fuzzzzz

fuzzers/libfuzzer/src/lib.rs

@@ -61,6 +61,7 @@ pub extern "C" fn afl_libfuzzer_main() {
     //
 
     for i in 0..1000 {
+        println!("Fuzzer corpus iteration #{}", i);
         engine
             .fuzz_one(&mut state)
             .expect(&format!("Error in iter {}", i));

fuzzers/libfuzzer/test/test.c

@@ -1,37 +1,31 @@
 #include <stdio.h>
 #include <stdint.h>
 
-// gcc -shared -o libdemo.so demo-so.c -w
+int target_func(const uint8_t *buf, size_t size) {
-int target_func(char *buf, int size) {
 
-  printf("buffer:%p, size:%p\n", buf, size);
+  printf("BUF (%ld): ", size);
+  for (int i = 0; i < size; i++) {
+      printf("%02X", buf[i]);
+  }
+  printf("\n");
+  
   switch (buf[0]) {
 
     case 1:
-      puts("222");
+      if (buf[1] == 0x44) {
-      if (buf[1] == '\x44') {
+        __builtin_trap();
-
-        puts("null ptr deference");
-        *(char *)(0) = 1;
-
       }
 
       break;
     case 0xff:
-      if (buf[2] == '\xff') {
+      if (buf[2] == 0xff) {
-
+        if (buf[1] == 0x44) {
-        if (buf[1] == '\x44') {
-
-          puts("crash....");
           *(char *)(0xdeadbeef) = 1;
-
         }
-
       }
 
       break;
     default:
-      puts("default action");
       break;
 
   }