From 51942b605d6fcb22d85c1fe1a845b6ec2839e793 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 9 May 2022 13:18:14 +0200 Subject: support post_process's own return buffer --- src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-init.c | 2 +- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-run.c | 25 ++++++++++++++++--------- src/afl-sharedmem.c | 26 ++++++++++++++------------ 6 files changed, 34 insertions(+), 25 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 7c2b35d6..26e70d81 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -648,7 +648,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->fsrv.exec_tmout < afl->hang_tmout) { u8 new_fault; - len = write_to_testcase(afl, mem, len, 0); + len = write_to_testcase(afl, &mem, len, 0); new_fault = fuzz_run_target(afl, &afl->fsrv, afl->hang_tmout); classify_counts(&afl->fsrv); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 7d94085d..258d9ea7 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -49,7 +49,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - write_to_testcase(afl, out_buf, len, 0); + write_to_testcase(afl, (void **)&out_buf, len, 0); fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 05a654c8..6a653a00 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -617,7 +617,7 @@ void read_foreign_testcases(afl_state_t *afl, int first) { } - u32 len = write_to_testcase(afl, mem, st.st_size, 1); + u32 len = write_to_testcase(afl, (void **)&mem, st.st_size, 1); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); afl->syncing_party = foreign_name; afl->queued_imported += save_if_interesting(afl, mem, len, fault); diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index e78e2dc4..b6aeec63 100644 --- a/src/afl-fuzz-mutators.c 
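Review bot: `len = write_to_testcase(afl, &mem, len, 0);` in save_if_interesting lets write_to_testcase reallocate through the by-value parameter `mem`, so when the buffer moves only this function's copy is updated while the caller that owns it (common_fuzz_stuff passes its `out_buf`, and presumably fuzz_one's afl_realloc()-managed out buffer sits behind that) keeps the old pointer. If the realloc freed that block, the caller's next use of its pointer is a use-after-free, and the next afl_realloc() on it reads a freed header. Either write_to_testcase must never free the buffer it is handed (copy the hook's output into a scratch buffer the fuzzer owns and return that through `*mem`), or the new pointer has to be returned to every caller up the chain. save_if_interesting starts and ends outside the hunk.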
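Review bot: `u32 len = write_to_testcase(afl, (void **)&mem, st.st_size, 1);` in read_foreign_testcases may now replace `mem` via afl_realloc(), but `mem` is the imported testcase buffer that this function obtains and releases outside the hunk; if it is mmap()ed, as the import paths in this codebase appear to do (the mapping call is not visible here), it is neither NULL nor an afl_realloc() buffer, so realloc()ing it is undefined behaviour and releasing the updated pointer with the original size afterwards compounds it. The ownership change should be confined to write_to_testcase, which ought to post-process into a buffer it owns rather than reallocating whatever pointer a caller passes; at this call site the pointer that is eventually released must stay the original. Separately, `u32 len` narrows `st.st_size` (off_t), which predates this commit. read_foreign_testcases starts and ends outside the hunk.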
+++ b/src/afl-fuzz-mutators.c @@ -428,7 +428,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, if (likely(retlen)) { - retlen = write_to_testcase(afl, retbuf, retlen, 0); + retlen = write_to_testcase(afl, (void **)&retbuf, retlen, 0); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ffba3475..866127be 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -74,7 +74,7 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { rewound and truncated. */ u32 __attribute__((hot)) -write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) { +write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { #ifdef _AFL_DOCUMENT_MUTATIONS s32 doc_fd; @@ -86,7 +86,7 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) { if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >= 0) { - if (write(doc_fd, mem, len) != len) + if (write(doc_fd, *mem, len) != len) PFATAL("write to mutation file failed: %s", fn); close(doc_fd); @@ -97,7 +97,7 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) { if (unlikely(afl->custom_mutators_count)) { ssize_t new_size = len; - u8 * new_mem = mem; + u8 * new_mem = *mem; u8 * new_buf = NULL; LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { @@ -130,8 +130,15 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) { } + if (new_mem != *mem) { + + *mem = afl_realloc(mem, new_size); + memcpy(*mem, new_mem, new_size); + + } + /* everything as planned. use the potentially new data. */ - afl_fsrv_write_to_testcase(&afl->fsrv, new_mem, new_size); + afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size); len = new_size; } else { 
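Review bot: `retlen = write_to_testcase(afl, (void **)&retbuf, retlen, 0);` in trim_case_custom hands the custom mutator's trim output to write_to_testcase, which (per the afl-fuzz-run.c hunk in this commit) may afl_realloc() it when a post_process hook returns a different buffer. As far as the custom-mutator API goes, `retbuf` is memory owned and reused by the mutator's afl_custom_trim callback, so realloc()ing it frees memory the mutator still references and, not being an afl_realloc() buffer, has no size header for afl_realloc() to read. The trimmed data should be copied into a fuzzer-owned buffer before post-processing, or write_to_testcase should never reallocate the pointer it receives. trim_case_custom starts and ends outside the hunk.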
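Review bot: The new `*mem = afl_realloc(mem, new_size); memcpy(*mem, new_mem, new_size);` in write_to_testcase reallocates whatever buffer the caller passed, yet afl_realloc() — if I read alloc-inl.h correctly — requires `*mem` to be NULL or a buffer it previously returned, because it keeps a size header just in front of it; several call sites in this commit appear to pass mmap()ed, custom-mutator-owned or by-value-copied pointers, for which this is heap corruption rather than a resize. The return value is also not checked before the memcpy, and `new_mem`/`new_size` are used even if a hook handed back NULL or 0 (the loop that sets them starts above the hunk, so it is not visible whether that is excluded there); at minimum add `if (unlikely(!*mem)) { PFATAL("alloc"); }` and guard the block with `if (new_mem != *mem && new_mem != NULL && new_size > 0)`. Since `new_mem != *mem` does not rule out `new_mem` pointing inside the old `*mem`, the memcpy source can itself be freed by the realloc. A safer shape is to copy the hook's output into a scratch buffer owned by afl_state_t and return that pointer through `*mem`, leaving the caller's allocation alone. write_to_testcase starts above the hunk and ends below it.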
@@ -147,7 +154,7 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len, u32 fix) { } /* boring uncustom. */ - afl_fsrv_write_to_testcase(&afl->fsrv, mem, len); + afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len); } @@ -370,7 +377,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, /* we need a dummy run if this is LTO + cmplog */ if (unlikely(afl->shm.cmplog_mode)) { - (void)write_to_testcase(afl, use_mem, q->len, 1); + (void)write_to_testcase(afl, (void **)&use_mem, q->len, 1); fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); @@ -413,7 +420,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u64 cksum; - (void)write_to_testcase(afl, use_mem, q->len, 1); + (void)write_to_testcase(afl, (void **)&use_mem, q->len, 1); fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); @@ -724,7 +731,7 @@ void sync_fuzzers(afl_state_t *afl) { /* See what happens. We rely on save_if_interesting() to catch major errors and save the test case. */ - (void)write_to_testcase(afl, mem, st.st_size, 1); + (void)write_to_testcase(afl, (void **)&mem, st.st_size, 1); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); @@ -967,7 +974,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - len = write_to_testcase(afl, out_buf, len, 0); + len = write_to_testcase(afl, (void **)&out_buf, len, 0); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 9e0d7531..b48c6fb3 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c 
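Review bot: `(void)write_to_testcase(afl, (void **)&use_mem, q->len, 1);` in calibrate_case can now reallocate `use_mem`, which is a by-value parameter, so its owner (calibrate_case's caller, which passes a queue entry's or the fuzzer's buffer) keeps the stale pointer and touches freed memory on its next use if the block moved. The discarded return value means the target is run on the post-processed length while the rest of the function keeps using `q->len`; that predates this commit but becomes more visible now that the buffer itself can change. The realloc should not happen through the caller's pointer at all — write_to_testcase should post-process into a buffer it owns. calibrate_case starts above the hunk and ends below it; the second calibrate_case hunk has the same pattern.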
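Review bot: `(void)write_to_testcase(afl, (void **)&mem, st.st_size, 1);` in sync_fuzzers can replace `mem` via afl_realloc(), but that buffer is obtained and released outside the hunk; if it is mmap()ed, which is how the sibling import path in this codebase appears to read testcases (the mapping call is not visible here), realloc() on it is undefined behaviour and the later release of the updated pointer with the original size finishes the damage. The comment above the call, `We rely on save_if_interesting() to catch major errors`, no longer describes what can go wrong here, since memory ownership is now altered inside write_to_testcase. Keep the imported mapping out of afl_realloc()'s reach by having write_to_testcase post-process into its own buffer, or document at this call site that `mem` may be replaced and release the original pointer. sync_fuzzers starts and ends outside the hunk.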
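Review bot: `len = write_to_testcase(afl, (void **)&out_buf, len, 0);` in common_fuzz_stuff reallocates through a local copy of the caller's pointer: `out_buf` is a by-value parameter, so when afl_realloc() moves the buffer only this frame sees the new address while the caller (fuzz_one and its afl_realloc()-managed out buffer, presumably) still holds the freed one. The next afl_realloc() on that stale pointer reads a freed header and any further write through it is a use-after-free. Either return the new pointer to the caller (a `u8 **out_buf` parameter, which touches every call site) or, better, make write_to_testcase copy post-processed data into a scratch buffer it owns so the caller's allocation is never freed. common_fuzz_stuff starts above the hunk and ends below it.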
@@ -163,34 +163,36 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, so we do this worse workaround */ snprintf(shm->g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random()); -#ifdef SHM_LARGEPAGE_ALLOC_DEFAULT - /* trying to get large memory segment optimised and monitorable separately as such */ + #ifdef SHM_LARGEPAGE_ALLOC_DEFAULT + /* trying to get large memory segment optimised and monitorable separately as + * such */ static size_t sizes[4] = {(size_t)-1}; - static int psizes = 0; - int i; + static int psizes = 0; + int i; if (sizes[0] == (size_t)-1) { psizes = getpagesizes(sizes, 4); } /* very unlikely to fail even if the arch supports only two sizes */ if (likely(psizes > 0)) { - for (i = psizes - 1; shm->g_shm_fd == -1 && i >= 0; --i) { + for (i = psizes - 1; shm->g_shm_fd == -1 && i >= 0; --i) { - if (sizes[i] == 0 || map_size % sizes[i]) { continue; } + if (sizes[i] == 0 || map_size % sizes[i]) { continue; } - shm->g_shm_fd = shm_create_largepage(shm->g_shm_file_path, shmflags, i, - SHM_LARGEPAGE_ALLOC_DEFAULT, DEFAULT_PERMISSION); + shm->g_shm_fd = + shm_create_largepage(shm->g_shm_file_path, shmflags, i, + SHM_LARGEPAGE_ALLOC_DEFAULT, DEFAULT_PERMISSION); - } + } } -#endif + #endif /* create the shared memory segment as if it was a file */ if (shm->g_shm_fd == -1) { - shm->g_shm_fd = shm_open(shm->g_shm_file_path, shmflags | O_CREAT, - DEFAULT_PERMISSION); + shm->g_shm_fd = + shm_open(shm->g_shm_file_path, shmflags | O_CREAT, DEFAULT_PERMISSION); } -- cgit v1.2.3