From ebc886032f9f2568e62f7bf6881c7137c74776a0 Mon Sep 17 00:00:00 2001
From: Addison Crump
Date: Wed, 18 Jan 2023 13:53:31 +0100
Subject: [PATCH] Fixes for multiple subtle bugs with grimoire, mutators, and state (#1001)
* fix multiple subtle bugs with grimoire, mutators, and state
* obey the clippy overlord
* grimoire: skip over token after splice
* remove extraneous length check
---
 libafl/src/mutators/grimoire.rs | 30 ++++++++++++++++++------------
 libafl/src/stages/mutational.rs | 2 +-
 libafl/src/stages/power.rs | 2 +-
 libafl/src/state/mod.rs | 4 ++++
 4 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/libafl/src/mutators/grimoire.rs b/libafl/src/mutators/grimoire.rs
index a86f337b8a..f7825d0231 100644
--- a/libafl/src/mutators/grimoire.rs
+++ b/libafl/src/mutators/grimoire.rs
@@ -277,40 +277,46 @@ where
 'first: for item in &mut gen[..rand_idx] {
 if let GeneralizedItem::Bytes(bytes) = item {
- if bytes.len() < token_1.len() {
- continue;
- }
 let mut i = 0;
- while i < bytes.len() - token_1.len() {
+ while bytes
+ .len()
+ .checked_sub(token_1.len())
+ .map_or(false, |len| i < len)
+ {
 if bytes[i..].starts_with(token_1) {
- bytes.splice(i..(i + token_1.len()), token_2.clone());
+ bytes.splice(i..(i + token_1.len()), token_2.iter().copied());
 mutated = MutationResult::Mutated;
 if stop_at_first {
 break 'first;
 }
+ i += token_2.len();
+ } else {
+ i += 1;
 }
- i += 1;
 }
 }
 }
 if mutated == MutationResult::Skipped || !stop_at_first {
 'second: for item in &mut gen[rand_idx..] {
 if let GeneralizedItem::Bytes(bytes) = item {
- if bytes.len() < token_1.len() {
- continue;
- }
 let mut i = 0;
- while i < bytes.len() - token_1.len() {
+ while bytes
+ .len()
+ .checked_sub(token_1.len())
+ .map_or(false, |len| i < len)
+ {
 if bytes[i..].starts_with(token_1) {
- bytes.splice(i..(i + token_1.len()), token_2.clone());
+ bytes.splice(i..(i + token_1.len()), token_2.iter().copied());
 mutated = MutationResult::Mutated;
 if stop_at_first {
 break 'second;
 }
+ i += token_2.len();
+ } else {
+ i += 1;
 }
- i += 1;
 }
 }
 }
diff --git a/libafl/src/stages/mutational.rs b/libafl/src/stages/mutational.rs
index 3629ef4b58..d5120313e5 100644
--- a/libafl/src/stages/mutational.rs
+++ b/libafl/src/stages/mutational.rs
@@ -117,7 +117,7 @@ where
 start_timer!(state);
 let testcase = state.corpus().get(corpus_idx)?.borrow();
- let input = I::try_transform_from(&testcase, state, corpus_idx)?;
+ let Ok(input) = I::try_transform_from(&testcase, state, corpus_idx) else { return Ok(()); };
 drop(testcase);
 mark_feature_time!(state, PerfFeature::GetInputFromCorpus);
diff --git a/libafl/src/stages/power.rs b/libafl/src/stages/power.rs
index 056f5884d7..c95382cd0a 100644
--- a/libafl/src/stages/power.rs
+++ b/libafl/src/stages/power.rs
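Review bot: The rewritten loop bound in both the `'first` and `'second` loops still stops one offset short: with `len = bytes.len() - token_1.len()`, the condition `i < len` never tests the last position where `token_1` could fit, so a token that ends exactly at the end of `bytes` is never replaced. At `i == len` the slice `bytes[i..]` is exactly `token_1.len()` bytes long, so `.map_or(false, |len| i <= len)` is the intended bound in both loops. Separately, if `token_1` can be empty here, `starts_with` succeeds at every offset and `i` advances only by `token_2.len()` while `bytes` grows by the same amount, so the loop would not terminate for non-empty `bytes`; where `token_1` comes from is outside the hunk, so a guard before the loops (a `debug_assert!(!token_1.is_empty())`, or an early `Skipped` return if empty tokens are reachable) is worth confirming. The enclosing function starts and ends outside the hunk.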
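Review bot: The new `let Ok(input) = … else { return Ok(()); };` swallows every error from `try_transform_from`, not only the case where the testcase cannot be transformed for this stage; a corpus or I/O failure inside it now ends the stage as success with nothing logged. If only the "not transformable" case should be skipped, match that specific error (whatever `try_transform_from` returns for it, which is not visible here) and propagate the rest with `?`; if skipping on any error is deliberate, a comment such as `// Any failure to transform means this testcase is not usable by this stage; skip it instead of aborting the fuzzer.` should say so. The early return also leaves the `start_timer!(state)` at the top of the hunk without its `mark_feature_time!` on the skip path, which may skew the `GetInputFromCorpus` accounting if those two are paired. The same pattern appears in the `power.rs` hunk. The enclosing function starts and ends outside the hunk.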
@@ -83,7 +83,7 @@ where
 let num = self.iterations(state, corpus_idx)?;
 let testcase = state.corpus().get(corpus_idx)?.borrow();
- let input = I::try_transform_from(&testcase, state, corpus_idx)?;
+ let Ok(input) = I::try_transform_from(&testcase, state, corpus_idx) else { return Ok(()); };
 drop(testcase);
 for i in 0..num {
diff --git a/libafl/src/state/mod.rs b/libafl/src/state/mod.rs
index 8d2cee07f5..b027063c07 100644
--- a/libafl/src/state/mod.rs
+++ b/libafl/src/state/mod.rs
@@ -367,6 +367,10 @@ where
 for entry in fs::read_dir(in_dir)? {
 let entry = entry?;
 let path = entry.path();
+ if path.file_name().unwrap().to_string_lossy().starts_with('.') {
+ continue;
+ }
+
 let attributes = fs::metadata(&path);
 if attributes.is_err() {
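Review bot: `path.file_name().unwrap()` on the added line is an avoidable panic path: `Path::file_name` returns `None` for paths ending in `..`, and the name is already available without an `Option` from the directory entry, so `if entry.file_name().to_string_lossy().starts_with('.') { continue; }` performs the same check with no `unwrap`. The skip presumably also applies to hidden directories, which matters if this loader recurses; that is not visible in the hunk. A short comment stating the intent, e.g. `// Skip hidden entries (names starting with '.'); they are not corpus inputs.`, would help the next reader. The enclosing function starts and ends outside the hunk.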