "./src/fuzzer.rs" -test = false -bench = false +crate-type = ["staticlib"] diff --git a/fuzzers/libfuzzer_libpng/README.md b/fuzzers/libfuzzer_libpng/README.md index f56138c2b5..922667e8fe 100644 --- a/fuzzers/libfuzzer_libpng/README.md +++ b/fuzzers/libfuzzer_libpng/README.md 
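Review bot: The `[build-dependencies]` table of `fuzzers/libfuzzer_libpng/Cargo.toml` gains `which = { version = "4.0.2" }` and keeps `num_cpus`, yet the explicit `build = "build.rs"` key is removed in the same hunk and no libpng `build.rs` change appears in this diff; if that package no longer ships a build script both entries are compiled for nothing, and if it does, `which` should be used there — confirm which case applies and drop what is unused. `libafl_cc` is also pulled into `[dependencies]` of the `staticlib` with a `# TODO Include it only when building cc` note; a `[[bin]]` target with `required-features` is the usual way to keep a compiler-wrapper crate out of the fuzzer library itself.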
@@ -1,25 +1,79 @@ # Libfuzzer for libpng This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection. -To show off crash detection, we added a ud2 instruction to the harness, edit harness.cc if you want a non-crashing example. + +In contrast to other fuzzer examples, this setup uses `fuzz_loop_for`, to occasionally respawn the fuzzer executor. +While this costs performance, it can be useful for targets with memory leaks or other instabilities. +If your target is really instable, however, consider exchanging the `InProcessExecutor` for a `ForkserverExecutor` instead. + +To show off crash detection, we added a `ud2` instruction to the harness, edit harness.cc if you want a non-crashing example. It has been tested on Linux. ## Build -To build this example, run `cargo build --example libfuzzer_libpng --release`. -This will call (the build.rs)[./builld.rs], which in turn downloads a libpng archive from the web. -Then, it will link (the fuzzer)[./src/fuzzer.rs] against (the C++ harness)[./harness.cc] and the instrumented `libpng`. -Afterwards, the fuzzer will be ready to run, from `../../target/examples/libfuzzer_libpng`. +To build this example, run + +```bash +cargo build --release +``` + +This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback. +In addition, it will also build two C and C++ compiler wrappers (bin/libafl_c(libafl_c/xx).rs) that you must use to compile the target. + +The compiler wrappers, `libafl_cc` and libafl_cxx`, will end up in `./target/release/` (or `./target/debug`, in case you did not build with the `--release` flag). 
+ +Then download libpng, and unpack the archive: +```bash +wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz +tar -xvf libpng-1.6.37.tar.xz +``` + +Now compile libpng, using the libafl_cc compiler wrapper: + +```bash +cd libpng-1.6.37 +./configure +make CC=$(realpath ../target/release/libafl_cc) CXX=$(realpath ../target/release/libafl_cxx) -j `nproc` +``` + +You can find the static lib at `libpng-1.6.37/.libs/libpng16.a`. + +Now, we have to build the libfuzzer harness and link all together to create our fuzzer binary. + +``` +cd .. +./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm +``` + +Afterward, the fuzzer will be ready to run. +Note that, unless you use the `launcher`, you will have to run the binary multiple times to actually start the fuzz process, see `Run` in the following. +This allows you to run multiple different builds of the same fuzzer alongside, for example, with and without ASAN (`-fsanitize=address`) or with different mutators. ## Run -The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. +The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. Currently you must run the clients from the libfuzzer_libpng directory for them to be able to access the PNG corpus. + +``` +./fuzzer_libpng + +[libafl/src/bolts/llmp.rs:407] "We're the broker" = "We\'re the broker" +Doing broker things. Run this tool again to start fuzzing in a client. 
+``` + +And after running the above again in a separate terminal: + +``` +[libafl/src/bolts/llmp.rs:1464] "New connection" = "New connection" +[libafl/src/bolts/llmp.rs:1464] addr = 127.0.0.1:33500 +[libafl/src/bolts/llmp.rs:1464] stream.peer_addr().unwrap() = 127.0.0.1:33500 +[LOG Debug]: Loaded 4 initial testcases. +[New Testcase #2] clients: 3, corpus: 6, objectives: 0, executions: 5, exec/sec: 0 +< fuzzing stats > +``` -Each following execution will run a fuzzer client. As this example uses in-process fuzzing, we added a Restarting Event Manager (`setup_restarting_mgr`). This means each client will start itself again to listen for crashes and timeouts. By restarting the actual fuzzer, it can recover from these exit conditions. In any real-world scenario, you should use `taskset` to pin each client to an empty CPU core, the lib does not pick an empty core automatically (yet). -For convenience, you may just run `./test.sh` in this folder to test it. diff --git a/fuzzers/libfuzzer_libpng/src/bin/libafl_cc.rs b/fuzzers/libfuzzer_libpng/src/bin/libafl_cc.rs new file mode 100644 index 0000000000..dc65a9a57b --- /dev/null +++ b/fuzzers/libfuzzer_libpng/src/bin/libafl_cc.rs 
@@ -0,0 +1,33 @@
+use libafl_cc::{ClangWrapper, CompilerWrapper, LIB_EXT, LIB_PREFIX};
+use std::env;
+
+fn main() {
+ let args: Vec = env::args().collect();
+ if args.len() > 1 {
+ let mut dir = env::current_exe().unwrap();
+ dir.pop();
+
+ let mut cc = ClangWrapper::new("clang", "clang++");
+ cc.from_args(&args)
+ .unwrap()
+ .add_arg("-fsanitize-coverage=trace-pc-guard".into())
+ .unwrap()
+ .add_link_arg(
+ dir.join(format!("{}libfuzzer_libpng.{}", LIB_PREFIX, LIB_EXT))
+ .display()
+ .to_string(),
+ )
+ .unwrap();
+ // Libraries needed by libafl on Windows
+ #[cfg(windows)]
+ cc.add_link_arg("-lws2_32".into())
+ .unwrap()
+ .add_link_arg("-lBcrypt".into())
+ .unwrap()
+ .add_link_arg("-lAdvapi32".into())
+ .unwrap();
+ cc.run().unwrap();
+ } else {
+ panic!("LibAFL CC: No Arguments given");
+ }
+}
diff --git a/fuzzers/libfuzzer_libpng/src/bin/libafl_cxx.rs b/fuzzers/libfuzzer_libpng/src/bin/libafl_cxx.rs
new file mode 100644
index 0000000000..2183682d96
--- /dev/null
+++ b/fuzzers/libfuzzer_libpng/src/bin/libafl_cxx.rs
@@ -0,0 +1,34 @@
+use libafl_cc::{ClangWrapper, CompilerWrapper, LIB_EXT, LIB_PREFIX};
+use std::env;
+
+fn main() {
+ let args: Vec = env::args().collect();
+ if args.len() > 1 {
+ let mut dir = env::current_exe().unwrap();
+ dir.pop();
+
+ let mut cc = ClangWrapper::new("clang", "clang++");
+ cc.is_cpp()
+ .from_args(&args)
+ .unwrap()
+ .add_arg("-fsanitize-coverage=trace-pc-guard".into())
+ .unwrap()
+ .add_link_arg(
+ dir.join(format!("{}libfuzzer_libpng.{}", LIB_PREFIX, LIB_EXT))
+ .display()
+ .to_string(),
+ )
+ .unwrap();
+ // Libraries needed by libafl on Windows
+ #[cfg(windows)]
+ cc.add_link_arg("-lws2_32".into())
+ .unwrap()
+ .add_link_arg("-lBcrypt".into())
+ .unwrap()
+ .add_link_arg("-lAdvapi32".into())
+ .unwrap();
+ cc.run().unwrap();
+ } else {
+ panic!("LibAFL CC: No Arguments given");
+ }
+}
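Review bot: The `else` branch `panic!("LibAFL CC: No Arguments given")` turns a usage error into a Rust panic, with the `thread 'main' panicked at` banner and exit status 101; a compiler wrapper driven by `configure`/`make` is better served by a plain message and a conventional failure status: `eprintln!("LibAFL CC: No Arguments given"); std::process::exit(1);`. The same text is reused in `libafl_cxx.rs` on this line, where `LibAFL CXX` would name the right wrapper. Both libpng wrappers also omit the `-fPIC` flag that the mozjpeg wrappers in this commit pass — confirm that difference is intended.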
diff --git a/fuzzers/libfuzzer_libpng/src/fuzzer.rs b/fuzzers/libfuzzer_libpng/src/lib.rs
similarity index 59%
rename from fuzzers/libfuzzer_libpng/src/fuzzer.rs
rename to fuzzers/libfuzzer_libpng/src/lib.rs
index 9bd2febdc3..4d1b78ecd5 100644
--- a/fuzzers/libfuzzer_libpng/src/fuzzer.rs
+++ b/fuzzers/libfuzzer_libpng/src/lib.rs
@@ -4,19 +4,18 @@ use core::time::Duration;
 use std::{env, path::PathBuf};
-#[cfg(unix)]
 use libafl::{
- bolts::{shmem::UnixShMem, tuples::tuple_list},
+ bolts::tuples::tuple_list,
 corpus::{
 Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
 QueueCorpusScheduler,
 },
- events::setup_restarting_mgr,
- executors::{inprocess::InProcessExecutor, Executor, ExitKind, TimeoutExecutor},
+ events::{setup_restarting_mgr_std, EventManager},
+ executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
 feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
- fuzzer::{Fuzzer, HasCorpusScheduler, StdFuzzer},
- inputs::Input,
- mutators::{scheduled::HavocBytesMutator, token_mutations::Tokens},
+ fuzzer::{Fuzzer, StdFuzzer},
+ mutators::scheduled::{havoc_mutations, StdScheduledMutator},
+ mutators::token_mutations::Tokens,
 observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
 stages::mutational::StdMutationalStage,
 state::{HasCorpus, HasMetadata, State},
@@ -25,35 +24,10 @@ use libafl::{
 Error,
 };
-/// We will interact with a C++ target, so use external c functionality
-#[cfg(unix)]
-extern "C" {
- /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
- fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32;
+use libafl_targets::{libfuzzer_initialize, libfuzzer_test_one_input, EDGES_MAP, MAX_EDGES_NUM};
- // afl_libfuzzer_init calls LLVMFUzzerInitialize()
- fn afl_libfuzzer_init() -> i32;
-
- static __lafl_edges_map: *mut u8;
- static __lafl_cmp_map: *mut u8;
- static __lafl_max_edges_size: u32;
-}
-
-/// The wrapped harness function, calling out to the LLVM-style harness
-#[cfg(unix)]
-fn harness(_executor: &E, buf: &[u8]) -> ExitKind
-where
- E: Executor,
- I: Input,
-{
- // println!("{:?}", buf);
- unsafe {
- LLVMFuzzerTestOneInput(buf.as_ptr(), buf.len());
- }
- ExitKind::Ok
-}
-
-/// The main fn, usually parsing parameters, and starting the fuzzer
+/// The main fn, no_mangle as it is a C main
+#[no_mangle]
 pub fn main() {
 // Registry the metadata types used in this fuzzer
 // Needed only on no_std
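Review bot: `#[no_mangle] pub fn main()` exports a symbol named `main` with the Rust ABI, not the C ABI that the new doc comment `/// The main fn, no_mangle as it is a C main` announces; the C runtime calls `main` as `int main(int, char **)`, so the signature should at least be `pub extern "C" fn main() -> i32` (returning 0) to make the calling convention explicit, and ideally accept `argc`/`argv` and return the status. On the platforms this example targets the two conventions presumably coincide for a parameterless function, which is why it works, but that is not something Rust guarantees. The same `#[no_mangle] pub fn main()` is added in the mozjpeg `lib.rs` hunk at `@@ -22,35 +20,17 @@`; the body of `main` continues past this hunk.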
@@ -71,35 +45,27 @@ pub fn main() {
 .expect("An error occurred while fuzzing");
 }
-/// Not supported on windows right now
-#[cfg(windows)]
-fn fuzz(_corpus_dirs: Vec, _objective_dir: PathBuf, _broker_port: u16) -> Result<(), ()> {
- todo!("Example not supported on Windows");
-}
-
 /// The actual fuzzer
-#[cfg(unix)]
 fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) -> Result<(), Error> {
 // 'While the stats are state, they are usually used in the broker - which is likely never restarted
 let stats = SimpleStats::new(|s| println!("{}", s));
 // The restarting state will spawn the same process again as child, then restarted it each time it crashes.
- let (state, mut restarting_mgr) =
- match setup_restarting_mgr::<_, _, UnixShMem, _>(stats, broker_port) {
- Ok(res) => res,
- Err(err) => match err {
- Error::ShuttingDown => {
- return Ok(());
- }
- _ => {
- panic!("Failed to setup the restarter: {}", err);
- }
- },
- };
+ let (state, mut restarting_mgr) = match setup_restarting_mgr_std(stats, broker_port) {
+ Ok(res) => res,
+ Err(err) => match err {
+ Error::ShuttingDown => {
+ return Ok(());
+ }
+ _ => {
+ panic!("Failed to setup the restarter: {}", err);
+ }
+ },
+ };
 // Create an observation channel using the coverage map
 let edges_observer = HitcountsMapObserver::new(unsafe {
- StdMapObserver::new_from_ptr("edges", __lafl_edges_map, __lafl_max_edges_size as usize)
+ StdMapObserver::new("edges", &mut EDGES_MAP, MAX_EDGES_NUM)
 });
 // If not restarting, create a State from scratch
@@ -136,18 +102,26 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) ->
 }
 // Setup a basic mutator with a mutational stage
- let mutator = HavocBytesMutator::default();
+ let mutator = StdScheduledMutator::new(havoc_mutations());
 let stage = StdMutationalStage::new(mutator);
- // A fuzzer with just one stage and a minimization+queue policy to get testcasess from the corpus
- let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
- let fuzzer = StdFuzzer::new(scheduler, tuple_list!(stage));
+ // A fuzzer with just one stage
+ let mut fuzzer = StdFuzzer::new(tuple_list!(stage));
- // Create the executor for an in-process function with just one observer for edge coverage
+ // A minimization+queue policy to get testcasess from the corpus
+ let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
+
+ // The wrapped harness function, calling out to the LLVM-style harness
+ let mut harness = |buf: &[u8]| {
+ libfuzzer_test_one_input(buf);
+ ExitKind::Ok
+ };
+
+ // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
 let mut executor = TimeoutExecutor::new(
 InProcessExecutor::new(
- "in-process(edges)",
- harness,
+ "in-process(edges,time)",
+ &mut harness,
 tuple_list!(edges_observer, TimeObserver::new("time")),
 &mut state,
 &mut restarting_mgr,
@@ -158,21 +132,15 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) ->
 // The actual target run starts here.
 // Call LLVMFUzzerInitialize() if present.
- unsafe {
- if afl_libfuzzer_init() == -1 {
- println!("Warning: LLVMFuzzerInitialize failed with -1")
- }
+ let args: Vec = env::args().collect();
+ if libfuzzer_initialize(&args) == -1 {
+ println!("Warning: LLVMFuzzerInitialize failed with -1")
 }
 // In case the corpus is empty (on first run), reset
 if state.corpus().count() < 1 {
 state
- .load_initial_inputs(
- &mut executor,
- &mut restarting_mgr,
- fuzzer.scheduler(),
- &corpus_dirs,
- )
+ .load_initial_inputs(&mut executor, &mut restarting_mgr, &scheduler, &corpus_dirs)
 .expect(&format!(
 "Failed to load initial corpus at {:?}",
 &corpus_dirs
@@ -180,8 +148,22 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) ->
 println!("We imported {} inputs from disk.", state.corpus().count());
 }
- fuzzer.fuzz_loop(&mut state, &mut executor, &mut restarting_mgr)?;
+ // This fuzzer restarts after 1 mio `fuzz_one` executions.
+ // Each fuzz_one will internally do many executions of the target.
+ // If your target is very instable, setting a low count here may help.
+ // However, you will lose a lot of performance that way.
+ let iters = 1_000_000;
+ fuzzer.fuzz_loop_for(
+ &mut state,
+ &mut executor,
+ &mut restarting_mgr,
+ &scheduler,
+ iters,
+ )?;
+
+ // It's important, that we store the state before restarting!
+ // Else, the parent will not respawn a new child and quit.
+ restarting_mgr.on_restart(&mut state)?;
- // Never reached
 Ok(())
 }
diff --git a/fuzzers/libfuzzer_libpng/test.sh b/fuzzers/libfuzzer_libpng/test.sh
deleted file mode 100755
index 156cf1de04..0000000000
--- a/fuzzers/libfuzzer_libpng/test.sh
+++ /dev/null
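Review bot: `let iters = 1_000_000;` in the `@@ -180,8 +148,22 @@` hunk is a tuning knob buried in the middle of `fuzz` and described only by the comment block above it; hoist it to a named module-level constant, e.g. `const RESTART_AFTER_ITERS: u64 = 1_000_000;` (assuming `fuzz_loop_for` takes a `u64` count), so the value the README tells users to tune lives where constants are found, and write "one million" instead of "1 mio" in the comment. `restarting_mgr.on_restart(&mut state)?;` followed by `Ok(())` relies on the caller letting the process exit so the parent manager respawns it; a one-line comment at the return, `// Returning ends this child; the parent manager respawns a fresh one from the stored state`, would make that hand-off explicit — confirm that is how the manager behaves.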
@@ -1,18 +0,0 @@ -#!/bin/sh - -mkdir -p ./crashes -rm -rf ./.libfuzzer_test.elf - -cargo build --example libfuzzer_libpng --release || exit 1 -cp ../../target/release/examples/libfuzzer_libpng ./.libfuzzer_test.elf - -# The broker -RUST_BACKTRACE=full taskset -c 0 ./.libfuzzer_test.elf & -# Give the broker time to spawn -sleep 2 -echo "Spawning client" -# The 1st fuzzer client, pin to cpu 0x1 -RUST_BACKTRACE=full taskset -c 1 ./.libfuzzer_test.elf 2>/dev/null - -killall .libfuzzer_test.elf -rm -rf ./.libfuzzer_test.elf diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/build.rs b/fuzzers/libfuzzer_libpng_cmpalloc/build.rs deleted file mode 100644 index 49f3cfba94..0000000000 --- a/fuzzers/libfuzzer_libpng_cmpalloc/build.rs +++ /dev/null 
@@ -1,109 +0,0 @@ -// build.rs - -use std::{ - env, - path::Path, - process::{exit, Command}, -}; - -const LIBPNG_URL: &str = - "https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz"; - -fn main() { - if cfg!(windows) { - println!("cargo:warning=Skipping libpng example on Windows"); - exit(0); - } - - let out_dir = env::var_os("OUT_DIR").unwrap(); - let cwd = env::current_dir().unwrap().to_string_lossy().to_string(); - let out_dir = out_dir.to_string_lossy().to_string(); - let out_dir_path = Path::new(&out_dir); - - println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c",); - println!("cargo:rerun-if-changed=harness.cc"); - - let libpng = format!("{}/libpng-1.6.37", &out_dir); - let libpng_path = Path::new(&libpng); - let libpng_tar = format!("{}/libpng-1.6.37.tar.xz", &cwd); - - // Enforce clang for its -fsanitize-coverage support. - std::env::set_var("CC", "clang"); - std::env::set_var("CXX", "clang++"); - let ldflags = match env::var("LDFLAGS") { - Ok(val) => val, - Err(_) => "".to_string(), - }; - - if !libpng_path.is_dir() { - if !Path::new(&libpng_tar).is_file() { - println!("cargo:warning=Libpng not found, downloading..."); - // Download libpng - Command::new("wget") - .arg("-c") - .arg(LIBPNG_URL) - .arg("-O") - .arg(&libpng_tar) - .status() - .unwrap(); - } - Command::new("tar") - .current_dir(&out_dir_path) - .arg("-xvf") - .arg(&libpng_tar) - .status() - .unwrap(); - Command::new(format!("{}/configure", &libpng)) - .current_dir(&libpng_path) - .args(&[ - "--disable-shared", - &format!("--host={}", env::var("TARGET").unwrap())[..], - ]) - .env("CC", "clang") - .env("CXX", "clang++") - .env( - "CFLAGS", - "-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - ) - .env( - "CXXFLAGS", - "-O3 -g -D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard", - ) - .env( - "LDFLAGS", - format!("-g -fPIE -fsanitize-coverage=trace-pc-guard {}", ldflags), - ) - .status() - .unwrap(); - Command::new("make") - 
.current_dir(&libpng_path) - .status() - .unwrap(); - } - - cc::Build::new() - .file("../libfuzzer_runtime/rt.c") - .compile("libfuzzer-sys"); - - cc::Build::new() - .include(&libpng_path) - .cpp(true) - .flag("-fsanitize-coverage=trace-pc-guard") - // .define("HAS_DUMMY_CRASH", "1") - .file("./harness.cc") - .compile("libfuzzer-harness"); - - println!("cargo:rustc-link-search=native={}", &out_dir); - println!("cargo:rustc-link-search=native={}/.libs", &libpng); - println!("cargo:rustc-link-lib=static=png16"); - - //Deps for libpng: -pthread -lz -lm - println!("cargo:rustc-link-lib=dylib=m"); - println!("cargo:rustc-link-lib=dylib=z"); - - //For the C++ harness - //must by dylib for android - println!("cargo:rustc-link-lib=dylib=stdc++"); - - println!("cargo:rerun-if-changed=build.rs"); -} diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/test.sh b/fuzzers/libfuzzer_libpng_cmpalloc/test.sh deleted file mode 100755 index f707f77271..0000000000 --- a/fuzzers/libfuzzer_libpng_cmpalloc/test.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh - -mkdir -p ./crashes - -cargo build --example libfuzzer_libpng --release || exit 1 -cp ../../target/release/examples/libfuzzer_libpng ./.libfuzzer_test.elf - -# The broker -RUST_BACKTRACE=full taskset 0 ./.libfuzzer_test.elf & -# Give the broker time to spawn -sleep 2 -echo "Spawning client" -# The 1st fuzzer client, pin to cpu 0x1 -RUST_BACKTRACE=full taskset 1 ./.libfuzzer_test.elf 2>/dev/null - -killall .libfuzzer_test.elf -rm -rf ./.libfuzzer_test.elf diff --git a/fuzzers/libfuzzer_runtime/rt.c b/fuzzers/libfuzzer_runtime/rt.c deleted file mode 100644 index 8379132732..0000000000 --- a/fuzzers/libfuzzer_runtime/rt.c +++ /dev/null 
@@ -1,185 +0,0 @@ -#include -#include -#include -#include - -#define MAP_SIZE (16*1024) - -int orig_argc; -char **orig_argv; -char **orig_envp; - -uint8_t __lafl_dummy_map[MAP_SIZE]; -size_t __lafl_dummy_map_usize[MAP_SIZE]; - -uint8_t *__lafl_edges_map = __lafl_dummy_map; -uint8_t *__lafl_cmp_map = __lafl_dummy_map; -size_t *__lafl_alloc_map = __lafl_dummy_map_usize; - -uint32_t __lafl_max_edges_size = 0; - -void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { - - uint32_t pos = *guard; - uint16_t val = __lafl_edges_map[pos] + 1; - __lafl_edges_map[pos] = ((uint8_t) val) + (uint8_t) (val >> 8); - //__lafl_edges_map[pos] = 1; - -} - -void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { - - if (start == stop || *start) { return; } - - *(start++) = (++__lafl_max_edges_size) & (MAP_SIZE -1); - - while (start < stop) { - - *start = (++__lafl_max_edges_size) & (MAP_SIZE -1); - start++; - - } - -} - -#define MAX(a, b) \ - ({ \ - \ - __typeof__(a) _a = (a); \ - __typeof__(b) _b = (b); \ - _a > _b ? 
_a : _b; \ - \ - }) - -#if defined(__APPLE__) - #pragma weak __sanitizer_cov_trace_const_cmp1 = __sanitizer_cov_trace_cmp1 - #pragma weak __sanitizer_cov_trace_const_cmp2 = __sanitizer_cov_trace_cmp2 - #pragma weak __sanitizer_cov_trace_const_cmp4 = __sanitizer_cov_trace_cmp4 - #pragma weak __sanitizer_cov_trace_const_cmp8 = __sanitizer_cov_trace_cmp8 -#else -void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__sanitizer_cov_trace_cmp1"))); -void __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2) - __attribute__((alias("__sanitizer_cov_trace_cmp2"))); -void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2) - __attribute__((alias("__sanitizer_cov_trace_cmp4"))); -void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2) - __attribute__((alias("__sanitizer_cov_trace_cmp8"))); -#endif - -void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) { - - uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= MAP_SIZE - 1; - __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2)))); - -} - -void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) { - - uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= MAP_SIZE - 1; - __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2)))); - -} - -void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) { - - uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= MAP_SIZE - 1; - __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2)))); - -} - -void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) { - - uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= MAP_SIZE - 1; - __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcountll(~(arg1 ^ arg2)))); - -} - -void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) { - - uintptr_t rt 
= (uintptr_t)__builtin_return_address(0); - if (cases[1] == 64) { - - for (uint64_t i = 0; i < cases[0]; i++) { - - uintptr_t k = rt + i; - k = (k >> 4) ^ (k << 8); - k &= MAP_SIZE - 1; - __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcountll(~(val ^ cases[i + 2])))); - - } - - } else { - - for (uint64_t i = 0; i < cases[0]; i++) { - - uintptr_t k = rt + i; - k = (k >> 4) ^ (k << 8); - k &= MAP_SIZE - 1; - __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(val ^ cases[i + 2])))); - - } - - } - -} - -void *malloc(size_t size) { - - uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= MAP_SIZE - 1; - __lafl_alloc_map[k] = MAX(__lafl_alloc_map[k], size); - - // We cannot malloc in malloc. - // Hence, even realloc(NULL, size) would loop in an optimized build. - // We fall back to a stricter allocation function. Fingers crossed. - void *ret = NULL; - posix_memalign(&ret, 1<<6, size); - return ret; - -} - -void *calloc(size_t nmemb, size_t size) { - - size *= nmemb; - - uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= MAP_SIZE - 1; - __lafl_alloc_map[k] = MAX(__lafl_alloc_map[k], size); - - void *ret = NULL; - posix_memalign(&ret, 1<<6, size); - memset(ret, 0, size); - return ret; - -} - -static void afl_libfuzzer_copy_args(int argc, char** argv, char** envp) { - orig_argc = argc; - orig_argv = argv; - orig_envp = envp; -} - -__attribute__((section(".init_array"))) void (* p_afl_libfuzzer_copy_args)(int,char*[],char*[]) = &afl_libfuzzer_copy_args; - -__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); -void afl_libfuzzer_main(); - -int afl_libfuzzer_init() { - - if (LLVMFuzzerInitialize) { - return LLVMFuzzerInitialize(&orig_argc, &orig_argv); - } else { - return 0; - } - -} diff --git a/fuzzers/libfuzzer_runtime/rt.rs b/fuzzers/libfuzzer_runtime/rt.rs deleted file mode 100644 index 13c4b7ea12..0000000000 
--- a/fuzzers/libfuzzer_runtime/rt.rs +++ /dev/null 
@@ -1,61 +0,0 @@ -#![allow(dead_code, mutable_transmutes, non_camel_case_types, non_snake_case, - non_upper_case_globals, unused_assignments, unused_mut)] - -use std::ptr; - -pub const MAP_SIZE: usize = 65536; - -extern "C" { - /// __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); - fn LLVMFuzzerInitialize(argc: *mut libc::c_int, - argv: *mut *mut *mut libc::c_char) -> libc::c_int; - - /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) - pub fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32; -} - -static mut orig_argc: libc::c_int = 0; -static mut orig_argv: *mut *mut libc::c_char = ptr::null_mut(); -static mut orig_envp: *mut *mut libc::c_char = ptr::null_mut(); - -pub static mut edges_map: [u8; MAP_SIZE] = [0; MAP_SIZE]; -pub static mut cmp_map: [u8; MAP_SIZE] = [0; MAP_SIZE]; -pub static mut max_edges_size: usize = 0; - -#[no_mangle] -pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(mut guard: *mut u32) { - let mut pos: u32 = *guard; - //uint16_t val = __lafl_edges_map[pos] + 1; - //__lafl_edges_map[pos] = ((uint8_t) val) + (uint8_t) (val >> 8); - edges_map[pos as usize] = 1 as u8; -} - -#[no_mangle] -pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard_init(mut start: *mut u32, mut stop: *mut u32) { - if start == stop || *start != 0 { return } - - while start < stop { - max_edges_size += 1; - *start = (max_edges_size & (MAP_SIZE -1)) as u32; - start = start.offset(1); - } -} - -unsafe extern "C" fn copy_args_init(mut argc: libc::c_int, mut argv: *mut *mut libc::c_char, mut envp: *mut *mut libc::c_char) { - orig_argc = argc; - orig_argv = argv; - orig_envp = envp; -} - -#[no_mangle] -#[link_section = ".init_array"] -static mut p_copy_args_init: Option ()> = Some(copy_args_init); - -#[no_mangle] -pub unsafe extern "C" fn afl_libfuzzer_init() -> libc::c_int { - if Some(LLVMFuzzerInitialize).is_some() { - LLVMFuzzerInitialize(&mut orig_argc, &mut orig_argv) - } else { - 0 as libc::c_int - } -} 
diff --git a/fuzzers/libfuzzer_stb_image/.gitignore b/fuzzers/libfuzzer_stb_image/.gitignore new file mode 100644 index 0000000000..a977a2ca5b --- /dev/null +++ b/fuzzers/libfuzzer_stb_image/.gitignore @@ -0,0 +1 @@ +libpng-* \ No newline at end of file diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/Cargo.toml b/fuzzers/libfuzzer_stb_image/Cargo.toml similarity index 52% rename from fuzzers/libfuzzer_libpng_cmpalloc/Cargo.toml rename to fuzzers/libfuzzer_stb_image/Cargo.toml index 16e498bb93..3b3cd143ce 100644 --- a/fuzzers/libfuzzer_libpng_cmpalloc/Cargo.toml +++ b/fuzzers/libfuzzer_stb_image/Cargo.toml @@ -1,31 +1,24 @@ [package] -name = "libfuzzer_libpng_cmpalloc" +name = "libfuzzer_stb_image" version = "0.1.0" authors = ["Andrea Fioraldi ", "Dominik Maier "] edition = "2018" build = "build.rs" -# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html - [features] default = ["std"] std = [] -#[profile.release] -#lto = true -#codegen-units = 1 -#opt-level = 3 -#debug = true +[profile.release] +lto = true +codegen-units = 1 +opt-level = 3 +debug = true + +[dependencies] +libafl = { path = "../../libafl/" } +libafl_targets = { path = "../../libafl_targets/", features = ["pcguard_edges", "libfuzzer"] } [build-dependencies] cc = { version = "1.0", features = ["parallel"] } num_cpus = "1.0" - -[dependencies] -libafl = { path = "../../libafl/" } - -[[example]] -name = "libfuzzer_libpng_cmpalloc" -path = "./src/fuzzer.rs" -test = false -bench = false diff --git a/fuzzers/libfuzzer_stb_image/README.md b/fuzzers/libfuzzer_stb_image/README.md new file mode 100644 index 0000000000..1daf0a4c47 --- /dev/null +++ b/fuzzers/libfuzzer_stb_image/README.md 
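Review bot: `num_cpus = "1.0"` is kept in `[build-dependencies]` on the new side, although the build.rs this commit adds for the crate uses only `std::env` and `cc`; an unused build dependency is still fetched, compiled and executed at build time and widens the supply-chain surface for no benefit. Drop the line unless a later build step is expected to need it. The `[profile.release]` settings with `debug = true` are reasonable for a fuzzer binary that needs symbols for crash triage.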
@@ -0,0 +1,23 @@ +# Libfuzzer for stb_image + +This folder contains an example fuzzer for stb_image, using LLMP for fast multi-process fuzzing and crash detection. +It has been tested on Linux and Windows. + +## Build + +To build this example, run `cargo build --release`. +This will build the the fuzzer (src/main.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback as a standalone binary. + +Unlike the libpng example, in this example the harness (that entirely includes the program under test) is compiled in the `build.rs` file while building the crate, and linked with the fuzzer by cargo when producing the final binary, `target/release/libfuzzer_stb_image`. + +## Run + +The first time you run the binary (`target/release/libfuzzer_stb_image`), the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. + +Each following execution will run a fuzzer client. +As this example uses in-process fuzzing, we added a Restarting Event Manager (`setup_restarting_mgr`). +This means each client will start itself again to listen for crashes and timeouts. +By restarting the actual fuzzer, it can recover from these exit conditions. + +In any real-world scenario, you should use `taskset` to pin each client to an empty CPU core, the lib does not pick an empty core automatically (yet). + diff --git a/fuzzers/libfuzzer_stb_image/build.rs b/fuzzers/libfuzzer_stb_image/build.rs new file mode 100644 index 0000000000..50cb1582bc --- /dev/null +++ b/fuzzers/libfuzzer_stb_image/build.rs 
@@ -0,0 +1,27 @@ +// build.rs + +use std::env; + +fn main() { + let out_dir = env::var_os("OUT_DIR").unwrap(); + let out_dir = out_dir.to_string_lossy().to_string(); + + println!("cargo:rerun-if-changed=harness.c"); + + // Enforce clang for its -fsanitize-coverage support. + std::env::set_var("CC", "clang"); + std::env::set_var("CXX", "clang++"); + + cc::Build::new() + // Use sanitizer coverage to track the edges in the PUT + .flag("-fsanitize-coverage=trace-pc-guard") + // Take advantage of LTO (needs lld-link set in your cargo config) + //.flag("-flto=thin") + .flag("-Wno-sign-compare") + .file("./harness.c") + .compile("harness"); + + println!("cargo:rustc-link-search=native={}", &out_dir); + + println!("cargo:rerun-if-changed=build.rs"); +} diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/corpus/not_kitty.png b/fuzzers/libfuzzer_stb_image/corpus/not_kitty.png similarity index 100% rename from fuzzers/libfuzzer_libpng_cmpalloc/corpus/not_kitty.png rename to fuzzers/libfuzzer_stb_image/corpus/not_kitty.png diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/corpus/not_kitty_alpha.png b/fuzzers/libfuzzer_stb_image/corpus/not_kitty_alpha.png similarity index 100% rename from fuzzers/libfuzzer_libpng_cmpalloc/corpus/not_kitty_alpha.png rename to fuzzers/libfuzzer_stb_image/corpus/not_kitty_alpha.png diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/corpus/not_kitty_gamma.png b/fuzzers/libfuzzer_stb_image/corpus/not_kitty_gamma.png similarity index 100% rename from fuzzers/libfuzzer_libpng_cmpalloc/corpus/not_kitty_gamma.png rename to fuzzers/libfuzzer_stb_image/corpus/not_kitty_gamma.png diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/corpus/not_kitty_icc.png b/fuzzers/libfuzzer_stb_image/corpus/not_kitty_icc.png similarity index 100% rename from fuzzers/libfuzzer_libpng_cmpalloc/corpus/not_kitty_icc.png rename to fuzzers/libfuzzer_stb_image/corpus/not_kitty_icc.png 
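Review bot: The rerun trigger names only `harness.c`, but harness.c includes the vendored `stb_image.h` added in this same commit, so a change to the header — including a fix to the decoder — would not rebuild the harness object until a clean build. Add `println!("cargo:rerun-if-changed=stb_image.h");` next to the existing `rerun-if-changed=harness.c` line. Separately, `std::env::set_var("CC", "clang")` silently replaces any CC/CXX the user exported; the comment explains why clang is required, but emitting a `cargo:warning=` when an existing value is being overridden would make the override visible in the build log.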
diff --git a/fuzzers/libfuzzer_stb_image/harness.c b/fuzzers/libfuzzer_stb_image/harness.c new file mode 100644 index 0000000000..be70ac5d98 --- /dev/null +++ b/fuzzers/libfuzzer_stb_image/harness.c @@ -0,0 +1,28 @@ +#include +#include + +#define STBI_ASSERT(x) +#define STBI_NO_SIMD +#define STBI_NO_LINEAR +#define STBI_NO_STDIO +#define STB_IMAGE_IMPLEMENTATION + +#include "stb_image.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + int x, y, channels; + + if(!stbi_info_from_memory(data, size, &x, &y, &channels)) return 0; + + /* exit if the image is larger than ~80MB */ + if(y && x > (80000000 / 4) / y) return 0; + + unsigned char *img = stbi_load_from_memory(data, size, &x, &y, &channels, 4); + + free(img); + + // if (x > 10000) free(img); // free crash + + return 0; +} diff --git a/fuzzers/libfuzzer_libpng_cmpalloc/src/fuzzer.rs b/fuzzers/libfuzzer_stb_image/src/main.rs similarity index 53% rename from fuzzers/libfuzzer_libpng_cmpalloc/src/fuzzer.rs rename to fuzzers/libfuzzer_stb_image/src/main.rs index 58215afc63..1f018de01f 100644 --- a/fuzzers/libfuzzer_libpng_cmpalloc/src/fuzzer.rs +++ b/fuzzers/libfuzzer_stb_image/src/main.rs 
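Review bot: `size` is a `size_t`, but both `stbi_info_from_memory` and `stbi_load_from_memory` take the length as `int` (see the prototypes in the added header), so a buffer longer than `INT_MAX` is silently narrowed, possibly to a negative length, and the `-Wno-sign-compare` flag in build.rs hides the related warning. Guard it at the top of `LLVMFuzzerTestOneInput`: `if (size > (size_t)INT_MAX) return 0;` (needs `<limits.h>`; the include names are not legible in this rendering). The commented-out `// if (x > 10000) free(img); // free crash` line is dead code and should be removed or turned into a README note on how crash detection was exercised.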
@@ -1,22 +1,21 @@ //! A libfuzzer-like fuzzer with llmp-multithreading support and restarts -//! The example harness is built for libpng. +//! The example harness is built for stb_image. use std::{env, path::PathBuf}; -#[cfg(unix)] use libafl::{ - bolts::{shmem::UnixShMem, tuples::tuple_list}, + bolts::tuples::tuple_list, corpus::{ Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, QueueCorpusScheduler, }, - events::setup_restarting_mgr, - executors::{inprocess::InProcessExecutor, Executor, ExitKind}, + events::setup_restarting_mgr_std, + executors::{inprocess::InProcessExecutor, ExitKind}, feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback}, - fuzzer::{Fuzzer, HasCorpusScheduler, StdFuzzer}, - inputs::Input, - mutators::{scheduled::HavocBytesMutator, token_mutations::Tokens}, - observers::{HitcountsMapObserver, StdMapObserver, TimeObserver}, + fuzzer::{Fuzzer, StdFuzzer}, + mutators::scheduled::{havoc_mutations, StdScheduledMutator}, + mutators::token_mutations::Tokens, + observers::{StdMapObserver, TimeObserver}, stages::mutational::StdMutationalStage, state::{HasCorpus, HasMetadata, State}, stats::SimpleStats, 
@@ -24,38 +23,8 @@ use libafl::{ Error, }; -const MAP_SIZE: usize = 16 * 1024; +use libafl_targets::{libfuzzer_initialize, libfuzzer_test_one_input, EDGES_MAP, MAX_EDGES_NUM}; -/// We will interact with a C++ target, so use external c functionality -#[cfg(unix)] -extern "C" { - /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) - fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32; - - // afl_libfuzzer_init calls LLVMFUzzerInitialize() - fn afl_libfuzzer_init() -> i32; - - static __lafl_edges_map: *mut u8; - static __lafl_cmp_map: *mut u8; - static __lafl_alloc_map: *mut usize; - static __lafl_max_edges_size: u32; -} - -/// The wrapped harness function, calling out to the LLVM-style harness -#[cfg(unix)] -fn harness(_executor: &E, buf: &[u8]) -> ExitKind -where - E: Executor, - I: Input, -{ - // println!("{:?}", buf); - unsafe { - LLVMFuzzerTestOneInput(buf.as_ptr(), buf.len()); - } - ExitKind::Ok -} - -/// The main fn, usually parsing parameters, and starting the fuzzer pub fn main() { // Registry the metadata types used in this fuzzer // Needed only on no_std 
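Review bot: The doc comment `/// The main fn, usually parsing parameters, and starting the fuzzer` on `pub fn main()` was deleted together with the old extern block, leaving `main` undocumented; restore that line directly above `pub fn main()`. The body of `main` continues outside the hunk. Replacing the hand-written `extern "C"` declarations with the `libafl_targets` import removes the unsafe FFI surface from this file, which is the right direction.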
@@ -73,43 +42,28 @@ pub fn main() { .expect("An error occurred while fuzzing"); } -/// Not supported on windows right now -#[cfg(windows)] -fn fuzz(_corpus_dirs: Vec, _objective_dir: PathBuf, _broker_port: u16) -> Result<(), ()> { - todo!("Example not supported on Windows"); -} - /// The actual fuzzer -#[cfg(unix)] fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) -> Result<(), Error> { // 'While the stats are state, they are usually used in the broker - which is likely never restarted let stats = SimpleStats::new(|s| println!("{}", s)); // The restarting state will spawn the same process again as child, then restarted it each time it crashes. - let (state, mut restarting_mgr) = - match setup_restarting_mgr::<_, _, UnixShMem, _>(stats, broker_port) { - Ok(res) => res, - Err(err) => match err { - Error::ShuttingDown => { - return Ok(()); - } - _ => { - panic!("Failed to setup the restarter: {}", err); - } - }, - }; + let (state, mut restarting_mgr) = match setup_restarting_mgr_std(stats, broker_port) { + Ok(res) => res, + Err(err) => match err { + Error::ShuttingDown => { + return Ok(()); + } + _ => { + panic!("Failed to setup the restarter: {}", err); + } + }, + }; // Create an observation channel using the coverage map - let edges_observer = HitcountsMapObserver::new(unsafe { - StdMapObserver::new_from_ptr("edges", __lafl_edges_map, __lafl_max_edges_size as usize) - }); - - // Create an observation channel using the cmp map - let cmps_observer = unsafe { StdMapObserver::new_from_ptr("cmps", __lafl_cmp_map, MAP_SIZE) }; - - // Create an observation channel using the allocations map - let allocs_observer = - unsafe { StdMapObserver::new_from_ptr("allocs", __lafl_alloc_map, MAP_SIZE) }; + // We don't use the hitcounts (see the Cargo.toml, we use pcguard_edges) + let edges_observer = + StdMapObserver::new("edges", unsafe { &mut EDGES_MAP }, unsafe { MAX_EDGES_NUM }); // If not restarting, create a State from scratch let mut state = 
state.unwrap_or_else(|| { @@ -121,8 +75,6 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) -> // Feedbacks to rate the interestingness of an input tuple_list!( MaxMapFeedback::new_with_observer_track(&edges_observer, true, false), - MaxMapFeedback::new_with_observer(&cmps_observer), - MaxMapFeedback::new_with_observer(&allocs_observer), TimeFeedback::new() ), // Corpus in which we store solutions (crashes in this example), 
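Review bot: `StdMapObserver::new("edges", unsafe { &mut EDGES_MAP }, unsafe { MAX_EDGES_NUM })` takes a `&'static mut` into a `static mut` that the instrumented target's coverage runtime also writes, and a second `unsafe` block reads `MAX_EDGES_NUM`, yet neither carries a `// SAFETY:` comment stating why this is sound here. Add one above the `let`, e.g. `// SAFETY: EDGES_MAP and MAX_EDGES_NUM are filled by the pc-guard runtime; this observer is the only Rust-side reference to the map — confirm no other observer aliases it`. The two `unsafe` blocks on one line would also read better as a single block around the two arguments. `fuzz` continues past the end of the hunk.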
@@ -147,44 +99,41 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) -> } // Setup a basic mutator with a mutational stage - let mutator = HavocBytesMutator::default(); + let mutator = StdScheduledMutator::new(havoc_mutations()); let stage = StdMutationalStage::new(mutator); // A fuzzer with just one stage and a minimization+queue policy to get testcasess from the corpus + let mut fuzzer = StdFuzzer::new(tuple_list!(stage)); + + // A minimization+queue policy to get testcasess from the corpus let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new()); - let fuzzer = StdFuzzer::new(scheduler, tuple_list!(stage)); + + // The wrapped harness function, calling out to the LLVM-style harness + let mut harness = |buf: &[u8]| { + libfuzzer_test_one_input(buf); + ExitKind::Ok + }; // Create the executor for an in-process function with just one observer for edge coverage let mut executor = InProcessExecutor::new( - "in-process(edges,cmps,allocs)", - harness, - tuple_list!( - edges_observer, - cmps_observer, - allocs_observer, - TimeObserver::new("time") - ), + "in-process(edges,time)", + &mut harness, + tuple_list!(edges_observer, TimeObserver::new("time")), &mut state, &mut restarting_mgr, )?; // The actual target run starts here. // Call LLVMFUzzerInitialize() if present. - unsafe { - if afl_libfuzzer_init() == -1 { - println!("Warning: LLVMFuzzerInitialize failed with -1") - } + let args: Vec = env::args().collect(); + if libfuzzer_initialize(&args) == -1 { + println!("Warning: LLVMFuzzerInitialize failed with -1") } // In case the corpus is empty (on first run), reset if state.corpus().count() < 1 { state - .load_initial_inputs( - &mut executor, - &mut restarting_mgr, - fuzzer.scheduler(), - &corpus_dirs, - ) + .load_initial_inputs(&mut executor, &mut restarting_mgr, &scheduler, &corpus_dirs) .expect(&format!( "Failed to load initial corpus at {:?}", &corpus_dirs 
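Review bot: The context comment `// A fuzzer with just one stage and a minimization+queue policy to get testcasess from the corpus` now sits above `StdFuzzer::new(tuple_list!(stage))`, which no longer receives the scheduler; the scheduler is created two lines later under its own near-duplicate comment, so the first one is stale. Change it to `// A fuzzer with just one stage` and fix the typo in the second, `// A minimization+queue policy to get testcases from the corpus`. The new harness closure discards the `i32` returned by `libfuzzer_test_one_input`; if that is deliberate, say so inline with `// the libFuzzer-style return value is not used here`. `fuzz` continues outside the hunk.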
@@ -192,7 +141,7 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) -> println!("We imported {} inputs from disk.", state.corpus().count()); } - fuzzer.fuzz_loop(&mut state, &mut executor, &mut restarting_mgr)?; + fuzzer.fuzz_loop(&mut state, &mut executor, &mut restarting_mgr, &scheduler)?; // Never reached Ok(()) diff --git a/fuzzers/libfuzzer_stb_image/stb_image.h b/fuzzers/libfuzzer_stb_image/stb_image.h new file mode 100644 index 0000000000..6542ede682 --- /dev/null +++ b/fuzzers/libfuzzer_stb_image/stb_image.h 
@@ -0,0 +1,7762 @@ +/* stb_image - v2.26 - public domain image loader - http://nothings.org/stb + no warranty implied; use at your own risk + + Do this: + #define STB_IMAGE_IMPLEMENTATION + before you include this file in *one* C or C++ file to create the implementation. + + // i.e. it should look like this: + #include ... + #include ... + #include ... + #define STB_IMAGE_IMPLEMENTATION + #include "stb_image.h" + + You can #define STBI_ASSERT(x) before the #include to avoid using assert.h. + And #define STBI_MALLOC, STBI_REALLOC, and STBI_FREE to avoid using malloc,realloc,free + + + QUICK NOTES: + Primarily of interest to game developers and other people who can + avoid problematic images and only need the trivial interface + + JPEG baseline & progressive (12 bpc/arithmetic not supported, same as stock IJG lib) + PNG 1/2/4/8/16-bit-per-channel + + TGA (not sure what subset, if a subset) + BMP non-1bpp, non-RLE + PSD (composited view only, no extra channels, 8/16 bit-per-channel) + + GIF (*comp always reports as 4-channel) + HDR (radiance rgbE format) + PIC (Softimage PIC) + PNM (PPM and PGM binary only) + + Animated GIF still needs a proper API, but here's one way to do it: + http://gist.github.com/urraka/685d9a6340b26b830d49 + + - decode from memory or through FILE (define STBI_NO_STDIO to remove code) + - decode from arbitrary I/O callbacks + - SIMD acceleration on x86/x64 (SSE2) and ARM (NEON) + + Full documentation under "DOCUMENTATION" below. + + +LICENSE + + See end of file for license information. 
+ +RECENT REVISION HISTORY: + + 2.26 (2020-07-13) many minor fixes + 2.25 (2020-02-02) fix warnings + 2.24 (2020-02-02) fix warnings; thread-local failure_reason and flip_vertically + 2.23 (2019-08-11) fix clang static analysis warning + 2.22 (2019-03-04) gif fixes, fix warnings + 2.21 (2019-02-25) fix typo in comment + 2.20 (2019-02-07) support utf8 filenames in Windows; fix warnings and platform ifdefs + 2.19 (2018-02-11) fix warning + 2.18 (2018-01-30) fix warnings + 2.17 (2018-01-29) bugfix, 1-bit BMP, 16-bitness query, fix warnings + 2.16 (2017-07-23) all functions have 16-bit variants; optimizations; bugfixes + 2.15 (2017-03-18) fix png-1,2,4; all Imagenet JPGs; no runtime SSE detection on GCC + 2.14 (2017-03-03) remove deprecated STBI_JPEG_OLD; fixes for Imagenet JPGs + 2.13 (2016-12-04) experimental 16-bit API, only for PNG so far; fixes + 2.12 (2016-04-02) fix typo in 2.11 PSD fix that caused crashes + 2.11 (2016-04-02) 16-bit PNGS; enable SSE2 in non-gcc x64 + RGB-format JPEG; remove white matting in PSD; + allocate large structures on the stack; + correct channel count for PNG & BMP + 2.10 (2016-01-22) avoid warning introduced in 2.09 + 2.09 (2016-01-16) 16-bit TGA; comments in PNM files; STBI_REALLOC_SIZED + + See end of file for full revision history. 
+ + + ============================ Contributors ========================= + + Image formats Extensions, features + Sean Barrett (jpeg, png, bmp) Jetro Lauha (stbi_info) + Nicolas Schulz (hdr, psd) Martin "SpartanJ" Golini (stbi_info) + Jonathan Dummer (tga) James "moose2000" Brown (iPhone PNG) + Jean-Marc Lienher (gif) Ben "Disch" Wenger (io callbacks) + Tom Seddon (pic) Omar Cornut (1/2/4-bit PNG) + Thatcher Ulrich (psd) Nicolas Guillemot (vertical flip) + Ken Miller (pgm, ppm) Richard Mitton (16-bit PSD) + github:urraka (animated gif) Junggon Kim (PNM comments) + Christopher Forseth (animated gif) Daniel Gibson (16-bit TGA) + socks-the-fox (16-bit PNG) + Jeremy Sawicki (handle all ImageNet JPGs) + Optimizations & bugfixes Mikhail Morozov (1-bit BMP) + Fabian "ryg" Giesen Anael Seghezzi (is-16-bit query) + Arseny Kapoulkine + John-Mark Allen + Carmelo J Fdez-Aguera + + Bug & warning fixes + Marc LeBlanc David Woo Guillaume George Martins Mozeiko + Christpher Lloyd Jerry Jansson Joseph Thomson Blazej Dariusz Roszkowski + Phil Jordan Dave Moore Roy Eltham + Hayaki Saito Nathan Reed Won Chun + Luke Graham Johan Duparc Nick Verigakis the Horde3D community + Thomas Ruf Ronny Chevalier github:rlyeh + Janez Zemva John Bartholomew Michal Cichon github:romigrou + Jonathan Blow Ken Hamada Tero Hanninen github:svdijk + Laurent Gomila Cort Stratton github:snagar + Aruelien Pocheville Sergio Gonzalez Thibault Reuille github:Zelex + Cass Everitt Ryamond Barbiero github:grim210 + Paul Du Bois Engin Manap Aldo Culquicondor github:sammyhw + Philipp Wiesemann Dale Weiler Oriol Ferrer Mesia github:phprus + Josh Tobin Matthew Gregan github:poppolopoppo + Julian Raschke Gregory Mullen Christian Floisand github:darealshinji + Baldur Karlsson Kevin Schmidt JR Smith github:Michaelangel007 + Brad Weinberger Matvey Cherevko [reserved] + Luca Sas Alexander Veselov Zack Middleton [reserved] + Ryan C. 
Gordon [reserved] [reserved] + DO NOT ADD YOUR NAME HERE + + To add your name to the credits, pick a random blank space in the middle and fill it. + 80% of merge conflicts on stb PRs are due to people adding their name at the end + of the credits. +*/ + +#ifndef STBI_INCLUDE_STB_IMAGE_H +#define STBI_INCLUDE_STB_IMAGE_H + +// DOCUMENTATION +// +// Limitations: +// - no 12-bit-per-channel JPEG +// - no JPEGs with arithmetic coding +// - GIF always returns *comp=4 +// +// Basic usage (see HDR discussion below for HDR usage): +// int x,y,n; +// unsigned char *data = stbi_load(filename, &x, &y, &n, 0); +// // ... process data if not NULL ... +// // ... x = width, y = height, n = # 8-bit components per pixel ... +// // ... replace '0' with '1'..'4' to force that many components per pixel +// // ... but 'n' will always be the number that it would have been if you said 0 +// stbi_image_free(data) +// +// Standard parameters: +// int *x -- outputs image width in pixels +// int *y -- outputs image height in pixels +// int *channels_in_file -- outputs # of image components in image file +// int desired_channels -- if non-zero, # of image components requested in result +// +// The return value from an image loader is an 'unsigned char *' which points +// to the pixel data, or NULL on an allocation failure or if the image is +// corrupt or invalid. The pixel data consists of *y scanlines of *x pixels, +// with each pixel consisting of N interleaved 8-bit components; the first +// pixel pointed to is top-left-most in the image. There is no padding between +// image scanlines or between pixels, regardless of format. The number of +// components N is 'desired_channels' if desired_channels is non-zero, or +// *channels_in_file otherwise. If desired_channels is non-zero, +// *channels_in_file has the number of components that _would_ have been +// output otherwise. E.g. 
if you set desired_channels to 4, you will always +// get RGBA output, but you can check *channels_in_file to see if it's trivially +// opaque because e.g. there were only 3 channels in the source image. +// +// An output image with N components has the following components interleaved +// in this order in each pixel: +// +// N=#comp components +// 1 grey +// 2 grey, alpha +// 3 red, green, blue +// 4 red, green, blue, alpha +// +// If image loading fails for any reason, the return value will be NULL, +// and *x, *y, *channels_in_file will be unchanged. The function +// stbi_failure_reason() can be queried for an extremely brief, end-user +// unfriendly explanation of why the load failed. Define STBI_NO_FAILURE_STRINGS +// to avoid compiling these strings at all, and STBI_FAILURE_USERMSG to get slightly +// more user-friendly ones. +// +// Paletted PNG, BMP, GIF, and PIC images are automatically depalettized. +// +// =========================================================================== +// +// UNICODE: +// +// If compiling for Windows and you wish to use Unicode filenames, compile +// with +// #define STBI_WINDOWS_UTF8 +// and pass utf8-encoded filenames. Call stbi_convert_wchar_to_utf8 to convert +// Windows wchar_t filenames to utf8. +// +// =========================================================================== +// +// Philosophy +// +// stb libraries are designed with the following priorities: +// +// 1. easy to use +// 2. easy to maintain +// 3. good performance +// +// Sometimes I let "good performance" creep up in priority over "easy to maintain", +// and for best performance I may provide less-easy-to-use APIs that give higher +// performance, in addition to the easy-to-use ones. Nevertheless, it's important +// to keep in mind that from the standpoint of you, a client of this library, +// all you care about is #1 and #3, and stb libraries DO NOT emphasize #3 above all. 
+// +// Some secondary priorities arise directly from the first two, some of which +// provide more explicit reasons why performance can't be emphasized. +// +// - Portable ("ease of use") +// - Small source code footprint ("easy to maintain") +// - No dependencies ("ease of use") +// +// =========================================================================== +// +// I/O callbacks +// +// I/O callbacks allow you to read from arbitrary sources, like packaged +// files or some other source. Data read from callbacks are processed +// through a small internal buffer (currently 128 bytes) to try to reduce +// overhead. +// +// The three functions you must define are "read" (reads some bytes of data), +// "skip" (skips some bytes of data), "eof" (reports if the stream is at the end). +// +// =========================================================================== +// +// SIMD support +// +// The JPEG decoder will try to automatically use SIMD kernels on x86 when +// supported by the compiler. For ARM Neon support, you must explicitly +// request it. +// +// (The old do-it-yourself SIMD API is no longer supported in the current +// code.) +// +// On x86, SSE2 will automatically be used when available based on a run-time +// test; if not, the generic C versions are used as a fall-back. On ARM targets, +// the typical path is to have separate builds for NEON and non-NEON devices +// (at least this is true for iOS and Android). Therefore, the NEON support is +// toggled by a build flag: define STBI_NEON to get NEON loops. +// +// If for some reason you do not want to use any of SIMD code, or if +// you have issues compiling it, you can disable it entirely by +// defining STBI_NO_SIMD. +// +// =========================================================================== +// +// HDR image support (disable by defining STBI_NO_HDR) +// +// stb_image supports loading HDR images in general, and currently the Radiance +// .HDR file format specifically. 
You can still load any file through the existing +// interface; if you attempt to load an HDR file, it will be automatically remapped +// to LDR, assuming gamma 2.2 and an arbitrary scale factor defaulting to 1; +// both of these constants can be reconfigured through this interface: +// +// stbi_hdr_to_ldr_gamma(2.2f); +// stbi_hdr_to_ldr_scale(1.0f); +// +// (note, do not use _inverse_ constants; stbi_image will invert them +// appropriately). +// +// Additionally, there is a new, parallel interface for loading files as +// (linear) floats to preserve the full dynamic range: +// +// float *data = stbi_loadf(filename, &x, &y, &n, 0); +// +// If you load LDR images through this interface, those images will +// be promoted to floating point values, run through the inverse of +// constants corresponding to the above: +// +// stbi_ldr_to_hdr_scale(1.0f); +// stbi_ldr_to_hdr_gamma(2.2f); +// +// Finally, given a filename (or an open file or memory block--see header +// file for details) containing image data, you can query for the "most +// appropriate" interface to use (that is, whether the image is HDR or +// not), using: +// +// stbi_is_hdr(char *filename); +// +// =========================================================================== +// +// iPhone PNG support: +// +// By default we convert iphone-formatted PNGs back to RGB, even though +// they are internally encoded differently. You can disable this conversion +// by calling stbi_convert_iphone_png_to_rgb(0), in which case +// you will always just get the native iphone "format" through (which +// is BGR stored in RGB). +// +// Call stbi_set_unpremultiply_on_load(1) as well to force a divide per +// pixel to remove any premultiplied alpha *only* if the image file explicitly +// says there's premultiplied data (currently only happens in iPhone images, +// and only if iPhone convert-to-rgb processing is on). 
+//
+// ===========================================================================
+//
+// ADDITIONAL CONFIGURATION
+//
+// - You can suppress implementation of any of the decoders to reduce
+// your code footprint by #defining one or more of the following
+// symbols before creating the implementation.
+//
+// STBI_NO_JPEG
+// STBI_NO_PNG
+// STBI_NO_BMP
+// STBI_NO_PSD
+// STBI_NO_TGA
+// STBI_NO_GIF
+// STBI_NO_HDR
+// STBI_NO_PIC
+// STBI_NO_PNM (.ppm and .pgm)
+//
+// - You can request *only* certain decoders and suppress all other ones
+// (this will be more forward-compatible, as addition of new decoders
+// doesn't require you to disable them explicitly):
+//
+// STBI_ONLY_JPEG
+// STBI_ONLY_PNG
+// STBI_ONLY_BMP
+// STBI_ONLY_PSD
+// STBI_ONLY_TGA
+// STBI_ONLY_GIF
+// STBI_ONLY_HDR
+// STBI_ONLY_PIC
+// STBI_ONLY_PNM (.ppm and .pgm)
+//
+// - If you use STBI_NO_PNG (or _ONLY_ without PNG), and you still
+// want the zlib decoder to be available, #define STBI_SUPPORT_ZLIB
+//
+// - If you define STBI_MAX_DIMENSIONS, stb_image will reject images greater
+// than that size (in either width or height) without further processing.
+// This is to let programs in the wild set an upper bound to prevent
+// denial-of-service attacks on untrusted data, as one could generate a
+// valid image of gigantic dimensions and force stb_image to allocate a
+// huge block of memory and spend disproportionate time decoding it. By
+// default this is set to (1 << 24), which is 16777216, but that's still
+// very big.
+
+#ifndef STBI_NO_STDIO
+#include
+#endif // STBI_NO_STDIO
+
+#define STBI_VERSION 1
+
+enum
+{
+ STBI_default = 0, // only used for desired_channels
+
+ STBI_grey = 1,
+ STBI_grey_alpha = 2,
+ STBI_rgb = 3,
+ STBI_rgb_alpha = 4
+};
+
+#include
+typedef unsigned char stbi_uc;
+typedef unsigned short stbi_us;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef STBIDEF
+#ifdef STB_IMAGE_STATIC
+#define STBIDEF static
+#else
+#define STBIDEF extern
+#endif
+#endif
+
+//////////////////////////////////////////////////////////////////////////////
+//
+// PRIMARY API - works on images of any type
+//
+
+//
+// load image by filename, open file, or memory buffer
+//
+
+typedef struct
+{
+ int (*read) (void *user,char *data,int size); // fill 'data' with 'size' bytes. return number of bytes actually read
+ void (*skip) (void *user,int n); // skip the next 'n' bytes, or 'unget' the last -n bytes if negative
+ int (*eof) (void *user); // returns nonzero if we are at end of file/data
+} stbi_io_callbacks;
+
+////////////////////////////////////
+//
+// 8-bits-per-channel interface
+//
+
+STBIDEF stbi_uc *stbi_load_from_memory (stbi_uc const *buffer, int len , int *x, int *y, int *channels_in_file, int desired_channels);
+STBIDEF stbi_uc *stbi_load_from_callbacks(stbi_io_callbacks const *clbk , void *user, int *x, int *y, int *channels_in_file, int desired_channels);
+
+#ifndef STBI_NO_STDIO
+STBIDEF stbi_uc *stbi_load (char const *filename, int *x, int *y, int *channels_in_file, int desired_channels);
+STBIDEF stbi_uc *stbi_load_from_file (FILE *f, int *x, int *y, int *channels_in_file, int desired_channels);
+// for stbi_load_from_file, file pointer is left pointing immediately after image
+#endif
+
+#ifndef STBI_NO_GIF
+STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int **delays, int *x, int *y, int *z, int *comp, int req_comp);
+#endif
+
+#ifdef STBI_WINDOWS_UTF8
+STBIDEF int stbi_convert_wchar_to_utf8(char *buffer, size_t bufferlen, const wchar_t* input);
+#endif
+
+////////////////////////////////////
+//
+// 16-bits-per-channel interface
+//
+
+STBIDEF stbi_us *stbi_load_16_from_memory (stbi_uc const *buffer, int len, int *x, int *y, int *channels_in_file, int desired_channels);
+STBIDEF stbi_us *stbi_load_16_from_callbacks(stbi_io_callbacks const *clbk, void *user, int *x, int *y, int *channels_in_file, int desired_channels);
+
+#ifndef STBI_NO_STDIO
+STBIDEF stbi_us *stbi_load_16 (char const *filename, int *x, int *y, int *channels_in_file, int desired_channels);
+STBIDEF stbi_us *stbi_load_from_file_16(FILE *f, int *x, int *y, int *channels_in_file, int desired_channels);
+#endif
+
+////////////////////////////////////
+//
+// float-per-channel interface
+//
+#ifndef STBI_NO_LINEAR
+ STBIDEF float *stbi_loadf_from_memory (stbi_uc const *buffer, int len, int *x, int *y, int *channels_in_file, int desired_channels);
+ STBIDEF float *stbi_loadf_from_callbacks (stbi_io_callbacks const *clbk, void *user, int *x, int *y, int *channels_in_file, int desired_channels);
+
+ #ifndef STBI_NO_STDIO
+ STBIDEF float *stbi_loadf (char const *filename, int *x, int *y, int *channels_in_file, int desired_channels);
+ STBIDEF float *stbi_loadf_from_file (FILE *f, int *x, int *y, int *channels_in_file, int desired_channels);
+ #endif
+#endif
+
+#ifndef STBI_NO_HDR
+ STBIDEF void stbi_hdr_to_ldr_gamma(float gamma);
+ STBIDEF void stbi_hdr_to_ldr_scale(float scale);
+#endif // STBI_NO_HDR
+
+#ifndef STBI_NO_LINEAR
+ STBIDEF void stbi_ldr_to_hdr_gamma(float gamma);
+ STBIDEF void stbi_ldr_to_hdr_scale(float scale);
+#endif // STBI_NO_LINEAR
+
+// stbi_is_hdr is always defined, but always returns false if STBI_NO_HDR
+STBIDEF int stbi_is_hdr_from_callbacks(stbi_io_callbacks const *clbk, void *user);
+STBIDEF int stbi_is_hdr_from_memory(stbi_uc const *buffer, int len);
+#ifndef STBI_NO_STDIO
+STBIDEF int stbi_is_hdr (char const *filename);
+STBIDEF int stbi_is_hdr_from_file(FILE *f);
+#endif // STBI_NO_STDIO
+
+
+// get a VERY brief reason for failure
+// on most compilers (and ALL modern mainstream compilers) this is threadsafe
+STBIDEF const char *stbi_failure_reason (void);
+
+// free the loaded image -- this is just free()
+STBIDEF void stbi_image_free (void *retval_from_stbi_load);
+
+// get image dimensions & components without fully decoding
+STBIDEF int stbi_info_from_memory(stbi_uc const *buffer, int len, int *x, int *y, int *comp);
+STBIDEF int stbi_info_from_callbacks(stbi_io_callbacks const *clbk, void *user, int *x, int *y, int *comp);
+STBIDEF int stbi_is_16_bit_from_memory(stbi_uc const *buffer, int len);
+STBIDEF int stbi_is_16_bit_from_callbacks(stbi_io_callbacks const *clbk, void *user);
+
+#ifndef STBI_NO_STDIO
+STBIDEF int stbi_info (char const *filename, int *x, int *y, int *comp);
+STBIDEF int stbi_info_from_file (FILE *f, int *x, int *y, int *comp);
+STBIDEF int stbi_is_16_bit (char const *filename);
+STBIDEF int stbi_is_16_bit_from_file(FILE *f);
+#endif
+
+
+
+// for image formats that explicitly notate that they have premultiplied alpha,
+// we just return the colors as stored in the file. set this flag to force
+// unpremultiplication. results are undefined if the unpremultiply overflow.
+STBIDEF void stbi_set_unpremultiply_on_load(int flag_true_if_should_unpremultiply);
+
+// indicate whether we should process iphone images back to canonical format,
+// or just pass them through "as-is"
+STBIDEF void stbi_convert_iphone_png_to_rgb(int flag_true_if_should_convert);
+
+// flip the image vertically, so the first pixel in the output array is the bottom left
+STBIDEF void stbi_set_flip_vertically_on_load(int flag_true_if_should_flip);
+
+// as above, but only applies to images loaded on the thread that calls the function
+// this function is only available if your compiler supports thread-local variables;
+// calling it will fail to link if your compiler doesn't
+STBIDEF void stbi_set_flip_vertically_on_load_thread(int flag_true_if_should_flip);
+
+// ZLIB client - used by PNG, available for other purposes
+
+STBIDEF char *stbi_zlib_decode_malloc_guesssize(const char *buffer, int len, int initial_size, int *outlen);
+STBIDEF char *stbi_zlib_decode_malloc_guesssize_headerflag(const char *buffer, int len, int initial_size, int *outlen, int parse_header);
+STBIDEF char *stbi_zlib_decode_malloc(const char *buffer, int len, int *outlen);
+STBIDEF int stbi_zlib_decode_buffer(char *obuffer, int olen, const char *ibuffer, int ilen);
+
+STBIDEF char *stbi_zlib_decode_noheader_malloc(const char *buffer, int len, int *outlen);
+STBIDEF int stbi_zlib_decode_noheader_buffer(char *obuffer, int olen, const char *ibuffer, int ilen);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+//
+//
+//// end header file /////////////////////////////////////////////////////
+#endif // STBI_INCLUDE_STB_IMAGE_H
+
+#ifdef STB_IMAGE_IMPLEMENTATION
+
+#if defined(STBI_ONLY_JPEG) || defined(STBI_ONLY_PNG) || defined(STBI_ONLY_BMP) \
+ || defined(STBI_ONLY_TGA) || defined(STBI_ONLY_GIF) || defined(STBI_ONLY_PSD) \
+ || defined(STBI_ONLY_HDR) || defined(STBI_ONLY_PIC) || defined(STBI_ONLY_PNM) \
+ || defined(STBI_ONLY_ZLIB)
+ #ifndef STBI_ONLY_JPEG
+ #define STBI_NO_JPEG
+ #endif
+ #ifndef STBI_ONLY_PNG
+ #define STBI_NO_PNG
+ #endif
+ #ifndef STBI_ONLY_BMP
+ #define STBI_NO_BMP
+ #endif
+ #ifndef STBI_ONLY_PSD
+ #define STBI_NO_PSD
+ #endif
+ #ifndef STBI_ONLY_TGA
+ #define STBI_NO_TGA
+ #endif
+ #ifndef STBI_ONLY_GIF
+ #define STBI_NO_GIF
+ #endif
+ #ifndef STBI_ONLY_HDR
+ #define STBI_NO_HDR
+ #endif
+ #ifndef STBI_ONLY_PIC
+ #define STBI_NO_PIC
+ #endif
+ #ifndef STBI_ONLY_PNM
+ #define STBI_NO_PNM
+ #endif
+#endif
+
+#if defined(STBI_NO_PNG) && !defined(STBI_SUPPORT_ZLIB) && !defined(STBI_NO_ZLIB)
+#define STBI_NO_ZLIB
+#endif
+
+
+#include
+#include // ptrdiff_t on osx
+#include
+#include
+#include
+
+#if !defined(STBI_NO_LINEAR) || !defined(STBI_NO_HDR)
+#include // ldexp, pow
+#endif
+
+#ifndef STBI_NO_STDIO
+#include
+#endif
+
+#ifndef STBI_ASSERT
+#include
+#define STBI_ASSERT(x) assert(x)
+#endif
+
+#ifdef __cplusplus
+#define STBI_EXTERN extern "C"
+#else
+#define STBI_EXTERN extern
+#endif
+
+
+#ifndef _MSC_VER
+ #ifdef __cplusplus
+ #define stbi_inline inline
+ #else
+ #define stbi_inline
+ #endif
+#else
+ #define stbi_inline __forceinline
+#endif
+
+#ifndef STBI_NO_THREAD_LOCALS
+ #if defined(__cplusplus) && __cplusplus >= 201103L
+ #define STBI_THREAD_LOCAL thread_local
+ #elif defined(__GNUC__) && __GNUC__ < 5
+ #define STBI_THREAD_LOCAL __thread
+ #elif defined(_MSC_VER)
+ #define STBI_THREAD_LOCAL __declspec(thread)
+ #elif defined (__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && !defined(__STDC_NO_THREADS__)
+ #define STBI_THREAD_LOCAL _Thread_local
+ #endif
+
+ #ifndef STBI_THREAD_LOCAL
+ #if defined(__GNUC__)
+ #define STBI_THREAD_LOCAL __thread
+ #endif
+ #endif
+#endif
+
+#ifdef _MSC_VER
+typedef unsigned short stbi__uint16;
+typedef signed short stbi__int16;
+typedef unsigned int stbi__uint32;
+typedef signed int stbi__int32;
+#else
+#include
+typedef uint16_t stbi__uint16;
+typedef int16_t stbi__int16;
+typedef uint32_t stbi__uint32;
+typedef int32_t stbi__int32;
+#endif
+
+// should produce compiler error if size is wrong
+typedef unsigned char validate_uint32[sizeof(stbi__uint32)==4 ? 1 : -1];
+
+#ifdef _MSC_VER
+#define STBI_NOTUSED(v) (void)(v)
+#else
+#define STBI_NOTUSED(v) (void)sizeof(v)
+#endif
+
+#ifdef _MSC_VER
+#define STBI_HAS_LROTL
+#endif
+
+#ifdef STBI_HAS_LROTL
+ #define stbi_lrot(x,y) _lrotl(x,y)
+#else
+ #define stbi_lrot(x,y) (((x) << (y)) | ((x) >> (32 - (y))))
+#endif
+
+#if defined(STBI_MALLOC) && defined(STBI_FREE) && (defined(STBI_REALLOC) || defined(STBI_REALLOC_SIZED))
+// ok
+#elif !defined(STBI_MALLOC) && !defined(STBI_FREE) && !defined(STBI_REALLOC) && !defined(STBI_REALLOC_SIZED)
+// ok
+#else
+#error "Must define all or none of STBI_MALLOC, STBI_FREE, and STBI_REALLOC (or STBI_REALLOC_SIZED)."
+#endif
+
+#ifndef STBI_MALLOC
+#define STBI_MALLOC(sz) malloc(sz)
+#define STBI_REALLOC(p,newsz) realloc(p,newsz)
+#define STBI_FREE(p) free(p)
+#endif
+
+#ifndef STBI_REALLOC_SIZED
+#define STBI_REALLOC_SIZED(p,oldsz,newsz) STBI_REALLOC(p,newsz)
+#endif
+
+// x86/x64 detection
+#if defined(__x86_64__) || defined(_M_X64)
+#define STBI__X64_TARGET
+#elif defined(__i386) || defined(_M_IX86)
+#define STBI__X86_TARGET
+#endif
+
+#if defined(__GNUC__) && defined(STBI__X86_TARGET) && !defined(__SSE2__) && !defined(STBI_NO_SIMD)
+// gcc doesn't support sse2 intrinsics unless you compile with -msse2,
+// which in turn means it gets to use SSE2 everywhere. This is unfortunate,
+// but previous attempts to provide the SSE2 functions with runtime
+// detection caused numerous issues. The way architecture extensions are
+// exposed in GCC/Clang is, sadly, not really suited for one-file libs.
+// New behavior: if compiled with -msse2, we use SSE2 without any
+// detection; if not, we don't use it at all.
+#define STBI_NO_SIMD
+#endif
+
+#if defined(__MINGW32__) && defined(STBI__X86_TARGET) && !defined(STBI_MINGW_ENABLE_SSE2) && !defined(STBI_NO_SIMD)
+// Note that __MINGW32__ doesn't actually mean 32-bit, so we have to avoid STBI__X64_TARGET
+//
+// 32-bit MinGW wants ESP to be 16-byte aligned, but this is not in the
+// Windows ABI and VC++ as well as Windows DLLs don't maintain that invariant.
+// As a result, enabling SSE2 on 32-bit MinGW is dangerous when not
+// simultaneously enabling "-mstackrealign".
+//
+// See https://github.com/nothings/stb/issues/81 for more information.
+//
+// So default to no SSE2 on 32-bit MinGW. If you've read this far and added
+// -mstackrealign to your build settings, feel free to #define STBI_MINGW_ENABLE_SSE2.
+#define STBI_NO_SIMD
+#endif
+
+#if !defined(STBI_NO_SIMD) && (defined(STBI__X86_TARGET) || defined(STBI__X64_TARGET))
+#define STBI_SSE2
+#include
+
+#ifdef _MSC_VER
+
+#if _MSC_VER >= 1400 // not VC6
+#include // __cpuid
+static int stbi__cpuid3(void)
+{
+ int info[4];
+ __cpuid(info,1);
+ return info[3];
+}
+#else
+static int stbi__cpuid3(void)
+{
+ int res;
+ __asm {
+ mov eax,1
+ cpuid
+ mov res,edx
+ }
+ return res;
+}
+#endif
+
+#define STBI_SIMD_ALIGN(type, name) __declspec(align(16)) type name
+
+#if !defined(STBI_NO_JPEG) && defined(STBI_SSE2)
+static int stbi__sse2_available(void)
+{
+ int info3 = stbi__cpuid3();
+ return ((info3 >> 26) & 1) != 0;
+}
+#endif
+
+#else // assume GCC-style if not VC++
+#define STBI_SIMD_ALIGN(type, name) type name __attribute__((aligned(16)))
+
+#if !defined(STBI_NO_JPEG) && defined(STBI_SSE2)
+static int stbi__sse2_available(void)
+{
+ // If we're even attempting to compile this on GCC/Clang, that means
+ // -msse2 is on, which means the compiler is allowed to use SSE2
+ // instructions at will, and so are we.
+ return 1;
+}
+#endif
+
+#endif
+#endif
+
+// ARM NEON
+#if defined(STBI_NO_SIMD) && defined(STBI_NEON)
+#undef STBI_NEON
+#endif
+
+#ifdef STBI_NEON
+#include
+// assume GCC or Clang on ARM targets
+#define STBI_SIMD_ALIGN(type, name) type name __attribute__((aligned(16)))
+#endif
+
+#ifndef STBI_SIMD_ALIGN
+#define STBI_SIMD_ALIGN(type, name) type name
+#endif
+
+#ifndef STBI_MAX_DIMENSIONS
+#define STBI_MAX_DIMENSIONS (1 << 24)
+#endif
+
+///////////////////////////////////////////////
+//
+// stbi__context struct and start_xxx functions
+
+// stbi__context structure is our basic context used by all images, so it
+// contains all the IO context, plus some basic image information
+typedef struct
+{
+ stbi__uint32 img_x, img_y;
+ int img_n, img_out_n;
+
+ stbi_io_callbacks io;
+ void *io_user_data;
+
+ int read_from_callbacks;
+ int buflen;
+ stbi_uc buffer_start[128];
+ int callback_already_read;
+
+ stbi_uc *img_buffer, *img_buffer_end;
+ stbi_uc *img_buffer_original, *img_buffer_original_end;
+} stbi__context;
+
+
+static void stbi__refill_buffer(stbi__context *s);
+
+// initialize a memory-decode context
+static void stbi__start_mem(stbi__context *s, stbi_uc const *buffer, int len)
+{
+ s->io.read = NULL;
+ s->read_from_callbacks = 0;
+ s->callback_already_read = 0;
+ s->img_buffer = s->img_buffer_original = (stbi_uc *) buffer;
+ s->img_buffer_end = s->img_buffer_original_end = (stbi_uc *) buffer+len;
+}
+
+// initialize a callback-based context
+static void stbi__start_callbacks(stbi__context *s, stbi_io_callbacks *c, void *user)
+{
+ s->io = *c;
+ s->io_user_data = user;
+ s->buflen = sizeof(s->buffer_start);
+ s->read_from_callbacks = 1;
+ s->callback_already_read = 0;
+ s->img_buffer = s->img_buffer_original = s->buffer_start;
+ stbi__refill_buffer(s);
+ s->img_buffer_original_end = s->img_buffer_end;
+}
+
+#ifndef STBI_NO_STDIO
+
+static int stbi__stdio_read(void *user, char *data, int size)
+{
+ return (int) fread(data,1,size,(FILE*) user);
+}
+
+static void stbi__stdio_skip(void *user, int n)
+{
+ int ch;
+ fseek((FILE*) user, n, SEEK_CUR);
+ ch = fgetc((FILE*) user); /* have to read a byte to reset feof()'s flag */
+ if (ch != EOF) {
+ ungetc(ch, (FILE *) user); /* push byte back onto stream if valid. */
+ }
+}
+
+static int stbi__stdio_eof(void *user)
+{
+ return feof((FILE*) user) || ferror((FILE *) user);
+}
+
+static stbi_io_callbacks stbi__stdio_callbacks =
+{
+ stbi__stdio_read,
+ stbi__stdio_skip,
+ stbi__stdio_eof,
+};
+
+static void stbi__start_file(stbi__context *s, FILE *f)
+{
+ stbi__start_callbacks(s, &stbi__stdio_callbacks, (void *) f);
+}
+
+//static void stop_file(stbi__context *s) { }
+
+#endif // !STBI_NO_STDIO
+
+static void stbi__rewind(stbi__context *s)
+{
+ // conceptually rewind SHOULD rewind to the beginning of the stream,
+ // but we just rewind to the beginning of the initial buffer, because
+ // we only use it after doing 'test', which only ever looks at at most 92 bytes
+ s->img_buffer = s->img_buffer_original;
+ s->img_buffer_end = s->img_buffer_original_end;
+}
+
+enum
+{
+ STBI_ORDER_RGB,
+ STBI_ORDER_BGR
+};
+
+typedef struct
+{
+ int bits_per_channel;
+ int num_channels;
+ int channel_order;
+} stbi__result_info;
+
+#ifndef STBI_NO_JPEG
+static int stbi__jpeg_test(stbi__context *s);
+static void *stbi__jpeg_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri);
+static int stbi__jpeg_info(stbi__context *s, int *x, int *y, int *comp);
+#endif
+
+#ifndef STBI_NO_PNG
+static int stbi__png_test(stbi__context *s);
+static void *stbi__png_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri);
+static int stbi__png_info(stbi__context *s, int *x, int *y, int *comp);
+static int stbi__png_is16(stbi__context *s);
+#endif
+
+#ifndef STBI_NO_BMP
+static int stbi__bmp_test(stbi__context *s);
+static void *stbi__bmp_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri);
+static int stbi__bmp_info(stbi__context *s, int *x, int *y, int *comp);
+#endif
+
+#ifndef STBI_NO_TGA
+static int stbi__tga_test(stbi__context *s);
+static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri);
+static int stbi__tga_info(stbi__context *s, int *x, int *y, int *comp);
+#endif
+
+#ifndef STBI_NO_PSD
+static int stbi__psd_test(stbi__context *s);
+static void *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri, int bpc);
+static int stbi__psd_info(stbi__context *s, int *x, int *y, int *comp);
+static int stbi__psd_is16(stbi__context *s);
+#endif
+
+#ifndef STBI_NO_HDR
+static int stbi__hdr_test(stbi__context *s);
+static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri);
+static int stbi__hdr_info(stbi__context *s, int *x, int *y, int *comp);
+#endif
+
+#ifndef STBI_NO_PIC
+static int stbi__pic_test(stbi__context *s);
+static void *stbi__pic_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri);
+static int stbi__pic_info(stbi__context *s, int *x, int *y, int *comp);
+#endif
+
+#ifndef STBI_NO_GIF
+static int stbi__gif_test(stbi__context *s);
+static void *stbi__gif_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri);
+static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y, int *z, int *comp, int req_comp);
+static int stbi__gif_info(stbi__context *s, int *x, int *y, int *comp);
+#endif
+
+#ifndef STBI_NO_PNM
+static int stbi__pnm_test(stbi__context *s);
+static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri);
+static int stbi__pnm_info(stbi__context *s, int *x, int *y, int *comp);
+#endif
+
+static
+#ifdef STBI_THREAD_LOCAL
+STBI_THREAD_LOCAL
+#endif
+const char *stbi__g_failure_reason;
+
+STBIDEF const char *stbi_failure_reason(void)
+{
+ return stbi__g_failure_reason;
+}
+
+#ifndef STBI_NO_FAILURE_STRINGS
+static int stbi__err(const char *str)
+{
+ stbi__g_failure_reason = str;
+ return 0;
+}
+#endif
+
+static void *stbi__malloc(size_t size)
+{
+ return STBI_MALLOC(size);
+}
+
+// stb_image uses ints pervasively, including for offset calculations.
+// therefore the largest decoded image size we can support with the
+// current code, even on 64-bit targets, is INT_MAX. this is not a
+// significant limitation for the intended use case.
+//
+// we do, however, need to make sure our size calculations don't
+// overflow. hence a few helper functions for size calculations that
+// multiply integers together, making sure that they're non-negative
+// and no overflow occurs.
+
+// return 1 if the sum is valid, 0 on overflow.
+// negative terms are considered invalid.
+static int stbi__addsizes_valid(int a, int b)
+{
+ if (b < 0) return 0;
+ // now 0 <= b <= INT_MAX, hence also
+ // 0 <= INT_MAX - b <= INTMAX.
+ // And "a + b <= INT_MAX" (which might overflow) is the
+ // same as a <= INT_MAX - b (no overflow)
+ return a <= INT_MAX - b;
+}
+
+// returns 1 if the product is valid, 0 on overflow.
+// negative factors are considered invalid.
+static int stbi__mul2sizes_valid(int a, int b)
+{
+ if (a < 0 || b < 0) return 0;
+ if (b == 0) return 1; // mul-by-0 is always safe
+ // portable way to check for no overflows in a*b
+ return a <= INT_MAX/b;
+}
+
+#if !defined(STBI_NO_JPEG) || !defined(STBI_NO_PNG) || !defined(STBI_NO_TGA) || !defined(STBI_NO_HDR)
+// returns 1 if "a*b + add" has no negative terms/factors and doesn't overflow
+static int stbi__mad2sizes_valid(int a, int b, int add)
+{
+ return stbi__mul2sizes_valid(a, b) && stbi__addsizes_valid(a*b, add);
+}
+#endif
+
+// returns 1 if "a*b*c + add" has no negative terms/factors and doesn't overflow
+static int stbi__mad3sizes_valid(int a, int b, int c, int add)
+{
+ return stbi__mul2sizes_valid(a, b) && stbi__mul2sizes_valid(a*b, c) &&
+ stbi__addsizes_valid(a*b*c, add);
+}
+
+// returns 1 if "a*b*c*d + add" has no negative terms/factors and doesn't overflow
+#if !defined(STBI_NO_LINEAR) || !defined(STBI_NO_HDR)
+static int stbi__mad4sizes_valid(int a, int b, int c, int d, int add)
+{
+ return stbi__mul2sizes_valid(a, b) && stbi__mul2sizes_valid(a*b, c) &&
+ stbi__mul2sizes_valid(a*b*c, d) && stbi__addsizes_valid(a*b*c*d, add);
+}
+#endif
+
+#if !defined(STBI_NO_JPEG) || !defined(STBI_NO_PNG) || !defined(STBI_NO_TGA) || !defined(STBI_NO_HDR)
+// mallocs with size overflow checking
+static void *stbi__malloc_mad2(int a, int b, int add)
+{
+ if (!stbi__mad2sizes_valid(a, b, add)) return NULL;
+ return stbi__malloc(a*b + add);
+}
+#endif
+
+static void *stbi__malloc_mad3(int a, int b, int c, int add)
+{
+ if (!stbi__mad3sizes_valid(a, b, c, add)) return NULL;
+ return stbi__malloc(a*b*c + add);
+}
+
+#if !defined(STBI_NO_LINEAR) || !defined(STBI_NO_HDR)
+static void *stbi__malloc_mad4(int a, int b, int c, int d, int add)
+{
+ if (!stbi__mad4sizes_valid(a, b, c, d, add)) return NULL;
+ return stbi__malloc(a*b*c*d + add);
+}
+#endif
+
+// stbi__err - error
+// stbi__errpf - error returning pointer to float
+// stbi__errpuc - error returning pointer to unsigned char
+
+#ifdef STBI_NO_FAILURE_STRINGS
+ #define stbi__err(x,y) 0
+#elif defined(STBI_FAILURE_USERMSG)
+ #define stbi__err(x,y) stbi__err(y)
+#else
+ #define stbi__err(x,y) stbi__err(x)
+#endif
+
+#define stbi__errpf(x,y) ((float *)(size_t) (stbi__err(x,y)?NULL:NULL))
+#define stbi__errpuc(x,y) ((unsigned char *)(size_t) (stbi__err(x,y)?NULL:NULL))
+
+STBIDEF void stbi_image_free(void *retval_from_stbi_load)
+{
+ STBI_FREE(retval_from_stbi_load);
+}
+
+#ifndef STBI_NO_LINEAR
+static float *stbi__ldr_to_hdr(stbi_uc *data, int x, int y, int comp);
+#endif
+
+#ifndef STBI_NO_HDR
+static stbi_uc *stbi__hdr_to_ldr(float *data, int x, int y, int comp);
+#endif
+
+static int stbi__vertically_flip_on_load_global = 0;
+
+STBIDEF void stbi_set_flip_vertically_on_load(int flag_true_if_should_flip)
+{
+ stbi__vertically_flip_on_load_global = flag_true_if_should_flip;
+}
+
+#ifndef STBI_THREAD_LOCAL
+#define stbi__vertically_flip_on_load stbi__vertically_flip_on_load_global
+#else
+static STBI_THREAD_LOCAL int stbi__vertically_flip_on_load_local, stbi__vertically_flip_on_load_set;
+
+STBIDEF void stbi_set_flip_vertically_on_load_thread(int flag_true_if_should_flip)
+{
+ stbi__vertically_flip_on_load_local = flag_true_if_should_flip;
+ stbi__vertically_flip_on_load_set = 1;
+}
+
+#define stbi__vertically_flip_on_load (stbi__vertically_flip_on_load_set \
+ ? stbi__vertically_flip_on_load_local \
+ : stbi__vertically_flip_on_load_global)
+#endif // STBI_THREAD_LOCAL
+
+static void *stbi__load_main(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri, int bpc)
+{
+ memset(ri, 0, sizeof(*ri)); // make sure it's initialized if we add new fields
+ ri->bits_per_channel = 8; // default is 8 so most paths don't have to be changed
+ ri->channel_order = STBI_ORDER_RGB; // all current input & output are this, but this is here so we can add BGR order
+ ri->num_channels = 0;
+
+ #ifndef STBI_NO_JPEG
+ if (stbi__jpeg_test(s)) return stbi__jpeg_load(s,x,y,comp,req_comp, ri);
+ #endif
+ #ifndef STBI_NO_PNG
+ if (stbi__png_test(s)) return stbi__png_load(s,x,y,comp,req_comp, ri);
+ #endif
+ #ifndef STBI_NO_BMP
+ if (stbi__bmp_test(s)) return stbi__bmp_load(s,x,y,comp,req_comp, ri);
+ #endif
+ #ifndef STBI_NO_GIF
+ if (stbi__gif_test(s)) return stbi__gif_load(s,x,y,comp,req_comp, ri);
+ #endif
+ #ifndef STBI_NO_PSD
+ if (stbi__psd_test(s)) return stbi__psd_load(s,x,y,comp,req_comp, ri, bpc);
+ #else
+ STBI_NOTUSED(bpc);
+ #endif
+ #ifndef STBI_NO_PIC
+ if (stbi__pic_test(s)) return stbi__pic_load(s,x,y,comp,req_comp, ri);
+ #endif
+ #ifndef STBI_NO_PNM
+ if (stbi__pnm_test(s)) return stbi__pnm_load(s,x,y,comp,req_comp, ri);
+ #endif
+
+ #ifndef STBI_NO_HDR
+ if (stbi__hdr_test(s)) {
+ float *hdr = stbi__hdr_load(s, x,y,comp,req_comp, ri);
+ return stbi__hdr_to_ldr(hdr, *x, *y, req_comp ? req_comp : *comp);
+ }
+ #endif
+
+ #ifndef STBI_NO_TGA
+ // test tga last because it's a crappy test!
+ if (stbi__tga_test(s))
+ return stbi__tga_load(s,x,y,comp,req_comp, ri);
+ #endif
+
+ return stbi__errpuc("unknown image type", "Image not of any known type, or corrupt");
+}
+
+static stbi_uc *stbi__convert_16_to_8(stbi__uint16 *orig, int w, int h, int channels)
+{
+ int i;
+ int img_len = w * h * channels;
+ stbi_uc *reduced;
+
+ reduced = (stbi_uc *) stbi__malloc(img_len);
+ if (reduced == NULL) return stbi__errpuc("outofmem", "Out of memory");
+
+ for (i = 0; i < img_len; ++i)
+ reduced[i] = (stbi_uc)((orig[i] >> 8) & 0xFF); // top half of each byte is sufficient approx of 16->8 bit scaling
+
+ STBI_FREE(orig);
+ return reduced;
+}
+
+static stbi__uint16 *stbi__convert_8_to_16(stbi_uc *orig, int w, int h, int channels)
+{
+ int i;
+ int img_len = w * h * channels;
+ stbi__uint16 *enlarged;
+
+ enlarged = (stbi__uint16 *) stbi__malloc(img_len*2);
+ if (enlarged == NULL) return (stbi__uint16 *) stbi__errpuc("outofmem", "Out of memory");
+
+ for (i = 0; i < img_len; ++i)
+ enlarged[i] = (stbi__uint16)((orig[i] << 8) + orig[i]); // replicate to high and low byte, maps 0->0, 255->0xffff
+
+ STBI_FREE(orig);
+ return enlarged;
+}
+
+static void stbi__vertical_flip(void *image, int w, int h, int bytes_per_pixel)
+{
+ int row;
+ size_t bytes_per_row = (size_t)w * bytes_per_pixel;
+ stbi_uc temp[2048];
+ stbi_uc *bytes = (stbi_uc *)image;
+
+ for (row = 0; row < (h>>1); row++) {
+ stbi_uc *row0 = bytes + row*bytes_per_row;
+ stbi_uc *row1 = bytes + (h - row - 1)*bytes_per_row;
+ // swap row0 with row1
+ size_t bytes_left = bytes_per_row;
+ while (bytes_left) {
+ size_t bytes_copy = (bytes_left < sizeof(temp)) ? bytes_left : sizeof(temp);
+ memcpy(temp, row0, bytes_copy);
+ memcpy(row0, row1, bytes_copy);
+ memcpy(row1, temp, bytes_copy);
+ row0 += bytes_copy;
+ row1 += bytes_copy;
+ bytes_left -= bytes_copy;
+ }
+ }
+}
+
+#ifndef STBI_NO_GIF
+static void stbi__vertical_flip_slices(void *image, int w, int h, int z, int bytes_per_pixel)
+{
+ int slice;
+ int slice_size = w * h * bytes_per_pixel;
+
+ stbi_uc *bytes = (stbi_uc *)image;
+ for (slice = 0; slice < z; ++slice) {
+ stbi__vertical_flip(bytes, w, h, bytes_per_pixel);
+ bytes += slice_size;
+ }
+}
+#endif
+
+static unsigned char *stbi__load_and_postprocess_8bit(stbi__context *s, int *x, int *y, int *comp, int req_comp)
+{
+ stbi__result_info ri;
+ void *result = stbi__load_main(s, x, y, comp, req_comp, &ri, 8);
+
+ if (result == NULL)
+ return NULL;
+
+ // it is the responsibility of the loaders to make sure we get either 8 or 16 bit.
+ STBI_ASSERT(ri.bits_per_channel == 8 || ri.bits_per_channel == 16);
+
+ if (ri.bits_per_channel != 8) {
+ result = stbi__convert_16_to_8((stbi__uint16 *) result, *x, *y, req_comp == 0 ? *comp : req_comp);
+ ri.bits_per_channel = 8;
+ }
+
+ // @TODO: move stbi__convert_format to here
+
+ if (stbi__vertically_flip_on_load) {
+ int channels = req_comp ? req_comp : *comp;
+ stbi__vertical_flip(result, *x, *y, channels * sizeof(stbi_uc));
+ }
+
+ return (unsigned char *) result;
+}
+
+static stbi__uint16 *stbi__load_and_postprocess_16bit(stbi__context *s, int *x, int *y, int *comp, int req_comp)
+{
+ stbi__result_info ri;
+ void *result = stbi__load_main(s, x, y, comp, req_comp, &ri, 16);
+
+ if (result == NULL)
+ return NULL;
+
+ // it is the responsibility of the loaders to make sure we get either 8 or 16 bit.
+ STBI_ASSERT(ri.bits_per_channel == 8 || ri.bits_per_channel == 16);
+
+ if (ri.bits_per_channel != 16) {
+ result = stbi__convert_8_to_16((stbi_uc *) result, *x, *y, req_comp == 0 ? *comp : req_comp);
+ ri.bits_per_channel = 16;
+ }
+
+ // @TODO: move stbi__convert_format16 to here
+ // @TODO: special case RGB-to-Y (and RGBA-to-YA) for 8-bit-to-16-bit case to keep more precision
+
+ if (stbi__vertically_flip_on_load) {
+ int channels = req_comp ? req_comp : *comp;
+ stbi__vertical_flip(result, *x, *y, channels * sizeof(stbi__uint16));
+ }
+
+ return (stbi__uint16 *) result;
+}
+
+#if !defined(STBI_NO_HDR) && !defined(STBI_NO_LINEAR)
+static void stbi__float_postprocess(float *result, int *x, int *y, int *comp, int req_comp)
+{
+ if (stbi__vertically_flip_on_load && result != NULL) {
+ int channels = req_comp ? req_comp : *comp;
+ stbi__vertical_flip(result, *x, *y, channels * sizeof(float));
+ }
+}
+#endif
+
+#ifndef STBI_NO_STDIO
+
+#if defined(_MSC_VER) && defined(STBI_WINDOWS_UTF8)
+STBI_EXTERN __declspec(dllimport) int __stdcall MultiByteToWideChar(unsigned int cp, unsigned long flags, const char *str, int cbmb, wchar_t *widestr, int cchwide);
+STBI_EXTERN __declspec(dllimport) int __stdcall WideCharToMultiByte(unsigned int cp, unsigned long flags, const wchar_t *widestr, int cchwide, char *str, int cbmb, const char *defchar, int *used_default);
+#endif
+
+#if defined(_MSC_VER) && defined(STBI_WINDOWS_UTF8)
+STBIDEF int stbi_convert_wchar_to_utf8(char *buffer, size_t bufferlen, const wchar_t* input)
+{
+ return WideCharToMultiByte(65001 /* UTF8 */, 0, input, -1, buffer, (int) bufferlen, NULL, NULL);
+}
+#endif
+
+static FILE *stbi__fopen(char const *filename, char const *mode)
+{
+ FILE *f;
+#if defined(_MSC_VER) && defined(STBI_WINDOWS_UTF8)
+ wchar_t wMode[64];
+ wchar_t wFilename[1024];
+ if (0 == MultiByteToWideChar(65001 /* UTF8 */, 0, filename, -1, wFilename, sizeof(wFilename)))
+ return 0;
+
+ if (0 == MultiByteToWideChar(65001 /* UTF8 */, 0, mode, -1, wMode, sizeof(wMode)))
+ return 0;
+
+#if _MSC_VER >= 1400
+ if (0 != _wfopen_s(&f, wFilename, wMode))
+ f = 0;
+#else
+ f = _wfopen(wFilename, wMode);
+#endif
+
+#elif defined(_MSC_VER) && _MSC_VER >= 1400
+ if (0 != fopen_s(&f, filename, mode))
+ f=0;
+#else
+ f = fopen(filename, mode);
+#endif
+ return f;
+}
+
+
+STBIDEF stbi_uc *stbi_load(char const *filename, int *x, int *y, int *comp, int req_comp)
+{
+ FILE *f = stbi__fopen(filename, "rb");
+ unsigned char *result;
+ if (!f) return stbi__errpuc("can't fopen", "Unable to open file");
+ result = stbi_load_from_file(f,x,y,comp,req_comp);
+ fclose(f);
+ return result;
+}
+
+STBIDEF stbi_uc *stbi_load_from_file(FILE *f, int *x, int *y, int *comp, int req_comp)
+{
+ unsigned char *result;
+ stbi__context s;
+ stbi__start_file(&s,f);
+ result = stbi__load_and_postprocess_8bit(&s,x,y,comp,req_comp);
+ if (result) {
+ // need to 'unget' all the characters in the IO buffer
+ fseek(f, - (int) (s.img_buffer_end - s.img_buffer), SEEK_CUR);
+ }
+ return result;
+}
+
+STBIDEF stbi__uint16 *stbi_load_from_file_16(FILE *f, int *x, int *y, int *comp, int req_comp)
+{
+ stbi__uint16 *result;
+ stbi__context s;
+ stbi__start_file(&s,f);
+ result = stbi__load_and_postprocess_16bit(&s,x,y,comp,req_comp);
+ if (result) {
+ // need to 'unget' all the characters in the IO buffer
+ fseek(f, - (int) (s.img_buffer_end - s.img_buffer), SEEK_CUR);
+ }
+ return result;
+}
+
+STBIDEF stbi_us *stbi_load_16(char const *filename, int *x, int *y, int *comp, int req_comp)
+{
+ FILE *f = stbi__fopen(filename, "rb");
+ stbi__uint16 *result;
+ if (!f) return (stbi_us *) stbi__errpuc("can't fopen", "Unable to open file");
+ result = stbi_load_from_file_16(f,x,y,comp,req_comp);
+ fclose(f);
+ return result;
+}
+
+
+#endif //!STBI_NO_STDIO
+
+STBIDEF stbi_us *stbi_load_16_from_memory(stbi_uc const *buffer, int len, int *x, int *y, int *channels_in_file, int desired_channels)
+{
+ stbi__context s;
+ stbi__start_mem(&s,buffer,len);
+ return stbi__load_and_postprocess_16bit(&s,x,y,channels_in_file,desired_channels);
+}
+
+STBIDEF stbi_us *stbi_load_16_from_callbacks(stbi_io_callbacks const *clbk, void *user, int *x, int *y, int *channels_in_file, int desired_channels)
+{
+ stbi__context s;
+ stbi__start_callbacks(&s, (stbi_io_callbacks *)clbk, user);
+ return stbi__load_and_postprocess_16bit(&s,x,y,channels_in_file,desired_channels);
+}
+
+STBIDEF stbi_uc *stbi_load_from_memory(stbi_uc const *buffer, int len, int *x, int *y, int *comp, int req_comp)
+{
+ stbi__context s;
+ stbi__start_mem(&s,buffer,len);
+ return stbi__load_and_postprocess_8bit(&s,x,y,comp,req_comp);
+}
+
+STBIDEF stbi_uc *stbi_load_from_callbacks(stbi_io_callbacks const *clbk, void *user, int *x, int *y, int *comp, int req_comp)
+{
+ stbi__context s;
+ stbi__start_callbacks(&s, (stbi_io_callbacks *) clbk, user);
+ return stbi__load_and_postprocess_8bit(&s,x,y,comp,req_comp);
+}
+
+#ifndef STBI_NO_GIF
+STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int **delays, int *x, int *y, int *z, int *comp, int req_comp)
+{
+ unsigned char *result;
+ stbi__context s;
+ stbi__start_mem(&s,buffer,len);
+
+ result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp);
+ if (stbi__vertically_flip_on_load) {
+ stbi__vertical_flip_slices( result, *x, *y, *z, *comp );
+ }
+
+ return result;
+}
+#endif
+
+#ifndef STBI_NO_LINEAR
+static float *stbi__loadf_main(stbi__context *s, int *x, int *y, int *comp, int req_comp)
+{
+ unsigned char *data;
+ #ifndef STBI_NO_HDR
+ if (stbi__hdr_test(s)) {
+ stbi__result_info ri;
+ float *hdr_data = stbi__hdr_load(s,x,y,comp,req_comp, &ri);
+ if (hdr_data)
+ stbi__float_postprocess(hdr_data,x,y,comp,req_comp);
+ return hdr_data;
+ }
+ #endif
+ data = stbi__load_and_postprocess_8bit(s, x, y, comp, req_comp);
+ if (data)
+ return stbi__ldr_to_hdr(data, *x, *y, req_comp ? req_comp : *comp);
+ return stbi__errpf("unknown image type", "Image not of any known type, or corrupt");
+}
+
+STBIDEF float *stbi_loadf_from_memory(stbi_uc const *buffer, int len, int *x, int *y, int *comp, int req_comp)
+{
+ stbi__context s;
+ stbi__start_mem(&s,buffer,len);
+ return stbi__loadf_main(&s,x,y,comp,req_comp);
+}
+
+STBIDEF float *stbi_loadf_from_callbacks(stbi_io_callbacks const *clbk, void *user, int *x, int *y, int *comp, int req_comp)
+{
+ stbi__context s;
+ stbi__start_callbacks(&s, (stbi_io_callbacks *) clbk, user);
+ return stbi__loadf_main(&s,x,y,comp,req_comp);
+}
+
+#ifndef STBI_NO_STDIO
+STBIDEF float *stbi_loadf(char const *filename, int *x, int *y, int *comp, int req_comp)
+{
+ float *result;
+ FILE *f = stbi__fopen(filename, "rb");
+ if (!f) return stbi__errpf("can't fopen", "Unable to open file");
+ result = stbi_loadf_from_file(f,x,y,comp,req_comp);
+ fclose(f);
+ return result;
+}
+
+STBIDEF float *stbi_loadf_from_file(FILE *f, int *x, int *y, int *comp, int req_comp)
+{
+ stbi__context s;
+ stbi__start_file(&s,f);
+ return stbi__loadf_main(&s,x,y,comp,req_comp);
+}
+#endif // !STBI_NO_STDIO
+
+#endif // !STBI_NO_LINEAR
+
+// these is-hdr-or-not is defined independent of whether STBI_NO_LINEAR is
+// defined, for API simplicity; if STBI_NO_LINEAR is defined, it always
+// reports false!
+ +STBIDEF int stbi_is_hdr_from_memory(stbi_uc const *buffer, int len) +{ + #ifndef STBI_NO_HDR + stbi__context s; + stbi__start_mem(&s,buffer,len); + return stbi__hdr_test(&s); + #else + STBI_NOTUSED(buffer); + STBI_NOTUSED(len); + return 0; + #endif +} + +#ifndef STBI_NO_STDIO +STBIDEF int stbi_is_hdr (char const *filename) +{ + FILE *f = stbi__fopen(filename, "rb"); + int result=0; + if (f) { + result = stbi_is_hdr_from_file(f); + fclose(f); + } + return result; +} + +STBIDEF int stbi_is_hdr_from_file(FILE *f) +{ + #ifndef STBI_NO_HDR + long pos = ftell(f); + int res; + stbi__context s; + stbi__start_file(&s,f); + res = stbi__hdr_test(&s); + fseek(f, pos, SEEK_SET); + return res; + #else + STBI_NOTUSED(f); + return 0; + #endif +} +#endif // !STBI_NO_STDIO + +STBIDEF int stbi_is_hdr_from_callbacks(stbi_io_callbacks const *clbk, void *user) +{ + #ifndef STBI_NO_HDR + stbi__context s; + stbi__start_callbacks(&s, (stbi_io_callbacks *) clbk, user); + return stbi__hdr_test(&s); + #else + STBI_NOTUSED(clbk); + STBI_NOTUSED(user); + return 0; + #endif +} + +#ifndef STBI_NO_LINEAR +static float stbi__l2h_gamma=2.2f, stbi__l2h_scale=1.0f; + +STBIDEF void stbi_ldr_to_hdr_gamma(float gamma) { stbi__l2h_gamma = gamma; } +STBIDEF void stbi_ldr_to_hdr_scale(float scale) { stbi__l2h_scale = scale; } +#endif + +static float stbi__h2l_gamma_i=1.0f/2.2f, stbi__h2l_scale_i=1.0f; + +STBIDEF void stbi_hdr_to_ldr_gamma(float gamma) { stbi__h2l_gamma_i = 1/gamma; } +STBIDEF void stbi_hdr_to_ldr_scale(float scale) { stbi__h2l_scale_i = 1/scale; } + + +////////////////////////////////////////////////////////////////////////////// +// +// Common code used by all image loaders +// + +enum +{ + STBI__SCAN_load=0, + STBI__SCAN_type, + STBI__SCAN_header +}; + +static void stbi__refill_buffer(stbi__context *s) +{ + int n = (s->io.read)(s->io_user_data,(char*)s->buffer_start,s->buflen); + s->callback_already_read += (int) (s->img_buffer - s->img_buffer_original); + if (n == 0) { + // at end of 
file, treat same as if from memory, but need to handle case + // where s->img_buffer isn't pointing to safe memory, e.g. 0-byte file + s->read_from_callbacks = 0; + s->img_buffer = s->buffer_start; + s->img_buffer_end = s->buffer_start+1; + *s->img_buffer = 0; + } else { + s->img_buffer = s->buffer_start; + s->img_buffer_end = s->buffer_start + n; + } +} + +stbi_inline static stbi_uc stbi__get8(stbi__context *s) +{ + if (s->img_buffer < s->img_buffer_end) + return *s->img_buffer++; + if (s->read_from_callbacks) { + stbi__refill_buffer(s); + return *s->img_buffer++; + } + return 0; +} + +#if defined(STBI_NO_JPEG) && defined(STBI_NO_HDR) && defined(STBI_NO_PIC) && defined(STBI_NO_PNM) +// nothing +#else +stbi_inline static int stbi__at_eof(stbi__context *s) +{ + if (s->io.read) { + if (!(s->io.eof)(s->io_user_data)) return 0; + // if feof() is true, check if buffer = end + // special case: we've only got the special 0 character at the end + if (s->read_from_callbacks == 0) return 1; + } + + return s->img_buffer >= s->img_buffer_end; +} +#endif + +#if defined(STBI_NO_JPEG) && defined(STBI_NO_PNG) && defined(STBI_NO_BMP) && defined(STBI_NO_PSD) && defined(STBI_NO_TGA) && defined(STBI_NO_GIF) && defined(STBI_NO_PIC) +// nothing +#else +static void stbi__skip(stbi__context *s, int n) +{ + if (n == 0) return; // already there! 
+ if (n < 0) { + s->img_buffer = s->img_buffer_end; + return; + } + if (s->io.read) { + int blen = (int) (s->img_buffer_end - s->img_buffer); + if (blen < n) { + s->img_buffer = s->img_buffer_end; + (s->io.skip)(s->io_user_data, n - blen); + return; + } + } + s->img_buffer += n; +} +#endif + +#if defined(STBI_NO_PNG) && defined(STBI_NO_TGA) && defined(STBI_NO_HDR) && defined(STBI_NO_PNM) +// nothing +#else +static int stbi__getn(stbi__context *s, stbi_uc *buffer, int n) +{ + if (s->io.read) { + int blen = (int) (s->img_buffer_end - s->img_buffer); + if (blen < n) { + int res, count; + + memcpy(buffer, s->img_buffer, blen); + + count = (s->io.read)(s->io_user_data, (char*) buffer + blen, n - blen); + res = (count == (n-blen)); + s->img_buffer = s->img_buffer_end; + return res; + } + } + + if (s->img_buffer+n <= s->img_buffer_end) { + memcpy(buffer, s->img_buffer, n); + s->img_buffer += n; + return 1; + } else + return 0; +} +#endif + +#if defined(STBI_NO_JPEG) && defined(STBI_NO_PNG) && defined(STBI_NO_PSD) && defined(STBI_NO_PIC) +// nothing +#else +static int stbi__get16be(stbi__context *s) +{ + int z = stbi__get8(s); + return (z << 8) + stbi__get8(s); +} +#endif + +#if defined(STBI_NO_PNG) && defined(STBI_NO_PSD) && defined(STBI_NO_PIC) +// nothing +#else +static stbi__uint32 stbi__get32be(stbi__context *s) +{ + stbi__uint32 z = stbi__get16be(s); + return (z << 16) + stbi__get16be(s); +} +#endif + +#if defined(STBI_NO_BMP) && defined(STBI_NO_TGA) && defined(STBI_NO_GIF) +// nothing +#else +static int stbi__get16le(stbi__context *s) +{ + int z = stbi__get8(s); + return z + (stbi__get8(s) << 8); +} +#endif + +#ifndef STBI_NO_BMP +static stbi__uint32 stbi__get32le(stbi__context *s) +{ + stbi__uint32 z = stbi__get16le(s); + return z + (stbi__get16le(s) << 16); +} +#endif + +#define STBI__BYTECAST(x) ((stbi_uc) ((x) & 255)) // truncate int to byte without warnings + +#if defined(STBI_NO_JPEG) && defined(STBI_NO_PNG) && defined(STBI_NO_BMP) && defined(STBI_NO_PSD) && 
defined(STBI_NO_TGA) && defined(STBI_NO_GIF) && defined(STBI_NO_PIC) && defined(STBI_NO_PNM) +// nothing +#else +////////////////////////////////////////////////////////////////////////////// +// +// generic converter from built-in img_n to req_comp +// individual types do this automatically as much as possible (e.g. jpeg +// does all cases internally since it needs to colorspace convert anyway, +// and it never has alpha, so very few cases ). png can automatically +// interleave an alpha=255 channel, but falls back to this for other cases +// +// assume data buffer is malloced, so malloc a new one and free that one +// only failure mode is malloc failing + +static stbi_uc stbi__compute_y(int r, int g, int b) +{ + return (stbi_uc) (((r*77) + (g*150) + (29*b)) >> 8); +} +#endif + +#if defined(STBI_NO_PNG) && defined(STBI_NO_BMP) && defined(STBI_NO_PSD) && defined(STBI_NO_TGA) && defined(STBI_NO_GIF) && defined(STBI_NO_PIC) && defined(STBI_NO_PNM) +// nothing +#else +static unsigned char *stbi__convert_format(unsigned char *data, int img_n, int req_comp, unsigned int x, unsigned int y) +{ + int i,j; + unsigned char *good; + + if (req_comp == img_n) return data; + STBI_ASSERT(req_comp >= 1 && req_comp <= 4); + + good = (unsigned char *) stbi__malloc_mad3(req_comp, x, y, 0); + if (good == NULL) { + STBI_FREE(data); + return stbi__errpuc("outofmem", "Out of memory"); + } + + for (j=0; j < (int) y; ++j) { + unsigned char *src = data + j * x * img_n ; + unsigned char *dest = good + j * x * req_comp; + + #define STBI__COMBO(a,b) ((a)*8+(b)) + #define STBI__CASE(a,b) case STBI__COMBO(a,b): for(i=x-1; i >= 0; --i, src += a, dest += b) + // convert source image with img_n components to one with req_comp components; + // avoid switch per pixel, so use switch per scanline and massive macros + switch (STBI__COMBO(img_n, req_comp)) { + STBI__CASE(1,2) { dest[0]=src[0]; dest[1]=255; } break; + STBI__CASE(1,3) { dest[0]=dest[1]=dest[2]=src[0]; } break; + STBI__CASE(1,4) { 
dest[0]=dest[1]=dest[2]=src[0]; dest[3]=255; } break; + STBI__CASE(2,1) { dest[0]=src[0]; } break; + STBI__CASE(2,3) { dest[0]=dest[1]=dest[2]=src[0]; } break; + STBI__CASE(2,4) { dest[0]=dest[1]=dest[2]=src[0]; dest[3]=src[1]; } break; + STBI__CASE(3,4) { dest[0]=src[0];dest[1]=src[1];dest[2]=src[2];dest[3]=255; } break; + STBI__CASE(3,1) { dest[0]=stbi__compute_y(src[0],src[1],src[2]); } break; + STBI__CASE(3,2) { dest[0]=stbi__compute_y(src[0],src[1],src[2]); dest[1] = 255; } break; + STBI__CASE(4,1) { dest[0]=stbi__compute_y(src[0],src[1],src[2]); } break; + STBI__CASE(4,2) { dest[0]=stbi__compute_y(src[0],src[1],src[2]); dest[1] = src[3]; } break; + STBI__CASE(4,3) { dest[0]=src[0];dest[1]=src[1];dest[2]=src[2]; } break; + default: STBI_ASSERT(0); STBI_FREE(data); STBI_FREE(good); return stbi__errpuc("unsupported", "Unsupported format conversion"); + } + #undef STBI__CASE + } + + STBI_FREE(data); + return good; +} +#endif + +#if defined(STBI_NO_PNG) && defined(STBI_NO_PSD) +// nothing +#else +static stbi__uint16 stbi__compute_y_16(int r, int g, int b) +{ + return (stbi__uint16) (((r*77) + (g*150) + (29*b)) >> 8); +} +#endif + +#if defined(STBI_NO_PNG) && defined(STBI_NO_PSD) +// nothing +#else +static stbi__uint16 *stbi__convert_format16(stbi__uint16 *data, int img_n, int req_comp, unsigned int x, unsigned int y) +{ + int i,j; + stbi__uint16 *good; + + if (req_comp == img_n) return data; + STBI_ASSERT(req_comp >= 1 && req_comp <= 4); + + good = (stbi__uint16 *) stbi__malloc(req_comp * x * y * 2); + if (good == NULL) { + STBI_FREE(data); + return (stbi__uint16 *) stbi__errpuc("outofmem", "Out of memory"); + } + + for (j=0; j < (int) y; ++j) { + stbi__uint16 *src = data + j * x * img_n ; + stbi__uint16 *dest = good + j * x * req_comp; + + #define STBI__COMBO(a,b) ((a)*8+(b)) + #define STBI__CASE(a,b) case STBI__COMBO(a,b): for(i=x-1; i >= 0; --i, src += a, dest += b) + // convert source image with img_n components to one with req_comp components; + // avoid 
switch per pixel, so use switch per scanline and massive macros + switch (STBI__COMBO(img_n, req_comp)) { + STBI__CASE(1,2) { dest[0]=src[0]; dest[1]=0xffff; } break; + STBI__CASE(1,3) { dest[0]=dest[1]=dest[2]=src[0]; } break; + STBI__CASE(1,4) { dest[0]=dest[1]=dest[2]=src[0]; dest[3]=0xffff; } break; + STBI__CASE(2,1) { dest[0]=src[0]; } break; + STBI__CASE(2,3) { dest[0]=dest[1]=dest[2]=src[0]; } break; + STBI__CASE(2,4) { dest[0]=dest[1]=dest[2]=src[0]; dest[3]=src[1]; } break; + STBI__CASE(3,4) { dest[0]=src[0];dest[1]=src[1];dest[2]=src[2];dest[3]=0xffff; } break; + STBI__CASE(3,1) { dest[0]=stbi__compute_y_16(src[0],src[1],src[2]); } break; + STBI__CASE(3,2) { dest[0]=stbi__compute_y_16(src[0],src[1],src[2]); dest[1] = 0xffff; } break; + STBI__CASE(4,1) { dest[0]=stbi__compute_y_16(src[0],src[1],src[2]); } break; + STBI__CASE(4,2) { dest[0]=stbi__compute_y_16(src[0],src[1],src[2]); dest[1] = src[3]; } break; + STBI__CASE(4,3) { dest[0]=src[0];dest[1]=src[1];dest[2]=src[2]; } break; + default: STBI_ASSERT(0); STBI_FREE(data); STBI_FREE(good); return (stbi__uint16*) stbi__errpuc("unsupported", "Unsupported format conversion"); + } + #undef STBI__CASE + } + + STBI_FREE(data); + return good; +} +#endif + +#ifndef STBI_NO_LINEAR +static float *stbi__ldr_to_hdr(stbi_uc *data, int x, int y, int comp) +{ + int i,k,n; + float *output; + if (!data) return NULL; + output = (float *) stbi__malloc_mad4(x, y, comp, sizeof(float), 0); + if (output == NULL) { STBI_FREE(data); return stbi__errpf("outofmem", "Out of memory"); } + // compute number of non-alpha components + if (comp & 1) n = comp; else n = comp-1; + for (i=0; i < x*y; ++i) { + for (k=0; k < n; ++k) { + output[i*comp + k] = (float) (pow(data[i*comp+k]/255.0f, stbi__l2h_gamma) * stbi__l2h_scale); + } + } + if (n < comp) { + for (i=0; i < x*y; ++i) { + output[i*comp + n] = data[i*comp + n]/255.0f; + } + } + STBI_FREE(data); + return output; +} +#endif + +#ifndef STBI_NO_HDR +#define stbi__float2int(x) ((int) 
(x)) +static stbi_uc *stbi__hdr_to_ldr(float *data, int x, int y, int comp) +{ + int i,k,n; + stbi_uc *output; + if (!data) return NULL; + output = (stbi_uc *) stbi__malloc_mad3(x, y, comp, 0); + if (output == NULL) { STBI_FREE(data); return stbi__errpuc("outofmem", "Out of memory"); } + // compute number of non-alpha components + if (comp & 1) n = comp; else n = comp-1; + for (i=0; i < x*y; ++i) { + for (k=0; k < n; ++k) { + float z = (float) pow(data[i*comp+k]*stbi__h2l_scale_i, stbi__h2l_gamma_i) * 255 + 0.5f; + if (z < 0) z = 0; + if (z > 255) z = 255; + output[i*comp + k] = (stbi_uc) stbi__float2int(z); + } + if (k < comp) { + float z = data[i*comp+k] * 255 + 0.5f; + if (z < 0) z = 0; + if (z > 255) z = 255; + output[i*comp + k] = (stbi_uc) stbi__float2int(z); + } + } + STBI_FREE(data); + return output; +} +#endif + +////////////////////////////////////////////////////////////////////////////// +// +// "baseline" JPEG/JFIF decoder +// +// simple implementation +// - doesn't support delayed output of y-dimension +// - simple interface (only one output format: 8-bit interleaved RGB) +// - doesn't try to recover corrupt jpegs +// - doesn't allow partial loading, loading multiple at once +// - still fast on x86 (copying globals into locals doesn't help x86) +// - allocates lots of intermediate memory (full size of all components) +// - non-interleaved case requires this anyway +// - allows good upsampling (see next) +// high-quality +// - upsampled channels are bilinearly interpolated, even across blocks +// - quality integer IDCT derived from IJG's 'slow' +// performance +// - fast huffman; reasonable integer IDCT +// - some SIMD kernels for common paths on targets with SSE2/NEON +// - uses a lot of intermediate memory, could cache poorly + +#ifndef STBI_NO_JPEG + +// huffman decoding acceleration +#define FAST_BITS 9 // larger handles more cases; smaller stomps less cache + +typedef struct +{ + stbi_uc fast[1 << FAST_BITS]; + // weirdly, repacking this into AoS 
is a 10% speed loss, instead of a win + stbi__uint16 code[256]; + stbi_uc values[256]; + stbi_uc size[257]; + unsigned int maxcode[18]; + int delta[17]; // old 'firstsymbol' - old 'firstcode' +} stbi__huffman; + +typedef struct +{ + stbi__context *s; + stbi__huffman huff_dc[4]; + stbi__huffman huff_ac[4]; + stbi__uint16 dequant[4][64]; + stbi__int16 fast_ac[4][1 << FAST_BITS]; + +// sizes for components, interleaved MCUs + int img_h_max, img_v_max; + int img_mcu_x, img_mcu_y; + int img_mcu_w, img_mcu_h; + +// definition of jpeg image component + struct + { + int id; + int h,v; + int tq; + int hd,ha; + int dc_pred; + + int x,y,w2,h2; + stbi_uc *data; + void *raw_data, *raw_coeff; + stbi_uc *linebuf; + short *coeff; // progressive only + int coeff_w, coeff_h; // number of 8x8 coefficient blocks + } img_comp[4]; + + stbi__uint32 code_buffer; // jpeg entropy-coded buffer + int code_bits; // number of valid bits + unsigned char marker; // marker seen while filling entropy buffer + int nomore; // flag if we saw a marker so must stop + + int progressive; + int spec_start; + int spec_end; + int succ_high; + int succ_low; + int eob_run; + int jfif; + int app14_color_transform; // Adobe APP14 tag + int rgb; + + int scan_n, order[4]; + int restart_interval, todo; + +// kernels + void (*idct_block_kernel)(stbi_uc *out, int out_stride, short data[64]); + void (*YCbCr_to_RGB_kernel)(stbi_uc *out, const stbi_uc *y, const stbi_uc *pcb, const stbi_uc *pcr, int count, int step); + stbi_uc *(*resample_row_hv_2_kernel)(stbi_uc *out, stbi_uc *in_near, stbi_uc *in_far, int w, int hs); +} stbi__jpeg; + +static int stbi__build_huffman(stbi__huffman *h, int *count) +{ + int i,j,k=0; + unsigned int code; + // build size list for each symbol (from JPEG spec) + for (i=0; i < 16; ++i) + for (j=0; j < count[i]; ++j) + h->size[k++] = (stbi_uc) (i+1); + h->size[k] = 0; + + // compute actual symbols (from jpeg spec) + code = 0; + k = 0; + for(j=1; j <= 16; ++j) { + // compute delta to add to code 
to compute symbol id + h->delta[j] = k - code; + if (h->size[k] == j) { + while (h->size[k] == j) + h->code[k++] = (stbi__uint16) (code++); + if (code-1 >= (1u << j)) return stbi__err("bad code lengths","Corrupt JPEG"); + } + // compute largest code + 1 for this size, preshifted as needed later + h->maxcode[j] = code << (16-j); + code <<= 1; + } + h->maxcode[j] = 0xffffffff; + + // build non-spec acceleration table; 255 is flag for not-accelerated + memset(h->fast, 255, 1 << FAST_BITS); + for (i=0; i < k; ++i) { + int s = h->size[i]; + if (s <= FAST_BITS) { + int c = h->code[i] << (FAST_BITS-s); + int m = 1 << (FAST_BITS-s); + for (j=0; j < m; ++j) { + h->fast[c+j] = (stbi_uc) i; + } + } + } + return 1; +} + +// build a table that decodes both magnitude and value of small ACs in +// one go. +static void stbi__build_fast_ac(stbi__int16 *fast_ac, stbi__huffman *h) +{ + int i; + for (i=0; i < (1 << FAST_BITS); ++i) { + stbi_uc fast = h->fast[i]; + fast_ac[i] = 0; + if (fast < 255) { + int rs = h->values[fast]; + int run = (rs >> 4) & 15; + int magbits = rs & 15; + int len = h->size[fast]; + + if (magbits && len + magbits <= FAST_BITS) { + // magnitude code followed by receive_extend code + int k = ((i << len) & ((1 << FAST_BITS) - 1)) >> (FAST_BITS - magbits); + int m = 1 << (magbits - 1); + if (k < m) k += (~0U << magbits) + 1; + // if the result is small enough, we can fit it in fast_ac table + if (k >= -128 && k <= 127) + fast_ac[i] = (stbi__int16) ((k * 256) + (run * 16) + (len + magbits)); + } + } + } +} + +static void stbi__grow_buffer_unsafe(stbi__jpeg *j) +{ + do { + unsigned int b = j->nomore ? 
0 : stbi__get8(j->s); + if (b == 0xff) { + int c = stbi__get8(j->s); + while (c == 0xff) c = stbi__get8(j->s); // consume fill bytes + if (c != 0) { + j->marker = (unsigned char) c; + j->nomore = 1; + return; + } + } + j->code_buffer |= b << (24 - j->code_bits); + j->code_bits += 8; + } while (j->code_bits <= 24); +} + +// (1 << n) - 1 +static const stbi__uint32 stbi__bmask[17]={0,1,3,7,15,31,63,127,255,511,1023,2047,4095,8191,16383,32767,65535}; + +// decode a jpeg huffman value from the bitstream +stbi_inline static int stbi__jpeg_huff_decode(stbi__jpeg *j, stbi__huffman *h) +{ + unsigned int temp; + int c,k; + + if (j->code_bits < 16) stbi__grow_buffer_unsafe(j); + + // look at the top FAST_BITS and determine what symbol ID it is, + // if the code is <= FAST_BITS + c = (j->code_buffer >> (32 - FAST_BITS)) & ((1 << FAST_BITS)-1); + k = h->fast[c]; + if (k < 255) { + int s = h->size[k]; + if (s > j->code_bits) + return -1; + j->code_buffer <<= s; + j->code_bits -= s; + return h->values[k]; + } + + // naive test is to shift the code_buffer down so k bits are + // valid, then test against maxcode. To speed this up, we've + // preshifted maxcode left so that it has (16-k) 0s at the + // end; in other words, regardless of the number of bits, it + // wants to be compared against something shifted to have 16; + // that way we don't need to shift inside the loop. + temp = j->code_buffer >> 16; + for (k=FAST_BITS+1 ; ; ++k) + if (temp < h->maxcode[k]) + break; + if (k == 17) { + // error! 
code not found + j->code_bits -= 16; + return -1; + } + + if (k > j->code_bits) + return -1; + + // convert the huffman code to the symbol id + c = ((j->code_buffer >> (32 - k)) & stbi__bmask[k]) + h->delta[k]; + STBI_ASSERT((((j->code_buffer) >> (32 - h->size[c])) & stbi__bmask[h->size[c]]) == h->code[c]); + + // convert the id to a symbol + j->code_bits -= k; + j->code_buffer <<= k; + return h->values[c]; +} + +// bias[n] = (-1<code_bits < n) stbi__grow_buffer_unsafe(j); + + sgn = (stbi__int32)j->code_buffer >> 31; // sign bit is always in MSB + k = stbi_lrot(j->code_buffer, n); + if (n < 0 || n >= (int) (sizeof(stbi__bmask)/sizeof(*stbi__bmask))) return 0; + j->code_buffer = k & ~stbi__bmask[n]; + k &= stbi__bmask[n]; + j->code_bits -= n; + return k + (stbi__jbias[n] & ~sgn); +} + +// get some unsigned bits +stbi_inline static int stbi__jpeg_get_bits(stbi__jpeg *j, int n) +{ + unsigned int k; + if (j->code_bits < n) stbi__grow_buffer_unsafe(j); + k = stbi_lrot(j->code_buffer, n); + j->code_buffer = k & ~stbi__bmask[n]; + k &= stbi__bmask[n]; + j->code_bits -= n; + return k; +} + +stbi_inline static int stbi__jpeg_get_bit(stbi__jpeg *j) +{ + unsigned int k; + if (j->code_bits < 1) stbi__grow_buffer_unsafe(j); + k = j->code_buffer; + j->code_buffer <<= 1; + --j->code_bits; + return k & 0x80000000; +} + +// given a value that's at position X in the zigzag stream, +// where does it appear in the 8x8 matrix coded as row-major? 
+static const stbi_uc stbi__jpeg_dezigzag[64+15] = +{ + 0, 1, 8, 16, 9, 2, 3, 10, + 17, 24, 32, 25, 18, 11, 4, 5, + 12, 19, 26, 33, 40, 48, 41, 34, + 27, 20, 13, 6, 7, 14, 21, 28, + 35, 42, 49, 56, 57, 50, 43, 36, + 29, 22, 15, 23, 30, 37, 44, 51, + 58, 59, 52, 45, 38, 31, 39, 46, + 53, 60, 61, 54, 47, 55, 62, 63, + // let corrupt input sample past end + 63, 63, 63, 63, 63, 63, 63, 63, + 63, 63, 63, 63, 63, 63, 63 +}; + +// decode one 64-entry block-- +static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman *hdc, stbi__huffman *hac, stbi__int16 *fac, int b, stbi__uint16 *dequant) +{ + int diff,dc,k; + int t; + + if (j->code_bits < 16) stbi__grow_buffer_unsafe(j); + t = stbi__jpeg_huff_decode(j, hdc); + if (t < 0) return stbi__err("bad huffman code","Corrupt JPEG"); + + // 0 all the ac values now so we can do it 32-bits at a time + memset(data,0,64*sizeof(data[0])); + + diff = t ? stbi__extend_receive(j, t) : 0; + dc = j->img_comp[b].dc_pred + diff; + j->img_comp[b].dc_pred = dc; + data[0] = (short) (dc * dequant[0]); + + // decode AC components, see JPEG spec + k = 1; + do { + unsigned int zig; + int c,r,s; + if (j->code_bits < 16) stbi__grow_buffer_unsafe(j); + c = (j->code_buffer >> (32 - FAST_BITS)) & ((1 << FAST_BITS)-1); + r = fac[c]; + if (r) { // fast-AC path + k += (r >> 4) & 15; // run + s = r & 15; // combined length + j->code_buffer <<= s; + j->code_bits -= s; + // decode into unzigzag'd location + zig = stbi__jpeg_dezigzag[k++]; + data[zig] = (short) ((r >> 8) * dequant[zig]); + } else { + int rs = stbi__jpeg_huff_decode(j, hac); + if (rs < 0) return stbi__err("bad huffman code","Corrupt JPEG"); + s = rs & 15; + r = rs >> 4; + if (s == 0) { + if (rs != 0xf0) break; // end block + k += 16; + } else { + k += r; + // decode into unzigzag'd location + zig = stbi__jpeg_dezigzag[k++]; + data[zig] = (short) (stbi__extend_receive(j,s) * dequant[zig]); + } + } + } while (k < 64); + return 1; +} + +static int 
stbi__jpeg_decode_block_prog_dc(stbi__jpeg *j, short data[64], stbi__huffman *hdc, int b) +{ + int diff,dc; + int t; + if (j->spec_end != 0) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); + + if (j->code_bits < 16) stbi__grow_buffer_unsafe(j); + + if (j->succ_high == 0) { + // first scan for DC coefficient, must be first + memset(data,0,64*sizeof(data[0])); // 0 all the ac values now + t = stbi__jpeg_huff_decode(j, hdc); + if (t == -1) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); + diff = t ? stbi__extend_receive(j, t) : 0; + + dc = j->img_comp[b].dc_pred + diff; + j->img_comp[b].dc_pred = dc; + data[0] = (short) (dc << j->succ_low); + } else { + // refinement scan for DC coefficient + if (stbi__jpeg_get_bit(j)) + data[0] += (short) (1 << j->succ_low); + } + return 1; +} + +// @OPTIMIZE: store non-zigzagged during the decode passes, +// and only de-zigzag when dequantizing +static int stbi__jpeg_decode_block_prog_ac(stbi__jpeg *j, short data[64], stbi__huffman *hac, stbi__int16 *fac) +{ + int k; + if (j->spec_start == 0) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); + + if (j->succ_high == 0) { + int shift = j->succ_low; + + if (j->eob_run) { + --j->eob_run; + return 1; + } + + k = j->spec_start; + do { + unsigned int zig; + int c,r,s; + if (j->code_bits < 16) stbi__grow_buffer_unsafe(j); + c = (j->code_buffer >> (32 - FAST_BITS)) & ((1 << FAST_BITS)-1); + r = fac[c]; + if (r) { // fast-AC path + k += (r >> 4) & 15; // run + s = r & 15; // combined length + j->code_buffer <<= s; + j->code_bits -= s; + zig = stbi__jpeg_dezigzag[k++]; + data[zig] = (short) ((r >> 8) << shift); + } else { + int rs = stbi__jpeg_huff_decode(j, hac); + if (rs < 0) return stbi__err("bad huffman code","Corrupt JPEG"); + s = rs & 15; + r = rs >> 4; + if (s == 0) { + if (r < 15) { + j->eob_run = (1 << r); + if (r) + j->eob_run += stbi__jpeg_get_bits(j, r); + --j->eob_run; + break; + } + k += 16; + } else { + k += r; + zig = stbi__jpeg_dezigzag[k++]; + 
data[zig] = (short) (stbi__extend_receive(j,s) << shift); + } + } + } while (k <= j->spec_end); + } else { + // refinement scan for these AC coefficients + + short bit = (short) (1 << j->succ_low); + + if (j->eob_run) { + --j->eob_run; + for (k = j->spec_start; k <= j->spec_end; ++k) { + short *p = &data[stbi__jpeg_dezigzag[k]]; + if (*p != 0) + if (stbi__jpeg_get_bit(j)) + if ((*p & bit)==0) { + if (*p > 0) + *p += bit; + else + *p -= bit; + } + } + } else { + k = j->spec_start; + do { + int r,s; + int rs = stbi__jpeg_huff_decode(j, hac); // @OPTIMIZE see if we can use the fast path here, advance-by-r is so slow, eh + if (rs < 0) return stbi__err("bad huffman code","Corrupt JPEG"); + s = rs & 15; + r = rs >> 4; + if (s == 0) { + if (r < 15) { + j->eob_run = (1 << r) - 1; + if (r) + j->eob_run += stbi__jpeg_get_bits(j, r); + r = 64; // force end of block + } else { + // r=15 s=0 should write 16 0s, so we just do + // a run of 15 0s and then write s (which is 0), + // so we don't have to do anything special here + } + } else { + if (s != 1) return stbi__err("bad huffman code", "Corrupt JPEG"); + // sign bit + if (stbi__jpeg_get_bit(j)) + s = bit; + else + s = -bit; + } + + // advance by r + while (k <= j->spec_end) { + short *p = &data[stbi__jpeg_dezigzag[k++]]; + if (*p != 0) { + if (stbi__jpeg_get_bit(j)) + if ((*p & bit)==0) { + if (*p > 0) + *p += bit; + else + *p -= bit; + } + } else { + if (r == 0) { + *p = (short) s; + break; + } + --r; + } + } + } while (k <= j->spec_end); + } + } + return 1; +} + +// take a -128..127 value and stbi__clamp it and convert to 0..255 +stbi_inline static stbi_uc stbi__clamp(int x) +{ + // trick to use a single test to catch both cases + if ((unsigned int) x > 255) { + if (x < 0) return 0; + if (x > 255) return 255; + } + return (stbi_uc) x; +} + +#define stbi__f2f(x) ((int) (((x) * 4096 + 0.5))) +#define stbi__fsh(x) ((x) * 4096) + +// derived from jidctint -- DCT_ISLOW +#define STBI__IDCT_1D(s0,s1,s2,s3,s4,s5,s6,s7) \ + int 
t0,t1,t2,t3,p1,p2,p3,p4,p5,x0,x1,x2,x3; \ + p2 = s2; \ + p3 = s6; \ + p1 = (p2+p3) * stbi__f2f(0.5411961f); \ + t2 = p1 + p3*stbi__f2f(-1.847759065f); \ + t3 = p1 + p2*stbi__f2f( 0.765366865f); \ + p2 = s0; \ + p3 = s4; \ + t0 = stbi__fsh(p2+p3); \ + t1 = stbi__fsh(p2-p3); \ + x0 = t0+t3; \ + x3 = t0-t3; \ + x1 = t1+t2; \ + x2 = t1-t2; \ + t0 = s7; \ + t1 = s5; \ + t2 = s3; \ + t3 = s1; \ + p3 = t0+t2; \ + p4 = t1+t3; \ + p1 = t0+t3; \ + p2 = t1+t2; \ + p5 = (p3+p4)*stbi__f2f( 1.175875602f); \ + t0 = t0*stbi__f2f( 0.298631336f); \ + t1 = t1*stbi__f2f( 2.053119869f); \ + t2 = t2*stbi__f2f( 3.072711026f); \ + t3 = t3*stbi__f2f( 1.501321110f); \ + p1 = p5 + p1*stbi__f2f(-0.899976223f); \ + p2 = p5 + p2*stbi__f2f(-2.562915447f); \ + p3 = p3*stbi__f2f(-1.961570560f); \ + p4 = p4*stbi__f2f(-0.390180644f); \ + t3 += p1+p4; \ + t2 += p2+p3; \ + t1 += p2+p4; \ + t0 += p1+p3; + +static void stbi__idct_block(stbi_uc *out, int out_stride, short data[64]) +{ + int i,val[64],*v=val; + stbi_uc *o; + short *d = data; + + // columns + for (i=0; i < 8; ++i,++d, ++v) { + // if all zeroes, shortcut -- this avoids dequantizing 0s and IDCTing + if (d[ 8]==0 && d[16]==0 && d[24]==0 && d[32]==0 + && d[40]==0 && d[48]==0 && d[56]==0) { + // no shortcut 0 seconds + // (1|2|3|4|5|6|7)==0 0 seconds + // all separate -0.047 seconds + // 1 && 2|3 && 4|5 && 6|7: -0.047 seconds + int dcterm = d[0]*4; + v[0] = v[8] = v[16] = v[24] = v[32] = v[40] = v[48] = v[56] = dcterm; + } else { + STBI__IDCT_1D(d[ 0],d[ 8],d[16],d[24],d[32],d[40],d[48],d[56]) + // constants scaled things up by 1<<12; let's bring them back + // down, but keep 2 extra bits of precision + x0 += 512; x1 += 512; x2 += 512; x3 += 512; + v[ 0] = (x0+t3) >> 10; + v[56] = (x0-t3) >> 10; + v[ 8] = (x1+t2) >> 10; + v[48] = (x1-t2) >> 10; + v[16] = (x2+t1) >> 10; + v[40] = (x2-t1) >> 10; + v[24] = (x3+t0) >> 10; + v[32] = (x3-t0) >> 10; + } + } + + for (i=0, v=val, o=out; i < 8; ++i,v+=8,o+=out_stride) { + // no fast case since the first 
1D IDCT spread components out + STBI__IDCT_1D(v[0],v[1],v[2],v[3],v[4],v[5],v[6],v[7]) + // constants scaled things up by 1<<12, plus we had 1<<2 from first + // loop, plus horizontal and vertical each scale by sqrt(8) so together + // we've got an extra 1<<3, so 1<<17 total we need to remove. + // so we want to round that, which means adding 0.5 * 1<<17, + // aka 65536. Also, we'll end up with -128 to 127 that we want + // to encode as 0..255 by adding 128, so we'll add that before the shift + x0 += 65536 + (128<<17); + x1 += 65536 + (128<<17); + x2 += 65536 + (128<<17); + x3 += 65536 + (128<<17); + // tried computing the shifts into temps, or'ing the temps to see + // if any were out of range, but that was slower + o[0] = stbi__clamp((x0+t3) >> 17); + o[7] = stbi__clamp((x0-t3) >> 17); + o[1] = stbi__clamp((x1+t2) >> 17); + o[6] = stbi__clamp((x1-t2) >> 17); + o[2] = stbi__clamp((x2+t1) >> 17); + o[5] = stbi__clamp((x2-t1) >> 17); + o[3] = stbi__clamp((x3+t0) >> 17); + o[4] = stbi__clamp((x3-t0) >> 17); + } +} + +#ifdef STBI_SSE2 +// sse2 integer IDCT. not the fastest possible implementation but it +// produces bit-identical results to the generic C version so it's +// fully "transparent". +static void stbi__idct_simd(stbi_uc *out, int out_stride, short data[64]) +{ + // This is constructed to match our regular (generic) integer IDCT exactly. 
+ __m128i row0, row1, row2, row3, row4, row5, row6, row7; + __m128i tmp; + + // dot product constant: even elems=x, odd elems=y + #define dct_const(x,y) _mm_setr_epi16((x),(y),(x),(y),(x),(y),(x),(y)) + + // out(0) = c0[even]*x + c0[odd]*y (c0, x, y 16-bit, out 32-bit) + // out(1) = c1[even]*x + c1[odd]*y + #define dct_rot(out0,out1, x,y,c0,c1) \ + __m128i c0##lo = _mm_unpacklo_epi16((x),(y)); \ + __m128i c0##hi = _mm_unpackhi_epi16((x),(y)); \ + __m128i out0##_l = _mm_madd_epi16(c0##lo, c0); \ + __m128i out0##_h = _mm_madd_epi16(c0##hi, c0); \ + __m128i out1##_l = _mm_madd_epi16(c0##lo, c1); \ + __m128i out1##_h = _mm_madd_epi16(c0##hi, c1) + + // out = in << 12 (in 16-bit, out 32-bit) + #define dct_widen(out, in) \ + __m128i out##_l = _mm_srai_epi32(_mm_unpacklo_epi16(_mm_setzero_si128(), (in)), 4); \ + __m128i out##_h = _mm_srai_epi32(_mm_unpackhi_epi16(_mm_setzero_si128(), (in)), 4) + + // wide add + #define dct_wadd(out, a, b) \ + __m128i out##_l = _mm_add_epi32(a##_l, b##_l); \ + __m128i out##_h = _mm_add_epi32(a##_h, b##_h) + + // wide sub + #define dct_wsub(out, a, b) \ + __m128i out##_l = _mm_sub_epi32(a##_l, b##_l); \ + __m128i out##_h = _mm_sub_epi32(a##_h, b##_h) + + // butterfly a/b, add bias, then shift by "s" and pack + #define dct_bfly32o(out0, out1, a,b,bias,s) \ + { \ + __m128i abiased_l = _mm_add_epi32(a##_l, bias); \ + __m128i abiased_h = _mm_add_epi32(a##_h, bias); \ + dct_wadd(sum, abiased, b); \ + dct_wsub(dif, abiased, b); \ + out0 = _mm_packs_epi32(_mm_srai_epi32(sum_l, s), _mm_srai_epi32(sum_h, s)); \ + out1 = _mm_packs_epi32(_mm_srai_epi32(dif_l, s), _mm_srai_epi32(dif_h, s)); \ + } + + // 8-bit interleave step (for transposes) + #define dct_interleave8(a, b) \ + tmp = a; \ + a = _mm_unpacklo_epi8(a, b); \ + b = _mm_unpackhi_epi8(tmp, b) + + // 16-bit interleave step (for transposes) + #define dct_interleave16(a, b) \ + tmp = a; \ + a = _mm_unpacklo_epi16(a, b); \ + b = _mm_unpackhi_epi16(tmp, b) + + #define dct_pass(bias,shift) \ + { \ + 
/* even part */ \ + dct_rot(t2e,t3e, row2,row6, rot0_0,rot0_1); \ + __m128i sum04 = _mm_add_epi16(row0, row4); \ + __m128i dif04 = _mm_sub_epi16(row0, row4); \ + dct_widen(t0e, sum04); \ + dct_widen(t1e, dif04); \ + dct_wadd(x0, t0e, t3e); \ + dct_wsub(x3, t0e, t3e); \ + dct_wadd(x1, t1e, t2e); \ + dct_wsub(x2, t1e, t2e); \ + /* odd part */ \ + dct_rot(y0o,y2o, row7,row3, rot2_0,rot2_1); \ + dct_rot(y1o,y3o, row5,row1, rot3_0,rot3_1); \ + __m128i sum17 = _mm_add_epi16(row1, row7); \ + __m128i sum35 = _mm_add_epi16(row3, row5); \ + dct_rot(y4o,y5o, sum17,sum35, rot1_0,rot1_1); \ + dct_wadd(x4, y0o, y4o); \ + dct_wadd(x5, y1o, y5o); \ + dct_wadd(x6, y2o, y5o); \ + dct_wadd(x7, y3o, y4o); \ + dct_bfly32o(row0,row7, x0,x7,bias,shift); \ + dct_bfly32o(row1,row6, x1,x6,bias,shift); \ + dct_bfly32o(row2,row5, x2,x5,bias,shift); \ + dct_bfly32o(row3,row4, x3,x4,bias,shift); \ + } + + __m128i rot0_0 = dct_const(stbi__f2f(0.5411961f), stbi__f2f(0.5411961f) + stbi__f2f(-1.847759065f)); + __m128i rot0_1 = dct_const(stbi__f2f(0.5411961f) + stbi__f2f( 0.765366865f), stbi__f2f(0.5411961f)); + __m128i rot1_0 = dct_const(stbi__f2f(1.175875602f) + stbi__f2f(-0.899976223f), stbi__f2f(1.175875602f)); + __m128i rot1_1 = dct_const(stbi__f2f(1.175875602f), stbi__f2f(1.175875602f) + stbi__f2f(-2.562915447f)); + __m128i rot2_0 = dct_const(stbi__f2f(-1.961570560f) + stbi__f2f( 0.298631336f), stbi__f2f(-1.961570560f)); + __m128i rot2_1 = dct_const(stbi__f2f(-1.961570560f), stbi__f2f(-1.961570560f) + stbi__f2f( 3.072711026f)); + __m128i rot3_0 = dct_const(stbi__f2f(-0.390180644f) + stbi__f2f( 2.053119869f), stbi__f2f(-0.390180644f)); + __m128i rot3_1 = dct_const(stbi__f2f(-0.390180644f), stbi__f2f(-0.390180644f) + stbi__f2f( 1.501321110f)); + + // rounding biases in column/row passes, see stbi__idct_block for explanation. 
+ __m128i bias_0 = _mm_set1_epi32(512); + __m128i bias_1 = _mm_set1_epi32(65536 + (128<<17)); + + // load + row0 = _mm_load_si128((const __m128i *) (data + 0*8)); + row1 = _mm_load_si128((const __m128i *) (data + 1*8)); + row2 = _mm_load_si128((const __m128i *) (data + 2*8)); + row3 = _mm_load_si128((const __m128i *) (data + 3*8)); + row4 = _mm_load_si128((const __m128i *) (data + 4*8)); + row5 = _mm_load_si128((const __m128i *) (data + 5*8)); + row6 = _mm_load_si128((const __m128i *) (data + 6*8)); + row7 = _mm_load_si128((const __m128i *) (data + 7*8)); + + // column pass + dct_pass(bias_0, 10); + + { + // 16bit 8x8 transpose pass 1 + dct_interleave16(row0, row4); + dct_interleave16(row1, row5); + dct_interleave16(row2, row6); + dct_interleave16(row3, row7); + + // transpose pass 2 + dct_interleave16(row0, row2); + dct_interleave16(row1, row3); + dct_interleave16(row4, row6); + dct_interleave16(row5, row7); + + // transpose pass 3 + dct_interleave16(row0, row1); + dct_interleave16(row2, row3); + dct_interleave16(row4, row5); + dct_interleave16(row6, row7); + } + + // row pass + dct_pass(bias_1, 17); + + { + // pack + __m128i p0 = _mm_packus_epi16(row0, row1); // a0a1a2a3...a7b0b1b2b3...b7 + __m128i p1 = _mm_packus_epi16(row2, row3); + __m128i p2 = _mm_packus_epi16(row4, row5); + __m128i p3 = _mm_packus_epi16(row6, row7); + + // 8bit 8x8 transpose pass 1 + dct_interleave8(p0, p2); // a0e0a1e1... + dct_interleave8(p1, p3); // c0g0c1g1... + + // transpose pass 2 + dct_interleave8(p0, p1); // a0c0e0g0... + dct_interleave8(p2, p3); // b0d0f0h0... + + // transpose pass 3 + dct_interleave8(p0, p2); // a0b0c0d0... + dct_interleave8(p1, p3); // a4b4c4d4... 
+ + // store + _mm_storel_epi64((__m128i *) out, p0); out += out_stride; + _mm_storel_epi64((__m128i *) out, _mm_shuffle_epi32(p0, 0x4e)); out += out_stride; + _mm_storel_epi64((__m128i *) out, p2); out += out_stride; + _mm_storel_epi64((__m128i *) out, _mm_shuffle_epi32(p2, 0x4e)); out += out_stride; + _mm_storel_epi64((__m128i *) out, p1); out += out_stride; + _mm_storel_epi64((__m128i *) out, _mm_shuffle_epi32(p1, 0x4e)); out += out_stride; + _mm_storel_epi64((__m128i *) out, p3); out += out_stride; + _mm_storel_epi64((__m128i *) out, _mm_shuffle_epi32(p3, 0x4e)); + } + +#undef dct_const +#undef dct_rot +#undef dct_widen +#undef dct_wadd +#undef dct_wsub +#undef dct_bfly32o +#undef dct_interleave8 +#undef dct_interleave16 +#undef dct_pass +} + +#endif // STBI_SSE2 + +#ifdef STBI_NEON + +// NEON integer IDCT. should produce bit-identical +// results to the generic C version. +static void stbi__idct_simd(stbi_uc *out, int out_stride, short data[64]) +{ + int16x8_t row0, row1, row2, row3, row4, row5, row6, row7; + + int16x4_t rot0_0 = vdup_n_s16(stbi__f2f(0.5411961f)); + int16x4_t rot0_1 = vdup_n_s16(stbi__f2f(-1.847759065f)); + int16x4_t rot0_2 = vdup_n_s16(stbi__f2f( 0.765366865f)); + int16x4_t rot1_0 = vdup_n_s16(stbi__f2f( 1.175875602f)); + int16x4_t rot1_1 = vdup_n_s16(stbi__f2f(-0.899976223f)); + int16x4_t rot1_2 = vdup_n_s16(stbi__f2f(-2.562915447f)); + int16x4_t rot2_0 = vdup_n_s16(stbi__f2f(-1.961570560f)); + int16x4_t rot2_1 = vdup_n_s16(stbi__f2f(-0.390180644f)); + int16x4_t rot3_0 = vdup_n_s16(stbi__f2f( 0.298631336f)); + int16x4_t rot3_1 = vdup_n_s16(stbi__f2f( 2.053119869f)); + int16x4_t rot3_2 = vdup_n_s16(stbi__f2f( 3.072711026f)); + int16x4_t rot3_3 = vdup_n_s16(stbi__f2f( 1.501321110f)); + +#define dct_long_mul(out, inq, coeff) \ + int32x4_t out##_l = vmull_s16(vget_low_s16(inq), coeff); \ + int32x4_t out##_h = vmull_s16(vget_high_s16(inq), coeff) + +#define dct_long_mac(out, acc, inq, coeff) \ + int32x4_t out##_l = vmlal_s16(acc##_l, 
vget_low_s16(inq), coeff); \ + int32x4_t out##_h = vmlal_s16(acc##_h, vget_high_s16(inq), coeff) + +#define dct_widen(out, inq) \ + int32x4_t out##_l = vshll_n_s16(vget_low_s16(inq), 12); \ + int32x4_t out##_h = vshll_n_s16(vget_high_s16(inq), 12) + +// wide add +#define dct_wadd(out, a, b) \ + int32x4_t out##_l = vaddq_s32(a##_l, b##_l); \ + int32x4_t out##_h = vaddq_s32(a##_h, b##_h) + +// wide sub +#define dct_wsub(out, a, b) \ + int32x4_t out##_l = vsubq_s32(a##_l, b##_l); \ + int32x4_t out##_h = vsubq_s32(a##_h, b##_h) + +// butterfly a/b, then shift using "shiftop" by "s" and pack +#define dct_bfly32o(out0,out1, a,b,shiftop,s) \ + { \ + dct_wadd(sum, a, b); \ + dct_wsub(dif, a, b); \ + out0 = vcombine_s16(shiftop(sum_l, s), shiftop(sum_h, s)); \ + out1 = vcombine_s16(shiftop(dif_l, s), shiftop(dif_h, s)); \ + } + +#define dct_pass(shiftop, shift) \ + { \ + /* even part */ \ + int16x8_t sum26 = vaddq_s16(row2, row6); \ + dct_long_mul(p1e, sum26, rot0_0); \ + dct_long_mac(t2e, p1e, row6, rot0_1); \ + dct_long_mac(t3e, p1e, row2, rot0_2); \ + int16x8_t sum04 = vaddq_s16(row0, row4); \ + int16x8_t dif04 = vsubq_s16(row0, row4); \ + dct_widen(t0e, sum04); \ + dct_widen(t1e, dif04); \ + dct_wadd(x0, t0e, t3e); \ + dct_wsub(x3, t0e, t3e); \ + dct_wadd(x1, t1e, t2e); \ + dct_wsub(x2, t1e, t2e); \ + /* odd part */ \ + int16x8_t sum15 = vaddq_s16(row1, row5); \ + int16x8_t sum17 = vaddq_s16(row1, row7); \ + int16x8_t sum35 = vaddq_s16(row3, row5); \ + int16x8_t sum37 = vaddq_s16(row3, row7); \ + int16x8_t sumodd = vaddq_s16(sum17, sum35); \ + dct_long_mul(p5o, sumodd, rot1_0); \ + dct_long_mac(p1o, p5o, sum17, rot1_1); \ + dct_long_mac(p2o, p5o, sum35, rot1_2); \ + dct_long_mul(p3o, sum37, rot2_0); \ + dct_long_mul(p4o, sum15, rot2_1); \ + dct_wadd(sump13o, p1o, p3o); \ + dct_wadd(sump24o, p2o, p4o); \ + dct_wadd(sump23o, p2o, p3o); \ + dct_wadd(sump14o, p1o, p4o); \ + dct_long_mac(x4, sump13o, row7, rot3_0); \ + dct_long_mac(x5, sump24o, row5, rot3_1); \ + 
dct_long_mac(x6, sump23o, row3, rot3_2); \ + dct_long_mac(x7, sump14o, row1, rot3_3); \ + dct_bfly32o(row0,row7, x0,x7,shiftop,shift); \ + dct_bfly32o(row1,row6, x1,x6,shiftop,shift); \ + dct_bfly32o(row2,row5, x2,x5,shiftop,shift); \ + dct_bfly32o(row3,row4, x3,x4,shiftop,shift); \ + } + + // load + row0 = vld1q_s16(data + 0*8); + row1 = vld1q_s16(data + 1*8); + row2 = vld1q_s16(data + 2*8); + row3 = vld1q_s16(data + 3*8); + row4 = vld1q_s16(data + 4*8); + row5 = vld1q_s16(data + 5*8); + row6 = vld1q_s16(data + 6*8); + row7 = vld1q_s16(data + 7*8); + + // add DC bias + row0 = vaddq_s16(row0, vsetq_lane_s16(1024, vdupq_n_s16(0), 0)); + + // column pass + dct_pass(vrshrn_n_s32, 10); + + // 16bit 8x8 transpose + { +// these three map to a single VTRN.16, VTRN.32, and VSWP, respectively. +// whether compilers actually get this is another story, sadly. +#define dct_trn16(x, y) { int16x8x2_t t = vtrnq_s16(x, y); x = t.val[0]; y = t.val[1]; } +#define dct_trn32(x, y) { int32x4x2_t t = vtrnq_s32(vreinterpretq_s32_s16(x), vreinterpretq_s32_s16(y)); x = vreinterpretq_s16_s32(t.val[0]); y = vreinterpretq_s16_s32(t.val[1]); } +#define dct_trn64(x, y) { int16x8_t x0 = x; int16x8_t y0 = y; x = vcombine_s16(vget_low_s16(x0), vget_low_s16(y0)); y = vcombine_s16(vget_high_s16(x0), vget_high_s16(y0)); } + + // pass 1 + dct_trn16(row0, row1); // a0b0a2b2a4b4a6b6 + dct_trn16(row2, row3); + dct_trn16(row4, row5); + dct_trn16(row6, row7); + + // pass 2 + dct_trn32(row0, row2); // a0b0c0d0a4b4c4d4 + dct_trn32(row1, row3); + dct_trn32(row4, row6); + dct_trn32(row5, row7); + + // pass 3 + dct_trn64(row0, row4); // a0b0c0d0e0f0g0h0 + dct_trn64(row1, row5); + dct_trn64(row2, row6); + dct_trn64(row3, row7); + +#undef dct_trn16 +#undef dct_trn32 +#undef dct_trn64 + } + + // row pass + // vrshrn_n_s32 only supports shifts up to 16, we need + // 17. so do a non-rounding shift of 16 first then follow + // up with a rounding shift by 1. 
+ dct_pass(vshrn_n_s32, 16); + + { + // pack and round + uint8x8_t p0 = vqrshrun_n_s16(row0, 1); + uint8x8_t p1 = vqrshrun_n_s16(row1, 1); + uint8x8_t p2 = vqrshrun_n_s16(row2, 1); + uint8x8_t p3 = vqrshrun_n_s16(row3, 1); + uint8x8_t p4 = vqrshrun_n_s16(row4, 1); + uint8x8_t p5 = vqrshrun_n_s16(row5, 1); + uint8x8_t p6 = vqrshrun_n_s16(row6, 1); + uint8x8_t p7 = vqrshrun_n_s16(row7, 1); + + // again, these can translate into one instruction, but often don't. +#define dct_trn8_8(x, y) { uint8x8x2_t t = vtrn_u8(x, y); x = t.val[0]; y = t.val[1]; } +#define dct_trn8_16(x, y) { uint16x4x2_t t = vtrn_u16(vreinterpret_u16_u8(x), vreinterpret_u16_u8(y)); x = vreinterpret_u8_u16(t.val[0]); y = vreinterpret_u8_u16(t.val[1]); } +#define dct_trn8_32(x, y) { uint32x2x2_t t = vtrn_u32(vreinterpret_u32_u8(x), vreinterpret_u32_u8(y)); x = vreinterpret_u8_u32(t.val[0]); y = vreinterpret_u8_u32(t.val[1]); } + + // sadly can't use interleaved stores here since we only write + // 8 bytes to each scan line! 
+ + // 8x8 8-bit transpose pass 1 + dct_trn8_8(p0, p1); + dct_trn8_8(p2, p3); + dct_trn8_8(p4, p5); + dct_trn8_8(p6, p7); + + // pass 2 + dct_trn8_16(p0, p2); + dct_trn8_16(p1, p3); + dct_trn8_16(p4, p6); + dct_trn8_16(p5, p7); + + // pass 3 + dct_trn8_32(p0, p4); + dct_trn8_32(p1, p5); + dct_trn8_32(p2, p6); + dct_trn8_32(p3, p7); + + // store + vst1_u8(out, p0); out += out_stride; + vst1_u8(out, p1); out += out_stride; + vst1_u8(out, p2); out += out_stride; + vst1_u8(out, p3); out += out_stride; + vst1_u8(out, p4); out += out_stride; + vst1_u8(out, p5); out += out_stride; + vst1_u8(out, p6); out += out_stride; + vst1_u8(out, p7); + +#undef dct_trn8_8 +#undef dct_trn8_16 +#undef dct_trn8_32 + } + +#undef dct_long_mul +#undef dct_long_mac +#undef dct_widen +#undef dct_wadd +#undef dct_wsub +#undef dct_bfly32o +#undef dct_pass +} + +#endif // STBI_NEON + +#define STBI__MARKER_none 0xff +// if there's a pending marker from the entropy stream, return that +// otherwise, fetch from the stream and get a marker. if there's no +// marker, return 0xff, which is never a valid marker value +static stbi_uc stbi__get_marker(stbi__jpeg *j) +{ + stbi_uc x; + if (j->marker != STBI__MARKER_none) { x = j->marker; j->marker = STBI__MARKER_none; return x; } + x = stbi__get8(j->s); + if (x != 0xff) return STBI__MARKER_none; + while (x == 0xff) + x = stbi__get8(j->s); // consume repeated 0xff fill bytes + return x; +} + +// in each scan, we'll have scan_n components, and the order +// of the components is specified by order[] +#define STBI__RESTART(x) ((x) >= 0xd0 && (x) <= 0xd7) + +// after a restart interval, stbi__jpeg_reset the entropy decoder and +// the dc prediction +static void stbi__jpeg_reset(stbi__jpeg *j) +{ + j->code_bits = 0; + j->code_buffer = 0; + j->nomore = 0; + j->img_comp[0].dc_pred = j->img_comp[1].dc_pred = j->img_comp[2].dc_pred = j->img_comp[3].dc_pred = 0; + j->marker = STBI__MARKER_none; + j->todo = j->restart_interval ? 
j->restart_interval : 0x7fffffff; + j->eob_run = 0; + // no more than 1<<31 MCUs if no restart_interal? that's plenty safe, + // since we don't even allow 1<<30 pixels +} + +static int stbi__parse_entropy_coded_data(stbi__jpeg *z) +{ + stbi__jpeg_reset(z); + if (!z->progressive) { + if (z->scan_n == 1) { + int i,j; + STBI_SIMD_ALIGN(short, data[64]); + int n = z->order[0]; + // non-interleaved data, we just need to process one block at a time, + // in trivial scanline order + // number of blocks to do just depends on how many actual "pixels" this + // component has, independent of interleaved MCU blocking and such + int w = (z->img_comp[n].x+7) >> 3; + int h = (z->img_comp[n].y+7) >> 3; + for (j=0; j < h; ++j) { + for (i=0; i < w; ++i) { + int ha = z->img_comp[n].ha; + if (!stbi__jpeg_decode_block(z, data, z->huff_dc+z->img_comp[n].hd, z->huff_ac+ha, z->fast_ac[ha], n, z->dequant[z->img_comp[n].tq])) return 0; + z->idct_block_kernel(z->img_comp[n].data+z->img_comp[n].w2*j*8+i*8, z->img_comp[n].w2, data); + // every data block is an MCU, so countdown the restart interval + if (--z->todo <= 0) { + if (z->code_bits < 24) stbi__grow_buffer_unsafe(z); + // if it's NOT a restart, then just bail, so we get corrupt data + // rather than no data + if (!STBI__RESTART(z->marker)) return 1; + stbi__jpeg_reset(z); + } + } + } + return 1; + } else { // interleaved + int i,j,k,x,y; + STBI_SIMD_ALIGN(short, data[64]); + for (j=0; j < z->img_mcu_y; ++j) { + for (i=0; i < z->img_mcu_x; ++i) { + // scan an interleaved mcu... 
process scan_n components in order + for (k=0; k < z->scan_n; ++k) { + int n = z->order[k]; + // scan out an mcu's worth of this component; that's just determined + // by the basic H and V specified for the component + for (y=0; y < z->img_comp[n].v; ++y) { + for (x=0; x < z->img_comp[n].h; ++x) { + int x2 = (i*z->img_comp[n].h + x)*8; + int y2 = (j*z->img_comp[n].v + y)*8; + int ha = z->img_comp[n].ha; + if (!stbi__jpeg_decode_block(z, data, z->huff_dc+z->img_comp[n].hd, z->huff_ac+ha, z->fast_ac[ha], n, z->dequant[z->img_comp[n].tq])) return 0; + z->idct_block_kernel(z->img_comp[n].data+z->img_comp[n].w2*y2+x2, z->img_comp[n].w2, data); + } + } + } + // after all interleaved components, that's an interleaved MCU, + // so now count down the restart interval + if (--z->todo <= 0) { + if (z->code_bits < 24) stbi__grow_buffer_unsafe(z); + if (!STBI__RESTART(z->marker)) return 1; + stbi__jpeg_reset(z); + } + } + } + return 1; + } + } else { + if (z->scan_n == 1) { + int i,j; + int n = z->order[0]; + // non-interleaved data, we just need to process one block at a time, + // in trivial scanline order + // number of blocks to do just depends on how many actual "pixels" this + // component has, independent of interleaved MCU blocking and such + int w = (z->img_comp[n].x+7) >> 3; + int h = (z->img_comp[n].y+7) >> 3; + for (j=0; j < h; ++j) { + for (i=0; i < w; ++i) { + short *data = z->img_comp[n].coeff + 64 * (i + j * z->img_comp[n].coeff_w); + if (z->spec_start == 0) { + if (!stbi__jpeg_decode_block_prog_dc(z, data, &z->huff_dc[z->img_comp[n].hd], n)) + return 0; + } else { + int ha = z->img_comp[n].ha; + if (!stbi__jpeg_decode_block_prog_ac(z, data, &z->huff_ac[ha], z->fast_ac[ha])) + return 0; + } + // every data block is an MCU, so countdown the restart interval + if (--z->todo <= 0) { + if (z->code_bits < 24) stbi__grow_buffer_unsafe(z); + if (!STBI__RESTART(z->marker)) return 1; + stbi__jpeg_reset(z); + } + } + } + return 1; + } else { // interleaved + int 
i,j,k,x,y; + for (j=0; j < z->img_mcu_y; ++j) { + for (i=0; i < z->img_mcu_x; ++i) { + // scan an interleaved mcu... process scan_n components in order + for (k=0; k < z->scan_n; ++k) { + int n = z->order[k]; + // scan out an mcu's worth of this component; that's just determined + // by the basic H and V specified for the component + for (y=0; y < z->img_comp[n].v; ++y) { + for (x=0; x < z->img_comp[n].h; ++x) { + int x2 = (i*z->img_comp[n].h + x); + int y2 = (j*z->img_comp[n].v + y); + short *data = z->img_comp[n].coeff + 64 * (x2 + y2 * z->img_comp[n].coeff_w); + if (!stbi__jpeg_decode_block_prog_dc(z, data, &z->huff_dc[z->img_comp[n].hd], n)) + return 0; + } + } + } + // after all interleaved components, that's an interleaved MCU, + // so now count down the restart interval + if (--z->todo <= 0) { + if (z->code_bits < 24) stbi__grow_buffer_unsafe(z); + if (!STBI__RESTART(z->marker)) return 1; + stbi__jpeg_reset(z); + } + } + } + return 1; + } + } +} + +static void stbi__jpeg_dequantize(short *data, stbi__uint16 *dequant) +{ + int i; + for (i=0; i < 64; ++i) + data[i] *= dequant[i]; +} + +static void stbi__jpeg_finish(stbi__jpeg *z) +{ + if (z->progressive) { + // dequantize and idct the data + int i,j,n; + for (n=0; n < z->s->img_n; ++n) { + int w = (z->img_comp[n].x+7) >> 3; + int h = (z->img_comp[n].y+7) >> 3; + for (j=0; j < h; ++j) { + for (i=0; i < w; ++i) { + short *data = z->img_comp[n].coeff + 64 * (i + j * z->img_comp[n].coeff_w); + stbi__jpeg_dequantize(data, z->dequant[z->img_comp[n].tq]); + z->idct_block_kernel(z->img_comp[n].data+z->img_comp[n].w2*j*8+i*8, z->img_comp[n].w2, data); + } + } + } + } +} + +static int stbi__process_marker(stbi__jpeg *z, int m) +{ + int L; + switch (m) { + case STBI__MARKER_none: // no marker found + return stbi__err("expected marker","Corrupt JPEG"); + + case 0xDD: // DRI - specify restart interval + if (stbi__get16be(z->s) != 4) return stbi__err("bad DRI len","Corrupt JPEG"); + z->restart_interval = 
stbi__get16be(z->s); + return 1; + + case 0xDB: // DQT - define quantization table + L = stbi__get16be(z->s)-2; + while (L > 0) { + int q = stbi__get8(z->s); + int p = q >> 4, sixteen = (p != 0); + int t = q & 15,i; + if (p != 0 && p != 1) return stbi__err("bad DQT type","Corrupt JPEG"); + if (t > 3) return stbi__err("bad DQT table","Corrupt JPEG"); + + for (i=0; i < 64; ++i) + z->dequant[t][stbi__jpeg_dezigzag[i]] = (stbi__uint16)(sixteen ? stbi__get16be(z->s) : stbi__get8(z->s)); + L -= (sixteen ? 129 : 65); + } + return L==0; + + case 0xC4: // DHT - define huffman table + L = stbi__get16be(z->s)-2; + while (L > 0) { + stbi_uc *v; + int sizes[16],i,n=0; + int q = stbi__get8(z->s); + int tc = q >> 4; + int th = q & 15; + if (tc > 1 || th > 3) return stbi__err("bad DHT header","Corrupt JPEG"); + for (i=0; i < 16; ++i) { + sizes[i] = stbi__get8(z->s); + n += sizes[i]; + } + L -= 17; + if (tc == 0) { + if (!stbi__build_huffman(z->huff_dc+th, sizes)) return 0; + v = z->huff_dc[th].values; + } else { + if (!stbi__build_huffman(z->huff_ac+th, sizes)) return 0; + v = z->huff_ac[th].values; + } + for (i=0; i < n; ++i) + v[i] = stbi__get8(z->s); + if (tc != 0) + stbi__build_fast_ac(z->fast_ac[th], z->huff_ac + th); + L -= n; + } + return L==0; + } + + // check for comment block or APP blocks + if ((m >= 0xE0 && m <= 0xEF) || m == 0xFE) { + L = stbi__get16be(z->s); + if (L < 2) { + if (m == 0xFE) + return stbi__err("bad COM len","Corrupt JPEG"); + else + return stbi__err("bad APP len","Corrupt JPEG"); + } + L -= 2; + + if (m == 0xE0 && L >= 5) { // JFIF APP0 segment + static const unsigned char tag[5] = {'J','F','I','F','\0'}; + int ok = 1; + int i; + for (i=0; i < 5; ++i) + if (stbi__get8(z->s) != tag[i]) + ok = 0; + L -= 5; + if (ok) + z->jfif = 1; + } else if (m == 0xEE && L >= 12) { // Adobe APP14 segment + static const unsigned char tag[6] = {'A','d','o','b','e','\0'}; + int ok = 1; + int i; + for (i=0; i < 6; ++i) + if (stbi__get8(z->s) != tag[i]) + ok = 0; + L -= 6; 
+ if (ok) { + stbi__get8(z->s); // version + stbi__get16be(z->s); // flags0 + stbi__get16be(z->s); // flags1 + z->app14_color_transform = stbi__get8(z->s); // color transform + L -= 6; + } + } + + stbi__skip(z->s, L); + return 1; + } + + return stbi__err("unknown marker","Corrupt JPEG"); +} + +// after we see SOS +static int stbi__process_scan_header(stbi__jpeg *z) +{ + int i; + int Ls = stbi__get16be(z->s); + z->scan_n = stbi__get8(z->s); + if (z->scan_n < 1 || z->scan_n > 4 || z->scan_n > (int) z->s->img_n) return stbi__err("bad SOS component count","Corrupt JPEG"); + if (Ls != 6+2*z->scan_n) return stbi__err("bad SOS len","Corrupt JPEG"); + for (i=0; i < z->scan_n; ++i) { + int id = stbi__get8(z->s), which; + int q = stbi__get8(z->s); + for (which = 0; which < z->s->img_n; ++which) + if (z->img_comp[which].id == id) + break; + if (which == z->s->img_n) return 0; // no match + z->img_comp[which].hd = q >> 4; if (z->img_comp[which].hd > 3) return stbi__err("bad DC huff","Corrupt JPEG"); + z->img_comp[which].ha = q & 15; if (z->img_comp[which].ha > 3) return stbi__err("bad AC huff","Corrupt JPEG"); + z->order[i] = which; + } + + { + int aa; + z->spec_start = stbi__get8(z->s); + z->spec_end = stbi__get8(z->s); // should be 63, but might be 0 + aa = stbi__get8(z->s); + z->succ_high = (aa >> 4); + z->succ_low = (aa & 15); + if (z->progressive) { + if (z->spec_start > 63 || z->spec_end > 63 || z->spec_start > z->spec_end || z->succ_high > 13 || z->succ_low > 13) + return stbi__err("bad SOS", "Corrupt JPEG"); + } else { + if (z->spec_start != 0) return stbi__err("bad SOS","Corrupt JPEG"); + if (z->succ_high != 0 || z->succ_low != 0) return stbi__err("bad SOS","Corrupt JPEG"); + z->spec_end = 63; + } + } + + return 1; +} + +static int stbi__free_jpeg_components(stbi__jpeg *z, int ncomp, int why) +{ + int i; + for (i=0; i < ncomp; ++i) { + if (z->img_comp[i].raw_data) { + STBI_FREE(z->img_comp[i].raw_data); + z->img_comp[i].raw_data = NULL; + z->img_comp[i].data = NULL; + 
} + if (z->img_comp[i].raw_coeff) { + STBI_FREE(z->img_comp[i].raw_coeff); + z->img_comp[i].raw_coeff = 0; + z->img_comp[i].coeff = 0; + } + if (z->img_comp[i].linebuf) { + STBI_FREE(z->img_comp[i].linebuf); + z->img_comp[i].linebuf = NULL; + } + } + return why; +} + +static int stbi__process_frame_header(stbi__jpeg *z, int scan) +{ + stbi__context *s = z->s; + int Lf,p,i,q, h_max=1,v_max=1,c; + Lf = stbi__get16be(s); if (Lf < 11) return stbi__err("bad SOF len","Corrupt JPEG"); // JPEG + p = stbi__get8(s); if (p != 8) return stbi__err("only 8-bit","JPEG format not supported: 8-bit only"); // JPEG baseline + s->img_y = stbi__get16be(s); if (s->img_y == 0) return stbi__err("no header height", "JPEG format not supported: delayed height"); // Legal, but we don't handle it--but neither does IJG + s->img_x = stbi__get16be(s); if (s->img_x == 0) return stbi__err("0 width","Corrupt JPEG"); // JPEG requires + if (s->img_y > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)"); + if (s->img_x > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)"); + c = stbi__get8(s); + if (c != 3 && c != 1 && c != 4) return stbi__err("bad component count","Corrupt JPEG"); + s->img_n = c; + for (i=0; i < c; ++i) { + z->img_comp[i].data = NULL; + z->img_comp[i].linebuf = NULL; + } + + if (Lf != 8+3*s->img_n) return stbi__err("bad SOF len","Corrupt JPEG"); + + z->rgb = 0; + for (i=0; i < s->img_n; ++i) { + static const unsigned char rgb[3] = { 'R', 'G', 'B' }; + z->img_comp[i].id = stbi__get8(s); + if (s->img_n == 3 && z->img_comp[i].id == rgb[i]) + ++z->rgb; + q = stbi__get8(s); + z->img_comp[i].h = (q >> 4); if (!z->img_comp[i].h || z->img_comp[i].h > 4) return stbi__err("bad H","Corrupt JPEG"); + z->img_comp[i].v = q & 15; if (!z->img_comp[i].v || z->img_comp[i].v > 4) return stbi__err("bad V","Corrupt JPEG"); + z->img_comp[i].tq = stbi__get8(s); if (z->img_comp[i].tq > 3) return stbi__err("bad TQ","Corrupt JPEG"); + } + + if (scan != 
STBI__SCAN_load) return 1; + + if (!stbi__mad3sizes_valid(s->img_x, s->img_y, s->img_n, 0)) return stbi__err("too large", "Image too large to decode"); + + for (i=0; i < s->img_n; ++i) { + if (z->img_comp[i].h > h_max) h_max = z->img_comp[i].h; + if (z->img_comp[i].v > v_max) v_max = z->img_comp[i].v; + } + + // compute interleaved mcu info + z->img_h_max = h_max; + z->img_v_max = v_max; + z->img_mcu_w = h_max * 8; + z->img_mcu_h = v_max * 8; + // these sizes can't be more than 17 bits + z->img_mcu_x = (s->img_x + z->img_mcu_w-1) / z->img_mcu_w; + z->img_mcu_y = (s->img_y + z->img_mcu_h-1) / z->img_mcu_h; + + for (i=0; i < s->img_n; ++i) { + // number of effective pixels (e.g. for non-interleaved MCU) + z->img_comp[i].x = (s->img_x * z->img_comp[i].h + h_max-1) / h_max; + z->img_comp[i].y = (s->img_y * z->img_comp[i].v + v_max-1) / v_max; + // to simplify generation, we'll allocate enough memory to decode + // the bogus oversized data from using interleaved MCUs and their + // big blocks (e.g. 
a 16x16 iMCU on an image of width 33); we won't + // discard the extra data until colorspace conversion + // + // img_mcu_x, img_mcu_y: <=17 bits; comp[i].h and .v are <=4 (checked earlier) + // so these muls can't overflow with 32-bit ints (which we require) + z->img_comp[i].w2 = z->img_mcu_x * z->img_comp[i].h * 8; + z->img_comp[i].h2 = z->img_mcu_y * z->img_comp[i].v * 8; + z->img_comp[i].coeff = 0; + z->img_comp[i].raw_coeff = 0; + z->img_comp[i].linebuf = NULL; + z->img_comp[i].raw_data = stbi__malloc_mad2(z->img_comp[i].w2, z->img_comp[i].h2, 15); + if (z->img_comp[i].raw_data == NULL) + return stbi__free_jpeg_components(z, i+1, stbi__err("outofmem", "Out of memory")); + // align blocks for idct using mmx/sse + z->img_comp[i].data = (stbi_uc*) (((size_t) z->img_comp[i].raw_data + 15) & ~15); + if (z->progressive) { + // w2, h2 are multiples of 8 (see above) + z->img_comp[i].coeff_w = z->img_comp[i].w2 / 8; + z->img_comp[i].coeff_h = z->img_comp[i].h2 / 8; + z->img_comp[i].raw_coeff = stbi__malloc_mad3(z->img_comp[i].w2, z->img_comp[i].h2, sizeof(short), 15); + if (z->img_comp[i].raw_coeff == NULL) + return stbi__free_jpeg_components(z, i+1, stbi__err("outofmem", "Out of memory")); + z->img_comp[i].coeff = (short*) (((size_t) z->img_comp[i].raw_coeff + 15) & ~15); + } + } + + return 1; +} + +// use comparisons since in some cases we handle more than one case (e.g. 
SOF) +#define stbi__DNL(x) ((x) == 0xdc) +#define stbi__SOI(x) ((x) == 0xd8) +#define stbi__EOI(x) ((x) == 0xd9) +#define stbi__SOF(x) ((x) == 0xc0 || (x) == 0xc1 || (x) == 0xc2) +#define stbi__SOS(x) ((x) == 0xda) + +#define stbi__SOF_progressive(x) ((x) == 0xc2) + +static int stbi__decode_jpeg_header(stbi__jpeg *z, int scan) +{ + int m; + z->jfif = 0; + z->app14_color_transform = -1; // valid values are 0,1,2 + z->marker = STBI__MARKER_none; // initialize cached marker to empty + m = stbi__get_marker(z); + if (!stbi__SOI(m)) return stbi__err("no SOI","Corrupt JPEG"); + if (scan == STBI__SCAN_type) return 1; + m = stbi__get_marker(z); + while (!stbi__SOF(m)) { + if (!stbi__process_marker(z,m)) return 0; + m = stbi__get_marker(z); + while (m == STBI__MARKER_none) { + // some files have extra padding after their blocks, so ok, we'll scan + if (stbi__at_eof(z->s)) return stbi__err("no SOF", "Corrupt JPEG"); + m = stbi__get_marker(z); + } + } + z->progressive = stbi__SOF_progressive(m); + if (!stbi__process_frame_header(z, scan)) return 0; + return 1; +} + +// decode image to YCbCr format +static int stbi__decode_jpeg_image(stbi__jpeg *j) +{ + int m; + for (m = 0; m < 4; m++) { + j->img_comp[m].raw_data = NULL; + j->img_comp[m].raw_coeff = NULL; + } + j->restart_interval = 0; + if (!stbi__decode_jpeg_header(j, STBI__SCAN_load)) return 0; + m = stbi__get_marker(j); + while (!stbi__EOI(m)) { + if (stbi__SOS(m)) { + if (!stbi__process_scan_header(j)) return 0; + if (!stbi__parse_entropy_coded_data(j)) return 0; + if (j->marker == STBI__MARKER_none ) { + // handle 0s at the end of image data from IP Kamera 9060 + while (!stbi__at_eof(j->s)) { + int x = stbi__get8(j->s); + if (x == 255) { + j->marker = stbi__get8(j->s); + break; + } + } + // if we reach eof without hitting a marker, stbi__get_marker() below will fail and we'll eventually return 0 + } + } else if (stbi__DNL(m)) { + int Ld = stbi__get16be(j->s); + stbi__uint32 NL = stbi__get16be(j->s); + if (Ld != 4) return 
stbi__err("bad DNL len", "Corrupt JPEG"); + if (NL != j->s->img_y) return stbi__err("bad DNL height", "Corrupt JPEG"); + } else { + if (!stbi__process_marker(j, m)) return 0; + } + m = stbi__get_marker(j); + } + if (j->progressive) + stbi__jpeg_finish(j); + return 1; +} + +// static jfif-centered resampling (across block boundaries) + +typedef stbi_uc *(*resample_row_func)(stbi_uc *out, stbi_uc *in0, stbi_uc *in1, + int w, int hs); + +#define stbi__div4(x) ((stbi_uc) ((x) >> 2)) + +static stbi_uc *resample_row_1(stbi_uc *out, stbi_uc *in_near, stbi_uc *in_far, int w, int hs) +{ + STBI_NOTUSED(out); + STBI_NOTUSED(in_far); + STBI_NOTUSED(w); + STBI_NOTUSED(hs); + return in_near; +} + +static stbi_uc* stbi__resample_row_v_2(stbi_uc *out, stbi_uc *in_near, stbi_uc *in_far, int w, int hs) +{ + // need to generate two samples vertically for every one in input + int i; + STBI_NOTUSED(hs); + for (i=0; i < w; ++i) + out[i] = stbi__div4(3*in_near[i] + in_far[i] + 2); + return out; +} + +static stbi_uc* stbi__resample_row_h_2(stbi_uc *out, stbi_uc *in_near, stbi_uc *in_far, int w, int hs) +{ + // need to generate two samples horizontally for every one in input + int i; + stbi_uc *input = in_near; + + if (w == 1) { + // if only one sample, can't do any interpolation + out[0] = out[1] = input[0]; + return out; + } + + out[0] = input[0]; + out[1] = stbi__div4(input[0]*3 + input[1] + 2); + for (i=1; i < w-1; ++i) { + int n = 3*input[i]+2; + out[i*2+0] = stbi__div4(n+input[i-1]); + out[i*2+1] = stbi__div4(n+input[i+1]); + } + out[i*2+0] = stbi__div4(input[w-2]*3 + input[w-1] + 2); + out[i*2+1] = input[w-1]; + + STBI_NOTUSED(in_far); + STBI_NOTUSED(hs); + + return out; +} + +#define stbi__div16(x) ((stbi_uc) ((x) >> 4)) + +static stbi_uc *stbi__resample_row_hv_2(stbi_uc *out, stbi_uc *in_near, stbi_uc *in_far, int w, int hs) +{ + // need to generate 2x2 samples for every one in input + int i,t0,t1; + if (w == 1) { + out[0] = out[1] = stbi__div4(3*in_near[0] + in_far[0] + 2); + 
return out; + } + + t1 = 3*in_near[0] + in_far[0]; + out[0] = stbi__div4(t1+2); + for (i=1; i < w; ++i) { + t0 = t1; + t1 = 3*in_near[i]+in_far[i]; + out[i*2-1] = stbi__div16(3*t0 + t1 + 8); + out[i*2 ] = stbi__div16(3*t1 + t0 + 8); + } + out[w*2-1] = stbi__div4(t1+2); + + STBI_NOTUSED(hs); + + return out; +} + +#if defined(STBI_SSE2) || defined(STBI_NEON) +static stbi_uc *stbi__resample_row_hv_2_simd(stbi_uc *out, stbi_uc *in_near, stbi_uc *in_far, int w, int hs) +{ + // need to generate 2x2 samples for every one in input + int i=0,t0,t1; + + if (w == 1) { + out[0] = out[1] = stbi__div4(3*in_near[0] + in_far[0] + 2); + return out; + } + + t1 = 3*in_near[0] + in_far[0]; + // process groups of 8 pixels for as long as we can. + // note we can't handle the last pixel in a row in this loop + // because we need to handle the filter boundary conditions. + for (; i < ((w-1) & ~7); i += 8) { +#if defined(STBI_SSE2) + // load and perform the vertical filtering pass + // this uses 3*x + y = 4*x + (y - x) + __m128i zero = _mm_setzero_si128(); + __m128i farb = _mm_loadl_epi64((__m128i *) (in_far + i)); + __m128i nearb = _mm_loadl_epi64((__m128i *) (in_near + i)); + __m128i farw = _mm_unpacklo_epi8(farb, zero); + __m128i nearw = _mm_unpacklo_epi8(nearb, zero); + __m128i diff = _mm_sub_epi16(farw, nearw); + __m128i nears = _mm_slli_epi16(nearw, 2); + __m128i curr = _mm_add_epi16(nears, diff); // current row + + // horizontal filter works the same based on shifted vers of current + // row. "prev" is current row shifted right by 1 pixel; we need to + // insert the previous pixel value (from t1). + // "next" is current row shifted left by 1 pixel, with first pixel + // of next block of 8 pixels added in. 
+ __m128i prv0 = _mm_slli_si128(curr, 2); + __m128i nxt0 = _mm_srli_si128(curr, 2); + __m128i prev = _mm_insert_epi16(prv0, t1, 0); + __m128i next = _mm_insert_epi16(nxt0, 3*in_near[i+8] + in_far[i+8], 7); + + // horizontal filter, polyphase implementation since it's convenient: + // even pixels = 3*cur + prev = cur*4 + (prev - cur) + // odd pixels = 3*cur + next = cur*4 + (next - cur) + // note the shared term. + __m128i bias = _mm_set1_epi16(8); + __m128i curs = _mm_slli_epi16(curr, 2); + __m128i prvd = _mm_sub_epi16(prev, curr); + __m128i nxtd = _mm_sub_epi16(next, curr); + __m128i curb = _mm_add_epi16(curs, bias); + __m128i even = _mm_add_epi16(prvd, curb); + __m128i odd = _mm_add_epi16(nxtd, curb); + + // interleave even and odd pixels, then undo scaling. + __m128i int0 = _mm_unpacklo_epi16(even, odd); + __m128i int1 = _mm_unpackhi_epi16(even, odd); + __m128i de0 = _mm_srli_epi16(int0, 4); + __m128i de1 = _mm_srli_epi16(int1, 4); + + // pack and write output + __m128i outv = _mm_packus_epi16(de0, de1); + _mm_storeu_si128((__m128i *) (out + i*2), outv); +#elif defined(STBI_NEON) + // load and perform the vertical filtering pass + // this uses 3*x + y = 4*x + (y - x) + uint8x8_t farb = vld1_u8(in_far + i); + uint8x8_t nearb = vld1_u8(in_near + i); + int16x8_t diff = vreinterpretq_s16_u16(vsubl_u8(farb, nearb)); + int16x8_t nears = vreinterpretq_s16_u16(vshll_n_u8(nearb, 2)); + int16x8_t curr = vaddq_s16(nears, diff); // current row + + // horizontal filter works the same based on shifted vers of current + // row. "prev" is current row shifted right by 1 pixel; we need to + // insert the previous pixel value (from t1). + // "next" is current row shifted left by 1 pixel, with first pixel + // of next block of 8 pixels added in. 
+ int16x8_t prv0 = vextq_s16(curr, curr, 7); + int16x8_t nxt0 = vextq_s16(curr, curr, 1); + int16x8_t prev = vsetq_lane_s16(t1, prv0, 0); + int16x8_t next = vsetq_lane_s16(3*in_near[i+8] + in_far[i+8], nxt0, 7); + + // horizontal filter, polyphase implementation since it's convenient: + // even pixels = 3*cur + prev = cur*4 + (prev - cur) + // odd pixels = 3*cur + next = cur*4 + (next - cur) + // note the shared term. + int16x8_t curs = vshlq_n_s16(curr, 2); + int16x8_t prvd = vsubq_s16(prev, curr); + int16x8_t nxtd = vsubq_s16(next, curr); + int16x8_t even = vaddq_s16(curs, prvd); + int16x8_t odd = vaddq_s16(curs, nxtd); + + // undo scaling and round, then store with even/odd phases interleaved + uint8x8x2_t o; + o.val[0] = vqrshrun_n_s16(even, 4); + o.val[1] = vqrshrun_n_s16(odd, 4); + vst2_u8(out + i*2, o); +#endif + + // "previous" value for next iter + t1 = 3*in_near[i+7] + in_far[i+7]; + } + + t0 = t1; + t1 = 3*in_near[i] + in_far[i]; + out[i*2] = stbi__div16(3*t1 + t0 + 8); + + for (++i; i < w; ++i) { + t0 = t1; + t1 = 3*in_near[i]+in_far[i]; + out[i*2-1] = stbi__div16(3*t0 + t1 + 8); + out[i*2 ] = stbi__div16(3*t1 + t0 + 8); + } + out[w*2-1] = stbi__div4(t1+2); + + STBI_NOTUSED(hs); + + return out; +} +#endif + +static stbi_uc *stbi__resample_row_generic(stbi_uc *out, stbi_uc *in_near, stbi_uc *in_far, int w, int hs) +{ + // resample with nearest-neighbor + int i,j; + STBI_NOTUSED(in_far); + for (i=0; i < w; ++i) + for (j=0; j < hs; ++j) + out[i*hs+j] = in_near[i]; + return out; +} + +// this is a reduced-precision calculation of YCbCr-to-RGB introduced +// to make sure the code produces the same results in both SIMD and scalar +#define stbi__float2fixed(x) (((int) ((x) * 4096.0f + 0.5f)) << 8) +static void stbi__YCbCr_to_RGB_row(stbi_uc *out, const stbi_uc *y, const stbi_uc *pcb, const stbi_uc *pcr, int count, int step) +{ + int i; + for (i=0; i < count; ++i) { + int y_fixed = (y[i] << 20) + (1<<19); // rounding + int r,g,b; + int cr = pcr[i] - 128; + int 
cb = pcb[i] - 128; + r = y_fixed + cr* stbi__float2fixed(1.40200f); + g = y_fixed + (cr*-stbi__float2fixed(0.71414f)) + ((cb*-stbi__float2fixed(0.34414f)) & 0xffff0000); + b = y_fixed + cb* stbi__float2fixed(1.77200f); + r >>= 20; + g >>= 20; + b >>= 20; + if ((unsigned) r > 255) { if (r < 0) r = 0; else r = 255; } + if ((unsigned) g > 255) { if (g < 0) g = 0; else g = 255; } + if ((unsigned) b > 255) { if (b < 0) b = 0; else b = 255; } + out[0] = (stbi_uc)r; + out[1] = (stbi_uc)g; + out[2] = (stbi_uc)b; + out[3] = 255; + out += step; + } +} + +#if defined(STBI_SSE2) || defined(STBI_NEON) +static void stbi__YCbCr_to_RGB_simd(stbi_uc *out, stbi_uc const *y, stbi_uc const *pcb, stbi_uc const *pcr, int count, int step) +{ + int i = 0; + +#ifdef STBI_SSE2 + // step == 3 is pretty ugly on the final interleave, and i'm not convinced + // it's useful in practice (you wouldn't use it for textures, for example). + // so just accelerate step == 4 case. + if (step == 4) { + // this is a fairly straightforward implementation and not super-optimized. 
+ __m128i signflip = _mm_set1_epi8(-0x80); + __m128i cr_const0 = _mm_set1_epi16( (short) ( 1.40200f*4096.0f+0.5f)); + __m128i cr_const1 = _mm_set1_epi16( - (short) ( 0.71414f*4096.0f+0.5f)); + __m128i cb_const0 = _mm_set1_epi16( - (short) ( 0.34414f*4096.0f+0.5f)); + __m128i cb_const1 = _mm_set1_epi16( (short) ( 1.77200f*4096.0f+0.5f)); + __m128i y_bias = _mm_set1_epi8((char) (unsigned char) 128); + __m128i xw = _mm_set1_epi16(255); // alpha channel + + for (; i+7 < count; i += 8) { + // load + __m128i y_bytes = _mm_loadl_epi64((__m128i *) (y+i)); + __m128i cr_bytes = _mm_loadl_epi64((__m128i *) (pcr+i)); + __m128i cb_bytes = _mm_loadl_epi64((__m128i *) (pcb+i)); + __m128i cr_biased = _mm_xor_si128(cr_bytes, signflip); // -128 + __m128i cb_biased = _mm_xor_si128(cb_bytes, signflip); // -128 + + // unpack to short (and left-shift cr, cb by 8) + __m128i yw = _mm_unpacklo_epi8(y_bias, y_bytes); + __m128i crw = _mm_unpacklo_epi8(_mm_setzero_si128(), cr_biased); + __m128i cbw = _mm_unpacklo_epi8(_mm_setzero_si128(), cb_biased); + + // color transform + __m128i yws = _mm_srli_epi16(yw, 4); + __m128i cr0 = _mm_mulhi_epi16(cr_const0, crw); + __m128i cb0 = _mm_mulhi_epi16(cb_const0, cbw); + __m128i cb1 = _mm_mulhi_epi16(cbw, cb_const1); + __m128i cr1 = _mm_mulhi_epi16(crw, cr_const1); + __m128i rws = _mm_add_epi16(cr0, yws); + __m128i gwt = _mm_add_epi16(cb0, yws); + __m128i bws = _mm_add_epi16(yws, cb1); + __m128i gws = _mm_add_epi16(gwt, cr1); + + // descale + __m128i rw = _mm_srai_epi16(rws, 4); + __m128i bw = _mm_srai_epi16(bws, 4); + __m128i gw = _mm_srai_epi16(gws, 4); + + // back to byte, set up for transpose + __m128i brb = _mm_packus_epi16(rw, bw); + __m128i gxb = _mm_packus_epi16(gw, xw); + + // transpose to interleave channels + __m128i t0 = _mm_unpacklo_epi8(brb, gxb); + __m128i t1 = _mm_unpackhi_epi8(brb, gxb); + __m128i o0 = _mm_unpacklo_epi16(t0, t1); + __m128i o1 = _mm_unpackhi_epi16(t0, t1); + + // store + _mm_storeu_si128((__m128i *) (out + 0), o0); + 
_mm_storeu_si128((__m128i *) (out + 16), o1); + out += 32; + } + } +#endif + +#ifdef STBI_NEON + // in this version, step=3 support would be easy to add. but is there demand? + if (step == 4) { + // this is a fairly straightforward implementation and not super-optimized. + uint8x8_t signflip = vdup_n_u8(0x80); + int16x8_t cr_const0 = vdupq_n_s16( (short) ( 1.40200f*4096.0f+0.5f)); + int16x8_t cr_const1 = vdupq_n_s16( - (short) ( 0.71414f*4096.0f+0.5f)); + int16x8_t cb_const0 = vdupq_n_s16( - (short) ( 0.34414f*4096.0f+0.5f)); + int16x8_t cb_const1 = vdupq_n_s16( (short) ( 1.77200f*4096.0f+0.5f)); + + for (; i+7 < count; i += 8) { + // load + uint8x8_t y_bytes = vld1_u8(y + i); + uint8x8_t cr_bytes = vld1_u8(pcr + i); + uint8x8_t cb_bytes = vld1_u8(pcb + i); + int8x8_t cr_biased = vreinterpret_s8_u8(vsub_u8(cr_bytes, signflip)); + int8x8_t cb_biased = vreinterpret_s8_u8(vsub_u8(cb_bytes, signflip)); + + // expand to s16 + int16x8_t yws = vreinterpretq_s16_u16(vshll_n_u8(y_bytes, 4)); + int16x8_t crw = vshll_n_s8(cr_biased, 7); + int16x8_t cbw = vshll_n_s8(cb_biased, 7); + + // color transform + int16x8_t cr0 = vqdmulhq_s16(crw, cr_const0); + int16x8_t cb0 = vqdmulhq_s16(cbw, cb_const0); + int16x8_t cr1 = vqdmulhq_s16(crw, cr_const1); + int16x8_t cb1 = vqdmulhq_s16(cbw, cb_const1); + int16x8_t rws = vaddq_s16(yws, cr0); + int16x8_t gws = vaddq_s16(vaddq_s16(yws, cb0), cr1); + int16x8_t bws = vaddq_s16(yws, cb1); + + // undo scaling, round, convert to byte + uint8x8x4_t o; + o.val[0] = vqrshrun_n_s16(rws, 4); + o.val[1] = vqrshrun_n_s16(gws, 4); + o.val[2] = vqrshrun_n_s16(bws, 4); + o.val[3] = vdup_n_u8(255); + + // store, interleaving r/g/b/a + vst4_u8(out, o); + out += 8*4; + } + } +#endif + + for (; i < count; ++i) { + int y_fixed = (y[i] << 20) + (1<<19); // rounding + int r,g,b; + int cr = pcr[i] - 128; + int cb = pcb[i] - 128; + r = y_fixed + cr* stbi__float2fixed(1.40200f); + g = y_fixed + cr*-stbi__float2fixed(0.71414f) + ((cb*-stbi__float2fixed(0.34414f)) & 
0xffff0000); + b = y_fixed + cb* stbi__float2fixed(1.77200f); + r >>= 20; + g >>= 20; + b >>= 20; + if ((unsigned) r > 255) { if (r < 0) r = 0; else r = 255; } + if ((unsigned) g > 255) { if (g < 0) g = 0; else g = 255; } + if ((unsigned) b > 255) { if (b < 0) b = 0; else b = 255; } + out[0] = (stbi_uc)r; + out[1] = (stbi_uc)g; + out[2] = (stbi_uc)b; + out[3] = 255; + out += step; + } +} +#endif + +// set up the kernels +static void stbi__setup_jpeg(stbi__jpeg *j) +{ + j->idct_block_kernel = stbi__idct_block; + j->YCbCr_to_RGB_kernel = stbi__YCbCr_to_RGB_row; + j->resample_row_hv_2_kernel = stbi__resample_row_hv_2; + +#ifdef STBI_SSE2 + if (stbi__sse2_available()) { + j->idct_block_kernel = stbi__idct_simd; + j->YCbCr_to_RGB_kernel = stbi__YCbCr_to_RGB_simd; + j->resample_row_hv_2_kernel = stbi__resample_row_hv_2_simd; + } +#endif + +#ifdef STBI_NEON + j->idct_block_kernel = stbi__idct_simd; + j->YCbCr_to_RGB_kernel = stbi__YCbCr_to_RGB_simd; + j->resample_row_hv_2_kernel = stbi__resample_row_hv_2_simd; +#endif +} + +// clean up the temporary component buffers +static void stbi__cleanup_jpeg(stbi__jpeg *j) +{ + stbi__free_jpeg_components(j, j->s->img_n, 0); +} + +typedef struct +{ + resample_row_func resample; + stbi_uc *line0,*line1; + int hs,vs; // expansion factor in each axis + int w_lores; // horizontal pixels pre-expansion + int ystep; // how far through vertical expansion we are + int ypos; // which pre-expansion row we're on +} stbi__resample; + +// fast 0..255 * 0..255 => 0..255 rounded multiplication +static stbi_uc stbi__blinn_8x8(stbi_uc x, stbi_uc y) +{ + unsigned int t = x*y + 128; + return (stbi_uc) ((t + (t >>8)) >> 8); +} + +static stbi_uc *load_jpeg_image(stbi__jpeg *z, int *out_x, int *out_y, int *comp, int req_comp) +{ + int n, decode_n, is_rgb; + z->s->img_n = 0; // make stbi__cleanup_jpeg safe + + // validate req_comp + if (req_comp < 0 || req_comp > 4) return stbi__errpuc("bad req_comp", "Internal error"); + + // load a jpeg image from 
whichever source, but leave in YCbCr format + if (!stbi__decode_jpeg_image(z)) { stbi__cleanup_jpeg(z); return NULL; } + + // determine actual number of components to generate + n = req_comp ? req_comp : z->s->img_n >= 3 ? 3 : 1; + + is_rgb = z->s->img_n == 3 && (z->rgb == 3 || (z->app14_color_transform == 0 && !z->jfif)); + + if (z->s->img_n == 3 && n < 3 && !is_rgb) + decode_n = 1; + else + decode_n = z->s->img_n; + + // resample and color-convert + { + int k; + unsigned int i,j; + stbi_uc *output; + stbi_uc *coutput[4] = { NULL, NULL, NULL, NULL }; + + stbi__resample res_comp[4]; + + for (k=0; k < decode_n; ++k) { + stbi__resample *r = &res_comp[k]; + + // allocate line buffer big enough for upsampling off the edges + // with upsample factor of 4 + z->img_comp[k].linebuf = (stbi_uc *) stbi__malloc(z->s->img_x + 3); + if (!z->img_comp[k].linebuf) { stbi__cleanup_jpeg(z); return stbi__errpuc("outofmem", "Out of memory"); } + + r->hs = z->img_h_max / z->img_comp[k].h; + r->vs = z->img_v_max / z->img_comp[k].v; + r->ystep = r->vs >> 1; + r->w_lores = (z->s->img_x + r->hs-1) / r->hs; + r->ypos = 0; + r->line0 = r->line1 = z->img_comp[k].data; + + if (r->hs == 1 && r->vs == 1) r->resample = resample_row_1; + else if (r->hs == 1 && r->vs == 2) r->resample = stbi__resample_row_v_2; + else if (r->hs == 2 && r->vs == 1) r->resample = stbi__resample_row_h_2; + else if (r->hs == 2 && r->vs == 2) r->resample = z->resample_row_hv_2_kernel; + else r->resample = stbi__resample_row_generic; + } + + // can't error after this so, this is safe + output = (stbi_uc *) stbi__malloc_mad3(n, z->s->img_x, z->s->img_y, 1); + if (!output) { stbi__cleanup_jpeg(z); return stbi__errpuc("outofmem", "Out of memory"); } + + // now go ahead and resample + for (j=0; j < z->s->img_y; ++j) { + stbi_uc *out = output + n * z->s->img_x * j; + for (k=0; k < decode_n; ++k) { + stbi__resample *r = &res_comp[k]; + int y_bot = r->ystep >= (r->vs >> 1); + coutput[k] = r->resample(z->img_comp[k].linebuf, + 
y_bot ? r->line1 : r->line0, + y_bot ? r->line0 : r->line1, + r->w_lores, r->hs); + if (++r->ystep >= r->vs) { + r->ystep = 0; + r->line0 = r->line1; + if (++r->ypos < z->img_comp[k].y) + r->line1 += z->img_comp[k].w2; + } + } + if (n >= 3) { + stbi_uc *y = coutput[0]; + if (z->s->img_n == 3) { + if (is_rgb) { + for (i=0; i < z->s->img_x; ++i) { + out[0] = y[i]; + out[1] = coutput[1][i]; + out[2] = coutput[2][i]; + out[3] = 255; + out += n; + } + } else { + z->YCbCr_to_RGB_kernel(out, y, coutput[1], coutput[2], z->s->img_x, n); + } + } else if (z->s->img_n == 4) { + if (z->app14_color_transform == 0) { // CMYK + for (i=0; i < z->s->img_x; ++i) { + stbi_uc m = coutput[3][i]; + out[0] = stbi__blinn_8x8(coutput[0][i], m); + out[1] = stbi__blinn_8x8(coutput[1][i], m); + out[2] = stbi__blinn_8x8(coutput[2][i], m); + out[3] = 255; + out += n; + } + } else if (z->app14_color_transform == 2) { // YCCK + z->YCbCr_to_RGB_kernel(out, y, coutput[1], coutput[2], z->s->img_x, n); + for (i=0; i < z->s->img_x; ++i) { + stbi_uc m = coutput[3][i]; + out[0] = stbi__blinn_8x8(255 - out[0], m); + out[1] = stbi__blinn_8x8(255 - out[1], m); + out[2] = stbi__blinn_8x8(255 - out[2], m); + out += n; + } + } else { // YCbCr + alpha? 
Ignore the fourth channel for now + z->YCbCr_to_RGB_kernel(out, y, coutput[1], coutput[2], z->s->img_x, n); + } + } else + for (i=0; i < z->s->img_x; ++i) { + out[0] = out[1] = out[2] = y[i]; + out[3] = 255; // not used if n==3 + out += n; + } + } else { + if (is_rgb) { + if (n == 1) + for (i=0; i < z->s->img_x; ++i) + *out++ = stbi__compute_y(coutput[0][i], coutput[1][i], coutput[2][i]); + else { + for (i=0; i < z->s->img_x; ++i, out += 2) { + out[0] = stbi__compute_y(coutput[0][i], coutput[1][i], coutput[2][i]); + out[1] = 255; + } + } + } else if (z->s->img_n == 4 && z->app14_color_transform == 0) { + for (i=0; i < z->s->img_x; ++i) { + stbi_uc m = coutput[3][i]; + stbi_uc r = stbi__blinn_8x8(coutput[0][i], m); + stbi_uc g = stbi__blinn_8x8(coutput[1][i], m); + stbi_uc b = stbi__blinn_8x8(coutput[2][i], m); + out[0] = stbi__compute_y(r, g, b); + out[1] = 255; + out += n; + } + } else if (z->s->img_n == 4 && z->app14_color_transform == 2) { + for (i=0; i < z->s->img_x; ++i) { + out[0] = stbi__blinn_8x8(255 - coutput[0][i], coutput[3][i]); + out[1] = 255; + out += n; + } + } else { + stbi_uc *y = coutput[0]; + if (n == 1) + for (i=0; i < z->s->img_x; ++i) out[i] = y[i]; + else + for (i=0; i < z->s->img_x; ++i) { *out++ = y[i]; *out++ = 255; } + } + } + } + stbi__cleanup_jpeg(z); + *out_x = z->s->img_x; + *out_y = z->s->img_y; + if (comp) *comp = z->s->img_n >= 3 ? 
3 : 1; // report original components, not output + return output; + } +} + +static void *stbi__jpeg_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri) +{ + unsigned char* result; + stbi__jpeg* j = (stbi__jpeg*) stbi__malloc(sizeof(stbi__jpeg)); + STBI_NOTUSED(ri); + j->s = s; + stbi__setup_jpeg(j); + result = load_jpeg_image(j, x,y,comp,req_comp); + STBI_FREE(j); + return result; +} + +static int stbi__jpeg_test(stbi__context *s) +{ + int r; + stbi__jpeg* j = (stbi__jpeg*)stbi__malloc(sizeof(stbi__jpeg)); + j->s = s; + stbi__setup_jpeg(j); + r = stbi__decode_jpeg_header(j, STBI__SCAN_type); + stbi__rewind(s); + STBI_FREE(j); + return r; +} + +static int stbi__jpeg_info_raw(stbi__jpeg *j, int *x, int *y, int *comp) +{ + if (!stbi__decode_jpeg_header(j, STBI__SCAN_header)) { + stbi__rewind( j->s ); + return 0; + } + if (x) *x = j->s->img_x; + if (y) *y = j->s->img_y; + if (comp) *comp = j->s->img_n >= 3 ? 3 : 1; + return 1; +} + +static int stbi__jpeg_info(stbi__context *s, int *x, int *y, int *comp) +{ + int result; + stbi__jpeg* j = (stbi__jpeg*) (stbi__malloc(sizeof(stbi__jpeg))); + j->s = s; + result = stbi__jpeg_info_raw(j, x, y, comp); + STBI_FREE(j); + return result; +} +#endif + +// public domain zlib decode v0.2 Sean Barrett 2006-11-18 +// simple implementation +// - all input must be provided in an upfront buffer +// - all output is written to a single output buffer (can malloc/realloc) +// performance +// - fast huffman + +#ifndef STBI_NO_ZLIB + +// fast-way is faster to check than jpeg huffman, but slow way is slower +#define STBI__ZFAST_BITS 9 // accelerate all cases in default tables +#define STBI__ZFAST_MASK ((1 << STBI__ZFAST_BITS) - 1) + +// zlib-style huffman encoding +// (jpegs packs from left, zlib from right, so can't share code) +typedef struct +{ + stbi__uint16 fast[1 << STBI__ZFAST_BITS]; + stbi__uint16 firstcode[16]; + int maxcode[17]; + stbi__uint16 firstsymbol[16]; + stbi_uc size[288]; + stbi__uint16 
value[288]; +} stbi__zhuffman; + +stbi_inline static int stbi__bitreverse16(int n) +{ + n = ((n & 0xAAAA) >> 1) | ((n & 0x5555) << 1); + n = ((n & 0xCCCC) >> 2) | ((n & 0x3333) << 2); + n = ((n & 0xF0F0) >> 4) | ((n & 0x0F0F) << 4); + n = ((n & 0xFF00) >> 8) | ((n & 0x00FF) << 8); + return n; +} + +stbi_inline static int stbi__bit_reverse(int v, int bits) +{ + STBI_ASSERT(bits <= 16); + // to bit reverse n bits, reverse 16 and shift + // e.g. 11 bits, bit reverse and shift away 5 + return stbi__bitreverse16(v) >> (16-bits); +} + +static int stbi__zbuild_huffman(stbi__zhuffman *z, const stbi_uc *sizelist, int num) +{ + int i,k=0; + int code, next_code[16], sizes[17]; + + // DEFLATE spec for generating codes + memset(sizes, 0, sizeof(sizes)); + memset(z->fast, 0, sizeof(z->fast)); + for (i=0; i < num; ++i) + ++sizes[sizelist[i]]; + sizes[0] = 0; + for (i=1; i < 16; ++i) + if (sizes[i] > (1 << i)) + return stbi__err("bad sizes", "Corrupt PNG"); + code = 0; + for (i=1; i < 16; ++i) { + next_code[i] = code; + z->firstcode[i] = (stbi__uint16) code; + z->firstsymbol[i] = (stbi__uint16) k; + code = (code + sizes[i]); + if (sizes[i]) + if (code-1 >= (1 << i)) return stbi__err("bad codelengths","Corrupt PNG"); + z->maxcode[i] = code << (16-i); // preshift for inner loop + code <<= 1; + k += sizes[i]; + } + z->maxcode[16] = 0x10000; // sentinel + for (i=0; i < num; ++i) { + int s = sizelist[i]; + if (s) { + int c = next_code[s] - z->firstcode[s] + z->firstsymbol[s]; + stbi__uint16 fastv = (stbi__uint16) ((s << 9) | i); + z->size [c] = (stbi_uc ) s; + z->value[c] = (stbi__uint16) i; + if (s <= STBI__ZFAST_BITS) { + int j = stbi__bit_reverse(next_code[s],s); + while (j < (1 << STBI__ZFAST_BITS)) { + z->fast[j] = fastv; + j += (1 << s); + } + } + ++next_code[s]; + } + } + return 1; +} + +// zlib-from-memory implementation for PNG reading +// because PNG allows splitting the zlib stream arbitrarily, +// and it's annoying structurally to have PNG call ZLIB call PNG, +// we require 
PNG read all the IDATs and combine them into a single +// memory buffer + +typedef struct +{ + stbi_uc *zbuffer, *zbuffer_end; + int num_bits; + stbi__uint32 code_buffer; + + char *zout; + char *zout_start; + char *zout_end; + int z_expandable; + + stbi__zhuffman z_length, z_distance; +} stbi__zbuf; + +stbi_inline static int stbi__zeof(stbi__zbuf *z) +{ + return (z->zbuffer >= z->zbuffer_end); +} + +stbi_inline static stbi_uc stbi__zget8(stbi__zbuf *z) +{ + return stbi__zeof(z) ? 0 : *z->zbuffer++; +} + +static void stbi__fill_bits(stbi__zbuf *z) +{ + do { + if (z->code_buffer >= (1U << z->num_bits)) { + z->zbuffer = z->zbuffer_end; /* treat this as EOF so we fail. */ + return; + } + z->code_buffer |= (unsigned int) stbi__zget8(z) << z->num_bits; + z->num_bits += 8; + } while (z->num_bits <= 24); +} + +stbi_inline static unsigned int stbi__zreceive(stbi__zbuf *z, int n) +{ + unsigned int k; + if (z->num_bits < n) stbi__fill_bits(z); + k = z->code_buffer & ((1 << n) - 1); + z->code_buffer >>= n; + z->num_bits -= n; + return k; +} + +static int stbi__zhuffman_decode_slowpath(stbi__zbuf *a, stbi__zhuffman *z) +{ + int b,s,k; + // not resolved by fast table, so compute it the slow way + // use jpeg approach, which requires MSbits at top + k = stbi__bit_reverse(a->code_buffer, 16); + for (s=STBI__ZFAST_BITS+1; ; ++s) + if (k < z->maxcode[s]) + break; + if (s >= 16) return -1; // invalid code! + // code size is s, so: + b = (k >> (16-s)) - z->firstcode[s] + z->firstsymbol[s]; + if (b >= sizeof (z->size)) return -1; // some data was corrupt somewhere! + if (z->size[b] != s) return -1; // was originally an assert, but report failure instead. + a->code_buffer >>= s; + a->num_bits -= s; + return z->value[b]; +} + +stbi_inline static int stbi__zhuffman_decode(stbi__zbuf *a, stbi__zhuffman *z) +{ + int b,s; + if (a->num_bits < 16) { + if (stbi__zeof(a)) { + return -1; /* report error for unexpected end of data. 
*/ + } + stbi__fill_bits(a); + } + b = z->fast[a->code_buffer & STBI__ZFAST_MASK]; + if (b) { + s = b >> 9; + a->code_buffer >>= s; + a->num_bits -= s; + return b & 511; + } + return stbi__zhuffman_decode_slowpath(a, z); +} + +static int stbi__zexpand(stbi__zbuf *z, char *zout, int n) // need to make room for n bytes +{ + char *q; + unsigned int cur, limit, old_limit; + z->zout = zout; + if (!z->z_expandable) return stbi__err("output buffer limit","Corrupt PNG"); + cur = (unsigned int) (z->zout - z->zout_start); + limit = old_limit = (unsigned) (z->zout_end - z->zout_start); + if (UINT_MAX - cur < (unsigned) n) return stbi__err("outofmem", "Out of memory"); + while (cur + n > limit) { + if(limit > UINT_MAX / 2) return stbi__err("outofmem", "Out of memory"); + limit *= 2; + } + q = (char *) STBI_REALLOC_SIZED(z->zout_start, old_limit, limit); + STBI_NOTUSED(old_limit); + if (q == NULL) return stbi__err("outofmem", "Out of memory"); + z->zout_start = q; + z->zout = q + cur; + z->zout_end = q + limit; + return 1; +} + +static const int stbi__zlength_base[31] = { + 3,4,5,6,7,8,9,10,11,13, + 15,17,19,23,27,31,35,43,51,59, + 67,83,99,115,131,163,195,227,258,0,0 }; + +static const int stbi__zlength_extra[31]= +{ 0,0,0,0,0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3,4,4,4,4,5,5,5,5,0,0,0 }; + +static const int stbi__zdist_base[32] = { 1,2,3,4,5,7,9,13,17,25,33,49,65,97,129,193, +257,385,513,769,1025,1537,2049,3073,4097,6145,8193,12289,16385,24577,0,0}; + +static const int stbi__zdist_extra[32] = +{ 0,0,0,0,1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,9,9,10,10,11,11,12,12,13,13}; + +static int stbi__parse_huffman_block(stbi__zbuf *a) +{ + char *zout = a->zout; + for(;;) { + int z = stbi__zhuffman_decode(a, &a->z_length); + if (z < 256) { + if (z < 0) return stbi__err("bad huffman code","Corrupt PNG"); // error in huffman codes + if (zout >= a->zout_end) { + if (!stbi__zexpand(a, zout, 1)) return 0; + zout = a->zout; + } + *zout++ = (char) z; + } else { + stbi_uc *p; + int len,dist; + if (z == 256) { 
+ a->zout = zout; + return 1; + } + z -= 257; + len = stbi__zlength_base[z]; + if (stbi__zlength_extra[z]) len += stbi__zreceive(a, stbi__zlength_extra[z]); + z = stbi__zhuffman_decode(a, &a->z_distance); + if (z < 0) return stbi__err("bad huffman code","Corrupt PNG"); + dist = stbi__zdist_base[z]; + if (stbi__zdist_extra[z]) dist += stbi__zreceive(a, stbi__zdist_extra[z]); + if (zout - a->zout_start < dist) return stbi__err("bad dist","Corrupt PNG"); + if (zout + len > a->zout_end) { + if (!stbi__zexpand(a, zout, len)) return 0; + zout = a->zout; + } + p = (stbi_uc *) (zout - dist); + if (dist == 1) { // run of one byte; common in images. + stbi_uc v = *p; + if (len) { do *zout++ = v; while (--len); } + } else { + if (len) { do *zout++ = *p++; while (--len); } + } + } + } +} + +static int stbi__compute_huffman_codes(stbi__zbuf *a) +{ + static const stbi_uc length_dezigzag[19] = { 16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15 }; + stbi__zhuffman z_codelength; + stbi_uc lencodes[286+32+137];//padding for maximum single op + stbi_uc codelength_sizes[19]; + int i,n; + + int hlit = stbi__zreceive(a,5) + 257; + int hdist = stbi__zreceive(a,5) + 1; + int hclen = stbi__zreceive(a,4) + 4; + int ntot = hlit + hdist; + + memset(codelength_sizes, 0, sizeof(codelength_sizes)); + for (i=0; i < hclen; ++i) { + int s = stbi__zreceive(a,3); + codelength_sizes[length_dezigzag[i]] = (stbi_uc) s; + } + if (!stbi__zbuild_huffman(&z_codelength, codelength_sizes, 19)) return 0; + + n = 0; + while (n < ntot) { + int c = stbi__zhuffman_decode(a, &z_codelength); + if (c < 0 || c >= 19) return stbi__err("bad codelengths", "Corrupt PNG"); + if (c < 16) + lencodes[n++] = (stbi_uc) c; + else { + stbi_uc fill = 0; + if (c == 16) { + c = stbi__zreceive(a,2)+3; + if (n == 0) return stbi__err("bad codelengths", "Corrupt PNG"); + fill = lencodes[n-1]; + } else if (c == 17) { + c = stbi__zreceive(a,3)+3; + } else if (c == 18) { + c = stbi__zreceive(a,7)+11; + } else { + return stbi__err("bad 
codelengths", "Corrupt PNG"); + } + if (ntot - n < c) return stbi__err("bad codelengths", "Corrupt PNG"); + memset(lencodes+n, fill, c); + n += c; + } + } + if (n != ntot) return stbi__err("bad codelengths","Corrupt PNG"); + if (!stbi__zbuild_huffman(&a->z_length, lencodes, hlit)) return 0; + if (!stbi__zbuild_huffman(&a->z_distance, lencodes+hlit, hdist)) return 0; + return 1; +} + +static int stbi__parse_uncompressed_block(stbi__zbuf *a) +{ + stbi_uc header[4]; + int len,nlen,k; + if (a->num_bits & 7) + stbi__zreceive(a, a->num_bits & 7); // discard + // drain the bit-packed data into header + k = 0; + while (a->num_bits > 0) { + header[k++] = (stbi_uc) (a->code_buffer & 255); // suppress MSVC run-time check + a->code_buffer >>= 8; + a->num_bits -= 8; + } + if (a->num_bits < 0) return stbi__err("zlib corrupt","Corrupt PNG"); + // now fill header the normal way + while (k < 4) + header[k++] = stbi__zget8(a); + len = header[1] * 256 + header[0]; + nlen = header[3] * 256 + header[2]; + if (nlen != (len ^ 0xffff)) return stbi__err("zlib corrupt","Corrupt PNG"); + if (a->zbuffer + len > a->zbuffer_end) return stbi__err("read past buffer","Corrupt PNG"); + if (a->zout + len > a->zout_end) + if (!stbi__zexpand(a, a->zout, len)) return 0; + memcpy(a->zout, a->zbuffer, len); + a->zbuffer += len; + a->zout += len; + return 1; +} + +static int stbi__parse_zlib_header(stbi__zbuf *a) +{ + int cmf = stbi__zget8(a); + int cm = cmf & 15; + /* int cinfo = cmf >> 4; */ + int flg = stbi__zget8(a); + if (stbi__zeof(a)) return stbi__err("bad zlib header","Corrupt PNG"); // zlib spec + if ((cmf*256+flg) % 31 != 0) return stbi__err("bad zlib header","Corrupt PNG"); // zlib spec + if (flg & 32) return stbi__err("no preset dict","Corrupt PNG"); // preset dictionary not allowed in png + if (cm != 8) return stbi__err("bad compression","Corrupt PNG"); // DEFLATE required for png + // window = 1 << (8 + cinfo)... 
but who cares, we fully buffer output + return 1; +} + +static const stbi_uc stbi__zdefault_length[288] = +{ + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, + 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, + 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, + 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, + 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, + 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 7,7,7,7,7,7,7,7,8,8,8,8,8,8,8,8 +}; +static const stbi_uc stbi__zdefault_distance[32] = +{ + 5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5,5 +}; +/* +Init algorithm: +{ + int i; // use <= to match clearly with spec + for (i=0; i <= 143; ++i) stbi__zdefault_length[i] = 8; + for ( ; i <= 255; ++i) stbi__zdefault_length[i] = 9; + for ( ; i <= 279; ++i) stbi__zdefault_length[i] = 7; + for ( ; i <= 287; ++i) stbi__zdefault_length[i] = 8; + + for (i=0; i <= 31; ++i) stbi__zdefault_distance[i] = 5; +} +*/ + +static int stbi__parse_zlib(stbi__zbuf *a, int parse_header) +{ + int final, type; + if (parse_header) + if (!stbi__parse_zlib_header(a)) return 0; + a->num_bits = 0; + a->code_buffer = 0; + do { + final = stbi__zreceive(a,1); + type = stbi__zreceive(a,2); + if (type == 0) { + if (!stbi__parse_uncompressed_block(a)) return 0; + } else if (type == 3) { + return 0; + } else { + if (type == 1) { + // use fixed code lengths + if (!stbi__zbuild_huffman(&a->z_length , stbi__zdefault_length , 288)) return 0; + if (!stbi__zbuild_huffman(&a->z_distance, stbi__zdefault_distance, 32)) return 0; + } else { + if (!stbi__compute_huffman_codes(a)) return 0; + } + if (!stbi__parse_huffman_block(a)) return 0; + } + } while (!final); + return 1; +} + +static int stbi__do_zlib(stbi__zbuf *a, char 
*obuf, int olen, int exp, int parse_header) +{ + a->zout_start = obuf; + a->zout = obuf; + a->zout_end = obuf + olen; + a->z_expandable = exp; + + return stbi__parse_zlib(a, parse_header); +} + +STBIDEF char *stbi_zlib_decode_malloc_guesssize(const char *buffer, int len, int initial_size, int *outlen) +{ + stbi__zbuf a; + char *p = (char *) stbi__malloc(initial_size); + if (p == NULL) return NULL; + a.zbuffer = (stbi_uc *) buffer; + a.zbuffer_end = (stbi_uc *) buffer + len; + if (stbi__do_zlib(&a, p, initial_size, 1, 1)) { + if (outlen) *outlen = (int) (a.zout - a.zout_start); + return a.zout_start; + } else { + STBI_FREE(a.zout_start); + return NULL; + } +} + +STBIDEF char *stbi_zlib_decode_malloc(char const *buffer, int len, int *outlen) +{ + return stbi_zlib_decode_malloc_guesssize(buffer, len, 16384, outlen); +} + +STBIDEF char *stbi_zlib_decode_malloc_guesssize_headerflag(const char *buffer, int len, int initial_size, int *outlen, int parse_header) +{ + stbi__zbuf a; + char *p = (char *) stbi__malloc(initial_size); + if (p == NULL) return NULL; + a.zbuffer = (stbi_uc *) buffer; + a.zbuffer_end = (stbi_uc *) buffer + len; + if (stbi__do_zlib(&a, p, initial_size, 1, parse_header)) { + if (outlen) *outlen = (int) (a.zout - a.zout_start); + return a.zout_start; + } else { + STBI_FREE(a.zout_start); + return NULL; + } +} + +STBIDEF int stbi_zlib_decode_buffer(char *obuffer, int olen, char const *ibuffer, int ilen) +{ + stbi__zbuf a; + a.zbuffer = (stbi_uc *) ibuffer; + a.zbuffer_end = (stbi_uc *) ibuffer + ilen; + if (stbi__do_zlib(&a, obuffer, olen, 0, 1)) + return (int) (a.zout - a.zout_start); + else + return -1; +} + +STBIDEF char *stbi_zlib_decode_noheader_malloc(char const *buffer, int len, int *outlen) +{ + stbi__zbuf a; + char *p = (char *) stbi__malloc(16384); + if (p == NULL) return NULL; + a.zbuffer = (stbi_uc *) buffer; + a.zbuffer_end = (stbi_uc *) buffer+len; + if (stbi__do_zlib(&a, p, 16384, 1, 0)) { + if (outlen) *outlen = (int) (a.zout - 
a.zout_start); + return a.zout_start; + } else { + STBI_FREE(a.zout_start); + return NULL; + } +} + +STBIDEF int stbi_zlib_decode_noheader_buffer(char *obuffer, int olen, const char *ibuffer, int ilen) +{ + stbi__zbuf a; + a.zbuffer = (stbi_uc *) ibuffer; + a.zbuffer_end = (stbi_uc *) ibuffer + ilen; + if (stbi__do_zlib(&a, obuffer, olen, 0, 0)) + return (int) (a.zout - a.zout_start); + else + return -1; +} +#endif + +// public domain "baseline" PNG decoder v0.10 Sean Barrett 2006-11-18 +// simple implementation +// - only 8-bit samples +// - no CRC checking +// - allocates lots of intermediate memory +// - avoids problem of streaming data between subsystems +// - avoids explicit window management +// performance +// - uses stb_zlib, a PD zlib implementation with fast huffman decoding + +#ifndef STBI_NO_PNG +typedef struct +{ + stbi__uint32 length; + stbi__uint32 type; +} stbi__pngchunk; + +static stbi__pngchunk stbi__get_chunk_header(stbi__context *s) +{ + stbi__pngchunk c; + c.length = stbi__get32be(s); + c.type = stbi__get32be(s); + return c; +} + +static int stbi__check_png_header(stbi__context *s) +{ + static const stbi_uc png_sig[8] = { 137,80,78,71,13,10,26,10 }; + int i; + for (i=0; i < 8; ++i) + if (stbi__get8(s) != png_sig[i]) return stbi__err("bad png sig","Not a PNG"); + return 1; +} + +typedef struct +{ + stbi__context *s; + stbi_uc *idata, *expanded, *out; + int depth; +} stbi__png; + + +enum { + STBI__F_none=0, + STBI__F_sub=1, + STBI__F_up=2, + STBI__F_avg=3, + STBI__F_paeth=4, + // synthetic filters used for first scanline to avoid needing a dummy row of 0s + STBI__F_avg_first, + STBI__F_paeth_first +}; + +static stbi_uc first_row_filter[5] = +{ + STBI__F_none, + STBI__F_sub, + STBI__F_none, + STBI__F_avg_first, + STBI__F_paeth_first +}; + +static int stbi__paeth(int a, int b, int c) +{ + int p = a + b - c; + int pa = abs(p-a); + int pb = abs(p-b); + int pc = abs(p-c); + if (pa <= pb && pa <= pc) return a; + if (pb <= pc) return b; + return c; +} + 
+static const stbi_uc stbi__depth_scale_table[9] = { 0, 0xff, 0x55, 0, 0x11, 0,0,0, 0x01 }; + +// create the png data from post-deflated data +static int stbi__create_png_image_raw(stbi__png *a, stbi_uc *raw, stbi__uint32 raw_len, int out_n, stbi__uint32 x, stbi__uint32 y, int depth, int color) +{ + int bytes = (depth == 16? 2 : 1); + stbi__context *s = a->s; + stbi__uint32 i,j,stride = x*out_n*bytes; + stbi__uint32 img_len, img_width_bytes; + int k; + int img_n = s->img_n; // copy it into a local for later + + int output_bytes = out_n*bytes; + int filter_bytes = img_n*bytes; + int width = x; + + STBI_ASSERT(out_n == s->img_n || out_n == s->img_n+1); + a->out = (stbi_uc *) stbi__malloc_mad3(x, y, output_bytes, 0); // extra bytes to write off the end into + if (!a->out) return stbi__err("outofmem", "Out of memory"); + + if (!stbi__mad3sizes_valid(img_n, x, depth, 7)) return stbi__err("too large", "Corrupt PNG"); + img_width_bytes = (((img_n * x * depth) + 7) >> 3); + img_len = (img_width_bytes + 1) * y; + + // we used to check for exact match between raw_len and img_len on non-interlaced PNGs, + // but issue #276 reported a PNG in the wild that had extra data at the end (all zeros), + // so just check for raw_len < img_len always. 
+ if (raw_len < img_len) return stbi__err("not enough pixels","Corrupt PNG"); + + for (j=0; j < y; ++j) { + stbi_uc *cur = a->out + stride*j; + stbi_uc *prior; + int filter = *raw++; + + if (filter > 4) + return stbi__err("invalid filter","Corrupt PNG"); + + if (depth < 8) { + if (img_width_bytes > x) return stbi__err("invalid width","Corrupt PNG"); + cur += x*out_n - img_width_bytes; // store output to the rightmost img_len bytes, so we can decode in place + filter_bytes = 1; + width = img_width_bytes; + } + prior = cur - stride; // bugfix: need to compute this after 'cur +=' computation above + + // if first row, use special filter that doesn't sample previous row + if (j == 0) filter = first_row_filter[filter]; + + // handle first byte explicitly + for (k=0; k < filter_bytes; ++k) { + switch (filter) { + case STBI__F_none : cur[k] = raw[k]; break; + case STBI__F_sub : cur[k] = raw[k]; break; + case STBI__F_up : cur[k] = STBI__BYTECAST(raw[k] + prior[k]); break; + case STBI__F_avg : cur[k] = STBI__BYTECAST(raw[k] + (prior[k]>>1)); break; + case STBI__F_paeth : cur[k] = STBI__BYTECAST(raw[k] + stbi__paeth(0,prior[k],0)); break; + case STBI__F_avg_first : cur[k] = raw[k]; break; + case STBI__F_paeth_first: cur[k] = raw[k]; break; + } + } + + if (depth == 8) { + if (img_n != out_n) + cur[img_n] = 255; // first pixel + raw += img_n; + cur += out_n; + prior += out_n; + } else if (depth == 16) { + if (img_n != out_n) { + cur[filter_bytes] = 255; // first pixel top byte + cur[filter_bytes+1] = 255; // first pixel bottom byte + } + raw += filter_bytes; + cur += output_bytes; + prior += output_bytes; + } else { + raw += 1; + cur += 1; + prior += 1; + } + + // this is a little gross, so that we don't switch per-pixel or per-component + if (depth < 8 || img_n == out_n) { + int nk = (width - 1)*filter_bytes; + #define STBI__CASE(f) \ + case f: \ + for (k=0; k < nk; ++k) + switch (filter) { + // "none" filter turns into a memcpy here; make that explicit. 
+ case STBI__F_none: memcpy(cur, raw, nk); break; + STBI__CASE(STBI__F_sub) { cur[k] = STBI__BYTECAST(raw[k] + cur[k-filter_bytes]); } break; + STBI__CASE(STBI__F_up) { cur[k] = STBI__BYTECAST(raw[k] + prior[k]); } break; + STBI__CASE(STBI__F_avg) { cur[k] = STBI__BYTECAST(raw[k] + ((prior[k] + cur[k-filter_bytes])>>1)); } break; + STBI__CASE(STBI__F_paeth) { cur[k] = STBI__BYTECAST(raw[k] + stbi__paeth(cur[k-filter_bytes],prior[k],prior[k-filter_bytes])); } break; + STBI__CASE(STBI__F_avg_first) { cur[k] = STBI__BYTECAST(raw[k] + (cur[k-filter_bytes] >> 1)); } break; + STBI__CASE(STBI__F_paeth_first) { cur[k] = STBI__BYTECAST(raw[k] + stbi__paeth(cur[k-filter_bytes],0,0)); } break; + } + #undef STBI__CASE + raw += nk; + } else { + STBI_ASSERT(img_n+1 == out_n); + #define STBI__CASE(f) \ + case f: \ + for (i=x-1; i >= 1; --i, cur[filter_bytes]=255,raw+=filter_bytes,cur+=output_bytes,prior+=output_bytes) \ + for (k=0; k < filter_bytes; ++k) + switch (filter) { + STBI__CASE(STBI__F_none) { cur[k] = raw[k]; } break; + STBI__CASE(STBI__F_sub) { cur[k] = STBI__BYTECAST(raw[k] + cur[k- output_bytes]); } break; + STBI__CASE(STBI__F_up) { cur[k] = STBI__BYTECAST(raw[k] + prior[k]); } break; + STBI__CASE(STBI__F_avg) { cur[k] = STBI__BYTECAST(raw[k] + ((prior[k] + cur[k- output_bytes])>>1)); } break; + STBI__CASE(STBI__F_paeth) { cur[k] = STBI__BYTECAST(raw[k] + stbi__paeth(cur[k- output_bytes],prior[k],prior[k- output_bytes])); } break; + STBI__CASE(STBI__F_avg_first) { cur[k] = STBI__BYTECAST(raw[k] + (cur[k- output_bytes] >> 1)); } break; + STBI__CASE(STBI__F_paeth_first) { cur[k] = STBI__BYTECAST(raw[k] + stbi__paeth(cur[k- output_bytes],0,0)); } break; + } + #undef STBI__CASE + + // the loop above sets the high byte of the pixels' alpha, but for + // 16 bit png files we also need the low byte set. we'll do that here. 
+ if (depth == 16) { + cur = a->out + stride*j; // start at the beginning of the row again + for (i=0; i < x; ++i,cur+=output_bytes) { + cur[filter_bytes+1] = 255; + } + } + } + } + + // we make a separate pass to expand bits to pixels; for performance, + // this could run two scanlines behind the above code, so it won't + // intefere with filtering but will still be in the cache. + if (depth < 8) { + for (j=0; j < y; ++j) { + stbi_uc *cur = a->out + stride*j; + stbi_uc *in = a->out + stride*j + x*out_n - img_width_bytes; + // unpack 1/2/4-bit into a 8-bit buffer. allows us to keep the common 8-bit path optimal at minimal cost for 1/2/4-bit + // png guarante byte alignment, if width is not multiple of 8/4/2 we'll decode dummy trailing data that will be skipped in the later loop + stbi_uc scale = (color == 0) ? stbi__depth_scale_table[depth] : 1; // scale grayscale values to 0..255 range + + // note that the final byte might overshoot and write more data than desired. + // we can allocate enough data that this never writes out of memory, but it + // could also overwrite the next scanline. can it overwrite non-empty data + // on the next scanline? yes, consider 1-pixel-wide scanlines with 1-bit-per-pixel. 
+ // so we need to explicitly clamp the final ones + + if (depth == 4) { + for (k=x*img_n; k >= 2; k-=2, ++in) { + *cur++ = scale * ((*in >> 4) ); + *cur++ = scale * ((*in ) & 0x0f); + } + if (k > 0) *cur++ = scale * ((*in >> 4) ); + } else if (depth == 2) { + for (k=x*img_n; k >= 4; k-=4, ++in) { + *cur++ = scale * ((*in >> 6) ); + *cur++ = scale * ((*in >> 4) & 0x03); + *cur++ = scale * ((*in >> 2) & 0x03); + *cur++ = scale * ((*in ) & 0x03); + } + if (k > 0) *cur++ = scale * ((*in >> 6) ); + if (k > 1) *cur++ = scale * ((*in >> 4) & 0x03); + if (k > 2) *cur++ = scale * ((*in >> 2) & 0x03); + } else if (depth == 1) { + for (k=x*img_n; k >= 8; k-=8, ++in) { + *cur++ = scale * ((*in >> 7) ); + *cur++ = scale * ((*in >> 6) & 0x01); + *cur++ = scale * ((*in >> 5) & 0x01); + *cur++ = scale * ((*in >> 4) & 0x01); + *cur++ = scale * ((*in >> 3) & 0x01); + *cur++ = scale * ((*in >> 2) & 0x01); + *cur++ = scale * ((*in >> 1) & 0x01); + *cur++ = scale * ((*in ) & 0x01); + } + if (k > 0) *cur++ = scale * ((*in >> 7) ); + if (k > 1) *cur++ = scale * ((*in >> 6) & 0x01); + if (k > 2) *cur++ = scale * ((*in >> 5) & 0x01); + if (k > 3) *cur++ = scale * ((*in >> 4) & 0x01); + if (k > 4) *cur++ = scale * ((*in >> 3) & 0x01); + if (k > 5) *cur++ = scale * ((*in >> 2) & 0x01); + if (k > 6) *cur++ = scale * ((*in >> 1) & 0x01); + } + if (img_n != out_n) { + int q; + // insert alpha = 255 + cur = a->out + stride*j; + if (img_n == 1) { + for (q=x-1; q >= 0; --q) { + cur[q*2+1] = 255; + cur[q*2+0] = cur[q]; + } + } else { + STBI_ASSERT(img_n == 3); + for (q=x-1; q >= 0; --q) { + cur[q*4+3] = 255; + cur[q*4+2] = cur[q*3+2]; + cur[q*4+1] = cur[q*3+1]; + cur[q*4+0] = cur[q*3+0]; + } + } + } + } + } else if (depth == 16) { + // force the image data from big-endian to platform-native. + // this is done in a separate pass due to the decoding relying + // on the data being untouched, but could probably be done + // per-line during decode if care is taken. 
+ stbi_uc *cur = a->out; + stbi__uint16 *cur16 = (stbi__uint16*)cur; + + for(i=0; i < x*y*out_n; ++i,cur16++,cur+=2) { + *cur16 = (cur[0] << 8) | cur[1]; + } + } + + return 1; +} + +static int stbi__create_png_image(stbi__png *a, stbi_uc *image_data, stbi__uint32 image_data_len, int out_n, int depth, int color, int interlaced) +{ + int bytes = (depth == 16 ? 2 : 1); + int out_bytes = out_n * bytes; + stbi_uc *final; + int p; + if (!interlaced) + return stbi__create_png_image_raw(a, image_data, image_data_len, out_n, a->s->img_x, a->s->img_y, depth, color); + + // de-interlacing + final = (stbi_uc *) stbi__malloc_mad3(a->s->img_x, a->s->img_y, out_bytes, 0); + for (p=0; p < 7; ++p) { + int xorig[] = { 0,4,0,2,0,1,0 }; + int yorig[] = { 0,0,4,0,2,0,1 }; + int xspc[] = { 8,8,4,4,2,2,1 }; + int yspc[] = { 8,8,8,4,4,2,2 }; + int i,j,x,y; + // pass1_x[4] = 0, pass1_x[5] = 1, pass1_x[12] = 1 + x = (a->s->img_x - xorig[p] + xspc[p]-1) / xspc[p]; + y = (a->s->img_y - yorig[p] + yspc[p]-1) / yspc[p]; + if (x && y) { + stbi__uint32 img_len = ((((a->s->img_n * x * depth) + 7) >> 3) + 1) * y; + if (!stbi__create_png_image_raw(a, image_data, image_data_len, out_n, x, y, depth, color)) { + STBI_FREE(final); + return 0; + } + for (j=0; j < y; ++j) { + for (i=0; i < x; ++i) { + int out_y = j*yspc[p]+yorig[p]; + int out_x = i*xspc[p]+xorig[p]; + memcpy(final + out_y*a->s->img_x*out_bytes + out_x*out_bytes, + a->out + (j*x+i)*out_bytes, out_bytes); + } + } + STBI_FREE(a->out); + image_data += img_len; + image_data_len -= img_len; + } + } + a->out = final; + + return 1; +} + +static int stbi__compute_transparency(stbi__png *z, stbi_uc tc[3], int out_n) +{ + stbi__context *s = z->s; + stbi__uint32 i, pixel_count = s->img_x * s->img_y; + stbi_uc *p = z->out; + + // compute color-based transparency, assuming we've + // already got 255 as the alpha value in the output + STBI_ASSERT(out_n == 2 || out_n == 4); + + if (out_n == 2) { + for (i=0; i < pixel_count; ++i) { + p[1] = (p[0] == tc[0] 
? 0 : 255); + p += 2; + } + } else { + for (i=0; i < pixel_count; ++i) { + if (p[0] == tc[0] && p[1] == tc[1] && p[2] == tc[2]) + p[3] = 0; + p += 4; + } + } + return 1; +} + +static int stbi__compute_transparency16(stbi__png *z, stbi__uint16 tc[3], int out_n) +{ + stbi__context *s = z->s; + stbi__uint32 i, pixel_count = s->img_x * s->img_y; + stbi__uint16 *p = (stbi__uint16*) z->out; + + // compute color-based transparency, assuming we've + // already got 65535 as the alpha value in the output + STBI_ASSERT(out_n == 2 || out_n == 4); + + if (out_n == 2) { + for (i = 0; i < pixel_count; ++i) { + p[1] = (p[0] == tc[0] ? 0 : 65535); + p += 2; + } + } else { + for (i = 0; i < pixel_count; ++i) { + if (p[0] == tc[0] && p[1] == tc[1] && p[2] == tc[2]) + p[3] = 0; + p += 4; + } + } + return 1; +} + +static int stbi__expand_png_palette(stbi__png *a, stbi_uc *palette, int len, int pal_img_n) +{ + stbi__uint32 i, pixel_count = a->s->img_x * a->s->img_y; + stbi_uc *p, *temp_out, *orig = a->out; + + p = (stbi_uc *) stbi__malloc_mad2(pixel_count, pal_img_n, 0); + if (p == NULL) return stbi__err("outofmem", "Out of memory"); + + // between here and free(out) below, exitting would leak + temp_out = p; + + if (pal_img_n == 3) { + for (i=0; i < pixel_count; ++i) { + int n = orig[i]*4; + p[0] = palette[n ]; + p[1] = palette[n+1]; + p[2] = palette[n+2]; + p += 3; + } + } else { + for (i=0; i < pixel_count; ++i) { + int n = orig[i]*4; + p[0] = palette[n ]; + p[1] = palette[n+1]; + p[2] = palette[n+2]; + p[3] = palette[n+3]; + p += 4; + } + } + STBI_FREE(a->out); + a->out = temp_out; + + STBI_NOTUSED(len); + + return 1; +} + +static int stbi__unpremultiply_on_load = 0; +static int stbi__de_iphone_flag = 0; + +STBIDEF void stbi_set_unpremultiply_on_load(int flag_true_if_should_unpremultiply) +{ + stbi__unpremultiply_on_load = flag_true_if_should_unpremultiply; +} + +STBIDEF void stbi_convert_iphone_png_to_rgb(int flag_true_if_should_convert) +{ + stbi__de_iphone_flag = 
flag_true_if_should_convert; +} + +static void stbi__de_iphone(stbi__png *z) +{ + stbi__context *s = z->s; + stbi__uint32 i, pixel_count = s->img_x * s->img_y; + stbi_uc *p = z->out; + + if (s->img_out_n == 3) { // convert bgr to rgb + for (i=0; i < pixel_count; ++i) { + stbi_uc t = p[0]; + p[0] = p[2]; + p[2] = t; + p += 3; + } + } else { + STBI_ASSERT(s->img_out_n == 4); + if (stbi__unpremultiply_on_load) { + // convert bgr to rgb and unpremultiply + for (i=0; i < pixel_count; ++i) { + stbi_uc a = p[3]; + stbi_uc t = p[0]; + if (a) { + stbi_uc half = a / 2; + p[0] = (p[2] * 255 + half) / a; + p[1] = (p[1] * 255 + half) / a; + p[2] = ( t * 255 + half) / a; + } else { + p[0] = p[2]; + p[2] = t; + } + p += 4; + } + } else { + // convert bgr to rgb + for (i=0; i < pixel_count; ++i) { + stbi_uc t = p[0]; + p[0] = p[2]; + p[2] = t; + p += 4; + } + } + } +} + +#define STBI__PNG_TYPE(a,b,c,d) (((unsigned) (a) << 24) + ((unsigned) (b) << 16) + ((unsigned) (c) << 8) + (unsigned) (d)) + +static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp) +{ + stbi_uc palette[1024], pal_img_n=0; + stbi_uc has_trans=0, tc[3]={0}; + stbi__uint16 tc16[3]; + stbi__uint32 ioff=0, idata_limit=0, i, pal_len=0; + int first=1,k,interlace=0, color=0, is_iphone=0; + stbi__context *s = z->s; + + z->expanded = NULL; + z->idata = NULL; + z->out = NULL; + + if (!stbi__check_png_header(s)) return 0; + + if (scan == STBI__SCAN_type) return 1; + + for (;;) { + stbi__pngchunk c = stbi__get_chunk_header(s); + switch (c.type) { + case STBI__PNG_TYPE('C','g','B','I'): + is_iphone = 1; + stbi__skip(s, c.length); + break; + case STBI__PNG_TYPE('I','H','D','R'): { + int comp,filter; + if (!first) return stbi__err("multiple IHDR","Corrupt PNG"); + first = 0; + if (c.length != 13) return stbi__err("bad IHDR len","Corrupt PNG"); + s->img_x = stbi__get32be(s); + s->img_y = stbi__get32be(s); + if (s->img_y > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)"); + if 
(s->img_x > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)"); + z->depth = stbi__get8(s); if (z->depth != 1 && z->depth != 2 && z->depth != 4 && z->depth != 8 && z->depth != 16) return stbi__err("1/2/4/8/16-bit only","PNG not supported: 1/2/4/8/16-bit only"); + color = stbi__get8(s); if (color > 6) return stbi__err("bad ctype","Corrupt PNG"); + if (color == 3 && z->depth == 16) return stbi__err("bad ctype","Corrupt PNG"); + if (color == 3) pal_img_n = 3; else if (color & 1) return stbi__err("bad ctype","Corrupt PNG"); + comp = stbi__get8(s); if (comp) return stbi__err("bad comp method","Corrupt PNG"); + filter= stbi__get8(s); if (filter) return stbi__err("bad filter method","Corrupt PNG"); + interlace = stbi__get8(s); if (interlace>1) return stbi__err("bad interlace method","Corrupt PNG"); + if (!s->img_x || !s->img_y) return stbi__err("0-pixel image","Corrupt PNG"); + if (!pal_img_n) { + s->img_n = (color & 2 ? 3 : 1) + (color & 4 ? 1 : 0); + if ((1 << 30) / s->img_x / s->img_n < s->img_y) return stbi__err("too large", "Image too large to decode"); + if (scan == STBI__SCAN_header) return 1; + } else { + // if paletted, then pal_n is our final components, and + // img_n is # components to decompress/filter. 
+ s->img_n = 1; + if ((1 << 30) / s->img_x / 4 < s->img_y) return stbi__err("too large","Corrupt PNG"); + // if SCAN_header, have to scan to see if we have a tRNS + } + break; + } + + case STBI__PNG_TYPE('P','L','T','E'): { + if (first) return stbi__err("first not IHDR", "Corrupt PNG"); + if (c.length > 256*3) return stbi__err("invalid PLTE","Corrupt PNG"); + pal_len = c.length / 3; + if (pal_len * 3 != c.length) return stbi__err("invalid PLTE","Corrupt PNG"); + for (i=0; i < pal_len; ++i) { + palette[i*4+0] = stbi__get8(s); + palette[i*4+1] = stbi__get8(s); + palette[i*4+2] = stbi__get8(s); + palette[i*4+3] = 255; + } + break; + } + + case STBI__PNG_TYPE('t','R','N','S'): { + if (first) return stbi__err("first not IHDR", "Corrupt PNG"); + if (z->idata) return stbi__err("tRNS after IDAT","Corrupt PNG"); + if (pal_img_n) { + if (scan == STBI__SCAN_header) { s->img_n = 4; return 1; } + if (pal_len == 0) return stbi__err("tRNS before PLTE","Corrupt PNG"); + if (c.length > pal_len) return stbi__err("bad tRNS len","Corrupt PNG"); + pal_img_n = 4; + for (i=0; i < c.length; ++i) + palette[i*4+3] = stbi__get8(s); + } else { + if (!(s->img_n & 1)) return stbi__err("tRNS with alpha","Corrupt PNG"); + if (c.length != (stbi__uint32) s->img_n*2) return stbi__err("bad tRNS len","Corrupt PNG"); + has_trans = 1; + if (z->depth == 16) { + for (k = 0; k < s->img_n; ++k) tc16[k] = (stbi__uint16)stbi__get16be(s); // copy the values as-is + } else { + for (k = 0; k < s->img_n; ++k) tc[k] = (stbi_uc)(stbi__get16be(s) & 255) * stbi__depth_scale_table[z->depth]; // non 8-bit images will be larger + } + } + break; + } + + case STBI__PNG_TYPE('I','D','A','T'): { + if (first) return stbi__err("first not IHDR", "Corrupt PNG"); + if (pal_img_n && !pal_len) return stbi__err("no PLTE","Corrupt PNG"); + if (scan == STBI__SCAN_header) { s->img_n = pal_img_n; return 1; } + if ((int)(ioff + c.length) < (int)ioff) return 0; + if (ioff + c.length > idata_limit) { + stbi__uint32 idata_limit_old = 
idata_limit; + stbi_uc *p; + if (idata_limit == 0) idata_limit = c.length > 4096 ? c.length : 4096; + while (ioff + c.length > idata_limit) + idata_limit *= 2; + STBI_NOTUSED(idata_limit_old); + p = (stbi_uc *) STBI_REALLOC_SIZED(z->idata, idata_limit_old, idata_limit); if (p == NULL) return stbi__err("outofmem", "Out of memory"); + z->idata = p; + } + if (!stbi__getn(s, z->idata+ioff,c.length)) return stbi__err("outofdata","Corrupt PNG"); + ioff += c.length; + break; + } + + case STBI__PNG_TYPE('I','E','N','D'): { + stbi__uint32 raw_len, bpl; + if (first) return stbi__err("first not IHDR", "Corrupt PNG"); + if (scan != STBI__SCAN_load) return 1; + if (z->idata == NULL) return stbi__err("no IDAT","Corrupt PNG"); + // initial guess for decoded data size to avoid unnecessary reallocs + bpl = (s->img_x * z->depth + 7) / 8; // bytes per line, per component + raw_len = bpl * s->img_y * s->img_n /* pixels */ + s->img_y /* filter mode per row */; + z->expanded = (stbi_uc *) stbi_zlib_decode_malloc_guesssize_headerflag((char *) z->idata, ioff, raw_len, (int *) &raw_len, !is_iphone); + if (z->expanded == NULL) return 0; // zlib should set error + STBI_FREE(z->idata); z->idata = NULL; + if ((req_comp == s->img_n+1 && req_comp != 3 && !pal_img_n) || has_trans) + s->img_out_n = s->img_n+1; + else + s->img_out_n = s->img_n; + if (!stbi__create_png_image(z, z->expanded, raw_len, s->img_out_n, z->depth, color, interlace)) return 0; + if (has_trans) { + if (z->depth == 16) { + if (!stbi__compute_transparency16(z, tc16, s->img_out_n)) return 0; + } else { + if (!stbi__compute_transparency(z, tc, s->img_out_n)) return 0; + } + } + if (is_iphone && stbi__de_iphone_flag && s->img_out_n > 2) + stbi__de_iphone(z); + if (pal_img_n) { + // pal_img_n == 3 or 4 + s->img_n = pal_img_n; // record the actual colors we had + s->img_out_n = pal_img_n; + if (req_comp >= 3) s->img_out_n = req_comp; + if (!stbi__expand_png_palette(z, palette, pal_len, s->img_out_n)) + return 0; + } else if 
(has_trans) { + // non-paletted image with tRNS -> source image has (constant) alpha + ++s->img_n; + } + STBI_FREE(z->expanded); z->expanded = NULL; + // end of PNG chunk, read and skip CRC + stbi__get32be(s); + return 1; + } + + default: + // if critical, fail + if (first) return stbi__err("first not IHDR", "Corrupt PNG"); + if ((c.type & (1 << 29)) == 0) { + #ifndef STBI_NO_FAILURE_STRINGS + // not threadsafe + static char invalid_chunk[] = "XXXX PNG chunk not known"; + invalid_chunk[0] = STBI__BYTECAST(c.type >> 24); + invalid_chunk[1] = STBI__BYTECAST(c.type >> 16); + invalid_chunk[2] = STBI__BYTECAST(c.type >> 8); + invalid_chunk[3] = STBI__BYTECAST(c.type >> 0); + #endif + return stbi__err(invalid_chunk, "PNG not supported: unknown PNG chunk type"); + } + stbi__skip(s, c.length); + break; + } + // end of PNG chunk, read and skip CRC + stbi__get32be(s); + } +} + +static void *stbi__do_png(stbi__png *p, int *x, int *y, int *n, int req_comp, stbi__result_info *ri) +{ + void *result=NULL; + if (req_comp < 0 || req_comp > 4) return stbi__errpuc("bad req_comp", "Internal error"); + if (stbi__parse_png_file(p, STBI__SCAN_load, req_comp)) { + if (p->depth <= 8) + ri->bits_per_channel = 8; + else if (p->depth == 16) + ri->bits_per_channel = 16; + else + return stbi__errpuc("bad bits_per_channel", "PNG not supported: unsupported color depth"); + result = p->out; + p->out = NULL; + if (req_comp && req_comp != p->s->img_out_n) { + if (ri->bits_per_channel == 8) + result = stbi__convert_format((unsigned char *) result, p->s->img_out_n, req_comp, p->s->img_x, p->s->img_y); + else + result = stbi__convert_format16((stbi__uint16 *) result, p->s->img_out_n, req_comp, p->s->img_x, p->s->img_y); + p->s->img_out_n = req_comp; + if (result == NULL) return result; + } + *x = p->s->img_x; + *y = p->s->img_y; + if (n) *n = p->s->img_n; + } + STBI_FREE(p->out); p->out = NULL; + STBI_FREE(p->expanded); p->expanded = NULL; + STBI_FREE(p->idata); p->idata = NULL; + + return result; +} + 
+static void *stbi__png_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri) +{ + stbi__png p; + p.s = s; + return stbi__do_png(&p, x,y,comp,req_comp, ri); +} + +static int stbi__png_test(stbi__context *s) +{ + int r; + r = stbi__check_png_header(s); + stbi__rewind(s); + return r; +} + +static int stbi__png_info_raw(stbi__png *p, int *x, int *y, int *comp) +{ + if (!stbi__parse_png_file(p, STBI__SCAN_header, 0)) { + stbi__rewind( p->s ); + return 0; + } + if (x) *x = p->s->img_x; + if (y) *y = p->s->img_y; + if (comp) *comp = p->s->img_n; + return 1; +} + +static int stbi__png_info(stbi__context *s, int *x, int *y, int *comp) +{ + stbi__png p; + p.s = s; + return stbi__png_info_raw(&p, x, y, comp); +} + +static int stbi__png_is16(stbi__context *s) +{ + stbi__png p; + p.s = s; + if (!stbi__png_info_raw(&p, NULL, NULL, NULL)) + return 0; + if (p.depth != 16) { + stbi__rewind(p.s); + return 0; + } + return 1; +} +#endif + +// Microsoft/Windows BMP image + +#ifndef STBI_NO_BMP +static int stbi__bmp_test_raw(stbi__context *s) +{ + int r; + int sz; + if (stbi__get8(s) != 'B') return 0; + if (stbi__get8(s) != 'M') return 0; + stbi__get32le(s); // discard filesize + stbi__get16le(s); // discard reserved + stbi__get16le(s); // discard reserved + stbi__get32le(s); // discard data offset + sz = stbi__get32le(s); + r = (sz == 12 || sz == 40 || sz == 56 || sz == 108 || sz == 124); + return r; +} + +static int stbi__bmp_test(stbi__context *s) +{ + int r = stbi__bmp_test_raw(s); + stbi__rewind(s); + return r; +} + + +// returns 0..31 for the highest set bit +static int stbi__high_bit(unsigned int z) +{ + int n=0; + if (z == 0) return -1; + if (z >= 0x10000) { n += 16; z >>= 16; } + if (z >= 0x00100) { n += 8; z >>= 8; } + if (z >= 0x00010) { n += 4; z >>= 4; } + if (z >= 0x00004) { n += 2; z >>= 2; } + if (z >= 0x00002) { n += 1;/* >>= 1;*/ } + return n; +} + +static int stbi__bitcount(unsigned int a) +{ + a = (a & 0x55555555) + ((a >> 1) & 
0x55555555); // max 2 + a = (a & 0x33333333) + ((a >> 2) & 0x33333333); // max 4 + a = (a + (a >> 4)) & 0x0f0f0f0f; // max 8 per 4, now 8 bits + a = (a + (a >> 8)); // max 16 per 8 bits + a = (a + (a >> 16)); // max 32 per 8 bits + return a & 0xff; +} + +// extract an arbitrarily-aligned N-bit value (N=bits) +// from v, and then make it 8-bits long and fractionally +// extend it to full full range. +static int stbi__shiftsigned(unsigned int v, int shift, int bits) +{ + static unsigned int mul_table[9] = { + 0, + 0xff/*0b11111111*/, 0x55/*0b01010101*/, 0x49/*0b01001001*/, 0x11/*0b00010001*/, + 0x21/*0b00100001*/, 0x41/*0b01000001*/, 0x81/*0b10000001*/, 0x01/*0b00000001*/, + }; + static unsigned int shift_table[9] = { + 0, 0,0,1,0,2,4,6,0, + }; + if (shift < 0) + v <<= -shift; + else + v >>= shift; + STBI_ASSERT(v < 256); + v >>= (8-bits); + STBI_ASSERT(bits >= 0 && bits <= 8); + return (int) ((unsigned) v * mul_table[bits]) >> shift_table[bits]; +} + +typedef struct +{ + int bpp, offset, hsz; + unsigned int mr,mg,mb,ma, all_a; + int extra_read; +} stbi__bmp_data; + +static void *stbi__bmp_parse_header(stbi__context *s, stbi__bmp_data *info) +{ + int hsz; + if (stbi__get8(s) != 'B' || stbi__get8(s) != 'M') return stbi__errpuc("not BMP", "Corrupt BMP"); + stbi__get32le(s); // discard filesize + stbi__get16le(s); // discard reserved + stbi__get16le(s); // discard reserved + info->offset = stbi__get32le(s); + info->hsz = hsz = stbi__get32le(s); + info->mr = info->mg = info->mb = info->ma = 0; + info->extra_read = 14; + + if (info->offset < 0) return stbi__errpuc("bad BMP", "bad BMP"); + + if (hsz != 12 && hsz != 40 && hsz != 56 && hsz != 108 && hsz != 124) return stbi__errpuc("unknown BMP", "BMP type not supported: unknown"); + if (hsz == 12) { + s->img_x = stbi__get16le(s); + s->img_y = stbi__get16le(s); + } else { + s->img_x = stbi__get32le(s); + s->img_y = stbi__get32le(s); + } + if (stbi__get16le(s) != 1) return stbi__errpuc("bad BMP", "bad BMP"); + info->bpp = 
stbi__get16le(s); + if (hsz != 12) { + int compress = stbi__get32le(s); + if (compress == 1 || compress == 2) return stbi__errpuc("BMP RLE", "BMP type not supported: RLE"); + stbi__get32le(s); // discard sizeof + stbi__get32le(s); // discard hres + stbi__get32le(s); // discard vres + stbi__get32le(s); // discard colorsused + stbi__get32le(s); // discard max important + if (hsz == 40 || hsz == 56) { + if (hsz == 56) { + stbi__get32le(s); + stbi__get32le(s); + stbi__get32le(s); + stbi__get32le(s); + } + if (info->bpp == 16 || info->bpp == 32) { + if (compress == 0) { + if (info->bpp == 32) { + info->mr = 0xffu << 16; + info->mg = 0xffu << 8; + info->mb = 0xffu << 0; + info->ma = 0xffu << 24; + info->all_a = 0; // if all_a is 0 at end, then we loaded alpha channel but it was all 0 + } else { + info->mr = 31u << 10; + info->mg = 31u << 5; + info->mb = 31u << 0; + } + } else if (compress == 3) { + info->mr = stbi__get32le(s); + info->mg = stbi__get32le(s); + info->mb = stbi__get32le(s); + info->extra_read += 12; + // not documented, but generated by photoshop and handled by mspaint + if (info->mr == info->mg && info->mg == info->mb) { + // ?!?!? 
+ return stbi__errpuc("bad BMP", "bad BMP"); + } + } else + return stbi__errpuc("bad BMP", "bad BMP"); + } + } else { + int i; + if (hsz != 108 && hsz != 124) + return stbi__errpuc("bad BMP", "bad BMP"); + info->mr = stbi__get32le(s); + info->mg = stbi__get32le(s); + info->mb = stbi__get32le(s); + info->ma = stbi__get32le(s); + stbi__get32le(s); // discard color space + for (i=0; i < 12; ++i) + stbi__get32le(s); // discard color space parameters + if (hsz == 124) { + stbi__get32le(s); // discard rendering intent + stbi__get32le(s); // discard offset of profile data + stbi__get32le(s); // discard size of profile data + stbi__get32le(s); // discard reserved + } + } + } + return (void *) 1; +} + + +static void *stbi__bmp_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri) +{ + stbi_uc *out; + unsigned int mr=0,mg=0,mb=0,ma=0, all_a; + stbi_uc pal[256][4]; + int psize=0,i,j,width; + int flip_vertically, pad, target; + stbi__bmp_data info; + STBI_NOTUSED(ri); + + info.all_a = 255; + if (stbi__bmp_parse_header(s, &info) == NULL) + return NULL; // error code already set + + flip_vertically = ((int) s->img_y) > 0; + s->img_y = abs((int) s->img_y); + + if (s->img_y > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + if (s->img_x > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + + mr = info.mr; + mg = info.mg; + mb = info.mb; + ma = info.ma; + all_a = info.all_a; + + if (info.hsz == 12) { + if (info.bpp < 24) + psize = (info.offset - info.extra_read - 24) / 3; + } else { + if (info.bpp < 16) + psize = (info.offset - info.extra_read - info.hsz) >> 2; + } + if (psize == 0) { + STBI_ASSERT(info.offset == s->callback_already_read + (int) (s->img_buffer - s->img_buffer_original)); + if (info.offset != s->callback_already_read + (s->img_buffer - s->buffer_start)) { + return stbi__errpuc("bad offset", "Corrupt BMP"); + } + } + + if (info.bpp == 24 && ma == 0xff000000) + 
s->img_n = 3; + else + s->img_n = ma ? 4 : 3; + if (req_comp && req_comp >= 3) // we can directly decode 3 or 4 + target = req_comp; + else + target = s->img_n; // if they want monochrome, we'll post-convert + + // sanity-check size + if (!stbi__mad3sizes_valid(target, s->img_x, s->img_y, 0)) + return stbi__errpuc("too large", "Corrupt BMP"); + + out = (stbi_uc *) stbi__malloc_mad3(target, s->img_x, s->img_y, 0); + if (!out) return stbi__errpuc("outofmem", "Out of memory"); + if (info.bpp < 16) { + int z=0; + if (psize == 0 || psize > 256) { STBI_FREE(out); return stbi__errpuc("invalid", "Corrupt BMP"); } + for (i=0; i < psize; ++i) { + pal[i][2] = stbi__get8(s); + pal[i][1] = stbi__get8(s); + pal[i][0] = stbi__get8(s); + if (info.hsz != 12) stbi__get8(s); + pal[i][3] = 255; + } + stbi__skip(s, info.offset - info.extra_read - info.hsz - psize * (info.hsz == 12 ? 3 : 4)); + if (info.bpp == 1) width = (s->img_x + 7) >> 3; + else if (info.bpp == 4) width = (s->img_x + 1) >> 1; + else if (info.bpp == 8) width = s->img_x; + else { STBI_FREE(out); return stbi__errpuc("bad bpp", "Corrupt BMP"); } + pad = (-width)&3; + if (info.bpp == 1) { + for (j=0; j < (int) s->img_y; ++j) { + int bit_offset = 7, v = stbi__get8(s); + for (i=0; i < (int) s->img_x; ++i) { + int color = (v>>bit_offset)&0x1; + out[z++] = pal[color][0]; + out[z++] = pal[color][1]; + out[z++] = pal[color][2]; + if (target == 4) out[z++] = 255; + if (i+1 == (int) s->img_x) break; + if((--bit_offset) < 0) { + bit_offset = 7; + v = stbi__get8(s); + } + } + stbi__skip(s, pad); + } + } else { + for (j=0; j < (int) s->img_y; ++j) { + for (i=0; i < (int) s->img_x; i += 2) { + int v=stbi__get8(s),v2=0; + if (info.bpp == 4) { + v2 = v & 15; + v >>= 4; + } + out[z++] = pal[v][0]; + out[z++] = pal[v][1]; + out[z++] = pal[v][2]; + if (target == 4) out[z++] = 255; + if (i+1 == (int) s->img_x) break; + v = (info.bpp == 8) ? 
stbi__get8(s) : v2; + out[z++] = pal[v][0]; + out[z++] = pal[v][1]; + out[z++] = pal[v][2]; + if (target == 4) out[z++] = 255; + } + stbi__skip(s, pad); + } + } + } else { + int rshift=0,gshift=0,bshift=0,ashift=0,rcount=0,gcount=0,bcount=0,acount=0; + int z = 0; + int easy=0; + stbi__skip(s, info.offset - info.extra_read - info.hsz); + if (info.bpp == 24) width = 3 * s->img_x; + else if (info.bpp == 16) width = 2*s->img_x; + else /* bpp = 32 and pad = 0 */ width=0; + pad = (-width) & 3; + if (info.bpp == 24) { + easy = 1; + } else if (info.bpp == 32) { + if (mb == 0xff && mg == 0xff00 && mr == 0x00ff0000 && ma == 0xff000000) + easy = 2; + } + if (!easy) { + if (!mr || !mg || !mb) { STBI_FREE(out); return stbi__errpuc("bad masks", "Corrupt BMP"); } + // right shift amt to put high bit in position #7 + rshift = stbi__high_bit(mr)-7; rcount = stbi__bitcount(mr); + gshift = stbi__high_bit(mg)-7; gcount = stbi__bitcount(mg); + bshift = stbi__high_bit(mb)-7; bcount = stbi__bitcount(mb); + ashift = stbi__high_bit(ma)-7; acount = stbi__bitcount(ma); + if (rcount > 8 || gcount > 8 || bcount > 8 || acount > 8) { STBI_FREE(out); return stbi__errpuc("bad masks", "Corrupt BMP"); } + } + for (j=0; j < (int) s->img_y; ++j) { + if (easy) { + for (i=0; i < (int) s->img_x; ++i) { + unsigned char a; + out[z+2] = stbi__get8(s); + out[z+1] = stbi__get8(s); + out[z+0] = stbi__get8(s); + z += 3; + a = (easy == 2 ? stbi__get8(s) : 255); + all_a |= a; + if (target == 4) out[z++] = a; + } + } else { + int bpp = info.bpp; + for (i=0; i < (int) s->img_x; ++i) { + stbi__uint32 v = (bpp == 16 ? (stbi__uint32) stbi__get16le(s) : stbi__get32le(s)); + unsigned int a; + out[z++] = STBI__BYTECAST(stbi__shiftsigned(v & mr, rshift, rcount)); + out[z++] = STBI__BYTECAST(stbi__shiftsigned(v & mg, gshift, gcount)); + out[z++] = STBI__BYTECAST(stbi__shiftsigned(v & mb, bshift, bcount)); + a = (ma ? 
stbi__shiftsigned(v & ma, ashift, acount) : 255); + all_a |= a; + if (target == 4) out[z++] = STBI__BYTECAST(a); + } + } + stbi__skip(s, pad); + } + } + + // if alpha channel is all 0s, replace with all 255s + if (target == 4 && all_a == 0) + for (i=4*s->img_x*s->img_y-1; i >= 0; i -= 4) + out[i] = 255; + + if (flip_vertically) { + stbi_uc t; + for (j=0; j < (int) s->img_y>>1; ++j) { + stbi_uc *p1 = out + j *s->img_x*target; + stbi_uc *p2 = out + (s->img_y-1-j)*s->img_x*target; + for (i=0; i < (int) s->img_x*target; ++i) { + t = p1[i]; p1[i] = p2[i]; p2[i] = t; + } + } + } + + if (req_comp && req_comp != target) { + out = stbi__convert_format(out, target, req_comp, s->img_x, s->img_y); + if (out == NULL) return out; // stbi__convert_format frees input on failure + } + + *x = s->img_x; + *y = s->img_y; + if (comp) *comp = s->img_n; + return out; +} +#endif + +// Targa Truevision - TGA +// by Jonathan Dummer +#ifndef STBI_NO_TGA +// returns STBI_rgb or whatever, 0 on error +static int stbi__tga_get_comp(int bits_per_pixel, int is_grey, int* is_rgb16) +{ + // only RGB or RGBA (incl. 
16bit) or grey allowed + if (is_rgb16) *is_rgb16 = 0; + switch(bits_per_pixel) { + case 8: return STBI_grey; + case 16: if(is_grey) return STBI_grey_alpha; + // fallthrough + case 15: if(is_rgb16) *is_rgb16 = 1; + return STBI_rgb; + case 24: // fallthrough + case 32: return bits_per_pixel/8; + default: return 0; + } +} + +static int stbi__tga_info(stbi__context *s, int *x, int *y, int *comp) +{ + int tga_w, tga_h, tga_comp, tga_image_type, tga_bits_per_pixel, tga_colormap_bpp; + int sz, tga_colormap_type; + stbi__get8(s); // discard Offset + tga_colormap_type = stbi__get8(s); // colormap type + if( tga_colormap_type > 1 ) { + stbi__rewind(s); + return 0; // only RGB or indexed allowed + } + tga_image_type = stbi__get8(s); // image type + if ( tga_colormap_type == 1 ) { // colormapped (paletted) image + if (tga_image_type != 1 && tga_image_type != 9) { + stbi__rewind(s); + return 0; + } + stbi__skip(s,4); // skip index of first colormap entry and number of entries + sz = stbi__get8(s); // check bits per palette color entry + if ( (sz != 8) && (sz != 15) && (sz != 16) && (sz != 24) && (sz != 32) ) { + stbi__rewind(s); + return 0; + } + stbi__skip(s,4); // skip image x and y origin + tga_colormap_bpp = sz; + } else { // "normal" image w/o colormap - only RGB or grey allowed, +/- RLE + if ( (tga_image_type != 2) && (tga_image_type != 3) && (tga_image_type != 10) && (tga_image_type != 11) ) { + stbi__rewind(s); + return 0; // only RGB or grey allowed, +/- RLE + } + stbi__skip(s,9); // skip colormap specification and image x/y origin + tga_colormap_bpp = 0; + } + tga_w = stbi__get16le(s); + if( tga_w < 1 ) { + stbi__rewind(s); + return 0; // test width + } + tga_h = stbi__get16le(s); + if( tga_h < 1 ) { + stbi__rewind(s); + return 0; // test height + } + tga_bits_per_pixel = stbi__get8(s); // bits per pixel + stbi__get8(s); // ignore alpha bits + if (tga_colormap_bpp != 0) { + if((tga_bits_per_pixel != 8) && (tga_bits_per_pixel != 16)) { + // when using a colormap, 
tga_bits_per_pixel is the size of the indexes + // I don't think anything but 8 or 16bit indexes makes sense + stbi__rewind(s); + return 0; + } + tga_comp = stbi__tga_get_comp(tga_colormap_bpp, 0, NULL); + } else { + tga_comp = stbi__tga_get_comp(tga_bits_per_pixel, (tga_image_type == 3) || (tga_image_type == 11), NULL); + } + if(!tga_comp) { + stbi__rewind(s); + return 0; + } + if (x) *x = tga_w; + if (y) *y = tga_h; + if (comp) *comp = tga_comp; + return 1; // seems to have passed everything +} + +static int stbi__tga_test(stbi__context *s) +{ + int res = 0; + int sz, tga_color_type; + stbi__get8(s); // discard Offset + tga_color_type = stbi__get8(s); // color type + if ( tga_color_type > 1 ) goto errorEnd; // only RGB or indexed allowed + sz = stbi__get8(s); // image type + if ( tga_color_type == 1 ) { // colormapped (paletted) image + if (sz != 1 && sz != 9) goto errorEnd; // colortype 1 demands image type 1 or 9 + stbi__skip(s,4); // skip index of first colormap entry and number of entries + sz = stbi__get8(s); // check bits per palette color entry + if ( (sz != 8) && (sz != 15) && (sz != 16) && (sz != 24) && (sz != 32) ) goto errorEnd; + stbi__skip(s,4); // skip image x and y origin + } else { // "normal" image w/o colormap + if ( (sz != 2) && (sz != 3) && (sz != 10) && (sz != 11) ) goto errorEnd; // only RGB or grey allowed, +/- RLE + stbi__skip(s,9); // skip colormap specification and image x/y origin + } + if ( stbi__get16le(s) < 1 ) goto errorEnd; // test width + if ( stbi__get16le(s) < 1 ) goto errorEnd; // test height + sz = stbi__get8(s); // bits per pixel + if ( (tga_color_type == 1) && (sz != 8) && (sz != 16) ) goto errorEnd; // for colormapped images, bpp is size of an index + if ( (sz != 8) && (sz != 15) && (sz != 16) && (sz != 24) && (sz != 32) ) goto errorEnd; + + res = 1; // if we got this far, everything's good and we can return 1 instead of 0 + +errorEnd: + stbi__rewind(s); + return res; +} + +// read 16bit value and convert to 24bit RGB 
+static void stbi__tga_read_rgb16(stbi__context *s, stbi_uc* out) +{ + stbi__uint16 px = (stbi__uint16)stbi__get16le(s); + stbi__uint16 fiveBitMask = 31; + // we have 3 channels with 5bits each + int r = (px >> 10) & fiveBitMask; + int g = (px >> 5) & fiveBitMask; + int b = px & fiveBitMask; + // Note that this saves the data in RGB(A) order, so it doesn't need to be swapped later + out[0] = (stbi_uc)((r * 255)/31); + out[1] = (stbi_uc)((g * 255)/31); + out[2] = (stbi_uc)((b * 255)/31); + + // some people claim that the most significant bit might be used for alpha + // (possibly if an alpha-bit is set in the "image descriptor byte") + // but that only made 16bit test images completely translucent.. + // so let's treat all 15 and 16bit TGAs as RGB with no alpha. +} + +static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri) +{ + // read in the TGA header stuff + int tga_offset = stbi__get8(s); + int tga_indexed = stbi__get8(s); + int tga_image_type = stbi__get8(s); + int tga_is_RLE = 0; + int tga_palette_start = stbi__get16le(s); + int tga_palette_len = stbi__get16le(s); + int tga_palette_bits = stbi__get8(s); + int tga_x_origin = stbi__get16le(s); + int tga_y_origin = stbi__get16le(s); + int tga_width = stbi__get16le(s); + int tga_height = stbi__get16le(s); + int tga_bits_per_pixel = stbi__get8(s); + int tga_comp, tga_rgb16=0; + int tga_inverted = stbi__get8(s); + // int tga_alpha_bits = tga_inverted & 15; // the 4 lowest bits - unused (useless?) 
+ // image data + unsigned char *tga_data; + unsigned char *tga_palette = NULL; + int i, j; + unsigned char raw_data[4] = {0}; + int RLE_count = 0; + int RLE_repeating = 0; + int read_next_pixel = 1; + STBI_NOTUSED(ri); + STBI_NOTUSED(tga_x_origin); // @TODO + STBI_NOTUSED(tga_y_origin); // @TODO + + if (tga_height > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + if (tga_width > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + + // do a tiny bit of precessing + if ( tga_image_type >= 8 ) + { + tga_image_type -= 8; + tga_is_RLE = 1; + } + tga_inverted = 1 - ((tga_inverted >> 5) & 1); + + // If I'm paletted, then I'll use the number of bits from the palette + if ( tga_indexed ) tga_comp = stbi__tga_get_comp(tga_palette_bits, 0, &tga_rgb16); + else tga_comp = stbi__tga_get_comp(tga_bits_per_pixel, (tga_image_type == 3), &tga_rgb16); + + if(!tga_comp) // shouldn't really happen, stbi__tga_test() should have ensured basic consistency + return stbi__errpuc("bad format", "Can't find out TGA pixelformat"); + + // tga info + *x = tga_width; + *y = tga_height; + if (comp) *comp = tga_comp; + + if (!stbi__mad3sizes_valid(tga_width, tga_height, tga_comp, 0)) + return stbi__errpuc("too large", "Corrupt TGA"); + + tga_data = (unsigned char*)stbi__malloc_mad3(tga_width, tga_height, tga_comp, 0); + if (!tga_data) return stbi__errpuc("outofmem", "Out of memory"); + + // skip to the data's starting position (offset usually = 0) + stbi__skip(s, tga_offset ); + + if ( !tga_indexed && !tga_is_RLE && !tga_rgb16 ) { + for (i=0; i < tga_height; ++i) { + int row = tga_inverted ? tga_height -i - 1 : i; + stbi_uc *tga_row = tga_data + row*tga_width*tga_comp; + stbi__getn(s, tga_row, tga_width * tga_comp); + } + } else { + // do I need to load a palette? + if ( tga_indexed) + { + if (tga_palette_len == 0) { /* you have to have at least one entry! 
*/ + STBI_FREE(tga_data); + return stbi__errpuc("bad palette", "Corrupt TGA"); + } + + // any data to skip? (offset usually = 0) + stbi__skip(s, tga_palette_start ); + // load the palette + tga_palette = (unsigned char*)stbi__malloc_mad2(tga_palette_len, tga_comp, 0); + if (!tga_palette) { + STBI_FREE(tga_data); + return stbi__errpuc("outofmem", "Out of memory"); + } + if (tga_rgb16) { + stbi_uc *pal_entry = tga_palette; + STBI_ASSERT(tga_comp == STBI_rgb); + for (i=0; i < tga_palette_len; ++i) { + stbi__tga_read_rgb16(s, pal_entry); + pal_entry += tga_comp; + } + } else if (!stbi__getn(s, tga_palette, tga_palette_len * tga_comp)) { + STBI_FREE(tga_data); + STBI_FREE(tga_palette); + return stbi__errpuc("bad palette", "Corrupt TGA"); + } + } + // load the data + for (i=0; i < tga_width * tga_height; ++i) + { + // if I'm in RLE mode, do I need to get a RLE stbi__pngchunk? + if ( tga_is_RLE ) + { + if ( RLE_count == 0 ) + { + // yep, get the next byte as a RLE command + int RLE_cmd = stbi__get8(s); + RLE_count = 1 + (RLE_cmd & 127); + RLE_repeating = RLE_cmd >> 7; + read_next_pixel = 1; + } else if ( !RLE_repeating ) + { + read_next_pixel = 1; + } + } else + { + read_next_pixel = 1; + } + // OK, if I need to read a pixel, do it now + if ( read_next_pixel ) + { + // load however much data we did have + if ( tga_indexed ) + { + // read in index, then perform the lookup + int pal_idx = (tga_bits_per_pixel == 8) ? 
stbi__get8(s) : stbi__get16le(s); + if ( pal_idx >= tga_palette_len ) { + // invalid index + pal_idx = 0; + } + pal_idx *= tga_comp; + for (j = 0; j < tga_comp; ++j) { + raw_data[j] = tga_palette[pal_idx+j]; + } + } else if(tga_rgb16) { + STBI_ASSERT(tga_comp == STBI_rgb); + stbi__tga_read_rgb16(s, raw_data); + } else { + // read in the data raw + for (j = 0; j < tga_comp; ++j) { + raw_data[j] = stbi__get8(s); + } + } + // clear the reading flag for the next pixel + read_next_pixel = 0; + } // end of reading a pixel + + // copy data + for (j = 0; j < tga_comp; ++j) + tga_data[i*tga_comp+j] = raw_data[j]; + + // in case we're in RLE mode, keep counting down + --RLE_count; + } + // do I need to invert the image? + if ( tga_inverted ) + { + for (j = 0; j*2 < tga_height; ++j) + { + int index1 = j * tga_width * tga_comp; + int index2 = (tga_height - 1 - j) * tga_width * tga_comp; + for (i = tga_width * tga_comp; i > 0; --i) + { + unsigned char temp = tga_data[index1]; + tga_data[index1] = tga_data[index2]; + tga_data[index2] = temp; + ++index1; + ++index2; + } + } + } + // clear my palette, if I had one + if ( tga_palette != NULL ) + { + STBI_FREE( tga_palette ); + } + } + + // swap RGB - if the source data was RGB16, it already is in the right order + if (tga_comp >= 3 && !tga_rgb16) + { + unsigned char* tga_pixel = tga_data; + for (i=0; i < tga_width * tga_height; ++i) + { + unsigned char temp = tga_pixel[0]; + tga_pixel[0] = tga_pixel[2]; + tga_pixel[2] = temp; + tga_pixel += tga_comp; + } + } + + // convert to target component count + if (req_comp && req_comp != tga_comp) + tga_data = stbi__convert_format(tga_data, tga_comp, req_comp, tga_width, tga_height); + + // the things I do to get rid of an error message, and yet keep + // Microsoft's C compilers happy... 
[8^( + tga_palette_start = tga_palette_len = tga_palette_bits = + tga_x_origin = tga_y_origin = 0; + STBI_NOTUSED(tga_palette_start); + // OK, done + return tga_data; +} +#endif + +// ************************************************************************************************* +// Photoshop PSD loader -- PD by Thatcher Ulrich, integration by Nicolas Schulz, tweaked by STB + +#ifndef STBI_NO_PSD +static int stbi__psd_test(stbi__context *s) +{ + int r = (stbi__get32be(s) == 0x38425053); + stbi__rewind(s); + return r; +} + +static int stbi__psd_decode_rle(stbi__context *s, stbi_uc *p, int pixelCount) +{ + int count, nleft, len; + + count = 0; + while ((nleft = pixelCount - count) > 0) { + len = stbi__get8(s); + if (len == 128) { + // No-op. + } else if (len < 128) { + // Copy next len+1 bytes literally. + len++; + if (len > nleft) return 0; // corrupt data + count += len; + while (len) { + *p = stbi__get8(s); + p += 4; + len--; + } + } else if (len > 128) { + stbi_uc val; + // Next -len+1 bytes in the dest are replicated from next source byte. + // (Interpret len as a negative 8-bit int.) + len = 257 - len; + if (len > nleft) return 0; // corrupt data + val = stbi__get8(s); + count += len; + while (len) { + *p = val; + p += 4; + len--; + } + } + } + + return 1; +} + +static void *stbi__psd_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri, int bpc) +{ + int pixelCount; + int channelCount, compression; + int channel, i; + int bitdepth; + int w,h; + stbi_uc *out; + STBI_NOTUSED(ri); + + // Check identifier + if (stbi__get32be(s) != 0x38425053) // "8BPS" + return stbi__errpuc("not PSD", "Corrupt PSD image"); + + // Check file type version. + if (stbi__get16be(s) != 1) + return stbi__errpuc("wrong version", "Unsupported version of PSD image"); + + // Skip 6 reserved bytes. + stbi__skip(s, 6 ); + + // Read the number of channels (R, G, B, A, etc). 
+ channelCount = stbi__get16be(s); + if (channelCount < 0 || channelCount > 16) + return stbi__errpuc("wrong channel count", "Unsupported number of channels in PSD image"); + + // Read the rows and columns of the image. + h = stbi__get32be(s); + w = stbi__get32be(s); + + if (h > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + if (w > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + + // Make sure the depth is 8 bits. + bitdepth = stbi__get16be(s); + if (bitdepth != 8 && bitdepth != 16) + return stbi__errpuc("unsupported bit depth", "PSD bit depth is not 8 or 16 bit"); + + // Make sure the color mode is RGB. + // Valid options are: + // 0: Bitmap + // 1: Grayscale + // 2: Indexed color + // 3: RGB color + // 4: CMYK color + // 7: Multichannel + // 8: Duotone + // 9: Lab color + if (stbi__get16be(s) != 3) + return stbi__errpuc("wrong color format", "PSD is not in RGB color format"); + + // Skip the Mode Data. (It's the palette for indexed color; other info for other modes.) + stbi__skip(s,stbi__get32be(s) ); + + // Skip the image resources. (resolution, pen tool paths, etc) + stbi__skip(s, stbi__get32be(s) ); + + // Skip the reserved data. + stbi__skip(s, stbi__get32be(s) ); + + // Find out if the data is compressed. + // Known values: + // 0: no compression + // 1: RLE compressed + compression = stbi__get16be(s); + if (compression > 1) + return stbi__errpuc("bad compression", "PSD has an unknown compression format"); + + // Check size + if (!stbi__mad3sizes_valid(4, w, h, 0)) + return stbi__errpuc("too large", "Corrupt PSD"); + + // Create the destination image. + + if (!compression && bitdepth == 16 && bpc == 16) { + out = (stbi_uc *) stbi__malloc_mad3(8, w, h, 0); + ri->bits_per_channel = 16; + } else + out = (stbi_uc *) stbi__malloc(4 * w*h); + + if (!out) return stbi__errpuc("outofmem", "Out of memory"); + pixelCount = w*h; + + // Initialize the data to zero. 
+ //memset( out, 0, pixelCount * 4 ); + + // Finally, the image data. + if (compression) { + // RLE as used by .PSD and .TIFF + // Loop until you get the number of unpacked bytes you are expecting: + // Read the next source byte into n. + // If n is between 0 and 127 inclusive, copy the next n+1 bytes literally. + // Else if n is between -127 and -1 inclusive, copy the next byte -n+1 times. + // Else if n is 128, noop. + // Endloop + + // The RLE-compressed data is preceded by a 2-byte data count for each row in the data, + // which we're going to just skip. + stbi__skip(s, h * channelCount * 2 ); + + // Read the RLE data by channel. + for (channel = 0; channel < 4; channel++) { + stbi_uc *p; + + p = out+channel; + if (channel >= channelCount) { + // Fill this channel with default data. + for (i = 0; i < pixelCount; i++, p += 4) + *p = (channel == 3 ? 255 : 0); + } else { + // Read the RLE data. + if (!stbi__psd_decode_rle(s, p, pixelCount)) { + STBI_FREE(out); + return stbi__errpuc("corrupt", "bad RLE data"); + } + } + } + + } else { + // We're at the raw image data. It's each channel in order (Red, Green, Blue, Alpha, ...) + // where each channel consists of an 8-bit (or 16-bit) value for each pixel in the image. + + // Read the data by channel. + for (channel = 0; channel < 4; channel++) { + if (channel >= channelCount) { + // Fill this channel with default data. + if (bitdepth == 16 && bpc == 16) { + stbi__uint16 *q = ((stbi__uint16 *) out) + channel; + stbi__uint16 val = channel == 3 ? 65535 : 0; + for (i = 0; i < pixelCount; i++, q += 4) + *q = val; + } else { + stbi_uc *p = out+channel; + stbi_uc val = channel == 3 ? 
255 : 0; + for (i = 0; i < pixelCount; i++, p += 4) + *p = val; + } + } else { + if (ri->bits_per_channel == 16) { // output bpc + stbi__uint16 *q = ((stbi__uint16 *) out) + channel; + for (i = 0; i < pixelCount; i++, q += 4) + *q = (stbi__uint16) stbi__get16be(s); + } else { + stbi_uc *p = out+channel; + if (bitdepth == 16) { // input bpc + for (i = 0; i < pixelCount; i++, p += 4) + *p = (stbi_uc) (stbi__get16be(s) >> 8); + } else { + for (i = 0; i < pixelCount; i++, p += 4) + *p = stbi__get8(s); + } + } + } + } + } + + // remove weird white matte from PSD + if (channelCount >= 4) { + if (ri->bits_per_channel == 16) { + for (i=0; i < w*h; ++i) { + stbi__uint16 *pixel = (stbi__uint16 *) out + 4*i; + if (pixel[3] != 0 && pixel[3] != 65535) { + float a = pixel[3] / 65535.0f; + float ra = 1.0f / a; + float inv_a = 65535.0f * (1 - ra); + pixel[0] = (stbi__uint16) (pixel[0]*ra + inv_a); + pixel[1] = (stbi__uint16) (pixel[1]*ra + inv_a); + pixel[2] = (stbi__uint16) (pixel[2]*ra + inv_a); + } + } + } else { + for (i=0; i < w*h; ++i) { + unsigned char *pixel = out + 4*i; + if (pixel[3] != 0 && pixel[3] != 255) { + float a = pixel[3] / 255.0f; + float ra = 1.0f / a; + float inv_a = 255.0f * (1 - ra); + pixel[0] = (unsigned char) (pixel[0]*ra + inv_a); + pixel[1] = (unsigned char) (pixel[1]*ra + inv_a); + pixel[2] = (unsigned char) (pixel[2]*ra + inv_a); + } + } + } + } + + // convert to desired output format + if (req_comp && req_comp != 4) { + if (ri->bits_per_channel == 16) + out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, 4, req_comp, w, h); + else + out = stbi__convert_format(out, 4, req_comp, w, h); + if (out == NULL) return out; // stbi__convert_format frees input on failure + } + + if (comp) *comp = 4; + *y = h; + *x = w; + + return out; +} +#endif + +// ************************************************************************************************* +// Softimage PIC loader +// by Tom Seddon +// +// See 
http://softimage.wiki.softimage.com/index.php/INFO:_PIC_file_format +// See http://ozviz.wasp.uwa.edu.au/~pbourke/dataformats/softimagepic/ + +#ifndef STBI_NO_PIC +static int stbi__pic_is4(stbi__context *s,const char *str) +{ + int i; + for (i=0; i<4; ++i) + if (stbi__get8(s) != (stbi_uc)str[i]) + return 0; + + return 1; +} + +static int stbi__pic_test_core(stbi__context *s) +{ + int i; + + if (!stbi__pic_is4(s,"\x53\x80\xF6\x34")) + return 0; + + for(i=0;i<84;++i) + stbi__get8(s); + + if (!stbi__pic_is4(s,"PICT")) + return 0; + + return 1; +} + +typedef struct +{ + stbi_uc size,type,channel; +} stbi__pic_packet; + +static stbi_uc *stbi__readval(stbi__context *s, int channel, stbi_uc *dest) +{ + int mask=0x80, i; + + for (i=0; i<4; ++i, mask>>=1) { + if (channel & mask) { + if (stbi__at_eof(s)) return stbi__errpuc("bad file","PIC file too short"); + dest[i]=stbi__get8(s); + } + } + + return dest; +} + +static void stbi__copyval(int channel,stbi_uc *dest,const stbi_uc *src) +{ + int mask=0x80,i; + + for (i=0;i<4; ++i, mask>>=1) + if (channel&mask) + dest[i]=src[i]; +} + +static stbi_uc *stbi__pic_load_core(stbi__context *s,int width,int height,int *comp, stbi_uc *result) +{ + int act_comp=0,num_packets=0,y,chained; + stbi__pic_packet packets[10]; + + // this will (should...) cater for even some bizarre stuff like having data + // for the same channel in multiple packets. + do { + stbi__pic_packet *packet; + + if (num_packets==sizeof(packets)/sizeof(packets[0])) + return stbi__errpuc("bad format","too many packets"); + + packet = &packets[num_packets++]; + + chained = stbi__get8(s); + packet->size = stbi__get8(s); + packet->type = stbi__get8(s); + packet->channel = stbi__get8(s); + + act_comp |= packet->channel; + + if (stbi__at_eof(s)) return stbi__errpuc("bad file","file too short (reading packets)"); + if (packet->size != 8) return stbi__errpuc("bad format","packet isn't 8bpp"); + } while (chained); + + *comp = (act_comp & 0x10 ? 4 : 3); // has alpha channel? 
+ + for(y=0; ytype) { + default: + return stbi__errpuc("bad format","packet has bad compression type"); + + case 0: {//uncompressed + int x; + + for(x=0;xchannel,dest)) + return 0; + break; + } + + case 1://Pure RLE + { + int left=width, i; + + while (left>0) { + stbi_uc count,value[4]; + + count=stbi__get8(s); + if (stbi__at_eof(s)) return stbi__errpuc("bad file","file too short (pure read count)"); + + if (count > left) + count = (stbi_uc) left; + + if (!stbi__readval(s,packet->channel,value)) return 0; + + for(i=0; ichannel,dest,value); + left -= count; + } + } + break; + + case 2: {//Mixed RLE + int left=width; + while (left>0) { + int count = stbi__get8(s), i; + if (stbi__at_eof(s)) return stbi__errpuc("bad file","file too short (mixed read count)"); + + if (count >= 128) { // Repeated + stbi_uc value[4]; + + if (count==128) + count = stbi__get16be(s); + else + count -= 127; + if (count > left) + return stbi__errpuc("bad file","scanline overrun"); + + if (!stbi__readval(s,packet->channel,value)) + return 0; + + for(i=0;ichannel,dest,value); + } else { // Raw + ++count; + if (count>left) return stbi__errpuc("bad file","scanline overrun"); + + for(i=0;ichannel,dest)) + return 0; + } + left-=count; + } + break; + } + } + } + } + + return result; +} + +static void *stbi__pic_load(stbi__context *s,int *px,int *py,int *comp,int req_comp, stbi__result_info *ri) +{ + stbi_uc *result; + int i, x,y, internal_comp; + STBI_NOTUSED(ri); + + if (!comp) comp = &internal_comp; + + for (i=0; i<92; ++i) + stbi__get8(s); + + x = stbi__get16be(s); + y = stbi__get16be(s); + + if (y > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + if (x > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + + if (stbi__at_eof(s)) return stbi__errpuc("bad file","file too short (pic header)"); + if (!stbi__mad3sizes_valid(x, y, 4, 0)) return stbi__errpuc("too large", "PIC image too large to decode"); + + stbi__get32be(s); 
//skip `ratio' + stbi__get16be(s); //skip `fields' + stbi__get16be(s); //skip `pad' + + // intermediate buffer is RGBA + result = (stbi_uc *) stbi__malloc_mad3(x, y, 4, 0); + memset(result, 0xff, x*y*4); + + if (!stbi__pic_load_core(s,x,y,comp, result)) { + STBI_FREE(result); + result=0; + } + *px = x; + *py = y; + if (req_comp == 0) req_comp = *comp; + result=stbi__convert_format(result,4,req_comp,x,y); + + return result; +} + +static int stbi__pic_test(stbi__context *s) +{ + int r = stbi__pic_test_core(s); + stbi__rewind(s); + return r; +} +#endif + +// ************************************************************************************************* +// GIF loader -- public domain by Jean-Marc Lienher -- simplified/shrunk by stb + +#ifndef STBI_NO_GIF +typedef struct +{ + stbi__int16 prefix; + stbi_uc first; + stbi_uc suffix; +} stbi__gif_lzw; + +typedef struct +{ + int w,h; + stbi_uc *out; // output buffer (always 4 components) + stbi_uc *background; // The current "background" as far as a gif is concerned + stbi_uc *history; + int flags, bgindex, ratio, transparent, eflags; + stbi_uc pal[256][4]; + stbi_uc lpal[256][4]; + stbi__gif_lzw codes[8192]; + stbi_uc *color_table; + int parse, step; + int lflags; + int start_x, start_y; + int max_x, max_y; + int cur_x, cur_y; + int line_size; + int delay; +} stbi__gif; + +static int stbi__gif_test_raw(stbi__context *s) +{ + int sz; + if (stbi__get8(s) != 'G' || stbi__get8(s) != 'I' || stbi__get8(s) != 'F' || stbi__get8(s) != '8') return 0; + sz = stbi__get8(s); + if (sz != '9' && sz != '7') return 0; + if (stbi__get8(s) != 'a') return 0; + return 1; +} + +static int stbi__gif_test(stbi__context *s) +{ + int r = stbi__gif_test_raw(s); + stbi__rewind(s); + return r; +} + +static void stbi__gif_parse_colortable(stbi__context *s, stbi_uc pal[256][4], int num_entries, int transp) +{ + int i; + for (i=0; i < num_entries; ++i) { + pal[i][2] = stbi__get8(s); + pal[i][1] = stbi__get8(s); + pal[i][0] = stbi__get8(s); + pal[i][3] 
= transp == i ? 0 : 255; + } +} + +static int stbi__gif_header(stbi__context *s, stbi__gif *g, int *comp, int is_info) +{ + stbi_uc version; + if (stbi__get8(s) != 'G' || stbi__get8(s) != 'I' || stbi__get8(s) != 'F' || stbi__get8(s) != '8') + return stbi__err("not GIF", "Corrupt GIF"); + + version = stbi__get8(s); + if (version != '7' && version != '9') return stbi__err("not GIF", "Corrupt GIF"); + if (stbi__get8(s) != 'a') return stbi__err("not GIF", "Corrupt GIF"); + + stbi__g_failure_reason = ""; + g->w = stbi__get16le(s); + g->h = stbi__get16le(s); + g->flags = stbi__get8(s); + g->bgindex = stbi__get8(s); + g->ratio = stbi__get8(s); + g->transparent = -1; + + if (g->w > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)"); + if (g->h > STBI_MAX_DIMENSIONS) return stbi__err("too large","Very large image (corrupt?)"); + + if (comp != 0) *comp = 4; // can't actually tell whether it's 3 or 4 until we parse the comments + + if (is_info) return 1; + + if (g->flags & 0x80) + stbi__gif_parse_colortable(s,g->pal, 2 << (g->flags & 7), -1); + + return 1; +} + +static int stbi__gif_info_raw(stbi__context *s, int *x, int *y, int *comp) +{ + stbi__gif* g = (stbi__gif*) stbi__malloc(sizeof(stbi__gif)); + if (!stbi__gif_header(s, g, comp, 1)) { + STBI_FREE(g); + stbi__rewind( s ); + return 0; + } + if (x) *x = g->w; + if (y) *y = g->h; + STBI_FREE(g); + return 1; +} + +static void stbi__out_gif_code(stbi__gif *g, stbi__uint16 code) +{ + stbi_uc *p, *c; + int idx; + + // recurse to decode the prefixes, since the linked-list is backwards, + // and working backwards through an interleaved image would be nasty + if (g->codes[code].prefix >= 0) + stbi__out_gif_code(g, g->codes[code].prefix); + + if (g->cur_y >= g->max_y) return; + + idx = g->cur_x + g->cur_y; + p = &g->out[idx]; + g->history[idx / 4] = 1; + + c = &g->color_table[g->codes[code].suffix * 4]; + if (c[3] > 128) { // don't render transparent pixels; + p[0] = c[2]; + p[1] = c[1]; + p[2] = 
c[0]; + p[3] = c[3]; + } + g->cur_x += 4; + + if (g->cur_x >= g->max_x) { + g->cur_x = g->start_x; + g->cur_y += g->step; + + while (g->cur_y >= g->max_y && g->parse > 0) { + g->step = (1 << g->parse) * g->line_size; + g->cur_y = g->start_y + (g->step >> 1); + --g->parse; + } + } +} + +static stbi_uc *stbi__process_gif_raster(stbi__context *s, stbi__gif *g) +{ + stbi_uc lzw_cs; + stbi__int32 len, init_code; + stbi__uint32 first; + stbi__int32 codesize, codemask, avail, oldcode, bits, valid_bits, clear; + stbi__gif_lzw *p; + + lzw_cs = stbi__get8(s); + if (lzw_cs > 12) return NULL; + clear = 1 << lzw_cs; + first = 1; + codesize = lzw_cs + 1; + codemask = (1 << codesize) - 1; + bits = 0; + valid_bits = 0; + for (init_code = 0; init_code < clear; init_code++) { + g->codes[init_code].prefix = -1; + g->codes[init_code].first = (stbi_uc) init_code; + g->codes[init_code].suffix = (stbi_uc) init_code; + } + + // support no starting clear code + avail = clear+2; + oldcode = -1; + + len = 0; + for(;;) { + if (valid_bits < codesize) { + if (len == 0) { + len = stbi__get8(s); // start new block + if (len == 0) + return g->out; + } + --len; + bits |= (stbi__int32) stbi__get8(s) << valid_bits; + valid_bits += 8; + } else { + stbi__int32 code = bits & codemask; + bits >>= codesize; + valid_bits -= codesize; + // @OPTIMIZE: is there some way we can accelerate the non-clear path? 
+ if (code == clear) { // clear code + codesize = lzw_cs + 1; + codemask = (1 << codesize) - 1; + avail = clear + 2; + oldcode = -1; + first = 0; + } else if (code == clear + 1) { // end of stream code + stbi__skip(s, len); + while ((len = stbi__get8(s)) > 0) + stbi__skip(s,len); + return g->out; + } else if (code <= avail) { + if (first) { + return stbi__errpuc("no clear code", "Corrupt GIF"); + } + + if (oldcode >= 0) { + p = &g->codes[avail++]; + if (avail > 8192) { + return stbi__errpuc("too many codes", "Corrupt GIF"); + } + + p->prefix = (stbi__int16) oldcode; + p->first = g->codes[oldcode].first; + p->suffix = (code == avail) ? p->first : g->codes[code].first; + } else if (code == avail) + return stbi__errpuc("illegal code in raster", "Corrupt GIF"); + + stbi__out_gif_code(g, (stbi__uint16) code); + + if ((avail & codemask) == 0 && avail <= 0x0FFF) { + codesize++; + codemask = (1 << codesize) - 1; + } + + oldcode = code; + } else { + return stbi__errpuc("illegal code in raster", "Corrupt GIF"); + } + } + } +} + +// this function is designed to support animated gifs, although stb_image doesn't support it +// two back is the image from two frames ago, used for a very specific disposal format +static stbi_uc *stbi__gif_load_next(stbi__context *s, stbi__gif *g, int *comp, int req_comp, stbi_uc *two_back) +{ + int dispose; + int first_frame; + int pi; + int pcount; + STBI_NOTUSED(req_comp); + + // on first frame, any non-written pixels get the background colour (non-transparent) + first_frame = 0; + if (g->out == 0) { + if (!stbi__gif_header(s, g, comp,0)) return 0; // stbi__g_failure_reason set by stbi__gif_header + if (!stbi__mad3sizes_valid(4, g->w, g->h, 0)) + return stbi__errpuc("too large", "GIF image is too large"); + pcount = g->w * g->h; + g->out = (stbi_uc *) stbi__malloc(4 * pcount); + g->background = (stbi_uc *) stbi__malloc(4 * pcount); + g->history = (stbi_uc *) stbi__malloc(pcount); + if (!g->out || !g->background || !g->history) + return 
stbi__errpuc("outofmem", "Out of memory"); + + // image is treated as "transparent" at the start - ie, nothing overwrites the current background; + // background colour is only used for pixels that are not rendered first frame, after that "background" + // color refers to the color that was there the previous frame. + memset(g->out, 0x00, 4 * pcount); + memset(g->background, 0x00, 4 * pcount); // state of the background (starts transparent) + memset(g->history, 0x00, pcount); // pixels that were affected previous frame + first_frame = 1; + } else { + // second frame - how do we dispose of the previous one? + dispose = (g->eflags & 0x1C) >> 2; + pcount = g->w * g->h; + + if ((dispose == 3) && (two_back == 0)) { + dispose = 2; // if I don't have an image to revert back to, default to the old background + } + + if (dispose == 3) { // use previous graphic + for (pi = 0; pi < pcount; ++pi) { + if (g->history[pi]) { + memcpy( &g->out[pi * 4], &two_back[pi * 4], 4 ); + } + } + } else if (dispose == 2) { + // restore what was changed last frame to background before that frame; + for (pi = 0; pi < pcount; ++pi) { + if (g->history[pi]) { + memcpy( &g->out[pi * 4], &g->background[pi * 4], 4 ); + } + } + } else { + // This is a non-disposal case eithe way, so just + // leave the pixels as is, and they will become the new background + // 1: do not dispose + // 0: not specified. 
+ } + + // background is what out is after the undoing of the previou frame; + memcpy( g->background, g->out, 4 * g->w * g->h ); + } + + // clear my history; + memset( g->history, 0x00, g->w * g->h ); // pixels that were affected previous frame + + for (;;) { + int tag = stbi__get8(s); + switch (tag) { + case 0x2C: /* Image Descriptor */ + { + stbi__int32 x, y, w, h; + stbi_uc *o; + + x = stbi__get16le(s); + y = stbi__get16le(s); + w = stbi__get16le(s); + h = stbi__get16le(s); + if (((x + w) > (g->w)) || ((y + h) > (g->h))) + return stbi__errpuc("bad Image Descriptor", "Corrupt GIF"); + + g->line_size = g->w * 4; + g->start_x = x * 4; + g->start_y = y * g->line_size; + g->max_x = g->start_x + w * 4; + g->max_y = g->start_y + h * g->line_size; + g->cur_x = g->start_x; + g->cur_y = g->start_y; + + // if the width of the specified rectangle is 0, that means + // we may not see *any* pixels or the image is malformed; + // to make sure this is caught, move the current y down to + // max_y (which is what out_gif_code checks). + if (w == 0) + g->cur_y = g->max_y; + + g->lflags = stbi__get8(s); + + if (g->lflags & 0x40) { + g->step = 8 * g->line_size; // first interlaced spacing + g->parse = 3; + } else { + g->step = g->line_size; + g->parse = 0; + } + + if (g->lflags & 0x80) { + stbi__gif_parse_colortable(s,g->lpal, 2 << (g->lflags & 7), g->eflags & 0x01 ? 
g->transparent : -1); + g->color_table = (stbi_uc *) g->lpal; + } else if (g->flags & 0x80) { + g->color_table = (stbi_uc *) g->pal; + } else + return stbi__errpuc("missing color table", "Corrupt GIF"); + + o = stbi__process_gif_raster(s, g); + if (!o) return NULL; + + // if this was the first frame, + pcount = g->w * g->h; + if (first_frame && (g->bgindex > 0)) { + // if first frame, any pixel not drawn to gets the background color + for (pi = 0; pi < pcount; ++pi) { + if (g->history[pi] == 0) { + g->pal[g->bgindex][3] = 255; // just in case it was made transparent, undo that; It will be reset next frame if need be; + memcpy( &g->out[pi * 4], &g->pal[g->bgindex], 4 ); + } + } + } + + return o; + } + + case 0x21: // Comment Extension. + { + int len; + int ext = stbi__get8(s); + if (ext == 0xF9) { // Graphic Control Extension. + len = stbi__get8(s); + if (len == 4) { + g->eflags = stbi__get8(s); + g->delay = 10 * stbi__get16le(s); // delay - 1/100th of a second, saving as 1/1000ths. + + // unset old transparent + if (g->transparent >= 0) { + g->pal[g->transparent][3] = 255; + } + if (g->eflags & 0x01) { + g->transparent = stbi__get8(s); + if (g->transparent >= 0) { + g->pal[g->transparent][3] = 0; + } + } else { + // don't need transparent + stbi__skip(s, 1); + g->transparent = -1; + } + } else { + stbi__skip(s, len); + break; + } + } + while ((len = stbi__get8(s)) != 0) { + stbi__skip(s, len); + } + break; + } + + case 0x3B: // gif stream termination code + return (stbi_uc *) s; // using '1' causes warning on some compilers + + default: + return stbi__errpuc("unknown code", "Corrupt GIF"); + } + } +} + +static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y, int *z, int *comp, int req_comp) +{ + if (stbi__gif_test(s)) { + int layers = 0; + stbi_uc *u = 0; + stbi_uc *out = 0; + stbi_uc *two_back = 0; + stbi__gif g; + int stride; + int out_size = 0; + int delays_size = 0; + memset(&g, 0, sizeof(g)); + if (delays) { + *delays = 0; + } + + do { 
+ u = stbi__gif_load_next(s, &g, comp, req_comp, two_back); + if (u == (stbi_uc *) s) u = 0; // end of animated gif marker + + if (u) { + *x = g.w; + *y = g.h; + ++layers; + stride = g.w * g.h * 4; + + if (out) { + void *tmp = (stbi_uc*) STBI_REALLOC_SIZED( out, out_size, layers * stride ); + if (NULL == tmp) { + STBI_FREE(g.out); + STBI_FREE(g.history); + STBI_FREE(g.background); + return stbi__errpuc("outofmem", "Out of memory"); + } + else { + out = (stbi_uc*) tmp; + out_size = layers * stride; + } + + if (delays) { + *delays = (int*) STBI_REALLOC_SIZED( *delays, delays_size, sizeof(int) * layers ); + delays_size = layers * sizeof(int); + } + } else { + out = (stbi_uc*)stbi__malloc( layers * stride ); + out_size = layers * stride; + if (delays) { + *delays = (int*) stbi__malloc( layers * sizeof(int) ); + delays_size = layers * sizeof(int); + } + } + memcpy( out + ((layers - 1) * stride), u, stride ); + if (layers >= 2) { + two_back = out - 2 * stride; + } + + if (delays) { + (*delays)[layers - 1U] = g.delay; + } + } + } while (u != 0); + + // free temp buffer; + STBI_FREE(g.out); + STBI_FREE(g.history); + STBI_FREE(g.background); + + // do the final conversion after loading everything; + if (req_comp && req_comp != 4) + out = stbi__convert_format(out, 4, req_comp, layers * g.w, g.h); + + *z = layers; + return out; + } else { + return stbi__errpuc("not GIF", "Image was not as a gif type."); + } +} + +static void *stbi__gif_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri) +{ + stbi_uc *u = 0; + stbi__gif g; + memset(&g, 0, sizeof(g)); + STBI_NOTUSED(ri); + + u = stbi__gif_load_next(s, &g, comp, req_comp, 0); + if (u == (stbi_uc *) s) u = 0; // end of animated gif marker + if (u) { + *x = g.w; + *y = g.h; + + // moved conversion to after successful load so that the same + // can be done for multiple frames. 
+ if (req_comp && req_comp != 4) + u = stbi__convert_format(u, 4, req_comp, g.w, g.h); + } else if (g.out) { + // if there was an error and we allocated an image buffer, free it! + STBI_FREE(g.out); + } + + // free buffers needed for multiple frame loading; + STBI_FREE(g.history); + STBI_FREE(g.background); + + return u; +} + +static int stbi__gif_info(stbi__context *s, int *x, int *y, int *comp) +{ + return stbi__gif_info_raw(s,x,y,comp); +} +#endif + +// ************************************************************************************************* +// Radiance RGBE HDR loader +// originally by Nicolas Schulz +#ifndef STBI_NO_HDR +static int stbi__hdr_test_core(stbi__context *s, const char *signature) +{ + int i; + for (i=0; signature[i]; ++i) + if (stbi__get8(s) != signature[i]) + return 0; + stbi__rewind(s); + return 1; +} + +static int stbi__hdr_test(stbi__context* s) +{ + int r = stbi__hdr_test_core(s, "#?RADIANCE\n"); + stbi__rewind(s); + if(!r) { + r = stbi__hdr_test_core(s, "#?RGBE\n"); + stbi__rewind(s); + } + return r; +} + +#define STBI__HDR_BUFLEN 1024 +static char *stbi__hdr_gettoken(stbi__context *z, char *buffer) +{ + int len=0; + char c = '\0'; + + c = (char) stbi__get8(z); + + while (!stbi__at_eof(z) && c != '\n') { + buffer[len++] = c; + if (len == STBI__HDR_BUFLEN-1) { + // flush to end of line + while (!stbi__at_eof(z) && stbi__get8(z) != '\n') + ; + break; + } + c = (char) stbi__get8(z); + } + + buffer[len] = 0; + return buffer; +} + +static void stbi__hdr_convert(float *output, stbi_uc *input, int req_comp) +{ + if ( input[3] != 0 ) { + float f1; + // Exponent + f1 = (float) ldexp(1.0f, input[3] - (int)(128 + 8)); + if (req_comp <= 2) + output[0] = (input[0] + input[1] + input[2]) * f1 / 3; + else { + output[0] = input[0] * f1; + output[1] = input[1] * f1; + output[2] = input[2] * f1; + } + if (req_comp == 2) output[1] = 1; + if (req_comp == 4) output[3] = 1; + } else { + switch (req_comp) { + case 4: output[3] = 1; /* fallthrough */ + case 
3: output[0] = output[1] = output[2] = 0; + break; + case 2: output[1] = 1; /* fallthrough */ + case 1: output[0] = 0; + break; + } + } +} + +static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri) +{ + char buffer[STBI__HDR_BUFLEN]; + char *token; + int valid = 0; + int width, height; + stbi_uc *scanline; + float *hdr_data; + int len; + unsigned char count, value; + int i, j, k, c1,c2, z; + const char *headerToken; + STBI_NOTUSED(ri); + + // Check identifier + headerToken = stbi__hdr_gettoken(s,buffer); + if (strcmp(headerToken, "#?RADIANCE") != 0 && strcmp(headerToken, "#?RGBE") != 0) + return stbi__errpf("not HDR", "Corrupt HDR image"); + + // Parse header + for(;;) { + token = stbi__hdr_gettoken(s,buffer); + if (token[0] == 0) break; + if (strcmp(token, "FORMAT=32-bit_rle_rgbe") == 0) valid = 1; + } + + if (!valid) return stbi__errpf("unsupported format", "Unsupported HDR format"); + + // Parse width and height + // can't use sscanf() if we're not using stdio! 
+ token = stbi__hdr_gettoken(s,buffer); + if (strncmp(token, "-Y ", 3)) return stbi__errpf("unsupported data layout", "Unsupported HDR format"); + token += 3; + height = (int) strtol(token, &token, 10); + while (*token == ' ') ++token; + if (strncmp(token, "+X ", 3)) return stbi__errpf("unsupported data layout", "Unsupported HDR format"); + token += 3; + width = (int) strtol(token, NULL, 10); + + if (height > STBI_MAX_DIMENSIONS) return stbi__errpf("too large","Very large image (corrupt?)"); + if (width > STBI_MAX_DIMENSIONS) return stbi__errpf("too large","Very large image (corrupt?)"); + + *x = width; + *y = height; + + if (comp) *comp = 3; + if (req_comp == 0) req_comp = 3; + + if (!stbi__mad4sizes_valid(width, height, req_comp, sizeof(float), 0)) + return stbi__errpf("too large", "HDR image is too large"); + + // Read data + hdr_data = (float *) stbi__malloc_mad4(width, height, req_comp, sizeof(float), 0); + if (!hdr_data) + return stbi__errpf("outofmem", "Out of memory"); + + // Load image data + // image data is stored as some number of sca + if ( width < 8 || width >= 32768) { + // Read flat data + for (j=0; j < height; ++j) { + for (i=0; i < width; ++i) { + stbi_uc rgbe[4]; + main_decode_loop: + stbi__getn(s, rgbe, 4); + stbi__hdr_convert(hdr_data + j * width * req_comp + i * req_comp, rgbe, req_comp); + } + } + } else { + // Read RLE-encoded data + scanline = NULL; + + for (j = 0; j < height; ++j) { + c1 = stbi__get8(s); + c2 = stbi__get8(s); + len = stbi__get8(s); + if (c1 != 2 || c2 != 2 || (len & 0x80)) { + // not run-length encoded, so we have to actually use THIS data as a decoded + // pixel (note this can't be a valid pixel--one of RGB must be >= 128) + stbi_uc rgbe[4]; + rgbe[0] = (stbi_uc) c1; + rgbe[1] = (stbi_uc) c2; + rgbe[2] = (stbi_uc) len; + rgbe[3] = (stbi_uc) stbi__get8(s); + stbi__hdr_convert(hdr_data, rgbe, req_comp); + i = 1; + j = 0; + STBI_FREE(scanline); + goto main_decode_loop; // yes, this makes no sense + } + len <<= 8; + len |= 
stbi__get8(s); + if (len != width) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("invalid decoded scanline length", "corrupt HDR"); } + if (scanline == NULL) { + scanline = (stbi_uc *) stbi__malloc_mad2(width, 4, 0); + if (!scanline) { + STBI_FREE(hdr_data); + return stbi__errpf("outofmem", "Out of memory"); + } + } + + for (k = 0; k < 4; ++k) { + int nleft; + i = 0; + while ((nleft = width - i) > 0) { + count = stbi__get8(s); + if (count > 128) { + // Run + value = stbi__get8(s); + count -= 128; + if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); } + for (z = 0; z < count; ++z) + scanline[i++ * 4 + k] = value; + } else { + // Dump + if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); } + for (z = 0; z < count; ++z) + scanline[i++ * 4 + k] = stbi__get8(s); + } + } + } + for (i=0; i < width; ++i) + stbi__hdr_convert(hdr_data+(j*width + i)*req_comp, scanline + i*4, req_comp); + } + if (scanline) + STBI_FREE(scanline); + } + + return hdr_data; +} + +static int stbi__hdr_info(stbi__context *s, int *x, int *y, int *comp) +{ + char buffer[STBI__HDR_BUFLEN]; + char *token; + int valid = 0; + int dummy; + + if (!x) x = &dummy; + if (!y) y = &dummy; + if (!comp) comp = &dummy; + + if (stbi__hdr_test(s) == 0) { + stbi__rewind( s ); + return 0; + } + + for(;;) { + token = stbi__hdr_gettoken(s,buffer); + if (token[0] == 0) break; + if (strcmp(token, "FORMAT=32-bit_rle_rgbe") == 0) valid = 1; + } + + if (!valid) { + stbi__rewind( s ); + return 0; + } + token = stbi__hdr_gettoken(s,buffer); + if (strncmp(token, "-Y ", 3)) { + stbi__rewind( s ); + return 0; + } + token += 3; + *y = (int) strtol(token, &token, 10); + while (*token == ' ') ++token; + if (strncmp(token, "+X ", 3)) { + stbi__rewind( s ); + return 0; + } + token += 3; + *x = (int) strtol(token, NULL, 10); + *comp = 3; + return 1; +} +#endif // STBI_NO_HDR + +#ifndef 
STBI_NO_BMP +static int stbi__bmp_info(stbi__context *s, int *x, int *y, int *comp) +{ + void *p; + stbi__bmp_data info; + + info.all_a = 255; + p = stbi__bmp_parse_header(s, &info); + stbi__rewind( s ); + if (p == NULL) + return 0; + if (x) *x = s->img_x; + if (y) *y = s->img_y; + if (comp) { + if (info.bpp == 24 && info.ma == 0xff000000) + *comp = 3; + else + *comp = info.ma ? 4 : 3; + } + return 1; +} +#endif + +#ifndef STBI_NO_PSD +static int stbi__psd_info(stbi__context *s, int *x, int *y, int *comp) +{ + int channelCount, dummy, depth; + if (!x) x = &dummy; + if (!y) y = &dummy; + if (!comp) comp = &dummy; + if (stbi__get32be(s) != 0x38425053) { + stbi__rewind( s ); + return 0; + } + if (stbi__get16be(s) != 1) { + stbi__rewind( s ); + return 0; + } + stbi__skip(s, 6); + channelCount = stbi__get16be(s); + if (channelCount < 0 || channelCount > 16) { + stbi__rewind( s ); + return 0; + } + *y = stbi__get32be(s); + *x = stbi__get32be(s); + depth = stbi__get16be(s); + if (depth != 8 && depth != 16) { + stbi__rewind( s ); + return 0; + } + if (stbi__get16be(s) != 3) { + stbi__rewind( s ); + return 0; + } + *comp = 4; + return 1; +} + +static int stbi__psd_is16(stbi__context *s) +{ + int channelCount, depth; + if (stbi__get32be(s) != 0x38425053) { + stbi__rewind( s ); + return 0; + } + if (stbi__get16be(s) != 1) { + stbi__rewind( s ); + return 0; + } + stbi__skip(s, 6); + channelCount = stbi__get16be(s); + if (channelCount < 0 || channelCount > 16) { + stbi__rewind( s ); + return 0; + } + (void) stbi__get32be(s); + (void) stbi__get32be(s); + depth = stbi__get16be(s); + if (depth != 16) { + stbi__rewind( s ); + return 0; + } + return 1; +} +#endif + +#ifndef STBI_NO_PIC +static int stbi__pic_info(stbi__context *s, int *x, int *y, int *comp) +{ + int act_comp=0,num_packets=0,chained,dummy; + stbi__pic_packet packets[10]; + + if (!x) x = &dummy; + if (!y) y = &dummy; + if (!comp) comp = &dummy; + + if (!stbi__pic_is4(s,"\x53\x80\xF6\x34")) { + stbi__rewind(s); + return 
0; + } + + stbi__skip(s, 88); + + *x = stbi__get16be(s); + *y = stbi__get16be(s); + if (stbi__at_eof(s)) { + stbi__rewind( s); + return 0; + } + if ( (*x) != 0 && (1 << 28) / (*x) < (*y)) { + stbi__rewind( s ); + return 0; + } + + stbi__skip(s, 8); + + do { + stbi__pic_packet *packet; + + if (num_packets==sizeof(packets)/sizeof(packets[0])) + return 0; + + packet = &packets[num_packets++]; + chained = stbi__get8(s); + packet->size = stbi__get8(s); + packet->type = stbi__get8(s); + packet->channel = stbi__get8(s); + act_comp |= packet->channel; + + if (stbi__at_eof(s)) { + stbi__rewind( s ); + return 0; + } + if (packet->size != 8) { + stbi__rewind( s ); + return 0; + } + } while (chained); + + *comp = (act_comp & 0x10 ? 4 : 3); + + return 1; +} +#endif + +// ************************************************************************************************* +// Portable Gray Map and Portable Pixel Map loader +// by Ken Miller +// +// PGM: http://netpbm.sourceforge.net/doc/pgm.html +// PPM: http://netpbm.sourceforge.net/doc/ppm.html +// +// Known limitations: +// Does not support comments in the header section +// Does not support ASCII image data (formats P2 and P3) +// Does not support 16-bit-per-channel + +#ifndef STBI_NO_PNM + +static int stbi__pnm_test(stbi__context *s) +{ + char p, t; + p = (char) stbi__get8(s); + t = (char) stbi__get8(s); + if (p != 'P' || (t != '5' && t != '6')) { + stbi__rewind( s ); + return 0; + } + return 1; +} + +static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req_comp, stbi__result_info *ri) +{ + stbi_uc *out; + STBI_NOTUSED(ri); + + if (!stbi__pnm_info(s, (int *)&s->img_x, (int *)&s->img_y, (int *)&s->img_n)) + return 0; + + if (s->img_y > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + if (s->img_x > STBI_MAX_DIMENSIONS) return stbi__errpuc("too large","Very large image (corrupt?)"); + + *x = s->img_x; + *y = s->img_y; + if (comp) *comp = s->img_n; + + if 
(!stbi__mad3sizes_valid(s->img_n, s->img_x, s->img_y, 0)) + return stbi__errpuc("too large", "PNM too large"); + + out = (stbi_uc *) stbi__malloc_mad3(s->img_n, s->img_x, s->img_y, 0); + if (!out) return stbi__errpuc("outofmem", "Out of memory"); + stbi__getn(s, out, s->img_n * s->img_x * s->img_y); + + if (req_comp && req_comp != s->img_n) { + out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y); + if (out == NULL) return out; // stbi__convert_format frees input on failure + } + return out; +} + +static int stbi__pnm_isspace(char c) +{ + return c == ' ' || c == '\t' || c == '\n' || c == '\v' || c == '\f' || c == '\r'; +} + +static void stbi__pnm_skip_whitespace(stbi__context *s, char *c) +{ + for (;;) { + while (!stbi__at_eof(s) && stbi__pnm_isspace(*c)) + *c = (char) stbi__get8(s); + + if (stbi__at_eof(s) || *c != '#') + break; + + while (!stbi__at_eof(s) && *c != '\n' && *c != '\r' ) + *c = (char) stbi__get8(s); + } +} + +static int stbi__pnm_isdigit(char c) +{ + return c >= '0' && c <= '9'; +} + +static int stbi__pnm_getinteger(stbi__context *s, char *c) +{ + int value = 0; + + while (!stbi__at_eof(s) && stbi__pnm_isdigit(*c)) { + value = value*10 + (*c - '0'); + *c = (char) stbi__get8(s); + } + + return value; +} + +static int stbi__pnm_info(stbi__context *s, int *x, int *y, int *comp) +{ + int maxv, dummy; + char c, p, t; + + if (!x) x = &dummy; + if (!y) y = &dummy; + if (!comp) comp = &dummy; + + stbi__rewind(s); + + // Get identifier + p = (char) stbi__get8(s); + t = (char) stbi__get8(s); + if (p != 'P' || (t != '5' && t != '6')) { + stbi__rewind(s); + return 0; + } + + *comp = (t == '6') ? 
3 : 1; // '5' is 1-component .pgm; '6' is 3-component .ppm + + c = (char) stbi__get8(s); + stbi__pnm_skip_whitespace(s, &c); + + *x = stbi__pnm_getinteger(s, &c); // read width + stbi__pnm_skip_whitespace(s, &c); + + *y = stbi__pnm_getinteger(s, &c); // read height + stbi__pnm_skip_whitespace(s, &c); + + maxv = stbi__pnm_getinteger(s, &c); // read max value + + if (maxv > 255) + return stbi__err("max value > 255", "PPM image not 8-bit"); + else + return 1; +} +#endif + +static int stbi__info_main(stbi__context *s, int *x, int *y, int *comp) +{ + #ifndef STBI_NO_JPEG + if (stbi__jpeg_info(s, x, y, comp)) return 1; + #endif + + #ifndef STBI_NO_PNG + if (stbi__png_info(s, x, y, comp)) return 1; + #endif + + #ifndef STBI_NO_GIF + if (stbi__gif_info(s, x, y, comp)) return 1; + #endif + + #ifndef STBI_NO_BMP + if (stbi__bmp_info(s, x, y, comp)) return 1; + #endif + + #ifndef STBI_NO_PSD + if (stbi__psd_info(s, x, y, comp)) return 1; + #endif + + #ifndef STBI_NO_PIC + if (stbi__pic_info(s, x, y, comp)) return 1; + #endif + + #ifndef STBI_NO_PNM + if (stbi__pnm_info(s, x, y, comp)) return 1; + #endif + + #ifndef STBI_NO_HDR + if (stbi__hdr_info(s, x, y, comp)) return 1; + #endif + + // test tga last because it's a crappy test! 
+ #ifndef STBI_NO_TGA + if (stbi__tga_info(s, x, y, comp)) + return 1; + #endif + return stbi__err("unknown image type", "Image not of any known type, or corrupt"); +} + +static int stbi__is_16_main(stbi__context *s) +{ + #ifndef STBI_NO_PNG + if (stbi__png_is16(s)) return 1; + #endif + + #ifndef STBI_NO_PSD + if (stbi__psd_is16(s)) return 1; + #endif + + return 0; +} + +#ifndef STBI_NO_STDIO +STBIDEF int stbi_info(char const *filename, int *x, int *y, int *comp) +{ + FILE *f = stbi__fopen(filename, "rb"); + int result; + if (!f) return stbi__err("can't fopen", "Unable to open file"); + result = stbi_info_from_file(f, x, y, comp); + fclose(f); + return result; +} + +STBIDEF int stbi_info_from_file(FILE *f, int *x, int *y, int *comp) +{ + int r; + stbi__context s; + long pos = ftell(f); + stbi__start_file(&s, f); + r = stbi__info_main(&s,x,y,comp); + fseek(f,pos,SEEK_SET); + return r; +} + +STBIDEF int stbi_is_16_bit(char const *filename) +{ + FILE *f = stbi__fopen(filename, "rb"); + int result; + if (!f) return stbi__err("can't fopen", "Unable to open file"); + result = stbi_is_16_bit_from_file(f); + fclose(f); + return result; +} + +STBIDEF int stbi_is_16_bit_from_file(FILE *f) +{ + int r; + stbi__context s; + long pos = ftell(f); + stbi__start_file(&s, f); + r = stbi__is_16_main(&s); + fseek(f,pos,SEEK_SET); + return r; +} +#endif // !STBI_NO_STDIO + +STBIDEF int stbi_info_from_memory(stbi_uc const *buffer, int len, int *x, int *y, int *comp) +{ + stbi__context s; + stbi__start_mem(&s,buffer,len); + return stbi__info_main(&s,x,y,comp); +} + +STBIDEF int stbi_info_from_callbacks(stbi_io_callbacks const *c, void *user, int *x, int *y, int *comp) +{ + stbi__context s; + stbi__start_callbacks(&s, (stbi_io_callbacks *) c, user); + return stbi__info_main(&s,x,y,comp); +} + +STBIDEF int stbi_is_16_bit_from_memory(stbi_uc const *buffer, int len) +{ + stbi__context s; + stbi__start_mem(&s,buffer,len); + return stbi__is_16_main(&s); +} + +STBIDEF int 
stbi_is_16_bit_from_callbacks(stbi_io_callbacks const *c, void *user)
+{
+ stbi__context s;
+ stbi__start_callbacks(&s, (stbi_io_callbacks *) c, user);
+ return stbi__is_16_main(&s);
+}
+
+#endif // STB_IMAGE_IMPLEMENTATION
+
+/*
+ revision history:
+ 2.20 (2019-02-07) support utf8 filenames in Windows; fix warnings and platform ifdefs
+ 2.19 (2018-02-11) fix warning
+ 2.18 (2018-01-30) fix warnings
+ 2.17 (2018-01-29) change sbti__shiftsigned to avoid clang -O2 bug
+ 1-bit BMP
+ *_is_16_bit api
+ avoid warnings
+ 2.16 (2017-07-23) all functions have 16-bit variants;
+ STBI_NO_STDIO works again;
+ compilation fixes;
+ fix rounding in unpremultiply;
+ optimize vertical flip;
+ disable raw_len validation;
+ documentation fixes
+ 2.15 (2017-03-18) fix png-1,2,4 bug; now all Imagenet JPGs decode;
+ warning fixes; disable run-time SSE detection on gcc;
+ uniform handling of optional "return" values;
+ thread-safe initialization of zlib tables
+ 2.14 (2017-03-03) remove deprecated STBI_JPEG_OLD; fixes for Imagenet JPGs
+ 2.13 (2016-11-29) add 16-bit API, only supported for PNG right now
+ 2.12 (2016-04-02) fix typo in 2.11 PSD fix that caused crashes
+ 2.11 (2016-04-02) allocate large structures on the stack
+ remove white matting for transparent PSD
+ fix reported channel count for PNG & BMP
+ re-enable SSE2 in non-gcc 64-bit
+ support RGB-formatted JPEG
+ read 16-bit PNGs (only as 8-bit)
+ 2.10 (2016-01-22) avoid warning introduced in 2.09 by STBI_REALLOC_SIZED
+ 2.09 (2016-01-16) allow comments in PNM files
+ 16-bit-per-pixel TGA (not bit-per-component)
+ info() for TGA could break due to .hdr handling
+ info() for BMP to shares code instead of sloppy parse
+ can use STBI_REALLOC_SIZED if allocator doesn't support realloc
+ code cleanup
+ 2.08 (2015-09-13) fix to 2.07 cleanup, reading RGB PSD as RGBA
+ 2.07 (2015-09-13) fix compiler warnings
+ partial animated GIF support
+ limited 16-bpc PSD support
+ #ifdef unused functions
+ bug with < 92 byte PIC,PNM,HDR,TGA
+ 
2.06 (2015-04-19) fix bug where PSD returns wrong '*comp' value
+ 2.05 (2015-04-19) fix bug in progressive JPEG handling, fix warning
+ 2.04 (2015-04-15) try to re-enable SIMD on MinGW 64-bit
+ 2.03 (2015-04-12) extra corruption checking (mmozeiko)
+ stbi_set_flip_vertically_on_load (nguillemot)
+ fix NEON support; fix mingw support
+ 2.02 (2015-01-19) fix incorrect assert, fix warning
+ 2.01 (2015-01-17) fix various warnings; suppress SIMD on gcc 32-bit without -msse2
+ 2.00b (2014-12-25) fix STBI_MALLOC in progressive JPEG
+ 2.00 (2014-12-25) optimize JPG, including x86 SSE2 & NEON SIMD (ryg)
+ progressive JPEG (stb)
+ PGM/PPM support (Ken Miller)
+ STBI_MALLOC,STBI_REALLOC,STBI_FREE
+ GIF bugfix -- seemingly never worked
+ STBI_NO_*, STBI_ONLY_*
+ 1.48 (2014-12-14) fix incorrectly-named assert()
+ 1.47 (2014-12-14) 1/2/4-bit PNG support, both direct and paletted (Omar Cornut & stb)
+ optimize PNG (ryg)
+ fix bug in interlaced PNG with user-specified channel count (stb)
+ 1.46 (2014-08-26)
+ fix broken tRNS chunk (colorkey-style transparency) in non-paletted PNG
+ 1.45 (2014-08-16)
+ fix MSVC-ARM internal compiler error by wrapping malloc
+ 1.44 (2014-08-07)
+ various warning fixes from Ronny Chevalier
+ 1.43 (2014-07-15)
+ fix MSVC-only compiler problem in code changed in 1.42
+ 1.42 (2014-07-09)
+ don't define _CRT_SECURE_NO_WARNINGS (affects user code)
+ fixes to stbi__cleanup_jpeg path
+ added STBI_ASSERT to avoid requiring assert.h
+ 1.41 (2014-06-25)
+ fix search&replace from 1.36 that messed up comments/error messages
+ 1.40 (2014-06-22)
+ fix gcc struct-initialization warning
+ 1.39 (2014-06-15)
+ fix to TGA optimization when req_comp != number of components in TGA;
+ fix to GIF loading because BMP wasn't rewinding (whoops, no GIFs in my test suite)
+ add support for BMP version 5 (more ignored fields)
+ 1.38 (2014-06-06)
+ suppress MSVC warnings on integer casts truncating values
+ fix accidental rename of 'skip' field of I/O
+ 1.37 (2014-06-04)
+ remove 
duplicate typedef
+ 1.36 (2014-06-03)
+ convert to header file single-file library
+ if de-iphone isn't set, load iphone images color-swapped instead of returning NULL
+ 1.35 (2014-05-27)
+ various warnings
+ fix broken STBI_SIMD path
+ fix bug where stbi_load_from_file no longer left file pointer in correct place
+ fix broken non-easy path for 32-bit BMP (possibly never used)
+ TGA optimization by Arseny Kapoulkine
+ 1.34 (unknown)
+ use STBI_NOTUSED in stbi__resample_row_generic(), fix one more leak in tga failure case
+ 1.33 (2011-07-14)
+ make stbi_is_hdr work in STBI_NO_HDR (as specified), minor compiler-friendly improvements
+ 1.32 (2011-07-13)
+ support for "info" function for all supported filetypes (SpartanJ)
+ 1.31 (2011-06-20)
+ a few more leak fixes, bug in PNG handling (SpartanJ)
+ 1.30 (2011-06-11)
+ added ability to load files via callbacks to accomidate custom input streams (Ben Wenger)
+ removed deprecated format-specific test/load functions
+ removed support for installable file formats (stbi_loader) -- would have been broken for IO callbacks anyway
+ error cases in bmp and tga give messages and don't leak (Raymond Barbiero, grisha)
+ fix inefficiency in decoding 32-bit BMP (David Woo)
+ 1.29 (2010-08-16)
+ various warning fixes from Aurelien Pocheville
+ 1.28 (2010-08-01)
+ fix bug in GIF palette transparency (SpartanJ)
+ 1.27 (2010-08-01)
+ cast-to-stbi_uc to fix warnings
+ 1.26 (2010-07-24)
+ fix bug in file buffering for PNG reported by SpartanJ
+ 1.25 (2010-07-17)
+ refix trans_data warning (Won Chun)
+ 1.24 (2010-07-12)
+ perf improvements reading from files on platforms with lock-heavy fgetc()
+ minor perf improvements for jpeg
+ deprecated type-specific functions so we'll get feedback if they're needed
+ attempt to fix trans_data warning (Won Chun)
+ 1.23 fixed bug in iPhone support
+ 1.22 (2010-07-10)
+ removed image *writing* support
+ stbi_info support from Jetro Lauha
+ GIF support from Jean-Marc Lienher
+ iPhone PNG-extensions from 
James Brown
+ warning-fixes from Nicolas Schulz and Janez Zemva (i.stbi__err. Janez (U+017D)emva)
+ 1.21 fix use of 'stbi_uc' in header (reported by jon blow)
+ 1.20 added support for Softimage PIC, by Tom Seddon
+ 1.19 bug in interlaced PNG corruption check (found by ryg)
+ 1.18 (2008-08-02)
+ fix a threading bug (local mutable static)
+ 1.17 support interlaced PNG
+ 1.16 major bugfix - stbi__convert_format converted one too many pixels
+ 1.15 initialize some fields for thread safety
+ 1.14 fix threadsafe conversion bug
+ header-file-only version (#define STBI_HEADER_FILE_ONLY before including)
+ 1.13 threadsafe
+ 1.12 const qualifiers in the API
+ 1.11 Support installable IDCT, colorspace conversion routines
+ 1.10 Fixes for 64-bit (don't use "unsigned long")
+ optimized upsampling by Fabian "ryg" Giesen
+ 1.09 Fix format-conversion for PSD code (bad global variables!)
+ 1.08 Thatcher Ulrich's PSD code integrated by Nicolas Schulz
+ 1.07 attempt to fix C++ warning/errors again
+ 1.06 attempt to fix C++ warning/errors again
+ 1.05 fix TGA loading to return correct *comp and use good luminance calc
+ 1.04 default float alpha is 1, not 255; use 'void *' for stbi_image_free
+ 1.03 bugfixes to STBI_NO_STDIO, STBI_NO_HDR
+ 1.02 support for (subset of) HDR files, float interface for preferred access to them
+ 1.01 fix bug: possible bug in handling right-side up bmps... 
not sure
+ fix bug: the stbi__bmp_load() and stbi__tga_load() functions didn't work at all
+ 1.00 interface to zlib that skips zlib header
+ 0.99 correct handling of alpha in palette
+ 0.98 TGA loader by lonesock; dynamically add loaders (untested)
+ 0.97 jpeg errors on too large a file; also catch another malloc failure
+ 0.96 fix detection of invalid v value - particleman@mollyrocket forum
+ 0.95 during header scan, seek to markers in case of padding
+ 0.94 STBI_NO_STDIO to disable stdio usage; rename all #defines the same
+ 0.93 handle jpegtran output; verbose errors
+ 0.92 read 4,8,16,24,32-bit BMP files of several formats
+ 0.91 output 24-bit Windows 3.0 BMP files
+ 0.90 fix a few more warnings; bump version number to approach 1.0
+ 0.61 bugfixes due to Marc LeBlanc, Christopher Lloyd
+ 0.60 fix compiling as c++
+ 0.59 fix warnings: merge Dave Moore's -Wall fixes
+ 0.58 fix bug: zlib uncompressed mode len/nlen was wrong endian
+ 0.57 fix bug: jpg last huffman symbol before marker was >9 bits but less than 16 available
+ 0.56 fix bug: zlib uncompressed mode len vs. nlen
+ 0.55 fix bug: restart_interval not initialized to 0
+ 0.54 allow NULL for 'int *comp'
+ 0.53 fix bug in png 3->4; speedup png decoding
+ 0.52 png handles req_comp=3,4 directly; minor cleanup; jpeg comments
+ 0.51 obey req_comp requests, 1-component jpegs return as 1-component,
+ on 'test' only check type, not whether we support this variant
+ 0.50 (2006-11-19)
+ first released version
+*/
+
+
+/*
+------------------------------------------------------------------------------
+This software is available under 2 licenses -- choose whichever you prefer.
+------------------------------------------------------------------------------
+ALTERNATIVE A - MIT License
+Copyright (c) 2017 Sean Barrett
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+------------------------------------------------------------------------------
+ALTERNATIVE B - Public Domain (www.unlicense.org)
+This is free and unencumbered software released into the public domain.
+Anyone is free to copy, modify, publish, use, compile, sell, or distribute this
+software, either in source code form or as a compiled binary, for any purpose,
+commercial or non-commercial, and by any means.
+In jurisdictions that recognize copyright laws, the author or authors of this
+software dedicate any and all copyright interest in the software to the public
+domain. We make this dedication for the benefit of the public at large and to
+the detriment of our heirs and successors.
We intend this dedication to be an
+overt act of relinquishment in perpetuity of all present and future rights to
+this software under copyright law.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+------------------------------------------------------------------------------
+*/
\ No newline at end of file
diff --git a/fuzzers/qemufuzzer/Cargo.toml b/fuzzers/qemufuzzer/Cargo.toml
deleted file mode 100644
index b9f8e8c9b9..0000000000
--- a/fuzzers/qemufuzzer/Cargo.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-[package]
-name = "qemufuzzer"
-version = "0.1.0"
-authors = ["Andrea Fioraldi "]
-edition = "2018"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[features]
-default = ["std"]
-std = []
-
-[profile.release]
-lto = true
-codegen-units = 1
-opt-level = 3
-debug = true
-
-[dependencies]
-afl = { path = "../../afl/" }
-
-[lib]
-crate-type = ["staticlib", "cdylib"]
diff --git a/fuzzers/qemufuzzer/build.sh b/fuzzers/qemufuzzer/build.sh
deleted file mode 100755
index bb656dfac9..0000000000
--- a/fuzzers/qemufuzzer/build.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-cargo build --release
-
-git submodule init
-git submodule update qemu_fuzz
-
-cd qemu-fuzz
-
-./build_qemu_fuzz.sh ../target/release/libqemufuzzer.a
-
-cp build/qemu-x86_64 ../qemu_fuzz
diff --git a/fuzzers/qemufuzzer/qemu-fuzz b/fuzzers/qemufuzzer/qemu-fuzz
deleted file mode 160000
index 6f719f6aed..0000000000
--- a/fuzzers/qemufuzzer/qemu-fuzz
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 6f719f6aedc9c199d7b99ef42c532a9a20605ff3
diff --git a/fuzzers/qemufuzzer/qemu_fuzz b/fuzzers/qemufuzzer/qemu_fuzz
deleted file mode 100644
index 5fab602273..0000000000
Binary files a/fuzzers/qemufuzzer/qemu_fuzz and /dev/null differ
diff --git a/fuzzers/qemufuzzer/src/lib.rs b/fuzzers/qemufuzzer/src/lib.rs
deleted file mode 100644
index 4413e0f67e..0000000000
--- a/fuzzers/qemufuzzer/src/lib.rs
+++ /dev/null
@@ -1,102 +0,0 @@ -#![cfg_attr(not(feature = "std"), no_std)] - -extern crate alloc; - -use afl::corpus::InMemoryCorpus; -use afl::engines::Engine; -use afl::engines::Fuzzer; -use afl::engines::State; -use afl::engines::StdFuzzer; -use afl::events::{LlmpEventManager, SimpleStats}; -use afl::executors::inmemory::InProcessExecutor; -use afl::executors::{Executor, ExitKind}; -use afl::feedbacks::MaxMapFeedback; -use afl::generators::RandPrintablesGenerator; -use afl::mutators::scheduled::HavocBytesMutator; -use afl::mutators::HasMaxSize; -use afl::observers::VariableMapObserver; -use afl::stages::mutational::StdMutationalStage; -use afl::tuples::tuple_list; -use afl::utils::StdRand; - -use core::cmp::min; - -mod regs; -use regs::*; - -const FUZZ_MAP_SIZE: usize = 1048576; - -type TargetULong = u64; - -extern "C" { - fn fuzz_run_target(regs: *const x86_64_regs); - fn fuzz_write_mem(addr: TargetULong, buf: *const u8, size: usize); - // fn fuzz_read_mem(addr: TargetULong, buf: *const u8, size: usize); - - static fuzz_start_regs: x86_64_regs; - static mut fuzz_hitcounts_map: [u8; FUZZ_MAP_SIZE]; - static mut fuzz_edges_id: usize; -} - -fn harness(_executor: &dyn Executor, buf: &[u8]) -> ExitKind { - unsafe { - let mut regs = fuzz_start_regs.clone(); - let len = min(buf.len(), 4096); - regs.rsi = len as u64; - fuzz_write_mem(regs.rdi, buf.as_ptr(), len); - fuzz_run_target(®s); - } - ExitKind::Ok -} - -const NAME_COV_MAP: &str = "cov_map"; - -#[no_mangle] -pub extern "C" fn fuzz_main_loop() { - let mut rand = StdRand::new(0); - - let mut corpus = InMemoryCorpus::new(); - let mut generator = RandPrintablesGenerator::new(32); - - let stats = SimpleStats::new(|s| println!("{}", s)); - let mut mgr = LlmpEventManager::new_on_port_std(1337, stats).unwrap(); - if mgr.is_broker() { - println!("Doing broker things."); - mgr.broker_loop().unwrap(); - } - println!("We're a client, let's fuzz :)"); - - let edges_observer = - VariableMapObserver::new(&NAME_COV_MAP, unsafe { &mut 
fuzz_hitcounts_map }, unsafe { - &fuzz_edges_id - }); - let edges_feedback = MaxMapFeedback::new_with_observer(&NAME_COV_MAP, &edges_observer); - - let executor = InProcessExecutor::new("QEMUFuzzer", harness, tuple_list!(edges_observer))?; - let mut state = State::new(tuple_list!(edges_feedback)); - - let mut engine = Engine::new(executor); - - state - .generate_initial_inputs( - &mut rand, - &mut corpus, - &mut generator, - &mut engine, - &mut mgr, - 4, - ) - .expect("Failed to load initial inputs"); - - let mut mutator = HavocBytesMutator::new_default(); - mutator.set_max_size(4096); - - let stage = StdMutationalStage::new(mutator); - let mut fuzzer = StdFuzzer::new(tuple_list!(stage)); - - fuzzer - .fuzz_loop(&mut rand, &mut state, &mut corpus, &mut engine, &mut mgr) - .expect("Fuzzer fatal error"); - #[cfg(feature = "std")] - println!("OK"); -} diff --git a/fuzzers/qemufuzzer/src/regs.rs b/fuzzers/qemufuzzer/src/regs.rs deleted file mode 100644 index bf6fe27bec..0000000000 --- a/fuzzers/qemufuzzer/src/regs.rs +++ /dev/null 
@@ -1,107 +0,0 @@ -/* Generated by hand by Fioraldi bindgen */ - -#[repr(C)] -#[derive(Copy, Clone)] -pub struct x86_regs { - pub eax: u32, - pub ebx: u32, - pub ecx: u32, - pub edx: u32, - pub edi: u32, - pub esi: u32, - pub ebp: u32, - pub eip: u32, - pub esp: u32, - pub eflags: u32, - pub xmm_regs: [[u8; 8usize]; 16usize], -} - -#[repr(C)] -#[derive(Copy, Clone)] -pub struct x86_64_regs { - pub rax: u64, - pub rbx: u64, - pub rcx: u64, - pub rdx: u64, - pub rdi: u64, - pub rsi: u64, - pub rbp: u64, - pub r8: u64, - pub r9: u64, - pub r10: u64, - pub r11: u64, - pub r12: u64, - pub r13: u64, - pub r14: u64, - pub r15: u64, - pub rip: u64, - pub rsp: u64, - pub rflags: u64, - pub zmm_regs: [[u8; 32usize]; 64usize], -} - -#[repr(C)] -#[derive(Copy, Clone)] -pub struct arm_regs { - pub r0: u32, - pub r1: u32, - pub r2: u32, - pub r3: u32, - pub r4: u32, - pub r5: u32, - pub r6: u32, - pub r7: u32, - pub r8: u32, - pub r9: u32, - pub r10: u32, - pub r11: u32, - pub r12: u32, - pub r13: u32, - pub r14: u32, - pub r15: u32, - pub cpsr: u32, - pub vfp_zregs: [[u8; 32usize]; 16usize], - pub vfp_xregs: [u32; 16usize], -} - -#[repr(C)] -#[derive(Copy, Clone)] -pub struct arm64_regs { - pub x0: u64, - pub x1: u64, - pub x2: u64, - pub x3: u64, - pub x4: u64, - pub x5: u64, - pub x6: u64, - pub x7: u64, - pub x8: u64, - pub x9: u64, - pub x10: u64, - pub x11: u64, - pub x12: u64, - pub x13: u64, - pub x14: u64, - pub x15: u64, - pub x16: u64, - pub x17: u64, - pub x18: u64, - pub x19: u64, - pub x20: u64, - pub x21: u64, - pub x22: u64, - pub x23: u64, - pub x24: u64, - pub x25: u64, - pub x26: u64, - pub x27: u64, - pub x28: u64, - pub x29: u64, - pub x30: u64, - pub x31: u64, - pub pc: u64, - pub cpsr: u32, - pub vfp_zregs: [[u8; 32usize]; 256usize], - pub vfp_pregs: [[u8; 17usize]; 32usize], - pub vfp_xregs: [u32; 16usize], -} diff --git a/fuzzers/qemufuzzer/test/test.c b/fuzzers/qemufuzzer/test/test.c deleted file mode 100755 index 04d002b2ae..0000000000 
--- a/fuzzers/qemufuzzer/test/test.c +++ /dev/null @@ -1,43 +0,0 @@ -#include -#include - -int target_func(const uint8_t *buf, size_t size) { - - /*printf("BUF (%ld): ", size); - for (int i = 0; i < size; i++) { - printf("%02X", buf[i]); - } - printf("\n");*/ - - if (size == 0) return 0; - - switch (buf[0]) { - - case 1: - if (buf[1] == 0x44) { - //__builtin_trap(); - return 8; - } - - break; - case 0xff: - if (buf[2] == 0xff) { - if (buf[1] == 0x44) { - //*(char *)(0xdeadbeef) = 1; - return 9; - } - } - - break; - default: - break; - - } - - return 1; - -} - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - return target_func(Data, Size); -} diff --git a/libafl/Cargo.toml b/libafl/Cargo.toml index fbaefb34af..9d0466b2d5 100644 --- a/libafl/Cargo.toml +++ b/libafl/Cargo.toml @@ -2,6 +2,11 @@ name = "libafl" version = "0.1.0" authors = ["Andrea Fioraldi ", "Dominik Maier "] +description = "Slot your own fuzzers together and extend their features using Rust" +documentation = "https://docs.rs/libafl" +repository = "https://github.com/AFLplusplus/LibAFL/" +license = "MIT OR Apache-2.0" +keywords = ["fuzzing", "testing", "security"] edition = "2018" build = "build.rs" @@ -13,7 +18,6 @@ ahash = "0.6.1" # another hash fxhash = "0.2.1" # yet another hash xxhash-rust = { version = "0.8.0", features = ["const_xxh3", "xxh3"] } # xxh3 hashing for rust serde_json = "1.0.60" - num_cpus = "1.0" # cpu count, for llmp example [[bench]] 
@@ -30,12 +34,13 @@ harness = false #debug = true [features] -default = ["std", "anymapdbg", "derive"] +default = ["std", "anymap_debug", "derive", "llmp_compression"] std = [] # print, sharedmap, ... support -runtime = [] # a runtime for clang inmem-executor -anymapdbg = ["serde_json"] # uses serde_json to Debug the anymap trait. Disable for smaller footprint. +anymap_debug = ["serde_json"] # uses serde_json to Debug the anymap trait. Disable for smaller footprint. derive = ["libafl_derive"] # provide derive(SerdeAny) macro. llmp_small_maps = [] # reduces initial map size for llmp +llmp_debug = ["backtrace"] # Enables debug output for LLMP +llmp_compression = [] #llmp compression using GZip [[example]] name = "llmp_test" @@ -46,7 +51,7 @@ required-features = ["std"] tuple_list = "0.1.2" hashbrown = { version = "0.9", features = ["serde", "ahash-compile-time-rng"] } # A faster hashmap, nostd compatible num = "*" -xxhash-rust = { version = "0.8.0", features = ["xxh3"] } # xxh3 hashing for rust +xxhash-rust = { version = "0.8.0", features = ["xxh3", "const_xxh3"] } # xxh3 hashing for rust serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib erased-serde = "0.3.12" postcard = { version = "0.5.1", features = ["alloc"] } # no_std compatible serde serialization fromat 
@@ -54,13 +59,22 @@ static_assertions = "1.1.0" ctor = "*" libafl_derive = { version = "*", optional = true, path = "../libafl_derive" } serde_json = { version = "1.0", optional = true, default-features = false, features = ["alloc"] } # an easy way to debug print SerdeAnyMap -#TODO: for llmp brotli = { version = "3.3.0", default-features = false } # brotli compression +compression = { version = "0.1.5" } num_enum = "0.5.1" +spin = "0.9.0" + +[target.'cfg(target_os = "android")'.dependencies] +backtrace = { version = "0.3", optional = true, default-features = false, features = ["std", "libbacktrace"] } # for llmp_debug + +[target.'cfg(not(target_os = "android"))'.dependencies] +backtrace = { version = "0.3", optional = true } # for llmp_debug [target.'cfg(unix)'.dependencies] libc = "0.2" # For (*nix) libc nix = "0.20.0" uds = "0.2.3" +lock_api = "0.4.3" +regex = "1.4.5" [target.'cfg(windows)'.dependencies] windows = "0.4.0" diff --git a/libafl/build.rs b/libafl/build.rs index ff4a614f3d..f1bf264c6b 100644 --- a/libafl/build.rs +++ b/libafl/build.rs @@ -1,3 +1,5 @@ +//! special handling to build and link libafl + fn main() { #[cfg(target_os = "windows")] windows::build!( diff --git a/libafl/examples/llmp_test/main.rs b/libafl/examples/llmp_test/main.rs index fcb03d3872..9b6cde1ecb 100644 --- a/libafl/examples/llmp_test/main.rs +++ b/libafl/examples/llmp_test/main.rs @@ -11,7 +11,10 @@ use std::{thread, time}; use libafl::bolts::llmp::Tag; #[cfg(all(unix, feature = "std"))] use libafl::{ - bolts::{llmp, shmem::UnixShMem}, + bolts::{ + llmp, + shmem::{ShMemProvider, StdShMemProvider}, + }, Error, }; 
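Review bot: `compression = { version = "0.1.5" }` is added unconditionally while the `llmp_compression` feature introduced in the previous hunk is an empty list, so the crate is compiled and linked even when the feature is off and the flag cannot actually gate it. Tying the two together is two lines: `compression = { version = "0.1.5", optional = true }` here and `llmp_compression = ["compression"]` in the `[features]` table. `lock_api` and `regex`, added under `[target.'cfg(unix)'.dependencies]`, also lack the trailing purpose comment their neighbours carry; a short `# for ...` note naming the consuming module would help anyone reviewing the dependency surface later.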
@@ -21,7 +24,8 @@ const _TAG_1MEG_V1: Tag = 0xB1111161; #[cfg(all(unix, feature = "std"))] fn adder_loop(port: u16) -> ! { - let mut client = llmp::LlmpClient::::create_attach_to_tcp(port).unwrap(); + let shmem_provider = StdShMemProvider::new().unwrap(); + let mut client = llmp::LlmpClient::create_attach_to_tcp(shmem_provider, port).unwrap(); let mut last_result: u32 = 0; let mut current_result: u32 = 0; loop { @@ -63,7 +67,8 @@ fn adder_loop(port: u16) -> ! { #[cfg(all(unix, feature = "std"))] fn large_msg_loop(port: u16) -> ! { - let mut client = llmp::LlmpClient::::create_attach_to_tcp(port).unwrap(); + let mut client = + llmp::LlmpClient::create_attach_to_tcp(StdShMemProvider::new().unwrap(), port).unwrap(); let meg_buf = [1u8; 1 << 20]; @@ -78,6 +83,7 @@ fn large_msg_loop(port: u16) -> ! { fn broker_message_hook( client_id: u32, tag: llmp::Tag, + _flags: llmp::Flag, message: &[u8], ) -> Result { match tag { @@ -124,7 +130,7 @@ fn main() { match mode.as_str() { "broker" => { - let mut broker = llmp::LlmpBroker::::new().unwrap(); + let mut broker = llmp::LlmpBroker::new(StdShMemProvider::new().unwrap()).unwrap(); broker .launch_listener(llmp::Listener::Tcp( std::net::TcpListener::bind(format!("127.0.0.1:{}", port)).unwrap(), @@ -133,7 +139,9 @@ fn main() { broker.loop_forever(&mut broker_message_hook, Some(Duration::from_millis(5))) } "ctr" => { - let mut client = llmp::LlmpClient::::create_attach_to_tcp(port).unwrap(); + let mut client = + llmp::LlmpClient::create_attach_to_tcp(StdShMemProvider::new().unwrap(), port) + .unwrap(); let mut counter: u32 = 0; loop { counter = counter.wrapping_add(1); diff --git a/libafl/src/bolts/bindings.rs b/libafl/src/bolts/bindings.rs index a3fa41413e..1a4dad811f 100644 --- a/libafl/src/bolts/bindings.rs +++ b/libafl/src/bolts/bindings.rs @@ -1,2 +1,4 @@ +//! Generated bindings + #[cfg(all(windows, feature = "std"))] ::windows::include_bindings!(); 
diff --git a/libafl/src/bolts/compress.rs b/libafl/src/bolts/compress.rs
new file mode 100644
index 0000000000..1da1f84cb8
--- /dev/null
+++ b/libafl/src/bolts/compress.rs
@@ -0,0 +1,75 @@ +//! Compression of events passed between a broker and clients. +//! Currently we use the gzip compression algorithm for its fast decompression performance. + +#[cfg(feature = "llmp_compression")] +use crate::Error; +use alloc::vec::Vec; +use compression::prelude::*; +use core::fmt::Debug; + +/// Compression for your stream compression needs. +#[derive(Debug)] +pub struct GzipCompressor { + /// If less bytes than threshold are being passed to `compress`, the payload is not getting compressed. + threshold: usize, +} + +impl GzipCompressor { + /// If the buffer is at lest larger as large as the `threshold` value, we compress the buffer. + /// When given a `threshold` of `0`, the `GzipCompressor` will always compress. + pub fn new(threshold: usize) -> Self { + GzipCompressor { threshold } + } +} + +impl GzipCompressor { + /// Compression. + /// If the buffer is smaller than the threshold of this compressor, `None` will be returned. + /// Else, the buffer is compressed. + pub fn compress(&self, buf: &[u8]) -> Result>, Error> { + if buf.len() >= self.threshold { + //compress if the buffer is large enough + let compressed = buf + .iter() + .cloned() + .encode(&mut GZipEncoder::new(), Action::Finish) + .collect::, _>>()?; + Ok(Some(compressed)) + } else { + Ok(None) + } + } + + /// Decompression. + /// Flag is used to indicate if it's compressed or not + pub fn decompress(&self, buf: &[u8]) -> Result, Error> { + Ok(buf + .iter() + .cloned() + .decode(&mut GZipDecoder::new()) + .collect::, _>>()?) 
+ } +} + +#[cfg(test)] +mod tests { + use crate::bolts::compress::GzipCompressor; + + #[test] + fn test_compression() { + let compressor = GzipCompressor::new(1); + assert!( + compressor + .decompress(&compressor.compress(&[1u8; 1024]).unwrap().unwrap()) + .unwrap() + == vec![1u8; 1024] + ); + } + + #[test] + fn test_threshold() { + let compressor = GzipCompressor::new(1024); + assert!(compressor.compress(&[1u8; 1023]).unwrap().is_none()); + assert!(compressor.compress(&[1u8; 1024]).unwrap().is_some()); + } +} diff --git a/libafl/src/bolts/llmp.rs b/libafl/src/bolts/llmp.rs index bb71eeb574..565f6c769c 100644 --- a/libafl/src/bolts/llmp.rs +++ b/libafl/src/bolts/llmp.rs @@ -64,45 +64,23 @@ use core::{ use serde::{Deserialize, Serialize}; #[cfg(feature = "std")] use std::{ - env, fs, + env, io::{Read, Write}, net::{SocketAddr, TcpListener, TcpStream}, thread, }; -#[cfg(all(feature = "std", unix))] -use nix::{ - cmsg_space, - sys::{ - socket::{recvmsg, sendmsg, ControlMessage, ControlMessageOwned, MsgFlags}, - uio::IoVec, - }, -}; - -#[cfg(all(feature = "std", unix))] -use std::{ - ffi::CStr, - os::unix::{ - self, - net::{UnixListener, UnixStream}, - {io::AsRawFd, prelude::RawFd}, - }, -}; - -#[cfg(all(feature = "std", unix))] -use libc::c_char; +#[cfg(all(feature = "llmp_debug", feature = "std"))] +use backtrace::Backtrace; #[cfg(unix)] -use uds::{UnixListenerExt, UnixSocketAddr, UnixStreamExt}; - -#[cfg(unix)] -use crate::bolts::os::unix_signals::{c_void, setup_signal_handler, siginfo_t, Handler, Signal}; +use crate::bolts::os::unix_signals::{setup_signal_handler, siginfo_t, Handler, Signal}; use crate::{ - bolts::shmem::{ShMem, ShMemDescription}, + bolts::shmem::{ShMem, ShMemDescription, ShMemId, ShMemProvider}, Error, }; - -use super::shmem::HasFd; +#[cfg(unix)] +use libc::ucontext_t; /// We'll start off with 256 megabyte maps per fuzzer client #[cfg(not(feature = "llmp_small_maps"))] 
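Review bot: `decompress` places no upper bound on the decoded size, and its input is whatever the peer wrote into the message, so a small malformed or hostile payload can expand into an arbitrarily large `Vec` on the receiving side; either cap the decoded length (count bytes as the `decode` iterator is collected and return an `Error` past a documented maximum) or state in the doc comment that callers must only feed it data from trusted peers. The doc comment on `decompress` ("Flag is used to indicate if it's compressed or not") describes a parameter the method does not take; `/// Decompresses a gzip buffer produced by `compress`; the caller decides from the message flags whether to call this.` matches the code. The `#[cfg(feature = "llmp_compression")]` gate covers only `use crate::Error`, while `Error` appears unconditionally in both method signatures, so the module appears not to build with the feature disabled unless the `mod compress` declaration is gated the same way (not visible here). Also `at lest larger as large as` in the `new` doc comment should read `at least as large as`.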
@@ -126,6 +104,9 @@ const LLMP_TAG_NEW_SHM_CLIENT: Tag = 0xC11E471; /// The sender on this map is exiting (if broker exits, clients should exit gracefully); const LLMP_TAG_EXITING: Tag = 0x13C5171; +pub const LLMP_FLAG_INITIALIZED: Flag = 0x0; +pub const LLMP_FLAG_COMPRESSED: Flag = 0x1; + /// An env var of this value indicates that the set value was a NULL PTR const _NULL_ENV_STR: &str = "_NULL"; @@ -146,20 +127,38 @@ static mut GLOBAL_SIGHANDLER_STATE: LlmpBrokerSignalHandler = LlmpBrokerSignalHa /// TAGs used thorughout llmp pub type Tag = u32; +pub type Flag = u64; + +/// This is for the server the broker will spawn. +/// If an llmp connection is local - use sharedmaps +/// or remote (broker2broker) - forwarded via tcp +pub enum TcpRequest { + LocalClientHello { shmem: ShMemDescription }, + RemoteBrokerHello, + RemoteNewMessage { tag: Tag, payload: Vec }, +} + +/// Responses for requests to the server. +pub enum TcpResponse { + LocalClientAccepted { + client_id: u32, + shmem: ShMemDescription, + }, + RemoteBrokerAccepted { + broker_id: u32, + hostname: String, + }, +} /// Abstraction for listeners #[cfg(feature = "std")] pub enum Listener { Tcp(TcpListener), - #[cfg(unix)] - Unix(UnixListener), } #[cfg(feature = "std")] pub enum ListenerStream { Tcp(TcpStream, SocketAddr), - #[cfg(unix)] - Unix(UnixStream, unix::net::SocketAddr), Empty(), } 
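Review bot: `pub type Flag = u64;`, `LLMP_FLAG_INITIALIZED`, `LLMP_FLAG_COMPRESSED` and the `TcpRequest`/`TcpResponse` variants are all public but carry no doc comments, unlike the neighbouring items in this file. Suggested text: `/// Per-message flags, a bitset of the `LLMP_FLAG_*` constants.` on the type alias, `/// No flags set; the payload is sent as is.` and `/// The payload is gzip-compressed (see `bolts::compress`).` on the two constants. `LLMP_FLAG_INITIALIZED` is `0x0`, so it cannot be detected with a bit test the way `LLMP_FLAG_COMPRESSED` can; if it is meant as the default value rather than a flag, its doc comment should say so. `RemoteNewMessage` carries a `tag` and a `payload` but no flags, so it is unclear from this hunk how a compressed message keeps its flag when forwarded broker to broker.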
@@ -174,27 +173,19 @@ impl Listener { ListenerStream::Empty() } }, - #[cfg(unix)] - Listener::Unix(inner) => match inner.accept() { - Ok(res) => ListenerStream::Unix(res.0, res.1), - Err(err) => { - dbg!("Ignoring failed accept", err); - ListenerStream::Empty() - } - }, } } } /// Get sharedmem from a page #[inline] -unsafe fn shmem2page_mut(afl_shmem: &mut SH) -> *mut LlmpPage { +unsafe fn shmem2page_mut(afl_shmem: &mut SHM) -> *mut LlmpPage { afl_shmem.map_mut().as_mut_ptr() as *mut LlmpPage } /// Get sharedmem from a page #[inline] -unsafe fn shmem2page(afl_shmem: &SH) -> *const LlmpPage { +unsafe fn shmem2page(afl_shmem: &SHM) -> *const LlmpPage { afl_shmem.map().as_ptr() as *const LlmpPage } @@ -242,16 +233,20 @@ fn msg_offset_from_env(env_name: &str) -> Result, Error> { fn new_map_size(max_alloc: usize) -> usize { max( max_alloc * 2 + EOP_MSG_SIZE + LLMP_PAGE_HEADER_LEN, - LLMP_CFG_INITIAL_MAP_SIZE, + LLMP_CFG_INITIAL_MAP_SIZE - 1, ) .next_power_of_two() } /// Initialize a new llmp_page. size should be relative to /// llmp_page->messages -unsafe fn _llmp_page_init(shmem: &mut SH, sender: u32, allow_reinit: bool) { - let map_size = shmem.map().len(); +unsafe fn _llmp_page_init(shmem: &mut SHM, sender: u32, allow_reinit: bool) { + #[cfg(all(feature = "llmp_debug", feature = "std"))] + dbg!("_llmp_page_init: shmem {}", &shmem); + let map_size = shmem.len(); let page = shmem2page_mut(shmem); + #[cfg(all(feature = "llmp_debug", feature = "std"))] + dbg!("_llmp_page_init: page {}", *page); if (*page).magic == PAGE_INITIALIZED_MAGIC && !allow_reinit { panic!( "Tried to initialize page {:?} twice (for shmem {:?})", 
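Review bot: In `new_map_size`, the floor changes from `LLMP_CFG_INITIAL_MAP_SIZE` to `LLMP_CFG_INITIAL_MAP_SIZE - 1` with no explanation; because the result goes through `.next_power_of_two()`, the `- 1` only changes the outcome when the constant is exactly one above a power of two, so a comment stating the intended size would stop the next reader from treating it as an off-by-one. In `_llmp_page_init`, `dbg!("_llmp_page_init: shmem {}", &shmem)` is not a format call: `dbg!` prints each argument separately and the `{}` is emitted literally, and `dbg!("...", *page)` takes `*page` by value, which appears to move a whole `LlmpPage` out of a raw pointer and is unlikely to compile under `llmp_debug` unless `LlmpPage` is `Copy` (its definition is outside this hunk). `dbg!(&shmem);` and `dbg!(&*page);` express the intent without either problem.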
@@ -269,12 +264,13 @@ unsafe fn _llmp_page_init(shmem: &mut SH, sender: u32, allow_reinit: (*(*page).messages.as_mut_ptr()).tag = LLMP_TAG_UNSET; ptr::write_volatile(&mut (*page).save_to_unmap, 0); ptr::write_volatile(&mut (*page).sender_dead, 0); + assert!((*page).size_total != 0); } /// Get the next pointer and make sure it's in the current page, and has enough space. #[inline] -unsafe fn llmp_next_msg_ptr_checked( - map: &mut LlmpSharedMap, +unsafe fn llmp_next_msg_ptr_checked( + map: &mut LlmpSharedMap, last_msg: *const LlmpMsg, alloc_size: usize, ) -> Result<*mut LlmpMsg, Error> { @@ -331,6 +327,8 @@ pub struct LlmpMsg { pub tag: Tag, /// Sender of this messge pub sender: u32, + /// flags, currently only used for indicating compression + pub flags: Flag, /// The message ID, unique per page pub message_id: u64, /// Buffer length as specified by the user @@ -352,7 +350,7 @@ impl LlmpMsg { /// Gets the buffer from this message as slice, with the corrent length. #[inline] - pub fn as_slice(&self, map: &mut LlmpSharedMap) -> Result<&[u8], Error> { + pub fn as_slice(&self, map: &mut LlmpSharedMap) -> Result<&[u8], Error> { unsafe { if self.in_map(map) { Ok(self.as_slice_unsafe()) @@ -364,7 +362,7 @@ impl LlmpMsg { /// Returns true, if the pointer is, indeed, in the page of this shared map. #[inline] - pub fn in_map(&self, map: &mut LlmpSharedMap) -> bool { + pub fn in_map(&self, map: &mut LlmpSharedMap) -> bool { unsafe { let map_size = map.shmem.map().len(); let buf_ptr = self.buf.as_ptr(); 
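Review bot: `pub flags: Flag` is inserted into `LlmpMsg` between `sender` and `message_id`, and this struct is the header peers read directly out of shared memory (`as_slice`/`in_map` below operate on it in place), so every process sharing a map must be built with the same layout; a broker or client built before this change would read the following fields at shifted offsets. The hunk adds no versioning of the layout; if `PAGE_INITIALIZED_MAGIC` is the only compatibility check, consider changing it or folding a layout version into it so a mismatch fails loudly in `_llmp_page_init` rather than as a misparsed message. The `assert!((*page).size_total != 0);` added to `_llmp_page_init` would also be easier to diagnose with a message, e.g. `assert!((*page).size_total != 0, "page {:?} has zero size_total after init", page);`.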
@@ -383,39 +381,40 @@ impl LlmpMsg { } /// An Llmp instance -#[derive(Clone, Debug)] -pub enum LlmpConnection +#[derive(Debug)] +pub enum LlmpConnection where - SH: ShMem, + SP: ShMemProvider + 'static, { /// A broker and a thread using this tcp background thread - IsBroker { broker: LlmpBroker }, + IsBroker { broker: LlmpBroker }, /// A client, connected to the port - IsClient { client: LlmpClient }, + IsClient { client: LlmpClient }, } -impl LlmpConnection +impl LlmpConnection where - SH: ShMem, + SP: ShMemProvider, { #[cfg(feature = "std")] /// Creates either a broker, if the tcp port is not bound, or a client, connected to this port. - pub fn on_port(port: u16) -> Result { + pub fn on_port(shmem_provider: SP, port: u16) -> Result { match TcpListener::bind(format!("127.0.0.1:{}", port)) { Ok(listener) => { // We got the port. We are the broker! :) dbg!("We're the broker"); - let mut broker = LlmpBroker::new()?; + let mut broker = LlmpBroker::new(shmem_provider)?; let _listener_thread = broker.launch_listener(Listener::Tcp(listener))?; Ok(LlmpConnection::IsBroker { broker }) } Err(e) => { + println!("error: {:?}", e); match e.kind() { std::io::ErrorKind::AddrInUse => { // We are the client :) dbg!("We're the client", e); Ok(LlmpConnection::IsClient { - client: LlmpClient::create_attach_to_tcp(port)?, + client: LlmpClient::create_attach_to_tcp(shmem_provider, port)?, }) } _ => Err(Error::File(e)), @@ -434,10 +433,11 @@ where /// Recreate an existing client from the stored description pub fn existing_client_from_description( + shmem_provider: SP, description: &LlmpClientDescription, - ) -> Result, Error> { + ) -> Result, Error> { Ok(LlmpConnection::IsClient { - client: LlmpClient::existing_client_from_description(description)?, + client: LlmpClient::existing_client_from_description(shmem_provider, description)?, }) } 
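Review bot: `println!("error: {:?}", e);` in `on_port` runs unconditionally before the `e.kind()` match, but `AddrInUse` is the expected outcome for every client, so library users now get an `error:` line on stdout on the normal client start path. Either drop it or gate it like the other diagnostics in this commit: `#[cfg(all(feature = "llmp_debug", feature = "std"))]` on the line above `println!("error: {:?}", e);`. The `dbg!("We're the client", e)` two lines later already reports the same error when debugging.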
@@ -448,34 +448,11 @@ where LlmpConnection::IsClient { client } => client.send_buf(tag, buf), } } -} -impl LlmpConnection -where - SH: ShMem + HasFd, -{ - #[cfg(all(feature = "std", unix))] - pub fn on_domain_socket(filename: &str) -> Result { - match UnixListener::bind_unix_addr(&UnixSocketAddr::new(filename).unwrap()) { - Ok(listener) => { - dbg!("We're the broker"); - let mut broker = LlmpBroker::new()?; - broker.socket_name = Some(filename.to_string()); - let _listener_thread = broker.launch_listener(Listener::Unix(listener))?; - Ok(LlmpConnection::IsBroker { broker }) - } - Err(e) => { - match e.kind() { - std::io::ErrorKind::AddrInUse => { - // We are the client :) - dbg!("We're the client", e); - Ok(LlmpConnection::IsClient { - client: LlmpClient::create_attach_to_unix(filename)?, - }) - } - _ => Err(Error::File(e)), - } - } + pub fn send_buf_with_flags(&mut self, tag: Tag, buf: &[u8], flags: Flag) -> Result<(), Error> { + match self { + LlmpConnection::IsBroker { broker } => broker.send_buf_with_flags(tag, flags, buf), + LlmpConnection::IsClient { client } => client.send_buf_with_flags(tag, flags, buf), } } } @@ -520,10 +497,10 @@ struct LlmpPayloadSharedMapInfo { } /// Sending end on a (unidirectional) sharedmap channel -#[derive(Clone, Debug)] -pub struct LlmpSender +#[derive(Debug)] +pub struct LlmpSender where - SH: ShMem, + SP: ShMemProvider, { /// ID of this sender. Only used in the broker. pub id: u32, 
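Review bot: `LlmpConnection::send_buf_with_flags(&mut self, tag: Tag, buf: &[u8], flags: Flag)` takes its arguments in a different order from the `send_buf_with_flags(tag, flags, buf)` it forwards to on both `broker` and `client`, so the same method name has two signatures in one file. The types differ so the compiler catches a swap, but the asymmetry is a trap for readers; `pub fn send_buf_with_flags(&mut self, tag: Tag, flags: Flag, buf: &[u8]) -> Result<(), Error> {` matches the inner API. The new method also has no doc comment; `/// Sends a buffer with the given flags on whichever side of the connection this is.` covers it.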
@@ -531,29 +508,31 @@ where /// If null, a new page (just) started. pub last_msg_sent: *const LlmpMsg, /// A vec of page wrappers, each containing an intialized AfShmem - pub out_maps: Vec>, + pub out_maps: Vec>, /// If true, pages will never be pruned. /// The broker uses this feature. /// By keeping the message history around, /// new clients may join at any time in the future. pub keep_pages_forever: bool, + shmem_provider: SP, } -/// An actor on the sendin part of the shared map -impl LlmpSender +/// An actor on the sending part of the shared map +impl LlmpSender where - SH: ShMem, + SP: ShMemProvider, { - pub fn new(id: u32, keep_pages_forever: bool) -> Result { + pub fn new(mut shmem_provider: SP, id: u32, keep_pages_forever: bool) -> Result { Ok(Self { id, last_msg_sent: ptr::null_mut(), out_maps: vec![LlmpSharedMap::new( 0, - SH::new_map(new_map_size(LLMP_CFG_INITIAL_MAP_SIZE))?, + shmem_provider.new_map(LLMP_CFG_INITIAL_MAP_SIZE)?, )], // drop pages to the broker if it already read them keep_pages_forever, + shmem_provider, }) } @@ -569,9 +548,13 @@ where /// Reattach to a vacant out_map, to with a previous sender stored the information in an env before. #[cfg(feature = "std")] - pub fn on_existing_from_env(env_name: &str) -> Result { + pub fn on_existing_from_env(mut shmem_provider: SP, env_name: &str) -> Result { let msg_sent_offset = msg_offset_from_env(env_name)?; - Self::on_existing_map(SH::existing_from_env(env_name)?, msg_sent_offset) + Self::on_existing_map( + shmem_provider.clone(), + shmem_provider.existing_from_env(env_name)?, + msg_sent_offset, + ) } /// Store the info to this sender to env. 
@@ -607,7 +590,8 @@ where /// It is essential, that the receiver (or someone else) keeps a pointer to this map /// else reattach will get a new, empty page, from the OS, or fail. pub fn on_existing_map( - current_out_map: SH, + shmem_provider: SP, + current_out_map: SP::Mem, last_msg_sent_offset: Option, ) -> Result { let mut out_map = LlmpSharedMap::existing(current_out_map); @@ -622,6 +606,7 @@ where out_maps: vec![out_map], // drop pages to the broker if it already read them keep_pages_forever: false, + shmem_provider, }) } @@ -663,7 +648,10 @@ where if (*ret).tag == LLMP_TAG_UNINITIALIZED { panic!("Did not call send() on last message!"); } - (*ret).buf_len_padded = size_of::() as u64; + (*ret).buf_len = size_of::() as u64; + + // We don't need to pad the EOP message: it'll always be the last in this page. + (*ret).buf_len_padded = (*ret).buf_len; (*ret).message_id = if !last_msg.is_null() { (*last_msg).message_id + 1 } else { @@ -683,6 +671,11 @@ where let map = self.out_maps.last_mut().unwrap(); let page = map.page_mut(); let last_msg = self.last_msg_sent; + #[cfg(all(feature = "llmp_debug", feature = "std"))] + println!( + "Allocating {} (>={}) bytes on page {:?} / map {:?} (last msg: {:?})", + complete_msg_size, buf_len, page, &map, last_msg + ); /* DBG("XXX complete_msg_size %lu (h: %lu)\n", complete_msg_size, sizeof(llmp_message)); */ /* In case we don't have enough space, make sure the next page will be large * enough */ 
@@ -701,19 +694,28 @@ where buf_len_padded = llmp_align(base_addr + complete_msg_size) - base_addr - size_of::(); complete_msg_size = buf_len_padded + size_of::(); - /* DBG("XXX complete_msg_size NEW %lu\n", complete_msg_size); */ /* Still space for the new message plus the additional "we're full" message? */ + + #[cfg(all(feature = "llmp_debug", feature = "std"))] + dbg!( + page, + (*page), + (*page).size_used, + complete_msg_size, + EOP_MSG_SIZE, + (*page).size_total + ); if (*page).size_used + complete_msg_size + EOP_MSG_SIZE > (*page).size_total { /* We're full. */ return None; } /* We need to start with 1 for ids, as current message id is initialized * with 0... */ - (*ret).message_id = if !last_msg.is_null() { - (*last_msg).message_id + 1 - } else { + (*ret).message_id = if last_msg.is_null() { 1 + } else { + (*last_msg).message_id + 1 } } else if (*page).current_msg_id != (*last_msg).message_id { /* Oops, wrong usage! */ @@ -736,7 +738,7 @@ where #[cfg(feature = "std")] return None; #[cfg(not(feature = "std"))] - panic!(&format!("Unexpected error allocing new msg {:?}", e)); + panic!("Unexpected error allocing new msg {:?}", e); } }; (*ret).message_id = (*last_msg).message_id + 1 @@ -769,6 +771,8 @@ where /// It will be read by the consuming threads (broker->clients or client->broker) #[inline(never)] // Not inlined to make cpu-level reodering (hopefully?) improbable unsafe fn send(&mut self, msg: *mut LlmpMsg) -> Result<(), Error> { + // dbg!("Sending msg {:?}", msg); + if self.last_msg_sent == msg { panic!("Message sent twice!"); } 
@@ -792,16 +796,42 @@ where /// listener about it using a EOP message. unsafe fn handle_out_eop(&mut self) -> Result<(), Error> { + #[cfg(all(feature = "llmp_debug", feature = "std"))] + { + #[cfg(debug_assertions)] + let bt = Backtrace::new(); + #[cfg(not(debug_assertions))] + let bt = ""; + let shm = self.out_maps.last().unwrap(); + println!( + "LLMP_DEBUG: End of page reached for map {} with len {}, sending EOP, bt: {:?}", + shm.shmem.id().to_string(), + shm.shmem.len(), + bt + ); + } + let old_map = self.out_maps.last_mut().unwrap().page_mut(); + #[cfg(all(feature = "llmp_debug", feature = "std"))] + println!("New Map Size {}", new_map_size((*old_map).max_alloc_size)); + // Create a new shard page. let mut new_map_shmem = LlmpSharedMap::new( (*old_map).sender, - SH::new_map(new_map_size((*old_map).max_alloc_size))?, + self.shmem_provider + .new_map(new_map_size((*old_map).max_alloc_size))?, ); let mut new_map = new_map_shmem.page_mut(); + #[cfg(all(feature = "llmp_debug", feature = "std"))] + println!("got new map at: {:?}", new_map); + ptr::write_volatile(&mut (*new_map).current_msg_id, (*old_map).current_msg_id); + + #[cfg(all(feature = "llmp_debug", feature = "std"))] + println!("Setting max alloc size: {:?}", (*old_map).max_alloc_size); + (*new_map).max_alloc_size = (*old_map).max_alloc_size; /* On the old map, place a last message linking to the new map for the clients * to consume */ 
@@ -809,21 +839,24 @@ where (*out).sender = (*old_map).sender; let mut end_of_page_msg = (*out).buf.as_mut_ptr() as *mut LlmpPayloadSharedMapInfo; - (*end_of_page_msg).map_size = new_map_shmem.shmem.map().len(); - (*end_of_page_msg).shm_str = *new_map_shmem.shmem.shm_slice(); - - // We never sent a msg on the new buf */ - self.last_msg_sent = ptr::null_mut(); + (*end_of_page_msg).map_size = new_map_shmem.shmem.len(); + (*end_of_page_msg).shm_str = *new_map_shmem.shmem.id().as_slice(); /* Send the last msg on the old buf */ self.send(out)?; + // Set the new page as current page. + self.out_maps.push(new_map_shmem); + // We never sent a msg on the new buf */ + self.last_msg_sent = ptr::null_mut(); + + // If we want to get red if old pages, (client to broker), do that now if !self.keep_pages_forever { + #[cfg(all(feature = "llmp_debug", feature = "std"))] + println!("pruning"); self.prune_old_pages(); } - self.out_maps.push(new_map_shmem); - Ok(()) } @@ -838,6 +871,9 @@ where self.handle_out_eop()?; } + #[cfg(all(feature = "llmp_debug", feature = "std"))] + println!("Handled out eop"); + match unsafe { self.alloc_next_if_space(buf_len) } { Some(msg) => Ok(msg), None => Err(Error::Unknown(format!( 
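Review bot: `self.out_maps.push(new_map_shmem)` now runs before `prune_old_pages()` where it previously ran after, so when `keep_pages_forever` is false the map that just received the EOP is no longer the last element at pruning time. If `prune_old_pages` (outside the hunk) drops everything but the last map, the old page is released by the sender immediately after `send(out)`, and the reasoning for why that is safe for a receiver that has not yet consumed the EOP belongs in a comment at the `push`. Also the comment `// If we want to get red if old pages` should read `// If we want to get rid of old pages`.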
@@ -875,6 +911,30 @@ where unsafe { let msg = self.alloc_next(buf.len())?; (*msg).tag = tag; + (*msg).flags = LLMP_FLAG_INITIALIZED; + buf.as_ptr() + .copy_to_nonoverlapping((*msg).buf.as_mut_ptr(), buf.len()); + self.send(msg) + } + } + + pub fn send_buf_with_flags(&mut self, tag: Tag, flags: Flag, buf: &[u8]) -> Result<(), Error> { + // Make sure we don't reuse already allocated tags + if tag == LLMP_TAG_NEW_SHM_CLIENT + || tag == LLMP_TAG_END_OF_PAGE + || tag == LLMP_TAG_UNINITIALIZED + || tag == LLMP_TAG_UNSET + { + return Err(Error::Unknown(format!( + "Reserved tag supplied to send_buf ({:#X})", + tag + ))); + } + + unsafe { + let msg = self.alloc_next(buf.len())?; + (*msg).tag = tag; + (*msg).flags = flags; buf.as_ptr() .copy_to_nonoverlapping((*msg).buf.as_mut_ptr(), buf.len()); self.send(msg) 
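Review bot: `send_buf_with_flags` repeats the reserved-tag check and the allocate/copy/send body of `send_buf`, whose start lies above this hunk, and its error text still says `Reserved tag supplied to send_buf`. `send_buf` can become a one-line delegation, `self.send_buf_with_flags(tag, LLMP_FLAG_INITIALIZED, buf)`, so the tag blacklist lives in one place and the message can name the right function. A doc comment is also missing on the new public method; `/// Sends a buffer with the given `flags` (see `LLMP_FLAG_*`); reserved tags are rejected.` states the contract.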
@@ -896,37 +956,44 @@ where } // Create this client on an existing map from the given description. acquired with `self.describe` - pub fn on_existing_from_description(description: &LlmpDescription) -> Result { + pub fn on_existing_from_description( + mut shmem_provider: SP, + description: &LlmpDescription, + ) -> Result { Self::on_existing_map( - SH::existing_from_description(&description.shmem)?, + shmem_provider.clone(), + shmem_provider.from_description(description.shmem)?, description.last_message_offset, ) } } /// Receiving end on a (unidirectional) sharedmap channel -#[derive(Clone, Debug)] -pub struct LlmpReceiver +#[derive(Debug)] +pub struct LlmpReceiver where - SH: ShMem, + SP: ShMemProvider, { pub id: u32, /// Pointer to the last meg this received pub last_msg_recvd: *const LlmpMsg, + /// The shmem provider + pub shmem_provider: SP, /// current page. After EOP, this gets replaced with the new one - pub current_recv_map: LlmpSharedMap, + pub current_recv_map: LlmpSharedMap, } /// Receiving end of an llmp channel -impl LlmpReceiver +impl LlmpReceiver where - SH: ShMem, + SP: ShMemProvider, { /// Reattach to a vacant recv_map, to with a previous sender stored the information in an env before. #[cfg(feature = "std")] - pub fn on_existing_from_env(env_name: &str) -> Result { + pub fn on_existing_from_env(mut shmem_provider: SP, env_name: &str) -> Result { Self::on_existing_map( - SH::existing_from_env(env_name)?, + shmem_provider.clone(), + shmem_provider.existing_from_env(env_name)?, msg_offset_from_env(env_name)?, ) } @@ -944,7 +1011,8 @@ where /// It is essential, that the sender (or someone else) keeps a pointer to the sender_map /// else reattach will get a new, empty page, from the OS, or fail. pub fn on_existing_map( - current_sender_map: SH, + shmem_provider: SP, + current_sender_map: SP::Mem, last_msg_recvd_offset: Option, ) -> Result { let mut current_recv_map = LlmpSharedMap::existing(current_sender_map); 
@@ -957,6 +1025,7 @@ where id: 0, current_recv_map, last_msg_recvd, + shmem_provider, }) } @@ -966,7 +1035,7 @@ where unsafe fn recv(&mut self) -> Result, Error> { /* DBG("recv %p %p\n", page, last_msg); */ compiler_fence(Ordering::SeqCst); - let page = self.current_recv_map.page_mut(); + let mut page = self.current_recv_map.page_mut(); let last_msg = self.last_msg_recvd; let current_msg_id = ptr::read_volatile(&(*page).current_msg_id); 
@@ -1004,34 +1073,44 @@ where } LLMP_TAG_END_OF_PAGE => { #[cfg(feature = "std")] - dbg!("Got end of page, allocing next"); + println!("Received end of page, allocating next"); // Handle end of page if (*msg).buf_len < size_of::() as u64 { panic!( - "Illegal message length for EOP (is {}, expected {})", + "Illegal message length for EOP (is {}/{}, expected {})", + (*msg).buf_len, (*msg).buf_len_padded, size_of::() ); } let pageinfo = (*msg).buf.as_mut_ptr() as *mut LlmpPayloadSharedMapInfo; - /* We can reuse the map mem space, no need to free and calloc. - However, the pageinfo points to the map we're about to unmap. - Clone the contents first to be safe (probably fine in rust eitner way). */ + /* The pageinfo points to the map we're about to unmap. + Copy the contents first to be safe (probably fine in rust either way). */ let pageinfo_cpy = *pageinfo; + // Set last msg we received to null (as the map may no longer exist) + self.last_msg_recvd = ptr::null(); + // Mark the old page save to unmap, in case we didn't so earlier. ptr::write_volatile(&mut (*page).save_to_unmap, 1); + // Map the new page. 
The old one should be unmapped by Drop - self.current_recv_map = LlmpSharedMap::existing(SH::existing_from_shm_slice( - &pageinfo_cpy.shm_str, - pageinfo_cpy.map_size, - )?); + self.current_recv_map = + LlmpSharedMap::existing(self.shmem_provider.from_id_and_size( + ShMemId::from_slice(&pageinfo_cpy.shm_str), + pageinfo_cpy.map_size, + )?); + page = self.current_recv_map.page_mut(); // Mark the new page save to unmap also (it's mapped by us, the broker now) ptr::write_volatile(&mut (*page).save_to_unmap, 1); - #[cfg(feature = "std")] - dbg!("Got a new recv map", self.current_recv_map.shmem.shm_str()); + #[cfg(all(feature = "llmp_debug", feature = "std"))] + println!( + "LLMP_DEBUG: Got a new recv map {} with len {:?}", + self.current_recv_map.shmem.id().to_string(), + self.current_recv_map.shmem.len() + ); // After we mapped the new page, return the next message, if available return self.recv(); } @@ -1070,13 +1149,24 @@ where } /// Returns the next message, tag, buf, if avaliable, else None + #[allow(clippy::type_complexity)] #[inline] - pub fn recv_buf(&mut self) -> Result, Error> { + pub fn recv_buf(&mut self) -> Result, Error> { + if let Some((sender, tag, _flags, buf)) = self.recv_buf_with_flags()? { + Ok(Some((sender, tag, buf))) + } else { + Ok(None) + } + } + + #[inline] + pub fn recv_buf_with_flags(&mut self) -> Result, Error> { unsafe { Ok(match self.recv()? { Some(msg) => Some(( (*msg).sender, (*msg).tag, + (*msg).flags, (*msg).as_slice(&mut self.current_recv_map)?, )), None => None, @@ -1086,7 +1176,7 @@ where /// Returns the next sender, tag, buf, looping until it becomes available #[inline] - pub fn recv_buf_blocking(&mut self) -> Result<(u32, u32, &[u8]), Error> { + pub fn recv_buf_blocking(&mut self) -> Result<(u32, Tag, &[u8]), Error> { unsafe { let msg = self.recv_blocking()?; Ok(( 
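Review bot: The end-of-page path now prints `Received end of page, allocating next` unconditionally whenever `std` is enabled, while every other diagnostic in this hunk is gated behind `llmp_debug`, so each page turn on each receiver writes to stdout in ordinary builds. Gate it the same way, `#[cfg(all(feature = "llmp_debug", feature = "std"))] println!("LLMP_DEBUG: Received end of page, allocating next");`. Separately, `pageinfo_cpy.shm_str` and `pageinfo_cpy.map_size` are read from the shared page written by the peer and handed to `from_id_and_size` with no check beyond the `buf_len` test above; a bogus size would presumably surface only as the magic-check panic in `LlmpSharedMap::existing` (hunk -1155), so returning an `Err` for a size smaller than the page header would fail more gracefully. `recv` begins and ends outside this hunk.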
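Review bot: `recv_buf_with_flags` has no doc comment although the sibling `recv_buf` directly above documents its contract, and the `#[allow(clippy::type_complexity)]` was added only to `recv_buf` even though the new function's return tuple is one element larger. Add `/// Returns the next (sender, tag, flags, buf), if available, else None` and the same allow on it. `recv_buf` itself can then be the one-liner `Ok(self.recv_buf_with_flags()?.map(|(sender, tag, _flags, buf)| (sender, tag, buf)))`.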
@@ -1112,9 +1202,13 @@ where } // Create this client on an existing map from the given description. acquired with `self.describe` - pub fn on_existing_from_description(description: &LlmpDescription) -> Result { + pub fn on_existing_from_description( + mut shmem_provider: SP, + description: &LlmpDescription, + ) -> Result { Self::on_existing_map( - SH::existing_from_description(&description.shmem)?, + shmem_provider.clone(), + shmem_provider.from_description(description.shmem)?, description.last_message_offset, ) } @@ -1122,24 +1216,31 @@ where /// A page wrapper #[derive(Clone, Debug)] -pub struct LlmpSharedMap +pub struct LlmpSharedMap where - SH: ShMem, + SHM: ShMem, { /// Shmem containg the actual (unsafe) page, /// shared between one LlmpSender and one LlmpReceiver - pub shmem: SH, + pub shmem: SHM, } // TODO: May be obsolete /// The page struct, placed on a shared mem instance. /// A thin wrapper around a ShMem implementation, with special Llmp funcs -impl LlmpSharedMap +impl LlmpSharedMap where - SH: ShMem, + SHM: ShMem, { /// Creates a new page, initializing the passed shared mem struct - pub fn new(sender: u32, mut new_map: SH) -> Self { + pub fn new(sender: u32, mut new_map: SHM) -> Self { + #[cfg(all(feature = "llmp_debug", feature = "std"))] + println!( + "LLMP_DEBUG: Initializing map on {} with size {}", + new_map.id().to_string(), + new_map.len() + ); + unsafe { _llmp_page_init(&mut new_map, sender, false); } @@ -1147,7 +1248,21 @@ where } /// Maps and wraps an existing - pub fn existing(existing_map: SH) -> Self { + pub fn existing(existing_map: SHM) -> Self { + #[cfg(all(feature = "llmp_debug", feature = "std"))] + //{ + //#[cfg(debug_assertions)] + //let bt = Backtrace::new(); + //#[cfg(not(debug_assertions))] + //let bt = ""; + dbg!( + "LLMP_DEBUG: Using existing map {} with size {}", + existing_map.id().to_string(), + existing_map.len(), + //bt + ); + //} + let ret = Self { shmem: existing_map, }; 
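Review bot: `new_map.id().to_string()` is passed to a `println!` placeholder, which formats an already formatted `String`; if `ShMemId` implements `Display`, pass `new_map.id()` directly (clippy `to_string_in_format_args`), and if it only has an inherent `to_string`, a comment saying so would stop the next reader from "fixing" it. The same construct is in the `recv` debug output of hunk -1004.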
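Review bot: `dbg!` does not take a format string, so `dbg!("LLMP_DEBUG: Using existing map {} with size {}", ...)` prints the literal text with its `{}` placeholders and then each argument separately in `Debug` form; the debug line is garbled. Use `println!` as the sibling `new` in the previous hunk does, and delete the commented-out backtrace scaffolding (`//{`, `//let bt = ...`) instead of leaving it between the `#[cfg]` attribute and the statement it gates — the attribute only reaches the `dbg!` because comments are not items, which is fragile. The same `dbg!("PAGE: {}", *ret.page())` appears in hunk -1155 and additionally dereferences the page by value just to print it; `{:?}` on `&*ret.page()` avoids that.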
@@ -1155,6 +1270,8 @@ where if (*ret.page()).magic != PAGE_INITIALIZED_MAGIC { panic!("Map was not priviously initialized at {:?}", &ret.shmem); } + #[cfg(all(feature = "llmp_debug", feature = "std"))] + dbg!("PAGE: {}", *ret.page()); } ret } @@ -1185,6 +1302,7 @@ where /// Will return IllegalArgument error if msg is not on page. /// # Safety /// This dereferences msg, make sure to pass a proper pointer to it. + #[allow(clippy::cast_sign_loss)] pub unsafe fn msg_to_offset(&self, msg: *const LlmpMsg) -> Result { let page = self.page(); if llmp_msg_in_page(page, msg) { 
@@ -1228,41 +1346,41 @@ where /// Gets this message from this page, at the indicated offset. /// Will return IllegalArgument error if the offset is out of bounds. pub fn msg_from_offset(&mut self, offset: u64) -> Result<*mut LlmpMsg, Error> { + let offset = offset as usize; unsafe { let page = self.page_mut(); let page_size = self.shmem.map().len() - size_of::(); - if offset as isize > page_size as isize { + if offset > page_size { Err(Error::IllegalArgument(format!( "Msg offset out of bounds (size: {}, requested offset: {})", page_size, offset ))) } else { - Ok( - ((*page).messages.as_mut_ptr() as *mut u8).offset(offset as isize) - as *mut LlmpMsg, - ) + Ok(((*page).messages.as_mut_ptr() as *mut u8).add(offset) as *mut LlmpMsg) } } } } /// The broker (node 0) -#[derive(Clone, Debug)] -pub struct LlmpBroker +#[derive(Debug)] +pub struct LlmpBroker where - SH: ShMem, + SP: ShMemProvider + 'static, { /// Broadcast map from broker to all clients - pub llmp_out: LlmpSender, + pub llmp_out: LlmpSender, /// Users of Llmp can add message handlers in the broker. /// This allows us to intercept messages right in the broker /// This keeps the out map clean. - pub llmp_clients: Vec>, + pub llmp_clients: Vec>, /// This is the socket name, when unix domain sockets are used. socket_name: Option, /// This flag is used to indicate that shutdown has been requested by the SIGINT and SIGTERM /// handlers shutting_down: bool, + /// The ShMemProvider to use + shmem_provider: SP, } #[cfg(unix)] @@ -1270,9 +1388,9 @@ pub struct LlmpBrokerSignalHandler { shutting_down: bool, } -#[cfg(all(unix))] +#[cfg(unix)] impl Handler for LlmpBrokerSignalHandler { - fn handle(&mut self, _signal: Signal, _info: siginfo_t, _void: c_void) { + fn handle(&mut self, _signal: Signal, _info: siginfo_t, _context: &mut ucontext_t) { unsafe { ptr::write_volatile(&mut self.shutting_down, true) }; } 
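Review bot: `let offset = offset as usize;` truncates silently on targets where `usize` is narrower than `u64`, and the bounds check below then compares the truncated value, so an offset far beyond the page could pass as in-bounds. Convert fallibly through the existing error path: `let offset = usize::try_from(offset).map_err(|_| Error::IllegalArgument(format!("Msg offset out of bounds (requested offset: {})", offset)))?;` (`TryFrom` may need importing on edition 2018). In the same hunk the struct declares `SP: ShMemProvider + 'static` while the `impl LlmpBroker` block in hunk -1283 bounds only `SP: ShMemProvider`; unless `ShMemProvider` itself implies `'static`, that bound should be stated in one place, on the trait or on both.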
@@ -1283,27 +1401,30 @@ impl Handler for LlmpBrokerSignalHandler { /// The broker forwards all messages to its own bus-like broadcast map. /// It may intercept messages passing through. -impl LlmpBroker +impl LlmpBroker where - SH: ShMem, + SP: ShMemProvider, { /// Create and initialize a new llmp_broker - pub fn new() -> Result { - let broker = LlmpBroker { + pub fn new(mut shmem_provider: SP) -> Result { + Ok(LlmpBroker { llmp_out: LlmpSender { id: 0, last_msg_sent: ptr::null_mut(), - out_maps: vec![LlmpSharedMap::new(0, SH::new_map(new_map_size(0))?)], + out_maps: vec![LlmpSharedMap::new( + 0, + shmem_provider.new_map(new_map_size(0))?, + )], // Broker never cleans up the pages so that new // clients may join at any time keep_pages_forever: true, + shmem_provider: shmem_provider.clone(), }, llmp_clients: vec![], socket_name: None, shutting_down: false, - }; - - Ok(broker) + shmem_provider, + }) } /// Allocate the next message on the outgoing map @@ -1313,7 +1434,7 @@ where /// Registers a new client for the given sharedmap str and size. /// Returns the id of the new client in broker.client_map - pub fn register_client(&mut self, mut client_page: LlmpSharedMap) { + pub fn register_client(&mut self, mut client_page: LlmpSharedMap) { // Tell the client it may unmap this page now. client_page.mark_save_to_unmap(); @@ -1322,6 +1443,7 @@ where id, current_recv_map: client_page, last_msg_recvd: ptr::null_mut(), + shmem_provider: self.shmem_provider.clone(), }); } 
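Review bot: `new` keeps one `shmem_provider` on the broker and a `clone()` in `llmp_out`, and `register_client` (hunk -1322) clones it again per client; for `ServedShMemProvider` every clone is a new socket connection plus a `Hello` round trip that `unwrap`s, which is not obvious from this call site. The `/// The ShMemProvider to use` comment on the field should say that it is cloned once per sender and receiver, so a provider's `Clone` needs to be cheap and must not fail.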
@@ -1333,7 +1455,8 @@ where If we should need zero copy, we could instead post a link to the original msg with the map_id and offset. */ let actual_size = (*out).buf_len_padded; - msg.copy_to_nonoverlapping(out, size_of::() + (*msg).buf_len_padded as usize); + let complete_size = actual_size as usize + size_of::(); + (msg as *const u8).copy_to_nonoverlapping(out as *mut u8, complete_size); (*out).buf_len_padded = actual_size; /* We need to replace the message ID with our own */ if let Err(e) = self.llmp_out.send(out) { @@ -1348,7 +1471,7 @@ where #[inline] pub fn once(&mut self, on_new_msg: &mut F) -> Result<(), Error> where - F: FnMut(u32, Tag, &[u8]) -> Result, + F: FnMut(u32, Tag, Flag, &[u8]) -> Result, { compiler_fence(Ordering::SeqCst); for i in 0..self.llmp_clients.len() { @@ -1362,6 +1485,7 @@ where /// Internal function, returns true when shuttdown is requested by a `SIGINT` signal #[inline] #[cfg(unix)] + #[allow(clippy::unused_self)] fn is_shutting_down(&self) -> bool { unsafe { ptr::read_volatile(&GLOBAL_SIGHANDLER_STATE.shutting_down) } } @@ -1378,7 +1502,7 @@ where /// 5 millis of sleep can't hurt to keep busywait not at 100% pub fn loop_forever(&mut self, on_new_msg: &mut F, sleep_time: Option) where - F: FnMut(u32, Tag, &[u8]) -> Result, + F: FnMut(u32, Tag, Flag, &[u8]) -> Result, { #[cfg(unix)] if let Err(_e) = unsafe { setup_signal_handler(&mut GLOBAL_SIGHANDLER_STATE) } { @@ -1415,6 +1539,10 @@ where self.llmp_out.send_buf(tag, buf) } + pub fn send_buf_with_flags(&mut self, tag: Tag, flags: Flag, buf: &[u8]) -> Result<(), Error> { + self.llmp_out.send_buf_with_flags(tag, flags, buf) + } + #[cfg(feature = "std")] /// Launches a thread using a tcp listener socket, on which new clients may connect to this broker /// Does so on the given port. 
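Review bot: The forwarding copy now takes its length from `(*out).buf_len_padded`, the freshly allocated message, instead of from the source `(*msg).buf_len_padded` as before; if the allocation above sizes `out` from the source field the two agree, but nothing in the hunk ties them together. A `debug_assert_eq!(actual_size, (*msg).buf_len_padded);` before the copy would catch a mismatch in test builds, and a one-line comment on why the length is read back from `out` (the header copy overwrites it, hence the restore on the next line) would help the next reader. The enclosing forwarding function starts outside this hunk.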
@@ -1434,132 +1562,78 @@ where // to read from the initial map id. let client_out_map_mem = &self.llmp_out.out_maps.first().unwrap().shmem; - let broadcast_str_initial = *client_out_map_mem.shm_slice(); + let broadcast_map_description = postcard::to_allocvec(&client_out_map_mem.description())?; + + let mut incoming_map_description_serialized = vec![0u8; broadcast_map_description.len()]; let llmp_tcp_id = self.llmp_clients.len() as u32; // Tcp out map sends messages from background thread tcp server to foreground client let tcp_out_map = LlmpSharedMap::new( llmp_tcp_id, - SH::new_map(new_map_size(LLMP_CFG_INITIAL_MAP_SIZE))?, + self.shmem_provider.new_map(LLMP_CFG_INITIAL_MAP_SIZE)?, ); - let tcp_out_map_str = tcp_out_map.shmem.shm_str(); - let tcp_out_map_size = tcp_out_map.shmem.map().len(); + let shmem_id = tcp_out_map.shmem.id(); + let tcp_out_map_str = *shmem_id.as_slice(); + let tcp_out_map_size = tcp_out_map.shmem.len(); self.register_client(tcp_out_map); + let mut shmem_provider_clone = self.shmem_provider.clone(); + Ok(thread::spawn(move || { + shmem_provider_clone.post_fork(); + // Clone so we get a new connection to the AshmemServer if we are using + // ServedShMemProvider let mut new_client_sender = LlmpSender { id: 0, last_msg_sent: ptr::null_mut(), out_maps: vec![LlmpSharedMap::existing( - SH::existing_from_shm_str(&tcp_out_map_str, tcp_out_map_size).unwrap(), + shmem_provider_clone + .from_id_and_size(ShMemId::from_slice(&tcp_out_map_str), tcp_out_map_size) + .unwrap(), )], // drop pages to the broker if it already read them keep_pages_forever: false, + shmem_provider: shmem_provider_clone.clone(), }; loop { match listener.accept() { ListenerStream::Tcp(mut stream, addr) => { dbg!("New connection", addr, stream.peer_addr().unwrap()); - match stream.write(&broadcast_str_initial) { + match stream.write(&broadcast_map_description) { Ok(_) => {} // fire & forget Err(e) => { dbg!("Could not send to shmap to client", e); continue; } }; - let mut 
new_client_map_str: [u8; 20] = Default::default(); - match stream.read_exact(&mut new_client_map_str) { + match stream.read_exact(&mut incoming_map_description_serialized) { Ok(()) => (), Err(e) => { dbg!("Ignoring failed read from client", e); continue; } }; - unsafe { - let msg = new_client_sender - .alloc_next(size_of::()) - .expect("Could not allocate a new message in shared map."); - (*msg).tag = LLMP_TAG_NEW_SHM_CLIENT; - let pageinfo = (*msg).buf.as_mut_ptr() as *mut LlmpPayloadSharedMapInfo; - (*pageinfo).shm_str = new_client_map_str; - (*pageinfo).map_size = LLMP_CFG_INITIAL_MAP_SIZE; - match new_client_sender.send(msg) { - Ok(()) => (), - Err(e) => println!("Error forwarding client on map: {:?}", e), - }; + if let Ok(incoming_map_description) = postcard::from_bytes::( + &incoming_map_description_serialized, + ) { + unsafe { + let msg = new_client_sender + .alloc_next(size_of::()) + .expect("Could not allocate a new message in shared map."); + (*msg).tag = LLMP_TAG_NEW_SHM_CLIENT; + let pageinfo = + (*msg).buf.as_mut_ptr() as *mut LlmpPayloadSharedMapInfo; + (*pageinfo).shm_str = *incoming_map_description.id.as_slice(); + (*pageinfo).map_size = incoming_map_description.size; + match new_client_sender.send(msg) { + Ok(()) => (), + Err(e) => println!("Error forwarding client on map: {:?}", e), + }; + } } } - #[cfg(unix)] - ListenerStream::Unix(stream, addr) => unsafe { - dbg!("New connection", addr); - - let broadcast_fd_initial: i32 = - CStr::from_ptr(broadcast_str_initial.as_ptr() as *const c_char) - .to_string_lossy() - .into_owned() - .parse() - .unwrap_or_else(|_| { - panic!( - "ShmId is not a valid int file descriptor: {:?}", - broadcast_str_initial - ) - }); - - match sendmsg( - stream.as_raw_fd(), - &[IoVec::from_slice(b"\x00")], - &[ControlMessage::ScmRights(&[broadcast_fd_initial])], - MsgFlags::empty(), - None, - ) { - Ok(_) => {} - Err(err) => { - dbg!("Error sending fd over stream: {}", err); - continue; - } - }; - - let mut buf = [0u8; 5]; - 
let mut cmsgspace = cmsg_space!([RawFd; 1]); - let msg = recvmsg( - stream.as_raw_fd(), - &[IoVec::from_mut_slice(&mut buf[..])], - Some(&mut cmsgspace), - MsgFlags::empty(), - ) - .unwrap(); - - for cmsg in msg.cmsgs() { - if let ControlMessageOwned::ScmRights(fds) = cmsg { - for fd in fds { - let mut fdstr = [0u8; 20]; - match write!(&mut fdstr[..], "{}", fd) { - Ok(_) => {} - Err(_) => { - dbg!("error converting fd to string"); - } - } - - let msg = new_client_sender - .alloc_next(size_of::()) - .expect("Could not allocate a new message in shared map."); - (*msg).tag = LLMP_TAG_NEW_SHM_CLIENT; - let pageinfo = - (*msg).buf.as_mut_ptr() as *mut LlmpPayloadSharedMapInfo; - (*pageinfo).shm_str = fdstr; - (*pageinfo).map_size = LLMP_CFG_INITIAL_MAP_SIZE; - match new_client_sender.send(msg) { - Ok(()) => (), - Err(e) => { - println!("Error forwarding client on map: {:?}", e) - } - }; - } - } - } - }, ListenerStream::Empty() => { continue; } @@ -1572,7 +1646,7 @@ where #[inline] unsafe fn handle_new_msgs(&mut self, client_id: u32, on_new_msg: &mut F) -> Result<(), Error> where - F: FnMut(u32, Tag, &[u8]) -> Result, + F: FnMut(u32, Tag, Flag, &[u8]) -> Result, { let mut next_id = self.llmp_clients.len() as u32; @@ -1606,7 +1680,10 @@ where } else { let pageinfo = (*msg).buf.as_mut_ptr() as *mut LlmpPayloadSharedMapInfo; - match SH::existing_from_shm_slice(&(*pageinfo).shm_str, (*pageinfo).map_size) { + match self.shmem_provider.from_id_and_size( + ShMemId::from_slice(&(*pageinfo).shm_str), + (*pageinfo).map_size, + ) { Ok(new_map) => { let mut new_page = LlmpSharedMap::existing(new_map); let id = next_id; @@ -1616,6 +1693,7 @@ where id, current_recv_map: new_page, last_msg_recvd: ptr::null_mut(), + shmem_provider: self.shmem_provider.clone(), }); } Err(e) => { 
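Review bot: `incoming_map_description_serialized` is sized to `broadcast_map_description.len()`, so the listener assumes the client's serialized `ShMemDescription` is exactly as long as the broker's own; postcard encodes integers as varints, hence two descriptions whose `size` fields differ in magnitude serialize to different lengths, and `read_exact` would then block on a short message or leave a tail unread, after which `from_bytes` fails and the `if let Ok` silently drops the client. The mirror assumption sits on the client side in `create_attach_to_tcp` (hunk -1833), which sizes its read buffer from a dummy description with `size: 0`. Prefix the description with its length, as `ServedShMemProvider::send_receive` in the new `ashmem_server.rs` already does with a big-endian `u32` header, and read header then body on both ends. The description also comes from whichever TCP peer reaches the listener, and the size it names is later used as-is by `from_id_and_size` in `handle_new_msgs` (hunk -1606), so a sanity bound before mapping is worth adding.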
@@ -1635,7 +1713,9 @@ where let map = &mut self.llmp_clients[client_id as usize].current_recv_map; let msg_buf = (*msg).as_slice(map)?; - if let LlmpMsgHookResult::Handled = (on_new_msg)(client_id, (*msg).tag, msg_buf)? { + if let LlmpMsgHookResult::Handled = + (on_new_msg)(client_id, (*msg).tag, (*msg).flags, msg_buf)? + { should_forward_msg = false }; if should_forward_msg { @@ -1646,24 +1726,6 @@ where } } -#[cfg(feature = "std")] -impl Drop for LlmpBroker -where - SH: ShMem, -{ - fn drop(&mut self) { - match &self.socket_name { - Some(name) => match fs::remove_file(&name) { - Ok(_) => {} - Err(err) => { - dbg!("failed to close socket: {}", err); - } - }, - None => {} - } - } -} - /// A restorable client description #[derive(Clone, Copy, Debug, Serialize, Deserialize)] pub struct LlmpClientDescription { 
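Review bot: With the `Drop` impl removed, nothing in this diff deletes the unix socket file named by `socket_name` any more, yet the field is kept on `LlmpBroker` (hunk -1228); if the unix listener path went away with it (the `ListenerStream::Unix` arm is deleted in hunk -1434) the field is now dead and should go too, otherwise the cleanup needs a new home. Either way the field comment `/// This is the socket name, when unix domain sockets are used.` no longer describes live behaviour.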
@@ -1674,44 +1736,63 @@ pub struct LlmpClientDescription { } /// Client side of LLMP -#[derive(Clone, Debug)] -pub struct LlmpClient +#[derive(Debug)] +pub struct LlmpClient where - SH: ShMem, + SP: ShMemProvider, { + shmem_provider: SP, /// Outgoing channel to the broker - pub sender: LlmpSender, + pub sender: LlmpSender, /// Incoming (broker) broadcast map - pub receiver: LlmpReceiver, + pub receiver: LlmpReceiver, } /// `n` clients connect to a broker. They share an outgoing map with the broker, /// and get incoming messages from the shared broker bus -impl LlmpClient +impl LlmpClient where - SH: ShMem, + SP: ShMemProvider, { /// Reattach to a vacant client map. /// It is essential, that the broker (or someone else) kept a pointer to the out_map /// else reattach will get a new, empty page, from the OS, or fail + #[allow(clippy::needless_pass_by_value)] pub fn on_existing_map( - current_out_map: SH, - last_msg_sent_offset: Option, - current_broker_map: SH, + shmem_provider: SP, + _current_out_map: SP::Mem, + _last_msg_sent_offset: Option, + current_broker_map: SP::Mem, last_msg_recvd_offset: Option, ) -> Result { Ok(Self { - receiver: LlmpReceiver::on_existing_map(current_broker_map, last_msg_recvd_offset)?, - sender: LlmpSender::on_existing_map(current_out_map, last_msg_sent_offset)?, + receiver: LlmpReceiver::on_existing_map( + shmem_provider.clone(), + current_broker_map.clone(), + last_msg_recvd_offset, + )?, + sender: LlmpSender::on_existing_map( + shmem_provider.clone(), + current_broker_map, + last_msg_recvd_offset, + )?, + shmem_provider, }) } /// Recreate this client from a previous client.to_env #[cfg(feature = "std")] - pub fn on_existing_from_env(env_name: &str) -> Result { + pub fn on_existing_from_env(shmem_provider: SP, env_name: &str) -> Result { Ok(Self { - sender: LlmpSender::on_existing_from_env(&format!("{}_SENDER", env_name))?, - receiver: LlmpReceiver::on_existing_from_env(&format!("{}_RECEIVER", env_name))?, + sender: 
LlmpSender::on_existing_from_env( + shmem_provider.clone(), + &format!("{}_SENDER", env_name), + )?, + receiver: LlmpReceiver::on_existing_from_env( + shmem_provider.clone(), + &format!("{}_RECEIVER", env_name), + )?, + shmem_provider, }) } @@ -1733,11 +1814,19 @@ where /// Create an existing client from description fn existing_client_from_description( + shmem_provider: SP, description: &LlmpClientDescription, ) -> Result { Ok(Self { - sender: LlmpSender::on_existing_from_description(&description.sender)?, - receiver: LlmpReceiver::on_existing_from_description(&description.receiver)?, + sender: LlmpSender::on_existing_from_description( + shmem_provider.clone(), + &description.sender, + )?, + receiver: LlmpReceiver::on_existing_from_description( + shmem_provider.clone(), + &description.receiver, + )?, + shmem_provider, }) } @@ -1753,24 +1842,29 @@ where } /// Creates a new LlmpClient - pub fn new(initial_broker_map: LlmpSharedMap) -> Result { + pub fn new( + mut shmem_provider: SP, + initial_broker_map: LlmpSharedMap, + ) -> Result { Ok(Self { sender: LlmpSender { id: 0, last_msg_sent: ptr::null_mut(), - out_maps: vec![LlmpSharedMap::new( - 0, - SH::new_map(new_map_size(LLMP_CFG_INITIAL_MAP_SIZE))?, - )], + out_maps: vec![LlmpSharedMap::new(0, { + shmem_provider.new_map(LLMP_CFG_INITIAL_MAP_SIZE)? + })], // drop pages to the broker if it already read them keep_pages_forever: false, + shmem_provider: shmem_provider.clone(), }, receiver: LlmpReceiver { id: 0, current_recv_map: initial_broker_map, last_msg_recvd: ptr::null_mut(), + shmem_provider: shmem_provider.clone(), }, + shmem_provider, }) } @@ -1786,6 +1880,10 @@ where self.sender.send_buf(tag, buf) } + pub fn send_buf_with_flags(&mut self, tag: Tag, flags: Flag, buf: &[u8]) -> Result<(), Error> { + self.sender.send_buf_with_flags(tag, flags, buf) + } + /// Informs the broker about a new client in town, with the given map id pub fn send_client_added_msg( &mut self, 
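Review bot: `LlmpClient::on_existing_map` now builds the `sender` from `current_broker_map.clone()` and `last_msg_recvd_offset`, attaching the client's outgoing channel to the broker's broadcast map, while the real out map and its offset arrive as `_current_out_map` and `_last_msg_sent_offset` and are discarded; a reattached client would presumably write into the page it is only meant to read, and the `#[allow(clippy::needless_pass_by_value)]` exists only to silence the two unused owned parameters. Drop the underscores and pass them through, `sender: LlmpSender::on_existing_map(shmem_provider.clone(), current_out_map, last_msg_sent_offset)?`, which also removes the `clone()` on `current_broker_map` and the allow. The docstring above the function still describes the out_map reattachment that the body no longer performs.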
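Review bot: The braces around `shmem_provider.new_map(LLMP_CFG_INITIAL_MAP_SIZE)?` in `out_maps` form a no-op block; write `LlmpSharedMap::new(0, shmem_provider.new_map(LLMP_CFG_INITIAL_MAP_SIZE)?)` directly. The size also no longer goes through `new_map_size(...)` here and in the tcp listener (hunk -1434), while `LlmpBroker::new` (hunk -1283) still calls `new_map_size(0)`; if that wrapper adds the page header to the requested size, the client and listener maps are now smaller by that amount, so either all three should use it or none.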
@@ -1833,109 +1931,56 @@ where } /// Returns the next message, tag, buf, if avaliable, else None + #[allow(clippy::type_complexity)] #[inline] - pub fn recv_buf(&mut self) -> Result, Error> { + pub fn recv_buf(&mut self) -> Result, Error> { self.receiver.recv_buf() } /// Receives a buf from the broker, looping until a messages becomes avaliable #[inline] - pub fn recv_buf_blocking(&mut self) -> Result<(u32, u32, &[u8]), Error> { + pub fn recv_buf_blocking(&mut self) -> Result<(u32, Tag, &[u8]), Error> { self.receiver.recv_buf_blocking() } + pub fn recv_buf_with_flags(&mut self) -> Result, Error> { + self.receiver.recv_buf_with_flags() + } + #[cfg(feature = "std")] /// Creates a new LlmpClient, reading the map id and len from env - pub fn create_using_env(env_var: &str) -> Result { - Self::new(LlmpSharedMap::existing(SH::existing_from_env(env_var)?)) + pub fn create_using_env(mut shmem_provider: SP, env_var: &str) -> Result { + let map = LlmpSharedMap::existing(shmem_provider.existing_from_env(env_var)?); + Self::new(shmem_provider, map) } #[cfg(feature = "std")] /// Create a LlmpClient, getting the ID from a given port - pub fn create_attach_to_tcp(port: u16) -> Result { + pub fn create_attach_to_tcp(mut shmem_provider: SP, port: u16) -> Result { let mut stream = TcpStream::connect(format!("127.0.0.1:{}", port))?; println!("Connected to port {}", port); - let mut new_broker_map_str: [u8; 20] = Default::default(); + // First, get the serialized description size by serializing a dummy. 
+ let dummy_description = ShMemDescription { + size: 0, + id: ShMemId::default(), + }; + let mut new_broker_map_str = postcard::to_allocvec(&dummy_description)?; + stream.read_exact(&mut new_broker_map_str)?; - let ret = Self::new(LlmpSharedMap::existing(SH::existing_from_shm_slice( - &new_broker_map_str, - LLMP_CFG_INITIAL_MAP_SIZE, - )?))?; + let broker_map_description: ShMemDescription = postcard::from_bytes(&new_broker_map_str)?; - stream.write_all(ret.sender.out_maps.first().unwrap().shmem.shm_slice())?; + let map = LlmpSharedMap::existing(shmem_provider.from_description(broker_map_description)?); + let ret = Self::new(shmem_provider, map)?; + + let own_map_description_bytes = + postcard::to_allocvec(&ret.sender.out_maps.first().unwrap().shmem.description())?; + stream.write_all(&own_map_description_bytes)?; Ok(ret) } } -/// `n` clients connect to a broker. They share an outgoing map with the broker, -/// and get incoming messages from the shared broker bus -/// If the Shm has a fd, we can attach to it. 
-impl LlmpClient -where - SH: ShMem + HasFd, -{ - #[cfg(all(unix, feature = "std"))] - /// Create a LlmpClient, getting the ID from a given filename - pub fn create_attach_to_unix(filename: &str) -> Result { - let stream = UnixStream::connect_to_unix_addr(&UnixSocketAddr::new(filename).unwrap())?; - println!("Connected to socket {}", filename); - - let mut buf = [0u8; 5]; - let mut cmsgspace = cmsg_space!([RawFd; 1]); - let msg = recvmsg( - stream.as_raw_fd(), - &[IoVec::from_mut_slice(&mut buf[..])], - Some(&mut cmsgspace), - MsgFlags::empty(), - ) - .unwrap(); - - for cmsg in msg.cmsgs() { - if let ControlMessageOwned::ScmRights(fds) = cmsg { - for fd in fds { - let mut fdstr = [0u8; 20]; - match write!(&mut fdstr[..], "{}", fd) { - Ok(_) => {} - Err(_) => { - dbg!("error converting fd to string"); - } - } - - let ret = Self::new(LlmpSharedMap::existing(SH::existing_from_shm_slice( - &fdstr, - LLMP_CFG_INITIAL_MAP_SIZE, - )?))?; - - match sendmsg( - stream.as_raw_fd(), - &[IoVec::from_slice(b"\x00")], - &[ControlMessage::ScmRights(&[ret - .sender - .out_maps - .first() - .unwrap() - .shmem - .shm_id()])], - MsgFlags::empty(), - None, - ) { - Ok(_) => {} - Err(err) => { - dbg!("Error sending fd over stream {}", err); - continue; - } - }; - return Ok(ret); - } - } - } - - panic!("Didn't receive a file descriptor from the broker!"); - } -} - #[cfg(test)] #[cfg(all(unix, feature = "std"))] mod tests { 
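Review bot: `recv_buf_with_flags` on `LlmpClient` is the only forwarding wrapper in this impl without a doc comment and `#[inline]`, whereas `recv_buf` and `recv_buf_blocking` beside it carry both. Add `/// Returns the next (sender, tag, flags, buf) from the broker, if available, else None` and `#[inline]` for consistency. In `create_attach_to_tcp`, the comment `// First, get the serialized description size by serializing a dummy.` describes the mechanism but not the assumption it rests on; it should say that the broker's description is expected to serialize to the same length as the dummy, since `read_exact` depends on it.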
@@ -1949,17 +1994,18 @@ mod tests { Tag, }; - use crate::bolts::shmem::UnixShMem; + use crate::bolts::shmem::{ShMemProvider, StdShMemProvider}; #[test] pub fn llmp_connection() { - let mut broker = match LlmpConnection::::on_port(1337).unwrap() { + let shmem_provider = StdShMemProvider::new().unwrap(); + let mut broker = match LlmpConnection::on_port(shmem_provider.clone(), 1337).unwrap() { IsClient { client: _ } => panic!("Could not bind to port as broker"), IsBroker { broker } => broker, }; // Add the first client (2nd, actually, because of the tcp listener client) - let mut client = match LlmpConnection::::on_port(1337).unwrap() { + let mut client = match LlmpConnection::on_port(shmem_provider.clone(), 1337).unwrap() { IsBroker { broker: _ } => panic!("Second connect should be a client!"), IsClient { client } => client, }; @@ -1967,7 +2013,7 @@ mod tests { // Give the (background) tcp thread a few millis to post the message sleep(Duration::from_millis(100)); broker - .once(&mut |_sender_id, _tag, _msg| Ok(ForwardToClients)) + .once(&mut |_sender_id, _tag, _flags, _msg| Ok(ForwardToClients)) .unwrap(); let tag: Tag = 0x1337; @@ -1976,6 +2022,7 @@ mod tests { client.send_buf(tag, &arr).unwrap(); client.to_env("_ENV_TEST").unwrap(); + #[cfg(all(feature = "llmp_debug", feature = "std"))] dbg!(std::env::vars()); for (key, value) in std::env::vars_os() { @@ -1983,13 +2030,13 @@ mod tests { } /* recreate the client from env, check if it still works */ - client = LlmpClient::::on_existing_from_env("_ENV_TEST").unwrap(); + client = LlmpClient::on_existing_from_env(shmem_provider, "_ENV_TEST").unwrap(); client.send_buf(tag, &arr).unwrap(); // Forward stuff to clients broker - .once(&mut |_sender_id, _tag, _msg| Ok(ForwardToClients)) + .once(&mut |_sender_id, _tag, _flags, _msg| Ok(ForwardToClients)) .unwrap(); let (_sender_id, tag2, arr2) = client.recv_buf_blocking().unwrap(); assert_eq!(tag, tag2); 
diff --git a/libafl/src/bolts/mod.rs b/libafl/src/bolts/mod.rs index 86c761710b..62c8830b95 100644 --- a/libafl/src/bolts/mod.rs +++ b/libafl/src/bolts/mod.rs @@ -1,6 +1,10 @@ //! Bolts are no conceptual fuzzing elements, but they keep libafl-based fuzzers together. pub mod bindings; + +#[cfg(feature = "llmp_compression")] +pub mod compress; + pub mod llmp; pub mod os; pub mod ownedref; diff --git a/libafl/src/bolts/os/ashmem_server.rs b/libafl/src/bolts/os/ashmem_server.rs new file mode 100644 index 0000000000..03d3f77e63 --- /dev/null +++ b/libafl/src/bolts/os/ashmem_server.rs 
@@ -0,0 +1,436 @@ +/*! +On Android, we can only share maps between processes by serializing fds over sockets. +Hence, the `ashmem_server` keeps track of existing maps, creates new maps for clients, +and forwards them over unix domain sockets. +*/ + +use crate::{ + bolts::shmem::{ + unix_shmem::ashmem::{AshmemShMem, AshmemShMemProvider}, + ShMem, ShMemDescription, ShMemId, ShMemProvider, + }, + Error, +}; +use core::mem::ManuallyDrop; +use hashbrown::HashMap; +use serde::{Deserialize, Serialize}; +use std::{ + cell::RefCell, + io::{Read, Write}, + rc::Rc, + sync::{Arc, Condvar, Mutex}, +}; + +#[cfg(all(feature = "std", unix))] +use nix::poll::{poll, PollFd, PollFlags}; + +#[cfg(all(feature = "std", unix))] +use std::{ + os::unix::{ + io::{AsRawFd, RawFd}, + net::{UnixListener, UnixStream}, + }, + thread, +}; + +#[cfg(all(unix, feature = "std"))] +use uds::{UnixListenerExt, UnixSocketAddr, UnixStreamExt}; + +const ASHMEM_SERVER_NAME: &str = "@ashmem_server"; + +#[derive(Debug)] +pub struct ServedShMemProvider { + stream: UnixStream, + inner: AshmemShMemProvider, + id: i32, +} + +#[derive(Clone, Debug)] +pub struct ServedShMem { + inner: ManuallyDrop, + server_fd: i32, +} + +impl ShMem for ServedShMem { + fn id(&self) -> ShMemId { + let client_id = self.inner.id(); + ShMemId::from_string(&format!("{}:{}", self.server_fd, client_id.to_string())) + } + + fn len(&self) -> usize { + self.inner.len() + } + + fn map(&self) -> &[u8] { + self.inner.map() + } + + fn map_mut(&mut self) -> &mut [u8] { + self.inner.map_mut() + } +} + +impl ServedShMemProvider { + /// Send a request to the server, and wait for a response + #[allow(clippy::similar_names)] // id and fd + fn send_receive(&mut self, request: AshmemRequest) -> (i32, i32) { + let body = postcard::to_allocvec(&request).unwrap(); + + let header = (body.len() as u32).to_be_bytes(); + let mut message = header.to_vec(); + message.extend(body); + + self.stream + .write_all(&message) + .expect("Failed to send message"); + + 
let mut shm_slice = [0u8; 20]; + let mut fd_buf = [-1; 1]; + self.stream + .recv_fds(&mut shm_slice, &mut fd_buf) + .expect("Did not receive a response"); + + let server_id = ShMemId::from_slice(&shm_slice); + let server_id_str = server_id.to_string(); + let server_fd: i32 = server_id_str.parse().unwrap(); + (server_fd, fd_buf[0]) + } +} + +impl Default for ServedShMemProvider { + fn default() -> Self { + Self::new().unwrap() + } +} + +impl Clone for ServedShMemProvider { + fn clone(&self) -> Self { + Self::new().unwrap() + } +} + +impl ShMemProvider for ServedShMemProvider { + type Mem = ServedShMem; + + /// Connect to the server and return a new ServedShMemProvider + fn new() -> Result { + let mut res = Self { + stream: UnixStream::connect_to_unix_addr( + &UnixSocketAddr::new(ASHMEM_SERVER_NAME).unwrap(), + )?, + inner: AshmemShMemProvider::new()?, + id: -1, + }; + let (id, _) = res.send_receive(AshmemRequest::Hello(None)); + res.id = id; + Ok(res) + } + fn new_map(&mut self, map_size: usize) -> Result { + let (server_fd, client_fd) = self.send_receive(AshmemRequest::NewMap(map_size)); + + Ok(ServedShMem { + inner: ManuallyDrop::new( + self.inner + .from_id_and_size(ShMemId::from_string(&format!("{}", client_fd)), map_size)?, + ), + server_fd, + }) + } + + fn from_id_and_size(&mut self, id: ShMemId, size: usize) -> Result { + let parts = id.to_string().split(':').collect::>(); + let server_id_str = parts.get(0).unwrap(); + let (server_fd, client_fd) = self.send_receive(AshmemRequest::ExistingMap( + ShMemDescription::from_string_and_size(server_id_str, size), + )); + Ok(ServedShMem { + inner: ManuallyDrop::new( + self.inner + .from_id_and_size(ShMemId::from_string(&format!("{}", client_fd)), size)?, + ), + server_fd, + }) + } + + fn post_fork(&mut self) { + self.stream = + UnixStream::connect_to_unix_addr(&UnixSocketAddr::new(ASHMEM_SERVER_NAME).unwrap()) + .expect("Unable to reconnect to the ashmem service"); + let (id, _) = 
self.send_receive(AshmemRequest::Hello(Some(self.id))); + self.id = id; + } + + fn release_map(&mut self, map: &mut Self::Mem) { + let (refcount, _) = self.send_receive(AshmemRequest::Deregister(map.server_fd)); + if refcount == 0 { + unsafe { + ManuallyDrop::drop(&mut map.inner); + } + } + } +} + +/// A request sent to the ShMem server to receive a fd to a shared map +#[derive(Copy, Clone, Debug, Serialize, Deserialize)] +pub enum AshmemRequest { + /// Register a new map with a given size. + NewMap(usize), + /// Another client already has a map with this description mapped. + ExistingMap(ShMemDescription), + /// A client tells us it unregisters the previously allocated map + Deregister(i32), + /// A message that tells us hello, and optionally which other client we were created from, we + /// return a client id. + Hello(Option), +} + +#[derive(Debug)] +struct AshmemClient { + stream: UnixStream, + maps: HashMap>>>, +} + +impl AshmemClient { + fn new(stream: UnixStream) -> Self { + Self { + stream, + maps: HashMap::new(), + } + } +} + +#[derive(Debug)] +pub struct AshmemService { + provider: AshmemShMemProvider, + clients: HashMap, + all_maps: HashMap>>, +} + +#[derive(Debug)] +enum AshmemResponse { + Mapping(Rc>), + Id(i32), + RefCount(u32), +} + +impl AshmemService { + /// Create a new AshMem service + fn new() -> Result { + Ok(AshmemService { + provider: AshmemShMemProvider::new()?, + clients: HashMap::new(), + all_maps: HashMap::new(), + }) + } + + /// Read and handle the client request, send the answer over unix fd. 
+ fn handle_request(&mut self, client_id: RawFd) -> Result { + let request = self.read_request(client_id)?; + + //println!("got ashmem client: {}, request:{:?}", client_id, request); + // Handle the client request + let response = match request { + AshmemRequest::Hello(other_id) => { + if let Some(other_id) = other_id { + if other_id != client_id { + // remove temporarily + let other_client = self.clients.remove(&other_id); + let client = self.clients.get_mut(&client_id).unwrap(); + for (id, map) in other_client.as_ref().unwrap().maps.iter() { + client.maps.insert(*id, map.clone()); + } + self.clients.insert(other_id, other_client.unwrap()); + } + }; + Ok(AshmemResponse::Id(client_id)) + } + AshmemRequest::NewMap(map_size) => Ok(AshmemResponse::Mapping(Rc::new(RefCell::new( + self.provider.new_map(map_size)?, + )))), + AshmemRequest::ExistingMap(description) => { + let client = self.clients.get_mut(&client_id).unwrap(); + if client.maps.contains_key(&description.id.to_int()) { + Ok(AshmemResponse::Mapping( + client + .maps + .get_mut(&description.id.to_int()) + .as_mut() + .unwrap() + .first() + .as_mut() + .unwrap() + .clone(), + )) + } else if self.all_maps.contains_key(&description.id.to_int()) { + Ok(AshmemResponse::Mapping( + self.all_maps + .get_mut(&description.id.to_int()) + .unwrap() + .clone(), + )) + } else { + let new_rc = + Rc::new(RefCell::new(self.provider.from_description(description)?)); + self.all_maps + .insert(description.id.to_int(), new_rc.clone()); + Ok(AshmemResponse::Mapping(new_rc)) + } + } + AshmemRequest::Deregister(map_id) => { + let client = self.clients.get_mut(&client_id).unwrap(); + let map = client.maps.entry(map_id).or_default().pop().unwrap(); + Ok(AshmemResponse::RefCount(Rc::strong_count(&map) as u32)) + } + }; + //println!("send ashmem client: {}, response: {:?}", client_id, &response); + + response + } + + fn read_request(&mut self, client_id: RawFd) -> Result { + let client = self.clients.get_mut(&client_id).unwrap(); + + // 
Always receive one be u32 of size, then the command. + let mut size_bytes = [0u8; 4]; + client.stream.read_exact(&mut size_bytes)?; + let size = u32::from_be_bytes(size_bytes); + let mut bytes = vec![]; + bytes.resize(size as usize, 0u8); + client + .stream + .read_exact(&mut bytes) + .expect("Failed to read message body"); + let request: AshmemRequest = postcard::from_bytes(&bytes)?; + + Ok(request) + } + fn handle_client(&mut self, client_id: RawFd) -> Result<(), Error> { + let response = self.handle_request(client_id)?; + + match response { + AshmemResponse::Mapping(mapping) => { + let id = mapping.borrow().id(); + let server_fd: i32 = id.to_string().parse().unwrap(); + let client = self.clients.get_mut(&client_id).unwrap(); + client + .stream + .send_fds(&id.to_string().as_bytes(), &[server_fd])?; + client.maps.entry(server_fd).or_default().push(mapping); + } + AshmemResponse::Id(id) => { + let client = self.clients.get_mut(&client_id).unwrap(); + client.stream.send_fds(&id.to_string().as_bytes(), &[])?; + } + AshmemResponse::RefCount(refcount) => { + let client = self.clients.get_mut(&client_id).unwrap(); + client + .stream + .send_fds(&refcount.to_string().as_bytes(), &[])?; + } + } + Ok(()) + } + + /// Create a new AshmemService, then listen and service incoming connections in a new thread. + pub fn start() -> Result>, Error> { + #[allow(clippy::mutex_atomic)] + let syncpair = Arc::new((Mutex::new(false), Condvar::new())); + let childsyncpair = Arc::clone(&syncpair); + let join_handle = + thread::spawn(move || Self::new()?.listen(ASHMEM_SERVER_NAME, &childsyncpair)); + + let (lock, cvar) = &*syncpair; + let mut started = lock.lock().unwrap(); + while !*started { + started = cvar.wait(started).unwrap(); + } + + Ok(join_handle) + } + + /// Listen on a filename (or abstract name) for new connections and serve them. This function + /// should not return. 
+ fn listen( + &mut self, + filename: &str, + syncpair: &Arc<(Mutex, Condvar)>, + ) -> Result<(), Error> { + let listener = if let Ok(listener) = + UnixListener::bind_unix_addr(&UnixSocketAddr::new(filename)?) + { + listener + } else { + let (lock, cvar) = &**syncpair; + *lock.lock().unwrap() = true; + cvar.notify_one(); + return Err(Error::Unknown( + "The server appears to already be running. We are probably a client".to_string(), + )); + }; + let mut poll_fds: Vec = vec![PollFd::new( + listener.as_raw_fd(), + PollFlags::POLLIN | PollFlags::POLLRDNORM | PollFlags::POLLRDBAND, + )]; + + let (lock, cvar) = &**syncpair; + *lock.lock().unwrap() = true; + cvar.notify_one(); + + loop { + match poll(&mut poll_fds, -1) { + Ok(num_fds) if num_fds > 0 => (), + Ok(_) => continue, + Err(e) => { + println!("Error polling for activity: {:?}", e); + continue; + } + }; + let copied_poll_fds: Vec = poll_fds.iter().copied().collect(); + for poll_fd in copied_poll_fds { + let revents = poll_fd.revents().expect("revents should not be None"); + let raw_polled_fd = + unsafe { *((&poll_fd as *const PollFd) as *const libc::pollfd) }.fd; + if revents.contains(PollFlags::POLLHUP) { + poll_fds.remove(poll_fds.iter().position(|item| *item == poll_fd).unwrap()); + self.clients.remove(&raw_polled_fd); + } else if revents.contains(PollFlags::POLLIN) { + if self.clients.contains_key(&raw_polled_fd) { + match self.handle_client(raw_polled_fd) { + Ok(()) => (), + Err(e) => { + dbg!("Ignoring failed read from client", e, poll_fd); + continue; + } + }; + } else { + let (stream, addr) = match listener.accept_unix_addr() { + Ok(stream_val) => stream_val, + Err(e) => { + println!("Error accepting client: {:?}", e); + continue; + } + }; + + println!("Recieved connection from {:?}", addr); + let pollfd = PollFd::new( + stream.as_raw_fd(), + PollFlags::POLLIN | PollFlags::POLLRDNORM | PollFlags::POLLRDBAND, + ); + poll_fds.push(pollfd); + let client = AshmemClient::new(stream); + let client_id = 
client.stream.as_raw_fd(); + self.clients.insert(client_id, client); + match self.handle_client(client_id) { + Ok(()) => (), + Err(e) => { + dbg!("Ignoring failed read from client", e); + } + }; + } + } else { + //println!("Unknown revents flags: {:?}", revents); + } + } + } + } +} diff --git a/libafl/src/bolts/os/mod.rs b/libafl/src/bolts/os/mod.rs index 7a45acb215..6aacc14fd8 100644 --- a/libafl/src/bolts/os/mod.rs +++ b/libafl/src/bolts/os/mod.rs @@ -1,3 +1,8 @@ +//! Operating System specific abstractions + +#[cfg(all(unix, feature = "std"))] +pub mod ashmem_server; + #[cfg(unix)] pub mod unix_signals; #[cfg(windows)] diff --git a/libafl/src/bolts/os/unix_signals.rs b/libafl/src/bolts/os/unix_signals.rs index 8248306a45..0254b32657 100644 --- a/libafl/src/bolts/os/unix_signals.rs +++ b/libafl/src/bolts/os/unix_signals.rs @@ -1,3 +1,4 @@ +//! Signal handling for unix use alloc::vec::Vec; use core::{ cell::UnsafeCell, @@ -12,9 +13,9 @@ use core::{ use std::ffi::CString; use libc::{ - c_int, malloc, sigaction, sigaltstack, sigemptyset, stack_t, SA_NODEFER, SA_ONSTACK, - SA_SIGINFO, SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGHUP, SIGILL, SIGINT, SIGKILL, SIGPIPE, - SIGQUIT, SIGSEGV, SIGTERM, SIGUSR2, + c_int, malloc, sigaction, sigaltstack, sigemptyset, stack_t, ucontext_t, SA_NODEFER, + SA_ONSTACK, SA_SIGINFO, SIGABRT, SIGALRM, SIGBUS, SIGFPE, SIGHUP, SIGILL, SIGINT, SIGKILL, + SIGPIPE, SIGQUIT, SIGSEGV, SIGTERM, SIGTRAP, SIGUSR2, }; use num_enum::{IntoPrimitive, TryFromPrimitive}; @@ -24,6 +25,7 @@ pub use libc::{c_void, siginfo_t}; #[derive(IntoPrimitive, TryFromPrimitive, Clone, Copy)] #[repr(i32)] +#[allow(clippy::clippy::pub_enum_variant_names)] pub enum Signal { SigAbort = SIGABRT, SigBus = SIGBUS, @@ -38,6 +40,7 @@ pub enum Signal { SigQuit = SIGQUIT, SigTerm = SIGTERM, SigInterrupt = SIGINT, + SigTrap = SIGTRAP, } pub static CRASH_SIGNALS: &[Signal] = &[ 
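Review bot: `read_request` trusts the peer-supplied length prefix: `bytes.resize(size as usize, 0u8)` allocates up to 4 GiB on the word of whoever connected, and the `expect("Failed to read message body")` right after it panics the service thread on a short read, so one misbehaving client takes the server down for every other client. The same panic-on-input pattern is in `handle_request`: `Hello(Some(other_id))` with an unknown id reaches `other_client.as_ref().unwrap()` on `None`, and `Deregister` with an unregistered map id reaches `.pop().unwrap()`; any process that can reach the abstract socket `@ashmem_server` can send these, so they should become `Err` returns (which `listen` already tolerates with its `dbg!`-and-continue arms) instead of unwraps. Cap the length before allocating and propagate the read error, as below. Separately, `release_map` only unmaps on `refcount == 0`, but `Rc::strong_count(&map)` in the `Deregister` arm is taken while the popped `map` is still alive, so the count is at least 1 and that branch looks unreachable — `Rc::strong_count(&map) - 1` would report the remaining holders, unless I misread who else holds the `Rc`.
```rust
// (module level, next to ASHMEM_SERVER_NAME)
/// Upper bound on a serialized `AshmemRequest`; a larger length prefix is a malformed or hostile peer.
const MAX_REQUEST_LEN: usize = 4096; // constructed value: well above any real AshmemRequest, tune as needed

// … inside impl AshmemService, unchanged: handle_request …
fn read_request(&mut self, client_id: RawFd) -> Result<AshmemRequest, Error> {
    let client = self.clients.get_mut(&client_id).unwrap();

    // Always receive one be u32 of size, then the command.
    let mut size_bytes = [0u8; 4];
    client.stream.read_exact(&mut size_bytes)?;
    let size = u32::from_be_bytes(size_bytes) as usize;
    // Never let the peer choose the allocation size unchecked.
    if size > MAX_REQUEST_LEN {
        return Err(Error::Unknown(format!(
            "ashmem request of {} bytes exceeds the limit of {}",
            size, MAX_REQUEST_LEN
        )));
    }
    let mut bytes = vec![0u8; size];
    // A short read from one peer is that peer's problem, not the whole service's.
    client.stream.read_exact(&mut bytes)?;
    let request: AshmemRequest = postcard::from_bytes(&bytes)?;

    Ok(request)
}
```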
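Review bot: The lint path in `#[allow(clippy::clippy::pub_enum_variant_names)]` on `Signal` has the `clippy::` prefix doubled, so it most likely does not silence the intended lint (rustc passes unknown tool-prefixed names through, and clippy itself would report it as unknown); `#[allow(clippy::pub_enum_variant_names)]` is the lint's path, unless the doubled prefix is deliberate for the toolchain in use. The added `SigTrap` variant is wired into `Display` in the next hunk, but `CRASH_SIGNALS` begins after this hunk ends, so whether SIGTRAP should count as a crash signal is not decided in what is visible here.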
@@ -75,6 +78,7 @@ impl Display for Signal { Signal::SigQuit => write!(f, "SIGQUIT")?, Signal::SigTerm => write!(f, "SIGTERM")?, Signal::SigInterrupt => write!(f, "SIGINT")?, + Signal::SigTrap => write!(f, "SIGTRAP")?, }; Ok(()) @@ -83,7 +87,7 @@ impl Display for Signal { pub trait Handler { /// Handle a signal - fn handle(&mut self, signal: Signal, info: siginfo_t, _void: c_void); + fn handle(&mut self, signal: Signal, info: siginfo_t, _context: &mut ucontext_t); /// Return a list of signals to handle fn signals(&self) -> Vec; } @@ -111,7 +115,7 @@ static mut SIGNAL_HANDLERS: [Option; 32] = [ /// # Safety /// This should be somewhat safe to call for signals previously registered, /// unless the signal handlers registered using [setup_signal_handler] are broken. -unsafe fn handle_signal(sig: c_int, info: siginfo_t, void: c_void) { +unsafe fn handle_signal(sig: c_int, info: siginfo_t, void: *mut c_void) { let signal = &Signal::try_from(sig).unwrap(); let handler = { match &SIGNAL_HANDLERS[*signal as usize] { @@ -119,7 +123,7 @@ unsafe fn handle_signal(sig: c_int, info: siginfo_t, void: c_void) { None => return, } }; - handler.handle(*signal, info, void); + handler.handle(*signal, info, &mut *(void as *mut ucontext_t)); } /// Setup signal handlers in a somewhat rusty way. diff --git a/libafl/src/bolts/os/windows_exceptions.rs b/libafl/src/bolts/os/windows_exceptions.rs index ed43a04c00..98bd392863 100644 --- a/libafl/src/bolts/os/windows_exceptions.rs +++ b/libafl/src/bolts/os/windows_exceptions.rs @@ -1,3 +1,5 @@ +//! Exception handling for Windows + pub use crate::bolts::bindings::windows::win32::debug::EXCEPTION_POINTERS; use crate::{bolts::bindings::windows::win32::debug::SetUnhandledExceptionFilter, Error}; @@ -7,6 +9,7 @@ use core::{ cell::UnsafeCell, convert::TryFrom, fmt::{self, Display, Formatter}, + ptr, ptr::write_volatile, sync::atomic::{compiler_fence, Ordering}, }; 
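Review bot: `handler.handle(*signal, info, &mut *(void as *mut ucontext_t))` in `handle_signal` turns a raw `*mut c_void` into a `&mut ucontext_t` with no null check and no `// SAFETY:` comment, and the parameter is still named `void` although it is now a pointer that is reinterpreted immediately. Rename it to `context` and state the invariant above the call, e.g. `// SAFETY: with SA_SIGINFO the third handler argument is a non-null ucontext_t* that stays valid for the duration of this handler`, assuming `setup_signal_handler` (outside this hunk) registers with `SA_SIGINFO` as the import list suggests. The `Handler::handle` doc still only says "Handle a signal"; it should tell implementors that `_context` is the interrupted thread's register context, which the kernel restores when the handler returns, so writes to it are not cosmetic.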
@@ -14,10 +17,21 @@ use std::os::raw::{c_long, c_void}; use num_enum::{IntoPrimitive, TryFromPrimitive}; -const EXCEPTION_CONTINUE_EXECUTION: c_long = -1; +//const EXCEPTION_CONTINUE_EXECUTION: c_long = -1; //const EXCEPTION_CONTINUE_SEARCH: c_long = 0; const EXCEPTION_EXECUTE_HANDLER: c_long = 1; +// From https://github.com/Alexpux/mingw-w64/blob/master/mingw-w64-headers/crt/signal.h +pub const SIGINT: i32 = 2; +pub const SIGILL: i32 = 4; +pub const SIGABRT_COMPAT: i32 = 6; +pub const SIGFPE: i32 = 8; +pub const SIGSEGV: i32 = 11; +pub const SIGTERM: i32 = 15; +pub const SIGBREAK: i32 = 21; +pub const SIGABRT: i32 = 22; +pub const SIGABRT2: i32 = 22; + // From https://github.com/wine-mirror/wine/blob/master/include/winnt.h#L611 pub const STATUS_WAIT_0: u32 = 0x00000000; pub const STATUS_ABANDONED_WAIT_0: u32 = 0x00000080; @@ -274,6 +288,24 @@ static mut EXCEPTION_HANDLERS: [Option; 64] = [ None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, ]; +unsafe fn internal_handle_exception( + exception_code: ExceptionCode, + exception_pointers: *mut EXCEPTION_POINTERS, +) -> i32 { + let index = EXCEPTION_CODES_MAPPING + .iter() + .position(|x| *x == exception_code) + .unwrap(); + match &EXCEPTION_HANDLERS[index] { + Some(handler_holder) => { + let handler = &mut **handler_holder.handler.get(); + handler.handle(exception_code, exception_pointers); + EXCEPTION_EXECUTE_HANDLER + } + None => EXCEPTION_EXECUTE_HANDLER, + } +} + type NativeHandlerType = extern "system" fn(*mut EXCEPTION_POINTERS) -> c_long; static mut PREVIOUS_HANDLER: Option = None; 
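Review bot: `internal_handle_exception` is a new `unsafe fn` with no doc comment and no `# Safety` section, and it is about to be reached from two entry points (the unhandled-exception filter, and in the next hunk a C signal handler). State what callers must guarantee: `EXCEPTION_HANDLERS` is read without synchronization, and `exception_pointers` is forwarded to `handler.handle` unchecked, so it may only be null if every registered handler tolerates that. The `.position(..).unwrap()` also panics if `exception_code` is absent from `EXCEPTION_CODES_MAPPING`; the mapping is outside this hunk, so I cannot confirm every `ExceptionCode` variant is listed. The commented-out `//const EXCEPTION_CONTINUE_EXECUTION` in the earlier hunk is dead text; delete it or keep the constant under `#[allow(dead_code)]` with a reason.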
@@ -287,18 +319,8 @@ unsafe extern "system" fn handle_exception(exception_pointers: *mut EXCEPTION_PO .unwrap() .exception_code; let exception_code = ExceptionCode::try_from(code).unwrap(); - let index = EXCEPTION_CODES_MAPPING - .iter() - .position(|x| *x == exception_code) - .unwrap(); - let ret = match &EXCEPTION_HANDLERS[index] { - Some(handler_holder) => { - let handler = &mut **handler_holder.handler.get(); - handler.handle(exception_code, exception_pointers); - EXCEPTION_EXECUTE_HANDLER - } - None => EXCEPTION_EXECUTE_HANDLER, - }; + // println!("Received {}", exception_code); + let ret = internal_handle_exception(exception_code, exception_pointers); if let Some(prev_handler) = PREVIOUS_HANDLER { prev_handler(exception_pointers) } else { @@ -306,10 +328,26 @@ unsafe extern "system" fn handle_exception(exception_pointers: *mut EXCEPTION_PO } } +type NativeSignalHandlerType = unsafe extern "C" fn(i32); +extern "C" { + fn signal(signum: i32, func: NativeSignalHandlerType) -> *const c_void; +} + +unsafe extern "C" fn handle_signal(_signum: i32) { + // println!("Received signal {}", _signum); + internal_handle_exception(ExceptionCode::AssertionFailure, ptr::null_mut()); +} + /// Setup Win32 exception handlers in a somewhat rusty way. +/// # Safety +/// Exception handlers are usually ugly, handle with care! pub unsafe fn setup_exception_handler(handler: &mut T) -> Result<(), Error> { let exceptions = handler.exceptions(); + let mut catch_assertions = false; for exception_code in exceptions { + if exception_code == ExceptionCode::AssertionFailure { + catch_assertions = true; + } let index = EXCEPTION_CODES_MAPPING .iter() .position(|x| *x == exception_code) @@ -322,7 +360,9 @@ pub unsafe fn setup_exception_handler(handler: &mut T) -> ); } compiler_fence(Ordering::SeqCst); - + if catch_assertions { + signal(SIGABRT, handle_signal); + } if let Some(prev) = SetUnhandledExceptionFilter(Some(core::mem::transmute( handle_exception as *const c_void, ))) { 
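Review bot: `handle_signal` calls `internal_handle_exception(ExceptionCode::AssertionFailure, ptr::null_mut())`, so every `Handler::handle` implementation now receives a null `*mut EXCEPTION_POINTERS` for assertion failures, while the existing `handle_exception` path dereferences its pointer with `.unwrap()` — the contract is not written down anywhere. Document it on the function, e.g. `/// Installed via signal(SIGABRT, ..): dispatches `AssertionFailure` with a null `EXCEPTION_POINTERS`, so handlers must not dereference the pointer for that code.` In the `@@ -322,7 +360,9 @@` hunk the value returned by `signal(SIGABRT, handle_signal)` (the previous handler, or an error sentinel on failure) is discarded, unlike `PREVIOUS_HANDLER` for the exception filter, so the old SIGABRT handler can be neither chained nor restored and an install failure goes unnoticed; keeping it in a static mirrors the existing design.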
diff --git a/libafl/src/bolts/ownedref.rs b/libafl/src/bolts/ownedref.rs
index 979f3fb00d..149773b822 100644
--- a/libafl/src/bolts/ownedref.rs
+++ b/libafl/src/bolts/ownedref.rs
@@ -5,66 +5,102 @@ use alloc::{boxed::Box, vec::Vec}; use core::{clone::Clone, fmt::Debug}; use serde::{Deserialize, Deserializer, Serialize, Serializer}; +/// Trait to convert into an Owned type +pub trait IntoOwned { + fn is_owned(&self) -> bool; + + fn into_owned(self) -> Self; +} + /// Wrap a reference and convert to a Box on serialize #[derive(Clone, Debug)] -pub enum Ptr<'a, T: 'a + ?Sized> { +pub enum OwnedRef<'a, T> +where + T: 'a + ?Sized, +{ Ref(&'a T), Owned(Box), } -impl<'a, T: 'a + ?Sized + Serialize> Serialize for Ptr<'a, T> { +impl<'a, T> Serialize for OwnedRef<'a, T> +where + T: 'a + ?Sized + Serialize, +{ fn serialize(&self, se: S) -> Result where S: Serializer, { match self { - Ptr::Ref(r) => r.serialize(se), - Ptr::Owned(b) => b.serialize(se), + OwnedRef::Ref(r) => r.serialize(se), + OwnedRef::Owned(b) => b.serialize(se), } } } -impl<'de, 'a, T: 'a + ?Sized> Deserialize<'de> for Ptr<'a, T> +impl<'de, 'a, T> Deserialize<'de> for OwnedRef<'a, T> where + T: 'a + ?Sized, Box: Deserialize<'de>, { fn deserialize(deserializer: D) -> Result where D: Deserializer<'de>, { - Deserialize::deserialize(deserializer).map(Ptr::Owned) + Deserialize::deserialize(deserializer).map(OwnedRef::Owned) } } -impl<'a, T: Sized> AsRef for Ptr<'a, T> { +impl<'a, T> AsRef for OwnedRef<'a, T> +where + T: Sized, +{ fn as_ref(&self) -> &T { match self { - Ptr::Ref(r) => r, - Ptr::Owned(v) => v.as_ref(), + OwnedRef::Ref(r) => r, + OwnedRef::Owned(v) => v.as_ref(), + } + } +} + +impl<'a, T> IntoOwned for OwnedRef<'a, T> +where + T: Sized + Clone, +{ + fn is_owned(&self) -> bool { + match self { + OwnedRef::Ref(_) => false, + OwnedRef::Owned(_) => true, + } + } + + fn into_owned(self) -> Self { + match self { + OwnedRef::Ref(r) => OwnedRef::Owned(Box::new(r.clone())), + OwnedRef::Owned(v) => OwnedRef::Owned(v), } } } /// Wrap a mutable reference and convert to a Box on serialize #[derive(Debug)] -pub enum PtrMut<'a, T: 'a + ?Sized> { +pub enum OwnedRefMut<'a, T: 'a + ?Sized> { 
Ref(&'a mut T), Owned(Box), } -impl<'a, T: 'a + ?Sized + Serialize> Serialize for PtrMut<'a, T> { +impl<'a, T: 'a + ?Sized + Serialize> Serialize for OwnedRefMut<'a, T> { fn serialize(&self, se: S) -> Result where S: Serializer, { match self { - PtrMut::Ref(r) => r.serialize(se), - PtrMut::Owned(b) => b.serialize(se), + OwnedRefMut::Ref(r) => r.serialize(se), + OwnedRefMut::Owned(b) => b.serialize(se), } } } -impl<'de, 'a, T: 'a + ?Sized> Deserialize<'de> for PtrMut<'a, T> +impl<'de, 'a, T: 'a + ?Sized> Deserialize<'de> for OwnedRefMut<'a, T> where Box: Deserialize<'de>, { 
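Review bot: The new public trait `IntoOwned` and its two methods carry no doc comments, and `into_owned` returning `Self` rather than a distinct owned type is exactly what a caller will guess wrong without one. Suggested docs: `/// Returns true if the wrapper holds the `Owned` variant.` on `is_owned`, and `/// Converts a borrowed variant into the `Owned` variant by cloning the pointee; an already owned value is returned unchanged.` on `into_owned`. As a point of style, `OwnedRef` in this hunk was rewritten with `where` clauses while `OwnedRefMut` immediately below keeps the inline `T: 'a + ?Sized` bound; pick one form for the file.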
@@ -72,48 +108,67 @@ where where D: Deserializer<'de>, { - Deserialize::deserialize(deserializer).map(PtrMut::Owned) + Deserialize::deserialize(deserializer).map(OwnedRefMut::Owned) } } -impl<'a, T: Sized> AsRef for PtrMut<'a, T> { +impl<'a, T: Sized> AsRef for OwnedRefMut<'a, T> { fn as_ref(&self) -> &T { match self { - PtrMut::Ref(r) => r, - PtrMut::Owned(v) => v.as_ref(), + OwnedRefMut::Ref(r) => r, + OwnedRefMut::Owned(v) => v.as_ref(), } } } -impl<'a, T: Sized> AsMut for PtrMut<'a, T> { +impl<'a, T: Sized> AsMut for OwnedRefMut<'a, T> { fn as_mut(&mut self) -> &mut T { match self { - PtrMut::Ref(r) => r, - PtrMut::Owned(v) => v.as_mut(), + OwnedRefMut::Ref(r) => r, + OwnedRefMut::Owned(v) => v.as_mut(), + } + } +} + +impl<'a, T> IntoOwned for OwnedRefMut<'a, T> +where + T: Sized + Clone, +{ + fn is_owned(&self) -> bool { + match self { + OwnedRefMut::Ref(_) => false, + OwnedRefMut::Owned(_) => true, + } + } + + fn into_owned(self) -> Self { + match self { + OwnedRefMut::Ref(r) => OwnedRefMut::Owned(Box::new(r.clone())), + OwnedRefMut::Owned(v) => OwnedRefMut::Owned(v), } } } /// Wrap a slice and convert to a Vec on serialize #[derive(Clone, Debug)] -pub enum Slice<'a, T: 'a + Sized> { +pub enum OwnedSlice<'a, T: 'a + Sized> { Ref(&'a [T]), Owned(Vec), } -impl<'a, T: 'a + Sized + Serialize> Serialize for Slice<'a, T> { +impl<'a, T: 'a + Sized + Serialize> Serialize for OwnedSlice<'a, T> { fn serialize(&self, se: S) -> Result where S: Serializer, { match self { - Slice::Ref(r) => r.serialize(se), - Slice::Owned(b) => b.serialize(se), + OwnedSlice::Ref(r) => r.serialize(se), + OwnedSlice::Owned(b) => b.serialize(se), } } } -impl<'de, 'a, T: 'a + Sized> Deserialize<'de> for Slice<'a, T> +impl<'de, 'a, T: 'a + Sized> Deserialize<'de> for OwnedSlice<'a, T> where Vec: Deserialize<'de>, { 
@@ -121,39 +176,58 @@ where where D: Deserializer<'de>, { - Deserialize::deserialize(deserializer).map(Slice::Owned) + Deserialize::deserialize(deserializer).map(OwnedSlice::Owned) } } -impl<'a, T: Sized> Slice<'a, T> { +impl<'a, T: Sized> OwnedSlice<'a, T> { pub fn as_slice(&self) -> &[T] { match self { - Slice::Ref(r) => r, - Slice::Owned(v) => v.as_slice(), + OwnedSlice::Ref(r) => r, + OwnedSlice::Owned(v) => v.as_slice(), + } + } +} + +impl<'a, T> IntoOwned for OwnedSlice<'a, T> +where + T: Sized + Clone, +{ + fn is_owned(&self) -> bool { + match self { + OwnedSlice::Ref(_) => false, + OwnedSlice::Owned(_) => true, + } + } + + fn into_owned(self) -> Self { + match self { + OwnedSlice::Ref(r) => OwnedSlice::Owned(r.to_vec()), + OwnedSlice::Owned(v) => OwnedSlice::Owned(v), } } } /// Wrap a mutable slice and convert to a Vec on serialize #[derive(Debug)] -pub enum SliceMut<'a, T: 'a + Sized> { +pub enum OwnedSliceMut<'a, T: 'a + Sized> { Ref(&'a mut [T]), Owned(Vec), } -impl<'a, T: 'a + Sized + Serialize> Serialize for SliceMut<'a, T> { +impl<'a, T: 'a + Sized + Serialize> Serialize for OwnedSliceMut<'a, T> { fn serialize(&self, se: S) -> Result where S: Serializer, { match self { - SliceMut::Ref(r) => r.serialize(se), - SliceMut::Owned(b) => b.serialize(se), + OwnedSliceMut::Ref(r) => r.serialize(se), + OwnedSliceMut::Owned(b) => b.serialize(se), } } } -impl<'de, 'a, T: 'a + Sized> Deserialize<'de> for SliceMut<'a, T> +impl<'de, 'a, T: 'a + Sized> Deserialize<'de> for OwnedSliceMut<'a, T> where Vec: Deserialize<'de>, { 
@@ -161,34 +235,53 @@ where where D: Deserializer<'de>, { - Deserialize::deserialize(deserializer).map(SliceMut::Owned) + Deserialize::deserialize(deserializer).map(OwnedSliceMut::Owned) } } -impl<'a, T: Sized> SliceMut<'a, T> { +impl<'a, T: Sized> OwnedSliceMut<'a, T> { pub fn as_slice(&self) -> &[T] { match self { - SliceMut::Ref(r) => r, - SliceMut::Owned(v) => v.as_slice(), + OwnedSliceMut::Ref(r) => r, + OwnedSliceMut::Owned(v) => v.as_slice(), } } - pub fn as_mut_slice(&mut self) -> &[T] { + pub fn as_mut_slice(&mut self) -> &mut [T] { match self { - SliceMut::Ref(r) => r, - SliceMut::Owned(v) => v.as_mut_slice(), + OwnedSliceMut::Ref(r) => r, + OwnedSliceMut::Owned(v) => v.as_mut_slice(), + } + } +} + +impl<'a, T> IntoOwned for OwnedSliceMut<'a, T> +where + T: Sized + Clone, +{ + fn is_owned(&self) -> bool { + match self { + OwnedSliceMut::Ref(_) => false, + OwnedSliceMut::Owned(_) => true, + } + } + + fn into_owned(self) -> Self { + match self { + OwnedSliceMut::Ref(r) => OwnedSliceMut::Owned(r.to_vec()), + OwnedSliceMut::Owned(v) => OwnedSliceMut::Owned(v), } } } /// Wrap a C-style pointer and convert to a Box on serialize #[derive(Clone, Debug)] -pub enum Cptr { - Cptr(*const T), +pub enum OwnedPtr { + Ptr(*const T), Owned(Box), } -impl Serialize for Cptr { +impl Serialize for OwnedPtr { fn serialize(&self, se: S) -> Result where S: Serializer, @@ -197,7 +290,7 @@ impl Serialize for Cptr { } } -impl<'de, T: Sized + serde::de::DeserializeOwned> Deserialize<'de> for Cptr +impl<'de, T: Sized + serde::de::DeserializeOwned> Deserialize<'de> for OwnedPtr where Vec: Deserialize<'de>, { 
@@ -205,27 +298,46 @@ where where D: Deserializer<'de>, { - Deserialize::deserialize(de).map(Cptr::Owned) + Deserialize::deserialize(de).map(OwnedPtr::Owned) } } -impl AsRef for Cptr { +impl AsRef for OwnedPtr { fn as_ref(&self) -> &T { match self { - Cptr::Cptr(p) => unsafe { p.as_ref().unwrap() }, - Cptr::Owned(v) => v.as_ref(), + OwnedPtr::Ptr(p) => unsafe { p.as_ref().unwrap() }, + OwnedPtr::Owned(v) => v.as_ref(), + } + } +} + +impl IntoOwned for OwnedPtr +where + T: Sized + Clone, +{ + fn is_owned(&self) -> bool { + match self { + OwnedPtr::Ptr(_) => false, + OwnedPtr::Owned(_) => true, + } + } + + fn into_owned(self) -> Self { + match self { + OwnedPtr::Ptr(p) => unsafe { OwnedPtr::Owned(Box::new(p.as_ref().unwrap().clone())) }, + OwnedPtr::Owned(v) => OwnedPtr::Owned(v), } } } /// Wrap a C-style mutable pointer and convert to a Box on serialize #[derive(Clone, Debug)] -pub enum CptrMut { - Cptr(*mut T), +pub enum OwnedPtrMut { + Ptr(*mut T), Owned(Box), } -impl Serialize for CptrMut { +impl Serialize for OwnedPtrMut { fn serialize(&self, se: S) -> Result where S: Serializer, @@ -234,7 +346,7 @@ impl Serialize for CptrMut { } } -impl<'de, T: Sized + serde::de::DeserializeOwned> Deserialize<'de> for CptrMut +impl<'de, T: Sized + serde::de::DeserializeOwned> Deserialize<'de> for OwnedPtrMut where Vec: Deserialize<'de>, { 
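Review bot: `OwnedPtr::into_owned` dereferences the raw pointer in `unsafe { OwnedPtr::Owned(Box::new(p.as_ref().unwrap().clone())) }` without a `// SAFETY:` comment, and the same applies to the new `into_owned` for `OwnedPtrMut`, `OwnedArrayPtr` and `OwnedArrayPtrMut` in the following hunks, where `from_raw_parts(p.0, p.1)` additionally requires a non-null, aligned pointer to `p.1` initialized elements even though the result is only copied with `to_vec()`. The `as_ref().unwrap()` also turns a null pointer into a panic rather than a reported error. These enums are public and their raw-pointer variants can be built by anyone, so the invariant belongs in the docs of the `Ptr`/`ArrayPtr` variants, e.g. `/// The pointer must be non-null, aligned and point to a live `T` for as long as this value is used.`, with a `// SAFETY: upheld by the variant's documented contract` line at each dereference.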
@@ -242,36 +354,57 @@ where where D: Deserializer<'de>, { - Deserialize::deserialize(de).map(CptrMut::Owned) + Deserialize::deserialize(de).map(OwnedPtrMut::Owned) } } -impl AsRef for CptrMut { +impl AsRef for OwnedPtrMut { fn as_ref(&self) -> &T { match self { - CptrMut::Cptr(p) => unsafe { p.as_ref().unwrap() }, - CptrMut::Owned(b) => b.as_ref(), + OwnedPtrMut::Ptr(p) => unsafe { p.as_ref().unwrap() }, + OwnedPtrMut::Owned(b) => b.as_ref(), } } } -impl AsMut for CptrMut { +impl AsMut for OwnedPtrMut { fn as_mut(&mut self) -> &mut T { match self { - CptrMut::Cptr(p) => unsafe { p.as_mut().unwrap() }, - CptrMut::Owned(b) => b.as_mut(), + OwnedPtrMut::Ptr(p) => unsafe { p.as_mut().unwrap() }, + OwnedPtrMut::Owned(b) => b.as_mut(), + } + } +} + +impl IntoOwned for OwnedPtrMut +where + T: Sized + Clone, +{ + fn is_owned(&self) -> bool { + match self { + OwnedPtrMut::Ptr(_) => false, + OwnedPtrMut::Owned(_) => true, + } + } + + fn into_owned(self) -> Self { + match self { + OwnedPtrMut::Ptr(p) => unsafe { + OwnedPtrMut::Owned(Box::new(p.as_ref().unwrap().clone())) + }, + OwnedPtrMut::Owned(v) => OwnedPtrMut::Owned(v), } } } /// Wrap a C-style pointer to an array (with size= and convert to a Vec on serialize #[derive(Clone, Debug)] -pub enum Array { - Cptr((*const T, usize)), +pub enum OwnedArrayPtr { + ArrayPtr((*const T, usize)), Owned(Vec), } -impl Serialize for Array { +impl Serialize for OwnedArrayPtr { fn serialize(&self, se: S) -> Result where S: Serializer, @@ -280,7 +413,7 @@ impl Serialize for Array { } } -impl<'de, T: Sized + Serialize> Deserialize<'de> for Array +impl<'de, T: Sized + Serialize> Deserialize<'de> for OwnedArrayPtr where Vec: Deserialize<'de>, { 
@@ -288,27 +421,48 @@ where where D: Deserializer<'de>, { - Deserialize::deserialize(de).map(Array::Owned) + Deserialize::deserialize(de).map(OwnedArrayPtr::Owned) } } -impl Array { +impl OwnedArrayPtr { pub fn as_slice(&self) -> &[T] { match self { - Array::Cptr(p) => unsafe { core::slice::from_raw_parts(p.0, p.1) }, - Array::Owned(v) => v.as_slice(), + OwnedArrayPtr::ArrayPtr(p) => unsafe { core::slice::from_raw_parts(p.0, p.1) }, + OwnedArrayPtr::Owned(v) => v.as_slice(), + } + } +} + +impl IntoOwned for OwnedArrayPtr +where + T: Sized + Clone, +{ + fn is_owned(&self) -> bool { + match self { + OwnedArrayPtr::ArrayPtr(_) => false, + OwnedArrayPtr::Owned(_) => true, + } + } + + fn into_owned(self) -> Self { + match self { + OwnedArrayPtr::ArrayPtr(p) => unsafe { + OwnedArrayPtr::Owned(core::slice::from_raw_parts(p.0, p.1).to_vec()) + }, + OwnedArrayPtr::Owned(v) => OwnedArrayPtr::Owned(v), } } } /// Wrap a C-style mutable pointer to an array (with size= and convert to a Vec on serialize #[derive(Clone, Debug)] -pub enum ArrayMut { - Cptr((*mut T, usize)), +pub enum OwnedArrayPtrMut { + ArrayPtr((*mut T, usize)), Owned(Vec), } -impl Serialize for ArrayMut { +impl Serialize for OwnedArrayPtrMut { fn serialize(&self, se: S) -> Result where S: Serializer, @@ -317,7 +471,7 @@ impl Serialize for ArrayMut { } } -impl<'de, T: Sized + Serialize> Deserialize<'de> for ArrayMut +impl<'de, T: Sized + Serialize> Deserialize<'de> for OwnedArrayPtrMut where Vec: Deserialize<'de>, { 
@@ -325,22 +479,43 @@ where where D: Deserializer<'de>, { - Deserialize::deserialize(de).map(ArrayMut::Owned) + Deserialize::deserialize(de).map(OwnedArrayPtrMut::Owned) } } -impl ArrayMut { +impl OwnedArrayPtrMut { pub fn as_slice(&self) -> &[T] { match self { - ArrayMut::Cptr(p) => unsafe { core::slice::from_raw_parts(p.0, p.1) }, - ArrayMut::Owned(v) => v.as_slice(), + OwnedArrayPtrMut::ArrayPtr(p) => unsafe { core::slice::from_raw_parts(p.0, p.1) }, + OwnedArrayPtrMut::Owned(v) => v.as_slice(), } } pub fn as_mut_slice(&mut self) -> &mut [T] { match self { - ArrayMut::Cptr(p) => unsafe { core::slice::from_raw_parts_mut(p.0, p.1) }, - ArrayMut::Owned(v) => v.as_mut_slice(), + OwnedArrayPtrMut::ArrayPtr(p) => unsafe { core::slice::from_raw_parts_mut(p.0, p.1) }, + OwnedArrayPtrMut::Owned(v) => v.as_mut_slice(), + } + } +} + +impl IntoOwned for OwnedArrayPtrMut +where + T: Sized + Clone, +{ + fn is_owned(&self) -> bool { + match self { + OwnedArrayPtrMut::ArrayPtr(_) => false, + OwnedArrayPtrMut::Owned(_) => true, + } + } + + fn into_owned(self) -> Self { + match self { + OwnedArrayPtrMut::ArrayPtr(p) => unsafe { + OwnedArrayPtrMut::Owned(core::slice::from_raw_parts(p.0, p.1).to_vec()) + }, + OwnedArrayPtrMut::Owned(v) => OwnedArrayPtrMut::Owned(v), } } } diff --git a/libafl/src/bolts/serdeany.rs b/libafl/src/bolts/serdeany.rs index 50e3d6034f..8782238756 100644 --- a/libafl/src/bolts/serdeany.rs +++ b/libafl/src/bolts/serdeany.rs @@ -5,9 +5,6 @@ use serde::{Deserialize, Deserializer, Serialize, Serializer}; use alloc::boxed::Box; use core::any::{Any, TypeId}; -#[cfg(feature = "anymap_debug")] -use serde_json; - // yolo pub fn pack_type_id(id: u64) -> TypeId { 
@@ -181,15 +178,15 @@ macro_rules! create_serde_registry_for_trait { } } - #[cfg(fature = "anymapdbg")] + #[cfg(feature = "anymap_debug")] impl fmt::Debug for SerdeAnyMap { fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result { let json = serde_json::to_string(&self); - write!(f, "SerdeAnyMap: [{}]", json) + write!(f, "SerdeAnyMap: [{:?}]", json) } } - #[cfg(not(fature = "anymapdbg"))] + #[cfg(not(feature = "anymap_debug"))] impl fmt::Debug for SerdeAnyMap { fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result { write!(f, "SerdeAnymap with {} elements", self.len()) @@ -277,7 +274,7 @@ macro_rules! create_serde_registry_for_trait { None => None, Some(h) => h .get(&xxhash_rust::xxh3::xxh3_64(name.as_bytes())) - .map(|x| x.as_ref()), + .map(AsRef::as_ref), } } @@ -304,7 +301,7 @@ macro_rules! create_serde_registry_for_trait { None => None, Some(h) => h .get_mut(&xxhash_rust::xxh3::xxh3_64(name.as_bytes())) - .map(|x| x.as_mut()), + .map(AsMut::as_mut), } } @@ -496,10 +493,11 @@ macro_rules! create_serde_registry_for_trait { create_serde_registry_for_trait!(serdeany_registry, crate::bolts::serdeany::SerdeAny); pub use serdeany_registry::*; +#[cfg(feature = "std")] #[macro_export] macro_rules! impl_serdeany { ($struct_name:ident) => { - impl crate::bolts::serdeany::SerdeAny for $struct_name { + impl $crate::bolts::serdeany::SerdeAny for $struct_name { fn as_any(&self) -> &dyn core::any::Any { self } 
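Review bot: In the `anymap_debug` `Debug` impl, `json` is the `Result` returned by `serde_json::to_string(&self)`, so `write!(f, "SerdeAnyMap: [{:?}]", json)` prints `Ok("…")` (or `Err(..)`) around the payload, with the JSON string escaped a second time. Now that the corrected `cfg` actually compiles this branch, unwrap the result explicitly: `match serde_json::to_string(&self) { Ok(json) => write!(f, "SerdeAnyMap: [{}]", json), Err(e) => write!(f, "SerdeAnyMap: [<unserializable: {}>]", e) }`. The enclosing `create_serde_registry_for_trait!` macro starts and ends outside this hunk.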
@@ -510,10 +508,25 @@ macro_rules! impl_serdeany { } #[allow(non_snake_case)] - #[cfg(feature = "std")] - #[ctor] + #[$crate::ctor] fn $struct_name() { - crate::bolts::serdeany::RegistryBuilder::register::<$struct_name>(); + $crate::bolts::serdeany::RegistryBuilder::register::<$struct_name>(); + } + }; +} + +#[cfg(not(feature = "std"))] +#[macro_export] +macro_rules! impl_serdeany { + ($struct_name:ident) => { + impl $crate::bolts::serdeany::SerdeAny for $struct_name { + fn as_any(&self) -> &dyn core::any::Any { + self + } + + fn as_any_mut(&mut self) -> &mut dyn core::any::Any { + self + } } }; } diff --git a/libafl/src/bolts/shmem.rs b/libafl/src/bolts/shmem.rs index 2d832da7e9..2b64dfc04f 100644 --- a/libafl/src/bolts/shmem.rs +++ b/libafl/src/bolts/shmem.rs 
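Review bot: The new `#[cfg(not(feature = "std"))]` `impl_serdeany` only implements the trait and never registers the type, whereas the `std` variant (previous hunk, `@@ -496,10 +493,11 @@`) registers it at startup through `#[$crate::ctor]`; neither macro documents the difference, so a `no_std` user whose deserialized map cannot find the type gets a runtime lookup failure with no hint why, if the registry is the only lookup path. Suggest the same doc comment on both `#[macro_export]` items: `/// Implements SerdeAny for the given type. With the std feature the type is also registered in the serdeany registry via a ctor at startup; without std no registration happens, so the type cannot be restored from a deserialized map.` The `std` variant also depends on `ctor` being re-exported at `$crate::ctor` behind the same feature gate; that re-export is not visible in this diff and is worth confirming.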
@@ -2,17 +2,40 @@ // too.) #[cfg(all(feature = "std", unix))] -pub use unix_shmem::UnixShMem; +pub use unix_shmem::{UnixShMem, UnixShMemProvider}; +#[cfg(all(feature = "std", unix))] +pub type OsShMemProvider = UnixShMemProvider; +#[cfg(all(feature = "std", unix))] +pub type OsShMem = UnixShMem; #[cfg(all(windows, feature = "std"))] -pub use shmem::Win32ShMem; +pub use win32_shmem::{Win32ShMem, Win32ShMemProvider}; +#[cfg(all(windows, feature = "std"))] +pub type OsShMemProvider = Win32ShMemProvider; +#[cfg(all(windows, feature = "std"))] +pub type OsShMem = Win32ShMem; + +#[cfg(target_os = "android")] +use crate::bolts::os::ashmem_server::ServedShMemProvider; +#[cfg(target_os = "android")] +pub type StdShMemProvider = RcShMemProvider; +#[cfg(target_os = "android")] +pub type StdShMem = RcShMem; + +#[cfg(all(feature = "std", not(target_os = "android")))] +pub type StdShMemProvider = OsShMemProvider; +#[cfg(all(feature = "std", not(target_os = "android")))] +pub type StdShMem = OsShMem; -use alloc::string::{String, ToString}; use core::fmt::Debug; use serde::{Deserialize, Serialize}; #[cfg(feature = "std")] use std::env; +use alloc::{rc::Rc, string::ToString}; +use core::cell::RefCell; +use core::mem::ManuallyDrop; + use crate::Error; /// Description of a shared map. 
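Review bot: The android `use crate::bolts::os::ashmem_server::ServedShMemProvider;` and the two `StdShMemProvider`/`StdShMem` aliases below it are gated on `target_os = "android"` alone, while every other alias in this hunk is also gated on `feature = "std"`. If `ashmem_server` needs `std` (it is not visible here), an android build without the feature fails at this import rather than simply lacking a `StdShMemProvider`, and the asymmetry with the `not(target_os = "android")` pair is easy to misread as a bug. Gating the three android items with `#[cfg(all(feature = "std", target_os = "android"))]` makes the two branches symmetric; if no-std android is deliberately supported, a short comment on the `use` line saying so would stop the next reader from "fixing" it.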
@@ -20,430 +43,630 @@ use crate::Error; #[derive(Copy, Clone, Debug, Serialize, Deserialize)] pub struct ShMemDescription { /// Size of this map - size: usize, - /// of name of this map, as fixed 20 bytes c-string - str_bytes: [u8; 20], + pub size: usize, + /// Id of this map + pub id: ShMemId, } -/// A Shared map -pub trait ShMem: Sized + Debug { - /// Creates a new map with the given size - fn new_map(map_size: usize) -> Result; +impl ShMemDescription { + pub fn from_string_and_size(string: &str, size: usize) -> Self { + Self { + size, + id: ShMemId::from_string(string), + } + } +} - /// Creates a new reference to the same map - fn clone_ref(old_ref: &Self) -> Result { - Self::existing_from_shm_slice(old_ref.shm_slice(), old_ref.map().len()) +/// An id associated with a given shared memory mapping (ShMem), which can be used to +/// establish shared-mappings between proccesses. +#[derive(Copy, Clone, Debug, Serialize, Deserialize, PartialEq, Eq, Hash, Default)] +pub struct ShMemId { + id: [u8; 20], +} + +impl ShMemId { + /// Create a new id from a fixed-size string + pub fn from_slice(slice: &[u8; 20]) -> Self { + Self { id: *slice } } - /// Creates a nes variable with the given name, strigified to 20 bytes. 
- fn existing_from_shm_slice(map_str_bytes: &[u8; 20], map_size: usize) -> Result; + /// Create a new id from an int + pub fn from_int(val: i32) -> Self { + Self::from_string(&val.to_string()) + } - /// Initialize from a shm_str with fixed len of 20 - fn existing_from_shm_str(shm_str: &str, map_size: usize) -> Result { + /// Create a new id from a string + pub fn from_string(val: &str) -> Self { let mut slice: [u8; 20] = [0; 20]; - for (i, val) in shm_str.as_bytes().iter().enumerate() { + for (i, val) in val.as_bytes().iter().enumerate() { slice[i] = *val; } - Self::existing_from_shm_slice(&slice, map_size) + Self { id: slice } } - /// The string to identify this shm - fn shm_str(&self) -> String { - let bytes = self.shm_slice(); - let eof_pos = bytes.iter().position(|&c| c == 0).unwrap(); - alloc::str::from_utf8(&bytes[..eof_pos]) - .unwrap() - .to_string() + /// Get the id as a fixed-length slice + pub fn as_slice(&self) -> &[u8; 20] { + &self.id } - /// Let's just fix this to a large enough buf - fn shm_slice(&self) -> &[u8; 20]; + /// Get a string representation of this id + pub fn to_string(&self) -> &str { + let eof_pos = self.id.iter().position(|&c| c == 0).unwrap(); + alloc::str::from_utf8(&self.id[..eof_pos]).unwrap() + } + + /// Get an integer representation of this id + pub fn to_int(&self) -> i32 { + let id: i32 = self.to_string().parse().unwrap(); + id + } +} + +pub trait ShMem: Sized + Debug + Clone { + /// Get the id of this shared memory mapping + fn id(&self) -> ShMemId; + + /// Get the size of this mapping + fn len(&self) -> usize; + + /// Check if the mapping is empty + fn is_empty(&self) -> bool { + self.len() == 0 + } + + /// Get the description of the shared memory mapping + fn description(&self) -> ShMemDescription { + ShMemDescription { + size: self.len(), + id: self.id(), + } + } /// The actual shared map, in memory fn map(&self) -> &[u8]; /// The actual shared map, mutable fn map_mut(&mut self) -> &mut [u8]; - - /// Describe this shared 
map in a recreatable fashion - fn description(&self) -> ShMemDescription { - ShMemDescription { - size: self.map().len(), - str_bytes: *self.shm_slice(), - } - } - - /// Create a map from a map description - fn existing_from_description(description: &ShMemDescription) -> Result { - Self::existing_from_shm_slice(&description.str_bytes, description.size) - } - + /// /// Write this map's config to env #[cfg(feature = "std")] fn write_to_env(&self, env_name: &str) -> Result<(), Error> { - let map_size = self.map().len(); + let map_size = self.len(); let map_size_env = format!("{}_SIZE", env_name); - env::set_var(env_name, self.shm_str()); + env::set_var(env_name, self.id().to_string()); env::set_var(map_size_env, format!("{}", map_size)); Ok(()) } +} + +pub trait ShMemProvider: Send + Clone + Default + Debug { + type Mem: ShMem; + + /// Create a new instance of the provider + fn new() -> Result; + + /// Create a new shared memory mapping + fn new_map(&mut self, map_size: usize) -> Result; + + /// Get a mapping given its id and size + fn from_id_and_size(&mut self, id: ShMemId, size: usize) -> Result; + + /// Get a mapping given a description + fn from_description(&mut self, description: ShMemDescription) -> Result { + self.from_id_and_size(description.id, description.size) + } + + fn clone_ref(&mut self, mapping: &Self::Mem) -> Result { + self.from_id_and_size(mapping.id(), mapping.len()) + } /// Reads an existing map config from env vars, then maps it #[cfg(feature = "std")] - fn existing_from_env(env_name: &str) -> Result { + fn existing_from_env(&mut self, env_name: &str) -> Result { let map_shm_str = env::var(env_name)?; let map_size = str::parse::(&env::var(format!("{}_SIZE", env_name))?)?; - Self::existing_from_shm_str(&map_shm_str, map_size) + self.from_description(ShMemDescription::from_string_and_size( + &map_shm_str, + map_size, + )) + } + + /// This method should be called after a fork or thread creation event, allowing the ShMem to + /// reset thread 
specific info. + fn post_fork(&mut self) { + // do nothing + } + + /// Release the resources associated with the given ShMem + fn release_map(&mut self, _map: &mut Self::Mem) { + // do nothing } } -/// shared maps that have an id can use this trait -pub trait HasFd { - /// Retrieve the id of this shared map - fn shm_id(&self) -> i32; +#[derive(Debug, Clone)] +pub struct RcShMem { + internal: ManuallyDrop, + provider: Rc>, +} + +impl ShMem for RcShMem +where + T: ShMemProvider + alloc::fmt::Debug, +{ + fn id(&self) -> ShMemId { + self.internal.id() + } + + fn len(&self) -> usize { + self.internal.len() + } + + fn map(&self) -> &[u8] { + self.internal.map() + } + + fn map_mut(&mut self) -> &mut [u8] { + self.internal.map_mut() + } +} + +impl Drop for RcShMem { + fn drop(&mut self) { + self.provider.borrow_mut().release_map(&mut self.internal) + } +} + +#[derive(Debug, Clone)] +pub struct RcShMemProvider { + internal: Rc>, +} + +unsafe impl Send for RcShMemProvider {} + +impl ShMemProvider for RcShMemProvider +where + T: ShMemProvider + alloc::fmt::Debug, +{ + type Mem = RcShMem; + + fn new() -> Result { + Ok(Self { + internal: Rc::new(RefCell::new(T::new()?)), + }) + } + + fn new_map(&mut self, map_size: usize) -> Result { + Ok(Self::Mem { + internal: ManuallyDrop::new(self.internal.borrow_mut().new_map(map_size)?), + provider: self.internal.clone(), + }) + } + + fn from_id_and_size(&mut self, id: ShMemId, size: usize) -> Result { + Ok(Self::Mem { + internal: ManuallyDrop::new(self.internal.borrow_mut().from_id_and_size(id, size)?), + provider: self.internal.clone(), + }) + } + + fn release_map(&mut self, map: &mut Self::Mem) { + self.internal.borrow_mut().release_map(&mut map.internal) + } + + fn clone_ref(&mut self, mapping: &Self::Mem) -> Result { + Ok(Self::Mem { + internal: ManuallyDrop::new(self.internal.borrow_mut().clone_ref(&mapping.internal)?), + provider: self.internal.clone(), + }) + } + + fn post_fork(&mut self) { + self.internal.borrow_mut().post_fork() 
+ } +} + +impl Default for RcShMemProvider +where + T: ShMemProvider + alloc::fmt::Debug, +{ + fn default() -> Self { + Self::new().unwrap() + } } #[cfg(all(unix, feature = "std"))] pub mod unix_shmem { - use core::{mem::size_of, ptr, slice}; - use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_ushort, c_void}; #[cfg(target_os = "android")] - use libc::{off_t, size_t, MAP_SHARED, O_RDWR, PROT_READ, PROT_WRITE}; - use std::ffi::CStr; + pub type UnixShMemProvider = ashmem::AshmemShMemProvider; #[cfg(target_os = "android")] - use std::ffi::CString; + pub type UnixShMem = ashmem::AshmemShMem; + #[cfg(not(target_os = "android"))] + pub type UnixShMemProvider = default::CommonUnixShMemProvider; + #[cfg(not(target_os = "android"))] + pub type UnixShMem = ashmem::AshmemShMem; - use crate::Error; + #[cfg(all(unix, feature = "std", not(target_os = "android")))] + mod default { + use core::{ptr, slice}; + use libc::{c_int, c_long, c_uchar, c_uint, c_ulong, c_ushort, c_void}; - use super::{HasFd, ShMem}; + use crate::Error; - #[cfg(unix)] - extern "C" { - #[cfg(feature = "std")] - fn snprintf(_: *mut c_char, _: c_ulong, _: *const c_char, _: ...) -> c_int; - #[cfg(feature = "std")] - fn strncpy(_: *mut c_char, _: *const c_char, _: c_ulong) -> *mut c_char; - #[cfg(all(feature = "std", not(target_os = "android")))] - fn shmctl(__shmid: c_int, __cmd: c_int, __buf: *mut shmid_ds) -> c_int; - #[cfg(all(feature = "std", not(target_os = "android")))] - fn shmget(__key: c_int, __size: c_ulong, __shmflg: c_int) -> c_int; - #[cfg(all(feature = "std", not(target_os = "android")))] - fn shmat(__shmid: c_int, __shmaddr: *const c_void, __shmflg: c_int) -> *mut c_void; - #[cfg(all(feature = "std", target_os = "android"))] - fn ioctl(fd: c_int, request: c_long, ...) -> c_int; - #[cfg(all(feature = "std", target_os = "android"))] - fn open(path: *const c_char, oflag: c_int, ...) 
-> c_int; - #[cfg(all(feature = "std", target_os = "android"))] - fn close(fd: c_int) -> c_int; - #[cfg(all(feature = "std", target_os = "android"))] - fn mmap( - addr: *mut c_void, - len: size_t, - prot: c_int, - flags: c_int, - fd: c_int, - offset: off_t, - ) -> *mut c_void; + use super::super::{ShMem, ShMemId, ShMemProvider}; - } - - #[cfg(target_os = "android")] - #[derive(Copy, Clone)] - #[repr(C)] - struct ashmem_pin { - pub offset: c_uint, - pub len: c_uint, - } - - #[cfg(target_os = "android")] - const ASHMEM_GET_SIZE: c_long = 0x00007704; - #[cfg(target_os = "android")] - const ASHMEM_UNPIN: c_long = 0x40087708; - #[cfg(target_os = "android")] - const ASHMEM_SET_NAME: c_long = 0x41007701; - #[cfg(target_os = "android")] - const ASHMEM_SET_SIZE: c_long = 0x40087703; - #[cfg(target_os = "android")] - const ASHMEM_DEVICE: &str = "/dev/ashmem"; - - #[cfg(target_os = "android")] - unsafe fn shmctl(__shmid: c_int, __cmd: c_int, _buf: *mut shmid_ds) -> c_int { - if __cmd == 0 { - let length = ioctl(__shmid, ASHMEM_GET_SIZE); - - let ap = ashmem_pin { - offset: 0, - len: length as u32, - }; - - let ret = ioctl(__shmid, ASHMEM_UNPIN, &ap); - close(__shmid); - ret - } else { - 0 - } - } - - #[cfg(target_os = "android")] - unsafe fn shmget(__key: c_int, __size: c_ulong, __shmflg: c_int) -> c_int { - let boot_id = std::fs::read_to_string("/proc/sys/kernel/random/boot_id").unwrap(); - - let path = CString::new(format!("{}{}", ASHMEM_DEVICE, boot_id).trim()) - .expect("CString::new failed!"); - let fd = open(path.as_ptr(), O_RDWR); - - let mut ourkey: [c_char; 20] = [0; 20]; - snprintf( - ourkey.as_mut_ptr() as *mut c_char, - size_of::<[c_char; 20]>() as c_ulong, - b"%d\x00" as *const u8 as *const c_char, - if __key == 0 { fd } else { __key }, - ); - - if ioctl(fd, ASHMEM_SET_NAME, &ourkey) != 0 { - close(fd); - return 0; - }; - - if ioctl(fd, ASHMEM_SET_SIZE, __size) != 0 { - close(fd); - return 0; - }; - - fd - } - - #[cfg(target_os = "android")] - unsafe fn 
shmat(__shmid: c_int, __shmaddr: *const c_void, __shmflg: c_int) -> *mut c_void { - let size = ioctl(__shmid, ASHMEM_GET_SIZE); - if size < 0 { - return 0 as *mut c_void; + #[cfg(unix)] + #[derive(Copy, Clone)] + #[repr(C)] + struct ipc_perm { + pub __key: c_int, + pub uid: c_uint, + pub gid: c_uint, + pub cuid: c_uint, + pub cgid: c_uint, + pub mode: c_ushort, + pub __pad1: c_ushort, + pub __seq: c_ushort, + pub __pad2: c_ushort, + pub __glibc_reserved1: c_ulong, + pub __glibc_reserved2: c_ulong, } - let ptr = mmap( - 0 as *mut c_void, - size as usize, - PROT_READ | PROT_WRITE, - MAP_SHARED, - __shmid, - 0, - ); - if ptr == usize::MAX as *mut c_void { - return 0 as *mut c_void; + #[cfg(unix)] + #[derive(Copy, Clone)] + #[repr(C)] + struct shmid_ds { + pub shm_perm: ipc_perm, + pub shm_segsz: c_ulong, + pub shm_atime: c_long, + pub shm_dtime: c_long, + pub shm_ctime: c_long, + pub shm_cpid: c_int, + pub shm_lpid: c_int, + pub shm_nattch: c_ulong, + pub __glibc_reserved4: c_ulong, + pub __glibc_reserved5: c_ulong, } - ptr - } + extern "C" { + fn shmctl(__shmid: c_int, __cmd: c_int, __buf: *mut shmid_ds) -> c_int; + fn shmget(__key: c_int, __size: c_ulong, __shmflg: c_int) -> c_int; + fn shmat(__shmid: c_int, __shmaddr: *const c_void, __shmflg: c_int) -> *mut c_void; + } - #[cfg(unix)] - #[derive(Copy, Clone)] - #[repr(C)] - struct ipc_perm { - pub __key: c_int, - pub uid: c_uint, - pub gid: c_uint, - pub cuid: c_uint, - pub cgid: c_uint, - pub mode: c_ushort, - pub __pad1: c_ushort, - pub __seq: c_ushort, - pub __pad2: c_ushort, - pub __glibc_reserved1: c_ulong, - pub __glibc_reserved2: c_ulong, - } - - #[cfg(unix)] - #[derive(Copy, Clone)] - #[repr(C)] - struct shmid_ds { - pub shm_perm: ipc_perm, - pub shm_segsz: c_ulong, - pub shm_atime: c_long, - pub shm_dtime: c_long, - pub shm_ctime: c_long, - pub shm_cpid: c_int, - pub shm_lpid: c_int, - pub shm_nattch: c_ulong, - pub __glibc_reserved4: c_ulong, - pub __glibc_reserved5: c_ulong, - } - - /// The default 
Sharedmap impl for unix using shmctl & shmget - #[cfg(unix)] - #[derive(Clone, Debug)] - pub struct UnixShMem { - pub shm_str: [u8; 20], - pub shm_id: c_int, - pub map: *mut u8, - pub map_size: usize, - } - - #[cfg(unix)] - impl ShMem for UnixShMem { - fn existing_from_shm_slice( - map_str_bytes: &[u8; 20], + /// The default sharedmap impl for unix using shmctl & shmget + #[derive(Clone, Debug)] + pub struct CommonUnixShMem { + id: ShMemId, + map: *mut u8, map_size: usize, - ) -> Result { - unsafe { - let str_bytes = map_str_bytes as *const [u8; 20] as *const libc::c_char; - Self::from_str(CStr::from_ptr(str_bytes), map_size) + } + + impl CommonUnixShMem { + /// Create a new shared memory mapping, using shmget/shmat + pub fn new(map_size: usize) -> Result { + unsafe { + let os_id = shmget(0, map_size as c_ulong, 0o1000 | 0o2000 | 0o600); + + if os_id < 0_i32 { + return Err(Error::Unknown(format!("Failed to allocate a shared mapping of size {} - check OS limits (i.e shmall, shmmax)", map_size))); + } + + let map = shmat(os_id, ptr::null(), 0) as *mut c_uchar; + + if map as c_int == -1 || map.is_null() { + shmctl(os_id, 0, ptr::null_mut()); + return Err(Error::Unknown( + "Failed to map the shared mapping".to_string(), + )); + } + + Ok(Self { + id: ShMemId::from_int(os_id), + map, + map_size, + }) + } + } + + /// Get a UnixShMem of the existing shared memory mapping identified by id + pub fn from_id_and_size(id: ShMemId, map_size: usize) -> Result { + unsafe { + let map = shmat(id.to_int(), ptr::null(), 0) as *mut c_uchar; + + if map == usize::MAX as *mut c_void as *mut c_uchar || map.is_null() { + return Err(Error::Unknown( + "Failed to map the shared mapping".to_string(), + )); + } + + Ok(Self { id, map, map_size }) + } } } - fn new_map(map_size: usize) -> Result { - Self::new(map_size) + #[cfg(unix)] + impl ShMem for CommonUnixShMem { + fn id(&self) -> ShMemId { + self.id + } + + fn len(&self) -> usize { + self.map_size + } + + fn map(&self) -> &[u8] { + unsafe { 
slice::from_raw_parts(self.map, self.map_size) } + } + + fn map_mut(&mut self) -> &mut [u8] { + unsafe { slice::from_raw_parts_mut(self.map, self.map_size) } + } } - fn shm_slice(&self) -> &[u8; 20] { - &self.shm_str + /// Drop implementation for UnixShMem, which cleans up the mapping + #[cfg(unix)] + impl Drop for CommonUnixShMem { + fn drop(&mut self) { + unsafe { + shmctl(self.id.to_int(), 0, ptr::null_mut()); + } + } } - fn map(&self) -> &[u8] { - unsafe { slice::from_raw_parts(self.map, self.map_size) } + /// A ShMemProvider which uses shmget/shmat/shmctl to provide shared memory mappings. + #[cfg(unix)] + #[derive(Clone, Debug)] + pub struct CommonUnixShMemProvider {} + + unsafe impl Send for CommonUnixShMemProvider {} + + #[cfg(unix)] + impl Default for CommonUnixShMemProvider { + fn default() -> Self { + Self::new().unwrap() + } } - fn map_mut(&mut self) -> &mut [u8] { - unsafe { slice::from_raw_parts_mut(self.map, self.map_size) } - } - } + /// Implement ShMemProvider for UnixShMemProvider + #[cfg(unix)] + impl ShMemProvider for CommonUnixShMemProvider { + type Mem = CommonUnixShMem; - impl HasFd for UnixShMem { - fn shm_id(&self) -> i32 { - self.shm_id - } - } + fn new() -> Result { + Ok(Self {}) + } + fn new_map(&mut self, map_size: usize) -> Result { + CommonUnixShMem::new(map_size) + } - /// Deinit sharedmaps on drop - impl Drop for UnixShMem { - fn drop(&mut self) { - unsafe { - unix_shmem_deinit(self); + fn from_id_and_size(&mut self, id: ShMemId, size: usize) -> Result { + CommonUnixShMem::from_id_and_size(id, size) } } } - /// Create an uninitialized shmap - #[cfg(unix)] - const fn unix_shmem_unitialized() -> UnixShMem { - UnixShMem { - shm_str: [0; 20], - shm_id: -1, - map: 0 as *mut c_uchar, - map_size: 0, - } - } + #[cfg(all(unix, feature = "std"))] + pub mod ashmem { + use core::slice; + use libc::{ + c_char, c_int, c_long, c_uint, c_void, off_t, size_t, MAP_SHARED, O_RDWR, PROT_READ, + PROT_WRITE, + }; + use std::ffi::CString; - #[cfg(unix)] - 
impl UnixShMem { - pub fn from_str(shm_str: &CStr, map_size: usize) -> Result { - let mut ret = unix_shmem_unitialized(); - let map = unsafe { unix_shmem_by_str(&mut ret, shm_str, map_size) }; - if !map.is_null() { - Ok(ret) - } else { - Err(Error::Unknown(format!( - "Could not allocate map with id {:?} and size {}", - shm_str, map_size - ))) + use crate::Error; + + use super::super::{ShMem, ShMemId, ShMemProvider}; + + extern "C" { + fn ioctl(fd: c_int, request: c_long, ...) -> c_int; + fn open(path: *const c_char, oflag: c_int, ...) -> c_int; + fn close(fd: c_int) -> c_int; + fn mmap( + addr: *mut c_void, + len: size_t, + prot: c_int, + flags: c_int, + fd: c_int, + offset: off_t, + ) -> *mut c_void; + + } + + /// An ashmem based impl for linux/android + #[cfg(unix)] + #[derive(Clone, Debug)] + pub struct AshmemShMem { + id: ShMemId, + map: *mut u8, + map_size: usize, + } + + #[derive(Copy, Clone)] + #[repr(C)] + struct ashmem_pin { + pub offset: c_uint, + pub len: c_uint, + } + + const ASHMEM_GET_SIZE: c_long = 0x00007704; + const ASHMEM_UNPIN: c_long = 0x40087708; + //const ASHMEM_SET_NAME: c_long = 0x41007701; + const ASHMEM_SET_SIZE: c_long = 0x40087703; + + impl AshmemShMem { + /// Create a new shared memory mapping, using shmget/shmat + pub fn new(map_size: usize) -> Result { + unsafe { + let device_path = CString::new( + if let Ok(boot_id) = + std::fs::read_to_string("/proc/sys/kernel/random/boot_id") + { + format!("{}{}", "/dev/ashmem", boot_id).trim().to_string() + } else { + "/dev/ashmem".to_string() + }, + ) + .unwrap(); + + let fd = open(device_path.as_ptr(), O_RDWR); + if fd == -1 { + return Err(Error::Unknown(format!( + "Failed to open the ashmem device at {:?}", + device_path + ))); + } + + //if ioctl(fd, ASHMEM_SET_NAME, name) != 0 { + //close(fd); + //return Err(Error::Unknown("Failed to set the ashmem mapping's name".to_string())); + //}; + + if ioctl(fd, ASHMEM_SET_SIZE, map_size) != 0 { + close(fd); + return Err(Error::Unknown( + "Failed to set 
the ashmem mapping's size".to_string(), + )); + }; + + let map = mmap( + std::ptr::null_mut(), + map_size, + PROT_READ | PROT_WRITE, + MAP_SHARED, + fd, + 0, + ); + if map == usize::MAX as *mut c_void { + close(fd); + return Err(Error::Unknown( + "Failed to map the ashmem mapping".to_string(), + )); + } + + Ok(Self { + id: ShMemId::from_string(&format!("{}", fd)), + map: map as *mut u8, + map_size, + }) + } + } + + /// Get a UnixShMem of the existing shared memory mapping identified by id + pub fn from_id_and_size(id: ShMemId, map_size: usize) -> Result { + unsafe { + let fd: i32 = id.to_string().parse().unwrap(); + #[allow(clippy::cast_sign_loss)] + if ioctl(fd, ASHMEM_GET_SIZE) as u32 as usize != map_size { + return Err(Error::Unknown( + "The mapping's size differs from the requested size".to_string(), + )); + }; + + let map = mmap( + std::ptr::null_mut(), + map_size, + PROT_READ | PROT_WRITE, + MAP_SHARED, + fd, + 0, + ); + if map == usize::MAX as *mut c_void { + close(fd); + return Err(Error::Unknown( + "Failed to map the ashmem mapping".to_string(), + )); + } + + Ok(Self { + id, + map: map as *mut u8, + map_size, + }) + } } } - pub fn new(map_size: usize) -> Result { - let mut ret = unix_shmem_unitialized(); - let map = unsafe { unix_shmem_init(&mut ret, map_size) }; - if !map.is_null() { - Ok(ret) - } else { - Err(Error::Unknown(format!( - "Could not allocate map of size {}", - map_size - ))) + #[cfg(unix)] + impl ShMem for AshmemShMem { + fn id(&self) -> ShMemId { + self.id + } + + fn len(&self) -> usize { + self.map_size + } + + fn map(&self) -> &[u8] { + unsafe { slice::from_raw_parts(self.map, self.map_size) } + } + + fn map_mut(&mut self) -> &mut [u8] { + unsafe { slice::from_raw_parts_mut(self.map, self.map_size) } } } - } - /// Deinitialize this shmem instance - unsafe fn unix_shmem_deinit(shm: *mut UnixShMem) { - if shm.is_null() || (*shm).map.is_null() { - /* Serialized map id */ - // Not set or not initialized; - return; - } - 
(*shm).shm_str[0_usize] = 0u8; - shmctl((*shm).shm_id, 0 as c_int, ptr::null_mut()); - (*shm).map = ptr::null_mut(); - } + /// Drop implementation for AshmemShMem, which cleans up the mapping + #[cfg(unix)] + impl Drop for AshmemShMem { + fn drop(&mut self) { + unsafe { + let fd: i32 = self.id.to_string().parse().unwrap(); - /// Functions to create Shared memory region, for observation channels and - /// opening inputs and stuff. - unsafe fn unix_shmem_init(shm: *mut UnixShMem, map_size: usize) -> *mut c_uchar { - (*shm).map_size = map_size; - (*shm).map = ptr::null_mut(); - (*shm).shm_id = shmget( - 0 as c_int, - map_size as c_ulong, - 0o1000 as c_int | 0o2000 as c_int | 0o600 as c_int, - ); - if (*shm).shm_id < 0 as c_int { - (*shm).shm_str[0] = 0u8; - return ptr::null_mut(); - } - snprintf( - (*shm).shm_str.as_mut_ptr() as *mut c_char, - size_of::<[c_char; 20]>() as c_ulong, - b"%d\x00" as *const u8 as *const c_char, - (*shm).shm_id, - ); - (*shm).shm_str - [(size_of::<[c_char; 20]>() as c_ulong).wrapping_sub(1 as c_int as c_ulong) as usize] = - 0u8; - (*shm).map = shmat((*shm).shm_id, ptr::null(), 0 as c_int) as *mut c_uchar; - if (*shm).map == -(1 as c_int) as *mut c_void as *mut c_uchar || (*shm).map.is_null() { - shmctl((*shm).shm_id, 0 as c_int, ptr::null_mut()); - (*shm).shm_id = -(1 as c_int); - (*shm).shm_str[0 as c_int as usize] = 0u8; - return ptr::null_mut(); - } - (*shm).map - } + #[allow(clippy::cast_sign_loss)] + let length = ioctl(fd, ASHMEM_GET_SIZE) as u32; - /// Uses a shmap id string to open a shared map - unsafe fn unix_shmem_by_str( - shm: *mut UnixShMem, - shm_str: &CStr, - map_size: usize, - ) -> *mut c_uchar { - if shm.is_null() || shm_str.to_bytes().is_empty() || map_size == 0 { - return ptr::null_mut(); + let ap = ashmem_pin { + offset: 0, + len: length, + }; + + ioctl(fd, ASHMEM_UNPIN, &ap); + close(fd); + } + } } - (*shm).map = ptr::null_mut(); - (*shm).map_size = map_size; - strncpy( - (*shm).shm_str.as_mut_ptr() as *mut c_char, - 
shm_str.as_ptr() as *const c_char, - (size_of::<[c_char; 20]>() as c_ulong).wrapping_sub(1 as c_int as c_ulong), - ); - (*shm).shm_id = shm_str - .to_str() - .unwrap_or_else(|_| panic!("illegal shm_str {:?}", shm_str)) - .parse::() - .unwrap(); - (*shm).map = shmat((*shm).shm_id, ptr::null(), 0 as c_int) as *mut c_uchar; - if (*shm).map == -(1 as c_int) as *mut c_void as *mut c_uchar { - (*shm).map = ptr::null_mut(); - (*shm).map_size = 0; - (*shm).shm_str[0] = 0u8; - return ptr::null_mut(); + + /// A ShMemProvider which uses ashmem to provide shared memory mappings. + #[cfg(unix)] + #[derive(Clone, Debug)] + pub struct AshmemShMemProvider {} + + unsafe impl Send for AshmemShMemProvider {} + + #[cfg(unix)] + impl Default for AshmemShMemProvider { + fn default() -> Self { + Self::new().unwrap() + } + } + + /// Implement ShMemProvider for AshmemShMemProvider + #[cfg(unix)] + impl ShMemProvider for AshmemShMemProvider { + type Mem = AshmemShMem; + + fn new() -> Result { + Ok(Self {}) + } + + fn new_map(&mut self, map_size: usize) -> Result { + let mapping = AshmemShMem::new(map_size)?; + Ok(mapping) + } + + fn from_id_and_size(&mut self, id: ShMemId, size: usize) -> Result { + AshmemShMem::from_id_and_size(id, size) + } } - (*shm).map } } #[cfg(all(feature = "std", windows))] -pub mod shmem { +pub mod win32_shmem { - use super::ShMem; + use super::{ShMem, ShMemId, ShMemProvider}; use crate::{ bolts::bindings::{ windows::win32::system_services::{ @@ -456,6 +679,7 @@ pub mod shmem { }; use core::{ffi::c_void, ptr, slice}; + use std::convert::TryInto; use uuid::Uuid; const INVALID_HANDLE_VALUE: isize = -1; 
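Review bot: `ShMemId::from_string` does not bound its input: `slice[i] = *val` panics with an index out of range for any string longer than 20 bytes, and a string of exactly 20 bytes fills the array with no terminating zero, after which `to_string()` panics on `.position(|&c| c == 0).unwrap()` (and `to_int()` on its `parse().unwrap()`), while the win32 `from_id_and_size` in a later hunk hands the unterminated buffer to `OpenFileMappingA` as a C string. `ShMemProvider::existing_from_env` feeds the raw value of an environment variable into `from_string_and_size`, so this is a panic path reachable from the process environment rather than only from code the crate controls. Reserving the last byte as the terminator and failing loudly on oversize input keeps every `to_string` call total: `let bytes = val.as_bytes();`, `assert!(bytes.len() < 20, "ShMemId must be shorter than 20 bytes");`, `slice[..bytes.len()].copy_from_slice(bytes);` — or, better for the env path, a `Result` returning `Error::Unknown`. Separately, `RcShMem` keeps its mapping in a `ManuallyDrop` and releases it only through `release_map`, whose default body does nothing and which neither `CommonUnixShMemProvider` nor `AshmemShMemProvider` overrides in this hunk, so unless an override exists elsewhere a mapping held through `RcShMem` is never detached or removed.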
@@ -464,26 +688,89 @@ pub mod shmem { /// The default Sharedmap impl for windows using shmctl & shmget #[derive(Clone, Debug)] pub struct Win32ShMem { - pub shm_str: [u8; 20], - pub handle: HANDLE, - pub map: *mut u8, - pub map_size: usize, + id: ShMemId, + handle: HANDLE, + map: *mut u8, + map_size: usize, + } + + impl Win32ShMem { + fn new_map(map_size: usize) -> Result { + unsafe { + let uuid = Uuid::new_v4(); + let mut map_str = format!("libafl_{}", uuid.to_simple()); + let map_str_bytes = map_str.as_mut_vec(); + map_str_bytes[19] = 0; // Trucate to size 20 + let handle = CreateFileMappingA( + HANDLE(INVALID_HANDLE_VALUE), + ptr::null_mut(), + PAGE_TYPE::PAGE_READWRITE, + 0, + map_size as u32, + PSTR(map_str_bytes.as_mut_ptr()), + ); + if handle == HANDLE(0) { + return Err(Error::Unknown(format!( + "Cannot create shared memory {}", + String::from_utf8_lossy(map_str_bytes) + ))); + } + let map = MapViewOfFile(handle, FILE_MAP_ALL_ACCESS, 0, 0, map_size) as *mut u8; + if map == ptr::null_mut() { + return Err(Error::Unknown(format!( + "Cannot map shared memory {}", + String::from_utf8_lossy(map_str_bytes) + ))); + } + + Ok(Self { + id: ShMemId::from_slice(&map_str_bytes[0..20].try_into().unwrap()), + handle, + map, + map_size, + }) + } + } + + fn from_id_and_size(id: ShMemId, map_size: usize) -> Result { + unsafe { + let map_str_bytes = id.id; + + let handle = OpenFileMappingA( + FILE_MAP_ALL_ACCESS, + BOOL(0), + PSTR(&map_str_bytes as *const u8 as *mut u8), + ); + if handle == HANDLE(0) { + return Err(Error::Unknown(format!( + "Cannot open shared memory {}", + String::from_utf8_lossy(&map_str_bytes) + ))); + } + let map = MapViewOfFile(handle, FILE_MAP_ALL_ACCESS, 0, 0, map_size) as *mut u8; + if map.is_null() { + return Err(Error::Unknown(format!( + "Cannot map shared memory {}", + String::from_utf8_lossy(&map_str_bytes) + ))); + } + Ok(Self { + id, + handle, + map, + map_size, + }) + } + } } impl ShMem for Win32ShMem { - fn existing_from_shm_slice( - 
map_str_bytes: &[u8; 20], - map_size: usize, - ) -> Result { - Self::from_str(map_str_bytes, map_size) + fn id(&self) -> ShMemId { + self.id } - fn new_map(map_size: usize) -> Result { - Self::new(map_size) - } - - fn shm_slice(&self) -> &[u8; 20] { - &self.shm_str + fn len(&self) -> usize { + self.map_size } fn map(&self) -> &[u8] { 
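Review bot: `Win32ShMem::new_map` passes `map_size as u32` as the low size dword of `CreateFileMappingA` with the high dword fixed at `0`, so a request of 4 GiB or more is silently truncated while `len()` still reports the full `map_size`, and every later `map()` slice would extend past the view. `std::convert::TryInto` is imported in the previous hunk, so the narrowing can fail instead: `let low_size: u32 = map_size.try_into().map_err(|_| Error::Unknown(format!("map size {} exceeds u32", map_size)))?;` and then `low_size` in the call. In both `new_map` and `from_id_and_size` the `handle` returned by `CreateFileMappingA`/`OpenFileMappingA` is also not closed when `MapViewOfFile` fails, so each failed attempt leaks a kernel handle. The `impl ShMem for Win32ShMem` at the bottom continues outside this hunk.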
@@ -505,100 +792,29 @@ pub mod shmem { } } - impl Win32ShMem { - pub fn from_str(map_str_bytes: &[u8; 20], map_size: usize) -> Result { - unsafe { - let handle = OpenFileMappingA( - FILE_MAP_ALL_ACCESS, - BOOL(0), - PSTR(map_str_bytes as *const u8 as *mut u8), - ); - if handle == HANDLE(0) { - return Err(Error::Unknown(format!( - "Cannot open shared memory {}", - String::from_utf8_lossy(map_str_bytes) - ))); - } - let map = - MapViewOfFile(handle.clone(), FILE_MAP_ALL_ACCESS, 0, 0, map_size) as *mut u8; - if map == ptr::null_mut() { - return Err(Error::Unknown(format!( - "Cannot map shared memory {}", - String::from_utf8_lossy(map_str_bytes) - ))); - } - let mut ret = Self { - shm_str: [0; 20], - handle: handle, - map: map, - map_size: map_size, - }; - ret.shm_str.clone_from_slice(map_str_bytes); - Ok(ret) - } + /// A ShMemProvider which uses win32 functions to provide shared memory mappings. + #[derive(Clone, Debug)] + pub struct Win32ShMemProvider {} + + impl Default for Win32ShMemProvider { + fn default() -> Self { + Self::new().unwrap() + } + } + + /// Implement ShMemProvider for Win32ShMemProvider + impl ShMemProvider for Win32ShMemProvider { + type Mem = Win32ShMem; + + fn new() -> Result { + Ok(Self {}) + } + fn new_map(&mut self, map_size: usize) -> Result { + Win32ShMem::new_map(map_size) } - pub fn new(map_size: usize) -> Result { - unsafe { - let uuid = Uuid::new_v4(); - let mut map_str = format!("libafl_{}", uuid.to_simple()); - let map_str_bytes = map_str.as_mut_vec(); - map_str_bytes[19] = 0; // Trucate to size 20 - let handle = CreateFileMappingA( - HANDLE(INVALID_HANDLE_VALUE), - ptr::null_mut(), - PAGE_TYPE::PAGE_READWRITE, - 0, - map_size as u32, - PSTR(map_str_bytes.as_mut_ptr()), - ); - if handle == HANDLE(0) { - return Err(Error::Unknown(format!( - "Cannot create shared memory {}", - String::from_utf8_lossy(map_str_bytes) - ))); - } - let map = - MapViewOfFile(handle.clone(), FILE_MAP_ALL_ACCESS, 0, 0, map_size) as *mut u8; - if map == 
ptr::null_mut() { - return Err(Error::Unknown(format!( - "Cannot map shared memory {}", - String::from_utf8_lossy(map_str_bytes) - ))); - } - let mut ret = Self { - shm_str: [0; 20], - handle: handle, - map: map, - map_size: map_size, - }; - ret.shm_str.clone_from_slice(&map_str_bytes[0..20]); - Ok(ret) - } + fn from_id_and_size(&mut self, id: ShMemId, size: usize) -> Result { + Win32ShMem::from_id_and_size(id, size) } } } - -#[cfg(test)] -mod tests { - - #[cfg(all(unix, feature = "std"))] - use super::{ShMem, UnixShMem}; - - #[cfg(all(unix, feature = "std"))] - #[test] - fn test_str_conversions() { - let mut shm_str: [u8; 20] = [0; 20]; - shm_str[0] = 'A' as u8; - shm_str[1] = 'B' as u8; - shm_str[2] = 'C' as u8; - let faux_shmem = UnixShMem { - shm_id: 0, - shm_str, - map: 0 as *mut u8, - map_size: 20, - }; - let str = faux_shmem.shm_str(); - assert_eq!(str, "ABC"); - } -} diff --git a/libafl/src/bolts/tuples.rs b/libafl/src/bolts/tuples.rs index c44f74102d..6fcd58c13f 100644 --- a/libafl/src/bolts/tuples.rs +++ b/libafl/src/bolts/tuples.rs @@ -4,7 +4,11 @@ pub use tuple_list::{tuple_list, tuple_list_type, TupleList}; use core::any::TypeId; +use xxhash_rust::const_xxh3::xxh3_64; + pub trait HasLen { + const LEN: usize; + fn len(&self) -> usize; fn is_empty(&self) -> bool { self.len() == 0 @@ -12,6 +16,8 @@ pub trait HasLen { } impl HasLen for () { + const LEN: usize = 0; + fn len(&self) -> usize { 0 } 
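Review bot: The `tests` module removed at the end of this hunk was the only coverage of the id-to-string round trip, and its replacement type `ShMemId` (hunk `@@ -20,430 +43,630 @@`) gets no test of its own, so the 20-byte buffer and NUL-terminator rules of `from_string`/`to_string` are now unchecked. A minimal replacement that needs no real mapping: `assert_eq!(ShMemId::from_string("ABC").to_string(), "ABC");` and `assert_eq!(ShMemId::from_int(42).to_int(), 42);` under a `#[cfg(test)]` module at the end of the file. A third case with a 19-byte name would pin the longest id that still round-trips.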
@@ -19,13 +25,61 @@ impl HasLen for () { impl HasLen for (Head, Tail) where - Tail: TupleList + HasLen, + Tail: HasLen, { + const LEN: usize = 1 + Tail::LEN; + fn len(&self) -> usize { 1 + self.1.len() } } +pub trait HasNameId { + fn const_name(&self) -> &'static str; + + fn name_id(&self) -> u64 { + xxh3_64(self.const_name().as_bytes()) + } +} + +pub trait HasNameIdTuple: HasLen { + fn get_const_name(&self, index: usize) -> Option<&'static str>; + + fn get_name_id(&self, index: usize) -> Option; +} + +impl HasNameIdTuple for () { + fn get_const_name(&self, _index: usize) -> Option<&'static str> { + None + } + + fn get_name_id(&self, _index: usize) -> Option { + None + } +} + +impl HasNameIdTuple for (Head, Tail) +where + Head: 'static + HasNameId, + Tail: HasNameIdTuple, +{ + fn get_const_name(&self, index: usize) -> Option<&'static str> { + if index == 0 { + Some(self.0.const_name()) + } else { + self.1.get_const_name(index - 1) + } + } + + fn get_name_id(&self, index: usize) -> Option { + if index == 0 { + Some(self.0.name_id()) + } else { + self.1.get_name_id(index - 1) + } + } +} + pub trait MatchFirstType { fn match_first_type(&self) -> Option<&T>; fn match_first_type_mut(&mut self) -> Option<&mut T>; @@ -43,7 +97,7 @@ impl MatchFirstType for () { impl MatchFirstType for (Head, Tail) where Head: 'static, - Tail: TupleList + MatchFirstType, + Tail: MatchFirstType, { fn match_first_type(&self) -> Option<&T> { if TypeId::of::() == TypeId::of::() { @@ -75,7 +129,7 @@ impl MatchType for () { impl MatchType for (Head, Tail) where Head: 'static, - Tail: TupleList + MatchType, + Tail: MatchType, { fn match_type(&self, f: fn(t: &T)) { if TypeId::of::() == TypeId::of::() { 
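Review bot: `HasNameId::name_id` derives a 64-bit id from `const_name()` with `xxh3_64`, a non-cryptographic hash, so two distinct names can map to the same id, and anything that keys lookups on `get_name_id` (not visible here) would conflate them silently. The public traits `HasNameId` and `HasNameIdTuple`, the new `const LEN` on `HasLen` in the -4 hunk, and `NamedTuple` in the -98 hunk all lack `///` docs. I'd put on `name_id` `/// Stable 64-bit xxh3 hash of [`const_name`]; not collision-free, so treat it as a hint, not an identity.`, a summary line on each trait, and `/// Number of elements in this tuple, known at compile time.` on `LEN`.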
@@ -98,6 +152,30 @@ pub trait Named { fn name(&self) -> &str; } +pub trait NamedTuple: HasLen { + fn get_name(&self, index: usize) -> Option<&str>; +} + +impl NamedTuple for () { + fn get_name(&self, _index: usize) -> Option<&str> { + None + } +} + +impl NamedTuple for (Head, Tail) +where + Head: 'static + Named, + Tail: NamedTuple, +{ + fn get_name(&self, index: usize) -> Option<&str> { + if index == 0 { + Some(self.0.name()) + } else { + self.1.get_name(index - 1) + } + } +} + pub trait MatchNameAndType { fn match_name_type(&self, name: &str) -> Option<&T>; fn match_name_type_mut(&mut self, name: &str) -> Option<&mut T>; @@ -115,7 +193,7 @@ impl MatchNameAndType for () { impl MatchNameAndType for (Head, Tail) where Head: 'static + Named, - Tail: TupleList + MatchNameAndType, + Tail: MatchNameAndType, { fn match_name_type(&self, name: &str) -> Option<&T> { if TypeId::of::() == TypeId::of::() && name == self.0.name() { diff --git a/libafl/src/corpus/minimizer.rs b/libafl/src/corpus/minimizer.rs index 475688909b..e4f12f95a1 100644 --- a/libafl/src/corpus/minimizer.rs +++ b/libafl/src/corpus/minimizer.rs @@ -150,6 +150,8 @@ where C: Corpus, R: Rand, { + /// Update the `Corpus` score using the `MinimizerCorpusScheduler` + #[allow(clippy::unused_self)] pub fn update_score(&self, state: &mut S, idx: usize) -> Result<(), Error> { // Create a new top rated meta if not existing if state.metadata().get::().is_none() { 
@@ -194,16 +196,18 @@ where Ok(()) } + /// Cull the `Corpus` using the `MinimizerCorpusScheduler` + #[allow(clippy::unused_self)] pub fn cull(&self, state: &mut S) -> Result<(), Error> { - if state.metadata().get::().is_none() { - return Ok(()); - } - let mut acc = HashSet::new(); - let top_rated = state.metadata().get::().unwrap(); + let top_rated = match state.metadata().get::() { + None => return Ok(()), + Some(val) => val, + }; - for key in top_rated.map.keys() { + let mut acc = HashSet::new(); + + for (key, idx) in &top_rated.map { if !acc.contains(key) { - let idx = top_rated.map.get(key).unwrap(); let mut entry = state.corpus().get(*idx)?.borrow_mut(); let meta = entry.metadata().get::().ok_or_else(|| { Error::KeyNotFound(format!( diff --git a/libafl/src/corpus/ondisk.rs b/libafl/src/corpus/ondisk.rs index f9ca34d1e4..a71d3d8f7c 100644 --- a/libafl/src/corpus/ondisk.rs +++ b/libafl/src/corpus/ondisk.rs @@ -5,9 +5,21 @@ use core::cell::RefCell; use serde::{Deserialize, Serialize}; #[cfg(feature = "std")] -use std::{fs, path::PathBuf}; +use std::{fs, fs::File, io::Write, path::PathBuf}; -use crate::{corpus::Corpus, corpus::Testcase, inputs::Input, Error}; +use crate::{corpus::Corpus, corpus::Testcase, inputs::Input, state::HasMetadata, Error}; + +/// Options for the the format of the on-disk metadata +#[cfg(feature = "std")] +#[derive(Debug, Clone, Serialize, Deserialize)] +pub enum OnDiskMetadataFormat { + /// A binary-encoded postcard + Postcard, + /// JSON + Json, + /// JSON formatted for readability + JsonPretty, +} /// A corpus able to store testcases to disk, and load them from disk, when they are being used. #[cfg(feature = "std")] @@ -20,6 +32,7 @@ where entries: Vec>>, current: Option, dir_path: PathBuf, + meta_format: Option, } impl Corpus for OnDiskCorpus 
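Review bot: The doc comment on `OnDiskMetadataFormat` reads `/// Options for the the format of the on-disk metadata` with a duplicated "the"; `/// Options for the format of the on-disk metadata` is what was meant. The per-variant docs are fine as they stand.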
@@ -41,6 +54,17 @@ where let filename_str = filename.to_str().expect("Invalid Path"); testcase.set_filename(filename_str.into()); }; + if self.meta_format.is_some() { + let filename = testcase.filename().as_ref().unwrap().to_owned() + ".metadata"; + let mut file = File::create(filename)?; + + let serialized = match self.meta_format.as_ref().unwrap() { + OnDiskMetadataFormat::Postcard => postcard::to_allocvec(testcase.metadata())?, + OnDiskMetadataFormat::Json => serde_json::to_vec(testcase.metadata())?, + OnDiskMetadataFormat::JsonPretty => serde_json::to_vec_pretty(testcase.metadata())?, + }; + file.write_all(&serialized)?; + } testcase .store_input() .expect("Could not save testcase to disk"); @@ -99,6 +123,22 @@ where entries: vec![], current: None, dir_path, + meta_format: None, + }) + } + + /// Creates the OnDiskCorpus specifying the type of metatada to be saved to disk. + /// Will error, if `std::fs::create_dir_all` failed for `dir_path`. + pub fn new_save_meta( + dir_path: PathBuf, + meta_format: Option, + ) -> Result { + fs::create_dir_all(&dir_path)?; + Ok(Self { + entries: vec![], + current: None, + dir_path, + meta_format, }) } } diff --git a/libafl/src/corpus/testcase.rs b/libafl/src/corpus/testcase.rs index eea9fd01ac..bae9860ed6 100644 --- a/libafl/src/corpus/testcase.rs +++ b/libafl/src/corpus/testcase.rs @@ -217,14 +217,15 @@ where self.cached_len = Some(l); l } - None => match self.cached_len { - Some(l) => l, - None => { + None => { + if let Some(l) = self.cached_len { + l + } else { let l = self.load_input()?.len(); self.cached_len = Some(l); l } - }, + } }) } } diff --git a/libafl/src/events/llmp.rs b/libafl/src/events/llmp.rs index c8984d0dad..90fd00f864 100644 --- a/libafl/src/events/llmp.rs +++ b/libafl/src/events/llmp.rs @@ -1,3 +1,5 @@ +//! LLMP-backed event manager for scalable multi-processed fuzzing + use alloc::{string::ToString, vec::Vec}; use core::{marker::PhantomData, time::Duration}; use serde::{de::DeserializeOwned, Serialize}; 
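Review bot: `if self.meta_format.is_some()` followed by `self.meta_format.as_ref().unwrap()` is the `is_some()`+`unwrap()` pattern; `if let Some(meta_format) = &self.meta_format {` together with `let serialized = match meta_format {` removes the unwrap and the double lookup. The new `let filename = ... + ".metadata"` also shadows the `filename` bound a few lines above (the context still calls `filename.to_str()` on it) with a `String` of a different meaning; `meta_filename` would avoid the confusion. The enclosing method starts and ends outside this hunk.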
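Review bot: `new_save_meta` duplicates the body of `new` except for the `meta_format` field; `new` can become `Self::new_save_meta(dir_path, None)` so the `create_dir_all` call and the field initialisation live in one place. The doc line on `new_save_meta` has a typo, `metatada` → `metadata`.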
@@ -6,20 +8,15 @@ use serde::{de::DeserializeOwned, Serialize}; use core::ptr::read_volatile; #[cfg(feature = "std")] -use crate::bolts::llmp::LlmpReceiver; +use crate::bolts::{ + llmp::{LlmpClient, LlmpReceiver}, + shmem::StdShMemProvider, +}; -#[cfg(all(feature = "std", windows))] -use crate::utils::startable_self; - -#[cfg(all(feature = "std", unix))] -use crate::utils::{fork, ForkResult}; - -#[cfg(all(feature = "std", unix))] -use crate::bolts::shmem::UnixShMem; use crate::{ bolts::{ - llmp::{self, LlmpClient, LlmpClientDescription, LlmpSender, Tag}, - shmem::{HasFd, ShMem}, + llmp::{self, Flag, LlmpClientDescription, LlmpSender, Tag}, + shmem::ShMemProvider, }, corpus::CorpusScheduler, events::{BrokerEventResult, Event, EventManager}, @@ -32,6 +29,21 @@ use crate::{ Error, }; +#[cfg(feature = "llmp_compression")] +use crate::bolts::{ + compress::GzipCompressor, + llmp::{LLMP_FLAG_COMPRESSED, LLMP_FLAG_INITIALIZED}, +}; + +#[cfg(all(feature = "std", windows))] +use crate::utils::startable_self; + +#[cfg(all(feature = "std", unix))] +use crate::utils::{fork, ForkResult}; + +#[cfg(all(feature = "std", target_os = "android"))] +use crate::bolts::os::ashmem_server::AshmemService; + /// Forward this to the client const _LLMP_TAG_EVENT_TO_CLIENT: llmp::Tag = 0x2C11E471; /// Only handle this in the broker 
@@ -39,57 +51,35 @@ const _LLMP_TAG_EVENT_TO_BROKER: llmp::Tag = 0x2B80438; /// Handle in both /// const LLMP_TAG_EVENT_TO_BOTH: llmp::Tag = 0x2B0741; - const _LLMP_TAG_RESTART: llmp::Tag = 0x8357A87; const _LLMP_TAG_NO_RESTART: llmp::Tag = 0x57A7EE71; -#[derive(Clone, Debug)] -pub struct LlmpEventManager +#[derive(Debug)] +pub struct LlmpEventManager where I: Input, S: IfInteresting, - SH: ShMem, + SP: ShMemProvider + 'static, ST: Stats, //CE: CustomEvent, { stats: Option, - llmp: llmp::LlmpConnection, + llmp: llmp::LlmpConnection, + #[cfg(feature = "llmp_compression")] + compressor: GzipCompressor, + phantom: PhantomData<(I, S)>, } -#[cfg(feature = "std")] -#[cfg(unix)] -impl LlmpEventManager +/// The minimum buffer size at which to compress LLMP IPC messages. +#[cfg(feature = "llmp_compression")] +const COMPRESS_THRESHOLD: usize = 1024; + +impl Drop for LlmpEventManager where I: Input, S: IfInteresting, - ST: Stats, -{ - /// Create llmp on a port - /// If the port is not yet bound, it will act as broker - /// Else, it will act as client. - #[cfg(feature = "std")] - pub fn new_on_port_std(stats: ST, port: u16) -> Result { - Ok(Self { - stats: Some(stats), - llmp: llmp::LlmpConnection::on_port(port)?, - phantom: PhantomData, - }) - } - - /// If a client respawns, it may reuse the existing connection, previously stored by LlmpClient::to_env - /// Std uses UnixShMem. - #[cfg(feature = "std")] - pub fn existing_client_from_env_std(env_name: &str) -> Result { - Self::existing_client_from_env(env_name) - } -} - -impl Drop for LlmpEventManager -where - I: Input, - S: IfInteresting, - SH: ShMem, + SP: ShMemProvider, ST: Stats, { /// LLMP clients will have to wait until their pages are mapped by somebody. 
@@ -98,33 +88,37 @@ where } } -impl LlmpEventManager +impl LlmpEventManager where I: Input, S: IfInteresting, - SH: ShMem, + SP: ShMemProvider, ST: Stats, { /// Create llmp on a port /// If the port is not yet bound, it will act as broker /// Else, it will act as client. #[cfg(feature = "std")] - pub fn new_on_port(stats: ST, port: u16) -> Result { + pub fn new_on_port(shmem_provider: SP, stats: ST, port: u16) -> Result { Ok(Self { stats: Some(stats), - llmp: llmp::LlmpConnection::on_port(port)?, + llmp: llmp::LlmpConnection::on_port(shmem_provider, port)?, + #[cfg(feature = "llmp_compression")] + compressor: GzipCompressor::new(COMPRESS_THRESHOLD), phantom: PhantomData, }) } /// If a client respawns, it may reuse the existing connection, previously stored by LlmpClient::to_env #[cfg(feature = "std")] - pub fn existing_client_from_env(env_name: &str) -> Result { + pub fn existing_client_from_env(shmem_provider: SP, env_name: &str) -> Result { Ok(Self { stats: None, llmp: llmp::LlmpConnection::IsClient { - client: LlmpClient::on_existing_from_env(env_name)?, + client: LlmpClient::on_existing_from_env(shmem_provider, env_name)?, }, + #[cfg(feature = "llmp_compression")] + compressor: GzipCompressor::new(COMPRESS_THRESHOLD), // Inserting a nop-stats element here so rust won't complain. // In any case, the client won't currently use it. phantom: PhantomData, 
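Review bot: `compressor: GzipCompressor::new(COMPRESS_THRESHOLD)` under `#[cfg(feature = "llmp_compression")]` is now repeated in `new_on_port`, `existing_client_from_env`, and `existing_client_from_description` in the -138 hunk; a private constructor taking the `LlmpConnection` (or a small `fn new_compressor() -> GzipCompressor`) would keep the threshold in one spot. In `existing_client_from_env` the comment `// Inserting a nop-stats element here so rust won't complain.` now sits under the `compressor` field rather than next to `stats: None`, which it describes; move it back up (the -138 hunk has the same displacement).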
@@ -138,26 +132,23 @@ where /// Create an existing client from description pub fn existing_client_from_description( + shmem_provider: SP, description: &LlmpClientDescription, ) -> Result { Ok(Self { stats: None, - llmp: llmp::LlmpConnection::existing_client_from_description(description)?, + llmp: llmp::LlmpConnection::existing_client_from_description( + shmem_provider, + description, + )?, + #[cfg(feature = "llmp_compression")] + compressor: GzipCompressor::new(COMPRESS_THRESHOLD), // Inserting a nop-stats element here so rust won't complain. // In any case, the client won't currently use it. phantom: PhantomData, }) } - /// A client on an existing map - pub fn for_client(client: LlmpClient) -> Self { - Self { - stats: None, - llmp: llmp::LlmpConnection::IsClient { client }, - phantom: PhantomData, - } - } - /// Write the config for a client eventmgr to env vars, a new client can reattach using existing_client_from_env #[cfg(feature = "std")] pub fn to_env(&self, env_name: &str) { @@ -179,10 +170,24 @@ where match &mut self.llmp { llmp::LlmpConnection::IsBroker { broker } => { let stats = self.stats.as_mut().unwrap(); + #[cfg(feature = "llmp_compression")] + let compressor = &self.compressor; broker.loop_forever( - &mut |sender_id: u32, tag: Tag, msg: &[u8]| { + &mut |sender_id: u32, tag: Tag, _flags: Flag, msg: &[u8]| { if tag == LLMP_TAG_EVENT_TO_BOTH { - let event: Event = postcard::from_bytes(msg)?; + #[cfg(not(feature = "llmp_compression"))] + let event_bytes = msg; + #[cfg(feature = "llmp_compression")] + let compressed; + #[cfg(feature = "llmp_compression")] + let event_bytes = + if _flags & LLMP_FLAG_COMPRESSED == LLMP_FLAG_COMPRESSED { + compressed = compressor.decompress(msg)?; + &compressed + } else { + msg + }; + let event: Event = postcard::from_bytes(event_bytes)?; match Self::handle_in_broker(stats, sender_id, &event)? { BrokerEventResult::Forward => { Ok(llmp::LlmpMsgHookResult::ForwardToClients) 
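Review bot: `compressor.decompress(msg)?` runs on any message whose flags carry `LLMP_FLAG_COMPRESSED`, so the broker's memory use here is bounded only by what the decompressor produces from a client-supplied buffer; if `GzipCompressor::decompress` does not cap its output (not visible in this hunk), a malformed client in the same broker group can make the broker allocate far more than the message size, and the bound — or the assumption that all clients are trusted — should be stated in a comment next to this call. The client receive path in the -352 hunk has the same pattern. `_flags` is underscore-prefixed yet read under the feature; naming it `flags` and allowing the unused warning only in the non-compression build would be clearer.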
@@ -205,6 +210,7 @@ where } /// Handle arriving events in the broker + #[allow(clippy::unnecessary_wraps)] fn handle_in_broker( stats: &mut ST, sender_id: u32, @@ -256,6 +262,7 @@ where } // Handle arriving events in the client + #[allow(clippy::unused_self)] fn handle_in_client( &mut self, state: &mut S, @@ -285,7 +292,7 @@ where let observers: OT = postcard::from_bytes(&observers_buf)?; // TODO include ExitKind in NewTestcase - let fitness = state.is_interesting(&input, &observers, ExitKind::Ok)?; + let fitness = state.is_interesting(&input, &observers, &ExitKind::Ok)?; if fitness > 0 && state .add_if_interesting(&input, fitness, scheduler)? @@ -304,28 +311,11 @@ where } } -impl LlmpEventManager +impl EventManager for LlmpEventManager where I: Input, S: IfInteresting, - SH: ShMem + HasFd, - ST: Stats, -{ - #[cfg(all(feature = "std", unix))] - pub fn new_on_domain_socket(stats: ST, filename: &str) -> Result { - Ok(Self { - stats: Some(stats), - llmp: llmp::LlmpConnection::on_domain_socket(filename)?, - phantom: PhantomData, - }) - } -} - -impl EventManager for LlmpEventManager -where - I: Input, - S: IfInteresting, - SH: ShMem, + SP: ShMemProvider, ST: Stats, //CE: CustomEvent, { /// The llmp client needs to wait until a broker mapped all pages, before shutting down. 
@@ -352,11 +342,22 @@ where let mut events = vec![]; match &mut self.llmp { llmp::LlmpConnection::IsClient { client } => { - while let Some((sender_id, tag, msg)) = client.recv_buf()? { + while let Some((sender_id, tag, _flags, msg)) = client.recv_buf_with_flags()? { if tag == _LLMP_TAG_EVENT_TO_BROKER { panic!("EVENT_TO_BROKER parcel should not have arrived in the client!"); } - let event: Event = postcard::from_bytes(msg)?; + #[cfg(not(feature = "llmp_compression"))] + let event_bytes = msg; + #[cfg(feature = "llmp_compression")] + let compressed; + #[cfg(feature = "llmp_compression")] + let event_bytes = if _flags & LLMP_FLAG_COMPRESSED == LLMP_FLAG_COMPRESSED { + compressed = self.compressor.decompress(msg)?; + &compressed + } else { + msg + }; + let event: Event = postcard::from_bytes(event_bytes)?; events.push((sender_id, event)); } } @@ -372,6 +373,27 @@ where Ok(count) } + #[cfg(feature = "llmp_compression")] + fn fire(&mut self, _state: &mut S, event: Event) -> Result<(), Error> { + let serialized = postcard::to_allocvec(&event)?; + let flags: Flag = LLMP_FLAG_INITIALIZED; + + match self.compressor.compress(&serialized)? { + Some(comp_buf) => { + self.llmp.send_buf_with_flags( + LLMP_TAG_EVENT_TO_BOTH, + &comp_buf, + flags | LLMP_FLAG_COMPRESSED, + )?; + } + None => { + self.llmp.send_buf(LLMP_TAG_EVENT_TO_BOTH, &serialized)?; + } + } + Ok(()) + } + + #[cfg(not(feature = "llmp_compression"))] fn fire(&mut self, _state: &mut S, event: Event) -> Result<(), Error> { let serialized = postcard::to_allocvec(&event)?; self.llmp.send_buf(LLMP_TAG_EVENT_TO_BOTH, &serialized)?; 
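Review bot: In the compression-enabled `fire`, `let flags: Flag = LLMP_FLAG_INITIALIZED;` is consumed only in the `Some(comp_buf)` arm, so it can be folded into the call as `LLMP_FLAG_INITIALIZED | LLMP_FLAG_COMPRESSED`. The two `fire` bodies differ only in the compression step; a single `fire` with a `#[cfg(feature = "llmp_compression")]` block around the compress-and-send would avoid the duplicated `postcard::to_allocvec(&event)?`. Neither variant is documented; `/// Serialize `event` and send it to the broker; with `llmp_compression`, buffers the compressor chooses to compress (presumably those above `COMPRESS_THRESHOLD`) are sent with `LLMP_FLAG_COMPRESSED`.` would cover both.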
@@ -382,57 +404,59 @@ where /// Serialize the current state and corpus during an executiont to bytes. /// On top, add the current llmp event manager instance to be restored /// This method is needed when the fuzzer run crashes and has to restart. -pub fn serialize_state_mgr( +pub fn serialize_state_mgr( state: &S, - mgr: &LlmpEventManager, + mgr: &LlmpEventManager, ) -> Result, Error> where I: Input, S: Serialize + IfInteresting, - SH: ShMem, + SP: ShMemProvider, ST: Stats, { Ok(postcard::to_allocvec(&(&state, &mgr.describe()?))?) } /// Deserialize the state and corpus tuple, previously serialized with `serialize_state_corpus(...)` -pub fn deserialize_state_mgr( +#[allow(clippy::type_complexity)] +pub fn deserialize_state_mgr( + shmem_provider: SP, state_corpus_serialized: &[u8], -) -> Result<(S, LlmpEventManager), Error> +) -> Result<(S, LlmpEventManager), Error> where I: Input, S: DeserializeOwned + IfInteresting, - SH: ShMem, + SP: ShMemProvider, ST: Stats, { let tuple: (S, _) = postcard::from_bytes(&state_corpus_serialized)?; Ok(( tuple.0, - LlmpEventManager::existing_client_from_description(&tuple.1)?, + LlmpEventManager::existing_client_from_description(shmem_provider, &tuple.1)?, )) } /// A manager that can restart on the fly, storing states in-between (in `on_resatrt`) -#[derive(Clone, Debug)] -pub struct LlmpRestartingEventManager +#[derive(Debug)] +pub struct LlmpRestartingEventManager where I: Input, S: IfInteresting, - SH: ShMem, + SP: ShMemProvider + 'static, ST: Stats, //CE: CustomEvent, { /// The embedded llmp event manager - llmp_mgr: LlmpEventManager, + llmp_mgr: LlmpEventManager, /// The sender to serialize the state for the next runner - sender: LlmpSender, + sender: LlmpSender, } -impl EventManager for LlmpRestartingEventManager +impl EventManager for LlmpRestartingEventManager where I: Input, S: IfInteresting + Serialize, - SH: ShMem, + SP: ShMemProvider, ST: Stats, //CE: CustomEvent, { /// The llmp client needs to wait until a broker mapped 
all pages, before shutting down. 
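Review bot: `deserialize_state_mgr`'s doc says it reverses `serialize_state_corpus(...)`, but the function it pairs with is `serialize_state_mgr` directly above; since this commit changes the signature anyway, make the doc `/// Deserialize the state and corpus tuple, previously serialized with `serialize_state_mgr(...)``. `postcard::from_bytes(&state_corpus_serialized)` re-borrows a `&[u8]`; `postcard::from_bytes(state_corpus_serialized)?` suffices. The `LlmpRestartingEventManager` doc reads `on_resatrt` where `on_restart` is meant.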
@@ -477,117 +501,157 @@ const _ENV_FUZZER_RECEIVER: &str = &"_AFL_ENV_FUZZER_RECEIVER"; /// The llmp (2 way) connection from a fuzzer to the broker (broadcasting all other fuzzer messages) const _ENV_FUZZER_BROKER_CLIENT_INITIAL: &str = &"_AFL_ENV_FUZZER_BROKER_CLIENT"; -impl LlmpRestartingEventManager +impl LlmpRestartingEventManager where I: Input, S: IfInteresting, - SH: ShMem, + SP: ShMemProvider, ST: Stats, //CE: CustomEvent, { /// Create a new runner, the executed child doing the actual fuzzing. - pub fn new(llmp_mgr: LlmpEventManager, sender: LlmpSender) -> Self { + pub fn new(llmp_mgr: LlmpEventManager, sender: LlmpSender) -> Self { Self { llmp_mgr, sender } } /// Get the sender - pub fn sender(&self) -> &LlmpSender { + pub fn sender(&self) -> &LlmpSender { &self.sender } /// Get the sender (mut) - pub fn sender_mut(&mut self) -> &mut LlmpSender { + pub fn sender_mut(&mut self) -> &mut LlmpSender { &mut self.sender } } +#[cfg(feature = "std")] +#[allow(clippy::type_complexity)] +pub fn setup_restarting_mgr_std( + //mgr: &mut LlmpEventManager, + stats: ST, + broker_port: u16, +) -> Result< + ( + Option, + LlmpRestartingEventManager, + ), + Error, +> +where + I: Input, + S: DeserializeOwned + IfInteresting, + ST: Stats, +{ + #[cfg(target_os = "android")] + AshmemService::start().expect("Error starting Ashmem Service"); + + setup_restarting_mgr(StdShMemProvider::new()?, stats, broker_port) +} + /// A restarting state is a combination of restarter and runner, that can be used on systems without `fork`. /// The restarter will start a new process each time the child crashes or timeouts. #[cfg(feature = "std")] -pub fn setup_restarting_mgr( +#[allow( + clippy::unnecessary_operation, + clippy::type_complexity, + clippy::similar_names +)] // for { mgr = LlmpEventManager... 
} +pub fn setup_restarting_mgr( + mut shmem_provider: SP, //mgr: &mut LlmpEventManager, stats: ST, broker_port: u16, -) -> Result<(Option, LlmpRestartingEventManager), Error> +) -> Result<(Option, LlmpRestartingEventManager), Error> where I: Input, S: DeserializeOwned + IfInteresting, - SH: ShMem + HasFd, // Todo: HasFd is only needed for Android + SP: ShMemProvider, ST: Stats, { - let mut mgr; + let mut mgr = + LlmpEventManager::::new_on_port(shmem_provider.clone(), stats, broker_port)?; // We start ourself as child process to actually fuzz - let (sender, mut receiver) = if std::env::var(_ENV_FUZZER_SENDER).is_err() { - #[cfg(target_os = "android")] - { - let path = std::env::current_dir()?; - mgr = LlmpEventManager::::new_on_domain_socket(stats, "\x00llmp_socket")?; - }; - #[cfg(not(target_os = "android"))] - { - mgr = LlmpEventManager::::new_on_port(stats, broker_port)? - }; - + let (sender, mut receiver, mut new_shmem_provider) = if std::env::var(_ENV_FUZZER_SENDER) + .is_err() + { if mgr.is_broker() { // Yep, broker. Just loop here. println!("Doing broker things. Run this tool again to start fuzzing in a client."); mgr.broker_loop()?; return Err(Error::ShuttingDown); - } else { - // We are the fuzzer respawner in a llmp client - mgr.to_env(_ENV_FUZZER_BROKER_CLIENT_INITIAL); + } - // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts. - let sender = LlmpSender::new(0, false)?; - let receiver = LlmpReceiver::on_existing_map( - SH::clone_ref(&sender.out_maps.last().unwrap().shmem)?, - None, - )?; - // Store the information to a map. - sender.to_env(_ENV_FUZZER_SENDER)?; - receiver.to_env(_ENV_FUZZER_RECEIVER)?; + // We are the fuzzer respawner in a llmp client + mgr.to_env(_ENV_FUZZER_BROKER_CLIENT_INITIAL); - let mut ctr: u64 = 0; - // Client->parent loop - loop { - dbg!("Spawning next client (id {})", ctr); + // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts. 
+ let sender = { LlmpSender::new(shmem_provider.clone(), 0, false)? }; - // On Unix, we fork (todo: measure if that is actually faster.) + let map = { shmem_provider.clone_ref(&sender.out_maps.last().unwrap().shmem)? }; + let receiver = LlmpReceiver::on_existing_map(shmem_provider.clone(), map, None)?; + // Store the information to a map. + sender.to_env(_ENV_FUZZER_SENDER)?; + receiver.to_env(_ENV_FUZZER_RECEIVER)?; + + let mut ctr: u64 = 0; + // Client->parent loop + loop { + dbg!("Spawning next client (id {})", ctr); + + // On Unix, we fork (todo: measure if that is actually faster.) + #[cfg(unix)] + let child_status = match unsafe { fork() }? { + ForkResult::Parent(handle) => handle.status(), + ForkResult::Child => break (sender, receiver, shmem_provider), + }; + + // On windows, we spawn ourself again + #[cfg(windows)] + let child_status = startable_self()?.status()?; + + if unsafe { read_volatile(&(*receiver.current_recv_map.page()).size_used) } == 0 { #[cfg(unix)] - let _ = match unsafe { fork() }? { - ForkResult::Parent(handle) => handle.status(), - ForkResult::Child => break (sender, receiver), - }; - - // On windows, we spawn ourself again - #[cfg(windows)] - startable_self()?.status()?; - - if unsafe { read_volatile(&(*receiver.current_recv_map.page()).size_used) } == 0 { - // Storing state in the last round did not work - panic!("Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client!"); + if child_status == 137 { + // Out of Memory, see https://tldp.org/LDP/abs/html/exitcodes.html + // and https://github.com/AFLplusplus/LibAFL/issues/32 for discussion. + panic!("Fuzzer-respawner: The fuzzed target crashed with an out of memory error! 
Fix your harness, or switch to another executor (for example, a forkserver)."); } - ctr = ctr.wrapping_add(1); + // Storing state in the last round did not work + panic!("Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client! (Child exited with: {})", child_status); } + + ctr = ctr.wrapping_add(1); } } else { // We are the newly started fuzzing instance, first, connect to our own restore map. // A sender and a receiver for single communication + // Clone so we get a new connection to the AshmemServer if we are using + // ServedShMemProvider + shmem_provider.post_fork(); ( - LlmpSender::::on_existing_from_env(_ENV_FUZZER_SENDER)?, - LlmpReceiver::::on_existing_from_env(_ENV_FUZZER_RECEIVER)?, + LlmpSender::on_existing_from_env(shmem_provider.clone(), _ENV_FUZZER_SENDER)?, + LlmpReceiver::on_existing_from_env(shmem_provider.clone(), _ENV_FUZZER_RECEIVER)?, + shmem_provider, ) }; + new_shmem_provider.post_fork(); + println!("We're a client, let's fuzz :)"); + for (var, val) in std::env::vars() { + println!("ENV VARS: {:?}: {:?}", var, val); + } + // If we're restarting, deserialize the old state. let (state, mut mgr) = match receiver.recv_buf()? { None => { println!("First run. Let's set it all up"); // Mgr to send and receive msgs from/to all other fuzzer instances - let client_mgr = LlmpEventManager::::existing_client_from_env( + let client_mgr = LlmpEventManager::::existing_client_from_env( + new_shmem_provider, _ENV_FUZZER_BROKER_CLIENT_INITIAL, )?; @@ -596,7 +660,8 @@ where // Restoring from a previous run, deserialize state and corpus. Some((_sender, _tag, msg)) => { println!("Subsequent run. Let's load all data from shmem (received {} bytes from previous instance)", msg.len()); - let (state, mgr): (S, LlmpEventManager) = deserialize_state_mgr(&msg)?; + let (state, mgr): (S, LlmpEventManager) = + deserialize_state_mgr(new_shmem_provider, &msg)?; (Some(state), LlmpRestartingEventManager::new(mgr, sender)) } 
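Review bot: The new client start-up code `for (var, val) in std::env::vars() { println!("ENV VARS: {:?}: {:?}", var, val); }` dumps the entire process environment to stdout on every fuzzer start; environments routinely carry tokens and credentials, and this reads as leftover debugging, so drop it or gate it behind an explicit debug option. In the respawned-instance branch `shmem_provider.post_fork()` is called and the same provider is then returned as `new_shmem_provider`, on which `new_shmem_provider.post_fork()` runs again right after the `if`; unless `post_fork` is idempotent (not visible here) the hook fires twice on that path. `dbg!("Spawning next client (id {})", ctr)` does not format — `dbg!` prints each argument on its own — so `println!` or a log macro is what was intended. The `#[allow(clippy::unnecessary_operation, ...)] // for { mgr = LlmpEventManager... }` comment refers to the block assignment this commit removed (`mgr` is now initialised directly), so the allow and its comment look stale. The `child_status == 137` check is labelled out-of-memory, but 137 is 128+SIGKILL, of which the OOM killer is only one source; the panic text could say "killed by SIGKILL (often the OOM killer)".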
diff --git a/libafl/src/events/mod.rs b/libafl/src/events/mod.rs index 01cb94038d..b2c089a699 100644 --- a/libafl/src/events/mod.rs +++ b/libafl/src/events/mod.rs @@ -246,7 +246,7 @@ mod tests { #[test] fn test_event_serde() { - let obv = StdMapObserver::new("test", unsafe { &mut MAP }); + let obv = StdMapObserver::new("test", unsafe { &mut MAP }, unsafe { MAP.len() }); let map = tuple_list!(obv); let observers_buf = postcard::to_allocvec(&map).unwrap(); diff --git a/libafl/src/events/simple.rs b/libafl/src/events/simple.rs index ab0d88cab3..89e9ae23b0 100644 --- a/libafl/src/events/simple.rs +++ b/libafl/src/events/simple.rs @@ -73,6 +73,7 @@ where } // Handle arriving events in the broker + #[allow(clippy::unnecessary_wraps)] fn handle_in_broker(stats: &mut ST, event: &Event) -> Result { match event { Event::NewTestcase { @@ -83,8 +84,12 @@ where time, executions, } => { - stats.client_stats_mut()[0].update_corpus_size(*corpus_size as u64); - stats.client_stats_mut()[0].update_executions(*executions as u64, *time); + stats + .client_stats_mut_for(0) + .update_corpus_size(*corpus_size as u64); + stats + .client_stats_mut_for(0) + .update_executions(*executions as u64, *time); stats.display(event.name().to_string()); Ok(BrokerEventResult::Handled) } @@ -94,12 +99,16 @@ where phantom: _, } => { // TODO: The stats buffer should be added on client add. - stats.client_stats_mut()[0].update_executions(*executions as u64, *time); + stats + .client_stats_mut_for(0) + .update_executions(*executions as u64, *time); stats.display(event.name().to_string()); Ok(BrokerEventResult::Handled) } Event::Objective { objective_size } => { - stats.client_stats_mut()[0].update_objective_size(*objective_size as u64); + stats + .client_stats_mut_for(0) + .update_objective_size(*objective_size as u64); stats.display(event.name().to_string()); Ok(BrokerEventResult::Handled) } 
@@ -117,6 +126,7 @@ where } // Handle arriving events in the client + #[allow(clippy::needless_pass_by_value, clippy::unused_self)] fn handle_in_client(&mut self, _state: &mut S, event: Event) -> Result<(), Error> { Err(Error::Unknown(format!( "Received illegal message that message should not have arrived: {:?}.", diff --git a/libafl/src/executors/inprocess.rs b/libafl/src/executors/inprocess.rs index fa42f0da9a..0b21ca6745 100644 --- a/libafl/src/executors/inprocess.rs +++ b/libafl/src/executors/inprocess.rs @@ -25,26 +25,25 @@ use crate::{ Error, }; -/// The inmem executor harness -type HarnessFunction = fn(&E, &[u8]) -> ExitKind; - /// The inmem executor simply calls a target function, then returns afterwards. -pub struct InProcessExecutor +pub struct InProcessExecutor<'a, H, I, OT> where + H: FnMut(&[u8]) -> ExitKind, I: Input + HasTargetBytes, OT: ObserversTuple, { /// The name of this executor instance, to address it from other components name: &'static str, /// The harness function, being executed for each fuzzing loop execution - harness_fn: HarnessFunction, + harness_fn: &'a mut H, /// The observers, observing each run observers: OT, phantom: PhantomData, } -impl Executor for InProcessExecutor +impl<'a, H, I, OT> Executor for InProcessExecutor<'a, H, I, OT> where + H: FnMut(&[u8]) -> ExitKind, I: Input + HasTargetBytes, OT: ObserversTuple, { @@ -95,7 +94,7 @@ where #[inline] fn run_target(&mut self, input: &I) -> Result { let bytes = input.target_bytes(); - let ret = (self.harness_fn)(self, bytes.as_slice()); + let ret = (self.harness_fn)(bytes.as_slice()); Ok(ret) } @@ -126,8 +125,9 @@ where } } -impl Named for InProcessExecutor +impl<'a, H, I, OT> Named for InProcessExecutor<'a, H, I, OT> where + H: FnMut(&[u8]) -> ExitKind, I: Input + HasTargetBytes, OT: ObserversTuple, { 
@@ -136,8 +136,9 @@ where } } -impl HasObservers for InProcessExecutor +impl<'a, H, I, OT> HasObservers for InProcessExecutor<'a, H, I, OT> where + H: FnMut(&[u8]) -> ExitKind, I: Input + HasTargetBytes, OT: ObserversTuple, { @@ -152,8 +153,9 @@ where } } -impl InProcessExecutor +impl<'a, H, I, OT> InProcessExecutor<'a, H, I, OT> where + H: FnMut(&[u8]) -> ExitKind, I: Input + HasTargetBytes, OT: ObserversTuple, { @@ -166,7 +168,7 @@ where /// This may return an error on unix, if signal handler setup fails pub fn new( name: &'static str, - harness_fn: HarnessFunction, + harness_fn: &'a mut H, observers: OT, _state: &mut S, _event_mgr: &mut EM, @@ -215,13 +217,25 @@ where phantom: PhantomData, }) } + + /// Retrieve the harness function. + #[inline] + pub fn harness(&self) -> &H { + self.harness_fn + } + + /// Retrieve the harness function for a mutable reference. + #[inline] + pub fn harness_mut(&mut self) -> &mut H { + self.harness_fn + } } #[cfg(unix)] mod unix_signal_handler { use alloc::vec::Vec; use core::ptr; - use libc::{c_void, siginfo_t}; + use libc::{c_void, siginfo_t, ucontext_t}; #[cfg(feature = "std")] use std::io::{stdout, Write}; @@ -259,8 +273,8 @@ mod unix_signal_handler { pub event_mgr_ptr: *mut c_void, pub observers_ptr: *const c_void, pub current_input_ptr: *const c_void, - pub crash_handler: unsafe fn(Signal, siginfo_t, c_void, data: &mut Self), - pub timeout_handler: unsafe fn(Signal, siginfo_t, c_void, data: &mut Self), + pub crash_handler: unsafe fn(Signal, siginfo_t, &mut ucontext_t, data: &mut Self), + pub timeout_handler: unsafe fn(Signal, siginfo_t, &mut ucontext_t, data: &mut Self), } unsafe impl Send for InProcessExecutorHandlerData {} 
@@ -269,21 +283,21 @@ mod unix_signal_handler { unsafe fn nop_handler( _signal: Signal, _info: siginfo_t, - _void: c_void, + _context: &mut ucontext_t, _data: &mut InProcessExecutorHandlerData, ) { } #[cfg(unix)] impl Handler for InProcessExecutorHandlerData { - fn handle(&mut self, signal: Signal, info: siginfo_t, void: c_void) { + fn handle(&mut self, signal: Signal, info: siginfo_t, context: &mut ucontext_t) { unsafe { let data = &mut GLOBAL_STATE; match signal { Signal::SigUser2 | Signal::SigAlarm => { - (data.timeout_handler)(signal, info, void, data) + (data.timeout_handler)(signal, info, context, data) } - _ => (data.crash_handler)(signal, info, void, data), + _ => (data.crash_handler)(signal, info, context, data), } } } @@ -298,6 +312,7 @@ mod unix_signal_handler { Signal::SigFloatingPointException, Signal::SigIllegalInstruction, Signal::SigSegmentationFault, + Signal::SigTrap, ] } } @@ -306,7 +321,7 @@ mod unix_signal_handler { pub unsafe fn inproc_timeout_handler( _signal: Signal, _info: siginfo_t, - _void: c_void, + _context: &mut ucontext_t, data: &mut InProcessExecutorHandlerData, ) where EM: EventManager, @@ -334,7 +349,7 @@ mod unix_signal_handler { let obj_fitness = state .objectives_mut() - .is_interesting_all(&input, observers, ExitKind::Timeout) + .is_interesting_all(&input, observers, &ExitKind::Timeout) .expect("In timeout handler objectives failure."); if obj_fitness > 0 { state @@ -368,7 +383,7 @@ mod unix_signal_handler { pub unsafe fn inproc_crash_handler( _signal: Signal, _info: siginfo_t, - _void: c_void, + _context: &mut ucontext_t, data: &mut InProcessExecutorHandlerData, ) where EM: EventManager, 
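Review bot: `Signal::SigTrap` is added to the crash-signal list without a comment on why; SIGTRAP is also what breakpoint and debugger traps raise, so a reader may assume it was added by mistake. Add `// SIGTRAP: trap instructions used for aborts (e.g. brk/int3-style traps) are treated as crashes` next to it, adjusted to the motivating case this hunk doesn't show. The enclosing function starts and ends outside the hunk.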
@@ -378,6 +393,10 @@ mod unix_signal_handler { S: HasObjectives + HasSolutions, I: Input + HasTargetBytes, { + #[cfg(all(target_os = "android", target_arch = "aarch64"))] + let _context = *(((_context as *mut _ as *mut c_void as usize) + 128) as *mut c_void + as *mut ucontext_t); + #[cfg(feature = "std")] println!("Crashed with {}", _signal); if !data.current_input_ptr.is_null() { @@ -387,6 +406,45 @@ mod unix_signal_handler { #[cfg(feature = "std")] println!("Child crashed!"); + + #[cfg(all( + feature = "std", + any(target_os = "linux", target_os = "android"), + target_arch = "aarch64" + ))] + { + use crate::utils::find_mapping_for_address; + println!("{:━^100}", " CRASH "); + println!( + "Received signal {} at 0x{:016x}, fault address: 0x{:016x}", + _signal, _context.uc_mcontext.pc, _context.uc_mcontext.fault_address + ); + if let Ok((start, _, _, path)) = + find_mapping_for_address(_context.uc_mcontext.pc as usize) + { + println!( + "pc is at offset 0x{:08x} in {}", + _context.uc_mcontext.pc as usize - start, + path + ); + } + + println!("{:━^100}", " REGISTERS "); + for reg in 0..31 { + print!( + "x{:02}: 0x{:016x} ", + reg, _context.uc_mcontext.regs[reg as usize] + ); + if reg % 4 == 3 { + println!(); + } + } + println!("pc : 0x{:016x} ", _context.uc_mcontext.pc); + + //println!("{:━^100}", " BACKTRACE "); + //println!("{:?}", backtrace::Backtrace::new()) + } + #[cfg(feature = "std")] let _ = stdout().flush(); @@ -396,7 +454,7 @@ mod unix_signal_handler { let obj_fitness = state .objectives_mut() - .is_interesting_all(&input, observers, ExitKind::Crash) + .is_interesting_all(&input, observers, &ExitKind::Crash) .expect("In crash handler objectives failure."); if obj_fitness > 0 { let new_input = input.clone(); 
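Review bot: The Android/aarch64 block at the top of the `@@ -378` hunk dereferences a raw pointer computed as the context address plus a bare `128` and copies a whole `ucontext_t` out of it, with no `// SAFETY:` comment and nothing explaining where the offset comes from. Give the `128` a named constant and a comment stating what lies at that offset and why the `ucontext_t` handed in by the signal trampoline is not the one to read on that platform; if the layout assumption is ever wrong the copy reads past the real context. The local also shadows the `_context` parameter with an owned copy, which is fine but worth a note since the rest of the function reads fields from it. `inproc_crash_handler` starts outside the hunk.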
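Review bot: The register dump in the `@@ -387` hunk ends with two commented-out `println!` lines for a backtrace; either implement that behind a feature or delete the dead lines rather than keep them as comments. The `for reg in 0..31` loop with `regs[reg as usize]` can iterate the array directly, `for (reg, val) in _context.uc_mcontext.regs.iter().enumerate() {`, which drops the cast and the index. The block prints with `println!`/`print!` from inside a signal handler, which is not async-signal-safe; that matches the existing `Crashed with`/`Child crashed!` prints so it is not new, but a comment acknowledging it would help. `inproc_crash_handler` continues outside the hunk.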
@@ -560,7 +618,7 @@ mod windows_exception_handler { let obj_fitness = state .objectives_mut() - .is_interesting_all(&input, observers, ExitKind::Crash) + .is_interesting_all(&input, observers, &ExitKind::Crash) .expect("In crash handler objectives failure."); if obj_fitness > 0 { let new_input = input.clone(); @@ -627,19 +685,15 @@ mod tests { use crate::{ bolts::tuples::tuple_list, executors::{Executor, ExitKind, InProcessExecutor}, - inputs::Input, + inputs::NopInput, }; - fn test_harness_fn_nop, I: Input>(_executor: &E, _buf: &[u8]) -> ExitKind { - ExitKind::Ok - } - #[test] fn test_inmem_exec() { - use crate::inputs::NopInput; + let mut harness = |_buf: &[u8]| ExitKind::Ok; - let mut in_process_executor = InProcessExecutor:: { - harness_fn: test_harness_fn_nop, + let mut in_process_executor = InProcessExecutor::<_, NopInput, ()> { + harness_fn: &mut harness, observers: tuple_list!(), name: "main", phantom: PhantomData, diff --git a/libafl/src/executors/mod.rs b/libafl/src/executors/mod.rs index a5ee692469..08b26ed602 100644 --- a/libafl/src/executors/mod.rs +++ b/libafl/src/executors/mod.rs @@ -4,27 +4,29 @@ pub mod inprocess; pub use inprocess::InProcessExecutor; pub mod timeout; pub use timeout::TimeoutExecutor; -#[cfg(feature = "runtime")] -pub mod runtime; -use core::cmp::PartialEq; use core::marker::PhantomData; use crate::{ - bolts::tuples::Named, + bolts::{serdeany::SerdeAny, tuples::Named}, events::EventManager, inputs::{HasTargetBytes, Input}, observers::ObserversTuple, Error, }; +use alloc::boxed::Box; + +pub trait CustomExitKind: core::fmt::Debug + SerdeAny + 'static {} + /// How an execution finished. -#[derive(Debug, Clone, PartialEq)] +#[derive(Debug)] pub enum ExitKind { Ok, Crash, - OOM, + Oom, Timeout, + Custom(Box), } pub trait HasObservers 
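Review bot: The new public `CustomExitKind` trait and the `Custom` variant of `ExitKind` in the `@@ -4` hunk of `libafl/src/executors/mod.rs` have no doc comments, and the other `ExitKind` variants are undocumented as well. Suggested: `/// Marker trait for user-defined exit kinds carried by the `Custom` variant of `ExitKind`; the `SerdeAny` bound keeps them serializable.` on the trait, plus one line per variant. Dropping `Clone`/`PartialEq` from `ExitKind` is a visible API change for downstream feedbacks that compared exit kinds with `==`; a sentence in the enum docs pointing users to pattern matching, as the `feedbacks` changes in this commit do, would ease migration.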
@@ -51,7 +53,7 @@ where } /// A simple executor that does nothing. -/// If intput len is 0, run_target will return Err +/// If intput len is 0, `run_target` will return Err struct NopExecutor { phantom: PhantomData, } diff --git a/libafl/src/executors/runtime.rs b/libafl/src/executors/runtime.rs deleted file mode 100644 index 1b7de09d80..0000000000 --- a/libafl/src/executors/runtime.rs +++ /dev/null 
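Review bot: The rewritten doc line in the `@@ -51` hunk of `libafl/src/executors/mod.rs` keeps the typo `intput` while adding the backticks around `run_target`; replace `intput` with `input` in the same line.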
@@ -1,57 +0,0 @@ -//! A sancov runtime to update a simple u8 map with coverage-information during fuzzing - -//#![feature(asm)] - -/// The map size used by this instance. -const MAP_SIZE: usize = 65536; - -#[no_mangle] -pub static mut __lafl_dummy_map: [u8; MAP_SIZE] = [0; MAP_SIZE]; -#[no_mangle] -pub static mut __lafl_edges_map: *mut u8 = unsafe { __lafl_dummy_map.as_ptr() as *mut _ }; -#[no_mangle] -pub static mut __lafl_cmp_map: *mut u8 = unsafe { __lafl_dummy_map.as_ptr() as *mut _ }; -#[no_mangle] -pub static mut __lafl_max_edges_size: u32 = 0; - -/// Called for each branch the target program takes. -#[no_mangle] -#[inline] -pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(guard: &u32) { - let ref mut trace_byte = *__lafl_edges_map.offset(*guard as isize); - /* TODO: translate to RUST inline ASM once it's stable (neverzero) - #[cfg(any(target_arch = "x86", target_arch = "x86_64"))] - asm! volatile( \ - "addb $1, (%0, %1, 1)\n" \ - "adcb $0, (%0, %1, 1)\n" \ - : /* no out */ \ - : "r"(afl_area_ptr), "r"(loc) \ - : "memory", "eax") - - #[cfg(not(any(target_arch = "x86", target_arch = "x86_64")))] - */ - - // Make sure we wrap to 0, not zero, it's empirically proven to be better for fuzzing. - let added = (*trace_byte as u16) + 1; - *trace_byte = (added as u8) + (added >> 8) as u8; - - //*trace_byte = (*trace_byte).wrapping_add(1); -} - -/// Called when the target program starts -#[no_mangle] -#[inline] -pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard_init(mut start: *mut u32, stop: *mut u32) { - if start == stop || *start != 0 { - return; - } - __lafl_max_edges_size = __lafl_max_edges_size.wrapping_add(1); - let fresh1 = start; - start = start.offset(1); - *fresh1 = __lafl_max_edges_size & (MAP_SIZE - 1) as u32; - while start < stop { - __lafl_max_edges_size = __lafl_max_edges_size.wrapping_add(1); - *start = __lafl_max_edges_size & (MAP_SIZE - 1) as u32; - start = start.offset(1) - } -} 
diff --git a/libafl/src/executors/timeout.rs b/libafl/src/executors/timeout.rs index 6acb753032..0b428aa855 100644 --- a/libafl/src/executors/timeout.rs +++ b/libafl/src/executors/timeout.rs @@ -1,4 +1,4 @@ -//! A TimeoutExecutor set a timeout before each target run +//! A `TimeoutExecutor` sets a timeout before each target run use core::{marker::PhantomData, time::Duration}; @@ -91,6 +91,10 @@ where phantom: PhantomData, } } + + pub fn inner(&mut self) -> &mut E { + &mut self.executor + } } impl Executor for TimeoutExecutor @@ -126,6 +130,11 @@ where null_mut(), ); } + #[cfg(windows)] + { + // TODO + let _ = self.exec_tmout.as_millis(); + } self.executor.pre_exec(_state, _event_mgr, _input) } @@ -155,6 +164,10 @@ where null_mut(), ); } + #[cfg(windows)] + { + // TODO + } self.executor.post_exec(_state, _event_mgr, _input) } diff --git a/libafl/src/feedbacks/map.rs b/libafl/src/feedbacks/map.rs index 2f7e71fb3c..89374e154d 100644 --- a/libafl/src/feedbacks/map.rs +++ b/libafl/src/feedbacks/map.rs @@ -1,3 +1,5 @@ +//! Map feedback, maximizing or minimizing maps, for example the afl-style map observer. + use alloc::{ string::{String, ToString}, vec::Vec, @@ -152,7 +154,7 @@ where &mut self, _input: &I, observers: &OT, - _exit_kind: ExitKind, + _exit_kind: &ExitKind, ) -> Result { let mut interesting = 0; // TODO optimize @@ -259,7 +261,7 @@ where R: Reducer, O: MapObserver + Observer, { - /// Create new MapFeedback + /// Create new `MapFeedback` pub fn new(name: &'static str, map_size: usize) -> Self { Self { history_map: vec![T::default(); map_size], @@ -270,7 +272,7 @@ where } } - /// Create new MapFeedback for the observer type. + /// Create new `MapFeedback` for the observer type. pub fn new_with_observer(map_observer: &O) -> Self { Self { history_map: vec![T::default(); map_observer.map().len()], 
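Review bot: The new `pub fn inner(&mut self) -> &mut E` in the `@@ -91` hunk of `libafl/src/executors/timeout.rs` has no doc comment; add `/// Returns a mutable reference to the wrapped executor.`. Since it hands out the inner executor while the timeout wrapper is live, the docs should also say whether callers are expected to run the target through it directly (bypassing the timeout) or only to reach its observers and settings. The enclosing `impl` block starts outside the hunk.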
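Review bot: On Windows the `pre_exec` change in the `@@ -126` hunk silently does nothing (`let _ = self.exec_tmout.as_millis();` only suppresses an unused-field warning), so a `TimeoutExecutor` there runs the target with no timeout at all while returning `Ok`; the matching `@@ -155` hunk in `post_exec` is the same. Until the Windows timer exists, the limitation should be stated where users will see it, e.g. `// TODO(windows): no timeout is armed here; the target runs unbounded on this platform` in both blocks and a sentence in the module docs, or the constructor should fail on Windows rather than pretend the timeout is active. Both `pre_exec` and `post_exec` start outside their hunks.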
@@ -281,7 +283,7 @@ where } } - /// Create new MapFeedback specifying if it must track indexes of novelties + /// Create new `MapFeedback` specifying if it must track indexes of novelties pub fn new_track( name: &'static str, map_size: usize, @@ -297,7 +299,7 @@ where } } - /// Create new MapFeedback for the observer type if it must track indexes of novelties + /// Create new `MapFeedback` for the observer type if it must track indexes of novelties pub fn new_with_observer_track( map_observer: &O, track_indexes: bool, @@ -319,7 +321,7 @@ where R: Reducer, O: MapObserver, { - /// Create new MapFeedback using a map observer, and a map. + /// Create new `MapFeedback` using a map observer, and a map. /// The map can be shared. pub fn with_history_map(name: &'static str, history_map: Vec) -> Self { Self { diff --git a/libafl/src/feedbacks/mod.rs b/libafl/src/feedbacks/mod.rs index 5a156539eb..6cb8261383 100644 --- a/libafl/src/feedbacks/mod.rs +++ b/libafl/src/feedbacks/mod.rs @@ -7,7 +7,7 @@ pub use map::*; use serde::{Deserialize, Serialize}; use crate::{ - bolts::tuples::{Named, TupleList}, + bolts::tuples::Named, corpus::Testcase, executors::ExitKind, inputs::Input, @@ -24,12 +24,12 @@ pub trait Feedback: Named + serde::Serialize + serde::de::DeserializeOwned + where I: Input, { - /// is_interesting should return the "Interestingness" from 0 to 255 (percent times 2.55) + /// `is_interesting ` should return the "Interestingness" from 0 to 255 (percent times 2.55) fn is_interesting( &mut self, input: &I, observers: &OT, - exit_kind: ExitKind, + exit_kind: &ExitKind, ) -> Result; /// Append to the testcase the generated metadata in case of a new corpus item @@ -54,7 +54,7 @@ where &mut self, input: &I, observers: &OT, - exit_kind: ExitKind, + exit_kind: &ExitKind, ) -> Result; /// Write metadata for this testcase @@ -73,7 +73,7 @@ where &mut self, _: &I, _: &OT, - _: ExitKind, + _: &ExitKind, ) -> Result { Ok(0) } 
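Review bot: The rewritten doc line in the `@@ -24` hunk of `libafl/src/feedbacks/mod.rs` has a stray space inside the code span (`is_interesting ` followed by the closing backtick), which rustdoc renders literally; drop the space before the closing backtick. The `Feedback` trait definition continues outside the hunk.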
@@ -92,16 +92,16 @@ where impl FeedbacksTuple for (Head, Tail) where Head: Feedback, - Tail: FeedbacksTuple + TupleList, + Tail: FeedbacksTuple, I: Input, { fn is_interesting_all( &mut self, input: &I, observers: &OT, - exit_kind: ExitKind, + exit_kind: &ExitKind, ) -> Result { - Ok(self.0.is_interesting(input, observers, exit_kind.clone())? + Ok(self.0.is_interesting(input, observers, exit_kind)? + self.1.is_interesting_all(input, observers, exit_kind)?) } @@ -128,9 +128,9 @@ where &mut self, _input: &I, _observers: &OT, - exit_kind: ExitKind, + exit_kind: &ExitKind, ) -> Result { - if exit_kind == ExitKind::Crash { + if let ExitKind::Crash = exit_kind { Ok(1) } else { Ok(0) @@ -168,9 +168,9 @@ where &mut self, _input: &I, _observers: &OT, - exit_kind: ExitKind, + exit_kind: &ExitKind, ) -> Result { - if exit_kind == ExitKind::Timeout { + if let ExitKind::Timeout = exit_kind { Ok(1) } else { Ok(0) @@ -211,7 +211,7 @@ where &mut self, _input: &I, observers: &OT, - _exit_kind: ExitKind, + _exit_kind: &ExitKind, ) -> Result { let observer = observers.match_first_type::().unwrap(); self.exec_time = *observer.last_runtime(); diff --git a/libafl/src/fuzzer.rs b/libafl/src/fuzzer.rs index b65587d205..e1eeb08c06 100644 --- a/libafl/src/fuzzer.rs +++ b/libafl/src/fuzzer.rs @@ -1,3 +1,5 @@ +//! The `Fuzzer` is the main struct for a fuzz campaign. + use crate::{ corpus::CorpusScheduler, events::{Event, EventManager}, @@ -6,10 +8,15 @@ use crate::{ observers::ObserversTuple, stages::StagesTuple, state::HasExecutions, - utils::{current_milliseconds, current_time}, + utils::current_time, Error, }; -use core::marker::PhantomData; + +use alloc::string::ToString; +use core::{marker::PhantomData, time::Duration}; + +/// Send a stats update all 6 (or more) seconds +const STATS_TIMEOUT_DEFAULT: Duration = Duration::from_millis(6 * 1000); /// Holds a set of stages pub trait HasStages 
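Review bot: The `if let ExitKind::Crash = exit_kind { Ok(1) } else { Ok(0) }` in the `@@ -128` hunk of `libafl/src/feedbacks/mod.rs` (and the `Timeout` twin in `@@ -168`) is the right replacement now that `ExitKind` no longer derives `PartialEq`, but it reads more directly as `Ok(if matches!(exit_kind, ExitKind::Crash) { 1 } else { 0 })`. Both enclosing `is_interesting` functions start outside their hunks.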
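Review bot: The new `STATS_TIMEOUT_DEFAULT` in the `@@ -6` hunk of `libafl/src/fuzzer.rs` spells its value as `Duration::from_millis(6 * 1000)`; `Duration::from_secs(6)` says the same without arithmetic, and the doc line should read `/// Send a stats update every 6 (or more) seconds`. The constant replaces the inline `60 * 100` millisecond check removed from `fuzz_loop` later in this file, which was also 6 s, so behaviour is unchanged.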
@@ -37,10 +44,87 @@ where } /// The main fuzzer trait. -pub trait Fuzzer { - fn fuzz_one(&self, state: &mut S, executor: &mut E, manager: &mut EM) -> Result; +pub trait Fuzzer { + /// Fuzz for a single iteration + /// Returns the index of the last fuzzed corpus item + /// + /// If you use this fn in a restarting scenario to only run for `n` iterations, + /// before exiting, make sure you call `event_mgr.on_restart(&mut state)?;`. + /// This way, the state will be available in the next, respawned, iteration. + fn fuzz_one( + &mut self, + state: &mut S, + executor: &mut E, + manager: &mut EM, + scheduler: &CS, + ) -> Result; - fn fuzz_loop(&self, state: &mut S, executor: &mut E, manager: &mut EM) -> Result; + /// Fuzz forever (or until stopped) + fn fuzz_loop( + &mut self, + state: &mut S, + executor: &mut E, + manager: &mut EM, + scheduler: &CS, + ) -> Result { + let mut last = current_time(); + let stats_timeout = STATS_TIMEOUT_DEFAULT; + loop { + self.fuzz_one(state, executor, manager, scheduler)?; + last = Self::maybe_report_stats(state, manager, last, stats_timeout)?; + } + } + + /// Fuzz for n iterations + /// Returns the index of the last fuzzed corpus item + /// + /// If you use this fn in a restarting scenario to only run for `n` iterations, + /// before exiting, make sure you call `event_mgr.on_restart(&mut state)?;`. + /// This way, the state will be available in the next, respawned, iteration. 
+ fn fuzz_loop_for( + &mut self, + state: &mut S, + executor: &mut E, + manager: &mut EM, + scheduler: &CS, + iters: u64, + ) -> Result + where + EM: EventManager, + I: Input, + { + if iters == 0 { + return Err(Error::IllegalArgument( + "Cannot fuzz for 0 iterations!".to_string(), + )); + } + + let mut ret = 0; + let mut last = current_time(); + let stats_timeout = STATS_TIMEOUT_DEFAULT; + + for _ in 0..iters { + ret = self.fuzz_one(state, executor, manager, scheduler)?; + last = Self::maybe_report_stats(state, manager, last, stats_timeout)?; + } + + // If we would assume the fuzzer loop will always exit after this, we could do this here: + // manager.on_restart(state)?; + // But as the state may grow to a few megabytes, + // for now we won' and the user has to do it (unless we find a way to do this on `Drop`). + + Ok(ret) + } + + /// Given the last time, if `stats_timeout` seconds passed, send off an info/stats/heartbeat message to the broker. + /// Returns the new `last` time (so the old one, unless `stats_timeout` time has passed and stats have been sent) + /// Will return an Error, if the stats could not be sent. + fn maybe_report_stats( + state: &mut S, + manager: &mut EM, + last: Duration, + stats_timeout: Duration, + ) -> Result; } /// Your default fuzzer instance, for everyday use. @@ -53,9 +137,8 @@ where EM: EventManager, I: Input, { - scheduler: CS, stages: ST, - phantom: PhantomData<(E, EM, I, OT, S)>, + phantom: PhantomData<(CS, E, EM, I, OT, S)>, } impl HasStages for StdFuzzer @@ -75,6 +158,7 @@ where } } +/* impl HasCorpusScheduler for StdFuzzer where CS: CorpusScheduler, @@ -91,8 +175,9 @@ where &mut self.scheduler } } +*/ -impl Fuzzer for StdFuzzer +impl Fuzzer for StdFuzzer where CS: CorpusScheduler, S: HasExecutions, 
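Review bot: The doc block on `fuzz_one` in the `@@ -37` hunk of `libafl/src/fuzzer.rs` repeats the `fuzz_loop_for` paragraph about restarting after `n` iterations, which does not apply to a single iteration; keep that paragraph on `fuzz_loop_for` only and leave `fuzz_one` with `/// Fuzz for a single iteration` and `/// Returns the index of the last fuzzed corpus item`. In the same hunk the trailing comment in `fuzz_loop_for` has a dropped word: `for now we won' and the user has to do it` should be `for now we won't, and the user has to do it`.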
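Review bot: The `HasCorpusScheduler` impl for `StdFuzzer` in the `@@ -75` hunk of `libafl/src/fuzzer.rs` is wrapped in `/* … */` rather than removed, now that the scheduler is passed to `fuzz_one` explicitly and the `scheduler` field is gone in `@@ -53`; commented-out code goes stale with the next signature change and version control already keeps the history. Delete the block, or if it is meant to return, leave a one-line `// TODO: ...` naming the condition under which it comes back.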
@@ -102,33 +187,45 @@ where OT: ObserversTuple, I: Input, { - fn fuzz_one(&self, state: &mut S, executor: &mut E, manager: &mut EM) -> Result { - let idx = self.scheduler().next(state)?; - - self.stages() - .perform_all(state, executor, manager, self.scheduler(), idx)?; - - manager.process(state, executor, self.scheduler())?; - Ok(idx) + #[inline] + fn maybe_report_stats( + state: &mut S, + manager: &mut EM, + last: Duration, + stats_timeout: Duration, + ) -> Result { + let cur = current_time(); + if cur - last > stats_timeout { + //println!("Fire {:?} {:?} {:?}", cur, last, stats_timeout); + manager.fire( + state, + Event::UpdateStats { + executions: *state.executions(), + time: cur, + phantom: PhantomData, + }, + )?; + Ok(cur) + } else { + if cur.as_millis() % 1000 == 0 {} + Ok(last) + } } - fn fuzz_loop(&self, state: &mut S, executor: &mut E, manager: &mut EM) -> Result { - let mut last = current_milliseconds(); - loop { - self.fuzz_one(state, executor, manager)?; - let cur = current_milliseconds(); - if cur - last > 60 * 100 { - last = cur; - manager.fire( - state, - Event::UpdateStats { - executions: *state.executions(), - time: current_time(), - phantom: PhantomData, - }, - )? - } - } + fn fuzz_one( + &mut self, + state: &mut S, + executor: &mut E, + manager: &mut EM, + scheduler: &CS, + ) -> Result { + let idx = scheduler.next(state)?; + + self.stages_mut() + .perform_all(state, executor, manager, scheduler, idx)?; + + manager.process(state, executor, scheduler)?; + Ok(idx) } } @@ -140,9 +237,8 @@ where EM: EventManager, I: Input, { - pub fn new(scheduler: CS, stages: ST) -> Self { + pub fn new(stages: ST) -> Self { Self { - scheduler, stages, phantom: PhantomData, } diff --git a/libafl/src/generators/mod.rs b/libafl/src/generators/mod.rs index f42a6c175a..b12cb76003 100644 --- a/libafl/src/generators/mod.rs +++ b/libafl/src/generators/mod.rs 
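Review bot: `maybe_report_stats` in the `@@ -102` hunk of `libafl/src/fuzzer.rs` computes `cur - last` on two `Duration`s, which panics if `last` is later than `cur`; whether that can happen depends on whether `current_time()` is monotonic, which is not visible here, so `if cur.saturating_sub(last) > stats_timeout {` is the safer form. The `else` branch contains an empty `if cur.as_millis() % 1000 == 0 {}` and a commented-out debug `println!`, both leftovers that should go so the branch is just `Ok(last)`.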
@@ -48,7 +48,7 @@ where Ok(BytesInput::new(random_bytes)) } - /// Generates up to DUMMY_BYTES_MAX non-random dummy bytes (0) + /// Generates up to `DUMMY_BYTES_MAX` non-random dummy bytes (0) fn generate_dummy(&self) -> BytesInput { let size = min(self.max_size, DUMMY_BYTES_MAX); BytesInput::new(vec![0; size]) @@ -90,10 +90,10 @@ where Ok(BytesInput::new(random_bytes)) } - /// Generates up to DUMMY_BYTES_MAX non-random dummy bytes (0) + /// Generates up to `DUMMY_BYTES_MAX` non-random dummy bytes (0) fn generate_dummy(&self) -> BytesInput { let size = min(self.max_size, DUMMY_BYTES_MAX); - BytesInput::new(vec![0u8; size]) + BytesInput::new(vec![0_u8; size]) } } diff --git a/libafl/src/inputs/bytes.rs b/libafl/src/inputs/bytes.rs index 5840e783be..345f1a67da 100644 --- a/libafl/src/inputs/bytes.rs +++ b/libafl/src/inputs/bytes.rs @@ -1,11 +1,22 @@ -//! The BytesInput is the "normal" input, a map of bytes, that can be sent directly to the client +//! The `BytesInput` is the "normal" input, a map of bytes, that can be sent directly to the client //! (As opposed to other, more abstract, imputs, like an Grammar-Based AST Input) use alloc::{borrow::ToOwned, rc::Rc, vec::Vec}; use core::{cell::RefCell, convert::From}; use serde::{Deserialize, Serialize}; +#[cfg(feature = "std")] +use std::{ + fs::File, + io::{Read, Write}, + path::Path, +}; -use crate::inputs::{HasBytesVec, HasLen, HasTargetBytes, Input, TargetBytes}; +#[cfg(feature = "std")] +use crate::Error; +use crate::{ + bolts::ownedref::OwnedSlice, + inputs::{HasBytesVec, HasLen, HasTargetBytes, Input}, +}; /// A bytes input is the basic input #[derive(Serialize, Deserialize, Clone, Debug, Default, PartialEq, Eq)] @@ -14,12 +25,35 @@ pub struct BytesInput { bytes: Vec, } -impl Input for BytesInput {} +impl Input for BytesInput { + #[cfg(feature = "std")] + /// Write this input to the file + fn to_file

(&self, path: P) -> Result<(), Error> + where + P: AsRef, + { + let mut file = File::create(path)?; + file.write_all(&self.bytes)?; + Ok(()) + } + + /// Load the contents of this input from a file + #[cfg(feature = "std")] + fn from_file

(path: P) -> Result + where + P: AsRef, + { + let mut file = File::open(path)?; + let mut bytes: Vec = vec![]; + file.read_to_end(&mut bytes)?; + Ok(BytesInput::new(bytes)) + } +} /// Rc Ref-cell from Input -impl Into>> for BytesInput { - fn into(self) -> Rc> { - Rc::new(RefCell::new(self)) +impl From for Rc> { + fn from(input: BytesInput) -> Self { + Rc::new(RefCell::new(input)) } } @@ -37,8 +71,8 @@ impl HasBytesVec for BytesInput { impl HasTargetBytes for BytesInput { #[inline] - fn target_bytes(&self) -> TargetBytes { - TargetBytes::Ref(&self.bytes) + fn target_bytes(&self) -> OwnedSlice { + OwnedSlice::Ref(&self.bytes) } } diff --git a/libafl/src/inputs/mod.rs b/libafl/src/inputs/mod.rs index cb409ed408..5f920b1496 100644 --- a/libafl/src/inputs/mod.rs +++ b/libafl/src/inputs/mod.rs @@ -14,7 +14,7 @@ use std::{ use serde::{Deserialize, Serialize}; -use crate::Error; +use crate::{bolts::ownedref::OwnedSlice, Error}; /// An input for the target pub trait Input: Clone + serde::Serialize + serde::de::DeserializeOwned + Debug { @@ -60,22 +60,8 @@ pub trait Input: Clone + serde::Serialize + serde::de::DeserializeOwned + Debug pub struct NopInput {} impl Input for NopInput {} impl HasTargetBytes for NopInput { - fn target_bytes(&self) -> TargetBytes { - TargetBytes::Owned(vec![0]) - } -} - -pub enum TargetBytes<'a> { - Ref(&'a [u8]), - Owned(Vec), -} - -impl<'a> TargetBytes<'a> { - pub fn as_slice(&self) -> &[u8] { - match self { - TargetBytes::Ref(r) => r, - TargetBytes::Owned(v) => v.as_slice(), - } + fn target_bytes(&self) -> OwnedSlice { + OwnedSlice::Owned(vec![0]) } } @@ -84,7 +70,7 @@ impl<'a> TargetBytes<'a> { /// Instead, it can be used as bytes input for a target pub trait HasTargetBytes { /// Target bytes, that can be written to a target - fn target_bytes(&self) -> TargetBytes; + fn target_bytes(&self) -> OwnedSlice; } /// Contains an internal bytes Vector diff --git a/libafl/src/lib.rs b/libafl/src/lib.rs index 55170850ad..421506380d 100644 
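Review bot: `to_file` and `from_file` in the `@@ -14` hunk of `libafl/src/inputs/bytes.rs` hand-roll what `std::fs::write` and `std::fs::read` already do: `std::fs::write(path, &self.bytes)?; Ok(())` and `Ok(BytesInput::new(std::fs::read(path)?))` (`fs::read` sizes its buffer from the file metadata). The `#[cfg(feature = "std")]` attribute sits above the doc comment on `to_file` but below it on `from_file`; put it in the same position on both. As shown here the hunk has lost the generic parameter lists of both signatures, presumably a rendering artifact.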
--- a/libafl/src/lib.rs +++ b/libafl/src/lib.rs @@ -9,8 +9,9 @@ extern crate alloc; #[macro_use] extern crate static_assertions; #[cfg(feature = "std")] -#[macro_use] extern crate ctor; +#[cfg(feature = "std")] +pub use ctor::ctor; // Re-export derive(SerdeAny) #[cfg(feature = "libafl_derive")] @@ -49,6 +50,9 @@ use std::{env::VarError, io, num::ParseIntError, string::FromUtf8Error}; pub enum Error { /// Serialization error Serialize(String), + /// Compression error + #[cfg(feature = "llmp_compression")] + Compression(String), /// File related error #[cfg(feature = "std")] File(io::Error), @@ -76,6 +80,8 @@ impl fmt::Display for Error { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { match self { Self::Serialize(s) => write!(f, "Error in Serialization: `{0}`", &s), + #[cfg(feature = "llmp_compression")] + Self::Compression(s) => write!(f, "Error in Compression: `{0}`", &s), #[cfg(feature = "std")] Self::File(err) => write!(f, "File IO failed: {:?}", &err), Self::EmptyOptional(s) => write!(f, "Optional value `{0}` was not set", &s), @@ -100,6 +106,21 @@ impl From for Error { } } +#[cfg(feature = "llmp_compression")] +impl From for Error { + fn from(err: compression::prelude::CompressionError) -> Self { + Self::Compression(format!("{:?}", err)) + } +} + +/// Stringify the json serializer error +#[cfg(feature = "std")] +impl From for Error { + fn from(err: serde_json::Error) -> Self { + Self::Serialize(format!("{:?}", err)) + } +} + /// Create an AFL Error from io Error #[cfg(feature = "std")] impl From for Error { 
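Review bot: The `From` impl for the compression error in the `@@ -100` hunk of `libafl/src/lib.rs` has no doc comment, while the neighbouring `serde_json` impl added in the same hunk has `/// Stringify the json serializer error`; add `/// Stringify the compression error` for symmetry. Both impls flatten the source error into its `Debug` text, which drops the original error type; that matches the existing `Serialize(String)` style, so it is a consistent choice, but worth a note in the variant docs.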
@@ -137,9 +158,9 @@ mod tests { use crate::{ bolts::tuples::tuple_list, corpus::{Corpus, InMemoryCorpus, RandCorpusScheduler, Testcase}, - executors::{Executor, ExitKind, InProcessExecutor}, - inputs::{BytesInput, Input}, - mutators::{mutation_bitflip, ComposedByMutations, StdScheduledMutator}, + executors::{ExitKind, InProcessExecutor}, + inputs::BytesInput, + mutators::{mutations::BitFlipMutator, StdScheduledMutator}, stages::StdMutationalStage, state::{HasCorpus, State}, stats::SimpleStats, @@ -150,10 +171,6 @@ mod tests { #[cfg(feature = "std")] use crate::events::SimpleEventManager; - fn harness, I: Input>(_executor: &E, _buf: &[u8]) -> ExitKind { - ExitKind::Ok - } - #[test] fn test_fuzzer() { let rand = StdRand::with_seed(0); @@ -175,9 +192,10 @@ mod tests { }); let mut event_manager = SimpleEventManager::new(stats); + let mut harness = |_buf: &[u8]| ExitKind::Ok; let mut executor = InProcessExecutor::new( "main", - harness, + &mut harness, tuple_list!(), //Box::new(|_, _, _, _, _| ()), &mut state, @@ -185,14 +203,14 @@ mod tests { ) .unwrap(); - let mut mutator = StdScheduledMutator::new(); - mutator.add_mutation(mutation_bitflip); + let mutator = StdScheduledMutator::new(tuple_list!(BitFlipMutator::new())); let stage = StdMutationalStage::new(mutator); - let fuzzer = StdFuzzer::new(RandCorpusScheduler::new(), tuple_list!(stage)); + let scheduler = RandCorpusScheduler::new(); + let mut fuzzer = StdFuzzer::new(tuple_list!(stage)); for i in 0..1000 { fuzzer - .fuzz_one(&mut state, &mut executor, &mut event_manager) + .fuzz_one(&mut state, &mut executor, &mut event_manager, &scheduler) .expect(&format!("Error in iter {}", i)); } diff --git a/libafl/src/mutators/mod.rs b/libafl/src/mutators/mod.rs index e0eaf420ea..878beaa3dc 100644 --- a/libafl/src/mutators/mod.rs +++ b/libafl/src/mutators/mod.rs 
@@ -7,11 +7,24 @@ pub use mutations::*; pub mod token_mutations; pub use token_mutations::*; -use crate::{inputs::Input, Error}; +use crate::{ + bolts::tuples::{HasLen, Named}, + inputs::Input, + Error, +}; // TODO mutator stats method that produces something that can be sent with the NewTestcase event // We can use it to report which mutations generated the testcase in the broker logs +/// The result of a mutation. +/// If the mutation got skipped, the target +/// will not be executed with the returned input. +#[derive(Clone, Copy, Debug, PartialEq)] +pub enum MutationResult { + Mutated, + Skipped, +} + /// A mutator takes input, and mutates it. /// Simple as that. pub trait Mutator 
@@ -19,15 +32,158 @@ where I: Input, { /// Mutate a given input - fn mutate(&self, state: &mut S, input: &mut I, stage_idx: i32) -> Result<(), Error>; + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result; /// Post-process given the outcome of the execution fn post_exec( - &self, + &mut self, _state: &mut S, - _is_interesting: u32, _stage_idx: i32, + _corpus_idx: Option, ) -> Result<(), Error> { Ok(()) } } + +pub trait MutatorsTuple: HasLen +where + I: Input, +{ + fn mutate_all( + &mut self, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result; + + fn post_exec_all( + &mut self, + state: &mut S, + stage_idx: i32, + corpus_idx: Option, + ) -> Result<(), Error>; + + fn get_and_mutate( + &mut self, + index: usize, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result; + + fn get_and_post_exec( + &mut self, + index: usize, + state: &mut S, + stage_idx: i32, + corpus_idx: Option, + ) -> Result<(), Error>; +} + +impl MutatorsTuple for () +where + I: Input, +{ + fn mutate_all( + &mut self, + _state: &mut S, + _input: &mut I, + _stage_idx: i32, + ) -> Result { + Ok(MutationResult::Skipped) + } + + fn post_exec_all( + &mut self, + _state: &mut S, + _stage_idx: i32, + _corpus_idx: Option, + ) -> Result<(), Error> { + Ok(()) + } + + fn get_and_mutate( + &mut self, + _index: usize, + _state: &mut S, + _input: &mut I, + _stage_idx: i32, + ) -> Result { + Ok(MutationResult::Skipped) + } + + fn get_and_post_exec( + &mut self, + _index: usize, + _state: &mut S, + _stage_idx: i32, + _corpus_idx: Option, + ) -> Result<(), Error> { + Ok(()) + } +} + +impl MutatorsTuple for (Head, Tail) +where + Head: Mutator + Named, + Tail: MutatorsTuple, + I: Input, +{ + fn mutate_all( + &mut self, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result { + let r = self.0.mutate(state, input, stage_idx)?; + if self.1.mutate_all(state, input, stage_idx)? 
== MutationResult::Mutated { + Ok(MutationResult::Mutated) + } else { + Ok(r) + } + } + + fn post_exec_all( + &mut self, + state: &mut S, + stage_idx: i32, + corpus_idx: Option, + ) -> Result<(), Error> { + self.0.post_exec(state, stage_idx, corpus_idx)?; + self.1.post_exec_all(state, stage_idx, corpus_idx) + } + + fn get_and_mutate( + &mut self, + index: usize, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result { + if index == 0 { + self.0.mutate(state, input, stage_idx) + } else { + self.1.get_and_mutate(index - 1, state, input, stage_idx) + } + } + + fn get_and_post_exec( + &mut self, + index: usize, + state: &mut S, + stage_idx: i32, + corpus_idx: Option, + ) -> Result<(), Error> { + if index == 0 { + self.0.post_exec(state, stage_idx, corpus_idx) + } else { + self.1 + .get_and_post_exec(index - 1, state, stage_idx, corpus_idx) + } + } +} diff --git a/libafl/src/mutators/mutations.rs b/libafl/src/mutators/mutations.rs index 041c4b057a..7ee4b4963b 100644 --- a/libafl/src/mutators/mutations.rs +++ b/libafl/src/mutators/mutations.rs 
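Review bot: The new public `MutatorsTuple` trait in the `@@ -19` hunk of `libafl/src/mutators/mod.rs` and its four methods have no doc comments, and the index-based `get_and_mutate`/`get_and_post_exec` silently turn an out-of-range `index` into `Ok(MutationResult::Skipped)` / `Ok(())` through the `()` base case. Since `HasLen` is a supertrait, callers can check `index < self.len()`, but that contract should be written down, e.g. `/// Runs the mutator at `index` (0-based, tuple order); an index at or past `len()` is a no-op that yields `Skipped`.` on `get_and_mutate` and the same on `get_and_post_exec`, or the `()` impl should return `Err(Error::IllegalArgument(...))` so a scheduler bug does not pass unnoticed. `mutate_all` deserves a line too: it runs every mutator in order and reports `Mutated` if any of them did.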
@@ -1,42 +1,20 @@ //! A wide variety of mutations used during fuzzing. use crate::{ + bolts::tuples::Named, corpus::Corpus, inputs::{HasBytesVec, Input}, + mutators::{MutationResult, Mutator}, state::{HasCorpus, HasMaxSize, HasRand}, utils::Rand, Error, }; use alloc::{borrow::ToOwned, vec::Vec}; -use core::cmp::{max, min}; - -/// The result of a mutation. -/// If the mutation got skipped, the target -/// will not be executed with the returned input. -#[derive(Clone, Copy, Debug)] -pub enum MutationResult { - Mutated, - Skipped, -} - -// TODO maybe the mutator arg is not needed -/// The generic function type that identifies mutations -pub type MutationFunction = fn(&mut S, &mut I) -> Result; - -pub trait ComposedByMutations -where - I: Input, -{ - /// Get a mutation by index - fn mutation_by_idx(&self, index: usize) -> MutationFunction; - - /// Get the number of mutations - fn mutations_count(&self) -> usize; - - /// Add a mutation - fn add_mutation(&mut self, mutation: MutationFunction); -} +use core::{ + cmp::{max, min}, + marker::PhantomData, +}; /// Mem move in the own vec #[inline] @@ -66,7 +44,7 @@ pub fn buffer_copy(dst: &mut [u8], src: &[u8], from: usize, to: usize, len: usiz /// A simple buffer_set. /// The compiler does the heavy lifting. -/// see https://stackoverflow.com/a/51732799/1345238 +/// see #[inline] fn buffer_set(data: &mut [u8], from: usize, len: usize, val: u8) { debug_assert!(from + len <= data.len()); 
@@ -112,578 +90,1533 @@ const INTERESTING_32: [i32; 27] = [ ]; /// Bitflip mutation for inputs with a bytes vector -pub fn mutation_bitflip(state: &mut S, input: &mut I) -> Result +#[derive(Default)] +pub struct BitFlipMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for BitFlipMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().is_empty() { + Ok(MutationResult::Skipped) + } else { + let bit = state.rand_mut().below((input.bytes().len() << 3) as u64) as usize; + unsafe { + // Moar speed, no bound check + *input.bytes_mut().get_unchecked_mut(bit >> 3) ^= (128u8 >> (bit & 7)) as u8; + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for BitFlipMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "BitFlipMutator" + } +} + +impl BitFlipMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Byteflip mutation for inputs with a bytes vector +#[derive(Default)] +pub struct ByteFlipMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for ByteFlipMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().is_empty() { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; + unsafe { + // Moar speed, no bound check + *input.bytes_mut().get_unchecked_mut(idx) ^= 0xff; + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for ByteFlipMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "ByteFlipMutator" + } +} + +impl ByteFlipMutator +where 
+ I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Byte increment mutation for inputs with a bytes vector +#[derive(Default)] +pub struct ByteIncMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for ByteIncMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().is_empty() { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; + unsafe { + // Moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx); + *ptr = (*ptr).wrapping_add(1); + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for ByteIncMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "ByteIncMutator" + } +} + +impl ByteIncMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Byte decrement mutation for inputs with a bytes vector +#[derive(Default)] +pub struct ByteDecMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for ByteDecMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().is_empty() { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; + unsafe { + // Moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx); + *ptr = (*ptr).wrapping_sub(1); + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for ByteDecMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + 
"ByteDecMutator" + } +} + +impl ByteDecMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Byte negate mutation for inputs with a bytes vector +#[derive(Default)] +pub struct ByteNegMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for ByteNegMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().is_empty() { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; + unsafe { + // Moar speed, no bound check + *input.bytes_mut().get_unchecked_mut(idx) = !(*input.bytes().get_unchecked(idx)); + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for ByteNegMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "ByteNegMutator" + } +} + +impl ByteNegMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Byte random mutation for inputs with a bytes vector +#[derive(Default)] +pub struct ByteRandMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for ByteRandMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().is_empty() { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; + unsafe { + // Moar speed, no bound check + *input.bytes_mut().get_unchecked_mut(idx) = state.rand_mut().below(256) as u8; + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for ByteRandMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ 
+ fn name(&self) -> &str { + "ByteRandMutator" + } +} + +impl ByteRandMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Byte add mutation for inputs with a bytes vector +#[derive(Default)] +pub struct ByteAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for ByteAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().is_empty() { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; + unsafe { + // Moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut u8; + let num = 1 + state.rand_mut().below(ARITH_MAX) as u8; + match state.rand_mut().below(2) { + 0 => *ptr = (*ptr).wrapping_add(num), + _ => *ptr = (*ptr).wrapping_sub(num), + }; + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for ByteAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "ByteAddMutator" + } +} + +impl ByteAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Word add mutation for inputs with a bytes vector +#[derive(Default)] +pub struct WordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for WordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().len() < 2 { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64 - 1) as usize; + unsafe { + // Moar speed, no bound check + let ptr = 
input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16; + let num = 1 + state.rand_mut().below(ARITH_MAX) as u16; + match state.rand_mut().below(4) { + 0 => *ptr = (*ptr).wrapping_add(num), + 1 => *ptr = (*ptr).wrapping_sub(num), + 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(), + _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(), + }; + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for WordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "WordAddMutator" + } +} + +impl WordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Dword add mutation for inputs with a bytes vector +#[derive(Default)] +pub struct DwordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for DwordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().len() < 4 { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64 - 3) as usize; + unsafe { + // Moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32; + let num = 1 + state.rand_mut().below(ARITH_MAX) as u32; + match state.rand_mut().below(4) { + 0 => *ptr = (*ptr).wrapping_add(num), + 1 => *ptr = (*ptr).wrapping_sub(num), + 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(), + _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(), + }; + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for DwordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "DwordAddMutator" + } +} + +impl DwordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> 
Self { + Self { + phantom: PhantomData, + } + } +} + +/// Qword add mutation for inputs with a bytes vector +#[derive(Default)] +pub struct QwordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for QwordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().len() < 8 { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64 - 7) as usize; + unsafe { + // Moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u64; + let num = 1 + state.rand_mut().below(ARITH_MAX) as u64; + match state.rand_mut().below(4) { + 0 => *ptr = (*ptr).wrapping_add(num), + 1 => *ptr = (*ptr).wrapping_sub(num), + 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(), + _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(), + }; + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for QwordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "QwordAddMutator" + } +} + +impl QwordAddMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Byte interesting mutation for inputs with a bytes vector +#[derive(Default)] +pub struct ByteInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for ByteInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + #[allow(clippy::cast_sign_loss)] + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().is_empty() { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; + let val = + 
INTERESTING_8[state.rand_mut().below(INTERESTING_8.len() as u64) as usize] as u8; + unsafe { + // Moar speed, no bound check + *input.bytes_mut().get_unchecked_mut(idx) = val; + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for ByteInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "ByteInterestingMutator" + } +} + +impl ByteInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Word interesting mutation for inputs with a bytes vector +#[derive(Default)] +pub struct WordInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for WordInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + #[allow(clippy::cast_sign_loss)] + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().len() < 2 { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64 - 1) as usize; + let val = + INTERESTING_16[state.rand_mut().below(INTERESTING_8.len() as u64) as usize] as u16; + unsafe { + // Moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16; + if state.rand_mut().below(2) == 0 { + *ptr = val; + } else { + *ptr = val.swap_bytes(); + } + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for WordInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "WordInterestingMutator" + } +} + +impl WordInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Dword interesting mutation for inputs with a bytes vector +#[derive(Default)] +pub struct DwordInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: 
Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for DwordInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + #[allow(clippy::cast_sign_loss)] + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + if input.bytes().len() < 4 { + Ok(MutationResult::Skipped) + } else { + let idx = state.rand_mut().below(input.bytes().len() as u64 - 3) as usize; + let val = + INTERESTING_32[state.rand_mut().below(INTERESTING_8.len() as u64) as usize] as u32; + unsafe { + // Moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32; + if state.rand_mut().below(2) == 0 { + *ptr = val; + } else { + *ptr = val.swap_bytes(); + } + } + Ok(MutationResult::Mutated) + } + } +} + +impl Named for DwordInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "DwordInterestingMutator" + } +} + +impl DwordInterestingMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Bytes delete mutation for inputs with a bytes vector +#[derive(Default)] +pub struct BytesDeleteMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for BytesDeleteMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let size = input.bytes().len(); + if size <= 2 { + return Ok(MutationResult::Skipped); + } + + let off = state.rand_mut().below(size as u64) as usize; + let len = state.rand_mut().below((size - off) as u64) as usize; + input.bytes_mut().drain(off..off + len); + + Ok(MutationResult::Mutated) + } +} + +impl Named for BytesDeleteMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "BytesDeleteMutator" + } +} + +impl 
BytesDeleteMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Bytes expand mutation for inputs with a bytes vector +#[derive(Default)] +pub struct BytesExpandMutator where I: Input + HasBytesVec, S: HasRand + HasMaxSize, R: Rand, { - if input.bytes().is_empty() { - Ok(MutationResult::Skipped) - } else { - let bit = state.rand_mut().below((input.bytes().len() << 3) as u64) as usize; - unsafe { - // Moar speed, no bound check - *input.bytes_mut().get_unchecked_mut(bit >> 3) ^= (128 >> (bit & 7)) as u8; - } - Ok(MutationResult::Mutated) - } + phantom: PhantomData<(I, R, S)>, } -pub fn mutation_byteflip(state: &mut S, input: &mut I) -> Result +impl Mutator for BytesExpandMutator where I: Input + HasBytesVec, - S: HasRand, + S: HasRand + HasMaxSize, R: Rand, { - if input.bytes().is_empty() { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; - unsafe { - // Moar speed, no bound check - *input.bytes_mut().get_unchecked_mut(idx) ^= 0xff; - } - Ok(MutationResult::Mutated) - } -} + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let max_size = state.max_size(); + let size = input.bytes().len(); + let off = state.rand_mut().below((size + 1) as u64) as usize; + let mut len = 1 + state.rand_mut().below(16) as usize; -pub fn mutation_byteinc(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().is_empty() { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; - unsafe { - // Moar speed, no bound check - let ptr = input.bytes_mut().get_unchecked_mut(idx); - *ptr = (*ptr).wrapping_add(1); - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_bytedec(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ 
- if input.bytes().is_empty() { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; - unsafe { - // Moar speed, no bound check - let ptr = input.bytes_mut().get_unchecked_mut(idx); - *ptr = (*ptr).wrapping_sub(1); - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_byteneg(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().is_empty() { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; - unsafe { - // Moar speed, no bound check - *input.bytes_mut().get_unchecked_mut(idx) = !(*input.bytes().get_unchecked(idx)); - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_byterand(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().is_empty() { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; - unsafe { - // Moar speed, no bound check - *input.bytes_mut().get_unchecked_mut(idx) = state.rand_mut().below(256) as u8; - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_byteadd(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().is_empty() { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; - unsafe { - // Moar speed, no bound check - let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut u8; - let num = 1 + state.rand_mut().below(ARITH_MAX) as u8; - match state.rand_mut().below(2) { - 0 => *ptr = (*ptr).wrapping_add(num), - _ => *ptr = (*ptr).wrapping_sub(num), - }; - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_wordadd(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().len() < 2 { - Ok(MutationResult::Skipped) - } else { 
- let idx = state.rand_mut().below(input.bytes().len() as u64 - 1) as usize; - unsafe { - // Moar speed, no bound check - let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16; - let num = 1 + state.rand_mut().below(ARITH_MAX) as u16; - match state.rand_mut().below(4) { - 0 => *ptr = (*ptr).wrapping_add(num), - 1 => *ptr = (*ptr).wrapping_sub(num), - 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(), - _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(), - }; - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_dwordadd(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().len() < 4 { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64 - 3) as usize; - unsafe { - // Moar speed, no bound check - let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32; - let num = 1 + state.rand_mut().below(ARITH_MAX) as u32; - match state.rand_mut().below(4) { - 0 => *ptr = (*ptr).wrapping_add(num), - 1 => *ptr = (*ptr).wrapping_sub(num), - 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(), - _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(), - }; - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_qwordadd(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().len() < 8 { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64 - 7) as usize; - unsafe { - // Moar speed, no bound check - let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u64; - let num = 1 + state.rand_mut().below(ARITH_MAX) as u64; - match state.rand_mut().below(4) { - 0 => *ptr = (*ptr).wrapping_add(num), - 1 => *ptr = (*ptr).wrapping_sub(num), - 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(), - _ => *ptr = 
((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(), - }; - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_byteinteresting( - state: &mut S, - input: &mut I, -) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().is_empty() { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64) as usize; - let val = INTERESTING_8[state.rand_mut().below(INTERESTING_8.len() as u64) as usize] as u8; - unsafe { - // Moar speed, no bound check - *input.bytes_mut().get_unchecked_mut(idx) = val; - } - Ok(MutationResult::Mutated) - } -} - -pub fn mutation_wordinteresting( - state: &mut S, - input: &mut I, -) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - if input.bytes().len() < 2 { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64 - 1) as usize; - let val = - INTERESTING_16[state.rand_mut().below(INTERESTING_8.len() as u64) as usize] as u16; - unsafe { - // Moar speed, no bound check - let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16; - if state.rand_mut().below(2) == 0 { - *ptr = val; + if size + len > max_size { + if max_size > size { + len = max_size - size; } else { - *ptr = val.swap_bytes(); + return Ok(MutationResult::Skipped); } } + + input.bytes_mut().resize(size + len, 0); + buffer_self_copy(input.bytes_mut(), off, off + len, size - off); + Ok(MutationResult::Mutated) } } -pub fn mutation_dwordinteresting( - state: &mut S, - input: &mut I, -) -> Result +impl Named for BytesExpandMutator where I: Input + HasBytesVec, - S: HasRand, + S: HasRand + HasMaxSize, R: Rand, { - if input.bytes().len() < 4 { - Ok(MutationResult::Skipped) - } else { - let idx = state.rand_mut().below(input.bytes().len() as u64 - 3) as usize; - let val = - INTERESTING_32[state.rand_mut().below(INTERESTING_8.len() as u64) as usize] as u32; - unsafe { - // Moar speed, no bound check - let ptr = 
input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32; - if state.rand_mut().below(2) == 0 { - *ptr = val; + fn name(&self) -> &str { + "BytesExpandMutator" + } +} + +impl BytesExpandMutator +where + I: Input + HasBytesVec, + S: HasRand + HasMaxSize, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Bytes insert mutation for inputs with a bytes vector +#[derive(Default)] +pub struct BytesInsertMutator +where + I: Input + HasBytesVec, + S: HasRand + HasMaxSize, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for BytesInsertMutator +where + I: Input + HasBytesVec, + S: HasRand + HasMaxSize, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let max_size = state.max_size(); + let size = input.bytes().len(); + if size == 0 { + return Ok(MutationResult::Skipped); + } + let off = state.rand_mut().below((size + 1) as u64) as usize; + let mut len = 1 + state.rand_mut().below(16) as usize; + + if size + len > max_size { + if max_size > size { + len = max_size - size; } else { - *ptr = val.swap_bytes(); + return Ok(MutationResult::Skipped); } } + + let val = input.bytes()[state.rand_mut().below(size as u64) as usize]; + + input.bytes_mut().resize(size + len, 0); + buffer_self_copy(input.bytes_mut(), off, off + len, size - off); + buffer_set(input.bytes_mut(), off, len, val); + Ok(MutationResult::Mutated) } } -pub fn mutation_bytesdelete(state: &mut S, input: &mut I) -> Result -where - I: Input + HasBytesVec, - S: HasRand, - R: Rand, -{ - let size = input.bytes().len(); - if size <= 2 { - return Ok(MutationResult::Skipped); - } - - let off = state.rand_mut().below(size as u64) as usize; - let len = state.rand_mut().below((size - off) as u64) as usize; - input.bytes_mut().drain(off..off + len); - - Ok(MutationResult::Mutated) -} - -pub fn mutation_bytesexpand(state: &mut S, input: &mut I) -> Result +impl Named for BytesInsertMutator where I: Input + 
HasBytesVec, S: HasRand + HasMaxSize, R: Rand, { - let max_size = state.max_size(); - let size = input.bytes().len(); - let off = state.rand_mut().below((size + 1) as u64) as usize; - let mut len = 1 + state.rand_mut().below(16) as usize; - - if size + len > max_size { - if max_size > size { - len = max_size - size; - } else { - return Ok(MutationResult::Skipped); - } + fn name(&self) -> &str { + "BytesInsertMutator" } - - input.bytes_mut().resize(size + len, 0); - buffer_self_copy(input.bytes_mut(), off, off + len, size - off); - - Ok(MutationResult::Mutated) } -pub fn mutation_bytesinsert(state: &mut S, input: &mut I) -> Result +impl BytesInsertMutator where I: Input + HasBytesVec, S: HasRand + HasMaxSize, R: Rand, { - let max_size = state.max_size(); - let size = input.bytes().len(); - if size == 0 { - return Ok(MutationResult::Skipped); - } - let off = state.rand_mut().below((size + 1) as u64) as usize; - let mut len = 1 + state.rand_mut().below(16) as usize; - - if size + len > max_size { - if max_size > size { - len = max_size - size; - } else { - return Ok(MutationResult::Skipped); + pub fn new() -> Self { + Self { + phantom: PhantomData, } } - - let val = input.bytes()[state.rand_mut().below(size as u64) as usize]; - - input.bytes_mut().resize(size + len, 0); - buffer_self_copy(input.bytes_mut(), off, off + len, size - off); - buffer_set(input.bytes_mut(), off, len, val); - - Ok(MutationResult::Mutated) } -pub fn mutation_bytesrandinsert( - state: &mut S, - input: &mut I, -) -> Result +/// Bytes random insert mutation for inputs with a bytes vector +#[derive(Default)] +pub struct BytesRandInsertMutator where I: Input + HasBytesVec, S: HasRand + HasMaxSize, R: Rand, { - let max_size = state.max_size(); - let size = input.bytes().len(); - let off = state.rand_mut().below((size + 1) as u64) as usize; - let mut len = 1 + state.rand_mut().below(16) as usize; + phantom: PhantomData<(I, R, S)>, +} - if size + len > max_size { - if max_size > size { - len = 
max_size - size; - } else { - return Ok(MutationResult::Skipped); +impl Mutator for BytesRandInsertMutator +where + I: Input + HasBytesVec, + S: HasRand + HasMaxSize, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let max_size = state.max_size(); + let size = input.bytes().len(); + let off = state.rand_mut().below((size + 1) as u64) as usize; + let mut len = 1 + state.rand_mut().below(16) as usize; + + if size + len > max_size { + if max_size > size { + len = max_size - size; + } else { + return Ok(MutationResult::Skipped); + } + } + + let val = state.rand_mut().below(256) as u8; + + input.bytes_mut().resize(size + len, 0); + buffer_self_copy(input.bytes_mut(), off, off + len, size - off); + buffer_set(input.bytes_mut(), off, len, val); + + Ok(MutationResult::Mutated) + } +} + +impl Named for BytesRandInsertMutator +where + I: Input + HasBytesVec, + S: HasRand + HasMaxSize, + R: Rand, +{ + fn name(&self) -> &str { + "BytesRandInsertMutator" + } +} + +impl BytesRandInsertMutator +where + I: Input + HasBytesVec, + S: HasRand + HasMaxSize, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, } } - - let val = state.rand_mut().below(256) as u8; - - input.bytes_mut().resize(size + len, 0); - buffer_self_copy(input.bytes_mut(), off, off + len, size - off); - buffer_set(input.bytes_mut(), off, len, val); - - Ok(MutationResult::Mutated) } -pub fn mutation_bytesset(state: &mut S, input: &mut I) -> Result +/// Bytes set mutation for inputs with a bytes vector +#[derive(Default)] +pub struct BytesSetMutator where I: Input + HasBytesVec, S: HasRand, R: Rand, { - let size = input.bytes().len(); - if size == 0 { - return Ok(MutationResult::Skipped); - } - let off = state.rand_mut().below(size as u64) as usize; - let len = 1 + state.rand_mut().below(min(16, size - off) as u64) as usize; - - let val = input.bytes()[state.rand_mut().below(size as u64) as usize]; - - buffer_set(input.bytes_mut(), off, 
len, val); - - Ok(MutationResult::Mutated) + phantom: PhantomData<(I, R, S)>, } -pub fn mutation_bytesrandset(state: &mut S, input: &mut I) -> Result +impl Mutator for BytesSetMutator where I: Input + HasBytesVec, S: HasRand, R: Rand, { - let size = input.bytes().len(); - if size == 0 { - return Ok(MutationResult::Skipped); + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let size = input.bytes().len(); + if size == 0 { + return Ok(MutationResult::Skipped); + } + let off = state.rand_mut().below(size as u64) as usize; + let len = 1 + state.rand_mut().below(min(16, size - off) as u64) as usize; + + let val = input.bytes()[state.rand_mut().below(size as u64) as usize]; + + buffer_set(input.bytes_mut(), off, len, val); + + Ok(MutationResult::Mutated) } - let off = state.rand_mut().below(size as u64) as usize; - let len = 1 + state.rand_mut().below(min(16, size - off) as u64) as usize; - - let val = state.rand_mut().below(256) as u8; - - buffer_set(input.bytes_mut(), off, len, val); - - Ok(MutationResult::Mutated) } -pub fn mutation_bytescopy(state: &mut S, input: &mut I) -> Result +impl Named for BytesSetMutator where I: Input + HasBytesVec, S: HasRand, R: Rand, { - let size = input.bytes().len(); - if size <= 1 { - return Ok(MutationResult::Skipped); + fn name(&self) -> &str { + "BytesSetMutator" } - - let from = state.rand_mut().below(input.bytes().len() as u64) as usize; - let to = state.rand_mut().below(input.bytes().len() as u64) as usize; - let len = 1 + state.rand_mut().below((size - max(from, to)) as u64) as usize; - - buffer_self_copy(input.bytes_mut(), from, to, len); - - Ok(MutationResult::Mutated) } -pub fn mutation_bytesswap(state: &mut S, input: &mut I) -> Result +impl BytesSetMutator where I: Input + HasBytesVec, S: HasRand, R: Rand, { - let size = input.bytes().len(); - if size <= 1 { - return Ok(MutationResult::Skipped); + pub fn new() -> Self { + Self { + phantom: PhantomData, + } } - - let first = 
state.rand_mut().below(input.bytes().len() as u64) as usize; - let second = state.rand_mut().below(input.bytes().len() as u64) as usize; - let len = 1 + state.rand_mut().below((size - max(first, second)) as u64) as usize; - - let tmp = input.bytes()[first..(first + len)].to_vec(); - buffer_self_copy(input.bytes_mut(), second, first, len); - buffer_copy(input.bytes_mut(), &tmp, 0, second, len); - - Ok(MutationResult::Mutated) } -/// Crossover insert mutation -pub fn mutation_crossover_insert( - state: &mut S, - input: &mut I, -) -> Result +/// Bytes random set mutation for inputs with a bytes vector +#[derive(Default)] +pub struct BytesRandSetMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for BytesRandSetMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let size = input.bytes().len(); + if size == 0 { + return Ok(MutationResult::Skipped); + } + let off = state.rand_mut().below(size as u64) as usize; + let len = 1 + state.rand_mut().below(min(16, size - off) as u64) as usize; + + let val = state.rand_mut().below(256) as u8; + + buffer_set(input.bytes_mut(), off, len, val); + + Ok(MutationResult::Mutated) + } +} + +impl Named for BytesRandSetMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "BytesRandSetMutator" + } +} + +impl BytesRandSetMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Bytes copy mutation for inputs with a bytes vector +#[derive(Default)] +pub struct BytesCopyMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for BytesCopyMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + 
_stage_idx: i32, + ) -> Result { + let size = input.bytes().len(); + if size <= 1 { + return Ok(MutationResult::Skipped); + } + + let from = state.rand_mut().below(input.bytes().len() as u64) as usize; + let to = state.rand_mut().below(input.bytes().len() as u64) as usize; + let len = 1 + state.rand_mut().below((size - max(from, to)) as u64) as usize; + + buffer_self_copy(input.bytes_mut(), from, to, len); + + Ok(MutationResult::Mutated) + } +} + +impl Named for BytesCopyMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "BytesCopyMutator" + } +} + +impl BytesCopyMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Bytes swap mutation for inputs with a bytes vector +#[derive(Default)] +pub struct BytesSwapMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for BytesSwapMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let size = input.bytes().len(); + if size <= 1 { + return Ok(MutationResult::Skipped); + } + + let first = state.rand_mut().below(input.bytes().len() as u64) as usize; + let second = state.rand_mut().below(input.bytes().len() as u64) as usize; + let len = 1 + state.rand_mut().below((size - max(first, second)) as u64) as usize; + + let tmp = input.bytes()[first..(first + len)].to_vec(); + buffer_self_copy(input.bytes_mut(), second, first, len); + buffer_copy(input.bytes_mut(), &tmp, 0, second, len); + + Ok(MutationResult::Mutated) + } +} + +impl Named for BytesSwapMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + fn name(&self) -> &str { + "BytesSwapMutator" + } +} + +impl BytesSwapMutator +where + I: Input + HasBytesVec, + S: HasRand, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + 
} +} + +/// Crossover insert mutation for inputs with a bytes vector +#[derive(Default)] +pub struct CrossoverInsertMutator where C: Corpus, I: Input + HasBytesVec, R: Rand, S: HasRand + HasCorpus + HasMaxSize, { - let size = input.bytes().len(); - - // We don't want to use the testcase we're already using for splicing - let count = state.corpus().count(); - let idx = state.rand_mut().below(count as u64) as usize; - if let Some(cur) = state.corpus().current() { - if idx == *cur { - return Ok(MutationResult::Skipped); - } - } - - let other_size = state - .corpus() - .get(idx)? - .borrow_mut() - .load_input()? - .bytes() - .len(); - if other_size < 2 { - return Ok(MutationResult::Skipped); - } - - let max_size = state.max_size(); - let from = state.rand_mut().below(other_size as u64) as usize; - let to = state.rand_mut().below(size as u64) as usize; - let mut len = state.rand_mut().below((other_size - from) as u64) as usize; - - let mut other_testcase = state.corpus().get(idx)?.borrow_mut(); - let other = other_testcase.load_input()?; - - if size + len > max_size { - if max_size > size { - len = max_size - size; - } else { - return Ok(MutationResult::Skipped); - } - } - - input.bytes_mut().resize(size + len, 0); - buffer_self_copy(input.bytes_mut(), to, to + len, size - to); - buffer_copy(input.bytes_mut(), other.bytes(), from, to, len); - - Ok(MutationResult::Mutated) + phantom: PhantomData<(C, I, R, S)>, } -/// Crossover replace mutation -pub fn mutation_crossover_replace( - state: &mut S, - input: &mut I, -) -> Result +impl Mutator for CrossoverInsertMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + HasCorpus + HasMaxSize, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let size = input.bytes().len(); + + // We don't want to use the testcase we're already using for splicing + let count = state.corpus().count(); + let idx = state.rand_mut().below(count as u64) as usize; + if let 
Some(cur) = state.corpus().current() { + if idx == *cur { + return Ok(MutationResult::Skipped); + } + } + + let other_size = state + .corpus() + .get(idx)? + .borrow_mut() + .load_input()? + .bytes() + .len(); + if other_size < 2 { + return Ok(MutationResult::Skipped); + } + + let max_size = state.max_size(); + let from = state.rand_mut().below(other_size as u64) as usize; + let to = state.rand_mut().below(size as u64) as usize; + let mut len = state.rand_mut().below((other_size - from) as u64) as usize; + + let mut other_testcase = state.corpus().get(idx)?.borrow_mut(); + let other = other_testcase.load_input()?; + + if size + len > max_size { + if max_size > size { + len = max_size - size; + } else { + return Ok(MutationResult::Skipped); + } + } + + input.bytes_mut().resize(size + len, 0); + buffer_self_copy(input.bytes_mut(), to, to + len, size - to); + buffer_copy(input.bytes_mut(), other.bytes(), from, to, len); + + Ok(MutationResult::Mutated) + } +} + +impl Named for CrossoverInsertMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + HasCorpus + HasMaxSize, +{ + fn name(&self) -> &str { + "CrossoverInsertMutator" + } +} + +impl CrossoverInsertMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + HasCorpus + HasMaxSize, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +/// Crossover replace mutation for inputs with a bytes vector +#[derive(Default)] +pub struct CrossoverReplaceMutator where C: Corpus, I: Input + HasBytesVec, R: Rand, S: HasRand + HasCorpus, { - let size = input.bytes().len(); + phantom: PhantomData<(C, I, R, S)>, +} - // We don't want to use the testcase we're already using for splicing - let count = state.corpus().count(); - let idx = state.rand_mut().below(count as u64) as usize; - if let Some(cur) = state.corpus().current() { - if idx == *cur { +impl Mutator for CrossoverReplaceMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + 
HasCorpus, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let size = input.bytes().len(); + + // We don't want to use the testcase we're already using for splicing + let count = state.corpus().count(); + let idx = state.rand_mut().below(count as u64) as usize; + if let Some(cur) = state.corpus().current() { + if idx == *cur { + return Ok(MutationResult::Skipped); + } + } + + let other_size = state + .corpus() + .get(idx)? + .borrow_mut() + .load_input()? + .bytes() + .len(); + if other_size < 2 { return Ok(MutationResult::Skipped); } + + let from = state.rand_mut().below(other_size as u64) as usize; + let len = state.rand_mut().below(min(other_size - from, size) as u64) as usize; + let to = state.rand_mut().below((size - len) as u64) as usize; + + let mut other_testcase = state.corpus().get(idx)?.borrow_mut(); + let other = other_testcase.load_input()?; + + buffer_copy(input.bytes_mut(), other.bytes(), from, to, len); + + Ok(MutationResult::Mutated) } +} - let other_size = state - .corpus() - .get(idx)? - .borrow_mut() - .load_input()? 
- .bytes() - .len(); - if other_size < 2 { - return Ok(MutationResult::Skipped); +impl Named for CrossoverReplaceMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + HasCorpus, +{ + fn name(&self) -> &str { + "CrossoverReplaceMutator" } +} - let from = state.rand_mut().below(other_size as u64) as usize; - let len = state.rand_mut().below(min(other_size - from, size) as u64) as usize; - let to = state.rand_mut().below((size - len) as u64) as usize; - - let mut other_testcase = state.corpus().get(idx)?.borrow_mut(); - let other = other_testcase.load_input()?; - - buffer_copy(input.bytes_mut(), other.bytes(), from, to, len); - - Ok(MutationResult::Mutated) +impl CrossoverReplaceMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + HasCorpus, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } } /// Returns the first and last diff position between the given vectors, stopping at the min len 
@@ -702,52 +1635,95 @@ fn locate_diffs(this: &[u8], other: &[u8]) -> (i64, i64) { (first_diff, last_diff) } -/// Splicing mutation from AFL -pub fn mutation_splice(state: &mut S, input: &mut I) -> Result +/// Splice mutation for inputs with a bytes vector +#[derive(Default)] +pub struct SpliceMutator where C: Corpus, I: Input + HasBytesVec, R: Rand, S: HasRand + HasCorpus, { - // We don't want to use the testcase we're already using for splicing - let count = state.corpus().count(); - let idx = state.rand_mut().below(count as u64) as usize; - if let Some(cur) = state.corpus().current() { - if idx == *cur { - return Ok(MutationResult::Skipped); - } - } + phantom: PhantomData<(C, I, R, S)>, +} - let (first_diff, last_diff) = { - let mut other_testcase = state.corpus().get(idx)?.borrow_mut(); - let other = other_testcase.load_input()?; - - let mut counter = 0; - loop { - let (f, l) = locate_diffs(input.bytes(), other.bytes()); - - if f != l && f >= 0 && l >= 2 { - break (f, l); - } - if counter == 3 { +impl Mutator for SpliceMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + HasCorpus, +{ + #[allow(clippy::cast_sign_loss)] + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + // We don't want to use the testcase we're already using for splicing + let count = state.corpus().count(); + let idx = state.rand_mut().below(count as u64) as usize; + if let Some(cur) = state.corpus().current() { + if idx == *cur { return Ok(MutationResult::Skipped); } - counter += 1; } - }; - let split_at = state - .rand_mut() - .between(first_diff as u64, last_diff as u64) as usize; + let (first_diff, last_diff) = { + let mut other_testcase = state.corpus().get(idx)?.borrow_mut(); + let other = other_testcase.load_input()?; - let mut other_testcase = state.corpus().get(idx)?.borrow_mut(); - let other = other_testcase.load_input()?; - input - .bytes_mut() - .splice(split_at.., other.bytes()[split_at..].iter().cloned()); + 
let mut counter: u32 = 0; + loop { + let (f, l) = locate_diffs(input.bytes(), other.bytes()); - Ok(MutationResult::Mutated) + if f != l && f >= 0 && l >= 2 { + break (f as u64, l as u64); + } + if counter == 3 { + return Ok(MutationResult::Skipped); + } + counter += 1; + } + }; + + let split_at = state.rand_mut().between(first_diff, last_diff) as usize; + + let mut other_testcase = state.corpus().get(idx)?.borrow_mut(); + let other = other_testcase.load_input()?; + input + .bytes_mut() + .splice(split_at.., other.bytes()[split_at..].iter().cloned()); + + Ok(MutationResult::Mutated) + } +} + +impl Named for SpliceMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + HasCorpus, +{ + fn name(&self) -> &str { + "SpliceMutator" + } +} + +impl SpliceMutator +where + C: Corpus, + I: Input + HasBytesVec, + R: Rand, + S: HasRand + HasCorpus, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } } // Converts a hex u8 to its u8 value: 'A' -> 10 etc. 
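Review bot: The retry loop in `SpliceMutator::mutate` calls `locate_diffs(input.bytes(), other.bytes())` up to four times with the same two slices, so every iteration returns the same pair and `counter` only delays the `Skipped` return. Either draw a fresh `idx` (and reload `other`) on each retry, which is presumably what the AFL-style splice intends, or collapse it to a single call: `let (f, l) = locate_diffs(input.bytes(), other.bytes()); if f == l || f < 0 || l < 2 { return Ok(MutationResult::Skipped); }`. The method-wide `#[allow(clippy::cast_sign_loss)]` deserves a one-line justification next to the casts, e.g. `// f >= 0 and l >= 2 were checked above, so the casts cannot lose the sign`.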
@@ -801,13 +1777,50 @@ mod tests { use super::*; use crate::{ + bolts::tuples::tuple_list, + bolts::tuples::HasLen, corpus::{Corpus, InMemoryCorpus}, inputs::BytesInput, - mutators::{mutation_tokeninsert, mutation_tokenreplace}, - state::State, + mutators::MutatorsTuple, + state::{HasMetadata, State}, utils::StdRand, }; + fn test_mutations() -> impl MutatorsTuple + where + I: Input + HasBytesVec, + S: HasRand + HasCorpus + HasMetadata + HasMaxSize, + C: Corpus, + R: Rand, + { + tuple_list!( + BitFlipMutator::new(), + ByteFlipMutator::new(), + ByteIncMutator::new(), + ByteDecMutator::new(), + ByteNegMutator::new(), + ByteRandMutator::new(), + ByteAddMutator::new(), + WordAddMutator::new(), + DwordAddMutator::new(), + QwordAddMutator::new(), + ByteInterestingMutator::new(), + WordInterestingMutator::new(), + DwordInterestingMutator::new(), + BytesDeleteMutator::new(), + BytesDeleteMutator::new(), + BytesDeleteMutator::new(), + BytesDeleteMutator::new(), + BytesExpandMutator::new(), + BytesInsertMutator::new(), + BytesRandInsertMutator::new(), + BytesSetMutator::new(), + BytesRandSetMutator::new(), + BytesCopyMutator::new(), + BytesSwapMutator::new(), + ) + } + #[test] fn test_mutators() { let mut inputs = vec![ 
@@ -829,43 +1842,16 @@ mod tests { let mut state = State::new(rand, corpus, (), InMemoryCorpus::new(), ()); - let mut mutations: Vec> = vec![]; - - mutations.push(mutation_bitflip); - mutations.push(mutation_byteflip); - mutations.push(mutation_byteinc); - mutations.push(mutation_bytedec); - mutations.push(mutation_byteneg); - mutations.push(mutation_byterand); - mutations.push(mutation_byteadd); - mutations.push(mutation_wordadd); - mutations.push(mutation_dwordadd); - mutations.push(mutation_qwordadd); - mutations.push(mutation_byteinteresting); - mutations.push(mutation_wordinteresting); - mutations.push(mutation_dwordinteresting); - - mutations.push(mutation_bytesdelete); - mutations.push(mutation_bytesdelete); - mutations.push(mutation_bytesdelete); - mutations.push(mutation_bytesdelete); - mutations.push(mutation_bytesexpand); - mutations.push(mutation_bytesinsert); - mutations.push(mutation_bytesrandinsert); - mutations.push(mutation_bytesset); - mutations.push(mutation_bytesrandset); - mutations.push(mutation_bytescopy); - mutations.push(mutation_bytesswap); - - mutations.push(mutation_tokeninsert); - mutations.push(mutation_tokenreplace); - + let mut mutations = test_mutations(); for _ in 0..2 { let mut new_testcases = vec![]; - for mutation in &mutations { + for idx in 0..(mutations.len()) { for input in inputs.iter() { let mut mutant = input.clone(); - match mutation(&mut state, &mut mutant).unwrap() { + match mutations + .get_and_mutate(idx, &mut state, &mut mutant, 0) + .unwrap() + { MutationResult::Mutated => new_testcases.push(mutant), MutationResult::Skipped => (), }; diff --git a/libafl/src/mutators/scheduled.rs b/libafl/src/mutators/scheduled.rs index 2c309d46df..2a7e3f4b99 100644 --- a/libafl/src/mutators/scheduled.rs +++ b/libafl/src/mutators/scheduled.rs 
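Review bot: `test_mutations()` omits `TokenInsert`/`TokenReplace` even though the removed test body still pushed `mutation_tokeninsert` and `mutation_tokenreplace`, so the token mutators lose their only exercise in `test_mutators`. They return `Skipped` when the state has no `Tokens` metadata, so adding `TokenInsert::new(), TokenReplace::new(),` to the tuple is harmless; if the omission is deliberate, say so with a comment on the tuple such as `// token mutators are covered in token_mutations::tests`. The four repeated `BytesDeleteMutator::new()` entries also want `// repeated on purpose to weight deletions, as in havoc_mutations()` so a later cleanup does not deduplicate them. The body of `test_mutators` continues past both hunks.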
@@ -1,108 +1,163 @@ +//! The `ScheduledMutator` schedules multiple mutations internally. + +use alloc::string::String; use alloc::vec::Vec; use core::{ - default::Default, fmt::{self, Debug}, marker::PhantomData, }; +use serde::{Deserialize, Serialize}; use crate::{ + bolts::tuples::{tuple_list, NamedTuple}, corpus::Corpus, inputs::{HasBytesVec, Input}, - mutators::Mutator, + mutators::{MutationResult, Mutator, MutatorsTuple}, state::{HasCorpus, HasMaxSize, HasMetadata, HasRand}, - utils::Rand, + utils::{AsSlice, Rand}, Error, }; pub use crate::mutators::mutations::*; pub use crate::mutators::token_mutations::*; -pub trait ScheduledMutator: Mutator + ComposedByMutations +#[derive(Serialize, Deserialize)] +pub struct MutationsMetadata { + pub list: Vec, +} + +crate::impl_serdeany!(MutationsMetadata); + +impl AsSlice for MutationsMetadata { + fn as_slice(&self) -> &[String] { + self.list.as_slice() + } +} + +impl MutationsMetadata { + pub fn new(list: Vec) -> Self { + Self { list } + } +} + +pub trait ComposedByMutations where I: Input, + MT: MutatorsTuple, +{ + /// Get the mutations + fn mutations(&self) -> &MT; + + // Get the mutations (mut) + fn mutations_mut(&mut self) -> &mut MT; +} + +pub trait ScheduledMutator: ComposedByMutations + Mutator +where + I: Input, + MT: MutatorsTuple, { /// Compute the number of iterations used to apply stacked mutations fn iterations(&self, state: &mut S, input: &I) -> u64; /// Get the next mutation to apply - fn schedule(&self, mutations_count: usize, state: &mut S, input: &I) -> usize; + fn schedule(&self, state: &mut S, input: &I) -> usize; /// New default implementation for mutate /// Implementations must forward mutate() to this method - fn scheduled_mutate(&self, state: &mut S, input: &mut I, _stage_idx: i32) -> Result<(), Error> { + fn scheduled_mutate( + &mut self, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result { + let mut r = MutationResult::Skipped; let num = self.iterations(state, input); for _ in 
0..num { - let idx = self.schedule(self.mutations_count(), state, input); - self.mutation_by_idx(idx)(state, input)?; + let idx = self.schedule(state, input); + let outcome = self + .mutations_mut() + .get_and_mutate(idx, state, input, stage_idx)?; + if outcome == MutationResult::Mutated { + r = MutationResult::Mutated; + } } - Ok(()) + Ok(r) } } -pub struct StdScheduledMutator +pub struct StdScheduledMutator where I: Input, - S: HasRand, + MT: MutatorsTuple, R: Rand, + S: HasRand, { - mutations: Vec>, - phantom: PhantomData, + mutations: MT, + phantom: PhantomData<(I, R, S)>, } -impl Debug for StdScheduledMutator +impl Debug for StdScheduledMutator where I: Input, - S: HasRand, + MT: MutatorsTuple, R: Rand, + S: HasRand, { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { write!( f, - "StdScheduledMutator with {} Mutations for Input type {}", + "StdScheduledMutator with {} mutations for Input type {}", self.mutations.len(), core::any::type_name::() ) } } -impl Mutator for StdScheduledMutator +impl Mutator for StdScheduledMutator where I: Input, - S: HasRand, + MT: MutatorsTuple, R: Rand, + S: HasRand, { - fn mutate(&self, state: &mut S, input: &mut I, _stage_idx: i32) -> Result<(), Error> { - self.scheduled_mutate(state, input, _stage_idx) + #[inline] + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result { + self.scheduled_mutate(state, input, stage_idx) } } -impl ComposedByMutations for StdScheduledMutator +impl ComposedByMutations for StdScheduledMutator where I: Input, - S: HasRand, + MT: MutatorsTuple, R: Rand, + S: HasRand, { + /// Get the mutations #[inline] - fn mutation_by_idx(&self, index: usize) -> MutationFunction { - self.mutations[index] + fn mutations(&self) -> &MT { + &self.mutations } + // Get the mutations (mut) #[inline] - fn mutations_count(&self) -> usize { - self.mutations.len() - } - - #[inline] - fn add_mutation(&mut self, mutation: MutationFunction) { - self.mutations.push(mutation) + fn 
mutations_mut(&mut self) -> &mut MT { + &mut self.mutations } } -impl ScheduledMutator for StdScheduledMutator +impl ScheduledMutator for StdScheduledMutator where I: Input, - S: HasRand, + MT: MutatorsTuple, R: Rand, + S: HasRand, { /// Compute the number of iterations used to apply stacked mutations fn iterations(&self, state: &mut S, _: &I) -> u64 { @@ -110,28 +165,21 @@ where } /// Get the next mutation to apply - fn schedule(&self, mutations_count: usize, state: &mut S, _: &I) -> usize { - debug_assert!(mutations_count > 0); - state.rand_mut().below(mutations_count as u64) as usize + fn schedule(&self, state: &mut S, _: &I) -> usize { + debug_assert!(!self.mutations().is_empty()); + state.rand_mut().below(self.mutations().len() as u64) as usize } } -impl StdScheduledMutator +impl StdScheduledMutator where I: Input, - S: HasRand, + MT: MutatorsTuple, R: Rand, + S: HasRand, { - /// Create a new StdScheduledMutator instance without mutations and corpus - pub fn new() -> Self { - Self { - mutations: vec![], - phantom: PhantomData, - } - } - /// Create a new StdScheduledMutator instance specifying mutations - pub fn with_mutations(mutations: Vec>) -> Self { + pub fn new(mutations: MT) -> Self { StdScheduledMutator { mutations, phantom: PhantomData, 
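Review bot: `ComposedByMutations::mutations_mut` and the `StdScheduledMutator` impl of it are annotated with `// Get the mutations (mut)` using two slashes, so unlike `mutations()` they do not appear in rustdoc; make both `///`. `MutationsMetadata` and its `list` field are public but undocumented in a module that now carries `//!` docs; a line such as `/// Names of the mutations a scheduler applied to produce a testcase` would tell readers what the metadata records. In `schedule`, the empty-tuple case is only a `debug_assert!`, so release builds reach `below(self.mutations().len() as u64)` with `0`, and whether `Rand::below(0)` is defined is not visible here; either document the non-empty precondition on `StdScheduledMutator::new` or make the check unconditional.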
@@ -139,132 +187,200 @@ where } } -impl Default for StdScheduledMutator +/// Get the mutations that compose the Havoc mutator +pub fn havoc_mutations() -> impl MutatorsTuple where - I: Input, - S: HasRand, + I: Input + HasBytesVec, + S: HasRand + HasCorpus + HasMetadata + HasMaxSize, + C: Corpus, R: Rand, { - fn default() -> Self { - Self::new() + tuple_list!( + BitFlipMutator::new(), + ByteFlipMutator::new(), + ByteIncMutator::new(), + ByteDecMutator::new(), + ByteNegMutator::new(), + ByteRandMutator::new(), + ByteAddMutator::new(), + WordAddMutator::new(), + DwordAddMutator::new(), + QwordAddMutator::new(), + ByteInterestingMutator::new(), + WordInterestingMutator::new(), + DwordInterestingMutator::new(), + BytesDeleteMutator::new(), + BytesDeleteMutator::new(), + BytesDeleteMutator::new(), + BytesDeleteMutator::new(), + BytesExpandMutator::new(), + BytesInsertMutator::new(), + BytesRandInsertMutator::new(), + BytesSetMutator::new(), + BytesRandSetMutator::new(), + BytesCopyMutator::new(), + BytesSwapMutator::new(), + TokenInsert::new(), + TokenReplace::new(), + CrossoverInsertMutator::new(), + CrossoverReplaceMutator::new(), + ) +} + +//wraps around StdScheduledMutator +pub struct LoggerScheduledMutator +where + C: Corpus, + I: Input, + MT: MutatorsTuple + NamedTuple, + R: Rand, + S: HasRand + HasCorpus, + SM: ScheduledMutator, +{ + scheduled: SM, + mutation_log: Vec, + phantom: PhantomData<(C, I, MT, R, S)>, +} + +impl Debug for LoggerScheduledMutator +where + C: Corpus, + I: Input, + MT: MutatorsTuple + NamedTuple, + R: Rand, + S: HasRand + HasCorpus, + SM: ScheduledMutator, +{ + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + write!( + f, + "LoggerScheduledMutator with {} mutations for Input type {}", + self.scheduled.mutations().len(), + core::any::type_name::() + ) } } -/// Schedule some selected byte level mutations given a ScheduledMutator type -#[derive(Clone, Debug)] -pub struct HavocBytesMutator +impl Mutator for LoggerScheduledMutator 
where - SM: ScheduledMutator, - I: Input + HasBytesVec, - S: HasRand + HasCorpus + HasMetadata + HasMaxSize, C: Corpus, + I: Input, + MT: MutatorsTuple + NamedTuple, R: Rand, + S: HasRand + HasCorpus, + SM: ScheduledMutator, { - scheduled: SM, - phantom: PhantomData<(C, I, R, S)>, -} + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result { + self.scheduled_mutate(state, input, stage_idx) + } -impl Mutator for HavocBytesMutator -where - SM: ScheduledMutator, - I: Input + HasBytesVec, - S: HasRand + HasCorpus + HasMetadata + HasMaxSize, - C: Corpus, - R: Rand, -{ - /// Mutate bytes - fn mutate(&self, state: &mut S, input: &mut I, stage_idx: i32) -> Result<(), Error> { - self.scheduled.mutate(state, input, stage_idx)?; - /*let num = self.scheduled.iterations(state, input); - for _ in 0..num { - let idx = self.scheduled.schedule(14, state, input); - let mutation = match idx { - 0 => mutation_bitflip, - 1 => mutation_byteflip, - 2 => mutation_byteinc, - 3 => mutation_bytedec, - 4 => mutation_byteneg, - 5 => mutation_byterand, - - 6 => mutation_byteadd, - 7 => mutation_wordadd, - 8 => mutation_dwordadd, - 9 => mutation_byteinteresting, - 10 => mutation_wordinteresting, - 11 => mutation_dwordinteresting, - _ => mutation_splice, - }; - mutation(self, state, input)?; - }*/ + fn post_exec( + &mut self, + state: &mut S, + _stage_idx: i32, + corpus_idx: Option, + ) -> Result<(), Error> { + if let Some(idx) = corpus_idx { + let mut testcase = (*state.corpus_mut().get(idx)?).borrow_mut(); + let mut log = Vec::::new(); + while let Some(idx) = self.mutation_log.pop() { + let name = String::from(self.scheduled.mutations().get_name(idx).unwrap()); // TODO maybe return an Error on None + log.push(name) + } + let meta = MutationsMetadata::new(log); + testcase.add_metadata(meta); + }; + // Always reset the log for each run + self.mutation_log.clear(); Ok(()) } } -impl HavocBytesMutator +impl ComposedByMutations + for LoggerScheduledMutator where - 
SM: ScheduledMutator, - I: Input + HasBytesVec, - S: HasRand + HasCorpus + HasMetadata + HasMaxSize, C: Corpus, + I: Input, + MT: MutatorsTuple + NamedTuple, R: Rand, + S: HasRand + HasCorpus, + SM: ScheduledMutator, { - /// Create a new HavocBytesMutator instance given a ScheduledMutator to wrap - pub fn new(mut scheduled: SM) -> Self { - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_splice); - Self { - scheduled, - phantom: PhantomData, - } + #[inline] + fn mutations(&self) -> &MT { + self.scheduled.mutations() + } + + #[inline] + fn mutations_mut(&mut self) -> &mut MT { + self.scheduled.mutations_mut() } } -impl Default for HavocBytesMutator> +impl ScheduledMutator for LoggerScheduledMutator where - I: Input + HasBytesVec, - S: HasRand + HasCorpus + HasMetadata + HasMaxSize, C: Corpus, + I: Input, + MT: MutatorsTuple + NamedTuple, R: Rand, + S: HasRand + HasCorpus, + SM: ScheduledMutator, { - /// Create a new HavocBytesMutator instance wrapping StdScheduledMutator - fn default() -> Self { - let mut scheduled = StdScheduledMutator::::new(); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_byteflip); - scheduled.add_mutation(mutation_byteinc); - scheduled.add_mutation(mutation_bytedec); - scheduled.add_mutation(mutation_byteneg); - scheduled.add_mutation(mutation_byterand); + /// Compute the number of iterations used to apply stacked mutations + fn iterations(&self, state: &mut S, _: &I) -> u64 { + 1 << (1 + state.rand_mut().below(6)) + } - scheduled.add_mutation(mutation_byteadd); - scheduled.add_mutation(mutation_wordadd); - scheduled.add_mutation(mutation_dwordadd); - scheduled.add_mutation(mutation_qwordadd); - scheduled.add_mutation(mutation_byteinteresting); - scheduled.add_mutation(mutation_wordinteresting); - scheduled.add_mutation(mutation_dwordinteresting); + /// Get the next mutation to apply + fn schedule(&self, state: &mut S, _: &I) -> usize { + 
debug_assert!(!self.scheduled.mutations().is_empty()); + state + .rand_mut() + .below(self.scheduled.mutations().len() as u64) as usize + } - scheduled.add_mutation(mutation_bytesdelete); - scheduled.add_mutation(mutation_bytesdelete); - scheduled.add_mutation(mutation_bytesdelete); - scheduled.add_mutation(mutation_bytesdelete); - scheduled.add_mutation(mutation_bytesexpand); - scheduled.add_mutation(mutation_bytesinsert); - scheduled.add_mutation(mutation_bytesrandinsert); - scheduled.add_mutation(mutation_bytesset); - scheduled.add_mutation(mutation_bytesrandset); - scheduled.add_mutation(mutation_bytescopy); - scheduled.add_mutation(mutation_bytesswap); + fn scheduled_mutate( + &mut self, + state: &mut S, + input: &mut I, + stage_idx: i32, + ) -> Result { + let mut r = MutationResult::Skipped; + let num = self.iterations(state, input); + self.mutation_log.clear(); + for _ in 0..num { + let idx = self.schedule(state, input); + self.mutation_log.push(idx); + let outcome = self + .mutations_mut() + .get_and_mutate(idx, state, input, stage_idx)?; + if outcome == MutationResult::Mutated { + r = MutationResult::Mutated; + } + } + Ok(r) + } +} - scheduled.add_mutation(mutation_tokeninsert); - scheduled.add_mutation(mutation_tokenreplace); - - scheduled.add_mutation(mutation_crossover_insert); - scheduled.add_mutation(mutation_crossover_replace); - //scheduled.add_mutation(mutation_splice); - - HavocBytesMutator { +impl LoggerScheduledMutator +where + C: Corpus, + I: Input, + MT: MutatorsTuple + NamedTuple, + R: Rand, + S: HasRand + HasCorpus, + SM: ScheduledMutator, +{ + /// Create a new StdScheduledMutator instance without mutations and corpus + pub fn new(scheduled: SM) -> Self { + Self { scheduled, + mutation_log: vec![], phantom: PhantomData, } } 
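Review bot: `post_exec` empties `mutation_log` with `while let Some(idx) = self.mutation_log.pop()`, so the names stored in `MutationsMetadata` are in reverse application order, while `scheduled_mutate` pushes them in the order applied; `for idx in self.mutation_log.drain(..)` keeps the order, after which the trailing `self.mutation_log.clear()` only matters on the `None` path. The `.get_name(idx).unwrap()` turns any disagreement between `NamedTuple::get_name` and `MutatorsTuple::len` into a panic inside the fuzzing loop; since the function already returns `Result<(), Error>`, mapping `None` to an `Error` with `?` (as the TODO suggests) is cheap and, e.g., `ok_or_else(|| Error::IllegalArgument("unknown mutation index".into()))?` would do. Separately, the wrapper reimplements `iterations` and `schedule` instead of delegating to `self.scheduled`, so the `SM: ScheduledMutator` parameter is only used for `mutations()`; if that is intended, the doc on `LoggerScheduledMutator::new`, currently the copy-pasted `/// Create a new StdScheduledMutator instance without mutations and corpus`, should say so, e.g. `/// Wrap a ScheduledMutator and record the mutations applied to each testcase as MutationsMetadata`. The leading `//wraps around StdScheduledMutator` should likewise be a `///` doc comment.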
@@ -276,7 +392,8 @@ mod tests { corpus::{Corpus, InMemoryCorpus, Testcase}, inputs::{BytesInput, HasBytesVec}, mutators::{ - scheduled::{mutation_splice, HavocBytesMutator, StdScheduledMutator}, + mutations::SpliceMutator, + scheduled::{havoc_mutations, StdScheduledMutator}, Mutator, }, state::State, @@ -302,7 +419,8 @@ mod tests { rand.set_seed(5); - mutation_splice(&mut state, &mut input).unwrap(); + let mut splice = SpliceMutator::new(); + splice.mutate(&mut state, &mut input, 0).unwrap(); #[cfg(feature = "std")] println!("{:?}", input.bytes()); @@ -330,7 +448,7 @@ mod tests { let mut state = State::new(rand, corpus, (), InMemoryCorpus::new(), ()); - let havoc = HavocBytesMutator::new(StdScheduledMutator::new()); + let mut havoc = StdScheduledMutator::new(havoc_mutations()); assert_eq!(input, input_prior); diff --git a/libafl/src/mutators/token_mutations.rs b/libafl/src/mutators/token_mutations.rs index 90741b2f97..90b76bb58d 100644 --- a/libafl/src/mutators/token_mutations.rs +++ b/libafl/src/mutators/token_mutations.rs @@ -1,6 +1,8 @@ //! Tokens are what afl calls extras or dictionaries. //! They may be inserted as part of mutations during fuzzing. - +use alloc::vec::Vec; +use core::marker::PhantomData; +use serde::{Deserialize, Serialize}; #[cfg(feature = "std")] use std::{ fs::File, @@ -10,17 +12,16 @@ use std::{ use crate::{ inputs::{HasBytesVec, Input}, - mutators::*, + mutators::{buffer_self_copy, mutations, MutationResult, Mutator, Named}, state::{HasMaxSize, HasMetadata, HasRand}, utils::Rand, Error, }; - -use alloc::vec::Vec; -use serde::{Deserialize, Serialize}; - use mutations::buffer_copy; +#[cfg(feature = "std")] +use crate::mutators::str_decode; + /// A state metadata holding a list of tokens #[derive(Serialize, Deserialize)] pub struct Tokens { 
@@ -49,6 +50,7 @@ impl Tokens { /// Adds a token to a dictionary, checking it is not a duplicate /// Returns `false` if the token was already present and did not get added. + #[allow(clippy::ptr_arg)] pub fn add_token(&mut self, token: &Vec) -> bool { if self.token_vec.contains(token) { return false; @@ -81,7 +83,7 @@ impl Tokens { } let pos_quote = match line.find('\"') { Some(x) => x, - _ => return Err(Error::IllegalArgument("Illegal line: ".to_owned() + line)), + None => return Err(Error::IllegalArgument("Illegal line: ".to_owned() + line)), }; if line.chars().nth(line.len() - 1) != Some('"') { return Err(Error::IllegalArgument("Illegal line: ".to_owned() + line)); @@ -90,7 +92,7 @@ impl Tokens { // extract item let item = match line.get(pos_quote + 1..line.len() - 1) { Some(x) => x, - _ => return Err(Error::IllegalArgument("Illegal line: ".to_owned() + line)), + None => return Err(Error::IllegalArgument("Illegal line: ".to_owned() + line)), }; if item.is_empty() { continue; 
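Review bot: The new `#[allow(clippy::ptr_arg)]` on `Tokens::add_token` silences the lint without stating why `&Vec<u8>` is required; the reason is the `self.token_vec.contains(token)` call, which needs `&Vec<u8>`. Either put `// &Vec is needed by Vec::contains below` above the attribute, or, if a signature change is acceptable, take `token: &[u8]` and test with `self.token_vec.iter().any(|t| t == token)` so the allow disappears (the push further down, outside this hunk, would presumably then need `token.to_vec()`). The rest of `add_token` and the `from_tokens_file` parsing loop in the other two hunks continue outside the hunk boundaries.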
@@ -121,84 +123,164 @@ impl Tokens { } } -/// Insert a dictionary token -pub fn mutation_tokeninsert(state: &mut S, input: &mut I) -> Result +#[derive(Default)] +pub struct TokenInsert where I: Input + HasBytesVec, S: HasMetadata + HasRand + HasMaxSize, R: Rand, { - let max_size = state.max_size(); - let tokens_len = { - let meta = state.metadata().get::(); - if meta.is_none() { - return Ok(MutationResult::Skipped); - } - if meta.unwrap().tokens().is_empty() { - return Ok(MutationResult::Skipped); - } - meta.unwrap().tokens().len() - }; - let token_idx = state.rand_mut().below(tokens_len as u64) as usize; - - let size = input.bytes().len(); - let off = state.rand_mut().below((size + 1) as u64) as usize; - - let meta = state.metadata().get::().unwrap(); - let token = &meta.tokens()[token_idx]; - let mut len = token.len(); - - if size + len > max_size { - if max_size > size { - len = max_size - size; - } else { - return Ok(MutationResult::Skipped); - } - } - - input.bytes_mut().resize(size + len, 0); - buffer_self_copy(input.bytes_mut(), off, off + len, size - off); - buffer_copy(input.bytes_mut(), token, 0, off, len); - - Ok(MutationResult::Mutated) + phantom: PhantomData<(I, R, S)>, } -/// Overwrite with a dictionary token -pub fn mutation_tokenreplace(state: &mut S, input: &mut I) -> Result +impl Mutator for TokenInsert where I: Input + HasBytesVec, - S: HasMetadata + HasRand, + S: HasMetadata + HasRand + HasMaxSize, R: Rand, { - let size = input.bytes().len(); - if size == 0 { - return Ok(MutationResult::Skipped); - } + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let max_size = state.max_size(); + let tokens_len = { + let meta = state.metadata().get::(); + if meta.is_none() { + return Ok(MutationResult::Skipped); + } + if meta.unwrap().tokens().is_empty() { + return Ok(MutationResult::Skipped); + } + meta.unwrap().tokens().len() + }; + let token_idx = state.rand_mut().below(tokens_len as u64) as usize; - let 
tokens_len = { - let meta = state.metadata().get::(); - if meta.is_none() { + let size = input.bytes().len(); + let off = state.rand_mut().below((size + 1) as u64) as usize; + + let meta = state.metadata().get::().unwrap(); + let token = &meta.tokens()[token_idx]; + let mut len = token.len(); + + if size + len > max_size { + if max_size > size { + len = max_size - size; + } else { + return Ok(MutationResult::Skipped); + } + } + + input.bytes_mut().resize(size + len, 0); + buffer_self_copy(input.bytes_mut(), off, off + len, size - off); + buffer_copy(input.bytes_mut(), token, 0, off, len); + + Ok(MutationResult::Mutated) + } +} + +impl Named for TokenInsert +where + I: Input + HasBytesVec, + S: HasMetadata + HasRand + HasMaxSize, + R: Rand, +{ + fn name(&self) -> &str { + "TokenInsert" + } +} + +impl TokenInsert +where + I: Input + HasBytesVec, + S: HasMetadata + HasRand + HasMaxSize, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } +} + +#[derive(Default)] +pub struct TokenReplace +where + I: Input + HasBytesVec, + S: HasMetadata + HasRand + HasMaxSize, + R: Rand, +{ + phantom: PhantomData<(I, R, S)>, +} + +impl Mutator for TokenReplace +where + I: Input + HasBytesVec, + S: HasMetadata + HasRand + HasMaxSize, + R: Rand, +{ + fn mutate( + &mut self, + state: &mut S, + input: &mut I, + _stage_idx: i32, + ) -> Result { + let size = input.bytes().len(); + if size == 0 { return Ok(MutationResult::Skipped); } - if meta.unwrap().tokens().is_empty() { - return Ok(MutationResult::Skipped); + + let tokens_len = { + let meta = state.metadata().get::(); + if meta.is_none() { + return Ok(MutationResult::Skipped); + } + if meta.unwrap().tokens().is_empty() { + return Ok(MutationResult::Skipped); + } + meta.unwrap().tokens().len() + }; + let token_idx = state.rand_mut().below(tokens_len as u64) as usize; + + let off = state.rand_mut().below(size as u64) as usize; + + let meta = state.metadata().get::().unwrap(); + let token = 
&meta.tokens()[token_idx]; + let mut len = token.len(); + if off + len > size { + len = size - off; } - meta.unwrap().tokens().len() - }; - let token_idx = state.rand_mut().below(tokens_len as u64) as usize; - let off = state.rand_mut().below(size as u64) as usize; + buffer_copy(input.bytes_mut(), token, 0, off, len); - let meta = state.metadata().get::().unwrap(); - let token = &meta.tokens()[token_idx]; - let mut len = token.len(); - if off + len > size { - len = size - off; + Ok(MutationResult::Mutated) } +} - buffer_copy(input.bytes_mut(), token, 0, off, len); +impl Named for TokenReplace +where + I: Input + HasBytesVec, + S: HasMetadata + HasRand + HasMaxSize, + R: Rand, +{ + fn name(&self) -> &str { + "TokenReplace" + } +} - Ok(MutationResult::Mutated) +impl TokenReplace +where + I: Input + HasBytesVec, + S: HasMetadata + HasRand + HasMaxSize, + R: Rand, +{ + pub fn new() -> Self { + Self { + phantom: PhantomData, + } + } } #[cfg(test)] @@ -206,6 +288,7 @@ mod tests { #[cfg(feature = "std")] use std::fs; + #[cfg(feature = "std")] use super::Tokens; #[cfg(feature = "std")] diff --git a/libafl/src/observers/map.rs b/libafl/src/observers/map.rs index 141f75f02d..2188105f55 100644 --- a/libafl/src/observers/map.rs +++ b/libafl/src/observers/map.rs @@ -1,9 +1,14 @@ -use alloc::string::{String, ToString}; +//! The `MapObserver` provides access a map, usually injected into the target + +use alloc::{ + string::{String, ToString}, + vec::Vec, +}; use serde::{Deserialize, Serialize}; use crate::{ bolts::{ - ownedref::{ArrayMut, Cptr}, + ownedref::{OwnedArrayPtrMut, OwnedPtr}, tuples::Named, }, observers::Observer, 
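Review bot: `TokenReplace` now requires `S: HasMaxSize` on the struct and on all three impls, but its `mutate` never calls `state.max_size()` (it clamps `len` to `size - off` instead), so the bound was tightened from the old `HasMetadata + HasRand` for no visible reason and narrows where the mutator can be used; drop `HasMaxSize` from `TokenReplace` unless a later change needs it. In both `mutate` bodies the `meta.is_none()` / `meta.unwrap()` pairs plus the second `state.metadata().get::<Tokens>().unwrap()` can become a `match` on `state.metadata().get::<Tokens>()`, removing four `unwrap`s on a lookup the code already treats as fallible; the second lookup is presumably needed only because the first borrow must end before `rand_mut()`, which a short comment should say. Neither `TokenInsert` nor `TokenReplace` has a doc comment; `/// Insert a random dictionary token at a random offset, growing the input up to max_size` and `/// Overwrite bytes at a random offset with a random dictionary token` would restore what the removed functions documented.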
@@ -53,11 +58,12 @@ where /// A well-known example is the AFL-Style coverage map. #[derive(Serialize, Deserialize, Clone, Debug)] #[serde(bound = "T: serde::de::DeserializeOwned")] +#[allow(clippy::unsafe_derive_deserialize)] pub struct StdMapObserver where T: Default + Copy + 'static + serde::Serialize + serde::de::DeserializeOwned, { - map: ArrayMut, + map: OwnedArrayPtrMut, initial: T, name: String, } @@ -117,10 +123,21 @@ where T: Default + Copy + 'static + serde::Serialize + serde::de::DeserializeOwned, { /// Creates a new MapObserver - pub fn new(name: &'static str, map: &'static mut [T]) -> Self { + pub fn new(name: &'static str, map: &'static mut [T], len: usize) -> Self { + assert!(map.len() >= len); let initial = if map.is_empty() { T::default() } else { map[0] }; Self { - map: ArrayMut::Cptr((map.as_mut_ptr(), map.len())), + map: OwnedArrayPtrMut::ArrayPtr((map.as_mut_ptr(), len)), + name: name.to_string(), + initial, + } + } + + /// Creates a new MapObserver with an owned map + pub fn new_owned(name: &'static str, map: Vec) -> Self { + let initial = if map.is_empty() { T::default() } else { map[0] }; + Self { + map: OwnedArrayPtrMut::Owned(map), name: name.to_string(), initial, } @@ -132,7 +149,7 @@ where pub unsafe fn new_from_ptr(name: &'static str, map_ptr: *mut T, len: usize) -> Self { let initial = if len > 0 { *map_ptr } else { T::default() }; StdMapObserver { - map: ArrayMut::Cptr((map_ptr, len)), + map: OwnedArrayPtrMut::ArrayPtr((map_ptr, len)), name: name.to_string(), initial, } @@ -142,12 +159,13 @@ where /// Overlooking a variable bitmap #[derive(Serialize, Deserialize, Clone, Debug)] #[serde(bound = "T: serde::de::DeserializeOwned")] +#[allow(clippy::unsafe_derive_deserialize)] pub struct VariableMapObserver where T: Default + Copy + 'static + serde::Serialize + serde::de::DeserializeOwned, { - map: ArrayMut, - size: Cptr, + map: OwnedArrayPtrMut, + size: OwnedPtr, initial: T, name: String, } 
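Review bot: `StdMapObserver::new` in the `@@ -117,10 +123,21 @@` hunk now takes a `len` and panics through `assert!(map.len() >= len)`, but its doc comment is still the one-liner `/// Creates a new MapObserver`, so neither the new parameter nor the panic is documented. Add a `# Panics` section stating that `len` must not exceed `map.len()`, and give the assert a message so a misconfigured harness says what went wrong: `assert!(map.len() >= len, "len ({}) exceeds the backing map ({})", len, map.len());`. `new_owned` in the same hunk would benefit from a matching sentence saying it takes ownership of `map` and observes its full length, since the two constructors now differ on where the length comes from.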
@@ -212,11 +230,11 @@ where T: Default + Copy + 'static + serde::Serialize + serde::de::DeserializeOwned, { /// Creates a new MapObserver - pub fn new(name: &'static str, map: &'static mut [T], size: &usize) -> Self { + pub fn new(name: &'static str, map: &'static mut [T], size: *const usize) -> Self { let initial = if map.is_empty() { T::default() } else { map[0] }; Self { - map: ArrayMut::Cptr((map.as_mut_ptr(), map.len())), - size: Cptr::Cptr(size as *const _), + map: OwnedArrayPtrMut::ArrayPtr((map.as_mut_ptr(), map.len())), + size: OwnedPtr::Ptr(size), name: name.into(), initial, } @@ -233,8 +251,8 @@ where ) -> Self { let initial = if max_len > 0 { *map_ptr } else { T::default() }; VariableMapObserver { - map: ArrayMut::Cptr((map_ptr, max_len)), - size: Cptr::Cptr(size_ptr), + map: OwnedArrayPtrMut::ArrayPtr((map_ptr, max_len)), + size: OwnedPtr::Ptr(size_ptr), name: name.into(), initial, } diff --git a/libafl/src/observers/mod.rs b/libafl/src/observers/mod.rs index 7404ceeeb9..2ff66ca5fc 100644 --- a/libafl/src/observers/mod.rs +++ b/libafl/src/observers/mod.rs @@ -1,3 +1,5 @@ +//! Observers give insights about runs of a target, such as coverage, timing, stack depth, and more. + pub mod map; pub use map::*; @@ -9,7 +11,7 @@ use core::time::Duration; use serde::{Deserialize, Serialize}; use crate::{ - bolts::tuples::{MatchFirstType, MatchNameAndType, MatchType, Named, TupleList}, + bolts::tuples::{MatchFirstType, MatchNameAndType, MatchType, Named}, utils::current_time, Error, }; @@ -75,7 +77,7 @@ impl ObserversTuple for () { impl ObserversTuple for (Head, Tail) where Head: Observer, - Tail: ObserversTuple + TupleList, + Tail: ObserversTuple, { fn pre_exec_all(&mut self) -> Result<(), Error> { self.0.pre_exec()?; 
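Review bot: `VariableMapObserver::new` in the `@@ -212,11 +230,11 @@` hunk changes `size` from `&usize` to `*const usize` and stores it as `OwnedPtr::Ptr(size)`, yet the constructor stays a safe `pub fn`. The pointer is presumably dereferenced later when the observer reads the current map size (that code is outside the hunk), so a safe constructor that accepts any raw pointer lets safe callers set up a dangling read; either make it `pub unsafe fn new(...)` with a `# Safety` section requiring `size` to stay valid and unaliased for the observer's lifetime, as `StdMapObserver::new_from_ptr` in this file is already marked `unsafe`, or keep a `&'static usize` parameter and take the pointer internally. The `@@ -233,8 +251,8 @@` hunk below shows only the body of the companion constructor, so whether `size_ptr` is already behind an `unsafe fn` cannot be confirmed from here.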
@@ -145,7 +147,7 @@ mod tests { fn test_observer_serde() { let obv = tuple_list!( TimeObserver::new("time"), - StdMapObserver::new("map", unsafe { &mut MAP }) + StdMapObserver::new("map", unsafe { &mut MAP }, unsafe { MAP.len() }) ); let vec = postcard::to_allocvec(&obv).unwrap(); println!("{:?}", vec); diff --git a/libafl/src/stages/mod.rs b/libafl/src/stages/mod.rs index 6d91508a58..b324779990 100644 --- a/libafl/src/stages/mod.rs +++ b/libafl/src/stages/mod.rs @@ -18,7 +18,7 @@ where { /// Run the stage fn perform( - &self, + &mut self, state: &mut S, executor: &mut E, manager: &mut EM, @@ -34,7 +34,7 @@ where I: Input, { fn perform_all( - &self, + &mut self, state: &mut S, executor: &mut E, manager: &mut EM, @@ -49,7 +49,14 @@ where E: Executor, I: Input, { - fn perform_all(&self, _: &mut S, _: &mut E, _: &mut EM, _: &CS, _: usize) -> Result<(), Error> { + fn perform_all( + &mut self, + _: &mut S, + _: &mut E, + _: &mut EM, + _: &CS, + _: usize, + ) -> Result<(), Error> { Ok(()) } } @@ -63,7 +70,7 @@ where I: Input, { fn perform_all( - &self, + &mut self, state: &mut S, executor: &mut E, manager: &mut EM, diff --git a/libafl/src/stages/mutational.rs b/libafl/src/stages/mutational.rs index cd872b3462..0809f938d8 100644 --- a/libafl/src/stages/mutational.rs +++ b/libafl/src/stages/mutational.rs @@ -39,8 +39,9 @@ where fn iterations(&self, state: &mut S) -> usize; /// Runs this (mutational) stage for the given testcase + #[allow(clippy::clippy::cast_possible_wrap)] // more than i32 stages on 32 bit system - highly unlikely... fn perform_mutational( - &self, + &mut self, state: &mut S, executor: &mut E, manager: &mut EM, 
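Review bot: The lint path in the attribute added by the `@@ -39,8 +39,9 @@` hunk of `stages/mutational.rs` is doubled, `#[allow(clippy::clippy::cast_possible_wrap)]`; the lint is `clippy::cast_possible_wrap`, and depending on the toolchain the doubled form is either accepted silently or reported as an unknown lint, so it does not reliably suppress what the trailing comment says it does. Write `#[allow(clippy::cast_possible_wrap)] // `i as i32` below; more than i32::MAX iterations is not expected`. The "32 bit system" qualifier in the existing comment is also misleading: a `usize` to `i32` cast wraps at the same magnitude on 64-bit targets. `perform_mutational`'s body, including the casts this excuses, continues in the `@@ -55` hunk outside this one.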
@@ -55,11 +56,10 @@ where .borrow_mut() .load_input()? .clone(); - self.mutator().mutate(state, &mut input_mut, i as i32)?; + self.mutator_mut().mutate(state, &mut input_mut, i as i32)?; + let (_, corpus_idx) = state.evaluate_input(input_mut, executor, manager, scheduler)?; - let fitness = state.evaluate_input(input_mut, executor, manager, scheduler)?; - - self.mutator().post_exec(state, fitness, i as i32)?; + self.mutator_mut().post_exec(state, i as i32, corpus_idx)?; } Ok(()) } @@ -82,6 +82,7 @@ where R: Rand, { mutator: M, + #[allow(clippy::type_complexity)] phantom: PhantomData<(C, CS, E, EM, I, OT, R, S)>, } @@ -131,7 +132,7 @@ where { #[inline] fn perform( - &self, + &mut self, state: &mut S, executor: &mut E, manager: &mut EM, diff --git a/libafl/src/state/mod.rs b/libafl/src/state/mod.rs index 5f4cf154f5..cd295ff9ea 100644 --- a/libafl/src/state/mod.rs +++ b/libafl/src/state/mod.rs @@ -25,7 +25,7 @@ use crate::{ use crate::inputs::bytes::BytesInput; /// The maximum size of a testcase -pub const DEFAULT_MAX_SIZE: usize = 1048576; +pub const DEFAULT_MAX_SIZE: usize = 1_048_576; /// Trait for elements offering a corpus pub trait HasCorpus @@ -169,7 +169,7 @@ where &mut self, input: &I, observers: &OT, - exit_kind: ExitKind, + exit_kind: &ExitKind, ) -> Result where OT: ObserversTuple; @@ -198,7 +198,7 @@ where executor: &mut E, manager: &mut EM, scheduler: &CS, - ) -> Result + ) -> Result<(u32, Option), Error> where E: Executor + HasObservers, OT: ObserversTuple, @@ -448,14 +448,13 @@ where &mut self, input: &I, observers: &OT, - exit_kind: ExitKind, + exit_kind: &ExitKind, ) -> Result where OT: ObserversTuple, { - Ok(self - .feedbacks_mut() - .is_interesting_all(input, observers, exit_kind)?) + self.feedbacks_mut() + .is_interesting_all(input, observers, exit_kind) } /// Adds this input to the corpus, if it's intersting, and return the index 
@@ -499,7 +498,7 @@ where executor: &mut E, manager: &mut EM, scheduler: &CS, - ) -> Result + ) -> Result<(u32, Option), Error> where E: Executor + HasObservers, OT: ObserversTuple, @@ -512,13 +511,15 @@ where if is_solution { // If the input is a solution, add it to the respective corpus - self.solutions_mut().add(Testcase::new(input.clone()))?; + let mut testcase = Testcase::new(input.clone()); + self.objectives_mut().append_metadata_all(&mut testcase)?; + self.solutions_mut().add(testcase)?; + } else { + self.objectives_mut().discard_metadata_all(&input)?; } - if self - .add_if_interesting(&input, fitness, scheduler)? - .is_some() - { + let corpus_idx = self.add_if_interesting(&input, fitness, scheduler)?; + if corpus_idx.is_some() { let observers_buf = manager.serialize_observers(observers)?; manager.fire( self, @@ -533,7 +534,7 @@ where )?; } - Ok(fitness) + Ok((fitness, corpus_idx)) } } @@ -653,13 +654,13 @@ where executor.post_exec_observers()?; let observers = executor.observers(); - let fitness = - self.feedbacks_mut() - .is_interesting_all(&input, observers, exit_kind.clone())?; + let fitness = self + .feedbacks_mut() + .is_interesting_all(&input, observers, &exit_kind)?; let is_solution = self .objectives_mut() - .is_interesting_all(&input, observers, exit_kind)? + .is_interesting_all(&input, observers, &exit_kind)? > 0; Ok((fitness, is_solution)) } @@ -683,7 +684,7 @@ where let mut added = 0; for _ in 0..num { let input = generator.generate(self.rand_mut())?; - let fitness = self.evaluate_input(input, executor, manager, scheduler)?; + let (fitness, _) = self.evaluate_input(input, executor, manager, scheduler)?; if fitness > 0 { added += 1; } diff --git a/libafl/src/stats/mod.rs b/libafl/src/stats/mod.rs index 6a0883c707..6b673922a5 100644 --- a/libafl/src/stats/mod.rs +++ b/libafl/src/stats/mod.rs 
@@ -50,6 +50,7 @@ impl ClientStats { } /// Get the calculated executions per second for this client + #[allow(clippy::cast_sign_loss, clippy::cast_precision_loss)] pub fn execs_per_sec(&mut self, cur_time: time::Duration) -> u64 { if self.executions == 0 { return 0; @@ -97,14 +98,14 @@ pub trait Stats { fn corpus_size(&self) -> u64 { self.client_stats() .iter() - .fold(0u64, |acc, x| acc + x.corpus_size) + .fold(0_u64, |acc, x| acc + x.corpus_size) } /// Amount of elements in the objectives (combined for all children) fn objective_size(&self) -> u64 { self.client_stats() .iter() - .fold(0u64, |acc, x| acc + x.objective_size) + .fold(0_u64, |acc, x| acc + x.objective_size) } /// Total executions @@ -112,7 +113,7 @@ pub trait Stats { fn total_execs(&mut self) -> u64 { self.client_stats() .iter() - .fold(0u64, |acc, x| acc + x.executions) + .fold(0_u64, |acc, x| acc + x.executions) } /// Executions per second @@ -121,7 +122,7 @@ pub trait Stats { let cur_time = current_time(); self.client_stats_mut() .iter_mut() - .fold(0u64, |acc, x| acc + x.execs_per_sec(cur_time)) + .fold(0_u64, |acc, x| acc + x.execs_per_sec(cur_time)) } /// The client stats for a specific id, creating new if it doesn't exist @@ -130,7 +131,7 @@ pub trait Stats { for _ in client_stat_count..(client_id + 1) as usize { self.client_stats_mut().push(ClientStats { last_window_time: current_time(), - ..Default::default() + ..ClientStats::default() }) } &mut self.client_stats_mut()[client_id as usize] diff --git a/libafl/src/utils.rs b/libafl/src/utils.rs index 27fcb93115..3a24a26cb8 100644 --- a/libafl/src/utils.rs +++ b/libafl/src/utils.rs 
@@ -160,28 +160,16 @@ pub fn current_time() -> time::Duration { time::Duration::from_millis(1) } -#[cfg(feature = "std")] -#[inline] /// Gets current nanoseconds since UNIX_EPOCH +#[inline] pub fn current_nanos() -> u64 { - SystemTime::now() - .duration_since(UNIX_EPOCH) - .unwrap() - .as_nanos() as u64 + current_time().as_nanos() as u64 } -#[cfg(feature = "std")] /// Gets current milliseconds since UNIX_EPOCH +#[inline] pub fn current_milliseconds() -> u64 { - SystemTime::now() - .duration_since(UNIX_EPOCH) - .unwrap() - .as_millis() as u64 -} - -#[cfg(not(feature = "std"))] -pub fn current_milliseconds() -> u64 { - 1000 + current_time().as_millis() as u64 } /// XXH3 Based, hopefully speedy, rnd implementation @@ -191,6 +179,7 @@ pub struct Xoshiro256StarRand { } impl Rand for Xoshiro256StarRand { + #[allow(clippy::unreadable_literal)] fn set_seed(&mut self, seed: u64) { self.rand_seed[0] = xxh3_64_with_seed(&HASH_CONST.to_le_bytes(), seed); self.rand_seed[1] = self.rand_seed[0] ^ 0x1234567890abcdef; @@ -235,6 +224,7 @@ pub struct XorShift64Rand { } impl Rand for XorShift64Rand { + #[allow(clippy::unreadable_literal)] fn set_seed(&mut self, seed: u64) { self.rand_seed = seed ^ 0x1234567890abcdef; } @@ -266,11 +256,13 @@ pub struct Lehmer64Rand { } impl Rand for Lehmer64Rand { + #[allow(clippy::unreadable_literal)] fn set_seed(&mut self, seed: u64) { - self.rand_seed = (seed as u128) ^ 0x1234567890abcdef; + self.rand_seed = u128::from(seed) ^ 0x1234567890abcdef; } #[inline] + #[allow(clippy::unreadable_literal)] fn next(&mut self) -> u64 { self.rand_seed *= 0xda942042e4dd58b5; (self.rand_seed >> 64) as u64 @@ -315,6 +307,7 @@ impl Rand for RomuTrioRand { } #[inline] + #[allow(clippy::unreadable_literal)] fn next(&mut self) -> u64 { let xp = self.x_state; let yp = self.y_state; 
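Review bot: Dropping the `#[cfg(feature = "std")]` gates in the `@@ -160,28 +160,16 @@` hunk silently changes the `no_std` behaviour of `current_milliseconds()`: it used to return the constant `1000` and now returns whatever the `no_std` `current_time()` yields, which from the context line at the top of the hunk (`time::Duration::from_millis(1)`) appears to be `1`, while `current_nanos()` becomes available on `no_std` with an equally constant result. Anything that seeds an RNG or timestamps events through these helpers gets a fixed value without `std`, which is worth stating in the docs: `/// Gets current nanoseconds since UNIX_EPOCH. Without the `std` feature this is a constant stub, not the wall clock.` (and the same sentence on `current_milliseconds`). The `as u64` narrowing of `as_nanos()` (a `u128`) is harmless for realistic dates but deserves the same explicit `#[allow(clippy::cast_possible_truncation)]` with a reason that the other casts in this file now carry.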
@@ -351,6 +344,7 @@ impl Rand for RomuDuoJrRand { } #[inline] + #[allow(clippy::unreadable_literal)] fn next(&mut self) -> u64 { let xp = self.x_state; self.x_state = 15241094284759029579u64.wrapping_mul(self.y_state); @@ -408,7 +402,7 @@ impl ChildHandle { } #[cfg(unix)] -/// The ForkResult +/// The `ForkResult` (result of a fork) pub enum ForkResult { Parent(ChildHandle), Child, 
@@ -444,6 +438,77 @@ pub fn startable_self() -> Result { Ok(startable) } +/// Allows one to walk the mappings in /proc/self/maps, caling a callback function for each +/// mapping. +/// If the callback returns true, we stop the walk. +#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))] +pub fn walk_self_maps(visitor: &mut dyn FnMut(usize, usize, String, String) -> bool) { + use regex::Regex; + use std::{ + fs::File, + io::{BufRead, BufReader}, + }; + let re = Regex::new(r"^(?P[0-9a-f]{8,16})-(?P[0-9a-f]{8,16}) (?P[-rwxp]{4}) (?P[0-9a-f]{8}) [0-9a-f]+:[0-9a-f]+ [0-9]+\s+(?P.*)$") + .unwrap(); + + let mapsfile = File::open("/proc/self/maps").expect("Unable to open /proc/self/maps"); + + for line in BufReader::new(mapsfile).lines() { + let line = line.unwrap(); + if let Some(caps) = re.captures(&line) { + if visitor( + usize::from_str_radix(caps.name("start").unwrap().as_str(), 16).unwrap(), + usize::from_str_radix(caps.name("end").unwrap().as_str(), 16).unwrap(), + caps.name("perm").unwrap().as_str().to_string(), + caps.name("path").unwrap().as_str().to_string(), + ) { + break; + }; + } + } +} + +/// Get the start and end address, permissions and path of the mapping containing a particular address +#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))] +pub fn find_mapping_for_address(address: usize) -> Result<(usize, usize, String, String), Error> { + let mut result = (0, 0, "".to_string(), "".to_string()); + walk_self_maps(&mut |start, end, permissions, path| { + if start <= address && address < end { + result = (start, end, permissions, path); + true + } else { + false + } + }); + + if result.0 != 0 { + Ok(result) + } else { + Err(Error::Unknown( + "Couldn't find a mapping for this address".to_string(), + )) + } +} + +/// Get the start and end address of the mapping containing with a particular path +#[cfg(all(feature = "std", any(target_os = "linux", target_os = "android")))] +pub fn find_mapping_for_path(libpath: 
&str) -> (usize, usize) { + let mut libstart = 0; + let mut libend = 0; + walk_self_maps(&mut |start, end, _permissions, path| { + if libpath == path { + if libstart == 0 { + libstart = start; + } + + libend = end; + } + false + }); + + (libstart, libend) +} + #[cfg(test)] mod tests { //use xxhash_rust::xxh3::xxh3_64_with_seed; diff --git a/libafl_cc/Cargo.toml b/libafl_cc/Cargo.toml new file mode 100644 index 0000000000..ff93f13e4e --- /dev/null +++ b/libafl_cc/Cargo.toml @@ -0,0 +1,14 @@ +[package] +name = "libafl_cc" +version = "0.1.0" +authors = ["Andrea Fioraldi "] +description = "Commodity library to wrap compilers and link LibAFL" +documentation = "https://docs.rs/libafl_cc" +repository = "https://github.com/AFLplusplus/LibAFL/" +license = "MIT OR Apache-2.0" +keywords = ["fuzzing", "testing", "compiler"] +edition = "2018" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] diff --git a/libafl_cc/src/lib.rs b/libafl_cc/src/lib.rs new file mode 100644 index 0000000000..87fcb27117 --- /dev/null +++ b/libafl_cc/src/lib.rs 
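Review bot: `find_mapping_for_address` in the `@@ -444,6 +438,77 @@` hunk uses `result.0 != 0` as its "found" signal, and `find_mapping_for_path` uses `libstart == 0` the same way, so a mapping whose start address is 0 is indistinguishable from "no mapping"; an `Option` carries the distinction for free: `let mut result = None; … result = Some((start, end, permissions, path)); true … result.ok_or_else(|| Error::Unknown("Couldn't find a mapping for this address".to_string()))`. `walk_self_maps` also `unwrap()`s every line of `/proc/self/maps` and every hex parse and recompiles the `Regex` on each call; since both finders call it per lookup, hoisting the compiled regex into a lazily initialised static and returning a `Result` instead of panicking would remove both the repeated compile cost and a panic path inside an instrumented target. Lines that do not match the pattern are skipped silently, so a kernel-side format change would go unnoticed; a debug log on the non-matching branch would make that visible. The doc comment on `walk_self_maps` has a typo, `caling`.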
@@ -0,0 +1,229 @@ +//! Compiler Wrapper from `LibAFL` + +use std::{process::Command, string::String, vec::Vec}; + +/// `LibAFL` CC Error Type +#[derive(Debug)] +pub enum Error { + /// CC Wrapper called with invalid arguments + InvalidArguments(String), + /// Io error occurred + Io(std::io::Error), + /// Something else happened + Unknown(String), +} + +// TODO macOS +/// extension for static libraries +#[cfg(windows)] +pub const LIB_EXT: &str = "lib"; +/// extension for static libraries +#[cfg(not(windows))] +pub const LIB_EXT: &str = "a"; + +/// prefix for static libraries +#[cfg(windows)] +pub const LIB_PREFIX: &str = ""; +/// prefix for static libraries +#[cfg(not(windows))] +pub const LIB_PREFIX: &str = "lib"; + +/// Wrap a compiler hijacking its arguments +pub trait CompilerWrapper { + /// Set the wrapper arguments parsing a command line set of arguments + fn from_args(&mut self, args: &[String]) -> Result<&'_ mut Self, Error>; + + /// Add a compiler argument + fn add_arg(&mut self, arg: String) -> Result<&'_ mut Self, Error>; + + /// Add a compiler argument only when compiling + fn add_cc_arg(&mut self, arg: String) -> Result<&'_ mut Self, Error>; + + /// Add a compiler argument only when linking + fn add_link_arg(&mut self, arg: String) -> Result<&'_ mut Self, Error>; + + /// Command to run the compiler + fn command(&mut self) -> Result, Error>; + + /// Get if in linking mode + fn is_linking(&self) -> bool; + + /// Run the compiler + fn run(&mut self) -> Result<(), Error> { + let args = self.command()?; + dbg!(&args); + if args.is_empty() { + return Err(Error::InvalidArguments( + "The number of arguments cannot be 0".into(), + )); + } + let status = match Command::new(&args[0]).args(&args[1..]).status() { + Ok(s) => s, + Err(e) => return Err(Error::Io(e)), + }; + dbg!(status); + Ok(()) + } +} + +/// Wrap Clang +#[allow(clippy::struct_excessive_bools)] +pub struct ClangWrapper { + optimize: bool, + wrapped_cc: String, + wrapped_cxx: String, + + name: String, + 
is_cpp: bool, + linking: bool, + x_set: bool, + bit_mode: u32, + + base_args: Vec, + cc_args: Vec, + link_args: Vec, +} + +#[allow(clippy::match_same_arms)] // for the linking = false wip for "shared" +impl CompilerWrapper for ClangWrapper { + fn from_args<'a>(&'a mut self, args: &[String]) -> Result<&'a mut Self, Error> { + let mut new_args = vec![]; + if args.is_empty() { + return Err(Error::InvalidArguments( + "The number of arguments cannot be 0".to_string(), + )); + } + + if args.len() == 1 { + return Err(Error::InvalidArguments( + "LibAFL Compiler wrapper - no commands specified. Use me as compiler.".to_string(), + )); + } + + self.name = args[0].clone(); + // Detect C++ compiler looking at the wrapper name + self.is_cpp = self.is_cpp || self.name.ends_with("++"); + + // Sancov flag + // new_args.push("-fsanitize-coverage=trace-pc-guard".into()); + + let mut linking = true; + // Detect stray -v calls from ./configure scripts. + if args.len() > 1 && args[1] == "-v" { + linking = false; + } + + for arg in &args[1..] { + match arg.as_str() { + "-x" => self.x_set = true, + "-m32" => self.bit_mode = 32, + "-m64" => self.bit_mode = 64, + "-c" | "-S" | "-E" => linking = false, + "-shared" => linking = false, // TODO dynamic list? 
+ "-Wl,-z,defs" | "-Wl,--no-undefined" => continue, + _ => (), + }; + new_args.push(arg.clone()); + } + self.linking = linking; + + if self.optimize { + new_args.push("-g".into()); + new_args.push("-O3".into()); + new_args.push("-funroll-loops".into()); + } + + // Fuzzing define common among tools + new_args.push("-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1".into()); + + self.base_args = new_args; + Ok(self) + } + + fn add_arg(&mut self, arg: String) -> Result<&'_ mut Self, Error> { + self.base_args.push(arg); + Ok(self) + } + + fn add_cc_arg(&mut self, arg: String) -> Result<&'_ mut Self, Error> { + self.cc_args.push(arg); + Ok(self) + } + + fn add_link_arg(&mut self, arg: String) -> Result<&'_ mut Self, Error> { + self.link_args.push(arg); + Ok(self) + } + + fn command(&mut self) -> Result, Error> { + let mut args = vec![]; + if self.is_cpp { + args.push(self.wrapped_cxx.clone()); + } else { + args.push(self.wrapped_cc.clone()); + } + args.extend_from_slice(self.base_args.as_slice()); + if self.linking { + if self.x_set { + args.push("-x".into()); + args.push("none".into()); + } + + args.extend_from_slice(self.link_args.as_slice()); + } else { + args.extend_from_slice(self.cc_args.as_slice()); + } + + Ok(args) + } + + fn is_linking(&self) -> bool { + self.linking + } +} + +impl ClangWrapper { + /// Create a new Clang Wrapper + #[must_use] + pub fn new(wrapped_cc: &str, wrapped_cxx: &str) -> Self { + Self { + optimize: true, + wrapped_cc: wrapped_cc.into(), + wrapped_cxx: wrapped_cxx.into(), + name: "".into(), + is_cpp: false, + linking: false, + x_set: false, + bit_mode: 0, + base_args: vec![], + cc_args: vec![], + link_args: vec![], + } + } + + /// Disable optimizations + pub fn dont_optimize(&mut self) -> &'_ mut Self { + self.optimize = false; + self + } + + /// set cpp mode + pub fn is_cpp(&mut self) -> &'_ mut Self { + self.is_cpp = true; + self + } +} + +#[cfg(test)] +mod tests { + use crate::{ClangWrapper, CompilerWrapper}; + + #[test] + fn 
test_clang_version() { + ClangWrapper::new("clang", "clang++") + .from_args(&["my-clang".into(), "-v".into()]) + .unwrap() + .run() + .unwrap(); + } +} diff --git a/libafl_derive/Cargo.toml b/libafl_derive/Cargo.toml index 5f9cb2861a..059c5aa758 100644 --- a/libafl_derive/Cargo.toml +++ b/libafl_derive/Cargo.toml @@ -2,6 +2,11 @@ name = "libafl_derive" version = "0.1.0" authors = ["Andrea Fioraldi "] +description = "Derive proc-macro crate for LibAFL" +documentation = "https://docs.rs/libafl_derive" +repository = "https://github.com/AFLplusplus/LibAFL/" +license = "MIT OR Apache-2.0" +keywords = ["fuzzing", "testing"] edition = "2018" [lib] diff --git a/libafl_frida/Cargo.toml b/libafl_frida/Cargo.toml new file mode 100644 index 0000000000..92a082e53a --- /dev/null +++ b/libafl_frida/Cargo.toml @@ -0,0 +1,33 @@ +[package] +name = "libafl_frida" +version = "0.1.0" +authors = ["s1341 "] +edition = "2018" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[build-dependencies] +cc = { version = "1.0", features = ["parallel"] } + +[dependencies] +libafl = { path = "../libafl", version = "0.1.0", features = ["std", "libafl_derive"] } +libafl_targets = { path = "../libafl_targets", version = "0.1.0" } +nix = "0.20.0" +libc = "0.2.92" +hashbrown = "0.11" +libloading = "0.7.0" +rangemap = "0.1.10" +frida-gum = { version = "0.4.0", features = [ "auto-download", "backtrace", "event-sink", "invocation-listener"] } +frida-gum-sys = { version = "0.2.4", features = [ "auto-download", "event-sink", "invocation-listener"] } +regex = "1.4" +dynasmrt = "1.0.1" +capstone = "0.8.0" +color-backtrace ={ version = "0.5", features = [ "resolve-modules" ] } +termcolor = "1.1.2" +serde = "1.0" +backtrace = { version = "0.3.58", default-features = false, features = ["std", "serde"] } +num-traits = "0.2.14" +seahash = "4.1.0" + +[target.'cfg(unix)'.dependencies] +gothook = { version = "0.1" } 
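Review bot: `CompilerWrapper::run` in the `libafl_cc/src/lib.rs` hunk discards the child's exit status — `status` is only handed to `dbg!` before the function returns `Ok(())` — so a failed compile or link is reported to the caller, and through the wrapper binary to the build system, as success. Check it and map failure onto the existing error type: `if !status.success() { return Err(Error::Unknown(format!("compiler exited with {}", status))); }`, and drop both `dbg!` calls, which write the argument vector and status to stderr on every invocation and may confuse `./configure`-style probes that capture compiler output (the hunk itself special-cases such `-v` probes). `ClangWrapper::is_cpp(&mut self)` is a setter with a getter's name; `set_cpp` or `cpp(&mut self, enabled: bool)` would read consistently next to `dont_optimize`, and the `Result<&'_ mut Self, Error>` returns of `add_arg`/`add_cc_arg`/`add_link_arg` never fail, so plain `&mut Self` would be the honest signature.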
diff --git a/libafl_frida/build.rs b/libafl_frida/build.rs new file mode 100644 index 0000000000..ebd77b48cc --- /dev/null +++ b/libafl_frida/build.rs @@ -0,0 +1,5 @@ +// build.rs + +fn main() { + cc::Build::new().file("src/gettls.c").compile("libgettls.a"); +} diff --git a/libafl_frida/src/asan_rt.rs b/libafl_frida/src/asan_rt.rs new file mode 100644 index 0000000000..80d243f50f --- /dev/null +++ b/libafl_frida/src/asan_rt.rs 
@@ -0,0 +1,1928 @@ +use hashbrown::HashMap; +use libafl::{ + bolts::{ownedref::OwnedPtr, tuples::Named}, + corpus::Testcase, + executors::{CustomExitKind, ExitKind}, + feedbacks::Feedback, + inputs::{HasTargetBytes, Input}, + observers::{Observer, ObserversTuple}, + state::HasMetadata, + utils::{find_mapping_for_address, walk_self_maps}, + Error, SerdeAny, +}; +use nix::{ + libc::{memmove, memset}, + sys::mman::{mmap, MapFlags, ProtFlags}, +}; + +use backtrace::Backtrace; +use capstone::{ + arch::{arm64::Arm64OperandType, ArchOperand::Arm64Operand, BuildsCapstone}, + Capstone, Insn, +}; +use color_backtrace::{default_output_stream, BacktracePrinter, Verbosity}; +use dynasmrt::{dynasm, DynasmApi, DynasmLabelApi}; +#[cfg(unix)] +use gothook::GotHookLibrary; +use libc::{_SC_PAGESIZE, getrlimit64, rlimit64, sysconf}; +use rangemap::RangeSet; +use serde::{Deserialize, Serialize}; +use std::{ + cell::{RefCell, RefMut}, + ffi::c_void, + io::{self, Write}, + rc::Rc, +}; +use termcolor::{Color, ColorSpec, WriteColor}; + +use crate::FridaOptions; + +extern "C" { + fn __register_frame(begin: *mut c_void); +} + +static mut ALLOCATOR_SINGLETON: Option> = None; + +struct Allocator { + runtime: Rc>, + page_size: usize, + shadow_offset: usize, + shadow_bit: usize, + pre_allocated_shadow: bool, + allocations: HashMap, + shadow_pages: RangeSet, + allocation_queue: HashMap>, + largest_allocation: usize, +} + +macro_rules! 
map_to_shadow { + ($self:expr, $address:expr) => { + (($address >> 3) + $self.shadow_offset) & ((1 << ($self.shadow_bit + 1)) - 1) + }; +} + +#[derive(Clone, Debug, Default, Serialize, Deserialize)] +struct AllocationMetadata { + address: usize, + size: usize, + actual_size: usize, + allocation_site_backtrace: Option, + release_site_backtrace: Option, + freed: bool, + is_malloc_zero: bool, +} + +impl Allocator { + fn setup(runtime: Rc>) { + let ret = unsafe { sysconf(_SC_PAGESIZE) }; + if ret < 0 { + panic!("Failed to read pagesize {:?}", io::Error::last_os_error()); + } + #[allow(clippy::cast_sign_loss)] + let page_size = ret as usize; + // probe to find a usable shadow bit: + let mut shadow_bit: usize = 0; + for try_shadow_bit in &[46usize, 36usize] { + let addr: usize = 1 << try_shadow_bit; + if unsafe { + mmap( + addr as *mut c_void, + page_size, + ProtFlags::PROT_READ | ProtFlags::PROT_WRITE, + MapFlags::MAP_PRIVATE | MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_NORESERVE, + -1, + 0, + ) + } + .is_ok() + { + shadow_bit = *try_shadow_bit; + break; + } + } + assert!(shadow_bit != 0); + + // attempt to pre-map the entire shadow-memory space + let addr: usize = 1 << shadow_bit; + let pre_allocated_shadow = unsafe { + mmap( + addr as *mut c_void, + addr + addr, + ProtFlags::PROT_READ | ProtFlags::PROT_WRITE, + MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE | MapFlags::MAP_NORESERVE, + -1, + 0, + ) + } + .is_ok(); + + let allocator = Self { + runtime, + page_size, + pre_allocated_shadow, + shadow_offset: 1 << shadow_bit, + shadow_bit, + allocations: HashMap::new(), + shadow_pages: RangeSet::new(), + allocation_queue: HashMap::new(), + largest_allocation: 0, + }; + unsafe { + ALLOCATOR_SINGLETON = Some(RefCell::new(allocator)); + } + } + + pub fn get() -> RefMut<'static, Allocator> { + unsafe { + ALLOCATOR_SINGLETON + .as_mut() + .unwrap() + .try_borrow_mut() + .unwrap() + } + } + + pub fn init(runtime: Rc>) { + 
Self::setup(runtime); + } + + #[inline] + fn round_up_to_page(&self, size: usize) -> usize { + ((size + self.page_size) / self.page_size) * self.page_size + } + + #[inline] + fn round_down_to_page(&self, value: usize) -> usize { + (value / self.page_size) * self.page_size + } + + fn find_smallest_fit(&mut self, size: usize) -> Option { + let mut current_size = size; + while current_size <= self.largest_allocation { + if self.allocation_queue.contains_key(¤t_size) { + if let Some(metadata) = self.allocation_queue.entry(current_size).or_default().pop() { + return Some(metadata); + } + } + current_size *= 2; + } + None + } + + pub unsafe fn alloc(&mut self, size: usize, _alignment: usize) -> *mut c_void { + let mut is_malloc_zero = false; + let size = if size == 0 { + println!("zero-sized allocation!"); + is_malloc_zero = true; + 16 + } else { + size + }; + if size > (1 << 30) { + panic!("Allocation is too large: 0x{:x}", size); + } + let rounded_up_size = self.round_up_to_page(size); + + let metadata = if let Some(mut metadata) = self.find_smallest_fit(rounded_up_size) + { + //println!("reusing allocation at {:x}, (actual mapping starts at {:x}) size {:x}", metadata.address, metadata.address - self.page_size, size); + metadata.is_malloc_zero = is_malloc_zero; + metadata.size = size; + if self + .runtime + .borrow() + .options + .enable_asan_allocation_backtraces + { + metadata.allocation_site_backtrace = Some(Backtrace::new_unresolved()); + } + metadata + } else { + let mapping = match mmap( + std::ptr::null_mut(), + rounded_up_size, + ProtFlags::PROT_READ | ProtFlags::PROT_WRITE, + MapFlags::MAP_ANONYMOUS | MapFlags::MAP_PRIVATE, + -1, + 0, + ) { + Ok(mapping) => mapping as usize, + Err(err) => { + println!("An error occurred while mapping memory: {:?}", err); + return std::ptr::null_mut(); + } + }; + + self.map_shadow_for_region( + mapping, + mapping + rounded_up_size, + false, + ); + + let mut metadata = AllocationMetadata { + address: mapping, + size, + 
actual_size: rounded_up_size, + ..AllocationMetadata::default() + }; + + if self + .runtime + .borrow() + .options + .enable_asan_allocation_backtraces + { + metadata.allocation_site_backtrace = Some(Backtrace::new_unresolved()); + } + + metadata + }; + + self.largest_allocation = std::cmp::max(self.largest_allocation, metadata.actual_size); + // unpoison the shadow memory for the allocation itself + Self::unpoison(map_to_shadow!(self, metadata.address), size); + let address = metadata.address as *mut c_void; + + self.allocations.insert(metadata.address, metadata); + //println!("serving address: {:?}, size: {:x}", address, size); + address + } + + pub unsafe fn release(&mut self, ptr: *mut c_void) { + let mut metadata = if let Some(metadata) = self.allocations.get_mut(&(ptr as usize)) { + metadata + } else { + if !ptr.is_null() { + // TODO: report this as an observer + self.runtime + .borrow_mut() + .report_error(AsanError::UnallocatedFree((ptr as usize, Backtrace::new()))); + } + return; + }; + + if metadata.freed { + self.runtime + .borrow_mut() + .report_error(AsanError::DoubleFree(( + ptr as usize, + metadata.clone(), + Backtrace::new(), + ))); + } + let shadow_mapping_start = map_to_shadow!(self, ptr as usize); + + metadata.freed = true; + if self + .runtime + .borrow() + .options + .enable_asan_allocation_backtraces + { + metadata.release_site_backtrace = Some(Backtrace::new_unresolved()); + } + + // poison the shadow memory for the allocation + Self::poison(shadow_mapping_start, metadata.size); + } + + pub fn find_metadata( + &mut self, + ptr: usize, + hint_base: usize, + ) -> Option<&mut AllocationMetadata> { + let mut metadatas: Vec<&mut AllocationMetadata> = self.allocations.values_mut().collect(); + metadatas.sort_by(|a, b| a.address.cmp(&b.address)); + let mut offset_to_closest = i64::max_value(); + let mut closest = None; + for metadata in metadatas { + println!("{:#x}", metadata.address); + let new_offset = if hint_base == metadata.address { + (ptr as 
i64 - metadata.address as i64).abs() + } else { + std::cmp::min( + offset_to_closest, + (ptr as i64 - metadata.address as i64).abs(), + ) + }; + if new_offset < offset_to_closest { + offset_to_closest = new_offset; + closest = Some(metadata); + } + } + closest + } + + pub fn reset(&mut self) { + for (address, mut allocation) in self.allocations.drain() { + // First poison the memory. + Self::poison(map_to_shadow!(self, address), allocation.size); + + // Reset the allocaiton metadata object + allocation.size = 0; + allocation.freed = false; + allocation.allocation_site_backtrace = None; + allocation.release_site_backtrace = None; + + // Move the allocation from the allocations to the to-be-allocated queues + self.allocation_queue + .entry(allocation.actual_size) + .or_default() + .push(allocation); + } + } + + pub fn get_usable_size(&self, ptr: *mut c_void) -> usize { + match self.allocations.get(&(ptr as usize)) { + Some(metadata) => metadata.size, + None => { + panic!( + "Attempted to get_usable_size on a pointer ({:?}) which was not allocated!", + ptr + ); + } + } + } + + fn unpoison(start: usize, size: usize) { + //println!("unpoisoning {:x} for {:x}", start, size / 8 + 1); + unsafe { + //println!("memset: {:?}", start as *mut c_void); + memset(start as *mut c_void, 0xff, size / 8); + + let remainder = size % 8; + if remainder > 0 { + //println!("remainder: {:x}, offset: {:x}", remainder, start + size / 8); + memset( + (start + size / 8) as *mut c_void, + (0xff << (8 - remainder)) & 0xff, + 1, + ); + } + } + } + + fn poison(start: usize, size: usize) { + //println!("poisoning {:x} for {:x}", start, size / 8 + 1); + unsafe { + //println!("memset: {:?}", start as *mut c_void); + memset(start as *mut c_void, 0x00, size / 8); + + let remainder = size % 8; + if remainder > 0 { + //println!("remainder: {:x}, offset: {:x}", remainder, start + size / 8); + memset((start + size / 8) as *mut c_void, 0x00, 1); + } + } + } + + /// Map shadow memory for a region, and 
optionally unpoison it + pub fn map_shadow_for_region( + &mut self, + start: usize, + end: usize, + unpoison: bool, + ) -> (usize, usize) { + //println!("start: {:x}, end {:x}, size {:x}", start, end, end - start); + + let shadow_mapping_start = map_to_shadow!(self, start); + + if !self.pre_allocated_shadow { + let shadow_start = self.round_down_to_page(shadow_mapping_start); + let shadow_end = + self.round_up_to_page((end - start) / 8) + self.page_size + shadow_start; + for range in self.shadow_pages.gaps(&(shadow_start..shadow_end)) { + //println!("range: {:x}-{:x}, pagesize: {}", range.start, range.end, self.page_size); + unsafe { + mmap( + range.start as *mut c_void, + range.end - range.start, + ProtFlags::PROT_READ | ProtFlags::PROT_WRITE, + MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE, + -1, + 0, + ) + .expect("An error occurred while mapping shadow memory"); + } + } + + self.shadow_pages.insert(shadow_start..shadow_end); + } + + //println!("shadow_mapping_start: {:x}, shadow_size: {:x}", shadow_mapping_start, (end - start) / 8); + if unpoison { + Self::unpoison(shadow_mapping_start, end - start); + } + + (shadow_mapping_start, (end - start) / 8) + } +} + +/// Hook for malloc. +pub extern "C" fn asan_malloc(size: usize) -> *mut c_void { + unsafe { Allocator::get().alloc(size, 0x8) } +} + +/// Hook for new. +pub extern "C" fn asan_new(size: usize) -> *mut c_void { + unsafe { Allocator::get().alloc(size, 0x8) } +} + +/// Hook for new. +pub extern "C" fn asan_new_nothrow(size: usize, _nothrow: *const c_void) -> *mut c_void { + unsafe { Allocator::get().alloc(size, 0x8) } +} + +/// Hook for new with alignment. +pub extern "C" fn asan_new_aligned(size: usize, alignment: usize) -> *mut c_void { + unsafe { Allocator::get().alloc(size, alignment) } +} + +/// Hook for new with alignment. 
+pub extern "C" fn asan_new_aligned_nothrow( + size: usize, + alignment: usize, + _nothrow: *const c_void, +) -> *mut c_void { + unsafe { Allocator::get().alloc(size, alignment) } +} + +/// Hook for pvalloc +pub extern "C" fn asan_pvalloc(size: usize) -> *mut c_void { + unsafe { Allocator::get().alloc(size, 0x8) } +} + +/// Hook for valloc +pub extern "C" fn asan_valloc(size: usize) -> *mut c_void { + unsafe { Allocator::get().alloc(size, 0x8) } +} + +/// Hook for calloc +pub extern "C" fn asan_calloc(nmemb: usize, size: usize) -> *mut c_void { + unsafe { Allocator::get().alloc(size * nmemb, 0x8) } +} + +/// Hook for realloc +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_realloc(ptr: *mut c_void, size: usize) -> *mut c_void { + let mut allocator = Allocator::get(); + let ret = allocator.alloc(size, 0x8); + if ptr != std::ptr::null_mut() { + memmove(ret, ptr, allocator.get_usable_size(ptr)); + } + allocator.release(ptr); + ret +} + +/// Hook for free +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_free(ptr: *mut c_void) { + if ptr != std::ptr::null_mut() { + Allocator::get().release(ptr); + } +} + +/// Hook for delete +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_delete(ptr: *mut c_void) { + if ptr != std::ptr::null_mut() { + Allocator::get().release(ptr); + } +} + +/// Hook for delete +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_delete_ulong(ptr: *mut c_void, _ulong: u64) { + if ptr != std::ptr::null_mut() { + Allocator::get().release(ptr); + } +} + +/// Hook for delete +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_delete_ulong_aligned( + ptr: *mut c_void, + _ulong: u64, + _nothrow: *const c_void, +) { + if ptr != 
std::ptr::null_mut() { + Allocator::get().release(ptr); + } +} + +/// Hook for delete +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_delete_aligned(ptr: *mut c_void, _alignment: usize) { + if ptr != std::ptr::null_mut() { + Allocator::get().release(ptr); + } +} + +/// Hook for delete +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_delete_nothrow(ptr: *mut c_void, _nothrow: *const c_void) { + if ptr != std::ptr::null_mut() { + Allocator::get().release(ptr); + } +} + +/// Hook for delete +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_delete_aligned_nothrow( + ptr: *mut c_void, + _alignment: usize, + _nothrow: *const c_void, +) { + if ptr != std::ptr::null_mut() { + Allocator::get().release(ptr); + } +} + +/// Hook for malloc_usable_size +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_malloc_usable_size(ptr: *mut c_void) -> usize { + Allocator::get().get_usable_size(ptr) +} + +/// Hook for memalign +pub extern "C" fn asan_memalign(size: usize, alignment: usize) -> *mut c_void { + unsafe { Allocator::get().alloc(size, alignment) } +} + +/// Hook for posix_memalign +/// +/// # Safety +/// This function is inherently unsafe, as it takes a raw pointer +pub unsafe extern "C" fn asan_posix_memalign( + pptr: *mut *mut c_void, + size: usize, + alignment: usize, +) -> i32 { + *pptr = Allocator::get().alloc(size, alignment); + 0 +} + +/// Hook for mallinfo +pub extern "C" fn asan_mallinfo() -> *mut c_void { + std::ptr::null_mut() +} + +/// Get the current thread's TLS address +extern "C" { + fn get_tls_ptr() -> *const c_void; +} + +pub struct AsanRuntime { + regs: [usize; 32], + blob_check_mem_byte: Option>, + blob_check_mem_halfword: Option>, + blob_check_mem_dword: Option>, + blob_check_mem_qword: 
Option>, + blob_check_mem_16bytes: Option>, + blob_check_mem_3bytes: Option>, + blob_check_mem_6bytes: Option>, + blob_check_mem_12bytes: Option>, + blob_check_mem_24bytes: Option>, + blob_check_mem_32bytes: Option>, + blob_check_mem_48bytes: Option>, + blob_check_mem_64bytes: Option>, + stalked_addresses: HashMap, + options: FridaOptions, +} + +#[derive(Debug, Clone, Serialize, Deserialize)] +struct AsanReadWriteError { + registers: [usize; 32], + pc: usize, + fault: (u16, u16, usize, usize), + metadata: AllocationMetadata, + backtrace: Backtrace, +} + +#[derive(Debug, Clone, Serialize, Deserialize, SerdeAny)] +enum AsanError { + OobRead(AsanReadWriteError), + OobWrite(AsanReadWriteError), + ReadAfterFree(AsanReadWriteError), + WriteAfterFree(AsanReadWriteError), + DoubleFree((usize, AllocationMetadata, Backtrace)), + UnallocatedFree((usize, Backtrace)), + Unknown(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)), + Leak((usize, AllocationMetadata)), + StackOobRead(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)), + StackOobWrite(([usize; 32], usize, (u16, u16, usize, usize), Backtrace)), +} + +impl AsanError { + fn description(&self) -> &str { + match self { + AsanError::OobRead(_) => "heap out-of-bounds read", + AsanError::OobWrite(_) => "heap out-of-bounds write", + AsanError::DoubleFree(_) => "double-free", + AsanError::UnallocatedFree(_) => "unallocated-free", + AsanError::WriteAfterFree(_) => "heap use-after-free write", + AsanError::ReadAfterFree(_) => "heap use-after-free read", + AsanError::Unknown(_) => "heap unknown", + AsanError::Leak(_) => "memory-leak", + AsanError::StackOobRead(_) => "stack out-of-bounds read", + AsanError::StackOobWrite(_) => "stack out-of-bounds write", + } + } +} + +#[derive(Debug, Clone, Serialize, Deserialize, SerdeAny)] +pub struct AsanErrors { + errors: Vec, +} + +impl AsanErrors { + fn new() -> Self { + Self { errors: Vec::new() } + } + + pub fn clear(&mut self) { + self.errors.clear() + } + + pub fn 
len(&self) -> usize { + self.errors.len() + } + + pub fn is_empty(&self) -> bool { + self.errors.is_empty() + } +} +impl CustomExitKind for AsanErrors {} + +impl AsanRuntime { + pub fn new(options: FridaOptions) -> Rc> { + let res = Rc::new(RefCell::new(Self { + regs: [0; 32], + blob_check_mem_byte: None, + blob_check_mem_halfword: None, + blob_check_mem_dword: None, + blob_check_mem_qword: None, + blob_check_mem_16bytes: None, + blob_check_mem_3bytes: None, + blob_check_mem_6bytes: None, + blob_check_mem_12bytes: None, + blob_check_mem_24bytes: None, + blob_check_mem_32bytes: None, + blob_check_mem_48bytes: None, + blob_check_mem_64bytes: None, + stalked_addresses: HashMap::new(), + options, + })); + Allocator::init(res.clone()); + res + } + /// Initialize the runtime so that it is read for action. Take care not to move the runtime + /// instance after this function has been called, as the generated blobs would become + /// invalid! + pub fn init(&mut self, modules_to_instrument: &[&str]) { + // workaround frida's frida-gum-allocate-near bug: + unsafe { + for _ in 0..512 { + mmap( + std::ptr::null_mut(), + 128 * 1024, + ProtFlags::PROT_NONE, + MapFlags::MAP_ANONYMOUS | MapFlags::MAP_PRIVATE, + -1, + 0, + ) + .expect("Failed to map dummy regions for frida workaround"); + mmap( + std::ptr::null_mut(), + 4 * 1024 * 1024, + ProtFlags::PROT_NONE, + MapFlags::MAP_ANONYMOUS | MapFlags::MAP_PRIVATE, + -1, + 0, + ) + .expect("Failed to map dummy regions for frida workaround"); + } + } + + unsafe { + ASAN_ERRORS = Some(AsanErrors::new()); + } + + self.generate_instrumentation_blobs(); + self.unpoison_all_existing_memory(); + for module_name in modules_to_instrument { + #[cfg(unix)] + self.hook_library(module_name); + } + } + + /// Reset all allocations so that they can be reused for new allocation requests. + pub fn reset_allocations(&self) { + Allocator::get().reset(); + } + + /// Check if the test leaked any memory and report it if so. 
+ pub fn check_for_leaks(&mut self) { + for metadata in Allocator::get().allocations.values_mut() { + if !metadata.freed { + self.report_error(AsanError::Leak((metadata.address, metadata.clone()))); + } + } + } + + pub fn errors(&mut self) -> &Option { + unsafe { &ASAN_ERRORS } + } + + /// Make sure the specified memory is unpoisoned + pub fn unpoison(&self, address: usize, size: usize) { + Allocator::get().map_shadow_for_region(address, address + size, true); + } + + /// Add a stalked address to real address mapping. + //#[inline] + pub fn add_stalked_address(&mut self, stalked: usize, real: usize) { + self.stalked_addresses.insert(stalked, real); + } + + pub fn real_address_for_stalked(&self, stalked: usize) -> Option<&usize> { + self.stalked_addresses.get(&stalked) + } + + /// Unpoison all the memory that is currently mapped with read/write permissions. + fn unpoison_all_existing_memory(&self) { + let mut allocator = Allocator::get(); + walk_self_maps(&mut |start, end, permissions, _path| { + if permissions.as_bytes()[0] == b'r' || permissions.as_bytes()[1] == b'w' { + if allocator.pre_allocated_shadow && start == 1 << allocator.shadow_bit { + return false; + } + allocator.map_shadow_for_region(start, end, true); + } + false + }); + } + + /// Register the current thread with the runtime, implementing shadow memory for its stack and + /// tls mappings. 
+ pub fn register_thread(&self) { + let mut allocator = Allocator::get(); + let (stack_start, stack_end) = Self::current_stack(); + println!("current stack: {:#016x}-{:#016x}", stack_start, stack_end); + allocator.map_shadow_for_region(stack_start, stack_end, true); + + //let (tls_start, tls_end) = Self::current_tls(); + //allocator.map_shadow_for_region(tls_start, tls_end, true); + //println!( + //"registering thread with stack {:x}:{:x} and tls {:x}:{:x}", + //stack_start as usize, stack_end as usize, tls_start as usize, tls_end as usize + //); + } + + /// Determine the stack start, end for the currently running thread + pub fn current_stack() -> (usize, usize) { + let stack_var = 0xeadbeef; + let stack_address = &stack_var as *const _ as *const c_void as usize; + let (start, end, _, _) = find_mapping_for_address(stack_address).unwrap(); + + let mut stack_rlimit = rlimit64 { rlim_cur: 0, rlim_max: 0 }; + assert!(unsafe { getrlimit64(3, &mut stack_rlimit as *mut rlimit64 ) } == 0); + + println!("stack_rlimit: {:?}", stack_rlimit); + + let max_start = end - stack_rlimit.rlim_cur as usize; + + if start != max_start { + let mapping = unsafe { + mmap( + max_start as *mut c_void, + start - max_start, + ProtFlags::PROT_READ | ProtFlags::PROT_WRITE, + MapFlags::MAP_ANONYMOUS | MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE | MapFlags::MAP_STACK, + -1, + 0, + ) + }; + assert!(mapping.unwrap() as usize == max_start); + } + (max_start, end) + } + + /// Determine the tls start, end for the currently running thread + fn current_tls() -> (usize, usize) { + let tls_address = unsafe { get_tls_ptr() } as usize; + + let (start, end, _, _) = find_mapping_for_address(tls_address).unwrap(); + (start, end) + } + + /// Locate the target library and hook it's memory allocation functions + #[cfg(unix)] + fn hook_library(&mut self, path: &str) { + let target_lib = GotHookLibrary::new(path, false); + + // shadow the library itself, allowing all accesses + 
Allocator::get().map_shadow_for_region(target_lib.start(), target_lib.end(), true); + + unsafe { + // Hook all the memory allocator functions + target_lib.hook_function("malloc", asan_malloc as *const c_void); + target_lib.hook_function("_Znam", asan_new as *const c_void); + target_lib.hook_function("_ZnamRKSt9nothrow_t", asan_new_nothrow as *const c_void); + target_lib.hook_function("_ZnamSt11align_val_t", asan_new_aligned as *const c_void); + target_lib.hook_function( + "_ZnamSt11align_val_tRKSt9nothrow_t", + asan_new_aligned_nothrow as *const c_void, + ); + target_lib.hook_function("_Znwm", asan_new as *const c_void); + target_lib.hook_function("_ZnwmRKSt9nothrow_t", asan_new_nothrow as *const c_void); + target_lib.hook_function("_ZnwmSt11align_val_t", asan_new_aligned as *const c_void); + target_lib.hook_function( + "_ZnwmSt11align_val_tRKSt9nothrow_t", + asan_new_aligned_nothrow as *const c_void, + ); + + target_lib.hook_function("_ZdaPv", asan_delete as *const c_void); + target_lib.hook_function("_ZdaPvm", asan_delete_ulong as *const c_void); + target_lib.hook_function( + "_ZdaPvmSt11align_val_t", + asan_delete_ulong_aligned as *const c_void, + ); + target_lib.hook_function("_ZdaPvRKSt9nothrow_t", asan_delete_nothrow as *const c_void); + target_lib.hook_function( + "_ZdaPvSt11align_val_t", + asan_delete_aligned as *const c_void, + ); + target_lib.hook_function( + "_ZdaPvSt11align_val_tRKSt9nothrow_t", + asan_delete_aligned_nothrow as *const c_void, + ); + + target_lib.hook_function("_ZdlPv", asan_delete as *const c_void); + target_lib.hook_function("_ZdlPvm", asan_delete_ulong as *const c_void); + target_lib.hook_function( + "_ZdlPvmSt11align_val_t", + asan_delete_ulong_aligned as *const c_void, + ); + target_lib.hook_function("_ZdlPvRKSt9nothrow_t", asan_delete_nothrow as *const c_void); + target_lib.hook_function( + "_ZdlPvSt11align_val_t", + asan_delete_aligned as *const c_void, + ); + target_lib.hook_function( + "_ZdlPvSt11align_val_tRKSt9nothrow_t", + 
asan_delete_aligned_nothrow as *const c_void, + ); + + target_lib.hook_function("calloc", asan_calloc as *const c_void); + target_lib.hook_function("pvalloc", asan_pvalloc as *const c_void); + target_lib.hook_function("valloc", asan_valloc as *const c_void); + target_lib.hook_function("realloc", asan_realloc as *const c_void); + target_lib.hook_function("free", asan_free as *const c_void); + target_lib.hook_function("memalign", asan_memalign as *const c_void); + target_lib.hook_function("posix_memalign", asan_posix_memalign as *const c_void); + target_lib.hook_function( + "malloc_usable_size", + asan_malloc_usable_size as *const c_void, + ); + } + } + + extern "C" fn handle_trap(&mut self) { + let mut actual_pc = self.regs[31]; + actual_pc = match self.stalked_addresses.get(&actual_pc) { + Some(addr) => *addr, + None => actual_pc, + }; + + let cs = Capstone::new() + .arm64() + .mode(capstone::arch::arm64::ArchMode::Arm) + .detail(true) + .build() + .unwrap(); + + let instructions = cs + .disasm_count( + unsafe { std::slice::from_raw_parts(actual_pc as *mut u8, 24) }, + actual_pc as u64, + 3, + ) + .unwrap(); + let instructions = instructions.iter().collect::>(); + let mut insn = instructions.first().unwrap(); + if insn.mnemonic().unwrap() == "msr" && insn.op_str().unwrap() == "nzcv, x0" { + insn = instructions.get(2).unwrap(); + actual_pc = insn.address() as usize; + } + + let detail = cs.insn_detail(&insn).unwrap(); + let arch_detail = detail.arch_detail(); + let (mut base_reg, mut index_reg, displacement) = + if let Arm64Operand(arm64operand) = arch_detail.operands().last().unwrap() { + if let Arm64OperandType::Mem(opmem) = arm64operand.op_type { + (opmem.base().0, opmem.index().0, opmem.disp()) + } else { + (0, 0, 0) + } + } else { + (0, 0, 0) + }; + + if capstone::arch::arm64::Arm64Reg::ARM64_REG_X0 as u16 <= base_reg + && base_reg <= capstone::arch::arm64::Arm64Reg::ARM64_REG_X28 as u16 + { + base_reg -= capstone::arch::arm64::Arm64Reg::ARM64_REG_X0 as u16; + 
} else if base_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_X29 as u16 { + base_reg = 29u16; + } else if base_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_X30 as u16 { + base_reg = 30u16; + } else if base_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_SP as u16 + || base_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_WSP as u16 + || base_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_XZR as u16 + || base_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_WZR as u16 + { + base_reg = 31u16; + } else if capstone::arch::arm64::Arm64Reg::ARM64_REG_W0 as u16 <= base_reg + && base_reg <= capstone::arch::arm64::Arm64Reg::ARM64_REG_W30 as u16 + { + base_reg -= capstone::arch::arm64::Arm64Reg::ARM64_REG_W0 as u16; + } else if capstone::arch::arm64::Arm64Reg::ARM64_REG_S0 as u16 <= base_reg + && base_reg <= capstone::arch::arm64::Arm64Reg::ARM64_REG_S31 as u16 + { + base_reg -= capstone::arch::arm64::Arm64Reg::ARM64_REG_S0 as u16; + } + + let mut fault_address = + (self.regs[base_reg as usize] as isize + displacement as isize) as usize; + + if index_reg != 0 { + if capstone::arch::arm64::Arm64Reg::ARM64_REG_X0 as u16 <= index_reg + && index_reg <= capstone::arch::arm64::Arm64Reg::ARM64_REG_X28 as u16 + { + index_reg -= capstone::arch::arm64::Arm64Reg::ARM64_REG_X0 as u16; + } else if index_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_X29 as u16 { + index_reg = 29u16; + } else if index_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_X30 as u16 { + index_reg = 30u16; + } else if index_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_SP as u16 + || index_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_WSP as u16 + || index_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_XZR as u16 + || index_reg == capstone::arch::arm64::Arm64Reg::ARM64_REG_WZR as u16 + { + index_reg = 31u16; + } else if capstone::arch::arm64::Arm64Reg::ARM64_REG_W0 as u16 <= index_reg + && index_reg <= capstone::arch::arm64::Arm64Reg::ARM64_REG_W30 as u16 + { + index_reg -= 
capstone::arch::arm64::Arm64Reg::ARM64_REG_W0 as u16; + } else if capstone::arch::arm64::Arm64Reg::ARM64_REG_S0 as u16 <= index_reg + && index_reg <= capstone::arch::arm64::Arm64Reg::ARM64_REG_S31 as u16 + { + index_reg -= capstone::arch::arm64::Arm64Reg::ARM64_REG_S0 as u16; + } + fault_address += self.regs[index_reg as usize] as usize; + } else { + index_reg = 0xffff + } + + let backtrace = Backtrace::new(); + + let (stack_start, stack_end) = Self::current_stack(); + let error = if fault_address >= stack_start && fault_address < stack_end { + if insn.mnemonic().unwrap().starts_with('l') { + AsanError::StackOobRead(( + self.regs, + actual_pc, + (base_reg, index_reg, displacement as usize, fault_address), + backtrace, + )) + } else { + AsanError::StackOobWrite(( + self.regs, + actual_pc, + (base_reg, index_reg, displacement as usize, fault_address), + backtrace, + )) + } + } else { + let mut allocator = Allocator::get(); + if let Some(metadata) = + allocator.find_metadata(fault_address, self.regs[base_reg as usize]) + { + let asan_readwrite_error = AsanReadWriteError { + registers: self.regs, + pc: actual_pc, + fault: (base_reg, index_reg, displacement as usize, fault_address), + metadata: metadata.clone(), + backtrace, + }; + if insn.mnemonic().unwrap().starts_with('l') { + if metadata.freed { + AsanError::ReadAfterFree(asan_readwrite_error) + } else { + AsanError::OobRead(asan_readwrite_error) + } + } else if metadata.freed { + AsanError::WriteAfterFree(asan_readwrite_error) + } else { + AsanError::OobWrite(asan_readwrite_error) + } + } else { + AsanError::Unknown(( + self.regs, + actual_pc, + (base_reg, index_reg, displacement as usize, fault_address), + backtrace, + )) + } + }; + self.report_error(error); + } + + fn report_error(&mut self, error: AsanError) { + unsafe { + ASAN_ERRORS.as_mut().unwrap().errors.push(error.clone()); + } + + let mut out_stream = default_output_stream(); + let output = out_stream.as_mut(); + + let backtrace_printer = 
BacktracePrinter::new() + .clear_frame_filters() + .print_addresses(true) + .verbosity(Verbosity::Full) + .add_frame_filter(Box::new(|frames| { + frames.retain( + |x| matches!(&x.name, Some(n) if !n.starts_with("libafl_frida::asan_rt::")), + ) + })); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " Memory error detected! ").unwrap(); + output + .set_color(ColorSpec::new().set_fg(Some(Color::Red))) + .unwrap(); + write!(output, "{}", error.description()).unwrap(); + match error { + AsanError::OobRead(mut error) + | AsanError::OobWrite(mut error) + | AsanError::ReadAfterFree(mut error) + | AsanError::WriteAfterFree(mut error) => { + let (basereg, indexreg, _displacement, fault_address) = error.fault; + + if let Ok((start, _, _, path)) = find_mapping_for_address(error.pc) { + writeln!( + output, + " at 0x{:x} ({}:0x{:04x}), faulting address 0x{:x}", + error.pc, + path, + error.pc - start, + fault_address + ) + .unwrap(); + } else { + writeln!( + output, + " at 0x{:x}, faulting address 0x{:x}", + error.pc, fault_address + ) + .unwrap(); + } + output.reset().unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " REGISTERS ").unwrap(); + for reg in 0..=30 { + if reg == basereg { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Red))) + .unwrap(); + } else if reg == indexreg { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Yellow))) + .unwrap(); + } + write!( + output, + "x{:02}: 0x{:016x} ", + reg, error.registers[reg as usize] + ) + .unwrap(); + output.reset().unwrap(); + if reg % 4 == 3 { + writeln!(output).unwrap(); + } + } + writeln!(output, "pc : 0x{:016x} ", error.pc).unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " CODE ").unwrap(); + let mut cs = Capstone::new() + .arm64() + .mode(capstone::arch::arm64::ArchMode::Arm) + .build() + .unwrap(); + cs.set_skipdata(true).expect("failed to set skipdata"); + + let start_pc = error.pc - 4 * 5; + for insn in cs + 
.disasm_count( + unsafe { std::slice::from_raw_parts(start_pc as *mut u8, 4 * 11) }, + start_pc as u64, + 11, + ) + .expect("failed to disassemble instructions") + .iter() + { + if insn.address() as usize == error.pc { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Red))) + .unwrap(); + writeln!(output, "\t => {}", insn).unwrap(); + output.reset().unwrap(); + } else { + writeln!(output, "\t {}", insn).unwrap(); + } + } + backtrace_printer + .print_trace(&error.backtrace, output) + .unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " ALLOCATION INFO ").unwrap(); + let offset: i64 = fault_address as i64 - error.metadata.address as i64; + let direction = if offset > 0 { "right" } else { "left" }; + writeln!( + output, + "access is {} to the {} of the 0x{:x} byte allocation at 0x{:x}", + offset, direction, error.metadata.size, error.metadata.address + ) + .unwrap(); + + if error.metadata.is_malloc_zero { + writeln!(output, "allocation was zero-sized").unwrap(); + } + + if let Some(backtrace) = error.metadata.allocation_site_backtrace.as_mut() { + writeln!(output, "allocation site backtrace:").unwrap(); + backtrace.resolve(); + backtrace_printer.print_trace(backtrace, output).unwrap(); + } + + if error.metadata.freed { + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " FREE INFO ").unwrap(); + if let Some(backtrace) = error.metadata.release_site_backtrace.as_mut() { + writeln!(output, "free site backtrace:").unwrap(); + backtrace.resolve(); + backtrace_printer.print_trace(backtrace, output).unwrap(); + } + } + } + AsanError::Unknown((registers, pc, fault, backtrace)) => { + let (basereg, indexreg, _displacement, fault_address) = fault; + + if let Ok((start, _, _, path)) = find_mapping_for_address(pc) { + writeln!( + output, + " at 0x{:x} ({}:0x{:04x}), faulting address 0x{:x}", + pc, + path, + pc - start, + fault_address + ) + .unwrap(); + } else { + writeln!( + output, + " at 0x{:x}, faulting address 
0x{:x}", + pc, fault_address + ) + .unwrap(); + } + output.reset().unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " REGISTERS ").unwrap(); + for reg in 0..=30 { + if reg == basereg { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Red))) + .unwrap(); + } else if reg == indexreg { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Yellow))) + .unwrap(); + } + write!(output, "x{:02}: 0x{:016x} ", reg, registers[reg as usize]).unwrap(); + output.reset().unwrap(); + if reg % 4 == 3 { + writeln!(output).unwrap(); + } + } + writeln!(output, "pc : 0x{:016x} ", pc).unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " CODE ").unwrap(); + let mut cs = Capstone::new() + .arm64() + .mode(capstone::arch::arm64::ArchMode::Arm) + .build() + .unwrap(); + cs.set_skipdata(true).expect("failed to set skipdata"); + + let start_pc = pc - 4 * 5; + for insn in cs + .disasm_count( + unsafe { std::slice::from_raw_parts(start_pc as *mut u8, 4 * 11) }, + start_pc as u64, + 11, + ) + .expect("failed to disassemble instructions") + .iter() + { + if insn.address() as usize == pc { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Red))) + .unwrap(); + writeln!(output, "\t => {}", insn).unwrap(); + output.reset().unwrap(); + } else { + writeln!(output, "\t {}", insn).unwrap(); + } + } + backtrace_printer.print_trace(&backtrace, output).unwrap(); + } + AsanError::DoubleFree((ptr, mut metadata, backtrace)) => { + writeln!(output, " of {:?}", ptr).unwrap(); + output.reset().unwrap(); + backtrace_printer.print_trace(&backtrace, output).unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " ALLOCATION INFO ").unwrap(); + writeln!( + output, + "allocation at 0x{:x}, with size 0x{:x}", + metadata.address, metadata.size + ) + .unwrap(); + if metadata.is_malloc_zero { + writeln!(output, "allocation was zero-sized").unwrap(); + } + + if let Some(backtrace) = 
metadata.allocation_site_backtrace.as_mut() { + writeln!(output, "allocation site backtrace:").unwrap(); + backtrace.resolve(); + backtrace_printer.print_trace(backtrace, output).unwrap(); + } + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " FREE INFO ").unwrap(); + if let Some(backtrace) = metadata.release_site_backtrace.as_mut() { + writeln!(output, "previous free site backtrace:").unwrap(); + backtrace.resolve(); + backtrace_printer.print_trace(backtrace, output).unwrap(); + } + } + AsanError::UnallocatedFree((ptr, backtrace)) => { + writeln!(output, " of {:#016x}", ptr).unwrap(); + output.reset().unwrap(); + backtrace_printer.print_trace(&backtrace, output).unwrap(); + } + AsanError::Leak((ptr, mut metadata)) => { + writeln!(output, " of {:#016x}", ptr).unwrap(); + output.reset().unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " ALLOCATION INFO ").unwrap(); + writeln!( + output, + "allocation at 0x{:x}, with size 0x{:x}", + metadata.address, metadata.size + ) + .unwrap(); + if metadata.is_malloc_zero { + writeln!(output, "allocation was zero-sized").unwrap(); + } + + if let Some(backtrace) = metadata.allocation_site_backtrace.as_mut() { + writeln!(output, "allocation site backtrace:").unwrap(); + backtrace.resolve(); + backtrace_printer.print_trace(backtrace, output).unwrap(); + } + } + AsanError::StackOobRead((registers, pc, fault, backtrace)) + | AsanError::StackOobWrite((registers, pc, fault, backtrace)) => { + let (basereg, indexreg, _displacement, fault_address) = fault; + + if let Ok((start, _, _, path)) = find_mapping_for_address(pc) { + writeln!( + output, + " at 0x{:x} ({}:0x{:04x}), faulting address 0x{:x}", + pc, + path, + pc - start, + fault_address + ) + .unwrap(); + } else { + writeln!( + output, + " at 0x{:x}, faulting address 0x{:x}", + pc, fault_address + ) + .unwrap(); + } + output.reset().unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " REGISTERS 
").unwrap(); + for reg in 0..=30 { + if reg == basereg { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Red))) + .unwrap(); + } else if reg == indexreg { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Yellow))) + .unwrap(); + } + write!(output, "x{:02}: 0x{:016x} ", reg, registers[reg as usize]).unwrap(); + output.reset().unwrap(); + if reg % 4 == 3 { + writeln!(output).unwrap(); + } + } + writeln!(output, "pc : 0x{:016x} ", pc).unwrap(); + + #[allow(clippy::non_ascii_literal)] + writeln!(output, "{:━^100}", " CODE ").unwrap(); + let mut cs = Capstone::new() + .arm64() + .mode(capstone::arch::arm64::ArchMode::Arm) + .build() + .unwrap(); + cs.set_skipdata(true).expect("failed to set skipdata"); + + let start_pc = pc - 4 * 5; + for insn in cs + .disasm_count( + unsafe { std::slice::from_raw_parts(start_pc as *mut u8, 4 * 11) }, + start_pc as u64, + 11, + ) + .expect("failed to disassemble instructions") + .iter() + { + if insn.address() as usize == pc { + output + .set_color(ColorSpec::new().set_fg(Some(Color::Red))) + .unwrap(); + writeln!(output, "\t => {}", insn).unwrap(); + output.reset().unwrap(); + } else { + writeln!(output, "\t {}", insn).unwrap(); + } + } + backtrace_printer.print_trace(&backtrace, output).unwrap(); + } + }; + + if !self.options.asan_continue_after_error() { + panic!("Crashing target!"); + } + } + + /// Generate the instrumentation blobs for the current arch. + #[allow(clippy::similar_names)] // We allow things like dword and qword + fn generate_instrumentation_blobs(&mut self) { + let shadow_bit = Allocator::get().shadow_bit as u32; + macro_rules! shadow_check { + ($ops:ident, $bit:expr) => {dynasm!($ops + ; .arch aarch64 + //; brk #5 + ; b >skip_report + + ; report: + ; brk 0x11 + ; stp x29, x30, [sp, #-0x10]! 
+ ; mov x29, sp + + ; ldr x0, >self_regs_addr + ; stp x2, x3, [x0, #0x10] + ; stp x4, x5, [x0, #0x20] + ; stp x6, x7, [x0, #0x30] + ; stp x8, x9, [x0, #0x40] + ; stp x10, x11, [x0, #0x50] + ; stp x12, x13, [x0, #0x60] + ; stp x14, x15, [x0, #0x70] + ; stp x16, x17, [x0, #0x80] + ; stp x18, x19, [x0, #0x90] + ; stp x20, x21, [x0, #0xa0] + ; stp x22, x23, [x0, #0xb0] + ; stp x24, x25, [x0, #0xc0] + ; stp x26, x27, [x0, #0xd0] + ; stp x28, x29, [x0, #0xe0] + ; stp x30, xzr, [x0, #0xf0] + ; mov x28, x0 + ; .dword (0xd53b4218u32 as i32) // mrs x24, nzcv + //; ldp x0, x1, [sp], #144 + ; ldp x0, x1, [sp, 0x10] + ; stp x0, x1, [x28] + + ; adr x25, >done + ; str x25, [x28, 0xf8] + + ; adr x25, eh_frame_fde + ; adr x27, >fde_address + ; ldr w26, [x27] + ; cmp w26, #0x0 + ; b.ne >skip_register + ; sub x25, x25, x27 + ; str w25, [x27] + ; ldr x1, >register_frame_func + //; brk #11 + ; blr x1 + ; skip_register: + ; ldr x0, >self_addr + ; ldr x1, >trap_func + ; blr x1 + + ; .dword (0xd51b4218u32 as i32) // msr nzcv, x24 + ; ldr x0, >self_regs_addr + ; ldp x2, x3, [x0, #0x10] + ; ldp x4, x5, [x0, #0x20] + ; ldp x6, x7, [x0, #0x30] + ; ldp x8, x9, [x0, #0x40] + ; ldp x10, x11, [x0, #0x50] + ; ldp x12, x13, [x0, #0x60] + ; ldp x14, x15, [x0, #0x70] + ; ldp x16, x17, [x0, #0x80] + ; ldp x18, x19, [x0, #0x90] + ; ldp x20, x21, [x0, #0xa0] + ; ldp x22, x23, [x0, #0xb0] + ; ldp x24, x25, [x0, #0xc0] + ; ldp x26, x27, [x0, #0xd0] + ; ldp x28, x29, [x0, #0xe0] + ; ldp x30, xzr, [x0, #0xf0] + + ; ldp x29, x30, [sp], #0x10 + ; b >done + ; self_addr: + ; .qword self as *mut _ as *mut c_void as i64 + ; self_regs_addr: + ; .qword &mut self.regs as *mut _ as *mut c_void as i64 + ; trap_func: + ; .qword AsanRuntime::handle_trap as *mut c_void as i64 + ; register_frame_func: + ; .qword __register_frame as *mut c_void as i64 + ; eh_frame_cie: + ; .dword 0x14 + ; .dword 0x00 + ; .dword 0x00527a01 + ; .dword 0x011e7c01 + ; .dword 0x001f0c1b + ; eh_frame_fde: + ; .dword 0x14 + ; .dword 0x18 + ; 
fde_address: + ; .dword 0x0 // <-- address offset goes here + ; .dword 0x104 + //advance_loc 12 + //def_cfa r29 (x29) at offset 16 + //offset r30 (x30) at cfa-8 + //offset r29 (x29) at cfa-16 + ; .dword 0x1d0c4c00 + ; .dword (0x9d029e10 as u32 as i32) + ; .dword 0x04 + // empty next FDE: + ; .dword 0x0 + ; .dword 0x0 + + ; skip_report: + ; mov x1, #1 + ; add x1, xzr, x1, lsl #shadow_bit + ; add x1, x1, x0, lsr #3 + ; ubfx x1, x1, #0, #(shadow_bit + 2) + ; ldrh w1, [x1, #0] + ; and x0, x0, #7 + ; rev16 w1, w1 + ; rbit w1, w1 + ; lsr x1, x1, #16 + ; lsr x1, x1, x0 + ; tbnz x1, #$bit, >done + ; b {dynasm!($ops + ; .arch aarch64 + ; b >skip_report + + ; report: + ; brk 0x22 + ; stp x29, x30, [sp, #-0x10]! + ; mov x29, sp + + ; ldr x0, >self_regs_addr + ; stp x2, x3, [x0, #0x10] + ; stp x4, x5, [x0, #0x20] + ; stp x6, x7, [x0, #0x30] + ; stp x8, x9, [x0, #0x40] + ; stp x10, x11, [x0, #0x50] + ; stp x12, x13, [x0, #0x60] + ; stp x14, x15, [x0, #0x70] + ; stp x16, x17, [x0, #0x80] + ; stp x18, x19, [x0, #0x90] + ; stp x20, x21, [x0, #0xa0] + ; stp x22, x23, [x0, #0xb0] + ; stp x24, x25, [x0, #0xc0] + ; stp x26, x27, [x0, #0xd0] + ; stp x28, x29, [x0, #0xe0] + ; stp x30, xzr, [x0, #0xf0] + ; mov x28, x0 + ; .dword (0xd53b4218u32 as i32) // mrs x24, nzcv + ; ldp x0, x1, [sp, 0x10] + ; stp x0, x1, [x28] + + ; adr x25, >done + ; add x25, x25, 4 + ; str x25, [x28, 0xf8] + + ; adr x25, eh_frame_fde + ; adr x27, >fde_address + ; ldr w26, [x27] + ; cmp w26, #0x0 + ; b.ne >skip_register + ; sub x25, x25, x27 + ; str w25, [x27] + ; ldr x1, >register_frame_func + //; brk #11 + ; blr x1 + ; skip_register: + ; ldr x0, >self_addr + ; ldr x1, >trap_func + ; blr x1 + + ; .dword (0xd51b4218u32 as i32) // msr nzcv, x24 + ; ldr x0, >self_regs_addr + ; ldp x2, x3, [x0, #0x10] + ; ldp x4, x5, [x0, #0x20] + ; ldp x6, x7, [x0, #0x30] + ; ldp x8, x9, [x0, #0x40] + ; ldp x10, x11, [x0, #0x50] + ; ldp x12, x13, [x0, #0x60] + ; ldp x14, x15, [x0, #0x70] + ; ldp x16, x17, [x0, #0x80] + ; ldp x18, 
x19, [x0, #0x90] + ; ldp x20, x21, [x0, #0xa0] + ; ldp x22, x23, [x0, #0xb0] + ; ldp x24, x25, [x0, #0xc0] + ; ldp x26, x27, [x0, #0xd0] + ; ldp x28, x29, [x0, #0xe0] + ; ldp x30, xzr, [x0, #0xf0] + + ; ldp x29, x30, [sp], #0x10 + ; b >done + ; self_addr: + ; .qword self as *mut _ as *mut c_void as i64 + ; self_regs_addr: + ; .qword &mut self.regs as *mut _ as *mut c_void as i64 + ; trap_func: + ; .qword AsanRuntime::handle_trap as *mut c_void as i64 + ; register_frame_func: + ; .qword __register_frame as *mut c_void as i64 + ; eh_frame_cie: + ; .dword 0x14 + ; .dword 0x00 + ; .dword 0x00527a01 + ; .dword 0x011e7c01 + ; .dword 0x001f0c1b + ; eh_frame_fde: + ; .dword 0x14 + ; .dword 0x18 + ; fde_address: + ; .dword 0x0 // <-- address offset goes here + ; .dword 0x104 + //advance_loc 12 + //def_cfa r29 (x29) at offset 16 + //offset r30 (x30) at cfa-8 + //offset r29 (x29) at cfa-16 + ; .dword 0x1d0c4c00 + ; .dword (0x9d029e10 as u32 as i32) + ; .dword 0x04 + // empty next FDE: + ; .dword 0x0 + ; .dword 0x0 + + + ; skip_report: + ; mov x1, #1 + ; add x1, xzr, x1, lsl #shadow_bit + ; add x1, x1, x0, lsr #3 + ; ubfx x1, x1, #0, #(shadow_bit + 2) + ; ldrh w1, [x1, #0] + ; and x0, x0, #7 + ; rev16 w1, w1 + ; rbit w1, w1 + ; lsr x1, x1, #16 + ; lsr x1, x1, x0 + ; .dword -717536768 // 0xd53b4200 //mrs x0, NZCV + ; and x1, x1, #$val + ; cmp x1, #$val + ; b.eq >done + ; b ::new(0); + shadow_check!(ops_check_mem_byte, 0); + self.blob_check_mem_byte = Some(ops_check_mem_byte.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_halfword = + dynasmrt::VecAssembler::::new(0); + shadow_check!(ops_check_mem_halfword, 1); + self.blob_check_mem_halfword = Some( + ops_check_mem_halfword + .finalize() + .unwrap() + .into_boxed_slice(), + ); + + let mut ops_check_mem_dword = + dynasmrt::VecAssembler::::new(0); + shadow_check!(ops_check_mem_dword, 2); + self.blob_check_mem_dword = + Some(ops_check_mem_dword.finalize().unwrap().into_boxed_slice()); + + let mut 
ops_check_mem_qword = + dynasmrt::VecAssembler::::new(0); + shadow_check!(ops_check_mem_qword, 3); + self.blob_check_mem_qword = + Some(ops_check_mem_qword.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_16bytes = + dynasmrt::VecAssembler::::new(0); + shadow_check!(ops_check_mem_16bytes, 4); + self.blob_check_mem_16bytes = + Some(ops_check_mem_16bytes.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_3bytes = + dynasmrt::VecAssembler::::new(0); + shadow_check_exact!(ops_check_mem_3bytes, 3); + self.blob_check_mem_3bytes = + Some(ops_check_mem_3bytes.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_6bytes = + dynasmrt::VecAssembler::::new(0); + shadow_check_exact!(ops_check_mem_6bytes, 6); + self.blob_check_mem_6bytes = + Some(ops_check_mem_6bytes.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_12bytes = + dynasmrt::VecAssembler::::new(0); + shadow_check_exact!(ops_check_mem_12bytes, 12); + self.blob_check_mem_12bytes = + Some(ops_check_mem_12bytes.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_24bytes = + dynasmrt::VecAssembler::::new(0); + shadow_check_exact!(ops_check_mem_24bytes, 24); + self.blob_check_mem_24bytes = + Some(ops_check_mem_24bytes.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_32bytes = + dynasmrt::VecAssembler::::new(0); + shadow_check_exact!(ops_check_mem_32bytes, 32); + self.blob_check_mem_32bytes = + Some(ops_check_mem_32bytes.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_48bytes = + dynasmrt::VecAssembler::::new(0); + shadow_check_exact!(ops_check_mem_48bytes, 48); + self.blob_check_mem_48bytes = + Some(ops_check_mem_48bytes.finalize().unwrap().into_boxed_slice()); + + let mut ops_check_mem_64bytes = + dynasmrt::VecAssembler::::new(0); + shadow_check_exact!(ops_check_mem_64bytes, 64); + self.blob_check_mem_64bytes = + Some(ops_check_mem_64bytes.finalize().unwrap().into_boxed_slice()); + } + + /// Get the blob 
which checks a byte access + #[inline] + pub fn blob_check_mem_byte(&self) -> &[u8] { + self.blob_check_mem_byte.as_ref().unwrap() + } + + /// Get the blob which checks a halfword access + #[inline] + pub fn blob_check_mem_halfword(&self) -> &[u8] { + self.blob_check_mem_halfword.as_ref().unwrap() + } + + /// Get the blob which checks a dword access + #[inline] + pub fn blob_check_mem_dword(&self) -> &[u8] { + self.blob_check_mem_dword.as_ref().unwrap() + } + + /// Get the blob which checks a qword access + #[inline] + pub fn blob_check_mem_qword(&self) -> &[u8] { + self.blob_check_mem_qword.as_ref().unwrap() + } + + /// Get the blob which checks a 16 byte access + #[inline] + pub fn blob_check_mem_16bytes(&self) -> &[u8] { + self.blob_check_mem_16bytes.as_ref().unwrap() + } + + /// Get the blob which checks a 3 byte access + #[inline] + pub fn blob_check_mem_3bytes(&self) -> &[u8] { + self.blob_check_mem_3bytes.as_ref().unwrap() + } + + /// Get the blob which checks a 6 byte access + #[inline] + pub fn blob_check_mem_6bytes(&self) -> &[u8] { + self.blob_check_mem_6bytes.as_ref().unwrap() + } + + /// Get the blob which checks a 12 byte access + #[inline] + pub fn blob_check_mem_12bytes(&self) -> &[u8] { + self.blob_check_mem_12bytes.as_ref().unwrap() + } + + /// Get the blob which checks a 24 byte access + #[inline] + pub fn blob_check_mem_24bytes(&self) -> &[u8] { + self.blob_check_mem_24bytes.as_ref().unwrap() + } + + /// Get the blob which checks a 32 byte access + #[inline] + pub fn blob_check_mem_32bytes(&self) -> &[u8] { + self.blob_check_mem_32bytes.as_ref().unwrap() + } + + /// Get the blob which checks a 48 byte access + #[inline] + pub fn blob_check_mem_48bytes(&self) -> &[u8] { + self.blob_check_mem_48bytes.as_ref().unwrap() + } + + /// Get the blob which checks a 64 byte access + #[inline] + pub fn blob_check_mem_64bytes(&self) -> &[u8] { + self.blob_check_mem_64bytes.as_ref().unwrap() + } +} + +pub static mut ASAN_ERRORS: Option = None; + 
+#[derive(Serialize, Deserialize)] +#[allow(clippy::unsafe_derive_deserialize)] +pub struct AsanErrorsObserver { + errors: OwnedPtr>, +} + +impl Observer for AsanErrorsObserver { + fn pre_exec(&mut self) -> Result<(), Error> { + unsafe { + if ASAN_ERRORS.is_some() { + ASAN_ERRORS.as_mut().unwrap().clear(); + } + } + + Ok(()) + } +} + +impl Named for AsanErrorsObserver { + #[inline] + fn name(&self) -> &str { + "AsanErrorsObserver" + } +} + +impl AsanErrorsObserver { + pub fn new(errors: &'static Option) -> Self { + Self { + errors: OwnedPtr::Ptr(errors as *const Option), + } + } + + pub fn new_owned(errors: Option) -> Self { + Self { + errors: OwnedPtr::Owned(Box::new(errors)), + } + } + + pub fn new_from_ptr(errors: *const Option) -> Self { + Self { + errors: OwnedPtr::Ptr(errors), + } + } + + pub fn errors(&self) -> Option<&AsanErrors> { + match &self.errors { + OwnedPtr::Ptr(p) => unsafe { p.as_ref().unwrap().as_ref() }, + OwnedPtr::Owned(b) => b.as_ref().as_ref(), + } + } +} + +#[derive(Serialize, Deserialize, Clone, Debug)] +pub struct AsanErrorsFeedback { + errors: Option, +} + +impl Feedback for AsanErrorsFeedback +where + I: Input + HasTargetBytes, +{ + fn is_interesting( + &mut self, + _input: &I, + observers: &OT, + _exit_kind: &ExitKind, + ) -> Result { + let observer = observers + .match_first_type::() + .expect("An AsanErrorsFeedback needs an AsanErrorsObserver"); + match observer.errors() { + None => Ok(0), + Some(errors) => { + if !errors.errors.is_empty() { + self.errors = Some(errors.clone()); + Ok(1) + } else { + Ok(0) + } + } + } + } + + fn append_metadata(&mut self, testcase: &mut Testcase) -> Result<(), Error> { + if let Some(errors) = &self.errors { + testcase.add_metadata(errors.clone()); + } + + Ok(()) + } + + fn discard_metadata(&mut self, _input: &I) -> Result<(), Error> { + self.errors = None; + Ok(()) + } +} + +impl Named for AsanErrorsFeedback { + #[inline] + fn name(&self) -> &str { + "AsanErrorsFeedback" + } +} + +impl 
AsanErrorsFeedback {
+ pub fn new() -> Self {
+ Self { errors: None }
+ }
+}
+
+impl Default for AsanErrorsFeedback {
+ fn default() -> Self {
+ Self::new()
+ }
+}
diff --git a/libafl_frida/src/gettls.c b/libafl_frida/src/gettls.c
new file mode 100644
index 0000000000..ba14df7489
--- /dev/null
+++ b/libafl_frida/src/gettls.c
@@ -0,0 +1,9 @@
+#ifdef _MSC_VER
+__declspec( thread ) int i = 0;
+#else
+__thread int i = 0;
+#endif
+
+void * get_tls_ptr() {
+ return (void*)&i;
+}
diff --git a/libafl_frida/src/helper.rs b/libafl_frida/src/helper.rs
new file mode 100644
index 0000000000..589f270b40
--- /dev/null
+++ b/libafl_frida/src/helper.rs
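Review bot: The thread-local in gettls.c is an external symbol with the one-letter name `i`, so it shares the global namespace with whatever target the harness is linked into, and `get_tls_ptr()` is declared with an empty parameter list rather than a prototype. Give the variable internal linkage and the function a prototype: `static __thread int i = 0;` (and `static __declspec( thread ) int i = 0;` in the MSVC branch) and `void *get_tls_ptr(void) {`. `static` only changes linkage, so the address the Rust side reads through `get_tls_ptr` is unaffected.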
@@ -0,0 +1,655 @@ +use libafl::inputs::{HasTargetBytes, Input}; + +#[cfg(any(target_os = "linux", target_os = "android"))] +use libafl::utils::find_mapping_for_path; + +use libafl_targets::drcov::{DrCovBasicBlock, DrCovWriter}; + +#[cfg(target_arch = "aarch64")] +use capstone::arch::{arm64::{Arm64OperandType, Arm64Extender, Arm64Shift}, ArchOperand::Arm64Operand}; +use capstone::{ + arch::{self, BuildsCapstone}, + Capstone, Insn, +}; + +use core::cell::RefCell; +#[cfg(target_arch = "x86_64")] +use frida_gum::instruction_writer::X86Register; +#[cfg(target_arch = "aarch64")] +use frida_gum::instruction_writer::{Aarch64Register, IndexMode}; +use frida_gum::{ + instruction_writer::InstructionWriter, + stalker::{StalkerOutput, Transformer}, + CpuContext, +}; +use frida_gum::{Gum, Module, PageProtection}; +use num_traits::cast::FromPrimitive; + +use rangemap::RangeMap; +use std::rc::Rc; + +use crate::{asan_rt::AsanRuntime, FridaOptions}; + +/// An helper that feeds FridaInProcessExecutor with user-supplied instrumentation +pub trait FridaHelper<'a> { + fn transformer(&self) -> &Transformer<'a>; + + fn register_thread(&self); + + fn pre_exec(&mut self, input: &I); + + fn post_exec(&mut self, input: &I); + + fn stalker_enabled(&self) -> bool; + + fn map_ptr(&mut self) -> *mut u8; +} + +pub const MAP_SIZE: usize = 64 * 1024; + +/// An helper that feeds FridaInProcessExecutor with edge-coverage instrumentation +pub struct FridaInstrumentationHelper<'a> { + map: [u8; MAP_SIZE], + previous_pc: [u64; 1], + current_log_impl: u64, + /// Transformer that has to be passed to FridaInProcessExecutor + transformer: Option>, + capstone: Capstone, + asan_runtime: Rc>, + ranges: RangeMap, + options: FridaOptions, + drcov_basic_blocks: Vec, +} + +impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> { + fn transformer(&self) -> &Transformer<'a> { + self.transformer.as_ref().unwrap() + } + + /// Register the current thread with the FridaInstrumentationHelper + fn 
register_thread(&self) { + self.asan_runtime.borrow().register_thread(); + } + + fn pre_exec(&mut self, input: &I) { + let target_bytes = input.target_bytes(); + let slice = target_bytes.as_slice(); + //println!("target_bytes: {:02x?}", slice); + self.asan_runtime + .borrow() + .unpoison(slice.as_ptr() as usize, slice.len()); + } + + fn post_exec(&mut self, input: &I) { + if self.options.drcov_enabled() { + let filename = format!( + "./coverage/{:016x}.drcov", + seahash::hash(input.target_bytes().as_slice()) + ); + DrCovWriter::new(&filename, &self.ranges, &mut self.drcov_basic_blocks).write(); + } + + if self.options.asan_enabled() { + if self.options.asan_detect_leaks() { + self.asan_runtime.borrow_mut().check_for_leaks(); + } + self.asan_runtime.borrow_mut().reset_allocations(); + } + } + + fn stalker_enabled(&self) -> bool { + self.options.stalker_enabled() + } + + fn map_ptr(&mut self) -> *mut u8 { + self.map.as_mut_ptr() + } +} + +/// Helper function to get the size of a module's CODE section from frida +pub fn get_module_size(module_name: &str) -> usize { + let mut code_size = 0; + let code_size_ref = &mut code_size; + Module::enumerate_ranges(module_name, PageProtection::ReadExecute, move |details| { + *code_size_ref = details.memory_range().size() as usize; + true + }); + + code_size +} + +/// A minimal maybe_log implementation. We insert this into the transformed instruction stream +/// every time we need a copy that is within a direct branch of the start of the transformed basic +/// block. 
+#[cfg(target_arch = "x86_64")] +const MAYBE_LOG_CODE: [u8; 47] = [ + 0x9c, /* pushfq */ + 0x50, /* push rax */ + 0x51, /* push rcx */ + 0x52, /* push rdx */ + 0x48, 0x8d, 0x05, 0x24, 0x00, 0x00, 0x00, /* lea rax, sym._afl_area_ptr_ptr */ + 0x48, 0x8b, 0x00, /* mov rax, qword [rax] */ + 0x48, 0x8d, 0x0d, 0x22, 0x00, 0x00, 0x00, /* lea rcx, sym.previous_pc */ + 0x48, 0x8b, 0x11, /* mov rdx, qword [rcx] */ + 0x48, 0x8b, 0x12, /* mov rdx, qword [rdx] */ + 0x48, 0x31, 0xfa, /* xor rdx, rdi */ + 0xfe, 0x04, 0x10, /* inc byte [rax + rdx] */ + 0x48, 0xd1, 0xef, /* shr rdi, 1 */ + 0x48, 0x8b, 0x01, /* mov rax, qword [rcx] */ + 0x48, 0x89, 0x38, /* mov qword [rax], rdi */ + 0x5a, /* pop rdx */ + 0x59, /* pop rcx */ + 0x58, /* pop rax */ + 0x9d, /* popfq */ + 0xc3, /* ret */ + + /* Read-only data goes here: */ + /* uint8_t* afl_area_ptr */ + /* uint64_t* afl_prev_loc_ptr */ +]; + +#[cfg(target_arch = "aarch64")] +const MAYBE_LOG_CODE: [u8; 60] = [ + // __afl_area_ptr[current_pc ^ previous_pc]++; + // previous_pc = current_pc >> 1; + 0xE1, 0x0B, 0xBF, 0xA9, // stp x1, x2, [sp, -0x10]! + 0xE3, 0x13, 0xBF, 0xA9, // stp x3, x4, [sp, -0x10]! 
+ // x0 = current_pc + 0xa1, 0x01, 0x00, 0x58, // ldr x1, #0x30, =__afl_area_ptr + 0x82, 0x01, 0x00, 0x58, // ldr x2, #0x38, =&previous_pc + 0x44, 0x00, 0x40, 0xf9, // ldr x4, [x2] (=previous_pc) + // __afl_area_ptr[current_pc ^ previous_pc]++; + 0x84, 0x00, 0x00, 0xca, // eor x4, x4, x0 + 0x84, 0x3c, 0x40, 0x92, // and x4, x4, 0xffff (=MAP_SIZE - 1) + //0x20, 0x13, 0x20, 0xd4, + 0x23, 0x68, 0x64, 0xf8, // ldr x3, [x1, x4] + 0x63, 0x04, 0x00, 0x91, // add x3, x3, #1 + 0x23, 0x68, 0x24, 0xf8, // str x3, [x1, x4] + // previous_pc = current_pc >> 1; + 0xe0, 0x07, 0x40, 0x8b, // add x0, xzr, x0, LSR #1 + 0x40, 0x00, 0x00, 0xf9, // str x0, [x2] + 0xE3, 0x13, 0xc1, 0xA8, // ldp x3, x4, [sp], #0x10 + 0xE1, 0x0B, 0xc1, 0xA8, // ldp x1, x2, [sp], #0x10 + 0xC0, 0x03, 0x5F, 0xD6, // ret + + // &afl_area_ptr + // &afl_prev_loc_ptr +]; + +#[cfg(target_arch = "aarch64")] +fn get_pc(context: &CpuContext) -> usize { + context.pc() as usize +} + +#[cfg(target_arch = "x86_64")] +fn get_pc(context: &CpuContext) -> usize { + context.rip() as usize +} + +/// The implementation of the FridaInstrumentationHelper +impl<'a> FridaInstrumentationHelper<'a> { + /// Constructor function to create a new FridaInstrumentationHelper, given a module_name. 
+ pub fn new( + gum: &'a Gum, + options: FridaOptions, + _harness_module_name: &str, + modules_to_instrument: &'a [&str], + ) -> Self { + let mut helper = Self { + map: [0u8; MAP_SIZE], + previous_pc: [0u64; 1], + current_log_impl: 0, + transformer: None, + capstone: Capstone::new() + .arm64() + .mode(arch::arm64::ArchMode::Arm) + .detail(true) + .build() + .expect("Failed to create Capstone object"), + asan_runtime: AsanRuntime::new(options), + ranges: RangeMap::new(), + options, + drcov_basic_blocks: vec![], + }; + + if options.stalker_enabled() { + for (id, module_name) in modules_to_instrument.iter().enumerate() { + let (lib_start, lib_end) = find_mapping_for_path(module_name); + println!("including range {:x}-{:x} for {}", lib_start, lib_end, module_name); + helper + .ranges + .insert(lib_start..lib_end, (id as u16, module_name)); + } + + if helper.options.drcov_enabled() { + std::fs::create_dir_all("./coverage") + .expect("failed to create directory for coverage files"); + } + + let transformer = Transformer::from_callback(gum, |basic_block, output| { + let mut first = true; + for instruction in basic_block { + let instr = instruction.instr(); + let address = instr.address(); + //println!("address: {:x} contains: {:?}", address, helper.ranges.contains(&(address as usize))); + if helper.ranges.contains_key(&(address as usize)) { + if first { + first = false; + //println!("block @ {:x} transformed to {:x}", address, output.writer().pc()); + if helper.options.coverage_enabled() { + helper.emit_coverage_mapping(address, &output); + } + if helper.options.drcov_enabled() { + instruction.put_callout(|context| { + let real_address = match helper + .asan_runtime + .borrow() + .real_address_for_stalked(get_pc(&context)) + { + Some(address) => *address, + None => get_pc(&context), + }; + //let (range, (id, name)) = helper.ranges.get_key_value(&real_address).unwrap(); + //println!("{}:0x{:016x}", name, real_address - range.start); + helper + .drcov_basic_blocks + 
.push(DrCovBasicBlock::new(real_address, real_address + 4)); + }) + } + } + + if helper.options.asan_enabled() { + #[cfg(not(target_arch = "aarch64"))] + todo!("Implement ASAN for non-aarch64 targets"); + #[cfg(target_arch = "aarch64")] + if let Ok((basereg, indexreg, displacement, width, shift, extender)) = + helper.is_interesting_instruction(address, instr) + { + helper.emit_shadow_check( + address, + &output, + basereg, + indexreg, + displacement, + width, + shift, + extender, + ); + } + } + if helper.options.asan_enabled() || helper.options.drcov_enabled() { + helper.asan_runtime.borrow_mut().add_stalked_address( + output.writer().pc() as usize - 4, + address as usize, + ); + } + } + instruction.keep() + } + }); + helper.transformer = Some(transformer); + if helper.options.asan_enabled() || helper.options.drcov_enabled() { + helper.asan_runtime.borrow_mut().init(modules_to_instrument); + } + } + helper + } + + #[cfg(target_arch = "aarch64")] + #[inline] + fn get_writer_register(&self, reg: capstone::RegId) -> Aarch64Register { + let regint: u16 = reg.0; + Aarch64Register::from_u32(regint as u32).unwrap() + } + + #[cfg(target_arch = "aarch64")] + #[inline] + fn emit_shadow_check( + &self, + _address: u64, + output: &StalkerOutput, + basereg: capstone::RegId, + indexreg: capstone::RegId, + displacement: i32, + width: u32, + shift: Arm64Shift, + extender: Arm64Extender, + ) { + let writer = output.writer(); + + let basereg = self.get_writer_register(basereg); + let indexreg = if indexreg.0 != 0 { + Some(self.get_writer_register(indexreg)) + } else { + None + }; + + //writer.put_brk_imm(1); + + // Preserve x0, x1: + writer.put_stp_reg_reg_reg_offset( + Aarch64Register::X0, + Aarch64Register::X1, + Aarch64Register::Sp, + -(16 + frida_gum_sys::GUM_RED_ZONE_SIZE as i32) as i64, + IndexMode::PreAdjust, + ); + + // Make sure the base register is copied into x0 + match basereg { + Aarch64Register::X0 | Aarch64Register::W0 => {} + Aarch64Register::X1 | Aarch64Register::W1 
=> { + writer.put_mov_reg_reg(Aarch64Register::X0, Aarch64Register::X1); + } + _ => { + if !writer.put_mov_reg_reg(Aarch64Register::X0, basereg) { + writer.put_mov_reg_reg(Aarch64Register::W0, basereg); + } + } + } + + // Make sure the index register is copied into x1 + if indexreg.is_some() { + if let Some(indexreg) = indexreg { + match indexreg { + Aarch64Register::X0 | Aarch64Register::W0 => { + writer.put_ldr_reg_reg_offset( + Aarch64Register::X1, + Aarch64Register::Sp, + 0u64, + ); + } + Aarch64Register::X1 | Aarch64Register::W1 => {} + _ => { + if !writer.put_mov_reg_reg(Aarch64Register::X1, indexreg) { + writer.put_mov_reg_reg(Aarch64Register::W1, indexreg); + } + } + } + } + + if let (Arm64Extender::ARM64_EXT_INVALID, Arm64Shift::Invalid) = (extender, shift) { + writer.put_add_reg_reg_reg( + Aarch64Register::X0, + Aarch64Register::X0, + Aarch64Register::X1, + ); + } else { + let extender_encoding: i32 = match extender { + Arm64Extender::ARM64_EXT_UXTB => 0b000, + Arm64Extender::ARM64_EXT_UXTH => 0b001, + Arm64Extender::ARM64_EXT_UXTW => 0b010, + Arm64Extender::ARM64_EXT_UXTX => 0b011, + Arm64Extender::ARM64_EXT_SXTB => 0b100, + Arm64Extender::ARM64_EXT_SXTH => 0b101, + Arm64Extender::ARM64_EXT_SXTW => 0b110, + Arm64Extender::ARM64_EXT_SXTX => 0b111, + _ => -1, + }; + let (shift_encoding, shift_amount): (i32, u32) = match shift { + Arm64Shift::Lsl(amount) => (0b00, amount), + Arm64Shift::Lsr(amount) => (0b01, amount), + Arm64Shift::Asr(amount) => (0b10, amount), + _ => (-1, 0), + }; + + if extender_encoding != -1 && shift_amount < 0b1000 { + // emit add extended register: https://developer.arm.com/documentation/ddi0602/latest/Base-Instructions/ADD--extended-register---Add--extended-register-- + writer.put_bytes(&(0x8b210000 | ((extender_encoding as u32) << 13) | (shift_amount << 10)).to_le_bytes()); + } else if shift_encoding != -1 { + writer.put_bytes(&(0x8b010000 | ((shift_encoding as u32) << 22) | (shift_amount << 10)).to_le_bytes()); + } else { + 
panic!("extender: {:?}, shift: {:?}", extender, shift); + } + + + }; + } + + let displacement = displacement + + if basereg == Aarch64Register::Sp { + 16 + frida_gum_sys::GUM_RED_ZONE_SIZE as i32 + } else { + 0 + }; + + #[allow(clippy::comparison_chain)] + if displacement < 0 { + if displacement > -4096 { + // Subtract the displacement into x0 + writer.put_sub_reg_reg_imm( + Aarch64Register::X0, + Aarch64Register::X0, + displacement.abs() as u64, + ); + } else { + let displacement_hi = displacement.abs() / 4096; + let displacement_lo = displacement.abs() % 4096; + writer.put_bytes(&(0xd1400000u32 | ((displacement_hi as u32) << 10)).to_le_bytes()); + writer.put_sub_reg_reg_imm( + Aarch64Register::X0, + Aarch64Register::X0, + displacement_lo as u64, + ); + } + } else if displacement > 0 { + if displacement < 4096 { + // Add the displacement into x0 + writer.put_add_reg_reg_imm( + Aarch64Register::X0, + Aarch64Register::X0, + displacement as u64, + ); + } else { + let displacement_hi = displacement / 4096; + let displacement_lo = displacement % 4096; + writer.put_bytes(&(0x91400000u32 | ((displacement_hi as u32) << 10)).to_le_bytes()); + writer.put_add_reg_reg_imm( + Aarch64Register::X0, + Aarch64Register::X0, + displacement_lo as u64, + ); + } + } + // Insert the check_shadow_mem code blob + match width { + 1 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_byte()), + 2 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_halfword()), + 3 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_3bytes()), + 4 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_dword()), + 6 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_6bytes()), + 8 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_qword()), + 12 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_12bytes()), + 16 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_16bytes()), + 24 => 
writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_24bytes()), + 32 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_32bytes()), + _ => false, + }; + + // Restore x0, x1 + assert!(writer.put_ldp_reg_reg_reg_offset( + Aarch64Register::X0, + Aarch64Register::X1, + Aarch64Register::Sp, + 16 + frida_gum_sys::GUM_RED_ZONE_SIZE as i64, + IndexMode::PostAdjust, + )); + } + + #[cfg(target_arch = "aarch64")] + #[inline] + fn get_instruction_width(&self, instr: &Insn, operands: &Vec) -> u32 { + use capstone::arch::arm64::Arm64Insn as I; + use capstone::arch::arm64::Arm64Reg as R; + use capstone::arch::arm64::Arm64Vas as V; + + let num_registers = match instr.id().0.into() { + I::ARM64_INS_STP + | I::ARM64_INS_STXP + | I::ARM64_INS_STNP + | I::ARM64_INS_STLXP + | I::ARM64_INS_LDP + | I::ARM64_INS_LDXP + | I::ARM64_INS_LDNP => 2, + _ => 1, + }; + + let mnemonic = instr.mnemonic().unwrap(); + match mnemonic.as_bytes().last().unwrap() { + b'b' => return 1, + b'h' => return 2, + b'w' => return 4 * num_registers, + _ => (), + } + + if let Arm64Operand(operand) = operands.first().unwrap() { + if operand.vas != V::ARM64_VAS_INVALID { + let count_byte: u32 = if mnemonic.starts_with("st") || mnemonic.starts_with("ld") { + mnemonic.chars().nth(2).unwrap().to_digit(10).unwrap() + } else { + 1 + }; + + return match operand.vas { + V::ARM64_VAS_1B => 1 * count_byte, + V::ARM64_VAS_1H => 2 * count_byte, + V::ARM64_VAS_4B | V::ARM64_VAS_1S | V::ARM64_VAS_1D | V::ARM64_VAS_2H => { + 4 * count_byte + } + V::ARM64_VAS_8B + | V::ARM64_VAS_4H + | V::ARM64_VAS_2S + | V::ARM64_VAS_2D + | V::ARM64_VAS_1Q => 8 * count_byte, + V::ARM64_VAS_8H | V::ARM64_VAS_4S | V::ARM64_VAS_16B => 16 * count_byte, + V::ARM64_VAS_INVALID => { + panic!("should not be reached"); + } + }; + } else if let Arm64OperandType::Reg(operand) = operand.op_type { + match operand.0 as u32 { + R::ARM64_REG_W0..=R::ARM64_REG_W30 + | R::ARM64_REG_WZR + | R::ARM64_REG_WSP + | R::ARM64_REG_S0..=R::ARM64_REG_S31 
=> return 4 * num_registers, + R::ARM64_REG_D0..=R::ARM64_REG_D31 => return 8 * num_registers, + R::ARM64_REG_Q0..=R::ARM64_REG_Q31 => return 16, + _ => (), + } + }; + }; + + 8 * num_registers + } + + #[cfg(target_arch = "aarch64")] + #[inline] + fn is_interesting_instruction( + &self, + _address: u64, + instr: &Insn, + ) -> Result<(capstone::RegId, capstone::RegId, i32, u32, Arm64Shift, Arm64Extender), ()> { + // We have to ignore these instructions. Simulating them with their side effects is + // complex, to say the least. + match instr.mnemonic().unwrap() { + "ldaxr" | "stlxr" | "ldxr" | "stxr" | "ldar" | "stlr" | "ldarb" | "ldarh" | "ldaxp" + | "ldaxrb" | "ldaxrh" | "stlrb" | "stlrh" | "stlxp" | "stlxrb" | "stlxrh" | "ldxrb" + | "ldxrh" | "stxrb" | "stxrh" => return Err(()), + _ => (), + } + + let operands = self + .capstone + .insn_detail(instr) + .unwrap() + .arch_detail() + .operands(); + if operands.len() < 2 { + return Err(()); + } + + if let Arm64Operand(arm64operand) = operands.last().unwrap() { + if let Arm64OperandType::Mem(opmem) = arm64operand.op_type { + return Ok(( + opmem.base(), + opmem.index(), + opmem.disp(), + self.get_instruction_width(instr, &operands), + arm64operand.shift, + arm64operand.ext, + )); + } + } + + Err(()) + } + + #[inline] + fn emit_coverage_mapping(&mut self, address: u64, output: &StalkerOutput) { + let writer = output.writer(); + if self.current_log_impl == 0 + || !writer.can_branch_directly_to(self.current_log_impl) + || !writer.can_branch_directly_between(writer.pc() + 128, self.current_log_impl) + { + let after_log_impl = writer.code_offset() + 1; + + #[cfg(target_arch = "x86_64")] + writer.put_jmp_near_label(after_log_impl); + #[cfg(target_arch = "aarch64")] + writer.put_b_label(after_log_impl); + + self.current_log_impl = writer.pc(); + writer.put_bytes(&MAYBE_LOG_CODE); + let prev_loc_pointer = self.previous_pc.as_ptr() as usize; + let map_pointer = self.map.as_ptr() as usize; + + 
writer.put_bytes(&map_pointer.to_ne_bytes()); + writer.put_bytes(&prev_loc_pointer.to_ne_bytes()); + + writer.put_label(after_log_impl); + } + #[cfg(target_arch = "x86_64")] + { + println!("here"); + writer.put_lea_reg_reg_offset( + X86Register::Rsp, + X86Register::Rsp, + -(frida_gum_sys::GUM_RED_ZONE_SIZE as i32), + ); + writer.put_push_reg(X86Register::Rdi); + writer.put_mov_reg_address( + X86Register::Rdi, + ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1) as u64, + ); + writer.put_call_address(self.current_log_impl); + writer.put_pop_reg(X86Register::Rdi); + writer.put_lea_reg_reg_offset( + X86Register::Rsp, + X86Register::Rsp, + frida_gum_sys::GUM_RED_ZONE_SIZE as i32, + ); + } + #[cfg(target_arch = "aarch64")] + { + writer.put_stp_reg_reg_reg_offset( + Aarch64Register::Lr, + Aarch64Register::X0, + Aarch64Register::Sp, + -(16 + frida_gum_sys::GUM_RED_ZONE_SIZE as i32) as i64, + IndexMode::PreAdjust, + ); + writer.put_ldr_reg_u64( + Aarch64Register::X0, + ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1) as u64, + ); + writer.put_bl_imm(self.current_log_impl); + writer.put_ldp_reg_reg_reg_offset( + Aarch64Register::Lr, + Aarch64Register::X0, + Aarch64Register::Sp, + 16 + frida_gum_sys::GUM_RED_ZONE_SIZE as i64, + IndexMode::PostAdjust, + ); + } + } +} diff --git a/libafl_frida/src/lib.rs b/libafl_frida/src/lib.rs new file mode 100644 index 0000000000..277aaca000 --- /dev/null +++ b/libafl_frida/src/lib.rs 
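Review bot: In `emit_shadow_check`, the `match width` that inserts the check blob has no arms for 48 and 64 bytes, although `get_instruction_width` can return both (a 16-byte vector arrangement multiplied by the `ld3`/`ld4`/`st3`/`st4` count) and asan_rt.rs builds `blob_check_mem_48bytes`/`blob_check_mem_64bytes` for exactly those sizes, so such accesses hit `_ => false` and execute with x0/x1 saved and restored but no shadow check at all — a silent detection gap rather than an error. Add `48 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_48bytes()),` and `64 => writer.put_bytes(&self.asan_runtime.borrow().blob_check_mem_64bytes()),`, and make the `_` arm `unreachable!("unsupported access width {}", width)` so any future width that slips through is noticed instead of unchecked. Separately, `find_mapping_for_path` is imported only under `cfg(any(target_os = "linux", target_os = "android"))` but `new` calls it unconditionally, so the crate cannot build on other targets; and `println!("here")` in the x86_64 branch of `emit_coverage_mapping` looks like leftover debug output that will be printed for every instrumented block.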
@@ -0,0 +1,123 @@
+pub mod asan_rt;
+pub mod helper;
+
+/// A representation of the various Frida options
+#[derive(Clone, Copy, Debug)]
+#[allow(clippy::struct_excessive_bools)]
+pub struct FridaOptions {
+ enable_asan: bool,
+ enable_asan_leak_detection: bool,
+ enable_asan_continue_after_error: bool,
+ enable_asan_allocation_backtraces: bool,
+ enable_coverage: bool,
+ enable_drcov: bool,
+}
+
+impl FridaOptions {
+ /// Parse the frida options from the LIBAFL_FRIDA_OPTIONS environment variable.
+ ///
+ /// Options are ':' separated, and each options is a 'name=value' string.
+ pub fn parse_env_options() -> Self {
+ let mut options = Self::default();
+
+ if let Ok(env_options) = std::env::var("LIBAFL_FRIDA_OPTIONS") {
+ for option in env_options.trim().to_lowercase().split(':') {
+ let (name, mut value) =
+ option.split_at(option.find('=').expect("Expected a '=' in option string"));
+ value = value.get(1..).unwrap();
+ match name {
+ "asan" => {
+ options.enable_asan = value.parse().unwrap();
+
+ #[cfg(not(target_arch = "aarch64"))]
+ if options.enable_asan {
+ panic!("ASAN is not currently supported on targets other than aarch64");
+ }
+ }
+ "asan-detect-leaks" => {
+ options.enable_asan_leak_detection = value.parse().unwrap();
+ }
+ "asan-continue-after-error" => {
+ options.enable_asan_continue_after_error = value.parse().unwrap();
+ }
+ "asan-allocation-backtraces" => {
+ options.enable_asan_allocation_backtraces = value.parse().unwrap();
+ }
+ "coverage" => {
+ options.enable_coverage = value.parse().unwrap();
+ }
+ "drcov" => {
+ options.enable_drcov = value.parse().unwrap();
+ #[cfg(not(target_arch = "aarch64"))]
+ if options.enable_drcov {
+ panic!(
+ "DrCov is not currently supported on targets other than aarch64"
+ );
+ }
+ }
+ _ => {
+ panic!("unknown FRIDA option: '{}'", option);
+ }
+ }
+ }
+ }
+
+ options
+ }
+
+ /// Is ASAN enabled?
+ #[inline]
+ pub fn asan_enabled(self) -> bool {
+ self.enable_asan
+ }
+
+ /// Is coverage enabled?
+ #[inline]
+ pub fn coverage_enabled(self) -> bool {
+ self.enable_coverage
+ }
+
+ /// Is DrCov enabled?
+ #[inline]
+ pub fn drcov_enabled(self) -> bool {
+ self.enable_drcov
+ }
+
+ /// Should ASAN detect leaks
+ #[inline]
+ pub fn asan_detect_leaks(self) -> bool {
+ self.enable_asan_leak_detection
+ }
+
+ /// Should ASAN continue after a memory error is detected
+ #[inline]
+ pub fn asan_continue_after_error(self) -> bool {
+ self.enable_asan_continue_after_error
+ }
+
+ /// Should ASAN gather (and report) allocation-/free-site backtraces
+ #[inline]
+ pub fn asan_allocation_backtraces(self) -> bool {
+ self.enable_asan_allocation_backtraces
+ }
+
+ /// Whether stalker should be enabled. I.e. whether at least one stalker requiring option is
+ /// enabled.
+ #[inline]
+ pub fn stalker_enabled(self) -> bool {
+ self.enable_asan || self.enable_coverage || self.enable_drcov
+ }
+}
+
+impl Default for FridaOptions {
+ fn default() -> Self {
+ Self {
+ enable_asan: false,
+ enable_asan_leak_detection: false,
+ enable_asan_continue_after_error: false,
+ enable_asan_allocation_backtraces: true,
+ enable_coverage: true,
+ enable_drcov: false,
+ }
+ }
+}
diff --git a/libafl_targets/Cargo.toml b/libafl_targets/Cargo.toml
new file mode 100644
index 0000000000..41cbc55236
--- /dev/null
+++ b/libafl_targets/Cargo.toml
@@ -0,0 +1,25 @@
+[package]
+name = "libafl_targets"
+version = "0.1.0"
+authors = ["Andrea Fioraldi "]
+description = "Common code for target instrumentation that can be used combined with LibAFL"
+documentation = "https://docs.rs/libafl_targets"
+repository = "https://github.com/AFLplusplus/LibAFL/"
+license = "MIT OR Apache-2.0"
+keywords = ["fuzzing", "testing"]
+edition = "2018"
+
+[features]
+default = []
+pcguard_edges = []
+pcguard_hitcounts = []
+libfuzzer = []
+value_profile = []
+cmplog = []
+pcguard = ["pcguard_hitcounts"]
+
+[build-dependencies]
+cc = { version = "1.0", features = ["parallel"] }
+
+[dependencies]
+rangemap = "0.1.10"
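Review bot: `parse_env_options` in lib.rs panics on any malformed `LIBAFL_FRIDA_OPTIONS`: an empty segment (the variable set to an empty string, or a trailing ':') reaches `expect("Expected a '=' in option string")`, and a non-boolean value reaches `value.parse().unwrap()` without saying which option was wrong. Skip empty segments with `for option in env_options.trim().to_lowercase().split(':').filter(|o| !o.is_empty()) {` and replace each bare `value.parse().unwrap()` with `value.parse().unwrap_or_else(|_| panic!("invalid value '{}' for option '{}'", value, name))` so the failure names the offending option. Note that `to_lowercase()` is applied to the whole string, so values are lowercased as well; that is harmless for booleans but worth a comment before any non-boolean option is added.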
diff --git a/libafl_targets/build.rs b/libafl_targets/build.rs
new file mode 100644
index 0000000000..3c7d83ccb5
--- /dev/null
+++ b/libafl_targets/build.rs
@@ -0,0 +1,45 @@
+//! build.rs for `libafl_targets`
+
+use std::env;
+use std::path::Path;
+
+fn main() {
+ let out_dir = env::var_os("OUT_DIR").unwrap();
+ let out_dir = out_dir.to_string_lossy().to_string();
+ //let out_dir_path = Path::new(&out_dir);
+ let _src_dir = Path::new("src");
+
+ //std::env::set_var("CC", "clang");
+ //std::env::set_var("CXX", "clang++");
+
+ #[cfg(feature = "libfuzzer")]
+ {
+ println!("cargo:rerun-if-changed=src/libfuzzer_compatibility.c");
+
+ cc::Build::new()
+ .file(_src_dir.join("libfuzzer_compatibility.c"))
+ .compile("libfuzzer_compatibility");
+ }
+
+ #[cfg(feature = "value_profile")]
+ {
+ println!("cargo:rerun-if-changed=src/value_profile.c");
+
+ cc::Build::new()
+ .file(_src_dir.join("value_profile.c"))
+ .compile("value_profile");
+ }
+
+ #[cfg(feature = "cmplog")]
+ {
+ println!("cargo:rerun-if-changed=src/cmplog.c");
+
+ cc::Build::new()
+ .file(_src_dir.join("cmplog.c"))
+ .compile("cmplog");
+ }
+
+ println!("cargo:rustc-link-search=native={}", &out_dir);
+
+ println!("cargo:rerun-if-changed=build.rs");
+}
diff --git a/libafl_targets/src/cmplog.c b/libafl_targets/src/cmplog.c
new file mode 100644
index 0000000000..c03bfcd14e
--- /dev/null
+++ b/libafl_targets/src/cmplog.c
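Review bot: build.rs keeps commented-out code (`//let out_dir_path = ...`, `//std::env::set_var("CC", "clang");`, `//std::env::set_var("CXX", "clang++");`) and names the source directory `_src_dir`, where the leading underscore only exists to silence the unused-variable warning when no feature is enabled, so every real use site reads as a deliberately ignored binding. Drop the dead comments and write `#[allow(unused_variables)]` over `let src_dir = Path::new("src");` instead, renaming the three `.file(_src_dir.join(...))` calls accordingly. I believe `cc::Build::compile` already emits a `cargo:rustc-link-search=native=` line for `OUT_DIR`, so the explicit `println!` near the end is likely redundant; confirm against the cc version in use before removing it.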
@@ -0,0 +1,197 @@
+#include
+
+#define CMPLOG_MAP_W 65536
+#define CMPLOG_MAP_H 32
+
+#define CMPLOG_KIND_INS 0
+#define CMPLOG_KIND_RTN 1
+
+#ifdef _WIN32
+#define RETADDR (uintptr_t)_ReturnAddress()
+#else
+#define RETADDR (uintptr_t)__builtin_return_address(0)
+#endif
+
+typedef struct CmpLogHeader {
+  uint16_t hits;
+  uint8_t shape;
+  uint8_t kind;
+} CmpLogHeader;
+
+typedef struct CmpLogOperands {
+  uint64_t v0;
+  uint64_t v1;
+} CmpLogOperands;
+
+typedef struct CmpLogMap {
+  CmpLogHeader headers[CMPLOG_MAP_W];
+  CmpLogOperands operands[CMPLOG_MAP_W][CMPLOG_MAP_H];
+} CmpLogMap;
+
+extern CmpLogMap libafl_cmplog_map;
+
+extern uint8_t libafl_cmplog_enabled;
+
+#if defined(__APPLE__)
+  #pragma weak __sanitizer_cov_trace_const_cmp1 = __sanitizer_cov_trace_cmp1
+  #pragma weak __sanitizer_cov_trace_const_cmp2 = __sanitizer_cov_trace_cmp2
+  #pragma weak __sanitizer_cov_trace_const_cmp4 = __sanitizer_cov_trace_cmp4
+  #pragma weak __sanitizer_cov_trace_const_cmp8 = __sanitizer_cov_trace_cmp8
+#elif defined(_MSC_VER)
+  #pragma comment(linker, "/alternatename:__sanitizer_cov_trace_const_cmp1=__sanitizer_cov_trace_cmp1")
+  #pragma comment(linker, "/alternatename:__sanitizer_cov_trace_const_cmp2=__sanitizer_cov_trace_cmp2")
+  #pragma comment(linker, "/alternatename:__sanitizer_cov_trace_const_cmp4=__sanitizer_cov_trace_cmp4")
+  #pragma comment(linker, "/alternatename:__sanitizer_cov_trace_const_cmp8=__sanitizer_cov_trace_cmp8")
+#else
+void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__sanitizer_cov_trace_cmp1")));
+void __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2)
+    __attribute__((alias("__sanitizer_cov_trace_cmp2")));
+void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2)
+    __attribute__((alias("__sanitizer_cov_trace_cmp4")));
+void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2)
+    __attribute__((alias("__sanitizer_cov_trace_cmp8")));
+#endif
+
+
+void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
+
+  if (!libafl_cmplog_enabled) return;
+
+  uintptr_t k = RETADDR;
+  k = (k >> 4) ^ (k << 8);
+  k &= CMPLOG_MAP_W - 1;
+
+  uint16_t hits;
+  if (libafl_cmplog_map.headers[k].kind != CMPLOG_KIND_INS) {
+    libafl_cmplog_map.headers[k].kind = CMPLOG_KIND_INS;
+    libafl_cmplog_map.headers[k].hits = 1;
+    libafl_cmplog_map.headers[k].shape = 1;
+    hits = 0;
+  } else {
+    hits = libafl_cmplog_map.headers[k].hits++;
+    if (libafl_cmplog_map.headers[k].shape < 1) {
+      libafl_cmplog_map.headers[k].shape = 1;
+    }
+  }
+
+  hits &= CMPLOG_MAP_H - 1;
+  libafl_cmplog_map.operands[k][hits].v0 = (uint64_t)arg1;
+  libafl_cmplog_map.operands[k][hits].v1 = (uint64_t)arg2;
+
+}
+
+void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) {
+
+  if (!libafl_cmplog_enabled) return;
+
+  uintptr_t k = RETADDR;
+  k = (k >> 4) ^ (k << 8);
+  k &= CMPLOG_MAP_W - 1;
+
+  uint16_t hits;
+  if (libafl_cmplog_map.headers[k].kind != CMPLOG_KIND_INS) {
+    libafl_cmplog_map.headers[k].kind = CMPLOG_KIND_INS;
+    libafl_cmplog_map.headers[k].hits = 1;
+    libafl_cmplog_map.headers[k].shape = 2;
+    hits = 0;
+  } else {
+    hits = libafl_cmplog_map.headers[k].hits++;
+    if (libafl_cmplog_map.headers[k].shape < 2) {
+      libafl_cmplog_map.headers[k].shape = 2;
+    }
+  }
+
+  hits &= CMPLOG_MAP_H - 1;
+  libafl_cmplog_map.operands[k][hits].v0 = (uint64_t)arg1;
+  libafl_cmplog_map.operands[k][hits].v1 = (uint64_t)arg2;
+
+}
+
+void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) {
+
+  if (!libafl_cmplog_enabled) return;
+
+  uintptr_t k = RETADDR;
+  k = (k >> 4) ^ (k << 8);
+  k &= CMPLOG_MAP_W - 1;
+
+  uint16_t hits;
+  if (libafl_cmplog_map.headers[k].kind != CMPLOG_KIND_INS) {
+    libafl_cmplog_map.headers[k].kind = CMPLOG_KIND_INS;
+    libafl_cmplog_map.headers[k].hits = 1;
+    libafl_cmplog_map.headers[k].shape = 4;
+    hits = 0;
+  } else {
+    hits = libafl_cmplog_map.headers[k].hits++;
+    if (libafl_cmplog_map.headers[k].shape < 4) {
+      libafl_cmplog_map.headers[k].shape = 4;
+    }
+  }
+
+  hits &= CMPLOG_MAP_H - 1;
+  libafl_cmplog_map.operands[k][hits].v0 = (uint64_t)arg1;
+  libafl_cmplog_map.operands[k][hits].v1 = (uint64_t)arg2;
+}
+
+void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) {
+
+  if (!libafl_cmplog_enabled) return;
+
+  uintptr_t k = RETADDR;
+  k = (k >> 4) ^ (k << 8);
+  k &= CMPLOG_MAP_W - 1;
+
+  uint16_t hits;
+  if (libafl_cmplog_map.headers[k].kind != CMPLOG_KIND_INS) {
+    libafl_cmplog_map.headers[k].kind = CMPLOG_KIND_INS;
+    libafl_cmplog_map.headers[k].hits = 1;
+    libafl_cmplog_map.headers[k].shape = 8;
+    hits = 0;
+  } else {
+    hits = libafl_cmplog_map.headers[k].hits++;
+    if (libafl_cmplog_map.headers[k].shape < 8) {
+      libafl_cmplog_map.headers[k].shape = 8;
+    }
+  }
+
+  hits &= CMPLOG_MAP_H - 1;
+  libafl_cmplog_map.operands[k][hits].v0 = (uint64_t)arg1;
+  libafl_cmplog_map.operands[k][hits].v1 = (uint64_t)arg2;
+
+}
+
+void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
+
+  if (!libafl_cmplog_enabled) return;
+
+  uint8_t shape = (uint8_t)cases[1];
+  if (shape) {
+    shape /= 8;
+  }
+
+  for (uint64_t i = 0; i < cases[0]; i++) {
+
+    uintptr_t k = RETADDR + i;
+    k = (k >> 4) ^ (k << 8);
+    k &= CMPLOG_MAP_W - 1;
+
+    uint16_t hits;
+    if (libafl_cmplog_map.headers[k].kind != CMPLOG_KIND_INS) {
+      libafl_cmplog_map.headers[k].kind = CMPLOG_KIND_INS;
+      libafl_cmplog_map.headers[k].hits = 1;
+      libafl_cmplog_map.headers[k].shape = shape;
+      hits = 0;
+    } else {
+      hits = libafl_cmplog_map.headers[k].hits++;
+      if (libafl_cmplog_map.headers[k].shape < shape) {
+        libafl_cmplog_map.headers[k].shape = shape;
+      }
+    }
+
+    hits &= CMPLOG_MAP_H - 1;
+    libafl_cmplog_map.operands[k][hits].v0 = val;
+    libafl_cmplog_map.operands[k][hits].v1 = cases[i + 2];
+
+  }
+
+}
diff --git a/libafl_targets/src/cmplog.rs b/libafl_targets/src/cmplog.rs
new file mode 100644
index 0000000000..c2d997556e
--- /dev/null
+++ b/libafl_targets/src/cmplog.rs
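Review bot: The `kind != CMPLOG_KIND_INS` "fresh slot" branch in `__sanitizer_cov_trace_cmp1`..`cmp8` and `__sanitizer_cov_trace_switch` can never fire on a zero-initialised map, because `CMPLOG_KIND_INS` is 0 and so is the zeroed `kind`; the first hit therefore takes the `else` path with `hits++` from 0, which happens to yield the same slot, but the reset logic is only reachable once an RTN entry has occupied the slot. If that is intended, a comment on `CmpLogHeader` such as `/* kind 0 == INS: a zeroed map already reads as "INS, 0 hits" */` saves the next reader the analysis; if not, a distinct "unused" kind value is needed. The five bodies differ only in the shape constant and could share one `static inline` helper taking `(k, shape, v0, v1)`, which would also remove the brace/blank-line inconsistency between `cmp4` and the others. The `#include` line lost its header name in this rendering, and `RETADDR` on Windows relies on `_ReturnAddress`, which needs the intrinsics header — I cannot confirm from the page that it is included.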
@@ -0,0 +1,43 @@
+// TODO compile time flag
+pub const CMPLOG_MAP_W: usize = 65536;
+pub const CMPLOG_MAP_H: usize = 32;
+pub const CMPLOG_MAP_SIZE: usize = CMPLOG_MAP_W * CMPLOG_MAP_H;
+
+pub const CMPLOG_KIND_INS: u8 = 0;
+pub const CMPLOG_KIND_RTN: u8 = 1;
+
+#[repr(C)]
+#[derive(Debug, Clone, Copy)]
+pub struct CmpLogHeader {
+    hits: u16,
+    shape: u8,
+    kind: u8,
+}
+
+#[repr(C)]
+#[derive(Debug, Clone, Copy)]
+pub struct CmpLogOperands(u64, u64);
+
+#[repr(C)]
+#[derive(Debug, Clone, Copy)]
+pub struct CmpLogMap {
+    headers: [CmpLogHeader; CMPLOG_MAP_W],
+    operands: [[CmpLogOperands; CMPLOG_MAP_H]; CMPLOG_MAP_W],
+}
+
+#[no_mangle]
+pub static mut libafl_cmplog_map: CmpLogMap = CmpLogMap {
+    headers: [CmpLogHeader {
+        hits: 0,
+        shape: 0,
+        kind: 0,
+    }; CMPLOG_MAP_W],
+    operands: [[CmpLogOperands(0, 0); CMPLOG_MAP_H]; CMPLOG_MAP_W],
+};
+
+pub use libafl_cmplog_map as CMPLOG_MAP;
+
+#[no_mangle]
+pub static mut libafl_cmplog_enabled: u8 = 0;
+
+pub use libafl_cmplog_enabled as CMPLOG_ENABLED;
diff --git a/libafl_targets/src/drcov.rs b/libafl_targets/src/drcov.rs
new file mode 100644
index 0000000000..5b65e1549d
--- /dev/null
+++ b/libafl_targets/src/drcov.rs
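Review bot: `pub static mut libafl_cmplog_map` and `libafl_cmplog_enabled` are lower-case statics, which trips rustc's `non_upper_case_globals` warning on every build (the same applies to `libafl_cmp_map` in `value_profile.rs`); since the names are fixed by the C side, add `#[allow(non_upper_case_globals)] // symbol name is fixed by cmplog.c` on each. The fields of `CmpLogHeader`, `CmpLogOperands` and `CmpLogMap` are private while the types are `pub`, so a consumer outside this crate can reach the map through `CMPLOG_MAP` but cannot read `hits`, `shape` or the operands — presumably the observer in `libafl` needs them, so either make them `pub` or add accessors. `CMPLOG_KIND_RTN` is declared but nothing on the Rust side uses it yet; a doc comment on the two kinds stating which hooks write which value (the `cmp`/`switch` hooks in `cmplog.c` write `CMPLOG_KIND_INS`) would tie the two files together.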
@@ -0,0 +1,90 @@
+use rangemap::RangeMap;
+use std::{
+    fs::File,
+    io::{BufWriter, Write},
+};
+
+#[derive(Clone, Copy)]
+pub struct DrCovBasicBlock {
+    start: usize,
+    end: usize,
+}
+
+pub struct DrCovWriter<'a> {
+    writer: BufWriter,
+    module_mapping: &'a RangeMap,
+    basic_blocks: &'a mut Vec,
+}
+
+#[repr(C)]
+struct DrCovBasicBlockEntry {
+    start: u32,
+    size: u16,
+    mod_id: u16,
+}
+
+impl DrCovBasicBlock {
+    pub fn new(start: usize, end: usize) -> Self {
+        Self { start, end }
+    }
+}
+impl<'a> DrCovWriter<'a> {
+    pub fn new(
+        path: &str,
+        module_mapping: &'a RangeMap,
+        basic_blocks: &'a mut Vec,
+    ) -> Self {
+        Self {
+            writer: BufWriter::new(
+                File::create(path).expect("unable to create file for coverage data"),
+            ),
+            module_mapping,
+            basic_blocks,
+        }
+    }
+
+    pub fn write(&mut self) {
+        self.writer
+            .write_all(b"DRCOV VERSION: 2\nDRCOV FLAVOR: libafl\n")
+            .unwrap();
+
+        let modules: Vec<(&std::ops::Range, &(u16, &str))> =
+            self.module_mapping.iter().collect();
+        self.writer
+            .write_all(format!("Module Table: version 2, count {}\n", modules.len()).as_bytes())
+            .unwrap();
+        self.writer
+            .write_all(b"Columns: id, base, end, entry, checksum, timestamp, path\n")
+            .unwrap();
+        for module in modules {
+            let (range, (id, path)) = module;
+            self.writer
+                .write_all(
+                    format!(
+                        "{:03}, 0x{:x}, 0x{:x}, 0x00000000, 0x00000000, 0x00000000, {}\n",
+                        id, range.start, range.end, path
+                    )
+                    .as_bytes(),
+                )
+                .unwrap();
+        }
+        self.writer
+            .write_all(format!("BB Table: {} bbs\n", self.basic_blocks.len()).as_bytes())
+            .unwrap();
+        for block in self.basic_blocks.drain(0..) {
+            let (range, (id, _)) = self.module_mapping.get_key_value(&block.start).unwrap();
+            let basic_block = DrCovBasicBlockEntry {
+                start: (block.start - range.start) as u32,
+                size: (block.end - block.start) as u16,
+                mod_id: *id,
+            };
+            self.writer
+                .write_all(unsafe {
+                    std::slice::from_raw_parts(&basic_block as *const _ as *const u8, 8)
+                })
+                .unwrap();
+        }
+
+        self.writer.flush().unwrap();
+    }
+}
diff --git a/libafl_targets/src/lib.rs b/libafl_targets/src/lib.rs
new file mode 100644
index 0000000000..a8322e7431
--- /dev/null
+++ b/libafl_targets/src/lib.rs
@@ -0,0 +1,26 @@
+//! `libafl_targets` contains runtime code, injected in the target itself during compilation.
+
+#[cfg(any(feature = "pcguard_edges", feature = "pcguard_hitcounts"))]
+pub mod pcguard;
+#[cfg(any(feature = "pcguard_edges", feature = "pcguard_hitcounts"))]
+pub use pcguard::*;
+
+#[cfg(feature = "libfuzzer")]
+pub mod libfuzzer;
+#[cfg(feature = "libfuzzer")]
+pub use libfuzzer::*;
+
+#[cfg(all(feature = "value_profile", feature = "cmplog"))]
+compile_error!("the libafl_targets `value_profile` and `cmplog` features are mutually exclusive.");
+
+#[cfg(feature = "value_profile")]
+pub mod value_profile;
+#[cfg(feature = "value_profile")]
+pub use value_profile::*;
+
+#[cfg(feature = "cmplog")]
+pub mod cmplog;
+#[cfg(feature = "cmplog")]
+pub use cmplog::*;
+
+pub mod drcov;
diff --git a/libafl_targets/src/libfuzzer.rs b/libafl_targets/src/libfuzzer.rs
new file mode 100644
index 0000000000..903f394e50
--- /dev/null
+++ b/libafl_targets/src/libfuzzer.rs
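Review bot: In `DrCovWriter::write`, the `unsafe` byte view of `basic_block` hardcodes the length `8` and carries no `// SAFETY:` comment; use `std::mem::size_of::<DrCovBasicBlockEntry>()` and state why the view is sound (`#[repr(C)]` with `u32, u16, u16` has no padding, and `basic_block` outlives the slice). `self.module_mapping.get_key_value(&block.start).unwrap()` aborts the whole coverage dump if a single recorded block lies outside every mapped module, and the `as u32`/`as u16` casts silently truncate an oversized offset or block — skipping such a block is safer than panicking, as in the rewrite below. Every I/O call is `.unwrap()`ed and `new` `expect`s on `File::create`; returning `io::Result<()>` / `io::Result<Self>` and using `?` (an interface change for callers of `write`) would let the fuzzer report a failed drcov write instead of crashing. The generic parameters of `BufWriter`, `RangeMap` and `Vec` are lost in this rendering, so I could not check the `(u16, &str)` value type against the `iter()` destructuring.

```rust
    pub fn write(&mut self) -> std::io::Result<()> {
        // … unchanged: header, module table and BB-table count writes, with `.unwrap()` → `?` …
        for block in self.basic_blocks.drain(0..) {
            // A block outside every mapped module cannot be attributed; skip it
            // rather than panicking and losing the rest of the dump.
            let (range, (id, _)) = match self.module_mapping.get_key_value(&block.start) {
                Some(entry) => entry,
                None => continue,
            };
            let basic_block = DrCovBasicBlockEntry {
                start: (block.start - range.start) as u32,
                size: (block.end - block.start) as u16,
                mod_id: *id,
            };
            // SAFETY: DrCovBasicBlockEntry is #[repr(C)] with u32/u16/u16 fields (no padding),
            // and `basic_block` outlives the borrowed byte view.
            let bytes = unsafe {
                std::slice::from_raw_parts(
                    &basic_block as *const DrCovBasicBlockEntry as *const u8,
                    std::mem::size_of::<DrCovBasicBlockEntry>(),
                )
            };
            self.writer.write_all(bytes)?;
        }

        self.writer.flush()
    }
```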
@@ -0,0 +1,23 @@
+/// We will interact with a C++ target, so use external c functionality
+extern "C" {
+    /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
+    fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32;
+
+    // libafl_targets_libfuzzer_init calls LLVMFUzzerInitialize()
+    fn libafl_targets_libfuzzer_init(argc: *const i32, argv: *const *const *const u8) -> i32;
+}
+
+pub fn libfuzzer_initialize(args: &[String]) -> i32 {
+    let argv: Vec<*const u8> = args.iter().map(|x| x.as_bytes().as_ptr()).collect();
+    let argc = argv.len() as i32;
+    unsafe {
+        libafl_targets_libfuzzer_init(
+            &argc as *const i32,
+            &argv.as_ptr() as *const *const *const u8,
+        )
+    }
+}
+
+pub fn libfuzzer_test_one_input(buf: &[u8]) -> i32 {
+    unsafe { LLVMFuzzerTestOneInput(buf.as_ptr(), buf.len()) }
+}
diff --git a/libafl_targets/src/libfuzzer_compatibility.c b/libafl_targets/src/libfuzzer_compatibility.c
new file mode 100644
index 0000000000..77a61e9df4
--- /dev/null
+++ b/libafl_targets/src/libfuzzer_compatibility.c
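Review bot: `libfuzzer_initialize` hands pointers to Rust `String` bytes to the C side as `char **argv`, but `String` is not NUL-terminated, so an `LLVMFuzzerInitialize` that parses its arguments as C strings reads past each buffer; the `argv` array also lacks the terminating null entry C code expects. The C declaration in `libfuzzer_compatibility.c` is `int *argc, char ***argv` and libFuzzer permits `LLVMFuzzerInitialize` to rewrite both, while the Rust `extern` declares them `*const` and passes `&argc` to a local and `&argv.as_ptr()` to a temporary — a callee write through either would be undefined behaviour. Build the array from `CString`s, keep that storage alive across the call, and declare the pointers `*mut` to match the C side, as below. `libfuzzer_test_one_input` is fine as is: `buf.as_ptr()` with `len == 0` is a valid non-null pointer for a zero-length read.

```rust
extern "C" {
    // … unchanged: LLVMFuzzerTestOneInput …
    /// Mirrors `int libafl_targets_libfuzzer_init(int *argc, char ***argv)`; libFuzzer allows
    /// `LLVMFuzzerInitialize` to rewrite both arguments, hence `*mut`.
    fn libafl_targets_libfuzzer_init(
        argc: *mut i32,
        argv: *mut *mut *mut std::os::raw::c_char,
    ) -> i32;
}

pub fn libfuzzer_initialize(args: &[String]) -> i32 {
    // C strings must be NUL-terminated; `c_args` owns the storage for the whole call.
    let c_args: Vec<std::ffi::CString> = args
        .iter()
        .map(|a| std::ffi::CString::new(a.as_str()).expect("argument contains an interior NUL byte"))
        .collect();
    // Conventional C argv: one pointer per argument plus a terminating null entry.
    let mut argv: Vec<*mut std::os::raw::c_char> = c_args
        .iter()
        .map(|a| a.as_ptr() as *mut std::os::raw::c_char)
        .collect();
    argv.push(std::ptr::null_mut());
    let mut argc = c_args.len() as i32;
    let mut argv_ptr = argv.as_mut_ptr();
    // SAFETY: `argc`, `argv_ptr`, `argv` and `c_args` all outlive the call; the callee may
    // rewrite argc/argv but the string bytes stay valid until `c_args` is dropped.
    unsafe { libafl_targets_libfuzzer_init(&mut argc, &mut argv_ptr) }
}
```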
@@ -0,0 +1,85 @@
+#include
+#include
+#include
+
+#define true 1
+#define false 0
+
+#ifdef _WIN32
+
+#ifdef _MSC_VER
+#define LIBFUZZER_MSVC 1
+#else
+#define LIBFUZZER_MSVC 0
+#endif // _MSC_VER
+
+#define EXPORT_FN __declspec(dllexport)
+
+// From Libfuzzer
+// Intermediate macro to ensure the parameter is expanded before stringified.
+#define STRINGIFY_(A) #A
+#define STRINGIFY(A) STRINGIFY_(A)
+
+#if LIBFUZZER_MSVC
+// Copied from compiler-rt/lib/sanitizer_common/sanitizer_win_defs.h
+#if defined(_M_IX86) || defined(__i386__)
+#define WIN_SYM_PREFIX "_"
+#else
+#define WIN_SYM_PREFIX
+#endif
+
+// Declare external functions as having alternativenames, so that we can
+// determine if they are not defined.
+#define EXTERNAL_FUNC(Name, Default) \
+  __pragma(comment(linker, "/alternatename:" WIN_SYM_PREFIX STRINGIFY( \
+      Name) "=" WIN_SYM_PREFIX STRINGIFY(Default)))
+
+#define CHECK_WEAK_FN(Name) ((void*)Name != (void*)&Name##Def)
+#else
+// Declare external functions as weak to allow them to default to a specified
+// function if not defined explicitly. We must use weak symbols because clang's
+// support for alternatename is not 100%, see
+// https://bugs.llvm.org/show_bug.cgi?id=40218 for more details.
+#define EXTERNAL_FUNC(Name, Default) \
+  __attribute__((weak, alias(STRINGIFY(Default))))
+
+#define CHECK_WEAK_FN(Name) (Name != NULL)
+#endif // LIBFUZZER_MSVC
+
+#define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
+  RETURN_TYPE (*NAME##Def) FUNC_SIG = NULL; \
+  EXTERNAL_FUNC(NAME, NAME##Def) RETURN_TYPE NAME FUNC_SIG
+#else
+
+#define EXPORT_FN
+
+// Declare these symbols as weak to allow them to be optionally defined.
+#define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
+  __attribute__((weak, visibility("default"))) RETURN_TYPE NAME FUNC_SIG
+
+#define CHECK_WEAK_FN(Name) (Name != NULL)
+#endif
+
+EXT_FUNC(LLVMFuzzerInitialize, int, (int *argc, char ***argv), false);
+EXT_FUNC(LLVMFuzzerCustomMutator, size_t,
+         (uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed),
+         false);
+EXT_FUNC(LLVMFuzzerCustomCrossOver, size_t,
+         (const uint8_t *Data1, size_t Size1,
+          const uint8_t *Data2, size_t Size2,
+          uint8_t *Out, size_t MaxOutSize, unsigned int Seed),
+         false);
+
+#undef EXT_FUNC
+
+EXPORT_FN int libafl_targets_has_libfuzzer_init() {
+  return CHECK_WEAK_FN(LLVMFuzzerInitialize);
+}
+
+EXPORT_FN int libafl_targets_libfuzzer_init(int *argc, char ***argv) {
+  if (libafl_targets_has_libfuzzer_init()) {
+    return LLVMFuzzerInitialize(argc, argv);
+  } else {
+    return 0;
+  }
+}
\ No newline at end of file
diff --git a/libafl_targets/src/pcguard.rs b/libafl_targets/src/pcguard.rs
new file mode 100644
index 0000000000..b7fff8bd5e
--- /dev/null
+++ b/libafl_targets/src/pcguard.rs
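Review bot: On the Windows-but-not-MSVC path (`LIBFUZZER_MSVC 0`, i.e. clang or mingw), `EXT_FUNC` defines `NAME##Def` as a NULL function-pointer *variable* and `EXTERNAL_FUNC` aliases `NAME` to it, yet `CHECK_WEAK_FN(Name)` there is `(Name != NULL)` — the alias resolves to the address of that variable, which is never NULL, so `libafl_targets_has_libfuzzer_init()` would report true and `libafl_targets_libfuzzer_init` would call into a data object when the target defines no `LLVMFuzzerInitialize`. If I read the macros right, that branch needs the same address comparison the MSVC branch uses, `#define CHECK_WEAK_FN(Name) ((void*)Name != (void*)&Name##Def)`, or `NAME##Def` should be a real stub function as in upstream libFuzzer. The `WARN` parameter of `EXT_FUNC` is never used, and `#define true 1` / `#define false 0` collide with `<stdbool.h>` if any included header pulls it in (the `#include` names are lost in this rendering) — include `<stdbool.h>` or use plain `0`/`1`. The file also ends without a trailing newline.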
@@ -0,0 +1,38 @@
+#[cfg(all(feature = "pcguard_edges", feature = "pcguard_hitcounts"))]
+compile_error!(
+    "the libafl_targets `pcguard_edges` and `pcguard_hitcounts` features are mutually exclusive."
+);
+
+// TODO compile time flag
+pub const EDGES_MAP_SIZE: usize = 65536;
+
+pub static mut EDGES_MAP: [u8; EDGES_MAP_SIZE] = [0; EDGES_MAP_SIZE];
+//pub static mut CMP_MAP: [u8; EDGES_MAP_SIZE] = [0; EDGES_MAP_SIZE];
+pub static mut MAX_EDGES_NUM: usize = 0;
+
+#[no_mangle]
+pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(guard: *mut u32) {
+    let pos = *guard as usize;
+    #[cfg(feature = "pcguard_edges")]
+    {
+        *EDGES_MAP.get_unchecked_mut(pos) = 1;
+    }
+    #[cfg(feature = "pcguard_hitcounts")]
+    {
+        let val = (*EDGES_MAP.get_unchecked(pos) as u8).wrapping_add(1);
+        *EDGES_MAP.get_unchecked_mut(pos) = val;
+    }
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard_init(mut start: *mut u32, stop: *mut u32) {
+    if start == stop || *start != 0 {
+        return;
+    }
+
+    while start < stop {
+        MAX_EDGES_NUM += 1;
+        *start = (MAX_EDGES_NUM & (EDGES_MAP_SIZE - 1)) as u32;
+        start = start.offset(1);
+    }
+}
diff --git a/libafl_targets/src/value_profile.c b/libafl_targets/src/value_profile.c
new file mode 100644
index 0000000000..fb0b45d793
--- /dev/null
+++ b/libafl_targets/src/value_profile.c
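Review bot: `__sanitizer_cov_trace_pc_guard_init` masks each guard id with `EDGES_MAP_SIZE - 1` but keeps counting `MAX_EDGES_NUM` past the map, so a target with more than 65536 guards silently aliases edges onto already-used slots and `MAX_EDGES_NUM` no longer bounds `EDGES_MAP` (if I recall the pc-guard protocol correctly, the guard that wraps to 0 is additionally skipped by the instrumentation); a comment on the assignment, `// guard ids wrap at EDGES_MAP_SIZE: larger binaries alias edges instead of overflowing the map`, plus `.min(EDGES_MAP_SIZE)` wherever a consumer sizes its view from `MAX_EDGES_NUM`, would make that explicit. That masking is what makes `get_unchecked` in `__sanitizer_cov_trace_pc_guard` sound, so a `// SAFETY:` comment belongs on both accesses; also `(*EDGES_MAP.get_unchecked(pos) as u8)` is a no-op cast on a `u8`, and `start.offset(1)` can be `start.add(1)`. The `*start != 0` early return follows the upstream `-fsanitize-coverage` convention that an already-initialised module is a no-op, which is worth stating in a doc comment since it is not obvious from the code.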
@@ -0,0 +1,118 @@
+#include
+#include
+#include
+
+// TODO compile time flag
+#define MAP_SIZE 65536
+
+extern uint8_t libafl_cmp_map[MAP_SIZE];
+
+#ifdef _WIN32
+#define RETADDR (uintptr_t)_ReturnAddress()
+#else
+#define RETADDR (uintptr_t)__builtin_return_address(0)
+#endif
+
+#ifdef __GNUC__
+#define MAX(a, b) \
+  ({ \
+    \
+    __typeof__(a) _a = (a); \
+    __typeof__(b) _b = (b); \
+    _a > _b ? _a : _b; \
+    \
+  })
+#else
+#define MAX(a, b) (((a) > (b)) ? (a) : (b))
+#endif
+
+#ifdef _MSC_VER
+#include
+#define __builtin_popcount __popcnt
+#define __builtin_popcountll __popcnt64
+#endif
+
+#if defined(__APPLE__)
+  #pragma weak __sanitizer_cov_trace_const_cmp1 = __sanitizer_cov_trace_cmp1
+  #pragma weak __sanitizer_cov_trace_const_cmp2 = __sanitizer_cov_trace_cmp2
+  #pragma weak __sanitizer_cov_trace_const_cmp4 = __sanitizer_cov_trace_cmp4
+  #pragma weak __sanitizer_cov_trace_const_cmp8 = __sanitizer_cov_trace_cmp8
+#elif defined(_MSC_VER)
+  #pragma comment(linker, "/alternatename:__sanitizer_cov_trace_const_cmp1=__sanitizer_cov_trace_cmp1")
+  #pragma comment(linker, "/alternatename:__sanitizer_cov_trace_const_cmp2=__sanitizer_cov_trace_cmp2")
+  #pragma comment(linker, "/alternatename:__sanitizer_cov_trace_const_cmp4=__sanitizer_cov_trace_cmp4")
+  #pragma comment(linker, "/alternatename:__sanitizer_cov_trace_const_cmp8=__sanitizer_cov_trace_cmp8")
+#else
+void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__sanitizer_cov_trace_cmp1")));
+void __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2)
+    __attribute__((alias("__sanitizer_cov_trace_cmp2")));
+void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2)
+    __attribute__((alias("__sanitizer_cov_trace_cmp4")));
+void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2)
+    __attribute__((alias("__sanitizer_cov_trace_cmp8")));
+#endif
+
+void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
+
+  uintptr_t k = RETADDR;
+  k = (k >> 4) ^ (k << 8);
+  k &= MAP_SIZE - 1;
+  libafl_cmp_map[k] = MAX(libafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
+
+}
+
+void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) {
+
+  uintptr_t k = RETADDR;
+  k = (k >> 4) ^ (k << 8);
+  k &= MAP_SIZE - 1;
+  libafl_cmp_map[k] = MAX(libafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
+
+}
+
+void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) {
+
+  uintptr_t k = RETADDR;
+  k = (k >> 4) ^ (k << 8);
+  k &= MAP_SIZE - 1;
+  libafl_cmp_map[k] = MAX(libafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
+
+}
+
+void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) {
+
+  uintptr_t k = RETADDR;
+  k = (k >> 4) ^ (k << 8);
+  k &= MAP_SIZE - 1;
+  libafl_cmp_map[k] = MAX(libafl_cmp_map[k], (__builtin_popcountll(~(arg1 ^ arg2))));
+
+}
+
+void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
+
+  uintptr_t rt = RETADDR;
+  if (cases[1] == 64) {
+
+    for (uint64_t i = 0; i < cases[0]; i++) {
+
+      uintptr_t k = rt + i;
+      k = (k >> 4) ^ (k << 8);
+      k &= MAP_SIZE - 1;
+      libafl_cmp_map[k] = MAX(libafl_cmp_map[k], (__builtin_popcountll(~(val ^ cases[i + 2]))));
+
+    }
+
+  } else {
+
+    for (uint64_t i = 0; i < cases[0]; i++) {
+
+      uintptr_t k = rt + i;
+      k = (k >> 4) ^ (k << 8);
+      k &= MAP_SIZE - 1;
+      libafl_cmp_map[k] = MAX(libafl_cmp_map[k], (__builtin_popcount(~(val ^ cases[i + 2]))));
+
+    }
+
+  }
+
+}
diff --git a/libafl_targets/src/value_profile.rs b/libafl_targets/src/value_profile.rs
new file mode 100644
index 0000000000..b5f0d2981c
--- /dev/null
+++ b/libafl_targets/src/value_profile.rs
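Review bot: In `__sanitizer_cov_trace_cmp1` and `cmp2`, `~(arg1 ^ arg2)` is evaluated after integer promotion, so the complement sets the upper 24 (resp. 16) bits and `__builtin_popcount` always reports at least 24 (resp. 16) matching bits; the stored value therefore never drops below that floor, a 1-byte compare scores 24–32 while an 8-byte compare scores 0–64, and the map is not comparable across widths. Masking back to the operand width fixes it, `libafl_cmp_map[k] = MAX(libafl_cmp_map[k], (__builtin_popcount((uint8_t)~(arg1 ^ arg2))));` (and `(uint16_t)` in `cmp2`); the non-64 branch of `__sanitizer_cov_trace_switch` has the same floor and additionally truncates the 64-bit complement to `int`, so masking the complement to `cases[1]` bits before the popcount is needed there too. Like `cmplog.c`, the per-width bodies could share one `static inline` helper. Unlike `cmplog.c` there is no enable flag here, so every compare in the target pays for the map write even when the fuzzer is not consuming value-profile data — worth a note in the module docs if that is intentional.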
@@ -0,0 +1,24 @@
+// TODO compile time flag
+pub const CMP_MAP_SIZE: usize = 65536;
+
+#[no_mangle]
+pub static mut libafl_cmp_map: [u8; CMP_MAP_SIZE] = [0; CMP_MAP_SIZE];
+
+pub use libafl_cmp_map as CMP_MAP;
+
+/*
+extern {
+    #[link_name = "llvm.returnaddress"]
+    fn return_address() -> usize;
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn __sanitizer_cov_trace_cmp1(arg1: u8, arg2: u8) {
+    let mut pos = return_address();
+    pos = (pos >> 4) ^ (pos << 8);
+    pos &= CMP_MAP_SIZE - 1;
+    *CMP_MAP.get_unchecked_mut(pos) = core::cmp::max(*CMP_MAP.get_unchecked(pos), (!(arg1 ^ arg2)).count_ones() as u8);
+}
+*/
+
+// TODO complete when linking to LLVM intrinsic will land to stable Rust