fix fuzzbench cmplog ForkServer builder and rtn_extend_encoding buffer copy overflow (#3270)

2025-05-25 00:02:43 +08:00 · 2025-05-25 00:02:43 +08:00 · 9a202acfed
commit 9a202acfed
parent ce63b76558
3 changed files with 7 additions and 3 deletions
--- a/fuzzers/forkserver/fuzzbench_forkserver/src/main.rs
+++ b/fuzzers/forkserver/fuzzbench_forkserver/src/main.rs
@ -365,6 +365,7 @@ fn fuzz(
            .debug_child(debug_child)
            .shmem_provider(&mut shmem_provider)
            .parse_afl_cmdline(arguments)
+            .coverage_map_size(MAP_SIZE)
            .is_persistent(true)
            .timeout(timeout * 10)
            .kill_signal(signal)
--- a/fuzzers/forkserver/fuzzbench_forkserver_cmplog/src/main.rs
+++ b/fuzzers/forkserver/fuzzbench_forkserver_cmplog/src/main.rs
@ -369,6 +369,7 @@ fn fuzz(
            .debug_child(debug_child)
            .shmem_provider(&mut shmem_provider)
            .parse_afl_cmdline(arguments)
+            .coverage_map_size(MAP_SIZE)
            .is_persistent(true)
            // increase timeouts for cmplog
            .timeout(timeout * 10)
--- a/libafl/src/mutators/token_mutations.rs
+++ b/libafl/src/mutators/token_mutations.rs
@ -1301,9 +1301,11 @@ impl AflppRedQueen {
        if copy_len > 0 {
            unsafe {
                for l in 1..=copy_len {
-                    let mut cloned = buf.to_vec();
-                    buffer_copy(&mut cloned, repl, 0, buf_idx, l);
-                    vec.push(cloned);
+                    if l <= repl.len() {
+                        let mut cloned = buf.to_vec();
+                        buffer_copy(&mut cloned, repl, 0, buf_idx, l);
+                        vec.push(cloned);
+                    }
                }
                // vec.push(cloned);
            }