fixed libfuzzer, some integer wraps

Dominik Maier 2020-12-22 01:59:47 +01:00
parent eb78c34f9e
commit 7a1bfcaaf9
3 changed files with 24 additions and 19 deletions


@ -166,7 +166,8 @@ where
let idx = rand.below(input.bytes().len() as u64) as usize; let idx = rand.below(input.bytes().len() as u64) as usize;
unsafe { unsafe {
// moar speed, no bound check // moar speed, no bound check
*input.bytes_mut().get_unchecked_mut(idx) += 1; let ptr = input.bytes_mut().get_unchecked_mut(idx);
*ptr = (*ptr).wrapping_add(1);
} }
Ok(MutationResult::Mutated) Ok(MutationResult::Mutated)
} }
@ -190,7 +191,8 @@ where
let idx = rand.below(input.bytes().len() as u64) as usize; let idx = rand.below(input.bytes().len() as u64) as usize;
unsafe { unsafe {
// moar speed, no bound check // moar speed, no bound check
*input.bytes_mut().get_unchecked_mut(idx) -= 1; let ptr = input.bytes_mut().get_unchecked_mut(idx);
*ptr = (*ptr).wrapping_sub(1);
} }
Ok(MutationResult::Mutated) Ok(MutationResult::Mutated)
} }
@ -265,8 +267,8 @@ where
let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut u8; let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut u8;
let num = 1 + rand.below(ARITH_MAX) as u8; let num = 1 + rand.below(ARITH_MAX) as u8;
match rand.below(2) { match rand.below(2) {
0 => *ptr += num, 0 => *ptr = (*ptr).wrapping_add(num),
_ => *ptr -= num, _ => *ptr = (*ptr).wrapping_sub(num),
}; };
} }
Ok(MutationResult::Mutated) Ok(MutationResult::Mutated)
@ -294,10 +296,10 @@ where
let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16; let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16;
let num = 1 + rand.below(ARITH_MAX) as u16; let num = 1 + rand.below(ARITH_MAX) as u16;
match rand.below(4) { match rand.below(4) {
0 => *ptr += num, 0 => *ptr = (*ptr).wrapping_add(num),
1 => *ptr -= num, 1 => *ptr = (*ptr).wrapping_sub(num),
2 => *ptr = ((*ptr).swap_bytes() + num).swap_bytes(), 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(),
_ => *ptr = ((*ptr).swap_bytes() - num).swap_bytes(), _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(),
}; };
} }
Ok(MutationResult::Mutated) Ok(MutationResult::Mutated)
@ -325,10 +327,10 @@ where
let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32; let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32;
let num = 1 + rand.below(ARITH_MAX) as u32; let num = 1 + rand.below(ARITH_MAX) as u32;
match rand.below(4) { match rand.below(4) {
0 => *ptr += num, 0 => *ptr = (*ptr).wrapping_add(num),
1 => *ptr -= num, 1 => *ptr = (*ptr).wrapping_sub(num),
2 => *ptr = ((*ptr).swap_bytes() + num).swap_bytes(), 2 => *ptr = ((*ptr).swap_bytes().wrapping_add(num)).swap_bytes(),
_ => *ptr = ((*ptr).swap_bytes() - num).swap_bytes(), _ => *ptr = ((*ptr).swap_bytes().wrapping_sub(num)).swap_bytes(),
}; };
} }
Ok(MutationResult::Mutated) Ok(MutationResult::Mutated)
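Review bot: The u16 and u32 arithmetic hunks still read and write through a pointer that is not guaranteed to be aligned: `ptr` is built as `get_unchecked_mut(idx) as *mut _ as *mut u16` from a byte index, so `*ptr` on every arm of the `match` is an aligned load/store on an address that is odd half the time, which is undefined behaviour in Rust independently of the overflow fix this commit makes. Use `ptr.read_unaligned()` once and `ptr.write_unaligned(..)` once for the multi-byte cases; the u32 hunk needs the identical change with `u32`. The `// moar speed, no bound check` comment is also not a safety argument for `get_unchecked_mut` — the comment should say why `idx + 1` (resp. `idx + 3`) is below `bytes().len()`, something like `// SAFETY: idx is drawn below len - 1, so bytes idx..idx+2 are in bounds` — hedged, since how `idx` is bounded for these two mutators is not visible in the hunks. The enclosing mutator functions begin outside the hunks shown.
```rust
let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16;
let num = 1 + rand.below(ARITH_MAX) as u16;
// Unaligned access: idx is a byte offset, so ptr need not be 2-byte aligned.
let val = ptr.read_unaligned();
let new_val = match rand.below(4) {
    0 => val.wrapping_add(num),
    1 => val.wrapping_sub(num),
    2 => val.swap_bytes().wrapping_add(num).swap_bytes(),
    _ => val.swap_bytes().wrapping_sub(num).swap_bytes(),
};
ptr.write_unaligned(new_val);
// … unchanged: closing of the unsafe block and Ok(MutationResult::Mutated) …
```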


@ -19,6 +19,7 @@ debug = true
[build-dependencies] [build-dependencies]
cc = "1.0" cc = "1.0"
num_cpus = "1.0"
[dependencies] [dependencies]
clap = "2.32.0" clap = "2.32.0"


@ -19,7 +19,6 @@ fn main() {
.file("./harness.c") .file("./harness.c")
.compile("libfuzzer-sys"); .compile("libfuzzer-sys");
let libpng = format!("{}/libpng-1.6.37", &out_dir); let libpng = format!("{}/libpng-1.6.37", &out_dir);
let libpng_path = Path::new(&libpng); let libpng_path = Path::new(&libpng);
let libpng_tar = format!("{}/libpng-1.6.37.tar.gz", &out_dir); let libpng_tar = format!("{}/libpng-1.6.37.tar.gz", &out_dir);
@ -49,11 +48,14 @@ fn main() {
.unwrap(); .unwrap();
Command::new("make") Command::new("make")
.current_dir(&libpng_path) .current_dir(&libpng_path)
.env("CC", "clang") .arg(&format!("-j{}", num_cpus::get()))
.env("CXX", "clang++") .args(&[
.env("CFLAGS", "-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard") "CC=clang",
.env("LDFLAGS", "-fPIE -fsanitize-coverage=trace-pc-guard") "CXX=clang++",
.env("CXXFLAGS", "-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard") "CFLAGS=-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard",
"LDFLAGS=-fPIE -fsanitize-coverage=trace-pc-guard",
"CXXFLAGS=-D_DEFAULT_SOURCE -fPIE -fsanitize-coverage=trace-pc-guard",
])
.status() .status()
.unwrap(); .unwrap();
} }
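Review bot: The `make` invocation's exit status is never checked: `.status().unwrap()` at the end of the hunk only panics when `make` cannot be spawned, and a non-zero exit from a compile error in libpng (now more likely to surface differently with the `-j` and `CFLAGS=...` overrides) is silently accepted, so the build fails later at link time or links whatever stale `libpng` happens to sit in `out_dir`. Bind the status and assert on it: `let status = Command::new("make") … .status().unwrap();` followed by `assert!(status.success(), "make for libpng failed: {}", status);`. The same applies to the preceding command whose `.unwrap();` is visible at the top of the hunk, presumably the configure step, though its body is outside the hunk. `fn main` begins outside this hunk.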