From cd191edb802593b821a30cb4514466f6c60d203b Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 7 Dec 2020 16:20:58 +0100 Subject: [PATCH 1/2] moar mutations --- afl/src/mutators/mutations.rs | 447 +++++++++++++++++++++++++++++++++- afl/src/mutators/scheduled.rs | 41 ++-- 2 files changed, 462 insertions(+), 26 deletions(-) diff --git a/afl/src/mutators/mutations.rs b/afl/src/mutators/mutations.rs index 47488ae1f0..6a1eb36614 100644 --- a/afl/src/mutators/mutations.rs +++ b/afl/src/mutators/mutations.rs @@ -30,6 +30,43 @@ where fn add_mutation(&mut self, mutation: MutationFunction); } +const ARITH_MAX: u64 = 35; + +const INTERESTING_8: [i8; 9] = [-128, -1, 0, 1, 16, 32, 64, 100, 127]; +const INTERESTING_16: [i16; 19] = [-128, -1, 0, 1, 16, 32, 64, 100, 127, -32768, -129, 128, 255, 256, 512, 1000, 1024, 4096, 32767]; +const INTERESTING_32: [i32; 27] = [-128, -1, 0, 1, 16, 32, 64, 100, 127, -32768, -129, 128, 255, 256, 512, 1000, 1024, 4096, 32767, -2147483648, -100663046, -32769, 32768, 65535, 65536, 100663045, 2147483647]; + +fn self_mem_move(data: &mut [u8], from: usize, to: usize, len: usize) { + debug_assert!(from + len <= data.len()); + debug_assert!(to + len <= data.len()); + let ptr = data.as_mut_ptr(); + unsafe { + core::ptr::copy(ptr.offset(from as isize), + ptr.offset(to as isize), + len) + } +} + +fn mem_move(dst: &mut [u8], src: &[u8], from: usize, to: usize, len: usize) { + debug_assert!(from + len <= src.len()); + debug_assert!(to + len <= dst.len()); + let dst_ptr = dst.as_mut_ptr(); + let src_ptr = src.as_ptr(); + unsafe { + core::ptr::copy(src_ptr.offset(from as isize), + dst_ptr.offset(to as isize), + len) + } +} + +fn mem_set(data: &mut [u8], from: usize, len: usize, val: u8) { + debug_assert!(from + len <= data.len()); + let ptr = data.as_mut_ptr(); + unsafe { + core::ptr::write_bytes(ptr.offset(from as isize), val, len) + } +} + /// Bitflip mutation for inputs with a bytes vector pub fn mutation_bitflip( _mutator: &mut M, @@ -151,25 +188,236 @@ where } } -/* -pub fn mutation_bytesexpand( - mutator: &mut M, +pub fn mutation_byterand( + _mutator: &mut M, rand: &mut R, _corpus: &C, input: &mut I, ) -> Result where - M: Mutator + HasMaxSize, + M: Mutator, C: Corpus, I: Input + HasBytesVec, R: Rand, { - let len = rand.below(mutator.max_size() as u64) as usize; - - - Ok(MutationResult::Mutated) + if input.bytes().len() == 0 { + Ok(MutationResult::Skipped) + } else { + let idx = rand.below(input.bytes().len() as u64) as usize; + unsafe { + // moar speed, no bound check + *input.bytes_mut().get_unchecked_mut(idx) = rand.below(256) as u8; + } + Ok(MutationResult::Mutated) + } +} + +pub fn mutation_byteadd( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + if input.bytes().len() <= 1 { + Ok(MutationResult::Skipped) + } else { + let idx = rand.below(input.bytes().len() as u64 -1) as usize; + unsafe { + // moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut u8; + let num = 1 + rand.below(ARITH_MAX) as u8; + match rand.below(2) { + 0 => *ptr += num, + _ => *ptr -= num, + }; + } + Ok(MutationResult::Mutated) + } +} + +pub fn mutation_wordadd( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + if input.bytes().len() <= 1 { + Ok(MutationResult::Skipped) + } else { + let idx = rand.below(input.bytes().len() as u64 -1) as usize; + unsafe { + // moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16; + let num = 1 + rand.below(ARITH_MAX) as u16; + match rand.below(4) { + 0 => *ptr += num, + 1 => *ptr -= num, + 2 => *ptr = ((*ptr).swap_bytes() + num).swap_bytes(), + _ => *ptr = ((*ptr).swap_bytes() - num).swap_bytes(), + }; + } + Ok(MutationResult::Mutated) + } +} + +pub fn mutation_dwordadd( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + if input.bytes().len() <= 1 { + Ok(MutationResult::Skipped) + } else { + let idx = rand.below(input.bytes().len() as u64 -1) as usize; + unsafe { + // moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32; + let num = 1 + rand.below(ARITH_MAX) as u32; + match rand.below(4) { + 0 => *ptr += num, + 1 => *ptr -= num, + 2 => *ptr = ((*ptr).swap_bytes() + num).swap_bytes(), + _ => *ptr = ((*ptr).swap_bytes() - num).swap_bytes(), + }; + } + Ok(MutationResult::Mutated) + } +} + +pub fn mutation_qwordadd( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + if input.bytes().len() <= 1 { + Ok(MutationResult::Skipped) + } else { + let idx = rand.below(input.bytes().len() as u64 -1) as usize; + unsafe { + // moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u64; + let num = 1 + rand.below(ARITH_MAX) as u64; + match rand.below(4) { + 0 => *ptr += num, + 1 => *ptr -= num, + 2 => *ptr = ((*ptr).swap_bytes() + num).swap_bytes(), + _ => *ptr = ((*ptr).swap_bytes() - num).swap_bytes(), + }; + } + Ok(MutationResult::Mutated) + } +} + +pub fn mutation_byteinteresting( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + if input.bytes().len() <= 1 { + Ok(MutationResult::Skipped) + } else { + let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let val = INTERESTING_8[rand.below(INTERESTING_8.len() as u64) as usize] as u8; + unsafe { + // moar speed, no bound check + *input.bytes_mut().get_unchecked_mut(idx) = val; + } + Ok(MutationResult::Mutated) + } +} + +pub fn mutation_wordinteresting( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + if input.bytes().len() <= 1 { + Ok(MutationResult::Skipped) + } else { + let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let val = INTERESTING_16[rand.below(INTERESTING_8.len() as u64) as usize] as u16; + unsafe { + // moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16; + if rand.below(2) == 0 { + *ptr = val; + } else { + *ptr = val.swap_bytes(); + } + } + Ok(MutationResult::Mutated) + } +} + +pub fn mutation_dwordinteresting( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + if input.bytes().len() <= 1 { + Ok(MutationResult::Skipped) + } else { + let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let val = INTERESTING_32[rand.below(INTERESTING_8.len() as u64) as usize] as u32; + unsafe { + // moar speed, no bound check + let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32; + if rand.below(2) == 0 { + *ptr = val; + } else { + *ptr = val.swap_bytes(); + } + } + Ok(MutationResult::Mutated) + } } -*/ pub fn mutation_bytesdelete( _mutator: &mut M, @@ -195,6 +443,187 @@ where Ok(MutationResult::Mutated) } +pub fn mutation_bytesexpand( + mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator + HasMaxSize, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + let size = input.bytes().len(); + let off = if size == 0 { + 0 + } else { + rand.below(size as u64 -1) + } as usize; + let len = rand.below(core::cmp::min(16, mutator.max_size() as u64)) as usize; + + input.bytes_mut().resize(size + len, 0); + self_mem_move(input.bytes_mut(), off, off + len, len); + Ok(MutationResult::Mutated) +} + +pub fn mutation_bytesinsert( + mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator + HasMaxSize, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + let size = input.bytes().len(); + let off = if size == 0 { + 0 + } else { + rand.below(size as u64 -1) + } as usize; + let len = rand.below(core::cmp::min(16, mutator.max_size() as u64)) as usize; + + let val = input.bytes()[rand.below(size as u64) as usize]; + input.bytes_mut().resize(size + len, 0); + self_mem_move(input.bytes_mut(), off, off + len, len); + mem_set(input.bytes_mut(), off, len, val); + Ok(MutationResult::Mutated) +} + +pub fn mutation_bytesrandinsert( + mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator + HasMaxSize, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + let size = input.bytes().len(); + let off = if size == 0 { + 0 + } else { + rand.below(size as u64 -1) + } as usize; + let len = rand.below(core::cmp::min(16, mutator.max_size() as u64)) as usize; + + let val = rand.below(256) as u8; + input.bytes_mut().resize(size + len, 0); + self_mem_move(input.bytes_mut(), off, off + len, len); + mem_set(input.bytes_mut(), off, len, val); + Ok(MutationResult::Mutated) +} + +pub fn mutation_bytesset( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + let size = input.bytes().len(); + if size == 0 { + return Ok(MutationResult::Skipped); + } + + let val = input.bytes()[rand.below(size as u64) as usize]; + let start = if size == 1 { 0 } else { rand.below(size as u64 -1) as usize }; + let end = rand.below((size - start) as u64) as usize; + mem_set(input.bytes_mut(), start, end - start, val); + Ok(MutationResult::Mutated) +} + +pub fn mutation_bytesrandset( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + let size = input.bytes().len(); + if size == 0 { + return Ok(MutationResult::Skipped); + } + + let val = rand.below(256) as u8; + let start = if size == 1 { 0 } else { rand.below(size as u64 -1) as usize }; + let end = rand.below((size - start) as u64) as usize; + mem_set(input.bytes_mut(), start, end - start, val); + Ok(MutationResult::Mutated) +} + +pub fn mutation_bytescopy( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + let size = input.bytes().len(); + if size <= 1 { + return Ok(MutationResult::Skipped); + } + + let from = rand.below(input.bytes().len() as u64 -1) as usize; + let to = rand.below(input.bytes().len() as u64 -1) as usize; + let len = rand.below((size - core::cmp::max(from, to)) as u64) as usize; + + self_mem_move(input.bytes_mut(), from, to, len); + Ok(MutationResult::Mutated) +} + +pub fn mutation_bytesswap( + _mutator: &mut M, + rand: &mut R, + _corpus: &C, + input: &mut I, +) -> Result +where + M: Mutator, + C: Corpus, + I: Input + HasBytesVec, + R: Rand, +{ + let size = input.bytes().len(); + if size <= 1 { + return Ok(MutationResult::Skipped); + } + + let first = rand.below(input.bytes().len() as u64 -1) as usize; + let second = rand.below(input.bytes().len() as u64 -1) as usize; + let len = rand.below((size - core::cmp::max(first, second)) as u64) as usize; + + let tmp = input.bytes()[first..len].to_vec(); + self_mem_move(input.bytes_mut(), second, first, len); + mem_move(input.bytes_mut(), &tmp, 0, second, len); + Ok(MutationResult::Mutated) +} + + + /// Returns the first and last diff position between the given vectors, stopping at the min len fn locate_diffs(this: &[u8], other: &[u8]) -> (i64, i64) { let mut first_diff: i64 = -1; diff --git a/afl/src/mutators/scheduled.rs b/afl/src/mutators/scheduled.rs index 6508033ae0..bb6f23a05d 100644 --- a/afl/src/mutators/scheduled.rs +++ b/afl/src/mutators/scheduled.rs @@ -207,25 +207,32 @@ where scheduled.add_mutation(mutation_byteinc); scheduled.add_mutation(mutation_bytedec); scheduled.add_mutation(mutation_byteneg); + scheduled.add_mutation(mutation_byterand); - //scheduled.add_mutation(mutation_bytesexpand); - //scheduled.add_mutation(mutation_bytesdelete); - //scheduled.add_mutation(mutation_bytesdelete); - //scheduled.add_mutation(mutation_bytesdelete); - //scheduled.add_mutation(mutation_bytesdelete); - - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_bitflip); + scheduled.add_mutation(mutation_byteadd); + scheduled.add_mutation(mutation_wordadd); + scheduled.add_mutation(mutation_dwordadd); + scheduled.add_mutation(mutation_qwordadd); + scheduled.add_mutation(mutation_byteinteresting); + scheduled.add_mutation(mutation_wordinteresting); + scheduled.add_mutation(mutation_dwordinteresting); + + scheduled.add_mutation(mutation_bytesdelete); + scheduled.add_mutation(mutation_bytesdelete); + scheduled.add_mutation(mutation_bytesdelete); + scheduled.add_mutation(mutation_bytesdelete); + scheduled.add_mutation(mutation_bytesexpand); + scheduled.add_mutation(mutation_bytesinsert); + scheduled.add_mutation(mutation_bytesrandinsert); + scheduled.add_mutation(mutation_bytesset); + scheduled.add_mutation(mutation_bytesrandset); + scheduled.add_mutation(mutation_bytescopy); + scheduled.add_mutation(mutation_bytesswap); + + // TODO dictionary and custom dictionary (redqueen etc.) + /*scheduled.add_mutation(mutation_bitflip); scheduled.add_mutation(mutation_bitflip); + scheduled.add_mutation(mutation_bitflip);*/ scheduled.add_mutation(mutation_splice); HavocBytesMutator { From e76323e3cace415c2fd542fdd3add15fd812f877 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 7 Dec 2020 16:21:59 +0100 Subject: [PATCH 2/2] format --- afl/src/mutators/mutations.rs | 96 +++++++++++++++++++++++------------ afl/src/mutators/scheduled.rs | 4 +- 2 files changed, 66 insertions(+), 34 deletions(-) diff --git a/afl/src/mutators/mutations.rs b/afl/src/mutators/mutations.rs index 6a1eb36614..032efc1f9f 100644 --- a/afl/src/mutators/mutations.rs +++ b/afl/src/mutators/mutations.rs @@ -32,19 +32,45 @@ where const ARITH_MAX: u64 = 35; -const INTERESTING_8: [i8; 9] = [-128, -1, 0, 1, 16, 32, 64, 100, 127]; -const INTERESTING_16: [i16; 19] = [-128, -1, 0, 1, 16, 32, 64, 100, 127, -32768, -129, 128, 255, 256, 512, 1000, 1024, 4096, 32767]; -const INTERESTING_32: [i32; 27] = [-128, -1, 0, 1, 16, 32, 64, 100, 127, -32768, -129, 128, 255, 256, 512, 1000, 1024, 4096, 32767, -2147483648, -100663046, -32769, 32768, 65535, 65536, 100663045, 2147483647]; +const INTERESTING_8: [i8; 9] = [-128, -1, 0, 1, 16, 32, 64, 100, 127]; +const INTERESTING_16: [i16; 19] = [ + -128, -1, 0, 1, 16, 32, 64, 100, 127, -32768, -129, 128, 255, 256, 512, 1000, 1024, 4096, 32767, +]; +const INTERESTING_32: [i32; 27] = [ + -128, + -1, + 0, + 1, + 16, + 32, + 64, + 100, + 127, + -32768, + -129, + 128, + 255, + 256, + 512, + 1000, + 1024, + 4096, + 32767, + -2147483648, + -100663046, + -32769, + 32768, + 65535, + 65536, + 100663045, + 2147483647, +]; fn self_mem_move(data: &mut [u8], from: usize, to: usize, len: usize) { debug_assert!(from + len <= data.len()); debug_assert!(to + len <= data.len()); let ptr = data.as_mut_ptr(); - unsafe { - core::ptr::copy(ptr.offset(from as isize), - ptr.offset(to as isize), - len) - } + unsafe { core::ptr::copy(ptr.offset(from as isize), ptr.offset(to as isize), len) } } fn mem_move(dst: &mut [u8], src: &[u8], from: usize, to: usize, len: usize) { @@ -53,18 +79,18 @@ fn mem_move(dst: &mut [u8], src: &[u8], from: usize, to: usize, len: usize) { let dst_ptr = dst.as_mut_ptr(); let src_ptr = src.as_ptr(); unsafe { - core::ptr::copy(src_ptr.offset(from as isize), - dst_ptr.offset(to as isize), - len) + core::ptr::copy( + src_ptr.offset(from as isize), + dst_ptr.offset(to as isize), + len, + ) } } fn mem_set(data: &mut [u8], from: usize, len: usize, val: u8) { debug_assert!(from + len <= data.len()); let ptr = data.as_mut_ptr(); - unsafe { - core::ptr::write_bytes(ptr.offset(from as isize), val, len) - } + unsafe { core::ptr::write_bytes(ptr.offset(from as isize), val, len) } } /// Bitflip mutation for inputs with a bytes vector @@ -227,7 +253,7 @@ where if input.bytes().len() <= 1 { Ok(MutationResult::Skipped) } else { - let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let idx = rand.below(input.bytes().len() as u64 - 1) as usize; unsafe { // moar speed, no bound check let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut u8; @@ -256,7 +282,7 @@ where if input.bytes().len() <= 1 { Ok(MutationResult::Skipped) } else { - let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let idx = rand.below(input.bytes().len() as u64 - 1) as usize; unsafe { // moar speed, no bound check let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u16; @@ -287,7 +313,7 @@ where if input.bytes().len() <= 1 { Ok(MutationResult::Skipped) } else { - let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let idx = rand.below(input.bytes().len() as u64 - 1) as usize; unsafe { // moar speed, no bound check let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u32; @@ -318,7 +344,7 @@ where if input.bytes().len() <= 1 { Ok(MutationResult::Skipped) } else { - let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let idx = rand.below(input.bytes().len() as u64 - 1) as usize; unsafe { // moar speed, no bound check let ptr = input.bytes_mut().get_unchecked_mut(idx) as *mut _ as *mut u64; @@ -349,7 +375,7 @@ where if input.bytes().len() <= 1 { Ok(MutationResult::Skipped) } else { - let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let idx = rand.below(input.bytes().len() as u64 - 1) as usize; let val = INTERESTING_8[rand.below(INTERESTING_8.len() as u64) as usize] as u8; unsafe { // moar speed, no bound check @@ -374,7 +400,7 @@ where if input.bytes().len() <= 1 { Ok(MutationResult::Skipped) } else { - let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let idx = rand.below(input.bytes().len() as u64 - 1) as usize; let val = INTERESTING_16[rand.below(INTERESTING_8.len() as u64) as usize] as u16; unsafe { // moar speed, no bound check @@ -404,7 +430,7 @@ where if input.bytes().len() <= 1 { Ok(MutationResult::Skipped) } else { - let idx = rand.below(input.bytes().len() as u64 -1) as usize; + let idx = rand.below(input.bytes().len() as u64 - 1) as usize; let val = INTERESTING_32[rand.below(INTERESTING_8.len() as u64) as usize] as u32; unsafe { // moar speed, no bound check @@ -459,7 +485,7 @@ where let off = if size == 0 { 0 } else { - rand.below(size as u64 -1) + rand.below(size as u64 - 1) } as usize; let len = rand.below(core::cmp::min(16, mutator.max_size() as u64)) as usize; @@ -484,7 +510,7 @@ where let off = if size == 0 { 0 } else { - rand.below(size as u64 -1) + rand.below(size as u64 - 1) } as usize; let len = rand.below(core::cmp::min(16, mutator.max_size() as u64)) as usize; @@ -511,7 +537,7 @@ where let off = if size == 0 { 0 } else { - rand.below(size as u64 -1) + rand.below(size as u64 - 1) } as usize; let len = rand.below(core::cmp::min(16, mutator.max_size() as u64)) as usize; @@ -540,7 +566,11 @@ where } let val = input.bytes()[rand.below(size as u64) as usize]; - let start = if size == 1 { 0 } else { rand.below(size as u64 -1) as usize }; + let start = if size == 1 { + 0 + } else { + rand.below(size as u64 - 1) as usize + }; let end = rand.below((size - start) as u64) as usize; mem_set(input.bytes_mut(), start, end - start, val); Ok(MutationResult::Mutated) @@ -564,7 +594,11 @@ where } let val = rand.below(256) as u8; - let start = if size == 1 { 0 } else { rand.below(size as u64 -1) as usize }; + let start = if size == 1 { + 0 + } else { + rand.below(size as u64 - 1) as usize + }; let end = rand.below((size - start) as u64) as usize; mem_set(input.bytes_mut(), start, end - start, val); Ok(MutationResult::Mutated) @@ -587,8 +621,8 @@ where return Ok(MutationResult::Skipped); } - let from = rand.below(input.bytes().len() as u64 -1) as usize; - let to = rand.below(input.bytes().len() as u64 -1) as usize; + let from = rand.below(input.bytes().len() as u64 - 1) as usize; + let to = rand.below(input.bytes().len() as u64 - 1) as usize; let len = rand.below((size - core::cmp::max(from, to)) as u64) as usize; self_mem_move(input.bytes_mut(), from, to, len); @@ -612,8 +646,8 @@ where return Ok(MutationResult::Skipped); } - let first = rand.below(input.bytes().len() as u64 -1) as usize; - let second = rand.below(input.bytes().len() as u64 -1) as usize; + let first = rand.below(input.bytes().len() as u64 - 1) as usize; + let second = rand.below(input.bytes().len() as u64 - 1) as usize; let len = rand.below((size - core::cmp::max(first, second)) as u64) as usize; let tmp = input.bytes()[first..len].to_vec(); @@ -622,8 +656,6 @@ where Ok(MutationResult::Mutated) } - - /// Returns the first and last diff position between the given vectors, stopping at the min len fn locate_diffs(this: &[u8], other: &[u8]) -> (i64, i64) { let mut first_diff: i64 = -1; diff --git a/afl/src/mutators/scheduled.rs b/afl/src/mutators/scheduled.rs index bb6f23a05d..eb342a8ad6 100644 --- a/afl/src/mutators/scheduled.rs +++ b/afl/src/mutators/scheduled.rs @@ -216,7 +216,7 @@ where scheduled.add_mutation(mutation_byteinteresting); scheduled.add_mutation(mutation_wordinteresting); scheduled.add_mutation(mutation_dwordinteresting); - + scheduled.add_mutation(mutation_bytesdelete); scheduled.add_mutation(mutation_bytesdelete); scheduled.add_mutation(mutation_bytesdelete); @@ -228,7 +228,7 @@ where scheduled.add_mutation(mutation_bytesrandset); scheduled.add_mutation(mutation_bytescopy); scheduled.add_mutation(mutation_bytesswap); - + // TODO dictionary and custom dictionary (redqueen etc.) /*scheduled.add_mutation(mutation_bitflip); scheduled.add_mutation(mutation_bitflip);