Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(154)

Unified Diff: third_party/afl/src/experimental/post_library/post_library.so.c

Issue 2075883002: Add American Fuzzy Lop (afl) to third_party/afl/ (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fix nits Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/afl/src/experimental/post_library/post_library.so.c
diff --git a/third_party/afl/src/experimental/post_library/post_library.so.c b/third_party/afl/src/experimental/post_library/post_library.so.c
new file mode 100644
index 0000000000000000000000000000000000000000..5cdee0851ae8a59f944873101bc608c9c2f03318
--- /dev/null
+++ b/third_party/afl/src/experimental/post_library/post_library.so.c
@@ -0,0 +1,119 @@
+/*
+ american fuzzy lop - postprocessor library example
+ --------------------------------------------------
+
+ Written and maintained by Michal Zalewski <lcamtuf@google.com>
+
+ Copyright 2015 Google Inc. All rights reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at:
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Postprocessor libraries can be passed to afl-fuzz to perform final cleanup
+ of any mutated test cases - for example, to fix up checksums in PNG files.
+
+ Please heed the following warnings:
+
+ 1) In almost all cases, it is more productive to comment out checksum logic
+ in the targeted binary (as shown in ../libpng_no_checksum/). One possible
+ exception is the process of fuzzing binary-only software in QEMU mode.
+
+ 2) Use of postprocessors for anything other than checksums is questionable
+ and may cause more harm than good. AFL is normally pretty good about
+ dealing with length fields, magic values, etc.
+
+ 3) Post-processors that do anything non-trivial must be extremely robust to
+ gracefully handle malformed data and other error conditions - otherwise,
+ they will crash and take afl-fuzz down with them. Be wary of reading past
+ *len and of integer overflows when calculating file offsets.
+
+ In other words, THIS IS PROBABLY NOT WHAT YOU WANT - unless you really,
+ honestly know what you're doing =)
+
+ With that out of the way: the postprocessor library is passed to afl-fuzz
+ via AFL_POST_LIBRARY. The library must be compiled with:
+
+ gcc -shared -Wall -O3 post_library.so.c -o post_library.so
+
+ AFL will call the afl_postprocess() function for every mutated output buffer.
+ From there, you have three choices:
+
+ 1) If you don't want to modify the test case, simply return the original
+ buffer pointer ('in_buf').
+
+ 2) If you want to skip this test case altogether and have AFL generate a
+ new one, return NULL. Use this sparingly - it's faster than running
+ the target program with patently useless inputs, but still wastes CPU
+ time.
+
+ 3) If you want to modify the test case, allocate an appropriately-sized
+ buffer, move the data into that buffer, make the necessary changes, and
+ then return the new pointer. You can update *len if necessary, too.
+
+ Note that the buffer will *not* be freed for you. To avoid memory leaks,
+ you need to free it or reuse it on subsequent calls (as shown below).
+
+ *** DO NOT MODIFY THE ORIGINAL 'in_buf' BUFFER. ***
+
+ Aight. The example below shows a simple postprocessor that tries to make
+ sure that all input files start with "GIF89a".
+
+ PS. If you don't like C, you can try out the unix-based wrapper from
+ Ben Nagy instead: https://github.com/bnagy/aflfix
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* Header that must be present at the beginning of every test case: */
+
+#define HEADER "GIF89a"
+
+/* The actual postprocessor routine called by afl-fuzz: */
+
+const unsigned char* afl_postprocess(const unsigned char* in_buf,
+ unsigned int* len) {
+
+ static unsigned char* saved_buf;
+ unsigned char* new_buf;
+
+ /* Skip execution altogether for buffers shorter than 6 bytes (just to
+ show how it's done). We can trust *len to be sane. */
+
+ if (*len < strlen(HEADER)) return NULL;
+
+ /* Do nothing for buffers that already start with the expected header. */
+
+ if (!memcmp(in_buf, HEADER, strlen(HEADER))) return in_buf;
+
+ /* Allocate memory for new buffer, reusing previous allocation if
+ possible. */
+
+ new_buf = realloc(saved_buf, *len);
+
+ /* If we're out of memory, the most graceful thing to do is to return the
+ original buffer and give up on modifying it. Let AFL handle OOM on its
+ own later on. */
+
+ if (!new_buf) return in_buf;
+ saved_buf = new_buf;
+
+ /* Copy the original data to the new location. */
+
+ memcpy(new_buf, in_buf, *len);
+
+ /* Insert the new header. */
+
+ memcpy(new_buf, HEADER, strlen(HEADER));
+
+ /* Return modified buffer. No need to update *len in this particular case,
+ as we're not changing it. */
+
+ return new_buf;
+
+}

Powered by Google App Engine
This is Rietveld 408576698