├── ngiflib └── 75b9920 │ ├── CVE-2022-30857 │ ├── poc │ ├── build.sh │ └── AFG-ngiflib.c-AFG_default-CheckGif.c │ ├── CVE-2022-30858 │ ├── poc │ ├── build.sh │ ├── AFG-ngiflibSDL.c-AFG_default-SDL_LoadAnimatedGif.c │ └── AFG-ngiflibSDL.c-AFG_default-SDL_LoadAnimatedGif.h │ ├── CVE-2021-36530 │ ├── poc │ ├── build.sh │ └── AFG-ngiflib.c-LoadGif-GetByteStr.c │ ├── CVE-2021-36531 │ ├── poc │ ├── build.sh │ └── AFG-ngiflib.c-DecodeGifImg-GetByte.c │ ├── README.md │ └── build.sh ├── tcpreplay ├── 4.2.6 │ ├── CVE-2023-27789 │ │ ├── poc │ │ ├── build.sh │ │ └── AFG-cidr.c-parse_cidr-cidr2cidr.c │ ├── CVE-2023-27787 │ │ ├── cmd.md │ │ ├── poc │ │ ├── build.sh │ │ ├── AFG-xX.c-parse_xX_str-parse_list.c │ │ └── AFG-xX.c-parse_xX_str-parse_list.h │ ├── CVE-2023-27783 │ │ ├── poc │ │ ├── build.sh │ │ └── AFG-jnpr_ether.c-dlt_jnpr_ether_cleanup-tcpedit_dlt_cleanup.c │ ├── CVE-2023-27784 │ │ ├── poc │ │ ├── build.sh │ │ ├── AFG-utils.c-AFG_default-read_hexstring.c │ │ └── AFG-utils.c-AFG_default-read_hexstring.h │ ├── CVE-2023-27785 │ │ ├── poc │ │ ├── build.sh │ │ └── AFG-cidr.c-AFG_default-parse_endpoints.c │ ├── CVE-2023-27786 │ │ ├── poc │ │ ├── build.sh │ │ ├── AFG-mac.c-AFG_default-macinstring.c │ │ └── AFG-mac.c-AFG_default-macinstring.h │ ├── CVE-2023-27788 │ │ ├── poc │ │ ├── build.sh │ │ ├── AFG-portmap.c-parse_portmap-ports2PORT.c │ │ └── AFG-portmap.c-parse_portmap-ports2PORT.h │ ├── README.md │ ├── tcpedit.c.patch │ ├── configure.ac.patch │ ├── build.sh │ └── config.h.in.patch ├── 4.3.4 │ ├── CVE-2021-45387 │ │ ├── poc │ │ ├── build.sh │ │ └── AFG-tree.c-AFG_default-add_tree_ipv4.c │ ├── CVE-2021-45386 │ │ ├── poc │ │ ├── build.sh │ │ ├── build-aflpp.sh │ │ └── AFG-tree.c-AFG_default-add_tree_ipv6.c │ ├── README.md │ └── build.sh └── 4.4.1 │ ├── CVE-2022-25484 │ ├── poc │ ├── build.sh │ └── AFG-tree.c-add_tree_ipv4-packet2tree.c │ ├── README.md │ └── build.sh ├── ffjpeg ├── 627c8a9 │ ├── pr-45 │ │ ├── poc │ │ ├── build.sh │ │ └── AFG-jfif.c-AFG_default-jfif_encode.c │ ├── README.md │ └── build.sh └── 23dffdf │ ├── CVE-2021-45385 │ ├── poc │ ├── build.sh │ └── AFG-jfif.c-AFG_default-jfif_encode.c │ ├── pr-46 │ ├── poc │ ├── build.sh │ └── AFG-jfif.c-AFG_default-jfif_decode.c │ ├── README.md │ ├── make.patch │ └── build.sh ├── jhead └── 0e98605 │ ├── CVE-2022-28550 │ ├── poc │ ├── build.sh │ └── AFG-jhead.c-DoCommand-shellescape.c │ ├── README.md │ └── build.sh ├── libming └── 0.4.8 │ ├── CVE-2023-23051 │ ├── poc │ ├── build.sh │ ├── AFG-action.c-SWFAction_compile-swf5parse.c │ └── AFG-action.c-SWFAction_compile-swf5parse.h │ ├── CVE-2023-23052 │ ├── poc │ ├── build.sh │ └── AFG-makeswf.c-embed_swf-newSWFPrebuiltClip_fromInput.c │ ├── CVE-2023-23053 │ ├── poc │ ├── build.sh │ ├── AFDG-AFDG_default-makeswf_compile_source.c │ └── AFDG-AFDG_default-makeswf_compile_source.h │ ├── CVE-2023-23054 │ ├── poc │ ├── build.sh │ ├── AFG-shape_cubic.c-AFG_default-SWFShape_drawCubic.h │ └── AFG-shape_cubic.c-AFG_default-SWFShape_drawCubic.c │ ├── README.md │ └── build.sh ├── libtiff └── 4.0.9 │ ├── CVE-2022-34526 │ ├── poc │ └── build.sh │ ├── README.md │ └── build.sh ├── common.sh ├── README.md ├── liblouis └── 3.2.0 │ ├── README.md │ ├── CVE-2023-26767 │ ├── build.sh │ ├── AFG-logging.c-AFG_default-lou_logFile.c │ └── AFG-logging.c-AFG_default-lou_logFile.h │ ├── CVE-2023-26768 │ ├── build.sh │ └── AFG-compileTranslationTable.c-AFG_default-lou_setDataPath.c │ ├── CVE-2023-26769 │ ├── build.sh │ ├── AFG-compileTranslationTable.c-_lou_defaultTableResolver-resolveSubtable.c │ └── poc │ └── build.sh └── .gitignore /ngiflib/75b9920/CVE-2022-30857/poc: -------------------------------------------------------------------------------- 1 | GI -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27789/poc: -------------------------------------------------------------------------------- 1 | 2 | 3 | " 4 | -------------------------------------------------------------------------------- /ffjpeg/627c8a9/pr-45/poc: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2022-30858/poc: -------------------------------------------------------------------------------- 1 | GIF888y88&, -------------------------------------------------------------------------------- /ffjpeg/23dffdf/CVE-2021-45385/poc: -------------------------------------------------------------------------------- 1 | 2 | $$$$$$$$$$ 3 |  -------------------------------------------------------------------------------- /tcpreplay/4.3.4/CVE-2021-45387/poc: -------------------------------------------------------------------------------- 1 | R 2 | -------------------------------------------------------------------------------- /ffjpeg/23dffdf/pr-46/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/ffjpeg/23dffdf/pr-46/poc -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27787/cmd.md: -------------------------------------------------------------------------------- 1 | ``` 2 | $ ./AFG-xX.c-parse_xX_str-parse_list -detect_leaks=0 3 | ``` -------------------------------------------------------------------------------- /jhead/0e98605/CVE-2022-28550/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/jhead/0e98605/CVE-2022-28550/poc -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23051/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/libming/0.4.8/CVE-2023-23051/poc -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23052/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/libming/0.4.8/CVE-2023-23052/poc -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23053/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/libming/0.4.8/CVE-2023-23053/poc -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23054/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/libming/0.4.8/CVE-2023-23054/poc -------------------------------------------------------------------------------- /libtiff/4.0.9/CVE-2022-34526/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/libtiff/4.0.9/CVE-2022-34526/poc -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2021-36530/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/ngiflib/75b9920/CVE-2021-36530/poc -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2021-36531/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/ngiflib/75b9920/CVE-2021-36531/poc -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27783/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/tcpreplay/4.2.6/CVE-2023-27783/poc -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27784/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/tcpreplay/4.2.6/CVE-2023-27784/poc -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27785/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/tcpreplay/4.2.6/CVE-2023-27785/poc -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27786/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/tcpreplay/4.2.6/CVE-2023-27786/poc -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27787/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/tcpreplay/4.2.6/CVE-2023-27787/poc -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27788/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/tcpreplay/4.2.6/CVE-2023-27788/poc -------------------------------------------------------------------------------- /tcpreplay/4.3.4/CVE-2021-45386/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/tcpreplay/4.3.4/CVE-2021-45386/poc -------------------------------------------------------------------------------- /tcpreplay/4.4.1/CVE-2022-25484/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Marsman1996/AFGen/HEAD/tcpreplay/4.4.1/CVE-2022-25484/poc -------------------------------------------------------------------------------- /common.sh: -------------------------------------------------------------------------------- 1 | MODE="asan" 2 | 3 | export CC="clang -fsanitize=address,fuzzer-no-link -g " 4 | export CXX="clang++ -fsanitize=address,fuzzer-no-link -g " 5 | 6 | JOBS=${JOBS:-"4"} -------------------------------------------------------------------------------- /jhead/0e98605/README.md: -------------------------------------------------------------------------------- 1 | # jhead 0e98605 2 | 1. Download and compile the source code with AddressSanitizer: 3 | ``` 4 | $ build.sh 5 | ``` 6 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /libming/0.4.8/README.md: -------------------------------------------------------------------------------- 1 | # libming 0.4.8 2 | 1. Download and compile the source code with AddressSanitizer: 3 | ``` 4 | $ build.sh 5 | ``` 6 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AFGen 2 | 3 | This repository contains the fuzzing harnesses of the new vulnerabilities found in "AFGen: Whole-Function Fuzzing for Applications and Libraries" (in S&P 2024) -------------------------------------------------------------------------------- /ffjpeg/23dffdf/README.md: -------------------------------------------------------------------------------- 1 | # ffjpeg 23dffdf 2 | 1. Download and compile the source code with AddressSanitizer: 3 | ``` 4 | $ build.sh 5 | ``` 6 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /ffjpeg/627c8a9/README.md: -------------------------------------------------------------------------------- 1 | # ffjpeg 627c8a9 2 | 1. Download and compile the source code with AddressSanitizer: 3 | ``` 4 | $ build.sh 5 | ``` 6 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /liblouis/3.2.0/README.md: -------------------------------------------------------------------------------- 1 | # liblouis 3.2.0 2 | 1. Download and compile the source code with AddressSanitizer: 3 | ``` 4 | $ build.sh 5 | ``` 6 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /tcpreplay/4.2.6/README.md: -------------------------------------------------------------------------------- 1 | # tcpreplay 4.2.6 2 | 1. Download and compile the source code with AddressSanitizer: 3 | ``` 4 | $ build.sh 5 | ``` 6 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /tcpreplay/4.3.4/README.md: -------------------------------------------------------------------------------- 1 | # tcpreplay 4.3.4 2 | 1. Download and compile the source code with AddressSanitizer: 3 | ``` 4 | $ build.sh 5 | ``` 6 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /tcpreplay/4.4.1/README.md: -------------------------------------------------------------------------------- 1 | # tcpreplay 4.4.1 2 | 1. Download and compile the source code with AddressSanitizer: 3 | ``` 4 | $ build.sh 5 | ``` 6 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2021-36530/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-ngiflib.c-LoadGif-GetByteStr.c ../build_asan/libngiflib.a -I../build_asan -I/usr/include/SDL -D_REENTRANT -D_GNU_SOURCE=1 -DNGIFLIBSDL_LOG -Wno-all -o ./harness -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2022-30857/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-ngiflib.c-AFG_default-CheckGif.c ../build_asan/libngiflib.a -I/usr/include/SDL -I../build_asan -DNGIFLIBSDL_LOG -D_GNU_SOURCE=1 -D_REENTRANT -Wno-all -o ./harness 2 | -------------------------------------------------------------------------------- /libtiff/4.0.9/README.md: -------------------------------------------------------------------------------- 1 | # libtiff 4.0.9 2 | 0. Download the source code of the `libtiff`: 3 | ``` 4 | $ ./fetch.sh 5 | ``` 6 | 1. Compile the source code with AddressSanitizer: 7 | ``` 8 | $ build.sh 9 | ``` 10 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2022-30858/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-ngiflibSDL.c-AFG_default-SDL_LoadAnimatedGif.c ../build_asan/libngiflib.a -I../build_asan -I/usr/include/SDL -D_REENTRANT -DNGIFLIBSDL_LOG -D_GNU_SOURCE=1 -Wno-all -o ./harness -lSDL -------------------------------------------------------------------------------- /libtiff/4.0.9/CVE-2022-34526/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-tif_dir.c-AFG_default-_TIFFVGetField.c ../bin_asan/lib/libtiff.a -I../code/libtiff -I../build_asan/libtiff -I../code -DHAVE_CONFIG_H -lwebp -llzma -ljbig -ljpeg -lz -lm -Wno-all -o ./harness 2 | 3 | -------------------------------------------------------------------------------- /liblouis/3.2.0/CVE-2023-26767/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-logging.c-AFG_default-lou_logFile.c ../bin_asan/lib/liblouis.a -I../build_asan/gnulib -I../build_asan/liblouis -I../code/gnulib -I../code -I../code/liblouis -DHAVE_CONFIG_H -DTABLESDIR=\"../bin_asan/share/liblouis/tables\" -Wno-all -o ./harness 2 | 3 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23053/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFDG-AFDG_default-makeswf_compile_source.c ../bin_asan/lib/libming.a ../build_asan/util/.libs/libutil.a -I../code/src -I../build_asan/src -I../code/util -I../build_asan/util -fcommon -fPIC -Wno-all -o ./AFDG-AFDG_default-makeswf_compile_source -lz -lpng -lgif 2 | -------------------------------------------------------------------------------- /liblouis/3.2.0/CVE-2023-26768/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-compileTranslationTable.c-AFG_default-lou_setDataPath.c ../bin_asan/lib/liblouis.a -I../build_asan/gnulib -I../build_asan/liblouis -I../code/gnulib -I../code -I../code/liblouis -DHAVE_CONFIG_H -DTABLESDIR=\"../build_asan/../bin_asan/share/liblouis/tables\" -Wno-all -o ./harness 2 | 3 | -------------------------------------------------------------------------------- /ffjpeg/23dffdf/pr-46/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ./AFG-ffjpeg.c-main-jfif_decode.c ../build_asan/src/libffjpeg.a -I../code/src -I../code -Wno-all -o ./AFG-ffjpeg.c-main-jfif_decode 2 | 3 | clang -g -fsanitize=address,fuzzer ./AFG-jfif.c-AFG_default-jfif_decode.c ../build_asan/src/libffjpeg.a -I../code/src -I../code -Wno-all -o ./harness 4 | 5 | -------------------------------------------------------------------------------- /liblouis/3.2.0/CVE-2023-26769/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-compileTranslationTable.c-_lou_defaultTableResolver-resolveSubtable.c ../bin_asan/lib/liblouis.a -I../build_asan/gnulib -I../build_asan/liblouis -I../code/gnulib -I../code -I../code/liblouis -DHAVE_CONFIG_H -DTABLESDIR=\"../build_asan/../bin_asan/share/liblouis/tables\" -Wno-all -o ./harness -------------------------------------------------------------------------------- /ngiflib/75b9920/README.md: -------------------------------------------------------------------------------- 1 | # ngiflib 75b9920 2 | 0. Clone the source code of the `ngiflib`: 3 | ``` 4 | $ git clone https://github.com/miniupnp/ngiflib.git code 5 | $ git -C code checkout 75b99202e4e57acab399ed07b4e8f94eddf1648a 6 | ``` 7 | 1. Compile the source code with AddressSanitizer: 8 | ``` 9 | $ build.sh 10 | ``` 11 | 2. Compile the corresponding fuzz drivers -------------------------------------------------------------------------------- /ffjpeg/23dffdf/CVE-2021-45385/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ./AFG-ffjpeg.c-main-jfif_encode.c ../build_asan/src/libffjpeg.a -I../code -I../code/src -Wno-all -o ./AFG-ffjpeg.c-main-jfif_encode 2 | 3 | clang -g -fsanitize=address,fuzzer ./AFG-jfif.c-AFG_default-jfif_encode.c ../build_asan/src/libffjpeg.a -I../code -I../code/src -Wno-all -o ./harness 4 | 5 | -------------------------------------------------------------------------------- /ffjpeg/627c8a9/pr-45/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ./AFG-ffjpeg.c-main-jfif_encode.c ../build_asan/liblibffjpeg.a -I../code -I../build_normal -Wno-all -o ./AFG-ffjpeg.c-main-jfif_encode 2 | 3 | clang -g -fsanitize=address,fuzzer ./AFG-jfif.c-AFG_default-jfif_encode.c ../build_asan/liblibffjpeg.a -I../code -I../build_normal -Wno-all -o ./harness 4 | 5 | -------------------------------------------------------------------------------- /tcpreplay/4.4.1/CVE-2022-25484/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-tree.c-add_tree_ipv4-packet2tree.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I../build_asan -I/usr/include -I/usr/local/include -I../build_asan/src -DTCPPREP -DHAVE_CONFIG_H "-D_U_=__attribute__((unused))" -Wno-all -o ./harness -lpcap 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # folders 2 | code 3 | build_asan 4 | bin_asan 5 | 6 | # files 7 | .DS_Store 8 | crash-* 9 | leak-* 10 | slow-unit-* 11 | AFG_file* 12 | harness 13 | 14 | liblouis/3.2.0/liblouis-3.2.0.tar.gz 15 | libming/0.4.8/ming-0_4_8.tar.gz 16 | libtiff/4.0.9/libtiff-v4.0.9.tar.gz 17 | tcpreplay/09f0774/tcpreplay-4.4.1.tar.gz 18 | tcpreplay/4.2.6/v4.2.6.tar.gz 19 | tcpreplay/0ca82e3/tcpreplay-4.3.4.tar.gz 20 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23054/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-shape_cubic.c-AFG_default-SWFShape_drawCubic.c ../bin_asan/lib/libming.a ../build_asan/util/.libs/libutil.a ../build_asan/src/blocks/.libs/libblock.a ../build_asan/src/actioncompiler/.libs/libactioncompiler.a -I../code/src -I../build_asan/src -I../code/util -fcommon -fPIC -DHAVE_CONFIG_H -DSWF_LITTLE_ENDIAN -Wno-all -o ./harness -lz -lpng -lgif 2 | 3 | 4 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/tcpedit.c.patch: -------------------------------------------------------------------------------- 1 | --- code/src/tcpedit/tcpedit.c 2017-05-16 23:13:43.000000000 +0800 2 | +++ build_asan/src/tcpedit/tcpedit.c 2024-05-30 20:11:52.416415145 +0800 3 | @@ -42,7 +42,7 @@ 4 | #include "lib/sll.h" 5 | #include "dlt.h" 6 | 7 | -tOptDesc *const tcpedit_tcpedit_optDesc_p; 8 | +extern tOptDesc *const tcpedit_tcpedit_optDesc_p; 9 | 10 | /** 11 | * \brief Checks to see if you should make an edit 12 | -------------------------------------------------------------------------------- /jhead/0e98605/CVE-2022-28550/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-jhead.c-DoCommand-shellescape.c ../bin_asan/libjhead.a -I../build_asan -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wno-all -o ./harness 2 | 3 | # clang -g -fsanitize=address,fuzzer ./AFG-jhead.c-AFG_default-shellescape.c ../bin_asan/libjhead.a -I../build_asan -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wno-all -o ./AFG-jhead.c-AFG_default-shellescape 4 | 5 | -------------------------------------------------------------------------------- /tcpreplay/4.3.4/CVE-2021-45386/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-tree.c-AFG_default-add_tree_ipv6.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I/usr/local/include -I/opt/disk/marsman/tcpreplay/0ca82e3/build_normal -I/opt/disk/marsman/tcpreplay/0ca82e3/build_normal/src -I/usr/include -DHAVE_CONFIG_H -DTCPPREP "-D_U_=__attribute__((unused))" -Wno-all -o ./harness -lpcap 2 | 3 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23051/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-action.c-SWFAction_compile-swf5parse.c ../bin_asan/lib/libming.a ../build_asan/util/.libs/libutil.a ../build_asan/src/blocks/.libs/libblock.a ../build_asan/src/actioncompiler/.libs/libactioncompiler.a -I../code/util -I/usr/include/freetype2 -I../build_asan/src -I../code/src -I../build_asan/src/blocks -I../code/src/blocks -fcommon -fPIC -DHAVE_CONFIG_H -DSWF_LITTLE_ENDIAN -Wno-all -o ./harness -lz -lpng -lgif 2 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23052/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-makeswf.c-embed_swf-newSWFPrebuiltClip_fromInput.c ../build_asan/util/makeswf_utils.o ../bin_asan/lib/libming.a ../build_asan/util/.libs/libutil.a ../build_asan/src/blocks/.libs/libblock.a ../build_asan/src/actioncompiler/.libs/libactioncompiler.a -I../code/util -I../build_asan/src -I../build_asan/util -I../build_asan/src/blocks -I/usr/include/freetype2 -I../code/src -I../code/src/blocks -fcommon -fPIC -DHAVE_CONFIG_H -DSWF_LITTLE_ENDIAN -Wno-all -o ./harness -lz -lpng -lgif 2 | -------------------------------------------------------------------------------- /libtiff/4.0.9/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | wget https://gitlab.com/libtiff/libtiff/-/archive/v4.0.9/libtiff-v4.0.9.tar.gz 6 | tar -xf libtiff-v4.0.9.tar.gz && mv libtiff-v4.0.9 code 7 | 8 | # compile 9 | CXXFLAGS="${CXXFLAGS}" 10 | 11 | echo "start compiling $PWD with $MODE" 12 | 13 | rm -rf build_$MODE bin_$MODE 14 | mkdir build_$MODE 15 | pushd build_$MODE 16 | 17 | ../code/configure --prefix=$PWD/../bin_$MODE --enable-static --disable-shared 18 | make -j $JOBS || exit 1 19 | 20 | make install || exit 1 21 | 22 | popd 23 | 24 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /liblouis/3.2.0/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | wget https://github.com/liblouis/liblouis/releases/download/v3.2.0/liblouis-3.2.0.tar.gz 6 | tar -xf liblouis-3.2.0.tar.gz && mv liblouis-3.2.0 code 7 | 8 | # compile 9 | CXXFLAGS="${CXXFLAGS}" 10 | 11 | echo "start compiling $PWD with $MODE" 12 | 13 | rm -rf build_$MODE bin_$MODE 14 | mkdir build_$MODE 15 | pushd build_$MODE 16 | 17 | ../code/configure --prefix=$PWD/../bin_$MODE --enable-static --disable-shared 18 | make || exit 1 19 | 20 | make install || exit 1 21 | 22 | popd 23 | 24 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /ngiflib/75b9920/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | git clone https://github.com/miniupnp/ngiflib.git code 6 | git -C code checkout 75b99202e4e57acab399ed07b4e8f94eddf1648a 7 | 8 | # compile 9 | echo "start compiling $PWD with $MODE" 10 | 11 | rm -rf build_$MODE bin_$MODE 12 | cp -r code build_$MODE || ( echo "[ERROR]: No code folder find!" && exit 1 ) 13 | pushd build_$MODE 14 | 15 | make 16 | ar cru libngiflib.a *.o 17 | 18 | popd 19 | 20 | mkdir -p bin_$MODE/bin 21 | mkdir -p bin_$MODE/lib 22 | cp build_$MODE/gif2tga bin_$MODE/bin 23 | 24 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /jhead/0e98605/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | git clone https://github.com/Matthias-Wandel/jhead.git code 6 | git -C code checkout 0e98605 7 | 8 | # compile 9 | CXXFLAGS="${CXXFLAGS}" 10 | 11 | echo "start compiling $PWD with $MODE" 12 | 13 | rm -rf build_$MODE bin_$MODE 14 | cp -r code build_$MODE || ( echo "[ERROR]: No code folder find!" && exit 1 ) 15 | pushd build_$MODE 16 | 17 | make || exit 1 18 | 19 | popd 20 | mkdir -p bin_$MODE/bin 21 | cp build_$MODE/jhead bin_$MODE/bin 22 | ar cru bin_$MODE/libjhead.a build_$MODE/obj/*.o 23 | 24 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /tcpreplay/4.3.4/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | wget https://github.com/appneta/tcpreplay/releases/download/v4.3.4/tcpreplay-4.3.4.tar.gz 6 | tar -xf tcpreplay-4.3.4.tar.gz && mv tcpreplay-4.3.4 code 7 | 8 | CXXFLAGS="${CXXFLAGS}" 9 | 10 | echo "start compiling $PWD with $MODE" 11 | 12 | rm -rf build_$MODE bin_$MODE 13 | cp -r code build_$MODE 14 | pushd build_$MODE 15 | 16 | ./autogen.sh 17 | ./configure --prefix=$PWD/../bin_$MODE --disable-local-libopts --disable-libopts-install 18 | make -j $JOBS || exit 1 19 | 20 | make install || exit 1 21 | 22 | popd 23 | 24 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /libming/0.4.8/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz 6 | tar -xf ming-0_4_8.tar.gz && mv libming-ming-0_4_8 code 7 | 8 | # compile 9 | CXXFLAGS="${CXXFLAGS}" 10 | 11 | echo "start compiling $PWD with $MODE" 12 | 13 | rm -rf build_$MODE bin_$MODE 14 | cp -r code build_$MODE 15 | pushd build_$MODE 16 | 17 | CFLAGS+=" -fcommon" 18 | export CFLAGS=$CFLAGS 19 | 20 | ./autogen.sh 21 | ./configure --prefix=$PWD/../bin_$MODE --enable-static --disable-shared --disable-freetype 22 | make || exit 1 23 | 24 | make install 25 | 26 | popd 27 | 28 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /tcpreplay/4.4.1/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | wget https://github.com/appneta/tcpreplay/releases/download/v4.4.1/tcpreplay-4.4.1.tar.gz 6 | tar -xf tcpreplay-4.4.1.tar.gz && mv tcpreplay-4.4.1 code 7 | 8 | # compile 9 | CFALGS+="-DNDEBUG" 10 | CXXFLAGS="${CXXFLAGS}" 11 | 12 | echo "start compiling $PWD with $MODE" 13 | 14 | rm -rf build_$MODE bin_$MODE 15 | cp -r code build_$MODE 16 | pushd build_$MODE 17 | 18 | ./autogen.sh 19 | ./configure --prefix=$PWD/../bin_$MODE --disable-local-libopts --disable-libopts-install 20 | make -j $JOBS || exit 1 21 | 22 | make install || exit 1 23 | 24 | popd 25 | 26 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /ffjpeg/23dffdf/make.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/Makefile b/src/Makefile 2 | index 0fb5d51..99f658d 100644 3 | --- a/src/Makefile 4 | +++ b/src/Makefile 5 | @@ -1,9 +1,9 @@ 6 | # makefile for ffjpeg project 7 | # written by rockcarry 8 | 9 | -CC = gcc 10 | +CC ?= gcc 11 | AR = ar 12 | -CCFLAGS = -Wall 13 | +CFLAGS = -Wall 14 | 15 | OBJS = \ 16 | color.o \ 17 | @@ -24,10 +24,10 @@ $(LIB) : $(OBJS) 18 | $(AR) rcs $@ $(OBJS) 19 | 20 | %.o : %.c %.h stdefine.h 21 | - $(CC) $(CCFLAGS) -o $@ $< -c 22 | + $(CC) $(CFLAGS) -o $@ $< -c 23 | 24 | $(PROG) : $(PROG).o $(LIB) 25 | - $(CC) $(CCFLAGS) -o $@ $< $(LIB) 26 | + $(CC) $(CFLAGS) -o $@ $< $(LIB) 27 | 28 | clean : 29 | -rm -f *.o 30 | -------------------------------------------------------------------------------- /ffjpeg/23dffdf/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | git clone https://github.com/rockcarry/ffjpeg.git code 6 | git -C code checkout 23dffdfd2507b4de7b9f292ac1a791d68f4fd9a3 7 | patch code/src/Makefile < make.patch 8 | 9 | # compile 10 | CXXFLAGS="${CXXFLAGS}" 11 | 12 | echo "start compiling $PWD with $MODE" 13 | 14 | rm -rf build_$MODE bin_$MODE 15 | cp -r code build_$MODE 16 | pushd build_$MODE 17 | 18 | # cmake ../code -DCMAKE_INSTALL_PREFIX=$PWD/../bin_$MODE -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" 19 | make || exit 1 20 | 21 | popd 22 | mkdir -p bin_$MODE/bin 23 | cp build_$MODE/src/ffjpeg bin_$MODE/bin 24 | 25 | 26 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /ffjpeg/627c8a9/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | git clone https://github.com/rockcarry/ffjpeg.git code 6 | git -C code checkout 627c8a922d699bccc7902c149ff658edc0e47bf9 7 | wget -P ./code https://github.com/rockcarry/ffjpeg/files/2305428/CMakeLists.txt 8 | 9 | # compile 10 | echo "start compiling $PWD with $MODE" 11 | 12 | rm -rf build_$MODE bin_$MODE 13 | mkdir build_$MODE 14 | pushd build_$MODE 15 | 16 | cmake ../code -DCMAKE_INSTALL_PREFIX=$PWD/../bin_$MODE -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" 17 | make || exit 1 18 | 19 | popd 20 | mkdir -p bin_$MODE/bin 21 | cp build_$MODE/ffjpeg bin_$MODE/bin 22 | 23 | 24 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /tcpreplay/4.3.4/CVE-2021-45387/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ./AFG-tcpprep.c-process_raw_packets-add_tree_ipv4.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I/usr/local/include -I../build_asan/src -I/usr/include -I../build_asan "-D_U_=__attribute__((unused))" -DHAVE_CONFIG_H -DTCPPREP -Wno-all -o ./AFG-tcpprep.c-process_raw_packets-add_tree_ipv4 2 | 3 | clang -g -fsanitize=address,fuzzer ./AFG-tree.c-AFG_default-add_tree_ipv4.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I/usr/local/include -I../build_asan/src -I/usr/include -I../build_asan "-D_U_=__attribute__((unused))" -DHAVE_CONFIG_H -DTCPPREP -Wno-all -o ./harness -lpcap 4 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/configure.ac.patch: -------------------------------------------------------------------------------- 1 | --- code/configure.ac 2017-05-16 23:13:43.000000000 +0800 2 | +++ build_asan/configure.ac 2024-05-30 20:38:45.261788692 +0800 3 | @@ -326,13 +326,13 @@ 4 | dnl Checks for library functions. 5 | AC_FUNC_FORK 6 | AC_FUNC_LSTAT_FOLLOWS_SLASHED_SYMLINK 7 | -AC_FUNC_MALLOC 8 | + 9 | AC_FUNC_MEMCMP 10 | AC_TYPE_SIGNAL 11 | AC_FUNC_VPRINTF 12 | AC_FUNC_MKTIME 13 | AC_FUNC_MMAP 14 | -AC_FUNC_REALLOC 15 | + 16 | AC_CHECK_MEMBERS([struct timeval.tv_sec]) 17 | AC_CHECK_FUNCS([alarm atexit bzero dup2 gethostbyname getpagesize gettimeofday ctime inet_ntoa memmove memset munmap pow putenv realpath regcomp strdup select socket strcasecmp strchr strcspn strdup strerror strtol strncpy strtoull poll ntohll mmap snprintf vsnprintf strsignal strpbrk strrchr strspn strstr strtoul]) 18 | 19 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . ../../common.sh $1 3 | 4 | # fetch source code 5 | wget https://github.com/appneta/tcpreplay/archive/refs/tags/v4.2.6.tar.gz 6 | tar -xf v4.2.6.tar.gz && mv tcpreplay-4.2.6 code 7 | patch code/src/config.h.in < config.h.in.patch 8 | patch code/src/tcpedit/tcpedit.c < tcpedit.c.patch 9 | patch code/configure.ac < configure.ac.patch 10 | 11 | # compile 12 | CXXFLAGS="${CXXFLAGS}" 13 | 14 | echo "start compiling $PWD with $MODE" 15 | 16 | rm -rf build_$MODE bin_$MODE 17 | cp -r code build_$MODE 18 | pushd build_$MODE 19 | 20 | ./autogen.sh 21 | ./configure --prefix=$PWD/../bin_$MODE --disable-local-libopts --disable-libopts-install --enable-static --disable-shared 22 | make -j $JOBS || exit 1 23 | 24 | make install || exit 1 25 | 26 | popd 27 | 28 | echo "end compiling $PWD with $MODE" -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27787/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-xX.c-parse_xX_str-parse_list.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./harness 2 | 3 | # clang -g -fsanitize=address,fuzzer ./AFG-list.c-AFG_default-parse_list.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./AFG-list.c-AFG_default-parse_list 4 | 5 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27786/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ./AFG-tcpprep.c-process_raw_packets-macinstring.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan -I/usr/local/include -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -DTCPPREP -lpcap -lopts -Wno-all -o ./AFG-tcpprep.c-process_raw_packets-macinstring 2 | 3 | clang -g -fsanitize=address,fuzzer ./AFG-mac.c-AFG_default-macinstring.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./harness 4 | 5 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27789/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-cidr.c-parse_cidr-cidr2cidr.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a ../build_asan/src/fragroute/libfragroute.a -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./harness 2 | 3 | # clang -g -fsanitize=address,fuzzer ./AFG-cidr.c-AFG_default-cidr2cidr.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a ../build_asan/src/fragroute/libfragroute.a -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./AFG-cidr.c-AFG_default-cidr2cidr 4 | 5 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27785/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ./AFG-parse_args.c-tcpedit_post_args-parse_endpoints.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I../build_asan/src/tcpedit -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan/src/tcpedit/plugins -I../build_asan -I../build_asan/src -I/usr/local/include -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./AFG-parse_args.c-tcpedit_post_args-parse_endpoints 2 | 3 | clang -g -fsanitize=address,fuzzer ./AFG-cidr.c-AFG_default-parse_endpoints.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./harness 4 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27788/build.sh: -------------------------------------------------------------------------------- 1 | clang -g -fsanitize=address,fuzzer ./AFG-portmap.c-parse_portmap-ports2PORT.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a ../build_asan/src/fragroute/libfragroute.a -I../build_asan/src/tcpedit -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan/src/tcpedit/plugins -I../build_asan -I../build_asan/src -I/usr/local/include -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./harness 2 | 3 | # clang -g -fsanitize=address,fuzzer ./AFG-portmap.c-AFG_default-ports2PORT.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a ../build_asan/src/fragroute/libfragroute.a -I../build_asan/src/tcpedit -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan/src/tcpedit/plugins -I../build_asan -I../build_asan/src -I/usr/local/include -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./AFG-portmap.c-AFG_default-ports2PORT 4 | 5 | -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2021-36531/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ../GetByte/AFG-ngiflib.c-GetGifWord-GetByte.c ../build_asan/libngiflib.a -I/usr/include/SDL -I../build_asan -DNGIFLIBSDL_LOG -D_GNU_SOURCE=1 -D_REENTRANT -Wno-all -o ../GetByte/AFG-ngiflib.c-GetGifWord-GetByte 2 | 3 | clang -g -fsanitize=address,fuzzer ./AFG-ngiflib.c-DecodeGifImg-GetByte.c ../build_asan/libngiflib.a -I/usr/include/SDL -I../build_asan -DNGIFLIBSDL_LOG -D_GNU_SOURCE=1 -D_REENTRANT -Wno-all -o ./harness 4 | 5 | # clang -g -fsanitize=address,fuzzer ../GetByte/AFG-ngiflib.c-LoadGif-GetByte.c ../build_asan/libngiflib.a -I/usr/include/SDL -I../build_asan -DNGIFLIBSDL_LOG -D_GNU_SOURCE=1 -D_REENTRANT -Wno-all -o ../GetByte/AFG-ngiflib.c-LoadGif-GetByte 6 | 7 | # clang -g -fsanitize=address,fuzzer ../GetByte/AFG-ngiflib.c-GetWord-GetByte.c ../build_asan/libngiflib.a -I/usr/include/SDL -I../build_asan -DNGIFLIBSDL_LOG -D_GNU_SOURCE=1 -D_REENTRANT -Wno-all -o ../GetByte/AFG-ngiflib.c-GetWord-GetByte 8 | 9 | # clang -g -fsanitize=address,fuzzer ../GetByte/AFG-ngiflib.c-AFG_default-GetByte.c ../build_asan/libngiflib.a -I/usr/include/SDL -I../build_asan -DNGIFLIBSDL_LOG -D_GNU_SOURCE=1 -D_REENTRANT -Wno-all -o ../GetByte/AFG-ngiflib.c-AFG_default-GetByte 10 | 11 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27784/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ./AFG-user.c-dlt_user_parse_opts-read_hexstring.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I../build_asan/src/tcpedit -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan/src/tcpedit/plugins -I../build_asan -I../build_asan/src/tcpedit/plugins/dlt_user -I../build_asan/src -I/usr/local/include -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./AFG-user.c-dlt_user_parse_opts-read_hexstring 2 | 3 | # clang -g -fsanitize=address,fuzzer ./AFG-utils.c-AFG_default-read_hexstring.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a /opt/disk/marsman/tcpreplay/4.2.6/bin_asan/libfragroute.a -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./AFG-utils.c-AFG_default-read_hexstring 4 | 5 | clang -g -fsanitize=address,fuzzer ./AFG-utils.c-AFG_default-read_hexstring.c -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I../build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./harness -------------------------------------------------------------------------------- /tcpreplay/4.3.4/CVE-2021-45386/build-aflpp.sh: -------------------------------------------------------------------------------- 1 | # AFL_LLVM_USE_TRACE_PC=1 AFL_USE_ASAN=1 AFL_LLVM_DICT2FILE=$PWD/AFG-dict-process_raw_packets.dict $AFLPP_PATH/afl-clang-fast /opt/disk/marsman/tcpreplay/0ca82e3/out/add_tree_ipv6/AFG-tcpprep.c-process_raw_packets-add_tree_ipv6.c $AFLPP_PATH/utils/aflpp_driver/libAFLDriver.a /opt/disk/marsman/tcpreplay/0ca82e3/bin_asan/libtcpedit.a /opt/disk/marsman/tcpreplay/0ca82e3/bin_asan/libcommon.a /opt/disk/marsman/tcpreplay/0ca82e3/bin_asan/libstrl.a -I/usr/local/include -I/opt/disk/marsman/tcpreplay/0ca82e3/build_normal -I/opt/disk/marsman/tcpreplay/0ca82e3/build_normal/src -I/usr/include -Wno-all -o /opt/disk/marsman/tcpreplay/0ca82e3/out/add_tree_ipv6/AFG-tcpprep.c-process_raw_packets-add_tree_ipv6-aflpp 2 | 3 | AFL_LLVM_USE_TRACE_PC=1 AFL_USE_ASAN=1 AFL_LLVM_DICT2FILE=$PWD/AFG-dict-AFG_default.dict $AFLPP_PATH/afl-clang-fast /opt/disk/marsman/tcpreplay/0ca82e3/out/add_tree_ipv6/AFG-tree.c-AFG_default-add_tree_ipv6.c $AFLPP_PATH/utils/aflpp_driver/libAFLDriver.a /opt/disk/marsman/tcpreplay/0ca82e3/bin_asan/libtcpedit.a /opt/disk/marsman/tcpreplay/0ca82e3/bin_asan/libcommon.a /opt/disk/marsman/tcpreplay/0ca82e3/bin_asan/libstrl.a -I/usr/local/include -I/opt/disk/marsman/tcpreplay/0ca82e3/build_normal -I/opt/disk/marsman/tcpreplay/0ca82e3/build_normal/src -I/usr/include -DHAVE_CONFIG_H -DTCPPREP "-D_U_=__attribute__((unused))" -Wno-all -o /opt/disk/marsman/tcpreplay/0ca82e3/out/add_tree_ipv6/AFG-tree.c-AFG_default-add_tree_ipv6-aflpp -lpcap 4 | 5 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27783/build.sh: -------------------------------------------------------------------------------- 1 | # clang -g -fsanitize=address,fuzzer ./AFG-dlt_plugins.c-tcpedit_dlt_init-tcpedit_dlt_cleanup.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I../build_asan/src/tcpedit -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan/src/tcpedit/plugins -I../build_asan -I../build_asan/src -I/usr/local/include -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./AFG-dlt_plugins.c-tcpedit_dlt_init-tcpedit_dlt_cleanup 2 | 3 | clang -g -fsanitize=address,fuzzer ./AFG-jnpr_ether.c-dlt_jnpr_ether_cleanup-tcpedit_dlt_cleanup.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I../build_asan/src/tcpedit -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan/src/tcpedit/plugins -I../build_asan -I../build_asan/src -I../build_asan/src/tcpedit/plugins/dlt_jnpr_ether -I/usr/local/include -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./harness 4 | 5 | # clang -g -fsanitize=address,fuzzer ./AFG-dlt_plugins.c-AFG_default-tcpedit_dlt_cleanup.c ../build_asan/src/tcpedit/libtcpedit.a ../build_asan/src/common/libcommon.a ../build_asan/lib/libstrl.a -I../build_asan/src/tcpedit -I/opt/disk/marsman/tcpreplay/4.2.6/build_asan/src -I/usr/include -I../build_asan/src/common -I../build_asan/src/tcpedit/plugins -I../build_asan -I../build_asan/src -I/usr/local/include -DHAVE_CONFIG_H -std=gnu99 "-D_U_=__attribute__((unused))" -lpcap -lopts -Wno-all -o ./AFG-dlt_plugins.c-AFG_default-tcpedit_dlt_cleanup 6 | 7 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23052/AFG-makeswf.c-embed_swf-newSWFPrebuiltClip_fromInput.c: -------------------------------------------------------------------------------- 1 | #include "AFG-makeswf.c-embed_swf-newSWFPrebuiltClip_fromInput.h" 2 | /* This is the copy of /opt/disk/marsman/libming/0.4.8/code/util/makeswf.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[1] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* filename) 15 | { 16 | SWFInput in; 17 | FILE *swf; 18 | if(!(swf = fopen(filename, "rb"))) 19 | return 1; 20 | if(!(in = newSWFInput_file(swf))) 21 | return 1; 22 | newSWFPrebuiltClip_fromInput(in); 23 | } 24 | 25 | #ifdef __cplusplus 26 | extern "C" 27 | #endif 28 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) 29 | { 30 | size_t AFG_offset = 0, minimum_size = sizeof(char)*1; 31 | if(Size <= minimum_size) { 32 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 33 | return 0; 34 | } 35 | size_t pt_size = (Size - minimum_size) / 1; 36 | 37 | char * filename; 38 | FILE* AFG_fd_0 = fopen("AFG_file2_0", "w"); 39 | fwrite("FWS", 1, 3, AFG_fd_0); 40 | fwrite(Data+AFG_offset, 1, pt_size, AFG_fd_0); 41 | fclose(AFG_fd_0); 42 | filename = "AFG_file2_0"; 43 | AFG_offset+=pt_size; 44 | 45 | AFG_func(filename); 46 | 47 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 48 | free(AFG_alloc_list[AFG_free_i]); 49 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 50 | fclose(AFG_fopen_list[AFG_free_i]); 51 | AFG_alloc_cnt = 0; 52 | AFG_fopen_cnt = 0; 53 | 54 | return 0; 55 | } 56 | -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2022-30858/AFG-ngiflibSDL.c-AFG_default-SDL_LoadAnimatedGif.c: -------------------------------------------------------------------------------- 1 | #include "AFG-ngiflibSDL.c-AFG_default-SDL_LoadAnimatedGif.h" 2 | /* This is the copy of /opt/disk/marsman/ngiflib/75b9920/build_normal/ngiflibSDL.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[1] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* file) 15 | { 16 | SDL_LoadAnimatedGif(file); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(char)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / 1; 39 | 40 | char * file; 41 | FILE* AFG_fd_0 = fopen("AFG_file2_0", "w"); 42 | fwrite(AFG_Data+AFG_offset, 1, pt_size, AFG_fd_0); 43 | fclose(AFG_fd_0); 44 | file = "AFG_file2_0"; 45 | AFG_offset+=pt_size; 46 | 47 | AFG_func(file); 48 | 49 | AFG_fail: 50 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 51 | free(AFG_alloc_list[AFG_free_i]); 52 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 53 | fclose(AFG_fopen_list[AFG_free_i]); 54 | AFG_alloc_cnt = 0; 55 | AFG_fopen_cnt = 0; 56 | 57 | return 0; 58 | } 59 | -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2022-30857/AFG-ngiflib.c-AFG_default-CheckGif.c: -------------------------------------------------------------------------------- 1 | #include "AFG-ngiflib.c-AFG_default-CheckGif.h" 2 | /* This is the copy of /opt/disk/marsman/ngiflib/75b9920/build_normal/ngiflib.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[2] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(unsigned char* b) 15 | { 16 | CheckGif(b); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(unsigned char)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / 1; 39 | if (pt_size < sizeof(unsigned char) ) { return -1; } 40 | unsigned char * b; 41 | b = (unsigned char *)malloc(pt_size); 42 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) b; 43 | memcpy((void *)b, AFG_Data+AFG_offset, pt_size); 44 | AFG_offset+=pt_size; 45 | 46 | AFG_func(b); 47 | 48 | AFG_fail: 49 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 50 | free(AFG_alloc_list[AFG_free_i]); 51 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 52 | fclose(AFG_fopen_list[AFG_free_i]); 53 | AFG_alloc_cnt = 0; 54 | AFG_fopen_cnt = 0; 55 | 56 | return 0; 57 | } 58 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/config.h.in.patch: -------------------------------------------------------------------------------- 1 | --- code/src/config.h.in 2017-05-16 23:13:43.000000000 +0800 2 | +++ build_asan/src/config.h.in 2024-05-30 20:04:34.000000000 +0800 3 | @@ -232,10 +232,6 @@ 4 | /* Building Linux */ 5 | #undef HAVE_LINUX 6 | 7 | -/* Define to 1 if your system has a GNU libc compatible `malloc' function, and 8 | - to 0 otherwise. */ 9 | -#undef HAVE_MALLOC 10 | - 11 | /* Define to 1 if you have the `memmove' function. */ 12 | #undef HAVE_MEMMOVE 13 | 14 | @@ -344,10 +340,6 @@ 15 | /* Define to 1 if you have the `putenv' function. */ 16 | #undef HAVE_PUTENV 17 | 18 | -/* Define to 1 if your system has a GNU libc compatible `realloc' function, 19 | - and to 0 otherwise. */ 20 | -#undef HAVE_REALLOC 21 | - 22 | /* Define this if we have a functional realpath(3C) */ 23 | #undef HAVE_REALPATH 24 | 25 | @@ -600,8 +592,7 @@ 26 | slash. */ 27 | #undef LSTAT_FOLLOWS_SLASHED_SYMLINK 28 | 29 | -/* Define to the sub-directory in which libtool stores uninstalled libraries. 30 | - */ 31 | +/* Define to the sub-directory where libtool stores uninstalled libraries. */ 32 | #undef LT_OBJDIR 33 | 34 | /* Define to 1 if `major', `minor', and `makedev' are declared in . 35 | @@ -747,18 +738,12 @@ 36 | a type exists and the standard includes do not define it. */ 37 | #undef int8_t 38 | 39 | -/* Define to rpl_malloc if the replacement function should be used. */ 40 | -#undef malloc 41 | - 42 | /* Define to `long int' if does not define. */ 43 | #undef off_t 44 | 45 | /* Define to `int' if does not define. */ 46 | #undef pid_t 47 | 48 | -/* Define to rpl_realloc if the replacement function should be used. */ 49 | -#undef realloc 50 | - 51 | /* Define to `unsigned int' if does not define. */ 52 | #undef size_t 53 | 54 | -------------------------------------------------------------------------------- /liblouis/3.2.0/CVE-2023-26768/AFG-compileTranslationTable.c-AFG_default-lou_setDataPath.c: -------------------------------------------------------------------------------- 1 | #include "AFG-compileTranslationTable.c-AFG_default-lou_setDataPath.h" 2 | /* This is the copy of /opt/disk/marsman/liblouis/3.2.0/code/liblouis/compileTranslationTable.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[2] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* path) 15 | { 16 | lou_setDataPath(path); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(char)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / 1; 39 | if (pt_size < sizeof(char) ) { return -1; } 40 | char * path; 41 | path = (char *)malloc(pt_size+1); 42 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) path; 43 | memcpy((void *)path, AFG_Data+AFG_offset, pt_size); 44 | path[pt_size] = '\0'; 45 | AFG_offset+=pt_size; 46 | 47 | AFG_func(path); 48 | 49 | AFG_fail: 50 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 51 | free(AFG_alloc_list[AFG_free_i]); 52 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 53 | fclose(AFG_fopen_list[AFG_free_i]); 54 | AFG_alloc_cnt = 0; 55 | AFG_fopen_cnt = 0; 56 | 57 | return 0; 58 | } 59 | -------------------------------------------------------------------------------- /liblouis/3.2.0/CVE-2023-26767/AFG-logging.c-AFG_default-lou_logFile.c: -------------------------------------------------------------------------------- 1 | #include "AFG-logging.c-AFG_default-lou_logFile.h" 2 | /* This is the copy of /opt/disk/marsman/liblouis/3.2.0/code/liblouis/logging.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[2] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* fileName) 15 | { 16 | lou_logFile(fileName); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(char)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / 1; 39 | 40 | char * fileName; 41 | // FILE* AFG_fd_0 = fopen("AFG_file2_0", "w"); 42 | // fwrite(AFG_Data+AFG_offset, 1, pt_size, AFG_fd_0); 43 | // fclose(AFG_fd_0); 44 | // fileName = "AFG_file2_0"; 45 | // AFG_offset+=pt_size; 46 | 47 | fileName = (char *)malloc(pt_size+1); 48 | AFG_alloc_list[AFG_alloc_cnt++] = fileName; 49 | memcpy(fileName, AFG_Data+AFG_offset, pt_size); 50 | fileName[pt_size] = '\0'; 51 | AFG_offset+=pt_size; 52 | 53 | AFG_func(fileName); 54 | 55 | AFG_fail: 56 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 57 | free(AFG_alloc_list[AFG_free_i]); 58 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 59 | fclose(AFG_fopen_list[AFG_free_i]); 60 | AFG_alloc_cnt = 0; 61 | AFG_fopen_cnt = 0; 62 | 63 | return 0; 64 | } 65 | -------------------------------------------------------------------------------- /ffjpeg/23dffdf/CVE-2021-45385/AFG-jfif.c-AFG_default-jfif_encode.c: -------------------------------------------------------------------------------- 1 | #include "AFG-jfif.c-AFG_default-jfif_encode.h" 2 | /* This is the copy of /opt/disk/marsman/ffjpeg/23dffdf/code/src/jfif.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[3] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(BMP* pb) 15 | { 16 | jfif_encode(pb); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(BMP)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / 2; 39 | 40 | BMP * pb; 41 | pb = (BMP*)malloc(sizeof(BMP)); 42 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) pb; 43 | memcpy((void *)&pb->height, AFG_Data+AFG_offset, sizeof(int)); 44 | AFG_offset+=sizeof(int); 45 | memcpy((void *)&pb->stride, AFG_Data+AFG_offset, sizeof(int)); 46 | AFG_offset+=sizeof(int); 47 | memcpy((void *)&pb->width, AFG_Data+AFG_offset, sizeof(int)); 48 | AFG_offset+=sizeof(int); 49 | pb->pdata = NULL; 50 | 51 | pb->pdata = malloc((size_t)pb->stride * pb->height); 52 | 53 | AFG_func(pb); 54 | 55 | AFG_fail: 56 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 57 | free(AFG_alloc_list[AFG_free_i]); 58 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 59 | fclose(AFG_fopen_list[AFG_free_i]); 60 | AFG_alloc_cnt = 0; 61 | AFG_fopen_cnt = 0; 62 | 63 | return 0; 64 | } 65 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23053/AFDG-AFDG_default-makeswf_compile_source.c: -------------------------------------------------------------------------------- 1 | #include "AFDG-AFDG_default-makeswf_compile_source.h" 2 | /* This is the copy of /opt/disk/marsman/libming/0.4.8/code/util/makeswf_utils.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFDG_alloc_list[3] = { NULL }; 10 | int AFDG_alloc_cnt = 0; 11 | FILE* AFDG_fopen_list[1] = { NULL }; 12 | int AFDG_fopen_cnt = 0; 13 | 14 | int AFDG_func(char* filename,char* ppfile,int debug) 15 | { 16 | makeswf_compile_source(filename, ppfile, debug); 17 | return 0; 18 | } 19 | 20 | #ifdef __cplusplus 21 | extern "C" 22 | #endif 23 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) 24 | { 25 | size_t AFDG_offset = 0, minimum_size = sizeof(char)*2+sizeof(int)*1; 26 | if(Size <= minimum_size) { 27 | printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 28 | return 0; 29 | } 30 | size_t pt_size = (Size - minimum_size) / 2; 31 | if (pt_size < sizeof(char) ) { return 0; } 32 | char * filename; 33 | filename = (char *)malloc(pt_size+1); 34 | AFDG_alloc_list[AFDG_alloc_cnt++] = (void*) filename; 35 | memcpy((void *)filename, Data+AFDG_offset, pt_size); 36 | AFDG_offset+=pt_size; 37 | filename[pt_size] = '\0'; 38 | char * ppfile; 39 | ppfile = (char *)malloc(pt_size+1); 40 | AFDG_alloc_list[AFDG_alloc_cnt++] = (void*) ppfile; 41 | memcpy((void *)ppfile, Data+AFDG_offset, pt_size); 42 | AFDG_offset+=pt_size; 43 | ppfile[pt_size] = '\0'; 44 | int debug; 45 | memcpy((void *)&debug, Data+AFDG_offset, sizeof(int)); 46 | AFDG_offset+=sizeof(int); 47 | 48 | AFDG_func(filename, ppfile, debug); 49 | 50 | for(int AFDG_free_i = 0; AFDG_free_i < AFDG_alloc_cnt; AFDG_free_i++) 51 | free(AFDG_alloc_list[AFDG_free_i]); 52 | for(int AFDG_free_i = 0; AFDG_free_i < AFDG_fopen_cnt; AFDG_free_i++) 53 | fclose(AFDG_fopen_list[AFDG_free_i]); 54 | AFDG_alloc_cnt = 0; 55 | AFDG_fopen_cnt = 0; 56 | 57 | return 0; 58 | } 59 | -------------------------------------------------------------------------------- /ffjpeg/627c8a9/pr-45/AFG-jfif.c-AFG_default-jfif_encode.c: -------------------------------------------------------------------------------- 1 | #include "AFG-jfif.c-AFG_default-jfif_encode.h" 2 | /* This is the copy of /opt/disk/marsman/ffjpeg/627c8a9/code/jfif.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[3] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(BMP* pb) 15 | { 16 | jfif_encode(pb); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(BMP)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / 2; 39 | 40 | BMP * pb; 41 | pb = (BMP*)malloc(sizeof(BMP)); 42 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) pb; 43 | memcpy((void *)&pb->height, AFG_Data+AFG_offset, sizeof(int)); 44 | AFG_offset+=sizeof(int); 45 | memcpy((void *)&pb->stride, AFG_Data+AFG_offset, sizeof(int)); 46 | AFG_offset+=sizeof(int); 47 | memcpy((void *)&pb->width, AFG_Data+AFG_offset, sizeof(int)); 48 | AFG_offset+=sizeof(int); 49 | pb->pdata = (void *)malloc(pt_size); 50 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) pb->pdata; 51 | memcpy((void *)pb->pdata, AFG_Data+AFG_offset, pt_size); 52 | AFG_offset+=pt_size; 53 | 54 | AFG_func(pb); 55 | 56 | AFG_fail: 57 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 58 | free(AFG_alloc_list[AFG_free_i]); 59 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 60 | fclose(AFG_fopen_list[AFG_free_i]); 61 | AFG_alloc_cnt = 0; 62 | AFG_fopen_cnt = 0; 63 | 64 | return 0; 65 | } 66 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27786/AFG-mac.c-AFG_default-macinstring.c: -------------------------------------------------------------------------------- 1 | #include "AFG-mac.c-AFG_default-macinstring.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/mac.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[3] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* macstring,unsigned char* mac) 15 | { 16 | macinstring(macstring, mac); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(char)*1+sizeof(unsigned char)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / 2; 39 | if (pt_size < sizeof(char) || pt_size < sizeof(unsigned char)) { return -1; } 40 | char * macstring; 41 | macstring = (char *)malloc(pt_size+1); 42 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) macstring; 43 | memcpy((void *)macstring, AFG_Data+AFG_offset, pt_size); 44 | macstring[pt_size] = '\0'; 45 | AFG_offset+=pt_size; 46 | unsigned char * mac; 47 | mac = (unsigned char *)malloc(pt_size+1); 48 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) mac; 49 | memcpy((void *)mac, AFG_Data+AFG_offset, pt_size); 50 | mac[pt_size] = '\0'; 51 | AFG_offset+=pt_size; 52 | 53 | AFG_func(macstring, mac); 54 | 55 | AFG_fail: 56 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 57 | free(AFG_alloc_list[AFG_free_i]); 58 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 59 | fclose(AFG_fopen_list[AFG_free_i]); 60 | AFG_alloc_cnt = 0; 61 | AFG_fopen_cnt = 0; 62 | 63 | return 0; 64 | } 65 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27789/AFG-cidr.c-parse_cidr-cidr2cidr.c: -------------------------------------------------------------------------------- 1 | #include "AFG-cidr.c-parse_cidr-cidr2cidr.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/cidr.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[3] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* cidrin,char* delim) 15 | { 16 | char *network = ((void *)0); 17 | char *token = ((void *)0); 18 | mask_cidr6(&cidrin, delim); 19 | network = strtok_r(cidrin, delim, &token); 20 | cidr2cidr(network); 21 | } 22 | 23 | size_t minimum_size = sizeof(char)*2; 24 | 25 | #ifdef __cplusplus 26 | extern "C" 27 | #endif 28 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 29 | printf("Minimum size is %ld\n", minimum_size); 30 | return 0; 31 | } 32 | #ifdef __cplusplus 33 | extern "C" 34 | #endif 35 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 36 | size_t AFG_offset = 0; 37 | if(Size <= minimum_size) { 38 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 39 | return -1; 40 | } 41 | size_t pt_size = (Size - minimum_size) / 2; 42 | if (pt_size < sizeof(char) ) { return -1; } 43 | char * cidrin; 44 | cidrin = (char *)malloc(pt_size+1); 45 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrin; 46 | memcpy((void *)cidrin, AFG_Data+AFG_offset, pt_size); 47 | cidrin[pt_size] = '\0'; 48 | AFG_offset+=pt_size; 49 | char * delim; 50 | delim = (char *)malloc(pt_size+1); 51 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) delim; 52 | memcpy((void *)delim, AFG_Data+AFG_offset, pt_size); 53 | delim[pt_size] = '\0'; 54 | AFG_offset+=pt_size; 55 | 56 | AFG_func(cidrin, delim); 57 | 58 | AFG_fail: 59 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 60 | free(AFG_alloc_list[AFG_free_i]); 61 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 62 | fclose(AFG_fopen_list[AFG_free_i]); 63 | AFG_alloc_cnt = 0; 64 | AFG_fopen_cnt = 0; 65 | 66 | return 0; 67 | } 68 | -------------------------------------------------------------------------------- /tcpreplay/4.3.4/CVE-2021-45387/AFG-tree.c-AFG_default-add_tree_ipv4.c: -------------------------------------------------------------------------------- 1 | #include "AFG-tree.c-AFG_default-add_tree_ipv4.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/0ca82e3/build_normal/src/tree.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | tcpprep_t *tcpprep; 9 | tcpr_data_tree_t treeroot; 10 | 11 | void* AFG_alloc_list[2] = { NULL }; 12 | int AFG_alloc_cnt = 0; 13 | FILE* AFG_fopen_list[1] = { NULL }; 14 | int AFG_fopen_cnt = 0; 15 | 16 | int AFG_func(unsigned long ip,unsigned char* data,int len) 17 | { 18 | add_tree_ipv4(ip, data, len); 19 | return 0; 20 | } 21 | 22 | size_t minimum_size = sizeof(unsigned long)*1+sizeof(unsigned char)*1+sizeof(int)*1; 23 | 24 | #ifdef __cplusplus 25 | extern "C" 26 | #endif 27 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 28 | printf("Minimum size is %ld\n", minimum_size); 29 | return 0; 30 | } 31 | #ifdef __cplusplus 32 | extern "C" 33 | #endif 34 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 35 | size_t AFG_offset = 0; 36 | if(Size <= minimum_size) { 37 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 38 | return -1; 39 | } 40 | size_t pt_size = (Size - minimum_size) / 1; 41 | if (pt_size < sizeof(unsigned char) ) { return -1; } 42 | unsigned long ip; 43 | memcpy((void *)&ip, AFG_Data+AFG_offset, sizeof(unsigned long)); 44 | AFG_offset+=sizeof(unsigned long); 45 | unsigned char * data; 46 | data = (unsigned char *)malloc(pt_size+1); 47 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) data; 48 | memcpy((void *)data, AFG_Data+AFG_offset, pt_size); 49 | memset((void *)(data + pt_size), '\0', 1); 50 | AFG_offset+=pt_size; 51 | int len; 52 | memcpy((void *)&len, AFG_Data+AFG_offset, sizeof(int)); 53 | AFG_offset+=sizeof(int); 54 | 55 | len = pt_size; 56 | 57 | AFG_func(ip, data, len); 58 | 59 | AFG_fail: 60 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 61 | free(AFG_alloc_list[AFG_free_i]); 62 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 63 | fclose(AFG_fopen_list[AFG_free_i]); 64 | AFG_alloc_cnt = 0; 65 | AFG_fopen_cnt = 0; 66 | 67 | return 0; 68 | } 69 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27784/AFG-utils.c-AFG_default-read_hexstring.c: -------------------------------------------------------------------------------- 1 | #include "AFG-utils.c-AFG_default-read_hexstring.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/utils.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[3] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* l2string,unsigned char* hex,int hexlen) 15 | { 16 | read_hexstring(l2string, hex, hexlen); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(char)*1+sizeof(unsigned char)*255+sizeof(int)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / 1; 39 | if (pt_size < sizeof(char) || pt_size < sizeof(unsigned char) ) { return -1; } 40 | char * l2string; 41 | l2string = (char *)malloc(pt_size+1); 42 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) l2string; 43 | memcpy((void *)l2string, AFG_Data+AFG_offset, pt_size); 44 | l2string[pt_size] = '\0'; 45 | AFG_offset+=pt_size; 46 | unsigned char * hex; 47 | hex = (unsigned char *)malloc(255+1); 48 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) hex; 49 | memcpy((void *)hex, AFG_Data+AFG_offset, 255); 50 | hex[255] = '\0'; 51 | AFG_offset+=255; 52 | int hexlen; 53 | memcpy((void *)&hexlen, AFG_Data+AFG_offset, sizeof(int)); 54 | AFG_offset+=sizeof(int); 55 | 56 | hexlen = 255; 57 | 58 | 59 | AFG_func(l2string, hex, hexlen); 60 | 61 | AFG_fail: 62 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 63 | free(AFG_alloc_list[AFG_free_i]); 64 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 65 | fclose(AFG_fopen_list[AFG_free_i]); 66 | AFG_alloc_cnt = 0; 67 | AFG_fopen_cnt = 0; 68 | 69 | return 0; 70 | } 71 | -------------------------------------------------------------------------------- /tcpreplay/4.4.1/CVE-2022-25484/AFG-tree.c-add_tree_ipv4-packet2tree.c: -------------------------------------------------------------------------------- 1 | #include "AFG-tree.c-add_tree_ipv4-packet2tree.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/09f0774/build_normal/src/tree.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | tcpprep_t *tcpprep; 9 | tcpr_data_tree_t treeroot; 10 | 11 | void* AFG_alloc_list[2] = { NULL }; 12 | int AFG_alloc_cnt = 0; 13 | FILE* AFG_fopen_list[1] = { NULL }; 14 | int AFG_fopen_cnt = 0; 15 | 16 | int AFG_func(int datalink,int len,unsigned char* data) 17 | { 18 | ((data) ? (void)(0) : __assert_fail("data", "/opt/disk/marsman/tcpreplay/09f0774/build_normal/src/tree.c", 543, __PRETTY_FUNCTION__)); 19 | packet2tree(data, len, datalink); 20 | } 21 | 22 | size_t minimum_size = sizeof(int)*2+sizeof(unsigned char)*1; 23 | 24 | #ifdef __cplusplus 25 | extern "C" 26 | #endif 27 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 28 | printf("Minimum size is %ld\n", minimum_size); 29 | return 0; 30 | } 31 | #ifdef __cplusplus 32 | extern "C" 33 | #endif 34 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 35 | size_t AFG_offset = 0; 36 | if(Size <= minimum_size) { 37 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 38 | return -1; 39 | } 40 | size_t pt_size = (Size - minimum_size) / 1; 41 | if (pt_size < sizeof(unsigned char) ) { return -1; } 42 | int datalink; 43 | memcpy((void *)&datalink, AFG_Data+AFG_offset, sizeof(int)); 44 | AFG_offset+=sizeof(int); 45 | int len; 46 | memcpy((void *)&len, AFG_Data+AFG_offset, sizeof(int)); 47 | AFG_offset+=sizeof(int); 48 | unsigned char * data; 49 | data = (unsigned char *)malloc(pt_size+1); 50 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) data; 51 | memcpy((void *)data, AFG_Data+AFG_offset, pt_size); 52 | memset((void *)(data + pt_size), '\0', 1); 53 | AFG_offset+=pt_size; 54 | 55 | len = pt_size; 56 | 57 | AFG_func(datalink, len, data); 58 | 59 | AFG_fail: 60 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 61 | free(AFG_alloc_list[AFG_free_i]); 62 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 63 | fclose(AFG_fopen_list[AFG_free_i]); 64 | AFG_alloc_cnt = 0; 65 | AFG_fopen_cnt = 0; 66 | 67 | return 0; 68 | } 69 | -------------------------------------------------------------------------------- /tcpreplay/4.3.4/CVE-2021-45386/AFG-tree.c-AFG_default-add_tree_ipv6.c: -------------------------------------------------------------------------------- 1 | #include "AFG-tree.c-AFG_default-add_tree_ipv6.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/0ca82e3/build_normal/src/tree.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | tcpprep_t *tcpprep; 9 | tcpr_data_tree_t treeroot; 10 | 11 | void* AFG_alloc_list[3] = { NULL }; 12 | int AFG_alloc_cnt = 0; 13 | FILE* AFG_fopen_list[1] = { NULL }; 14 | int AFG_fopen_cnt = 0; 15 | 16 | int AFG_func(struct tcpr_in6_addr* addr,unsigned char* data,int len) 17 | { 18 | add_tree_ipv6(addr, data, len); 19 | return 0; 20 | } 21 | 22 | size_t minimum_size = sizeof(unsigned char)*2+sizeof(int)*1+sizeof(struct tcpr_in6_addr)*1+sizeof(unsigned int)*1+sizeof(unsigned short)*1; 23 | 24 | #ifdef __cplusplus 25 | extern "C" 26 | #endif 27 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 28 | printf("Minimum size is %ld\n", minimum_size); 29 | return 0; 30 | } 31 | #ifdef __cplusplus 32 | extern "C" 33 | #endif 34 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 35 | size_t AFG_offset = 0; 36 | if(Size <= minimum_size) { 37 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 38 | return -1; 39 | } 40 | size_t pt_size = (Size - minimum_size) / 2; 41 | if (pt_size < sizeof(unsigned char) ) { return -1; } 42 | struct tcpr_in6_addr * addr; 43 | struct tcpr_in6_addr *AFG_const_0; 44 | AFG_const_0 = (struct tcpr_in6_addr*)malloc(sizeof(struct tcpr_in6_addr)); 45 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) AFG_const_0; 46 | memcpy((void *)&AFG_const_0->__u6_addr, AFG_Data+AFG_offset, sizeof(AFG_const_0->__u6_addr)); 47 | AFG_offset+=sizeof(AFG_const_0->__u6_addr); 48 | addr = AFG_const_0; 49 | unsigned char * data; 50 | data = (unsigned char *)malloc(pt_size+1); 51 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) data; 52 | memcpy((void *)data, AFG_Data+AFG_offset, pt_size); 53 | memset((void *)(data + pt_size), '\0', 1); 54 | AFG_offset+=pt_size; 55 | int len; 56 | memcpy((void *)&len, AFG_Data+AFG_offset, sizeof(int)); 57 | AFG_offset+=sizeof(int); 58 | 59 | len = pt_size; 60 | 61 | AFG_func(addr, data, len); 62 | 63 | AFG_fail: 64 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 65 | free(AFG_alloc_list[AFG_free_i]); 66 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 67 | fclose(AFG_fopen_list[AFG_free_i]); 68 | AFG_alloc_cnt = 0; 69 | AFG_fopen_cnt = 0; 70 | 71 | return 0; 72 | } 73 | -------------------------------------------------------------------------------- /jhead/0e98605/CVE-2022-28550/AFG-jhead.c-DoCommand-shellescape.c: -------------------------------------------------------------------------------- 1 | #include "AFG-jhead.c-DoCommand-shellescape.h" 2 | /* This is the copy of /opt/disk/marsman/jhead/3.04/build_normal/jhead.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[3] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* ApplyCommand,char* FileName) 15 | { 16 | int a, e; 17 | char ExecString[12288]; 18 | char TempName[4106]; 19 | e = 0; 20 | a = strlen(FileName) - 1; 21 | while(a > 0 && FileName[a - 1] != '/') 22 | a--; 23 | memcpy(TempName, FileName, a); 24 | strcpy(TempName + a, "XXXXXX"); 25 | mktemp(TempName); 26 | for(a = 0; ; a++) 27 | { 28 | if(ApplyCommand[a] == '&') 29 | { 30 | if(ApplyCommand[a + 1] == 'i') 31 | { 32 | e += shellescape(ExecString + e, FileName); 33 | a += 1; 34 | continue; 35 | } 36 | if(ApplyCommand[a + 1] == 'o') 37 | { 38 | e += shellescape(ExecString + e, TempName); 39 | a += 1; 40 | continue; 41 | } 42 | } 43 | ExecString[e++] = ApplyCommand[a]; 44 | if(ApplyCommand[a] == 0) 45 | break; 46 | } 47 | } 48 | 49 | size_t minimum_size = sizeof(char)*2; 50 | 51 | #ifdef __cplusplus 52 | extern "C" 53 | #endif 54 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 55 | printf("Minimum size is %ld\n", minimum_size); 56 | return 0; 57 | } 58 | #ifdef __cplusplus 59 | extern "C" 60 | #endif 61 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 62 | size_t AFG_offset = 0; 63 | if(Size <= minimum_size) { 64 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 65 | return -1; 66 | } 67 | size_t pt_size = (Size - minimum_size) / 2; 68 | if (pt_size < sizeof(char) ) { return -1; } 69 | char * ApplyCommand; 70 | ApplyCommand = (char *)malloc(pt_size+1); 71 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ApplyCommand; 72 | memcpy((void *)ApplyCommand, AFG_Data+AFG_offset, pt_size); 73 | memset((void *)(ApplyCommand + pt_size), '\0', 1); 74 | AFG_offset+=pt_size; 75 | char * FileName; 76 | FileName = (char *)malloc(pt_size+1); 77 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) FileName; 78 | memcpy((void *)FileName, AFG_Data+AFG_offset, pt_size); 79 | memset((void *)(FileName + pt_size), '\0', 1); 80 | AFG_offset+=pt_size; 81 | 82 | if (strlen(FileName) > 0) 83 | AFG_func(ApplyCommand, FileName); 84 | 85 | AFG_fail: 86 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 87 | free(AFG_alloc_list[AFG_free_i]); 88 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 89 | fclose(AFG_fopen_list[AFG_free_i]); 90 | AFG_alloc_cnt = 0; 91 | AFG_fopen_cnt = 0; 92 | 93 | return 0; 94 | } 95 | -------------------------------------------------------------------------------- /liblouis/3.2.0/CVE-2023-26769/AFG-compileTranslationTable.c-_lou_defaultTableResolver-resolveSubtable.c: -------------------------------------------------------------------------------- 1 | #include "AFG-compileTranslationTable.c-_lou_defaultTableResolver-resolveSubtable.h" 2 | /* This is the copy of /opt/disk/marsman/liblouis/3.2.0/code/liblouis/compileTranslationTable.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[3] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* base,char* tableList) 15 | { 16 | char *searchPath; 17 | char **tableFiles; 18 | char *subTable; 19 | char *tableList_copy; 20 | char *cp; 21 | int k; 22 | searchPath = _lou_getTablePath(); 23 | k = 0; 24 | for(cp = (char *)tableList; *cp != '\x00'; cp++) 25 | if(*cp == ',') 26 | k++; 27 | tableFiles = (char **)malloc((k + 2) * sizeof(char *)); 28 | k = 0; 29 | tableList_copy = strdup(tableList); 30 | for(subTable = tableList_copy; ; subTable = cp + 1) 31 | { 32 | *cp = '\x00'; 33 | if(!(tableFiles[k++] = resolveSubtable(subTable, base, searchPath))) 34 | { 35 | _lou_logMessage(LOG_ERROR, "Cannot resolve table '%s'", subTable); 36 | free(searchPath); 37 | free(tableList_copy); 38 | free(tableFiles); 39 | return 0; 40 | } 41 | if(k == 1) 42 | base = subTable; 43 | } 44 | } 45 | 46 | size_t minimum_size = sizeof(char)*2; 47 | 48 | #ifdef __cplusplus 49 | extern "C" 50 | #endif 51 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 52 | printf("Minimum size is %ld\n", minimum_size); 53 | return 0; 54 | } 55 | #ifdef __cplusplus 56 | extern "C" 57 | #endif 58 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 59 | size_t AFG_offset = 0; 60 | if(Size <= minimum_size) { 61 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 62 | return -1; 63 | } 64 | size_t pt_size = (Size - minimum_size) / 2; 65 | if (pt_size < sizeof(char) ) { return -1; } 66 | char * base; 67 | base = (char *)malloc(pt_size+1); 68 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) base; 69 | memcpy((void *)base, AFG_Data+AFG_offset, pt_size); 70 | base[pt_size] = '\0'; 71 | AFG_offset+=pt_size; 72 | char * tableList; 73 | tableList = (char *)malloc(pt_size+1); 74 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) tableList; 75 | memcpy((void *)tableList, AFG_Data+AFG_offset, pt_size); 76 | tableList[pt_size] = '\0'; 77 | AFG_offset+=pt_size; 78 | 79 | AFG_func(base, tableList); 80 | 81 | AFG_fail: 82 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 83 | free(AFG_alloc_list[AFG_free_i]); 84 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 85 | fclose(AFG_fopen_list[AFG_free_i]); 86 | AFG_alloc_cnt = 0; 87 | AFG_fopen_cnt = 0; 88 | 89 | return 0; 90 | } 91 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27787/AFG-xX.c-parse_xX_str-parse_list.c: -------------------------------------------------------------------------------- 1 | #include "AFG-xX.c-parse_xX_str-parse_list.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/xX.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[5] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* str,struct tcpr_xX_s* xX) 15 | { 16 | switch(str[0]) 17 | { 18 | case 'P': 19 | str = str + 2; 20 | if(!parse_list(&(xX->list), str)) 21 | return 0; 22 | break; 23 | default: 24 | break; 25 | } 26 | } 27 | 28 | size_t minimum_size = sizeof(char)*1+sizeof(struct tcpr_xX_s)*1+sizeof(struct list_s)*1+sizeof(struct tcpr_cidr_s)*1+sizeof(struct tcpr_in6_addr)*2+sizeof(unsigned int)*2+sizeof(unsigned char)*1+sizeof(unsigned short)*1; 29 | 30 | #ifdef __cplusplus 31 | extern "C" 32 | #endif 33 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 34 | printf("Minimum size is %ld\n", minimum_size); 35 | return 0; 36 | } 37 | #ifdef __cplusplus 38 | extern "C" 39 | #endif 40 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 41 | size_t AFG_offset = 0; 42 | if(Size <= minimum_size) { 43 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 44 | return -1; 45 | } 46 | size_t pt_size = (Size - minimum_size) / 4; 47 | if (pt_size < sizeof(char) ) { return -1; } 48 | char * str; 49 | str = (char *)malloc(pt_size+1); 50 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) str; 51 | memcpy((void *)str, AFG_Data+AFG_offset, pt_size); 52 | str[pt_size] = '\0'; 53 | AFG_offset+=pt_size; 54 | struct tcpr_xX_s * xX; 55 | xX = (struct tcpr_xX_s*)malloc(sizeof(struct tcpr_xX_s)); 56 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) xX; 57 | memcpy((void *)&xX->mode, AFG_Data+AFG_offset, sizeof(int)); 58 | AFG_offset+=sizeof(int); 59 | memcpy((void *)&xX->type, AFG_Data+AFG_offset, sizeof(int)); 60 | AFG_offset+=sizeof(int); 61 | xX->list = (struct list_s*)malloc(sizeof(struct list_s)); 62 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) xX->list; 63 | xX->list->next = NULL; 64 | memcpy((void *)&xX->list->max, AFG_Data+AFG_offset, sizeof(unsigned long long)); 65 | AFG_offset+=sizeof(unsigned long long); 66 | memcpy((void *)&xX->list->min, AFG_Data+AFG_offset, sizeof(unsigned long long)); 67 | AFG_offset+=sizeof(unsigned long long); 68 | xX->cidr = (struct tcpr_cidr_s*)malloc(sizeof(struct tcpr_cidr_s)); 69 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) xX->cidr; 70 | memcpy((void *)&xX->cidr->family, AFG_Data+AFG_offset, sizeof(int)); 71 | AFG_offset+=sizeof(int); 72 | memcpy((void *)&xX->cidr->masklen, AFG_Data+AFG_offset, sizeof(int)); 73 | AFG_offset+=sizeof(int); 74 | xX->cidr->next = NULL; 75 | // A Union 'anonymous at /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/cidr.h:28:5' here, we select 'network6' 76 | memcpy((void *)&xX->cidr->u.network6.__u6_addr, AFG_Data+AFG_offset, sizeof(xX->cidr->u.network6.__u6_addr)); 77 | AFG_offset+=sizeof(xX->cidr->u.network6.__u6_addr); 78 | 79 | AFG_func(str, xX); 80 | 81 | AFG_fail: 82 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 83 | free(AFG_alloc_list[AFG_free_i]); 84 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 85 | fclose(AFG_fopen_list[AFG_free_i]); 86 | AFG_alloc_cnt = 0; 87 | AFG_fopen_cnt = 0; 88 | 89 | return 0; 90 | } 91 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27788/AFG-portmap.c-parse_portmap-ports2PORT.c: -------------------------------------------------------------------------------- 1 | #include "AFG-portmap.c-parse_portmap-ports2PORT.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/tcpedit/portmap.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[13] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(char* ourstr,struct tcpedit_portmap_s** portmap) 15 | { 16 | char *substr = ((void *)0), *ourstrcpy = ((void *)0), *token = ((void *)0); 17 | ((ourstr) ? (void)(0) : __assert_fail("ourstr", "/opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/tcpedit/portmap.c", 195, __PRETTY_FUNCTION__)); 18 | ourstrcpy = _our_safe_strdup(ourstr, __FUNCTION__, 196, "/opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/tcpedit/portmap.c"); 19 | substr = strtok_r(ourstrcpy, ",", &token); 20 | if((*portmap = ports2PORT(substr)) == ((void *)0)) 21 | { 22 | _our_safe_free(ourstrcpy, __FUNCTION__, 202, "/opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/tcpedit/portmap.c"); 23 | return 0; 24 | } 25 | } 26 | 27 | size_t minimum_size = sizeof(char)*1+sizeof(struct tcpedit_portmap_s)*10; 28 | 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 33 | printf("Minimum size is %ld\n", minimum_size); 34 | return 0; 35 | } 36 | #ifdef __cplusplus 37 | extern "C" 38 | #endif 39 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 40 | size_t AFG_offset = 0; 41 | if(Size <= minimum_size) { 42 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 43 | return -1; 44 | } 45 | size_t pt_size = (Size - minimum_size) / 12; 46 | if (pt_size < sizeof(char) ) { return -1; } 47 | char * ourstr; 48 | ourstr = (char *)malloc(pt_size+1); 49 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ourstr; 50 | memcpy((void *)ourstr, AFG_Data+AFG_offset, pt_size); 51 | ourstr[pt_size] = '\0'; 52 | AFG_offset+=pt_size; 53 | struct tcpedit_portmap_s ** portmap; 54 | portmap = (struct tcpedit_portmap_s**)malloc(sizeof(struct tcpedit_portmap_s*)*5); 55 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) portmap; 56 | for(int temp_AFG_1 = 0; temp_AFG_1 < 5; temp_AFG_1++) { 57 | portmap[temp_AFG_1] = (struct tcpedit_portmap_s*)malloc(sizeof(struct tcpedit_portmap_s)); 58 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) portmap[temp_AFG_1]; 59 | memcpy((void *)&portmap[temp_AFG_1]->from, AFG_Data+AFG_offset, sizeof(long)); 60 | AFG_offset+=sizeof(long); 61 | memcpy((void *)&portmap[temp_AFG_1]->to, AFG_Data+AFG_offset, sizeof(long)); 62 | AFG_offset+=sizeof(long); 63 | portmap[temp_AFG_1]->next = (struct tcpedit_portmap_s*)malloc(sizeof(struct tcpedit_portmap_s)); 64 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) portmap[temp_AFG_1]->next; 65 | memcpy((void *)&portmap[temp_AFG_1]->next->from, AFG_Data+AFG_offset, sizeof(long)); 66 | AFG_offset+=sizeof(long); 67 | memcpy((void *)&portmap[temp_AFG_1]->next->to, AFG_Data+AFG_offset, sizeof(long)); 68 | AFG_offset+=sizeof(long); 69 | portmap[temp_AFG_1]->next->next = NULL; 70 | } 71 | 72 | AFG_func(ourstr, portmap); 73 | 74 | AFG_fail: 75 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 76 | free(AFG_alloc_list[AFG_free_i]); 77 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 78 | fclose(AFG_fopen_list[AFG_free_i]); 79 | AFG_alloc_cnt = 0; 80 | AFG_fopen_cnt = 0; 81 | 82 | return 0; 83 | } 84 | -------------------------------------------------------------------------------- /liblouis/3.2.0/CVE-2023-26769/poc: -------------------------------------------------------------------------------- 1 | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 2 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23051/AFG-action.c-SWFAction_compile-swf5parse.c: -------------------------------------------------------------------------------- 1 | /* Structure definition needed by the fuzz driver */ 2 | struct SWFOutput_s { 3 | int bitpos; 4 | int buffersize; 5 | int free; 6 | struct SWFOutput_s* next; 7 | unsigned char* buffer; 8 | unsigned char* pos; 9 | }; 10 | typedef struct SWFOutput_s * SWFOutput; 11 | 12 | void 13 | AFG_error_default(const char *msg, ...) 14 | { 15 | return; 16 | } 17 | 18 | #include "AFG-action.c-SWFAction_compile-swf5parse.h" 19 | /* This is the copy of /opt/disk/marsman/libming/0.4.8/code/src/blocks/action.c */ 20 | #include 21 | #include 22 | #include 23 | 24 | 25 | void* AFG_alloc_list[6] = { NULL }; 26 | int AFG_alloc_cnt = 0; 27 | FILE* AFG_fopen_list[1] = { NULL }; 28 | int AFG_fopen_cnt = 0; 29 | 30 | int AFG_func(int swfVersion,struct SWFAction_s* action) 31 | { 32 | char *script = ((void *)0); 33 | Buffer b; 34 | switch(action->inputType) 35 | { 36 | case INPUT_SCRIPT: 37 | script = action->input.script; 38 | break; 39 | case INPUT_FILE: 40 | script = readActionFile(action->input.file); 41 | break; 42 | default: 43 | break; 44 | } 45 | if(script != ((void *)0)) 46 | { 47 | swf5ParseInit(script, action->debug, swfVersion); 48 | swf5parse((void *)&b); 49 | } 50 | } 51 | 52 | #ifdef __cplusplus 53 | extern "C" 54 | #endif 55 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) 56 | { 57 | size_t AFG_offset = 0, minimum_size = sizeof(int)*1+sizeof(struct SWFAction_s)*1+sizeof(struct SWFBlock_s)*1+sizeof(struct SWFOutput_s)*1+sizeof(char)*1+sizeof(void*)*1; 58 | if(Size <= minimum_size) { 59 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 60 | return 0; 61 | } 62 | size_t pt_size = (Size - minimum_size) / 5; 63 | if (pt_size < sizeof(char) || pt_size < sizeof(unsigned char) ) { return 0; } 64 | int swfVersion; 65 | memcpy((void *)&swfVersion, Data+AFG_offset, sizeof(int)); 66 | AFG_offset+=sizeof(int); 67 | struct SWFAction_s * action; 68 | action = (struct SWFAction_s*)malloc(sizeof(struct SWFAction_s)); 69 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) action; 70 | memcpy((void *)&action->inputType, Data+AFG_offset, sizeof(ActionInputType)); 71 | AFG_offset+=sizeof(ActionInputType); 72 | memcpy((void *)&action->debug, Data+AFG_offset, sizeof(int)); 73 | AFG_offset+=sizeof(int); 74 | memcpy((void *)&action->block, Data+AFG_offset, sizeof(struct SWFBlock_s)); 75 | AFG_offset+=sizeof(struct SWFBlock_s); 76 | action->out = (struct SWFOutput_s*)malloc(sizeof(struct SWFOutput_s)); 77 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) action->out; 78 | memcpy((void *)&action->out->bitpos, Data+AFG_offset, sizeof(int)); 79 | AFG_offset+=sizeof(int); 80 | memcpy((void *)&action->out->buffersize, Data+AFG_offset, sizeof(int)); 81 | AFG_offset+=sizeof(int); 82 | memcpy((void *)&action->out->free, Data+AFG_offset, sizeof(int)); 83 | AFG_offset+=sizeof(int); 84 | action->out->next = NULL; 85 | action->out->buffer = (unsigned char *)malloc(pt_size); 86 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) action->out->buffer; 87 | memcpy((void *)action->out->buffer, Data+AFG_offset, pt_size); 88 | AFG_offset+=pt_size; 89 | action->out->pos = (unsigned char *)malloc(pt_size); 90 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) action->out->pos; 91 | memcpy((void *)action->out->pos, Data+AFG_offset, pt_size); 92 | AFG_offset+=pt_size; 93 | // A Union 'anonymous at /opt/disk/marsman/libming/0.4.8/code/src/blocks/action.c:49:2' here, we select 'script' 94 | action->input.script = (char *)malloc(pt_size+1); 95 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) action->input.script; 96 | memcpy((void *)action->input.script, Data+AFG_offset, pt_size); 97 | memset((void *)(action->input.script + pt_size), '\0', 1); 98 | AFG_offset+=pt_size; 99 | 100 | action->inputType = INPUT_SCRIPT; 101 | setSWFErrorFunction(NULL); 102 | 103 | AFG_func(swfVersion, action); 104 | 105 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 106 | free(AFG_alloc_list[AFG_free_i]); 107 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 108 | fclose(AFG_fopen_list[AFG_free_i]); 109 | AFG_alloc_cnt = 0; 110 | AFG_fopen_cnt = 0; 111 | 112 | return 0; 113 | } 114 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27786/AFG-mac.c-AFG_default-macinstring.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | 3 | /* 4 | * Copyright (c) 2001-2010 Aaron Turner 5 | * Copyright (c) 2013-2017 Fred Klassen - AppNeta 6 | * 7 | * The Tcpreplay Suite of tools is free software: you can redistribute it 8 | * and/or modify it under the terms of the GNU General Public License as 9 | * published by the Free Software Foundation, either version 3 of the 10 | * License, or with the authors permission any later version. 11 | * 12 | * The Tcpreplay Suite is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with the Tcpreplay Suite. If not, see . 19 | */ 20 | 21 | #include "config.h" 22 | #include "defines.h" 23 | #include "common.h" 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | #include "mac.h" 30 | 31 | /** 32 | * converts a string representation of a MAC address, based on 33 | * non-portable ether_aton() 34 | */ 35 | void 36 | mac2hex(const char *mac, u_char *dst, int len) 37 | { 38 | int i; 39 | long l; 40 | char *pp; 41 | 42 | if (len < 6) 43 | return; 44 | 45 | while (isspace(*mac)) 46 | mac++; 47 | 48 | /* expect 6 hex octets separated by ':' or space/NUL if last octet */ 49 | for (i = 0; i < 6; i++) { 50 | l = strtol(mac, &pp, 16); 51 | if (pp == mac || l > 0xFF || l < 0) 52 | return; 53 | if (!(*pp == ':' || (i == 5 && (isspace(*pp) || *pp == '\0')))) 54 | return; 55 | dst[i] = (u_char) l; 56 | mac = pp + 1; 57 | } 58 | } 59 | 60 | /** 61 | * converts a string representation of TWO MAC addresses, which 62 | * are comma deliminated into two hex values. Either *first or *second 63 | * can be NULL if there is nothing before or after the comma. 64 | * returns: 65 | * 1 = first mac 66 | * 2 = second mac 67 | * 3 = both mac's 68 | * 0 = none 69 | */ 70 | int 71 | dualmac2hex(const char *dualmac, u_char *first, u_char *second, int len) 72 | { 73 | char *tok = NULL, *temp, *string; 74 | int ret = 0; 75 | 76 | string = safe_strdup(dualmac); 77 | 78 | /* if we've only got a comma, then return NULL's */ 79 | if (len <= 1) { 80 | second = first = NULL; 81 | goto done; 82 | } 83 | 84 | temp = strtok_r(string, ",", &tok); 85 | if (strlen(temp)) { 86 | mac2hex(temp, first, len); 87 | ret = 1; 88 | } 89 | 90 | temp = strtok_r(NULL, ",", &tok); 91 | /* temp is null if no comma */ 92 | if (temp != NULL) { 93 | if (strlen(temp)) { 94 | mac2hex(temp, second, len); 95 | ret += 2; 96 | } 97 | } 98 | 99 | done: 100 | safe_free(string); 101 | return ret; 102 | } 103 | 104 | /** 105 | * Figures out if a MAC is listed in a comma delimited 106 | * string of MAC addresses. 107 | * returns TCPR_DIR_C2S if listed 108 | * returns TCPR_DIR_S2C if not listed 109 | */ 110 | tcpr_dir_t 111 | macinstring(const char *macstring, const u_char *mac) 112 | { 113 | char *tok = NULL, *tempstr, *ourstring; 114 | u_char tempmac[6]; 115 | int len = 6, ret = TCPR_DIR_S2C; 116 | 117 | ourstring = safe_strdup(macstring); 118 | memset(&tempmac[0], 0, sizeof(tempmac)); 119 | 120 | tempstr = strtok_r(ourstring, ",", &tok); 121 | if (strlen(tempstr)) { 122 | mac2hex(tempstr, tempmac, len); 123 | if (memcmp(mac, tempmac, len) == 0) { 124 | dbgx(3, "Packet matches: " MAC_FORMAT " sending out primary.\n", MAC_STR(tempmac)); 125 | ret = TCPR_DIR_C2S; 126 | goto EXIT_MACINSTRING; 127 | } 128 | } else { 129 | goto EXIT_MACINSTRING; 130 | } 131 | 132 | while ((tempstr = strtok_r(NULL, ",", &tok)) != NULL) { 133 | mac2hex(tempstr, tempmac, len); 134 | if (memcmp(mac, tempmac, len) == 0) { 135 | ret = TCPR_DIR_C2S; 136 | dbgx(3, "Packet matches: " MAC_FORMAT " sending out primary.\n", MAC_STR(tempmac)); 137 | goto EXIT_MACINSTRING; 138 | } 139 | } 140 | 141 | EXIT_MACINSTRING: 142 | safe_free(ourstring); 143 | #ifdef DEBUG 144 | if (ret == TCPR_DIR_S2C) 145 | dbg(3, "Packet doesn't match any MAC addresses sending out secondary.\n"); 146 | #endif 147 | return ret; 148 | } 149 | -------------------------------------------------------------------------------- /liblouis/3.2.0/CVE-2023-26767/AFG-logging.c-AFG_default-lou_logFile.h: -------------------------------------------------------------------------------- 1 | /* liblouis Braille Translation and Back-Translation Library 2 | 3 | Copyright (C) 2004, 2005, 2006 ViewPlus Technologies, Inc. www.viewplus.com 4 | Copyright (C) 2004, 2005, 2006 JJB Software, Inc. www.jjb-software.com 5 | 6 | This file is part of liblouis. 7 | 8 | liblouis is free software: you can redistribute it and/or modify it 9 | under the terms of the GNU Lesser General Public License as published 10 | by the Free Software Foundation, either version 2.1 of the License, or 11 | (at your option) any later version. 12 | 13 | liblouis is distributed in the hope that it will be useful, but 14 | WITHOUT ANY WARRANTY; without even the implied warranty of 15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 | Lesser General Public License for more details. 17 | 18 | You should have received a copy of the GNU Lesser General Public 19 | License along with liblouis. If not, see . 20 | 21 | */ 22 | 23 | /** 24 | * @file 25 | * @brief Logging 26 | */ 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | 34 | #include "internal.h" 35 | 36 | void EXPORT_CALL _lou_logWidecharBuf(logLevels level, const char *msg, const widechar *wbuf, int wlen) 37 | { 38 | /* When calculating output size: 39 | * Each wdiechar is represented in hex, thus needing two bytes for each 40 | * byte in the widechar (sizeof(widechar) * 2) 41 | * Allow space for the "0x%X " formatting (+ 3) 42 | * Number of characters in widechar buffer (wlen * ) 43 | * Give space for additional message (+ strlen(msg)) 44 | * Remember the null terminator (+ 1) 45 | */ 46 | int logBufSize = (wlen * ((sizeof(widechar) * 3) + 3)) + 3 + (int)strlen(msg); 47 | char *logMsg = malloc(logBufSize); 48 | char *p = logMsg; 49 | char *formatString; 50 | int i = 0; 51 | if (sizeof(widechar) == 2) 52 | formatString = "0x%04X "; 53 | else 54 | formatString = "0x%08X "; 55 | for (i = 0; i < (int) strlen(msg); i++) 56 | logMsg[i] = msg[i]; 57 | p += strlen(msg); 58 | for (i = 0; i < wlen; i++) 59 | { 60 | p += sprintf(p, formatString, wbuf[i]); 61 | } 62 | *p = '~'; 63 | p++; 64 | *p = ' '; 65 | p++; 66 | for(i = 0; i < wlen; i++) 67 | { 68 | if(wbuf[i] & 0xff00) 69 | *p = ' '; 70 | else 71 | *p = (char)wbuf[i]; 72 | p++; 73 | } 74 | *p = '\0'; 75 | _lou_logMessage(level, "%s", logMsg); 76 | free(logMsg); 77 | } 78 | 79 | static void defaultLogCallback(logLevels level, const char *message) 80 | { 81 | lou_logPrint("%s", message); // lou_logPrint takes formatting, protect against % in message 82 | } 83 | 84 | static logcallback logCallbackFunction = defaultLogCallback; 85 | void EXPORT_CALL lou_registerLogCallback(logcallback callback) 86 | { 87 | if (callback == NULL) 88 | logCallbackFunction = defaultLogCallback; 89 | else 90 | logCallbackFunction = callback; 91 | } 92 | 93 | static logLevels logLevel = LOG_INFO; 94 | void EXPORT_CALL lou_setLogLevel(logLevels level) 95 | { 96 | logLevel = level; 97 | } 98 | 99 | void EXPORT_CALL _lou_logMessage(logLevels level, const char *format, ...) 100 | { 101 | if (format == NULL) 102 | return; 103 | if (level < logLevel) 104 | return; 105 | if (logCallbackFunction != NULL) 106 | { 107 | #ifdef _WIN32 108 | double f = 2.3; // Needed to force VC++ runtime floating point support 109 | #endif 110 | char *s; 111 | size_t len; 112 | va_list argp; 113 | va_start(argp, format); 114 | len = vsnprintf(0, 0, format, argp); 115 | va_end(argp); 116 | if ((s = malloc(len+1)) != 0) 117 | { 118 | va_start(argp, format); 119 | vsnprintf(s, len+1, format, argp); 120 | va_end(argp); 121 | logCallbackFunction(level, s); 122 | free(s); 123 | } 124 | } 125 | } 126 | 127 | 128 | static FILE *logFile = NULL; 129 | static char initialLogFileName[256] = ""; 130 | 131 | void EXPORT_CALL 132 | lou_logFile (const char *fileName) 133 | { 134 | if(logFile) 135 | { 136 | fclose(logFile); 137 | logFile = NULL; 138 | } 139 | if (fileName == NULL || fileName[0] == 0) 140 | return; 141 | if (initialLogFileName[0] == 0) 142 | strcpy (initialLogFileName, fileName); 143 | logFile = fopen (fileName, "a"); 144 | if (logFile == NULL && initialLogFileName[0] != 0) 145 | logFile = fopen (initialLogFileName, "a"); 146 | if (logFile == NULL) 147 | { 148 | fprintf (stderr, "Cannot open log file %s\n", fileName); 149 | logFile = stderr; 150 | } 151 | } 152 | 153 | void EXPORT_CALL 154 | lou_logPrint (const char *format, ...) 155 | { 156 | #ifndef __SYMBIAN32__ 157 | va_list argp; 158 | if (format == NULL) 159 | return; 160 | if (logFile == NULL) 161 | logFile = fopen (initialLogFileName, "a"); 162 | if (logFile == NULL) 163 | logFile = stderr; 164 | va_start (argp, format); 165 | vfprintf (logFile, format, argp); 166 | fprintf (logFile, "\n"); 167 | fflush(logFile); 168 | va_end (argp); 169 | #endif 170 | } 171 | 172 | /* Close the log file */ 173 | void EXPORT_CALL 174 | lou_logEnd (void) 175 | { 176 | if (logFile != NULL && logFile != stderr) 177 | fclose (logFile); 178 | logFile = NULL; 179 | } 180 | -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2021-36531/AFG-ngiflib.c-DecodeGifImg-GetByte.c: -------------------------------------------------------------------------------- 1 | #include "AFG-ngiflib.c-DecodeGifImg-GetByte.h" 2 | /* This is the copy of /opt/disk/marsman/ngiflib/75b9920/build_normal/ngiflib.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[6] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[2] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(struct ngiflib_img* i) 15 | { 16 | u8 flags; 17 | if(!i) 18 | return 0; 19 | GetWord(i->parent); 20 | GetWord(i->parent); 21 | GetWord(i->parent); 22 | GetWord(i->parent); 23 | flags = GetByte(i->parent); 24 | i->localpalbits = (flags & 7) + 1; 25 | if(flags & 128) 26 | { 27 | int k; 28 | int localpalsize = 1 << i->localpalbits; 29 | for(k = 0; k < localpalsize; k++) 30 | { 31 | GetByte(i->parent); 32 | GetByte(i->parent); 33 | GetByte(i->parent); 34 | } 35 | } 36 | else 37 | { 38 | i->localpalbits = i->parent->imgbits; 39 | } 40 | } 41 | 42 | size_t minimum_size = sizeof(struct ngiflib_img)*1+sizeof(struct ngiflib_gif)*1+sizeof(struct ngiflib_rgb)*1+sizeof(unsigned char)*1+sizeof(void*)*1+sizeof(union ngiflib_pixpointer)*1; 43 | 44 | #ifdef __cplusplus 45 | extern "C" 46 | #endif 47 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 48 | printf("Minimum size is %ld\n", minimum_size); 49 | return 0; 50 | } 51 | #ifdef __cplusplus 52 | extern "C" 53 | #endif 54 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 55 | size_t AFG_offset = 0; 56 | if(Size <= minimum_size) { 57 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 58 | return -1; 59 | } 60 | size_t pt_size = (Size - minimum_size) / 6; 61 | if (pt_size < sizeof(unsigned int) || pt_size < sizeof(unsigned char) ) { return -1; } 62 | struct ngiflib_img * i; 63 | i = (struct ngiflib_img*)malloc(sizeof(struct ngiflib_img)); 64 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) i; 65 | i->parent = (struct ngiflib_gif*)malloc(sizeof(struct ngiflib_gif)); 66 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) i->parent; 67 | memcpy((void *)&i->parent->netscape_loop_count, AFG_Data+AFG_offset, sizeof(int)); 68 | AFG_offset+=sizeof(int); 69 | memcpy((void *)&i->parent->nimg, AFG_Data+AFG_offset, sizeof(int)); 70 | AFG_offset+=sizeof(int); 71 | i->parent->log = fopen("AFG_file_0", "w+"); 72 | AFG_fopen_list[AFG_fopen_cnt++] = i->parent->log; 73 | fwrite(AFG_Data+AFG_offset, 1, pt_size, i->parent->log); 74 | rewind(i->parent->log); 75 | AFG_offset+=pt_size; 76 | i->parent->cur_img = NULL; 77 | i->parent->first_img = NULL; 78 | i->parent->palette = (struct ngiflib_rgb*)malloc(sizeof(struct ngiflib_rgb)); 79 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) i->parent->palette; 80 | memcpy((void *)i->parent->palette, AFG_Data+AFG_offset, sizeof(struct ngiflib_rgb)); 81 | AFG_offset+=sizeof(struct ngiflib_rgb); 82 | // A Union 'anonymous at /opt/disk/marsman/ngiflib/75b9920/build_normal/ngiflib.h:132:2' here, we select 'bytes' 83 | i->parent->input.bytes = (unsigned char *)malloc(pt_size+1); 84 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) i->parent->input.bytes; 85 | memcpy((void *)i->parent->input.bytes, AFG_Data+AFG_offset, pt_size); 86 | memset((void *)(i->parent->input.bytes + pt_size), '\0', 1); 87 | AFG_offset+=pt_size; 88 | // A Union 'union ngiflib_pixpointer' here, we select 'p32' 89 | i->parent->frbuff.p32 = (unsigned int *)malloc(pt_size); 90 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) i->parent->frbuff.p32; 91 | memcpy((void *)i->parent->frbuff.p32, AFG_Data+AFG_offset, pt_size); 92 | AFG_offset+=pt_size; 93 | memcpy((void *)&i->parent->signature, AFG_Data+AFG_offset, sizeof(unsigned char)*7); 94 | AFG_offset+=sizeof(unsigned char)*7; 95 | memcpy((void *)&i->parent->backgroundindex, AFG_Data+AFG_offset, sizeof(unsigned char)); 96 | AFG_offset+=sizeof(unsigned char); 97 | memcpy((void *)&i->parent->colorresolution, AFG_Data+AFG_offset, sizeof(unsigned char)); 98 | AFG_offset+=sizeof(unsigned char); 99 | memcpy((void *)&i->parent->imgbits, AFG_Data+AFG_offset, sizeof(unsigned char)); 100 | AFG_offset+=sizeof(unsigned char); 101 | memcpy((void *)&i->parent->mode, AFG_Data+AFG_offset, sizeof(unsigned char)); 102 | AFG_offset+=sizeof(unsigned char); 103 | memcpy((void *)&i->parent->pixaspectratio, AFG_Data+AFG_offset, sizeof(unsigned char)); 104 | AFG_offset+=sizeof(unsigned char); 105 | memcpy((void *)&i->parent->sort_flag, AFG_Data+AFG_offset, sizeof(unsigned char)); 106 | AFG_offset+=sizeof(unsigned char); 107 | memcpy((void *)&i->parent->height, AFG_Data+AFG_offset, sizeof(unsigned short)); 108 | AFG_offset+=sizeof(unsigned short); 109 | memcpy((void *)&i->parent->ncolors, AFG_Data+AFG_offset, sizeof(unsigned short)); 110 | AFG_offset+=sizeof(unsigned short); 111 | memcpy((void *)&i->parent->width, AFG_Data+AFG_offset, sizeof(unsigned short)); 112 | AFG_offset+=sizeof(unsigned short); 113 | memcpy((void *)&i->localpalbits, AFG_Data+AFG_offset, sizeof(unsigned char)); 114 | AFG_offset+=sizeof(unsigned char); 115 | 116 | i->parent->mode = NGIFLIB_MODE_FROM_MEM; 117 | unsigned int AFG_br; 118 | memcpy(&AFG_br, AFG_Data + AFG_offset, sizeof(unsigned int)); 119 | if ((AFG_br % 2) == 1) 120 | i->parent->mode |= NGIFLIB_MODE_INDEXED; 121 | else 122 | i->parent->mode |= NGIFLIB_MODE_TRUE_COLOR; 123 | 124 | AFG_func(i); 125 | 126 | AFG_fail: 127 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 128 | free(AFG_alloc_list[AFG_free_i]); 129 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 130 | fclose(AFG_fopen_list[AFG_free_i]); 131 | AFG_alloc_cnt = 0; 132 | AFG_fopen_cnt = 0; 133 | 134 | return 0; 135 | } 136 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27785/AFG-cidr.c-AFG_default-parse_endpoints.c: -------------------------------------------------------------------------------- 1 | 2 | #include "AFG-cidr.c-AFG_default-parse_endpoints.h" 3 | /* This is the copy of /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/cidr.c */ 4 | #include 5 | #include 6 | #include 7 | 8 | /* Structure definition needed by the fuzz driver */ 9 | 10 | void* AFG_alloc_list[44] = { NULL }; 11 | int AFG_alloc_cnt = 0; 12 | FILE* AFG_fopen_list[1] = { NULL }; 13 | int AFG_fopen_cnt = 0; 14 | 15 | int AFG_func(struct tcpr_cidrmap_s** cidrmap1,struct tcpr_cidrmap_s** cidrmap2,char* optarg) 16 | { 17 | parse_endpoints(cidrmap1, cidrmap2, optarg); 18 | return 0; 19 | } 20 | 21 | size_t minimum_size = sizeof(char)*1+sizeof(struct tcpr_cidrmap_s)*20+sizeof(struct tcpr_cidr_s)*20+sizeof(struct tcpr_in6_addr)*19+sizeof(unsigned int)*7+sizeof(unsigned char)*3+sizeof(unsigned short)*3; 22 | 23 | #ifdef __cplusplus 24 | extern "C" 25 | #endif 26 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 27 | printf("Minimum size is %ld\n", minimum_size); 28 | return 0; 29 | } 30 | #ifdef __cplusplus 31 | extern "C" 32 | #endif 33 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 34 | size_t AFG_offset = 0; 35 | if(Size <= minimum_size) { 36 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 37 | return -1; 38 | } 39 | size_t pt_size = (Size - minimum_size) / 43; 40 | if (pt_size < sizeof(char) ) { return -1; } 41 | struct tcpr_cidrmap_s ** cidrmap1; 42 | cidrmap1 = (struct tcpr_cidrmap_s**)malloc(sizeof(struct tcpr_cidrmap_s*)*5); 43 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap1; 44 | for(int temp_AFG_1 = 0; temp_AFG_1 < 5; temp_AFG_1++) { 45 | cidrmap1[temp_AFG_1] = (struct tcpr_cidrmap_s*)malloc(sizeof(struct tcpr_cidrmap_s)); 46 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap1[temp_AFG_1]; 47 | cidrmap1[temp_AFG_1]->from = (struct tcpr_cidr_s*)malloc(sizeof(struct tcpr_cidr_s)); 48 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap1[temp_AFG_1]->from; 49 | memcpy((void *)&cidrmap1[temp_AFG_1]->from->family, AFG_Data+AFG_offset, sizeof(int)); 50 | AFG_offset+=sizeof(int); 51 | memcpy((void *)&cidrmap1[temp_AFG_1]->from->masklen, AFG_Data+AFG_offset, sizeof(int)); 52 | AFG_offset+=sizeof(int); 53 | cidrmap1[temp_AFG_1]->from->next = NULL; 54 | // A Union 'anonymous at /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/cidr.h:28:5' here, we select 'network6' 55 | memcpy((void *)&cidrmap1[temp_AFG_1]->from->u.network6.__u6_addr, AFG_Data+AFG_offset, sizeof(cidrmap1[temp_AFG_1]->from->u.network6.__u6_addr)); 56 | AFG_offset+=sizeof(cidrmap1[temp_AFG_1]->from->u.network6.__u6_addr); 57 | cidrmap1[temp_AFG_1]->to = (struct tcpr_cidr_s*)malloc(sizeof(struct tcpr_cidr_s)); 58 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap1[temp_AFG_1]->to; 59 | memcpy((void *)&cidrmap1[temp_AFG_1]->to->family, AFG_Data+AFG_offset, sizeof(int)); 60 | AFG_offset+=sizeof(int); 61 | memcpy((void *)&cidrmap1[temp_AFG_1]->to->masklen, AFG_Data+AFG_offset, sizeof(int)); 62 | AFG_offset+=sizeof(int); 63 | cidrmap1[temp_AFG_1]->to->next = NULL; 64 | // A Union 'anonymous at /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/cidr.h:28:5' here, we select 'network6' 65 | memcpy((void *)&cidrmap1[temp_AFG_1]->to->u.network6.__u6_addr, AFG_Data+AFG_offset, sizeof(cidrmap1[temp_AFG_1]->to->u.network6.__u6_addr)); 66 | AFG_offset+=sizeof(cidrmap1[temp_AFG_1]->to->u.network6.__u6_addr); 67 | cidrmap1[temp_AFG_1]->next = (struct tcpr_cidrmap_s*)malloc(sizeof(struct tcpr_cidrmap_s)); 68 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap1[temp_AFG_1]->next; 69 | cidrmap1[temp_AFG_1]->next->from = NULL; 70 | cidrmap1[temp_AFG_1]->next->to = NULL; 71 | cidrmap1[temp_AFG_1]->next->next = NULL; 72 | } 73 | struct tcpr_cidrmap_s ** cidrmap2; 74 | cidrmap2 = (struct tcpr_cidrmap_s**)malloc(sizeof(struct tcpr_cidrmap_s*)*5); 75 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap2; 76 | for(int temp_AFG_1 = 0; temp_AFG_1 < 5; temp_AFG_1++) { 77 | cidrmap2[temp_AFG_1] = (struct tcpr_cidrmap_s*)malloc(sizeof(struct tcpr_cidrmap_s)); 78 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap2[temp_AFG_1]; 79 | cidrmap2[temp_AFG_1]->from = (struct tcpr_cidr_s*)malloc(sizeof(struct tcpr_cidr_s)); 80 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap2[temp_AFG_1]->from; 81 | memcpy((void *)&cidrmap2[temp_AFG_1]->from->family, AFG_Data+AFG_offset, sizeof(int)); 82 | AFG_offset+=sizeof(int); 83 | memcpy((void *)&cidrmap2[temp_AFG_1]->from->masklen, AFG_Data+AFG_offset, sizeof(int)); 84 | AFG_offset+=sizeof(int); 85 | cidrmap2[temp_AFG_1]->from->next = NULL; 86 | // A Union 'anonymous at /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/cidr.h:28:5' here, we select 'network' 87 | memcpy((void *)&cidrmap2[temp_AFG_1]->from->u.network, AFG_Data+AFG_offset, sizeof(unsigned int)); 88 | AFG_offset+=sizeof(unsigned int); 89 | cidrmap2[temp_AFG_1]->to = (struct tcpr_cidr_s*)malloc(sizeof(struct tcpr_cidr_s)); 90 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap2[temp_AFG_1]->to; 91 | memcpy((void *)&cidrmap2[temp_AFG_1]->to->family, AFG_Data+AFG_offset, sizeof(int)); 92 | AFG_offset+=sizeof(int); 93 | memcpy((void *)&cidrmap2[temp_AFG_1]->to->masklen, AFG_Data+AFG_offset, sizeof(int)); 94 | AFG_offset+=sizeof(int); 95 | cidrmap2[temp_AFG_1]->to->next = NULL; 96 | // A Union 'anonymous at /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/common/cidr.h:28:5' here, we select 'network6' 97 | memcpy((void *)&cidrmap2[temp_AFG_1]->to->u.network6.__u6_addr, AFG_Data+AFG_offset, sizeof(cidrmap2[temp_AFG_1]->to->u.network6.__u6_addr)); 98 | AFG_offset+=sizeof(cidrmap2[temp_AFG_1]->to->u.network6.__u6_addr); 99 | cidrmap2[temp_AFG_1]->next = (struct tcpr_cidrmap_s*)malloc(sizeof(struct tcpr_cidrmap_s)); 100 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) cidrmap2[temp_AFG_1]->next; 101 | cidrmap2[temp_AFG_1]->next->from = NULL; 102 | cidrmap2[temp_AFG_1]->next->to = NULL; 103 | cidrmap2[temp_AFG_1]->next->next = NULL; 104 | } 105 | char * optarg; 106 | optarg = (char *)malloc(pt_size+1); 107 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) optarg; 108 | memcpy((void *)optarg, AFG_Data+AFG_offset, pt_size); 109 | optarg[pt_size] = '\0'; 110 | AFG_offset+=pt_size; 111 | 112 | AFG_func(cidrmap1, cidrmap2, optarg); 113 | 114 | AFG_fail: 115 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 116 | free(AFG_alloc_list[AFG_free_i]); 117 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 118 | fclose(AFG_fopen_list[AFG_free_i]); 119 | AFG_alloc_cnt = 0; 120 | AFG_fopen_cnt = 0; 121 | 122 | return 0; 123 | } 124 | -------------------------------------------------------------------------------- /ffjpeg/23dffdf/pr-46/AFG-jfif.c-AFG_default-jfif_decode.c: -------------------------------------------------------------------------------- 1 | #include "AFG-jfif.c-AFG_default-jfif_decode.h" 2 | /* This is the copy of /opt/disk/marsman/ffjpeg/23dffdf/code/src/jfif.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[117+16] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[1] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(JFIF* ctxt,BMP* pb) 15 | { 16 | jfif_decode(ctxt, pb); 17 | return 0; 18 | } 19 | 20 | size_t minimum_size = sizeof(JFIF)*1+sizeof(HUFCODEC)*32+sizeof(HUFCODEITEM)*8192+sizeof(int)*6+sizeof(BMP)*1; 21 | 22 | #ifdef __cplusplus 23 | extern "C" 24 | #endif 25 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 26 | printf("Minimum size is %ld\n", minimum_size); 27 | return 0; 28 | } 29 | #ifdef __cplusplus 30 | extern "C" 31 | #endif 32 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 33 | size_t AFG_offset = 0; 34 | if(Size <= minimum_size) { 35 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 36 | return -1; 37 | } 38 | size_t pt_size = (Size - minimum_size) / (116+16); 39 | if (pt_size < sizeof(int) || pt_size < sizeof(unsigned char) ) { return -1; } 40 | JFIF * ctxt; 41 | ctxt = (JFIF*)malloc(sizeof(JFIF)); 42 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt; 43 | for(int temp_AFG_2 = 0; temp_AFG_2 < 16; temp_AFG_2++) { 44 | ctxt->phcac[temp_AFG_2] = (HUFCODEC*)malloc(sizeof(HUFCODEC)); 45 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->phcac[temp_AFG_2]; 46 | for (int temp_AFG_3 = 0; temp_AFG_3 < 256; temp_AFG_3++) { 47 | memcpy((void *)&ctxt->phcac[temp_AFG_2]->codelist[temp_AFG_3], AFG_Data+AFG_offset, sizeof(HUFCODEITEM)); 48 | AFG_offset+=sizeof(HUFCODEITEM); 49 | } 50 | memcpy((void *)&ctxt->phcac[temp_AFG_2]->first, AFG_Data+AFG_offset, sizeof(int)*16); 51 | AFG_offset+=sizeof(int)*16; 52 | memcpy((void *)&ctxt->phcac[temp_AFG_2]->index, AFG_Data+AFG_offset, sizeof(int)*16); 53 | AFG_offset+=sizeof(int)*16; 54 | memcpy((void *)&ctxt->phcac[temp_AFG_2]->huftab, AFG_Data+AFG_offset, sizeof(unsigned char)*272); 55 | AFG_offset+=sizeof(unsigned char)*272; 56 | ctxt->phcac[temp_AFG_2]->input = (void *)malloc(pt_size); 57 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->phcac[temp_AFG_2]->input; 58 | memcpy((void *)ctxt->phcac[temp_AFG_2]->input, AFG_Data+AFG_offset, pt_size); 59 | AFG_offset+=pt_size; 60 | ctxt->phcac[temp_AFG_2]->output = (void *)malloc(pt_size); 61 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->phcac[temp_AFG_2]->output; 62 | memcpy((void *)ctxt->phcac[temp_AFG_2]->output, AFG_Data+AFG_offset, pt_size); 63 | AFG_offset+=pt_size; 64 | } 65 | for(int temp_AFG_2 = 0; temp_AFG_2 < 16; temp_AFG_2++) { 66 | ctxt->phcdc[temp_AFG_2] = (HUFCODEC*)malloc(sizeof(HUFCODEC)); 67 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->phcdc[temp_AFG_2]; 68 | for (int temp_AFG_3 = 0; temp_AFG_3 < 256; temp_AFG_3++) { 69 | memcpy((void *)&ctxt->phcdc[temp_AFG_2]->codelist[temp_AFG_3], AFG_Data+AFG_offset, sizeof(HUFCODEITEM)); 70 | AFG_offset+=sizeof(HUFCODEITEM); 71 | } 72 | memcpy((void *)&ctxt->phcdc[temp_AFG_2]->first, AFG_Data+AFG_offset, sizeof(int)*16); 73 | AFG_offset+=sizeof(int)*16; 74 | memcpy((void *)&ctxt->phcdc[temp_AFG_2]->index, AFG_Data+AFG_offset, sizeof(int)*16); 75 | AFG_offset+=sizeof(int)*16; 76 | memcpy((void *)&ctxt->phcdc[temp_AFG_2]->huftab, AFG_Data+AFG_offset, sizeof(unsigned char)*272); 77 | AFG_offset+=sizeof(unsigned char)*272; 78 | ctxt->phcdc[temp_AFG_2]->input = (void *)malloc(pt_size); 79 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->phcdc[temp_AFG_2]->input; 80 | memcpy((void *)ctxt->phcdc[temp_AFG_2]->input, AFG_Data+AFG_offset, pt_size); 81 | AFG_offset+=pt_size; 82 | ctxt->phcdc[temp_AFG_2]->output = (void *)malloc(pt_size); 83 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->phcdc[temp_AFG_2]->output; 84 | memcpy((void *)ctxt->phcdc[temp_AFG_2]->output, AFG_Data+AFG_offset, pt_size); 85 | AFG_offset+=pt_size; 86 | } 87 | for(int temp_AFG_2 = 0; temp_AFG_2 < 16; temp_AFG_2++) { 88 | ctxt->pqtab[temp_AFG_2] = (int *)malloc(pt_size); 89 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->pqtab[temp_AFG_2]; 90 | memcpy((void *)ctxt->pqtab[temp_AFG_2], AFG_Data+AFG_offset, pt_size); 91 | AFG_offset+=pt_size; 92 | } 93 | memcpy((void *)&ctxt->comp_num, AFG_Data+AFG_offset, sizeof(int)); 94 | AFG_offset+=sizeof(int); 95 | memcpy((void *)&ctxt->datalen, AFG_Data+AFG_offset, sizeof(int)); 96 | AFG_offset+=sizeof(int); 97 | memcpy((void *)&ctxt->height, AFG_Data+AFG_offset, sizeof(int)); 98 | AFG_offset+=sizeof(int); 99 | memcpy((void *)&ctxt->width, AFG_Data+AFG_offset, sizeof(int)); 100 | AFG_offset+=sizeof(int); 101 | for (int temp_AFG_2 = 0; temp_AFG_2 < 4; temp_AFG_2++) { 102 | memcpy((void *)&ctxt->comp_info[temp_AFG_2], AFG_Data+AFG_offset, sizeof(ctxt->comp_info)/4); 103 | AFG_offset+=sizeof(ctxt->comp_info)/4; 104 | } 105 | ctxt->databuf = (unsigned char *)malloc(pt_size+1); 106 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->databuf; 107 | memcpy((void *)ctxt->databuf, AFG_Data+AFG_offset, pt_size); 108 | memset((void *)(ctxt->databuf + pt_size), '\0', 1); 109 | AFG_offset+=pt_size; 110 | BMP * pb; 111 | pb = (BMP*)malloc(sizeof(BMP)); 112 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) pb; 113 | memcpy((void *)&pb->height, AFG_Data+AFG_offset, sizeof(int)); 114 | AFG_offset+=sizeof(int); 115 | memcpy((void *)&pb->stride, AFG_Data+AFG_offset, sizeof(int)); 116 | AFG_offset+=sizeof(int); 117 | memcpy((void *)&pb->width, AFG_Data+AFG_offset, sizeof(int)); 118 | AFG_offset+=sizeof(int); 119 | pb->pdata = (void *)malloc(pt_size); 120 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) pb->pdata; 121 | memcpy((void *)pb->pdata, AFG_Data+AFG_offset, pt_size); 122 | AFG_offset+=pt_size; 123 | 124 | ctxt->comp_num = ctxt->comp_num < 4 ? ctxt->comp_num : 4; 125 | AFG_offset = 0; 126 | for(int temp_AFG_2 = 0; temp_AFG_2 < 16; temp_AFG_2++) { 127 | ctxt->pqtab[temp_AFG_2] = (int *)malloc(64 * sizeof(int)); 128 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctxt->pqtab[temp_AFG_2]; 129 | memcpy((void *)ctxt->pqtab[temp_AFG_2], AFG_Data+AFG_offset, 64 * sizeof(int)); 130 | AFG_offset+=pt_size; 131 | } 132 | 133 | AFG_func(ctxt, pb); 134 | 135 | AFG_fail: 136 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 137 | free(AFG_alloc_list[AFG_free_i]); 138 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 139 | fclose(AFG_fopen_list[AFG_free_i]); 140 | AFG_alloc_cnt = 0; 141 | AFG_fopen_cnt = 0; 142 | 143 | return 0; 144 | } 145 | -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2022-30858/AFG-ngiflibSDL.c-AFG_default-SDL_LoadAnimatedGif.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "ngiflib.h" 4 | #include "ngiflibSDL.h" 5 | 6 | /* define NGIFLIBSDL_LOG to log to stdout */ 7 | 8 | /* SDL_LoadGIF a le meme comportement que SDL_LoadBMP */ 9 | SDL_Surface * SDL_LoadGIF(const char * file) 10 | { 11 | /* MODE WRAPPER A DEUX BALLES */ 12 | SDL_Surface * surface; 13 | struct ngiflib_gif * gif; 14 | FILE *fgif; 15 | int err,i; 16 | u8 * pdst, * psrc; 17 | u8 * p = NULL; 18 | #ifdef NGIFLIB_NO_FILE 19 | u8 * buffer; 20 | long filesize; 21 | #endif /* NGIFLIB_NO_FILE */ 22 | 23 | fgif = fopen(file, "rb"); 24 | if(fgif==NULL) 25 | return NULL; 26 | gif = (struct ngiflib_gif *)ngiflib_malloc(sizeof(struct ngiflib_gif)); 27 | ngiflib_memset(gif, 0, sizeof(struct ngiflib_gif)); 28 | #ifdef NGIFLIB_NO_FILE 29 | fseek(fgif, 0, SEEK_END); 30 | filesize = ftell(fgif); 31 | fseek(fgif, 0, SEEK_SET); 32 | buffer = malloc(filesize); 33 | if(buffer == NULL) { 34 | GifDestroy(gif); 35 | return NULL; 36 | } 37 | fread(buffer, 1, filesize, fgif); 38 | gif->input.bytes = buffer; 39 | gif->mode = NGIFLIB_MODE_FROM_MEM | NGIFLIB_MODE_INDEXED; 40 | #else /* NGIFLIB_NO_FILE */ 41 | gif->input.file = fgif; 42 | /*gif->mode = NGIFLIB_MODE_FROM_FILE | NGIFLIB_MODE_TRUE_COLOR; */ 43 | gif->mode = NGIFLIB_MODE_FROM_FILE | NGIFLIB_MODE_INDEXED; 44 | #ifdef NGIFLIBSDL_LOG 45 | gif->log = stdout; 46 | #endif /* NGIFLIBSDL_LOG */ 47 | #endif /* NGIFLIB_NO_FILE */ 48 | err = LoadGif(gif); 49 | fclose(fgif); 50 | #ifdef NGIFLIB_NO_FILE 51 | free(buffer); 52 | #endif /* NGIFLIB_NO_FILE */ 53 | if(err!=1) 54 | { 55 | GifDestroy(gif); 56 | return NULL; 57 | } 58 | p = gif->frbuff.p8; 59 | /* 60 | surface = SDL_CreateRGBSurfaceFrom(p, gif->width, gif->height, 61 | 32, gif->width << 2, 62 | 0x00ff0000, 63 | 0x0000ff00, 64 | 0x000000ff, 65 | 0xff000000); 66 | */ 67 | surface = SDL_CreateRGBSurface(SDL_SWSURFACE | SDL_SRCCOLORKEY, 68 | gif->width, gif->height, 8, 69 | 0,0,0,0); 70 | SDL_LockSurface(surface); 71 | if(gif->cur_img->gce.transparent_flag) 72 | { 73 | SDL_SetColorKey(surface, SDL_SRCCOLORKEY, gif->cur_img->gce.transparent_color); 74 | } 75 | for(i=0; incolors; i++) 76 | { 77 | surface->format->palette->colors[i].r = gif->palette[i].r; 78 | surface->format->palette->colors[i].g = gif->palette[i].g; 79 | surface->format->palette->colors[i].b = gif->palette[i].b; 80 | } 81 | psrc = p; pdst = surface->pixels; 82 | for(i=0; iheight; i++) 83 | { 84 | ngiflib_memcpy(pdst, psrc, gif->width); 85 | pdst += surface->pitch; 86 | psrc += gif->width; 87 | } 88 | SDL_UnlockSurface(surface); 89 | GifDestroy(gif); 90 | return surface; 91 | } 92 | 93 | struct ngiflibSDL_animation * SDL_LoadAnimatedGif(const char * file) 94 | { 95 | SDL_Surface * surface; 96 | struct ngiflib_gif * gif; 97 | FILE *fgif; 98 | int err,i; 99 | u8 * pdst, * psrc; 100 | u8 * p = NULL; 101 | #ifdef NGIFLIB_NO_FILE 102 | u8 * buffer; 103 | long filesize; 104 | #endif /* NGIFLIB_NO_FILE */ 105 | int image_count = 0; 106 | int image_count_max = 50; 107 | struct ngiflibSDL_animation * animation = NULL; 108 | struct ngiflib_rgb * current_palette = NULL; 109 | int current_palette_size = 0; 110 | 111 | fgif = fopen(file, "rb"); 112 | if(fgif==NULL) 113 | return NULL; 114 | gif = (struct ngiflib_gif *)ngiflib_malloc(sizeof(struct ngiflib_gif)); 115 | ngiflib_memset(gif, 0, sizeof(struct ngiflib_gif)); 116 | #ifdef NGIFLIB_NO_FILE 117 | fseek(fgif, 0, SEEK_END); 118 | filesize = ftell(fgif); 119 | fseek(fgif, 0, SEEK_SET); 120 | buffer = malloc(filesize); 121 | if(buffer == NULL) { 122 | GifDestroy(gif); 123 | return NULL; 124 | } 125 | fread(buffer, 1, filesize, fgif); 126 | gif->input.bytes = buffer; 127 | gif->mode = NGIFLIB_MODE_FROM_MEM | NGIFLIB_MODE_INDEXED; 128 | #else /* NGIFLIB_NO_FILE */ 129 | gif->input.file = fgif; 130 | /*gif->mode = NGIFLIB_MODE_FROM_FILE | NGIFLIB_MODE_TRUE_COLOR; */ 131 | gif->mode = NGIFLIB_MODE_FROM_FILE | NGIFLIB_MODE_INDEXED; 132 | #ifdef NGIFLIBSDL_LOG 133 | gif->log = stdout; 134 | #endif /* NGIFLIBSDL_LOG */ 135 | #endif /* NGIFLIB_NO_FILE */ 136 | while((err = LoadGif(gif)) == 1) { 137 | if(animation == NULL) { 138 | animation = ngiflib_malloc(sizeof(struct ngiflibSDL_animation) + image_count_max*sizeof(struct ngiflibSDL_image)); 139 | if(animation == NULL) 140 | return NULL; 141 | } else if(image_count >= image_count_max) { 142 | image_count_max += 50; 143 | struct ngiflibSDL_animation * tmp; 144 | tmp = realloc(animation, sizeof(struct ngiflibSDL_animation) + image_count_max*sizeof(struct ngiflibSDL_image)); 145 | if(tmp == NULL) { 146 | fprintf(stderr, "realloc() failed, cannot decode more images\n"); 147 | break; 148 | } 149 | animation = tmp; 150 | } 151 | p = gif->frbuff.p8; 152 | /* 153 | surface = SDL_CreateRGBSurfaceFrom(p, gif->width, gif->height, 154 | 32, gif->width << 2, 155 | 0x00ff0000, 156 | 0x0000ff00, 157 | 0x000000ff, 158 | 0xff000000); 159 | */ 160 | surface = SDL_CreateRGBSurface(SDL_SWSURFACE | SDL_SRCCOLORKEY, 161 | gif->width, gif->height, 8, 162 | 0,0,0,0); 163 | SDL_LockSurface(surface); 164 | /* 165 | if(gif->transparent_flag) { 166 | SDL_SetColorKey(surface, SDL_SRCCOLORKEY, gif->transparent_color); 167 | } 168 | */ 169 | if(gif->palette != gif->cur_img->palette) { 170 | current_palette = gif->cur_img->palette; 171 | current_palette_size = (1 << gif->cur_img->localpalbits); 172 | } else if(current_palette == NULL) { 173 | current_palette = gif->palette; 174 | current_palette_size = gif->ncolors; 175 | } 176 | for(i = 0; i < current_palette_size; i++) { 177 | surface->format->palette->colors[i].r = current_palette[i].r; 178 | surface->format->palette->colors[i].g = current_palette[i].g; 179 | surface->format->palette->colors[i].b = current_palette[i].b; 180 | //printf("#%02x%02x%02x ", current_palette[i].r, current_palette[i].g, current_palette[i].b); 181 | } 182 | for(; i < gif->ncolors; i++) { 183 | surface->format->palette->colors[i].r = gif->palette[i].r; 184 | surface->format->palette->colors[i].g = gif->palette[i].g; 185 | surface->format->palette->colors[i].b = gif->palette[i].b; 186 | //printf("#%02x%02x%02x ", gif->palette[i].r, gif->palette[i].g, gif->palette[i].b); 187 | } 188 | printf("\n"); 189 | psrc = p; pdst = surface->pixels; 190 | for(i=0; iheight; i++) { 191 | ngiflib_memcpy(pdst, psrc, gif->width); 192 | pdst += surface->pitch; 193 | psrc += gif->width; 194 | } 195 | SDL_UnlockSurface(surface); 196 | animation->images[image_count].delay_time = -1; 197 | if(gif->cur_img->gce.gce_present) { 198 | animation->images[image_count].delay_time = gif->cur_img->gce.delay_time; 199 | } 200 | animation->images[image_count].surface = surface; 201 | image_count++; 202 | } 203 | fclose(fgif); 204 | #ifdef NGIFLIB_NO_FILE 205 | free(buffer); 206 | #endif /* NGIFLIB_NO_FILE */ 207 | GifDestroy(gif); 208 | if(animation) animation->image_count = image_count; 209 | return animation; 210 | } 211 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27787/AFG-xX.c-parse_xX_str-parse_list.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | 3 | /* 4 | * Copyright (c) 2001-2010 Aaron Turner 5 | * Copyright (c) 2013-2017 Fred Klassen - AppNeta 6 | * 7 | * The Tcpreplay Suite of tools is free software: you can redistribute it 8 | * and/or modify it under the terms of the GNU General Public License as 9 | * published by the Free Software Foundation, either version 3 of the 10 | * License, or with the authors permission any later version. 11 | * 12 | * The Tcpreplay Suite is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with the Tcpreplay Suite. If not, see . 19 | */ 20 | 21 | /* 22 | * xX stands for "include or exclude" which is used with the 23 | * -x and -X flags 24 | * 25 | * Functions for use to process args for or check data against in 26 | * tcpreplay/do_packets and tcpprep. 27 | */ 28 | 29 | #include 30 | 31 | #include "config.h" 32 | #include "defines.h" 33 | #include "common.h" 34 | #include 35 | 36 | /** 37 | * returns the include_exclude_mode on success placing the CIDR or LIST in mybuf 38 | * but on failure, returns xXError 39 | */ 40 | int 41 | parse_xX_str(tcpr_xX_t *xX, char *str, tcpr_bpf_t *bpf) 42 | { 43 | int out = 0; 44 | 45 | dbgx(1, "Parsing string: %s", str); 46 | dbgx(1, "Switching on: %c", str[0]); 47 | 48 | switch (str[0]) { 49 | case 'B': /* both ip's */ 50 | str = str + 2; 51 | out = xXBoth; 52 | if (!parse_cidr(&(xX->cidr), str, ",")) 53 | return xXError; 54 | break; 55 | 56 | case 'D': /* dst ip */ 57 | str = str + 2; 58 | out = xXDest; 59 | if (!parse_cidr(&(xX->cidr), str, ",")) 60 | return xXError; 61 | break; 62 | 63 | case 'E': /* either ip */ 64 | str = str + 2; 65 | out = xXEither; 66 | if (!parse_cidr(&(xX->cidr), str, ",")) 67 | return xXError; 68 | break; 69 | 70 | case 'F': /* bpf filter */ 71 | str = str + 2; 72 | out = xXBPF; 73 | bpf->filter = safe_strdup(str); 74 | /* 75 | * note: it's temping to compile the BPF here, but we don't 76 | * yet know what the link type is for the file, so we have 77 | * to compile the BPF once we open the pcap file 78 | */ 79 | break; 80 | 81 | case 'P': /* packet id */ 82 | str = str + 2; 83 | out = xXPacket; 84 | if (!parse_list(&(xX->list), str)) 85 | return xXError; 86 | break; 87 | 88 | case 'S': /* source ip */ 89 | str = str + 2; 90 | out = xXSource; 91 | if (!parse_cidr(&(xX->cidr), str, ",")) 92 | return xXError; 93 | break; 94 | 95 | default: 96 | errx(-1, "Invalid -%c option: %c", xX->mode, *str); 97 | break; 98 | } 99 | 100 | if (xX->mode == 'X') { /* run in exclude mode */ 101 | out += xXExclude; 102 | if (bpf->filter != NULL) 103 | err(-1, "Using a BPF filter with -X doesn't work.\n" 104 | "Try using -xF:\"not \" instead"); 105 | } 106 | 107 | xX->mode = out; 108 | return xX->mode; 109 | } 110 | 111 | 112 | 113 | /** 114 | * compare the source/destination IP address according to the mode 115 | * and return 1 if we should send the packet or 0 if not 116 | */ 117 | int 118 | process_xX_by_cidr_ipv4(int mode, tcpr_cidr_t * cidr, ipv4_hdr_t * ip_hdr) 119 | { 120 | 121 | if (mode & xXExclude) { 122 | /* Exclude mode */ 123 | switch (mode ^ xXExclude) { 124 | case xXSource: 125 | /* note: check_ip_cidr() returns TCPR_DIR_C2S for true, TCPR_DIR_S2C for false 126 | * and NOT true/false or 1/0, etc! 127 | */ 128 | return check_ip_cidr(cidr, ip_hdr->ip_src.s_addr) ? DONT_SEND : SEND; 129 | break; 130 | 131 | case xXDest: 132 | return check_ip_cidr(cidr, ip_hdr->ip_dst.s_addr) ? DONT_SEND : SEND; 133 | 134 | case xXBoth: 135 | return (check_ip_cidr(cidr, ip_hdr->ip_dst.s_addr) && 136 | check_ip_cidr(cidr, ip_hdr->ip_src.s_addr) ) ? DONT_SEND : SEND; 137 | break; 138 | 139 | case xXEither: 140 | return (check_ip_cidr(cidr, ip_hdr->ip_dst.s_addr) || 141 | check_ip_cidr(cidr, ip_hdr->ip_src.s_addr) ) ? DONT_SEND : SEND; 142 | break; 143 | } 144 | } 145 | else { 146 | /* Include Mode */ 147 | switch (mode) { 148 | case xXSource: 149 | return check_ip_cidr(cidr, ip_hdr->ip_src.s_addr) ? SEND : DONT_SEND; 150 | break; 151 | 152 | case xXDest: 153 | return check_ip_cidr(cidr, ip_hdr->ip_dst.s_addr) ? SEND : DONT_SEND; 154 | break; 155 | 156 | case xXBoth: 157 | return (check_ip_cidr(cidr, ip_hdr->ip_dst.s_addr) && 158 | check_ip_cidr(cidr, ip_hdr->ip_src.s_addr) ) ? SEND : DONT_SEND; 159 | break; 160 | 161 | case xXEither: 162 | return (check_ip_cidr(cidr, ip_hdr->ip_dst.s_addr) || 163 | check_ip_cidr(cidr, ip_hdr->ip_src.s_addr) ) ? SEND : DONT_SEND; 164 | break; 165 | } 166 | } 167 | 168 | /* total failure */ 169 | if (mode &xXExclude) { 170 | warn("Unable to determine action in CIDR filter mode. Default: Don't Send."); 171 | return DONT_SEND; 172 | } else { 173 | warn("Unable to determine action in CIDR filter mode. Default: Send."); 174 | return SEND; 175 | } 176 | 177 | } 178 | 179 | int 180 | process_xX_by_cidr_ipv6(int mode, tcpr_cidr_t * cidr, ipv6_hdr_t * ip6_hdr) 181 | { 182 | 183 | if (mode & xXExclude) { 184 | /* Exclude mode */ 185 | switch (mode ^ xXExclude) { 186 | case xXSource: 187 | /* note: check_ip_cidr() returns TCPR_DIR_C2S for true, TCPR_DIR_S2C for false 188 | * and NOT true/false or 1/0, etc! 189 | */ 190 | return check_ip6_cidr(cidr, &ip6_hdr->ip_src) ? DONT_SEND : SEND; 191 | break; 192 | 193 | case xXDest: 194 | return check_ip6_cidr(cidr, &ip6_hdr->ip_dst) ? DONT_SEND : SEND; 195 | 196 | case xXBoth: 197 | return (check_ip6_cidr(cidr, &ip6_hdr->ip_dst) && 198 | check_ip6_cidr(cidr, &ip6_hdr->ip_src) ) ? DONT_SEND : SEND; 199 | break; 200 | 201 | case xXEither: 202 | return (check_ip6_cidr(cidr, &ip6_hdr->ip_dst) || 203 | check_ip6_cidr(cidr, &ip6_hdr->ip_src) ) ? DONT_SEND : SEND; 204 | break; 205 | } 206 | } 207 | else { 208 | /* Include Mode */ 209 | switch (mode) { 210 | case xXSource: 211 | return check_ip6_cidr(cidr, &ip6_hdr->ip_src) ? SEND : DONT_SEND; 212 | break; 213 | 214 | case xXDest: 215 | return check_ip6_cidr(cidr, &ip6_hdr->ip_dst) ? SEND : DONT_SEND; 216 | break; 217 | 218 | case xXBoth: 219 | return (check_ip6_cidr(cidr, &ip6_hdr->ip_dst) && 220 | check_ip6_cidr(cidr, &ip6_hdr->ip_src) ) ? SEND : DONT_SEND; 221 | break; 222 | 223 | case xXEither: 224 | return (check_ip6_cidr(cidr, &ip6_hdr->ip_dst) || 225 | check_ip6_cidr(cidr, &ip6_hdr->ip_src) ) ? SEND : DONT_SEND; 226 | break; 227 | } 228 | } 229 | 230 | /* total failure */ 231 | if (mode &xXExclude) { 232 | warn("Unable to determine action in CIDR filter mode. Default: Don't Send."); 233 | return DONT_SEND; 234 | } else { 235 | warn("Unable to determine action in CIDR filter mode. Default: Send."); 236 | return SEND; 237 | } 238 | 239 | } 240 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23053/AFDG-AFDG_default-makeswf_compile_source.h: -------------------------------------------------------------------------------- 1 | /**************************************************************************** 2 | * 3 | * makeswf - a command line actionscript compiler 4 | * 5 | * Copyright (C) 2003-2009 "Sandro Santilli" 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 20 | * 21 | **************************************************************************** 22 | * 23 | * Utility functions for 'makeswf' 24 | * 25 | ***************************************************************************/ 26 | 27 | /* This is needed to get vasprintf definition */ 28 | #define _GNU_SOURCE 1 29 | 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include "makeswf.h" 41 | #ifdef HAVE_GETOPT_H 42 | #include 43 | #endif 44 | #include "vasprintf.h" 45 | 46 | // Cheating, but it works (not sure why the above ifdef for getopt isn't) 47 | #ifdef _WIN32 48 | #include 49 | #endif 50 | 51 | #define DEFSWFVERSION 6 52 | #define DEFSWFCOMPRESSION 9 53 | 54 | //#define CPP "cpp -P -C -Wall" 55 | /* we don't need comments, do we ? */ 56 | #define CPP "cpp -xc++ -P -Wall" 57 | #define MAXERRORMSG 1024 58 | 59 | /* prototypes */ 60 | static int makeswf_preprocess (const char *file, const char *out); 61 | static char *makeswf_readfile (const char *file); 62 | static void compileError(const char *fmt, ...); 63 | static void printCompileMessage(SWFMsgFunc); 64 | 65 | /* data */ 66 | static char lastcompilemessage[MAXERRORMSG]; 67 | static int lastcompilefailed = 0; 68 | static int swfversion = DEFSWFVERSION; 69 | 70 | #define MAXCPPARGS 1024 71 | 72 | static char cppargs[MAXCPPARGS]; 73 | static int dopreprocess = 1; /* use preprocessor by default */ 74 | 75 | void 76 | makeswf_append_cpparg(const char* buf) 77 | { 78 | strncat(cppargs, buf, MAXCPPARGS-1); 79 | } 80 | 81 | void 82 | makeswf_set_dopreprocess(int value) 83 | { 84 | dopreprocess=value; 85 | } 86 | 87 | void 88 | makeswf_set_swfversion(int value) 89 | { 90 | swfversion=value; 91 | } 92 | 93 | SWFAction 94 | makeswf_compile_source(const char* filename, const char* ppfile, int debug) 95 | { 96 | SWFAction ac; 97 | char *code; 98 | char ppfile_fallback[PATH_MAX]; /* preprocessed file */ 99 | SWFMsgFunc old_error_func; 100 | int length; 101 | if ( dopreprocess ) 102 | { 103 | if ( ! ppfile ) 104 | { 105 | sprintf(ppfile_fallback, "%s.pp", filename); 106 | ppfile = ppfile_fallback; 107 | } 108 | 109 | // TODO: make sure ppfile is writable 110 | 111 | 112 | printf("Preprocessing %s... ", filename); 113 | fflush(stdout); 114 | if ( ! makeswf_preprocess(filename, ppfile) ) 115 | { 116 | return NULL; 117 | } 118 | //unlink(ppfile); 119 | filename = ppfile; 120 | printf("done.\n"); 121 | } 122 | if ( ! (code=makeswf_readfile(filename)) ) 123 | { 124 | return NULL; 125 | } 126 | 127 | old_error_func = Ming_setErrorFunction(compileError); 128 | 129 | printf("Compiling `%s'... ", filename); 130 | ac = newSWFAction(code); 131 | SWFAction_setDebug(ac, debug); 132 | if (SWFAction_compile(ac, swfversion, &length) || lastcompilefailed) 133 | { 134 | printf("failed:\n"); 135 | printCompileMessage(old_error_func); 136 | return NULL; 137 | } 138 | else 139 | { 140 | printf("successfully compiled %i bytes bytecode.\n", length); 141 | } 142 | free(code); 143 | 144 | Ming_setErrorFunction(old_error_func); 145 | 146 | return ac; 147 | } 148 | 149 | /* 150 | * Should translate preprocessed file's line number to 151 | * original file's line number (seems not so easy) 152 | */ 153 | static void 154 | printCompileMessage(SWFMsgFunc func) 155 | { 156 | char *ptr1; 157 | 158 | fprintf(stderr, " %s\n", strtok(lastcompilemessage, "\n")); 159 | while ( (ptr1=strtok(NULL, "\n")) ) 160 | { 161 | fprintf(stderr, " %s\n", ptr1); 162 | } 163 | func("\n"); 164 | } 165 | 166 | 167 | /* 168 | * This is here to handle line number reporting 169 | * due to preprocessor scrambling of it 170 | */ 171 | static void 172 | compileError(const char *fmt, ...) 173 | { 174 | char *msg; 175 | va_list ap; 176 | size_t msglen; 177 | 178 | va_start (ap, fmt); 179 | 180 | lastcompilefailed++; 181 | 182 | /* 183 | * This is a GNU extension. 184 | * Dunno how to handle errors here. 185 | */ 186 | if ( ! vasprintf(&msg, fmt, ap) ) 187 | { 188 | fprintf(stderr, "vasnprintf allocated 0 bytes\n"); 189 | va_end(ap); 190 | return; 191 | } 192 | va_end(ap); 193 | 194 | msglen = strlen(msg); 195 | if ( msglen > MAXERRORMSG-1 ) msglen = MAXERRORMSG-1; 196 | memcpy(lastcompilemessage, msg, msglen); 197 | free(msg); 198 | lastcompilemessage[MAXERRORMSG-1] = '\0'; 199 | 200 | return; 201 | } 202 | 203 | static char * 204 | makeswf_readfile (const char *file) 205 | { 206 | FILE *fd; 207 | struct stat buf; 208 | int size; 209 | char *ret; 210 | 211 | fd = fopen(file, "r"); 212 | if ( ! fd ) 213 | { 214 | perror(file); 215 | return NULL; 216 | } 217 | fstat(fileno(fd), &buf); 218 | size = buf.st_size; 219 | ret = (char *) malloc( size+1 ); 220 | if ( ! ret ) 221 | { 222 | perror("readfile"); 223 | return NULL; 224 | } 225 | if(fread(ret, 1, size, fd) != size) 226 | { 227 | fprintf(stderr, "makeswf_readfile: failed\n"); 228 | fclose(fd); 229 | free(ret); 230 | return NULL; 231 | } 232 | ret[size] = '\0'; 233 | fclose(fd); 234 | 235 | return ret; 236 | } 237 | 238 | static int 239 | makeswf_preprocess (const char *file, const char *out) 240 | { 241 | char buf[1024]; 242 | int ret; 243 | struct stat statbuf; 244 | 245 | if ( -1 == stat(file, &statbuf) ) 246 | { 247 | perror(file); 248 | // exit(EXIT_FAILURE); 249 | } 250 | 251 | sprintf(buf, "%s -D__SWF_VERSION__=%d %s %s > %s", CPP, 252 | swfversion, cppargs, file, out); 253 | /*printf("preprocess[%s]\n", buf);*/ 254 | 255 | ret = system(buf); 256 | if ( ret ) 257 | { 258 | return 0; 259 | // exit(EXIT_FAILURE); 260 | } 261 | 262 | return 1; 263 | } 264 | 265 | /************************************************************** 266 | * 267 | * $Log$ 268 | * Revision 1.14 2010/04/28 12:09:58 strk 269 | * Don't trust SWFAction_compile return code to be the only sign of failure. 270 | * 271 | * Revision 1.13 2009/09/08 22:26:17 strk 272 | * Update copyright notice (and FSF address) 273 | * 274 | * Revision 1.12 2008/10/13 21:57:19 krechert 275 | * fix warning 276 | * 277 | * Revision 1.11 2008/06/26 19:36:12 krechert 278 | * fix linker error and make enabling SWFAction's debug mode generic 279 | * 280 | * Revision 1.10 2007/12/17 17:28:26 strk 281 | * Check existance of input file before attempting to preprocess it 282 | * 283 | * Revision 1.9 2007/11/02 10:18:08 krechert 284 | * fix warnings 285 | * 286 | * Revision 1.8 2007/10/31 16:53:29 krechert 287 | * x 288 | * 289 | * Revision 1.7 2007/10/27 15:12:58 krechert 290 | * pass through real swf version 291 | * 292 | * Revision 1.6 2007/10/27 15:03:14 krechert 293 | * handle compile errors. do not output empty swf files 294 | * 295 | * Revision 1.5 2007/04/30 09:58:32 strk 296 | * Don't include getopt.h if it's not found. Patch by Nils Goroll . 297 | * 298 | * Revision 1.4 2007/04/14 16:58:46 strk 299 | * Removed unused CPP define from makeswf.c, fix the *used* one in makeswf_utils. 300 | * Thanks to Bastiaan Jacques for finding this out. 301 | * 302 | * Revision 1.3 2007/03/22 10:59:20 strk 303 | * Updated to use newSWFAction() instead of compileSWFActionCode() 304 | * 305 | * Revision 1.2 2006/07/10 16:11:26 strk 306 | * Changed makeswf_compile_source signature to accept path to preprocessor output file. Changed preprocessed file paths to (.frame#.pp) to reduce probability of filesystem permission problems. 307 | * 308 | * Revision 1.1 2006/07/08 13:47:18 strk 309 | * Split makeswf general functionalities in a separate file, for use by unit testers 310 | * 311 | * 312 | **************************************************************/ 313 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23054/AFG-shape_cubic.c-AFG_default-SWFShape_drawCubic.h: -------------------------------------------------------------------------------- 1 | /* 2 | Ming, an SWF output library 3 | Copyright (C) 2002 Opaque Industries - http://www.opaque.net/ 4 | 5 | This library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | This library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with this library; if not, write to the Free Software 17 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | */ 19 | 20 | #ifndef __C2MAN__ 21 | #include 22 | #include 23 | #endif 24 | 25 | #include "ming.h" 26 | #include "libming.h" 27 | #include "shape_util.h" 28 | #include "blocks/error.h" 29 | #include "blocks/shape.h" 30 | 31 | 32 | typedef struct 33 | { 34 | double x; 35 | double y; 36 | } point; 37 | 38 | typedef struct 39 | { 40 | point a; 41 | point b; 42 | point c; 43 | point d; 44 | } cubic; 45 | 46 | typedef struct 47 | { 48 | point a; 49 | point b; 50 | point c; 51 | } quadratic; 52 | 53 | static void halfpointCubic(cubic *c, double *x, double *y) 54 | { 55 | *x = (c->a.x + 3*c->b.x + 3*c->c.x + c->d.x) / 8; 56 | *y = (c->a.y + 3*c->b.y + 3*c->c.y + c->d.y) / 8; 57 | } 58 | 59 | static void halfpointQuadratic(quadratic *q, double *x, double *y) 60 | { 61 | *x = (q->a.x + 2*q->b.x + q->c.x) / 4; 62 | *y = (q->a.y + 2*q->b.y + q->c.y) / 4; 63 | } 64 | 65 | #define abs(f) ((f)>0?(f):-(f)) 66 | 67 | static double errorPoints(double ax, double ay, double bx, double by) 68 | { 69 | return abs(ax-bx) + abs(ay-by); 70 | } 71 | 72 | static void subdivideCubicLeft(cubic *New, cubic *old, double t) 73 | { 74 | SWF_assert(t>0.0 && t<1.0); 75 | 76 | if(New != old) 77 | memcpy(New, old, sizeof(cubic)); 78 | 79 | New->d.x = t*New->c.x + (1-t)*New->d.x; 80 | New->d.y = t*New->c.y + (1-t)*New->d.y; 81 | New->c.x = t*New->b.x + (1-t)*New->c.x; 82 | New->c.y = t*New->b.y + (1-t)*New->c.y; 83 | New->b.x = t*New->a.x + (1-t)*New->b.x; 84 | New->b.y = t*New->a.y + (1-t)*New->b.y; 85 | 86 | New->d.x = t*New->c.x + (1-t)*New->d.x; 87 | New->d.y = t*New->c.y + (1-t)*New->d.y; 88 | New->c.x = t*New->b.x + (1-t)*New->c.x; 89 | New->c.y = t*New->b.y + (1-t)*New->c.y; 90 | 91 | New->d.x = t*New->c.x + (1-t)*New->d.x; 92 | New->d.y = t*New->c.y + (1-t)*New->d.y; 93 | } 94 | 95 | static void subdivideCubicRight(cubic *New, cubic *old, double t) 96 | { 97 | SWF_assert(t>0.0 && t<1.0); 98 | 99 | if(New != old) 100 | memcpy(New, old, sizeof(cubic)); 101 | 102 | New->a.x = t*New->a.x + (1-t)*New->b.x; 103 | New->a.y = t*New->a.y + (1-t)*New->b.y; 104 | New->b.x = t*New->b.x + (1-t)*New->c.x; 105 | New->b.y = t*New->b.y + (1-t)*New->c.y; 106 | New->c.x = t*New->c.x + (1-t)*New->d.x; 107 | New->c.y = t*New->c.y + (1-t)*New->d.y; 108 | 109 | New->a.x = t*New->a.x + (1-t)*New->b.x; 110 | New->a.y = t*New->a.y + (1-t)*New->b.y; 111 | New->b.x = t*New->b.x + (1-t)*New->c.x; 112 | New->b.y = t*New->b.y + (1-t)*New->c.y; 113 | 114 | New->a.x = t*New->a.x + (1-t)*New->b.x; 115 | New->a.y = t*New->a.y + (1-t)*New->b.y; 116 | } 117 | 118 | static int SWFShape_approxCubic(SWFShape shape, cubic *c); 119 | 120 | static int subdivideCubic(SWFShape shape, cubic *c) 121 | { 122 | cubic New; 123 | int nCurves; 124 | 125 | subdivideCubicLeft(&New, c, 0.5); 126 | nCurves = SWFShape_approxCubic(shape, &New); 127 | 128 | subdivideCubicRight(&New, c, 0.5); 129 | nCurves += SWFShape_approxCubic(shape, &New); 130 | 131 | return nCurves; 132 | } 133 | 134 | static int SWFShape_approxCubic(SWFShape shape, cubic *c) 135 | { 136 | quadratic q; 137 | 138 | double cx, cy, qx, qy; 139 | 140 | if(c->b.x == c->a.x && c->b.y == c->a.y) 141 | { 142 | q.a = c->a; 143 | q.b = c->c; 144 | q.c = c->d; 145 | } 146 | else if(c->d.x == c->c.x && c->d.y == c->c.y) 147 | { 148 | q.a = c->a; 149 | q.b = c->b; 150 | q.c = c->d; 151 | } 152 | else 153 | if((c->a.x-c->b.x)*(c->c.x-c->b.x)+(c->a.y-c->b.y)*(c->c.y-c->b.y) >= 0 || 154 | (c->b.x-c->c.x)*(c->d.x-c->c.x)+(c->b.y-c->c.y)*(c->d.y-c->c.y) >= 0) 155 | { 156 | /* make sure that angles B and C are obtuse, so that outside 157 | edges meet on the right side */ 158 | 159 | return subdivideCubic(shape, c); 160 | } 161 | else 162 | { 163 | double bcrossa = c->b.x*c->a.y - c->a.x*c->b.y; 164 | double ccrossd = c->c.x*c->d.y - c->d.x*c->c.y; 165 | 166 | double denom = (c->a.y-c->b.y)*(c->d.x-c->c.x) - 167 | (c->a.x-c->b.x)*(c->d.y-c->c.y); 168 | 169 | if(denom == 0) 170 | { 171 | /* XXX - they're collinear?? */ 172 | SWFShape_drawScaledLineTo(shape, (int)rint(c->d.x), (int)rint(c->d.y)); 173 | return 1; 174 | } 175 | 176 | q.a = c->a; 177 | q.b.x = ((c->d.x-c->c.x)*bcrossa + (c->b.x-c->a.x)*ccrossd) / denom; 178 | q.b.y = ((c->d.y-c->c.y)*bcrossa + (c->b.y-c->a.y)*ccrossd) / denom; 179 | q.c = c->d; 180 | } 181 | 182 | halfpointCubic(c, &cx, &cy); 183 | halfpointQuadratic(&q, &qx, &qy); 184 | 185 | if(errorPoints(cx, cy, qx, qy) > Ming_cubicThreshold) 186 | { 187 | return subdivideCubic(shape, c); 188 | } 189 | else 190 | { 191 | /* draw quadratic w/ control point at intersection of outside edges */ 192 | 193 | SWFShape_drawScaledCurveTo(shape, (int)rint(q.b.x), (int)rint(q.b.y), 194 | (int)rint(q.c.x), (int)rint(q.c.y)); 195 | return 1; 196 | } 197 | } 198 | 199 | 200 | int SWFShape_drawScaledCubicTo(SWFShape shape, int bx, int by, 201 | int cx, int cy, int dx, int dy) 202 | { 203 | int ax = SWFShape_getScaledPenX(shape); 204 | int ay = SWFShape_getScaledPenY(shape); 205 | 206 | /* compute coefficients */ 207 | int a1x = -ax + 3*bx - 3*cx + dx; 208 | int a1y = -ay + 3*by - 3*cy + dy; 209 | int a2x = ax - 2*bx + cx; 210 | int a2y = ay - 2*by + cy; 211 | int a3x = -ax + bx; 212 | int a3y = -ay + by; 213 | 214 | double a = 6*(a2x*a1y-a2y*a1x); 215 | double b = 6*(a3x*a1y-a3y*a1x); 216 | double c = 2*(a3x*a2y-a3y*a2x); 217 | 218 | /* First, chop at inflection points, where a*t^2 + b*t + c = 0 */ 219 | 220 | double d = b*b - 4*a*c; 221 | 222 | double t1 = 0.0, t2 = 1.0; 223 | int nCurves = 0; 224 | 225 | cubic pts = { { ax, ay }, { bx, by }, {cx, cy }, { dx, dy } }; 226 | cubic New; 227 | 228 | if ( d > 0 ) 229 | { 230 | /* two roots */ 231 | 232 | t1 = (-b-sqrt(d))/(2*a); 233 | t2 = (-b+sqrt(d))/(2*a); 234 | 235 | if ( a < 0 ) 236 | { 237 | double tmp = t2; 238 | t2 = t1; 239 | t1 = tmp; 240 | } 241 | } 242 | else if ( d == 0 ) 243 | { 244 | /* singular root */ 245 | t1 = -b/(2*a); 246 | } 247 | 248 | /* use subdivision method to build t=0..t1, t=t1..t2, t=t2..1 curves */ 249 | 250 | if ( t1 > 0.0 && t1 < 1.0 ) 251 | { 252 | subdivideCubicLeft(&New, &pts, t1); 253 | 254 | nCurves += SWFShape_approxCubic(shape, &New); 255 | 256 | /* 257 | nCurves += SWFShape_drawCubicTo(shape, 258 | new.b.x, new.b.y, 259 | new.c.x, new.c.y, 260 | new.d.x, new.d.y); 261 | */ 262 | 263 | subdivideCubicRight(&pts, &pts, t1); 264 | t2 = (t2-t1)/(1-t1); 265 | } 266 | 267 | if ( t2 > 0.0 && t2 < 1.0 ) 268 | { 269 | subdivideCubicLeft(&New, &pts, t2); 270 | 271 | nCurves += SWFShape_approxCubic(shape, &New); 272 | 273 | /* 274 | nCurves += SWFShape_drawCubicTo(shape, 275 | new.b.x, new.b.y, 276 | new.c.x, new.c.y, 277 | new.d.x, new.d.y); 278 | */ 279 | 280 | subdivideCubicRight(&pts, &pts, t2); 281 | } 282 | 283 | nCurves += SWFShape_approxCubic(shape, &pts); 284 | 285 | return nCurves; 286 | } 287 | 288 | 289 | /* returns number of splines used */ 290 | 291 | int 292 | SWFShape_drawCubic(SWFShape shape, double bx, double by, 293 | double cx, double cy, double dx, double dy) 294 | { 295 | int sax = SWFShape_getScaledPenX(shape); 296 | int say = SWFShape_getScaledPenY(shape); 297 | int sbx = (int)rint(bx*Ming_scale) + sax; 298 | int sby = (int)rint(by*Ming_scale) + say; 299 | int scx = (int)rint(cx*Ming_scale) + sbx; 300 | int scy = (int)rint(cy*Ming_scale) + sby; 301 | int sdx = (int)rint(dx*Ming_scale) + scx; 302 | int sdy = (int)rint(dy*Ming_scale) + scy; 303 | 304 | return SWFShape_drawScaledCubicTo(shape, sbx, sby, scx, scy, sdx, sdy); 305 | } 306 | 307 | int SWFShape_drawCubicTo(SWFShape shape, double bx, double by, 308 | double cx, double cy, double dx, double dy) 309 | { 310 | return SWFShape_drawScaledCubicTo(shape, 311 | (int)rint(bx*Ming_scale), 312 | (int)rint(by*Ming_scale), 313 | (int)rint(cx*Ming_scale), 314 | (int)rint(cy*Ming_scale), 315 | (int)rint(dx*Ming_scale), 316 | (int)rint(dy*Ming_scale)); 317 | } 318 | 319 | 320 | /* 321 | * Local variables: 322 | * tab-width: 2 323 | * c-basic-offset: 2 324 | * End: 325 | */ 326 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23054/AFG-shape_cubic.c-AFG_default-SWFShape_drawCubic.c: -------------------------------------------------------------------------------- 1 | #include "/opt/disk/marsman/libming/0.4.8/code/src/blocks/output.c" 2 | #include "/opt/disk/marsman/libming/0.4.8/code/src/blocks/shape.c" 3 | #include "/opt/disk/marsman/libming/0.4.8/code/src/gc.c" 4 | #include "/opt/disk/marsman/libming/0.4.8/code/src/blocks/linestyle.c" 5 | #include "/opt/disk/marsman/libming/0.4.8/code/src/blocks/gradient.c" 6 | #include "/opt/disk/marsman/libming/0.4.8/code/src/blocks/fillstyle.c" 7 | 8 | #include "AFG-shape_cubic.c-AFG_default-SWFShape_drawCubic.h" 9 | /* This is the copy of /opt/disk/marsman/libming/0.4.8/code/src/shape_cubic.c */ 10 | #include 11 | // #include 12 | #include 13 | 14 | /* Structure definition needed by the fuzz driver */ 15 | 16 | void* AFG_alloc_list[29] = { NULL }; 17 | int AFG_alloc_cnt = 0; 18 | FILE* AFG_fopen_list[1] = { NULL }; 19 | int AFG_fopen_cnt = 0; 20 | 21 | int AFG_func(struct SWFShape_s* shape,double bx,double by,double cx,double cy,double dx,double dy) 22 | { 23 | SWFShape_drawCubic(shape, bx, by, cx, cy, dx, dy); 24 | return 0; 25 | } 26 | 27 | #ifdef __cplusplus 28 | extern "C" 29 | #endif 30 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) 31 | { 32 | size_t AFG_offset = 0, minimum_size = sizeof(double)*6+sizeof(struct SWFShape_s)*1+sizeof(struct SWFCharacter_s)*2+sizeof(struct SWFBlock_s)*1+sizeof(struct SWFRect_s)*2+sizeof(struct SWFFillStyle_s)*5+sizeof(struct SWFMatrix_s)*5+sizeof(unsigned char)*4+sizeof(struct SWFGradient_s)*1+sizeof(struct SWFLineStyle_s)*5+sizeof(struct SWFOutput_s)*1+sizeof(struct mem_node_t)*1+sizeof(struct shapeRecord)*1+sizeof(struct curveToRecord)*1+sizeof(struct lineToRecord)*1+sizeof(struct stateChangeRecord)*2; 33 | if(Size <= minimum_size) { 34 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 35 | return 0; 36 | } 37 | size_t pt_size = (Size - minimum_size) / 28; 38 | if (pt_size < sizeof(unsigned char) ) { return 0; } 39 | struct SWFShape_s * shape; 40 | shape = (struct SWFShape_s*)malloc(sizeof(struct SWFShape_s)); 41 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape; 42 | memcpy((void *)&shape->nRecords, Data+AFG_offset, sizeof(int)); 43 | AFG_offset+=sizeof(int); 44 | memcpy((void *)&shape->useVersion, Data+AFG_offset, sizeof(int)); 45 | AFG_offset+=sizeof(int); 46 | memcpy((void *)&shape->xpos, Data+AFG_offset, sizeof(int)); 47 | AFG_offset+=sizeof(int); 48 | memcpy((void *)&shape->ypos, Data+AFG_offset, sizeof(int)); 49 | AFG_offset+=sizeof(int); 50 | memcpy((void *)&shape->lineWidth, Data+AFG_offset, sizeof(short)); 51 | AFG_offset+=sizeof(short); 52 | shape->character.onFrame = SWFDisplayItem_removeFromList; /* Other candidate: None */ 53 | shape->character.onPlace = SWFDisplayItem_removeFromList; /* Other candidate: None */ 54 | memcpy((void *)&shape->character.id, Data+AFG_offset, sizeof(int)); 55 | AFG_offset+=sizeof(int); 56 | memcpy((void *)&shape->character.nDependencies, Data+AFG_offset, sizeof(int)); 57 | AFG_offset+=sizeof(int); 58 | memcpy((void *)&shape->character.block, Data+AFG_offset, sizeof(struct SWFBlock_s)); 59 | AFG_offset+=sizeof(struct SWFBlock_s); 60 | shape->character.dependencies = (struct SWFCharacter_s**)malloc(sizeof(struct SWFCharacter_s*)*5); 61 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->character.dependencies; 62 | shape->character.dependencies = NULL; 63 | shape->character.bounds = (struct SWFRect_s*)malloc(sizeof(struct SWFRect_s)); 64 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->character.bounds; 65 | memcpy((void *)shape->character.bounds, Data+AFG_offset, sizeof(struct SWFRect_s)); 66 | AFG_offset+=sizeof(struct SWFRect_s); 67 | memcpy((void *)&shape->character.isFinished, Data+AFG_offset, sizeof(unsigned char)); 68 | AFG_offset+=sizeof(unsigned char); 69 | shape->fills = (struct SWFFillStyle_s**)malloc(sizeof(struct SWFFillStyle_s*)*5); 70 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->fills; 71 | for(int temp_AFG_2 = 0; temp_AFG_2 < 5; temp_AFG_2++) { 72 | shape->fills[temp_AFG_2] = (struct SWFFillStyle_s*)malloc(sizeof(struct SWFFillStyle_s)); 73 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->fills[temp_AFG_2]; 74 | shape->fills[temp_AFG_2]->matrix = (struct SWFMatrix_s*)malloc(sizeof(struct SWFMatrix_s)); 75 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->fills[temp_AFG_2]->matrix; 76 | memcpy((void *)shape->fills[temp_AFG_2]->matrix, Data+AFG_offset, sizeof(struct SWFMatrix_s)); 77 | AFG_offset+=sizeof(struct SWFMatrix_s); 78 | // A Union 'anonymous at /opt/disk/marsman/libming/0.4.8/code/src/blocks/fillstyle.c:37:2' here, we select 'bitmap' 79 | shape->fills[temp_AFG_2]->data.bitmap = NULL; 80 | memcpy((void *)&shape->fills[temp_AFG_2]->type, Data+AFG_offset, sizeof(unsigned char)); 81 | AFG_offset+=sizeof(unsigned char); 82 | } 83 | shape->lines = (struct SWFLineStyle_s**)malloc(sizeof(struct SWFLineStyle_s*)*5); 84 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->lines; 85 | for(int temp_AFG_2 = 0; temp_AFG_2 < 5; temp_AFG_2++) { 86 | shape->lines[temp_AFG_2] = (struct SWFLineStyle_s*)malloc(sizeof(struct SWFLineStyle_s)); 87 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->lines[temp_AFG_2]; 88 | memcpy((void *)&shape->lines[temp_AFG_2]->miterLimit, Data+AFG_offset, sizeof(float)); 89 | AFG_offset+=sizeof(float); 90 | memcpy((void *)&shape->lines[temp_AFG_2]->flags, Data+AFG_offset, sizeof(int)); 91 | AFG_offset+=sizeof(int); 92 | shape->lines[temp_AFG_2]->fill = NULL; 93 | memcpy((void *)&shape->lines[temp_AFG_2]->a, Data+AFG_offset, sizeof(unsigned char)); 94 | AFG_offset+=sizeof(unsigned char); 95 | memcpy((void *)&shape->lines[temp_AFG_2]->b, Data+AFG_offset, sizeof(unsigned char)); 96 | AFG_offset+=sizeof(unsigned char); 97 | memcpy((void *)&shape->lines[temp_AFG_2]->g, Data+AFG_offset, sizeof(unsigned char)); 98 | AFG_offset+=sizeof(unsigned char); 99 | memcpy((void *)&shape->lines[temp_AFG_2]->r, Data+AFG_offset, sizeof(unsigned char)); 100 | AFG_offset+=sizeof(unsigned char); 101 | memcpy((void *)&shape->lines[temp_AFG_2]->width, Data+AFG_offset, sizeof(unsigned short)); 102 | AFG_offset+=sizeof(unsigned short); 103 | } 104 | shape->out = (struct SWFOutput_s*)malloc(sizeof(struct SWFOutput_s)); 105 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->out; 106 | memcpy((void *)&shape->out->bitpos, Data+AFG_offset, sizeof(int)); 107 | AFG_offset+=sizeof(int); 108 | memcpy((void *)&shape->out->buffersize, Data+AFG_offset, sizeof(int)); 109 | AFG_offset+=sizeof(int); 110 | memcpy((void *)&shape->out->free, Data+AFG_offset, sizeof(int)); 111 | AFG_offset+=sizeof(int); 112 | shape->out->next = NULL; 113 | shape->out->buffer = (unsigned char *)malloc(pt_size); 114 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->out->buffer; 115 | memcpy((void *)shape->out->buffer, Data+AFG_offset, pt_size); 116 | AFG_offset+=pt_size; 117 | shape->out->pos = (unsigned char *)malloc(pt_size); 118 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->out->pos; 119 | memcpy((void *)shape->out->pos, Data+AFG_offset, pt_size); 120 | AFG_offset+=pt_size; 121 | shape->edgeBounds = (struct SWFRect_s*)malloc(sizeof(struct SWFRect_s)); 122 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->edgeBounds; 123 | memcpy((void *)shape->edgeBounds, Data+AFG_offset, sizeof(struct SWFRect_s)); 124 | AFG_offset+=sizeof(struct SWFRect_s); 125 | shape->gcnode = (struct mem_node_t*)malloc(sizeof(struct mem_node_t)); 126 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->gcnode; 127 | shape->gcnode->next = NULL; 128 | shape->gcnode->prev = NULL; 129 | shape->gcnode->dtor = destroySWFAction; /* Other candidate: None */ 130 | shape->gcnode->ptr = (void *)malloc(pt_size); 131 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->gcnode->ptr; 132 | memcpy((void *)shape->gcnode->ptr, Data+AFG_offset, pt_size); 133 | AFG_offset+=pt_size; 134 | shape->records = (struct shapeRecord*)malloc(sizeof(struct shapeRecord)); 135 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->records; 136 | memcpy((void *)&shape->records->type, Data+AFG_offset, sizeof(shapeRecordType)); 137 | AFG_offset+=sizeof(shapeRecordType); 138 | // A Union 'anonymous at /opt/disk/marsman/libming/0.4.8/code/src/blocks/shape.c:76:2' here, we select 'stateChange' 139 | shape->records->record.stateChange = (struct stateChangeRecord*)malloc(sizeof(struct stateChangeRecord)); 140 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) shape->records->record.stateChange; 141 | memcpy((void *)shape->records->record.stateChange, Data+AFG_offset, sizeof(struct stateChangeRecord)); 142 | AFG_offset+=sizeof(struct stateChangeRecord); 143 | memcpy((void *)&shape->flags, Data+AFG_offset, sizeof(unsigned char)); 144 | AFG_offset+=sizeof(unsigned char); 145 | memcpy((void *)&shape->isEnded, Data+AFG_offset, sizeof(unsigned char)); 146 | AFG_offset+=sizeof(unsigned char); 147 | memcpy((void *)&shape->isMorph, Data+AFG_offset, sizeof(unsigned char)); 148 | AFG_offset+=sizeof(unsigned char); 149 | memcpy((void *)&shape->nFills, Data+AFG_offset, sizeof(unsigned char)); 150 | AFG_offset+=sizeof(unsigned char); 151 | memcpy((void *)&shape->nLines, Data+AFG_offset, sizeof(unsigned char)); 152 | AFG_offset+=sizeof(unsigned char); 153 | double bx; 154 | memcpy((void *)&bx, Data+AFG_offset, sizeof(double)); 155 | AFG_offset+=sizeof(double); 156 | double by; 157 | memcpy((void *)&by, Data+AFG_offset, sizeof(double)); 158 | AFG_offset+=sizeof(double); 159 | double cx; 160 | memcpy((void *)&cx, Data+AFG_offset, sizeof(double)); 161 | AFG_offset+=sizeof(double); 162 | double cy; 163 | memcpy((void *)&cy, Data+AFG_offset, sizeof(double)); 164 | AFG_offset+=sizeof(double); 165 | double dx; 166 | memcpy((void *)&dx, Data+AFG_offset, sizeof(double)); 167 | AFG_offset+=sizeof(double); 168 | double dy; 169 | memcpy((void *)&dy, Data+AFG_offset, sizeof(double)); 170 | AFG_offset+=sizeof(double); 171 | 172 | AFG_func(shape, bx, by, cx, cy, dx, dy); 173 | 174 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 175 | free(AFG_alloc_list[AFG_free_i]); 176 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 177 | fclose(AFG_fopen_list[AFG_free_i]); 178 | AFG_alloc_cnt = 0; 179 | AFG_fopen_cnt = 0; 180 | 181 | return 0; 182 | } 183 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27784/AFG-utils.c-AFG_default-read_hexstring.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | 3 | /* 4 | * Copyright (c) 2001-2010 Aaron Turner 5 | * Copyright (c) 2013-2017 Fred Klassen - AppNeta 6 | * 7 | * The Tcpreplay Suite of tools is free software: you can redistribute it 8 | * and/or modify it under the terms of the GNU General Public License as 9 | * published by the Free Software Foundation, either version 3 of the 10 | * License, or with the authors permission any later version. 11 | * 12 | * The Tcpreplay Suite is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with the Tcpreplay Suite. If not, see . 19 | */ 20 | 21 | #include "config.h" 22 | #include "defines.h" 23 | #include "common.h" 24 | 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | 31 | #ifdef DEBUG 32 | extern int debug; 33 | #endif 34 | 35 | /** 36 | * this is wrapped up in a #define safe_malloc 37 | * This function, detects failures to malloc memory and zeros out the 38 | * memory before returning 39 | */ 40 | 41 | void * 42 | _our_safe_malloc(size_t len, const char *funcname, const int line, const char *file) 43 | { 44 | u_char *ptr; 45 | 46 | if ((ptr = malloc(len)) == NULL) { 47 | fprintf(stderr, "ERROR in %s:%s() line %d: Unable to malloc() %zu bytes", file, funcname, line, len); 48 | exit(-1); 49 | } 50 | 51 | /* zero memory */ 52 | memset(ptr, 0, len); 53 | 54 | /* wrapped inside an #ifdef for better performance */ 55 | dbgx(5, "Malloc'd %zu bytes in %s:%s() line %d", len, file, funcname, line); 56 | 57 | return (void *)ptr; 58 | } 59 | 60 | /** 61 | * this is wrapped up in a #define safe_realloc 62 | * This function, detects failures to realloc memory and zeros 63 | * out the NEW memory if len > current len. As always, remember 64 | * to use it as: 65 | * ptr = safe_realloc(ptr, size) 66 | */ 67 | void * 68 | _our_safe_realloc(void *ptr, size_t len, const char *funcname, const int line, const char *file) 69 | { 70 | 71 | if ((ptr = realloc(ptr, len)) == NULL) { 72 | fprintf(stderr, "ERROR: in %s:%s() line %d: Unable to remalloc() buffer to %zu bytes", file, funcname, line, len); 73 | exit(-1); 74 | } 75 | 76 | dbgx(5, "Remalloc'd buffer to %zu bytes in %s:%s() line %d", len, file, funcname, line); 77 | 78 | return ptr; 79 | } 80 | 81 | /** 82 | * this is wrapped up in a #define safe_strdup 83 | * This function, detects failures to realloc memory 84 | */ 85 | char * 86 | _our_safe_strdup(const char *str, const char *funcname, const int line, const char *file) 87 | { 88 | char *newstr; 89 | 90 | if ((newstr = (char *)malloc(strlen(str) + 1)) == NULL) { 91 | fprintf(stderr, "ERROR in %s:%s() line %d: Unable to strdup() %zu bytes\n", file, funcname, line, strlen(str)); 92 | exit(-1); 93 | } 94 | 95 | memcpy(newstr, str, strlen(str) + 1); 96 | 97 | return newstr; 98 | 99 | } 100 | 101 | /** 102 | * calls free and sets to NULL. 103 | */ 104 | void 105 | _our_safe_free(void *ptr, const char *funcname, const int line, const char *file) 106 | { 107 | assert(funcname); 108 | assert(line); 109 | assert(file); 110 | 111 | if (ptr == NULL) 112 | return; 113 | 114 | free(ptr); 115 | ptr = NULL; 116 | } 117 | 118 | /** 119 | * Print various packet statistics 120 | */ 121 | void 122 | packet_stats(const tcpreplay_stats_t *stats) 123 | { 124 | struct timeval diff; 125 | COUNTER diff_us; 126 | COUNTER bytes_sec = 0; 127 | u_int32_t bytes_sec_10ths = 0; 128 | COUNTER mb_sec = 0; 129 | u_int32_t mb_sec_100ths = 0; 130 | u_int32_t mb_sec_1000ths = 0; 131 | COUNTER pkts_sec = 0; 132 | u_int32_t pkts_sec_100ths = 0; 133 | 134 | timersub(&stats->end_time, &stats->start_time, &diff); 135 | diff_us = TIMEVAL_TO_MICROSEC(&diff); 136 | 137 | if (diff_us && stats->pkts_sent && stats->bytes_sent) { 138 | COUNTER bytes_sec_X10; 139 | COUNTER pkts_sec_X100; 140 | COUNTER mb_sec_X1000; 141 | COUNTER mb_sec_X100; 142 | 143 | if (stats->bytes_sent > 1000 * 1000 * 1000 && diff_us > 1000 * 1000) { 144 | bytes_sec_X10 = (stats->bytes_sent * 10 * 1000) / (diff_us / 1000); 145 | pkts_sec_X100 = (stats->pkts_sent * 100 * 1000) / (diff_us / 1000); 146 | } else { 147 | bytes_sec_X10 = (stats->bytes_sent * 10 * 1000 * 1000) / diff_us; 148 | pkts_sec_X100 = (stats->pkts_sent * 100 * 1000 * 1000) / diff_us; 149 | } 150 | 151 | bytes_sec = bytes_sec_X10 / 10; 152 | bytes_sec_10ths = bytes_sec_X10 % 10; 153 | 154 | mb_sec_X1000 = (bytes_sec * 8) / 1000; 155 | mb_sec_X100 = mb_sec_X1000 / 10; 156 | mb_sec = mb_sec_X1000 / 1000; 157 | mb_sec_100ths = mb_sec_X100 % 100; 158 | mb_sec_1000ths = mb_sec_X1000 % 1000; 159 | 160 | pkts_sec = pkts_sec_X100 / 100; 161 | pkts_sec_100ths = pkts_sec_X100 % 100; 162 | } 163 | 164 | if (diff_us >= 1000 * 1000) 165 | printf("Actual: " COUNTER_SPEC " packets (" COUNTER_SPEC " bytes) sent in %zd.%02zd seconds\n", 166 | stats->pkts_sent, stats->bytes_sent, (ssize_t)diff.tv_sec, (ssize_t)(diff.tv_usec / (10 * 1000))); 167 | else 168 | printf("Actual: " COUNTER_SPEC " packets (" COUNTER_SPEC " bytes) sent in %zd.%06zd seconds\n", 169 | stats->pkts_sent, stats->bytes_sent, (ssize_t)diff.tv_sec, (ssize_t)diff.tv_usec); 170 | 171 | 172 | if (mb_sec >= 1) 173 | printf("Rated: %llu.%1u Bps, %llu.%02u Mbps, %llu.%02u pps\n", 174 | bytes_sec, bytes_sec_10ths, mb_sec, mb_sec_100ths, pkts_sec, pkts_sec_100ths); 175 | else 176 | printf("Rated: %llu.%1u Bps, %llu.%03u Mbps, %llu.%02u pps\n", 177 | bytes_sec, bytes_sec_10ths, mb_sec, mb_sec_1000ths, pkts_sec, pkts_sec_100ths); 178 | fflush(NULL); 179 | 180 | if (stats->failed) 181 | printf("Failed write attempts: " COUNTER_SPEC "\n", 182 | stats->failed); 183 | } 184 | 185 | /** 186 | * fills a buffer with a string representing the given time 187 | * 188 | * @param when: the time that should be formatted 189 | * @param buf: a buffer to write to 190 | * @param len: length of the buffer 191 | * @return: string containing date, or -1 on error 192 | */ 193 | int format_date_time(struct timeval *when, char *buf, size_t len) 194 | { 195 | struct tm *tm; 196 | char tmp[64]; 197 | 198 | assert(len); 199 | 200 | tm = localtime(&when->tv_sec); 201 | if (!tm) 202 | return -1; 203 | 204 | strftime(tmp, sizeof tmp, "%Y-%m-%d %H:%M:%S.%%06u", tm); 205 | return snprintf(buf, len, tmp, when->tv_usec); 206 | } 207 | 208 | /** 209 | * reads a hexstring in the format of xx,xx,xx,xx spits it back into *hex 210 | * up to hexlen bytes. Returns actual number of bytes returned. On error 211 | * it just calls errx() since all errors are fatal. 212 | */ 213 | int 214 | read_hexstring(const char *l2string, u_char *hex, const int hexlen) 215 | { 216 | int numbytes = 0; 217 | unsigned int value; 218 | char *l2byte; 219 | u_char databyte; 220 | char *token = NULL; 221 | char *string; 222 | 223 | string = safe_strdup(l2string); 224 | 225 | if (hexlen <= 0) 226 | err(-1, "Hex buffer must be > 0"); 227 | 228 | memset(hex, '\0', hexlen); 229 | 230 | /* data is hex, comma seperated, byte by byte */ 231 | 232 | /* get the first byte */ 233 | l2byte = strtok_r(string, ",", &token); 234 | sscanf(l2byte, "%x", &value); 235 | if (value > 0xff) 236 | errx(-1, "Invalid hex string byte: %s", l2byte); 237 | databyte = (u_char) value; 238 | memcpy(&hex[numbytes], &databyte, 1); 239 | 240 | /* get remaining bytes */ 241 | while ((l2byte = strtok_r(NULL, ",", &token)) != NULL) { 242 | numbytes++; 243 | if (numbytes + 1 > hexlen) { 244 | warn("Hex buffer too small for data- skipping data"); 245 | goto done; 246 | } 247 | sscanf(l2byte, "%x", &value); 248 | if (value > 0xff) 249 | errx(-1, "Invalid hex string byte: %s", l2byte); 250 | databyte = (u_char) value; 251 | memcpy(&hex[numbytes], &databyte, 1); 252 | } 253 | 254 | numbytes++; 255 | 256 | done: 257 | safe_free(string); 258 | 259 | dbgx(1, "Read %d bytes of hex data", numbytes); 260 | return (numbytes); 261 | } 262 | 263 | #ifdef USE_CUSTOM_INET_ATON 264 | int 265 | inet_aton(const char *name, struct in_addr *addr) 266 | { 267 | in_addr_t a = inet_addr(name); 268 | addr->s_addr = a; 269 | return a != (in_addr_t)-1; 270 | } 271 | #endif 272 | 273 | #if SIZEOF_CHARP == 4 274 | uint32_t __div64_32(uint64_t *n, uint32_t base) 275 | { 276 | uint64_t rem = *n; 277 | uint64_t b = base; 278 | uint64_t res, d = 1; 279 | uint32_t high = rem >> 32; 280 | 281 | /* Reduce the thing a bit first */ 282 | res = 0; 283 | if (high >= base) { 284 | high /= base; 285 | res = (uint64_t) high << 32; 286 | rem -= (uint64_t) (high*base) << 32; 287 | } 288 | 289 | while ((int64_t)b > 0 && b < rem) { 290 | b = b+b; 291 | d = d+d; 292 | } 293 | 294 | do { 295 | if (rem >= b) { 296 | rem -= b; 297 | res += d; 298 | } 299 | b >>= 1; 300 | d >>= 1; 301 | } while (d); 302 | 303 | *n = res; 304 | return rem; 305 | } 306 | #endif /* SIZEOF_CHARP == 4 */ 307 | 308 | /** 309 | * Implementation of rand_r that is consistent across all platforms 310 | * This algorithm is mentioned in the ISO C standard, here extended 311 | * for 32 bits. 312 | * @param: seed 313 | * @return: random number 314 | */ 315 | int tcpr_random(uint32_t *seed) 316 | { 317 | unsigned int next = *seed; 318 | int result; 319 | 320 | next *= 1103515245; 321 | next += 12345; 322 | result = (unsigned int) (next / 65536) % 2048; 323 | 324 | next *= 1103515245; 325 | next += 12345; 326 | result <<= 10; 327 | result ^= (unsigned int) (next / 65536) % 1024; 328 | 329 | next *= 1103515245; 330 | next += 12345; 331 | result <<= 10; 332 | result ^= (unsigned int) (next / 65536) % 1024; 333 | 334 | *seed = next; 335 | 336 | return result; 337 | } 338 | -------------------------------------------------------------------------------- /libming/0.4.8/CVE-2023-23051/AFG-action.c-SWFAction_compile-swf5parse.h: -------------------------------------------------------------------------------- 1 | /* 2 | Ming, an SWF output library 3 | Copyright (C) 2002 Opaque Industries - http://www.opaque.net/ 4 | 5 | This library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | This library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with this library; if not, write to the Free Software 17 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 | */ 19 | 20 | /* $Id$ */ 21 | 22 | #ifndef __C2MAN__ 23 | #include 24 | #include 25 | #endif 26 | 27 | #include "action.h" 28 | #include "output.h" 29 | #include "block.h" 30 | #include "input.h" 31 | #include "method.h" 32 | #include "libming.h" 33 | #include "character.h" 34 | #include "movieclip.h" 35 | #include "actioncompiler/compile.h" 36 | #include "actiontypes.h" 37 | 38 | typedef enum { 39 | INPUT_EMPTY, 40 | INPUT_FILE, 41 | INPUT_SCRIPT 42 | } ActionInputType; 43 | 44 | struct SWFAction_s 45 | { 46 | struct SWFBlock_s block; 47 | ActionInputType inputType; 48 | SWFOutput out; 49 | union 50 | { 51 | FILE *file; 52 | char *script; 53 | } input; 54 | int debug; 55 | }; 56 | 57 | struct SWFInitAction_s 58 | { 59 | struct SWFBlock_s block; 60 | int spriteId; 61 | SWFAction action; 62 | SWFMovieClip clip; 63 | }; 64 | 65 | static char *readActionFile(FILE *file) 66 | { 67 | int len; 68 | char *script; 69 | SWFInput input = newSWFInput_file(file); 70 | len = SWFInput_length(input); 71 | script = (char *)malloc(len + 1); 72 | if(SWFInput_read(input, (unsigned char *)script, len) != len) 73 | { 74 | SWF_warn("readActionFile failed\n"); 75 | free(script); 76 | return NULL; 77 | } 78 | destroySWFInput(input); 79 | script[len] = '\0'; 80 | return script; 81 | } 82 | 83 | void SWFOutput_writeAction(SWFOutput out, SWFAction action) 84 | { 85 | int len; 86 | byte *data; 87 | 88 | if(action->out == NULL) 89 | { 90 | SWF_warn("SWFAction: compile action first\n"); 91 | return; 92 | } 93 | 94 | len = SWFOutput_getLength(action->out); 95 | data = SWFOutput_getBuffer(action->out); 96 | SWFOutput_writeBuffer(out, data, len); 97 | } 98 | 99 | /* 100 | * Compiles the current script stored in this SWFAction instance. 101 | * returns 0 on success, -1 otherwise. 102 | * the length of the compiled bytecode is storen in the length pointer (if not NULL). 103 | */ 104 | int SWFAction_compile(SWFAction action, 105 | int swfVersion /* target SWF version */, 106 | int *length /* output length */) 107 | { 108 | char *script = NULL; 109 | Buffer b; 110 | int parserError; 111 | 112 | if(action->out != NULL) 113 | { 114 | if(length != NULL) 115 | *length = SWFOutput_getLength(action->out); 116 | return 0; 117 | } 118 | 119 | switch(action->inputType) 120 | { 121 | case INPUT_SCRIPT: 122 | script = action->input.script; 123 | break; 124 | case INPUT_FILE: 125 | script = readActionFile(action->input.file); 126 | break; 127 | default: break; 128 | } 129 | 130 | if(script != NULL && swfVersion == 4) 131 | { 132 | swf4ParseInit(script, action->debug, swfVersion); 133 | parserError = swf4parse((void *)&b); 134 | } 135 | else if (script != NULL) 136 | { 137 | swf5ParseInit(script, action->debug, swfVersion); 138 | parserError = swf5parse((void *)&b); 139 | } 140 | else 141 | parserError = 1; 142 | 143 | // if INPUT_FILE script was allocated by readActionFile() 144 | if(action->inputType == INPUT_FILE) 145 | free(script); 146 | 147 | action->out = newSWFOutput(); 148 | 149 | if(!parserError) 150 | { 151 | SWFOutput_writeBuffer(action->out, b->buffer, bufferLength(b)); 152 | destroyBuffer(b); 153 | } 154 | else 155 | SWF_warn("Parser error: writing empty block\n"); 156 | 157 | SWFOutput_writeUInt8(action->out, SWFACTION_END); 158 | if(length != NULL) 159 | *length = SWFOutput_getLength(action->out); 160 | 161 | if(parserError) 162 | return -1; 163 | 164 | return 0; 165 | } 166 | 167 | /* 168 | * Returns the compiled bytecode. 169 | * If not already compiled the script will compiled for SWF V7. 170 | * 171 | * Returns NULL in case of an error. Length pointer stores the length of 172 | * the compiled bytecode. 173 | */ 174 | byte *SWFAction_getByteCode(SWFAction action, int *length) 175 | { 176 | int ret = 0; 177 | if(action == NULL) 178 | return NULL; 179 | 180 | if(action->out == NULL) 181 | { 182 | SWF_warn("SWFAction_getByteCode: please use SWFAction_compile first\n"); 183 | SWF_warn("auto-compiling as SWF 7 code now...\n"); 184 | ret = SWFAction_compile(action, 7, (int *)length); 185 | } 186 | 187 | if(ret < 0) 188 | { 189 | *length = -1; 190 | return NULL; 191 | } 192 | return SWFOutput_getBuffer(action->out); 193 | } 194 | 195 | static int 196 | completeSWFAction(SWFBlock block) 197 | { 198 | int length; 199 | SWFAction action = (SWFAction)block; 200 | SWFAction_compile(action, block->swfVersion, &length); 201 | return length; 202 | } 203 | 204 | static int 205 | completeSWFInitAction(SWFBlock block) 206 | { 207 | SWFInitAction init = (SWFInitAction)block; 208 | int len; 209 | 210 | SWFAction_compile(init->action, block->swfVersion, &len); 211 | return len + 2; 212 | } 213 | 214 | 215 | static void 216 | writeSWFActionToMethod(SWFBlock block, SWFByteOutputMethod method, void* data) 217 | { 218 | SWFOutput out = ((SWFAction)block)->out; 219 | SWFOutput_writeToMethod(out, method, data); 220 | } 221 | 222 | static void 223 | writeSWFInitActionToMethod(SWFBlock block, SWFByteOutputMethod method, void* data) 224 | { 225 | SWFInitAction init = (SWFInitAction)block; 226 | methodWriteUInt16(init->spriteId, method, data); 227 | SWFOutput_writeToMethod(init->action->out, method, data); 228 | } 229 | 230 | /* 231 | * Destroys a SWFAction instance 232 | */ 233 | void destroySWFAction(SWFAction action) 234 | { 235 | if(!action) 236 | return; 237 | 238 | switch(action->inputType) 239 | { 240 | case INPUT_FILE: 241 | fclose(action->input.file); 242 | break; 243 | case INPUT_SCRIPT: 244 | free(action->input.script); 245 | break; 246 | default: 247 | break; 248 | } 249 | 250 | if(action->out) 251 | destroySWFOutput(action->out); 252 | 253 | free(action); 254 | } 255 | 256 | void destroySWFInitAction(SWFInitAction init) 257 | { 258 | if(!init) 259 | return; 260 | 261 | if(init->clip) 262 | destroySWFMovieClip(init->clip); 263 | destroySWFAction(init->action); 264 | free(init); 265 | } 266 | 267 | 268 | static SWFAction createEmptyAction() 269 | { 270 | SWFAction action = (SWFAction)malloc(sizeof(struct SWFAction_s)); 271 | 272 | SWFBlockInit(BLOCK(action)); 273 | BLOCK(action)->type = SWF_DOACTION; 274 | BLOCK(action)->writeBlock = writeSWFActionToMethod; 275 | BLOCK(action)->complete = completeSWFAction; 276 | BLOCK(action)->dtor = (destroySWFBlockMethod) destroySWFAction; 277 | action->inputType = INPUT_EMPTY; 278 | action->out = NULL; 279 | action->debug = 0; 280 | return action; 281 | } 282 | 283 | /** 284 | * enable verbose compiler output 285 | * 286 | * Set debug value to 1 get very! verbose compile messages. 287 | * @return old value 288 | */ 289 | int SWFAction_setDebug(SWFAction a, int debug /*debug switch*/) 290 | { 291 | int oldval; 292 | if(!a) 293 | return -1; 294 | oldval = a->debug; 295 | a->debug = debug; 296 | return oldval; 297 | } 298 | 299 | /* 300 | * Creates a new SWFAction object. 301 | * Takes a String containing AS[2] source code. 302 | * 303 | * returns a SWFAction instance. 304 | */ 305 | SWFAction newSWFAction(const char *script) 306 | { 307 | SWFAction action = createEmptyAction(); 308 | action->inputType = INPUT_SCRIPT; 309 | action->input.script = strdup(script); 310 | 311 | return action; 312 | } 313 | 314 | /* 315 | * Creates a new SWFAction object. 316 | * Takes a filename pointing to a file containing AS[2] source code. 317 | * 318 | * return a SWFAction instance. 319 | */ 320 | SWFAction newSWFAction_fromFile(const char *filename) 321 | { 322 | SWFAction action = createEmptyAction(); 323 | action->inputType = INPUT_FILE; 324 | action->input.file = fopen(filename, "r"); 325 | if(action->input.file == NULL) 326 | { 327 | destroySWFAction(action); 328 | return NULL; 329 | } 330 | return action; 331 | } 332 | 333 | SWFMovieClip SWFInitAction_getMovieClip(SWFInitAction action) 334 | { 335 | return action->clip; 336 | } 337 | 338 | /* 339 | * create a InitAction block with a given sprite's character id 340 | * 341 | * This function creates a InitAction block with a given sprite's character id. 342 | * Use with care! 343 | */ 344 | SWFInitAction newSWFInitAction_withId(SWFAction action, int id /* mc character id */) 345 | { 346 | SWFInitAction init = (SWFInitAction)malloc(sizeof(struct SWFInitAction_s)); 347 | SWFBlockInit(BLOCK(init)); 348 | BLOCK(init)->writeBlock = writeSWFInitActionToMethod; 349 | BLOCK(init)->complete = completeSWFInitAction; 350 | BLOCK(init)->dtor = (destroySWFBlockMethod) destroySWFInitAction; 351 | BLOCK(init)->type = SWF_INITACTION; 352 | init->clip = NULL; // use external clip 353 | init->spriteId = id; 354 | init->action = action; 355 | return init; 356 | } 357 | 358 | /* 359 | * create a InitAction block 360 | * 361 | * This function creates a InitAction block and defines an empty sprite/mc 362 | * which is not placed. This functions is usefull for defining classes. 363 | */ 364 | SWFInitAction newSWFInitAction(SWFAction action) 365 | { 366 | SWFInitAction init = (SWFInitAction)malloc(sizeof(struct SWFInitAction_s)); 367 | SWFBlockInit(BLOCK(init)); 368 | BLOCK(init)->writeBlock = writeSWFInitActionToMethod; 369 | BLOCK(init)->complete = completeSWFInitAction; 370 | BLOCK(init)->dtor = (destroySWFBlockMethod) destroySWFInitAction; 371 | BLOCK(init)->type = SWF_INITACTION; 372 | init->clip = newSWFMovieClip(); 373 | init->spriteId = CHARACTERID(init->clip); 374 | init->action = action; 375 | return init; 376 | } 377 | 378 | SWFInitAction newSWFInitAction_MovieClip(SWFMovieClip clip, SWFAction action) 379 | { 380 | SWFInitAction init = (SWFInitAction)malloc(sizeof(struct SWFInitAction_s)); 381 | SWFBlockInit(BLOCK(init)); 382 | BLOCK(init)->writeBlock = writeSWFInitActionToMethod; 383 | BLOCK(init)->complete = completeSWFInitAction; 384 | BLOCK(init)->dtor = (destroySWFBlockMethod) destroySWFInitAction; 385 | BLOCK(init)->type = SWF_INITACTION; 386 | init->spriteId = CHARACTERID(clip); 387 | init->clip = NULL; // use external clip 388 | init->action = action; 389 | return init; 390 | } 391 | 392 | /* 393 | * Local variables: 394 | * tab-width: 2 395 | * c-basic-offset: 2 396 | * End: 397 | */ 398 | -------------------------------------------------------------------------------- /ngiflib/75b9920/CVE-2021-36530/AFG-ngiflib.c-LoadGif-GetByteStr.c: -------------------------------------------------------------------------------- 1 | #include "AFG-ngiflib.c-LoadGif-GetByteStr.h" 2 | /* This is the copy of /opt/disk/marsman/ngiflib/75b9920/build_normal/ngiflib.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | 9 | void* AFG_alloc_list[9] = { NULL }; 10 | int AFG_alloc_cnt = 0; 11 | FILE* AFG_fopen_list[2] = { NULL }; 12 | int AFG_fopen_cnt = 0; 13 | 14 | int AFG_func(struct ngiflib_gif* g) 15 | { 16 | struct ngiflib_gce gce; 17 | u8 sign; 18 | u8 tmp; 19 | int i; 20 | if(!g) 21 | return 0; 22 | gce.gce_present = 0; 23 | if(g->nimg == 0) 24 | { 25 | GetByteStr(g, g->signature, 6); 26 | g->signature[6] = '\x00'; 27 | if(g->signature[0] != 'G' || g->signature[1] != 'I' || g->signature[2] != 'F' || g->signature[3] != '8') 28 | return 0; 29 | GetWord(g); 30 | GetWord(g); 31 | tmp = GetByte(g); 32 | g->imgbits = (tmp & 7) + 1; 33 | g->ncolors = 1 << g->imgbits; 34 | GetByte(g); 35 | GetByte(g); 36 | if(tmp & 128) 37 | { 38 | for(i = 0; i < g->ncolors; i++) 39 | { 40 | GetByte(g); 41 | GetByte(g); 42 | GetByte(g); 43 | } 44 | } 45 | } 46 | for(; ; ) 47 | { 48 | char appid_auth[11]; 49 | u8 id, size; 50 | int blockindex; 51 | sign = GetByte(g); 52 | switch(sign) 53 | { 54 | case 59: 55 | return 0; 56 | case '!': 57 | id = GetByte(g); 58 | blockindex = 0; 59 | while((size = GetByte(g))) 60 | { 61 | u8 ext[256]; 62 | GetByteStr(g, ext, size); 63 | switch(id) 64 | { 65 | case 249: 66 | gce.gce_present = 1; 67 | gce.disposal_method = (ext[0] >> 2) & 7; 68 | gce.transparent_flag = ext[0] & 1; 69 | if(gce.transparent_flag && ((g->nimg == 0) || gce.disposal_method == 2)) 70 | { 71 | FillGifBackGround(g); 72 | } 73 | break; 74 | case 254: 75 | if(g->log) 76 | { 77 | ext[size] = '\x00'; 78 | fputs((char *)ext, g->log); 79 | } 80 | break; 81 | case 255: 82 | if(blockindex == 0) 83 | { 84 | memcpy(appid_auth, ext, 11); 85 | if(g->log) 86 | { 87 | fputc((ext[8] < 32) ? ' ' : ext[8], g->log); 88 | fputc((ext[9] < 32) ? ' ' : ext[9], g->log); 89 | fputc((ext[10] < 32) ? ' ' : ext[10], g->log); 90 | } 91 | } 92 | else 93 | { 94 | if(g->log) 95 | { 96 | for(i = 0; i < size; i++) 97 | { 98 | _IO_putc((ext[i] < 32) ? ' ' : ext[i], g->log); 99 | } 100 | } 101 | if(0 == memcmp(appid_auth, "NETSCAPE2.0", 11)) 102 | { 103 | if(ext[0] == 1) 104 | { 105 | } 106 | } 107 | } 108 | break; 109 | case 1: 110 | if(g->log) 111 | { 112 | for(i = 0; i < size; i++) 113 | { 114 | _IO_putc((ext[i] < 32) ? ' ' : ext[i], g->log); 115 | } 116 | _IO_putc('\n', g->log); 117 | } 118 | break; 119 | } 120 | blockindex++; 121 | } 122 | switch(id) 123 | { 124 | case 1: 125 | case 254: 126 | case 255: 127 | break; 128 | } 129 | break; 130 | case 44: 131 | if(g->nimg == 0) 132 | { 133 | g->cur_img = malloc(sizeof(struct ngiflib_img)); 134 | } 135 | else 136 | { 137 | g->cur_img->next = malloc(sizeof(struct ngiflib_img)); 138 | g->cur_img = g->cur_img->next; 139 | } 140 | g->cur_img->next = ((void *)0); 141 | if(gce.gce_present) 142 | { 143 | memcpy(&g->cur_img->gce, &gce, sizeof(struct ngiflib_gce)); 144 | } 145 | else 146 | { 147 | memset(&g->cur_img->gce, 0, sizeof(struct ngiflib_gce)); 148 | } 149 | DecodeGifImg(g->cur_img); 150 | g->nimg++; 151 | tmp = GetByte(g); 152 | return 0; 153 | default: 154 | return 0; 155 | } 156 | } 157 | } 158 | 159 | size_t minimum_size = sizeof(struct ngiflib_gif)*1+sizeof(struct ngiflib_img)*2+sizeof(struct ngiflib_gce)*2+sizeof(struct ngiflib_rgb)*3+sizeof(unsigned char)*1+sizeof(void*)*1+sizeof(union ngiflib_pixpointer)*1; 160 | 161 | #ifdef __cplusplus 162 | extern "C" 163 | #endif 164 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 165 | printf("Minimum size is %ld\n", minimum_size); 166 | return 0; 167 | } 168 | #ifdef __cplusplus 169 | extern "C" 170 | #endif 171 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 172 | size_t AFG_offset = 0; 173 | if(Size <= minimum_size) { 174 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 175 | return -1; 176 | } 177 | size_t pt_size = (Size - minimum_size) / 9; 178 | if (pt_size < sizeof(unsigned char) || pt_size < sizeof(unsigned int) ) { return -1; } 179 | struct ngiflib_gif * g; 180 | g = (struct ngiflib_gif*)malloc(sizeof(struct ngiflib_gif)); 181 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) g; 182 | memcpy((void *)&g->netscape_loop_count, AFG_Data+AFG_offset, sizeof(int)); 183 | AFG_offset+=sizeof(int); 184 | memcpy((void *)&g->nimg, AFG_Data+AFG_offset, sizeof(int)); 185 | AFG_offset+=sizeof(int); 186 | g->log = fopen("AFG_file_0", "w+"); 187 | AFG_fopen_list[AFG_fopen_cnt++] = g->log; 188 | fwrite(AFG_Data+AFG_offset, 1, pt_size, g->log); 189 | rewind(g->log); 190 | AFG_offset+=pt_size; 191 | g->cur_img = (struct ngiflib_img*)malloc(sizeof(struct ngiflib_img)); 192 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) g->cur_img; 193 | memcpy((void *)&g->cur_img->gce, AFG_Data+AFG_offset, sizeof(struct ngiflib_gce)); 194 | AFG_offset+=sizeof(struct ngiflib_gce); 195 | g->cur_img->parent = NULL; 196 | g->cur_img->next = NULL; 197 | g->cur_img->palette = (struct ngiflib_rgb*)malloc(sizeof(struct ngiflib_rgb)); 198 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) g->cur_img->palette; 199 | memcpy((void *)g->cur_img->palette, AFG_Data+AFG_offset, sizeof(struct ngiflib_rgb)); 200 | AFG_offset+=sizeof(struct ngiflib_rgb); 201 | memcpy((void *)&g->cur_img->imgbits, AFG_Data+AFG_offset, sizeof(unsigned char)); 202 | AFG_offset+=sizeof(unsigned char); 203 | memcpy((void *)&g->cur_img->interlaced, AFG_Data+AFG_offset, sizeof(unsigned char)); 204 | AFG_offset+=sizeof(unsigned char); 205 | memcpy((void *)&g->cur_img->localpalbits, AFG_Data+AFG_offset, sizeof(unsigned char)); 206 | AFG_offset+=sizeof(unsigned char); 207 | memcpy((void *)&g->cur_img->sort_flag, AFG_Data+AFG_offset, sizeof(unsigned char)); 208 | AFG_offset+=sizeof(unsigned char); 209 | memcpy((void *)&g->cur_img->height, AFG_Data+AFG_offset, sizeof(unsigned short)); 210 | AFG_offset+=sizeof(unsigned short); 211 | memcpy((void *)&g->cur_img->ncolors, AFG_Data+AFG_offset, sizeof(unsigned short)); 212 | AFG_offset+=sizeof(unsigned short); 213 | memcpy((void *)&g->cur_img->posX, AFG_Data+AFG_offset, sizeof(unsigned short)); 214 | AFG_offset+=sizeof(unsigned short); 215 | memcpy((void *)&g->cur_img->posY, AFG_Data+AFG_offset, sizeof(unsigned short)); 216 | AFG_offset+=sizeof(unsigned short); 217 | memcpy((void *)&g->cur_img->width, AFG_Data+AFG_offset, sizeof(unsigned short)); 218 | AFG_offset+=sizeof(unsigned short); 219 | g->first_img = (struct ngiflib_img*)malloc(sizeof(struct ngiflib_img)); 220 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) g->first_img; 221 | memcpy((void *)&g->first_img->gce, AFG_Data+AFG_offset, sizeof(struct ngiflib_gce)); 222 | AFG_offset+=sizeof(struct ngiflib_gce); 223 | g->first_img->parent = NULL; 224 | g->first_img->next = NULL; 225 | g->first_img->palette = (struct ngiflib_rgb*)malloc(sizeof(struct ngiflib_rgb)); 226 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) g->first_img->palette; 227 | memcpy((void *)g->first_img->palette, AFG_Data+AFG_offset, sizeof(struct ngiflib_rgb)); 228 | AFG_offset+=sizeof(struct ngiflib_rgb); 229 | memcpy((void *)&g->first_img->imgbits, AFG_Data+AFG_offset, sizeof(unsigned char)); 230 | AFG_offset+=sizeof(unsigned char); 231 | memcpy((void *)&g->first_img->interlaced, AFG_Data+AFG_offset, sizeof(unsigned char)); 232 | AFG_offset+=sizeof(unsigned char); 233 | memcpy((void *)&g->first_img->localpalbits, AFG_Data+AFG_offset, sizeof(unsigned char)); 234 | AFG_offset+=sizeof(unsigned char); 235 | memcpy((void *)&g->first_img->sort_flag, AFG_Data+AFG_offset, sizeof(unsigned char)); 236 | AFG_offset+=sizeof(unsigned char); 237 | memcpy((void *)&g->first_img->height, AFG_Data+AFG_offset, sizeof(unsigned short)); 238 | AFG_offset+=sizeof(unsigned short); 239 | memcpy((void *)&g->first_img->ncolors, AFG_Data+AFG_offset, sizeof(unsigned short)); 240 | AFG_offset+=sizeof(unsigned short); 241 | memcpy((void *)&g->first_img->posX, AFG_Data+AFG_offset, sizeof(unsigned short)); 242 | AFG_offset+=sizeof(unsigned short); 243 | memcpy((void *)&g->first_img->posY, AFG_Data+AFG_offset, sizeof(unsigned short)); 244 | AFG_offset+=sizeof(unsigned short); 245 | memcpy((void *)&g->first_img->width, AFG_Data+AFG_offset, sizeof(unsigned short)); 246 | AFG_offset+=sizeof(unsigned short); 247 | g->palette = (struct ngiflib_rgb*)malloc(sizeof(struct ngiflib_rgb)); 248 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) g->palette; 249 | memcpy((void *)g->palette, AFG_Data+AFG_offset, sizeof(struct ngiflib_rgb)); 250 | AFG_offset+=sizeof(struct ngiflib_rgb); 251 | // A Union 'anonymous at /opt/disk/marsman/ngiflib/75b9920/build_normal/ngiflib.h:132:2' here, we select 'bytes' 252 | g->input.bytes = (unsigned char *)malloc(pt_size+1); 253 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) g->input.bytes; 254 | memcpy((void *)g->input.bytes, AFG_Data+AFG_offset, pt_size); 255 | memset((void *)(g->input.bytes + pt_size), '\0', 1); 256 | AFG_offset+=pt_size; 257 | // A Union 'union ngiflib_pixpointer' here, we select 'p32' 258 | g->frbuff.p32 = (unsigned int *)malloc(pt_size); 259 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) g->frbuff.p32; 260 | memcpy((void *)g->frbuff.p32, AFG_Data+AFG_offset, pt_size); 261 | AFG_offset+=pt_size; 262 | memcpy((void *)&g->signature, AFG_Data+AFG_offset, sizeof(unsigned char)*7); 263 | AFG_offset+=sizeof(unsigned char)*7; 264 | memcpy((void *)&g->backgroundindex, AFG_Data+AFG_offset, sizeof(unsigned char)); 265 | AFG_offset+=sizeof(unsigned char); 266 | memcpy((void *)&g->colorresolution, AFG_Data+AFG_offset, sizeof(unsigned char)); 267 | AFG_offset+=sizeof(unsigned char); 268 | memcpy((void *)&g->imgbits, AFG_Data+AFG_offset, sizeof(unsigned char)); 269 | AFG_offset+=sizeof(unsigned char); 270 | memcpy((void *)&g->mode, AFG_Data+AFG_offset, sizeof(unsigned char)); 271 | AFG_offset+=sizeof(unsigned char); 272 | memcpy((void *)&g->pixaspectratio, AFG_Data+AFG_offset, sizeof(unsigned char)); 273 | AFG_offset+=sizeof(unsigned char); 274 | memcpy((void *)&g->sort_flag, AFG_Data+AFG_offset, sizeof(unsigned char)); 275 | AFG_offset+=sizeof(unsigned char); 276 | memcpy((void *)&g->height, AFG_Data+AFG_offset, sizeof(unsigned short)); 277 | AFG_offset+=sizeof(unsigned short); 278 | memcpy((void *)&g->ncolors, AFG_Data+AFG_offset, sizeof(unsigned short)); 279 | AFG_offset+=sizeof(unsigned short); 280 | memcpy((void *)&g->width, AFG_Data+AFG_offset, sizeof(unsigned short)); 281 | AFG_offset+=sizeof(unsigned short); 282 | 283 | g->mode = NGIFLIB_MODE_FROM_MEM; 284 | unsigned int AFG_br; 285 | memcpy(&AFG_br, AFG_Data + AFG_offset, sizeof(unsigned int)); 286 | if ((AFG_br % 2) == 1) 287 | g->mode |= NGIFLIB_MODE_INDEXED; 288 | else 289 | g->mode |= NGIFLIB_MODE_TRUE_COLOR; 290 | 291 | AFG_func(g); 292 | 293 | AFG_fail: 294 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 295 | free(AFG_alloc_list[AFG_free_i]); 296 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 297 | fclose(AFG_fopen_list[AFG_free_i]); 298 | AFG_alloc_cnt = 0; 299 | AFG_fopen_cnt = 0; 300 | 301 | return 0; 302 | } 303 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27788/AFG-portmap.c-parse_portmap-ports2PORT.h: -------------------------------------------------------------------------------- 1 | /* $Id$ */ 2 | 3 | /* 4 | * Copyright (c) 2001-2010 Aaron Turner 5 | * Copyright (c) 2013-2017 Fred Klassen - AppNeta 6 | * 7 | * The Tcpreplay Suite of tools is free software: you can redistribute it 8 | * and/or modify it under the terms of the GNU General Public License as 9 | * published by the Free Software Foundation, either version 3 of the 10 | * License, or with the authors permission any later version. 11 | * 12 | * The Tcpreplay Suite is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with the Tcpreplay Suite. If not, see . 19 | */ 20 | 21 | /* 22 | * This file contains routines to manipulate port maps, in which 23 | * one port number is mapped to another. 24 | */ 25 | #include "config.h" 26 | #include "defines.h" 27 | #include "common.h" 28 | 29 | #include 30 | #include 31 | #include 32 | 33 | #include "tcpreplay.h" 34 | #include "tcpedit.h" 35 | #include "portmap.h" 36 | #include "incremental_checksum.h" 37 | 38 | /** 39 | * mallocs a new tcpedit_portmap_t structure 40 | */ 41 | tcpedit_portmap_t * 42 | new_portmap() 43 | { 44 | tcpedit_portmap_t *newportmap; 45 | 46 | newportmap = (tcpedit_portmap_t *)safe_malloc(sizeof(tcpedit_portmap_t)); 47 | return (newportmap); 48 | } 49 | 50 | /** 51 | * \brief parses a string : and returns a new tcpedit_portmap_t struct 52 | * 53 | * We support the following formats: 54 | * : - map a single port to a new port 55 | * -: - map a range of ports to a new port 56 | * ++...: - map a list of ports to a single ports 57 | * 58 | * In the case of port ranges or port lists, we actually return a 59 | * chain of tcpedit_portmap_t's 60 | */ 61 | static tcpedit_portmap_t * 62 | ports2PORT(char *ports) 63 | { 64 | tcpedit_portmap_t *portmap = NULL, *portmap_head = NULL, *portmap_last = NULL; 65 | char *from_s, *to_s, *from_begin, *from_end, *badchar; 66 | long from_l, to_l, from_b, from_e, i; 67 | char *token = NULL, *token2 = NULL; 68 | 69 | assert(ports); 70 | 71 | from_begin = NULL; 72 | from_end = NULL; 73 | 74 | /* first split the port numbers */ 75 | from_s = strtok_r(ports, ":", &token); 76 | to_s = strtok_r(NULL, ":", &token); 77 | 78 | /* if there's anything left, it's a syntax error */ 79 | if (strtok_r(NULL, ":", &token) != NULL) 80 | return NULL; 81 | 82 | /* if either of the parsed strings is NULL, we have a problem */ 83 | if (from_s == NULL || to_s == NULL) 84 | return NULL; 85 | 86 | /* source map can have - (range) or , (and), but not both */ 87 | if (strchr(from_s, '-') && strchr(from_s, '+')) 88 | return NULL; 89 | 90 | /* process to the to port */ 91 | to_l = strtol(to_s, &badchar, 10); 92 | if (strlen(badchar) != 0) 93 | return NULL; 94 | 95 | if (to_l > 65535 || to_l < 0) 96 | return NULL; 97 | 98 | /* 99 | * put the new portmap info into the new node 100 | * while we convert to network-byte order, b/c its better 101 | * to do it once now, rather then each time we have to do a lookup 102 | */ 103 | portmap_head = new_portmap(); 104 | portmap = portmap_last = portmap_head; 105 | 106 | /* process a range, setting from_begin & from_end */ 107 | if (strchr(from_s, '-')) { 108 | from_begin = strtok_r(from_s, "-", &token2); 109 | from_end = strtok_r(NULL, "-", &token2); 110 | from_b = strtol(from_begin, &badchar, 10); 111 | if (strlen(badchar) != 0) { 112 | free(portmap); 113 | return NULL; 114 | } 115 | from_e = strtol(from_end, &badchar, 10); 116 | if (strlen(badchar) != 0) { 117 | free(portmap); 118 | return NULL; 119 | } 120 | 121 | if (from_b > 65535 || from_b < 0 || from_e > 65535 || from_e < 0) { 122 | free(portmap); 123 | return NULL; 124 | } 125 | 126 | for (i = from_b; i <= from_e; i++) { 127 | portmap->from = htons(i); 128 | portmap->to = htons(to_l); 129 | portmap->next = new_portmap(); 130 | portmap_last = portmap; 131 | portmap = portmap->next; 132 | } 133 | portmap_last->next = NULL; 134 | free(portmap); 135 | portmap = portmap_head = NULL; 136 | } 137 | /* process a list via +, filling in list[] */ 138 | else if (strchr(from_s, '+')) { 139 | from_begin = strtok_r(from_s, "+", &token2); 140 | from_l = strtol(from_begin, &badchar, 10); 141 | if (strlen(badchar) != 0) { 142 | free(portmap); 143 | return NULL; 144 | } 145 | portmap->to = htons(to_l); 146 | portmap->from = htons(from_l); 147 | 148 | while ((from_begin = strtok_r(NULL, "+", &token2)) != NULL) { 149 | from_l = strtol(from_begin, &badchar, 10); 150 | if (strlen(badchar) != 0 || from_l > 65535 || from_l < 0) { 151 | portmap = portmap_head; 152 | while (portmap) { 153 | tcpedit_portmap_t *tmp_portmap = portmap->next; 154 | free(portmap); 155 | portmap = tmp_portmap; 156 | } 157 | return NULL; 158 | } 159 | portmap->next = new_portmap(); 160 | portmap = portmap->next; 161 | portmap->to = htons(to_l); 162 | portmap->from = htons(from_l); 163 | } 164 | } 165 | /* this is just the old port:port format */ 166 | else { 167 | /* 168 | * convert the strings to longs: if badchar points to anything 169 | * after, then it was a bad string 170 | */ 171 | from_l = strtol(from_s, &badchar, 10); 172 | if (strlen(badchar) != 0 || from_l > 65535 || from_l < 0) { 173 | free(portmap); 174 | return NULL; 175 | } 176 | portmap->to = htons(to_l); 177 | portmap->from = htons(from_l); 178 | } 179 | 180 | /* return structure for success */ 181 | return portmap_head; 182 | } 183 | 184 | /** 185 | * Processes a string (ourstr) containing the portmap ("2000:4000" for 186 | * example) and places the data in **portmapdata and finally returns 1 for 187 | * success, 0 for fail. 188 | */ 189 | int 190 | parse_portmap(tcpedit_portmap_t ** portmap, const char *ourstr) 191 | { 192 | tcpedit_portmap_t *portmap_ptr; 193 | char *substr = NULL, *ourstrcpy = NULL, *token = NULL; 194 | 195 | assert(ourstr); 196 | ourstrcpy = safe_strdup(ourstr); 197 | 198 | /* first iteration of input */ 199 | substr = strtok_r(ourstrcpy, ",", &token); 200 | 201 | if ((*portmap = ports2PORT(substr)) == NULL) { 202 | safe_free(ourstrcpy); 203 | return 0; 204 | } 205 | 206 | portmap_ptr = *portmap; 207 | 208 | /* ports2PORT may return a chain, so find the end of it */ 209 | while (portmap_ptr->next != NULL) 210 | portmap_ptr = portmap_ptr->next; 211 | 212 | while (1) { 213 | substr = strtok_r(NULL, ",", &token); 214 | /* if that was the last one, kick out */ 215 | if (substr == NULL) 216 | break; 217 | 218 | /* process next record */ 219 | portmap_ptr->next = ports2PORT(substr); 220 | 221 | /* ports2PORT may return a chain, so find the end of it */ 222 | while (portmap_ptr->next != NULL) 223 | portmap_ptr = portmap_ptr->next; 224 | } 225 | 226 | safe_free(ourstrcpy); 227 | return 1; 228 | } 229 | 230 | 231 | /** 232 | * Free's all the memory associated with the given portmap chain 233 | */ 234 | void 235 | free_portmap(tcpedit_portmap_t * portmap) 236 | { 237 | 238 | assert(portmap); 239 | 240 | /* recursively go down the portmaps */ 241 | if (portmap->next != NULL) 242 | free_portmap(portmap->next); 243 | 244 | safe_free(portmap); 245 | } 246 | 247 | 248 | /** 249 | * This function takes a pointer to a portmap list and prints each node 250 | */ 251 | void 252 | print_portmap(tcpedit_portmap_t *portmap_data) 253 | { 254 | tcpedit_portmap_t *portmap_ptr; 255 | 256 | assert(portmap_data); 257 | portmap_ptr = portmap_data; 258 | while (portmap_ptr != NULL) { 259 | printf("from: %ld to: %ld\n", portmap_ptr->from, portmap_ptr->to); 260 | portmap_ptr = portmap_ptr->next; 261 | } 262 | 263 | printf("\n"); 264 | } 265 | 266 | 267 | /** 268 | * This function takes a portmap and a port, and returns the mapped port, 269 | * or the original port if it isn't mapped to anything. 270 | */ 271 | long 272 | map_port(tcpedit_portmap_t *portmap_data, long port) 273 | { 274 | tcpedit_portmap_t *portmap_ptr; 275 | long newport; 276 | 277 | assert(portmap_data); 278 | 279 | portmap_ptr = portmap_data; 280 | newport = port; 281 | 282 | /* step through the nodes, resetting newport if a match is found */ 283 | while (portmap_ptr != NULL) { 284 | if (portmap_ptr->from == port) 285 | newport = portmap_ptr->to; 286 | 287 | portmap_ptr = portmap_ptr->next; 288 | } 289 | 290 | return(newport); 291 | } 292 | 293 | /** 294 | * rewrites the TCP or UDP ports based on a portmap 295 | * returns 1 for changes made or 0 for none 296 | */ 297 | 298 | static int 299 | rewrite_ports(tcpedit_t *tcpedit, u_char protocol, u_char *layer4) 300 | { 301 | tcp_hdr_t *tcp_hdr = NULL; 302 | udp_hdr_t *udp_hdr = NULL; 303 | uint16_t newport; 304 | tcpedit_portmap_t *portmap; 305 | 306 | assert(tcpedit); 307 | assert(tcpedit->portmap); 308 | portmap = tcpedit->portmap; 309 | 310 | if (protocol == IPPROTO_TCP) { 311 | tcp_hdr = (tcp_hdr_t *)layer4; 312 | 313 | /* check if we need to remap the destination port */ 314 | newport = map_port(portmap, tcp_hdr->th_dport); 315 | if (newport != tcp_hdr->th_dport) { 316 | csum_replace2(&tcp_hdr->th_sum, tcp_hdr->th_dport, newport); 317 | tcp_hdr->th_dport = newport; 318 | } 319 | 320 | /* check if we need to remap the source port */ 321 | newport = map_port(portmap, tcp_hdr->th_sport); 322 | if (newport != tcp_hdr->th_sport) { 323 | csum_replace2(&tcp_hdr->th_sum, tcp_hdr->th_sport, newport); 324 | tcp_hdr->th_sport = newport; 325 | } 326 | 327 | } else if (protocol == IPPROTO_UDP) { 328 | udp_hdr = (udp_hdr_t *)layer4; 329 | 330 | /* check if we need to remap the destination port */ 331 | newport = map_port(portmap, udp_hdr->uh_dport); 332 | if (newport != udp_hdr->uh_dport) { 333 | if (udp_hdr->uh_sum) { 334 | csum_replace2(&udp_hdr->uh_sum, udp_hdr->uh_dport, newport); 335 | } 336 | 337 | udp_hdr->uh_dport = newport; 338 | } 339 | 340 | /* check if we need to remap the source port */ 341 | newport = map_port(portmap, udp_hdr->uh_sport); 342 | if (newport != udp_hdr->uh_sport) { 343 | if (udp_hdr->uh_sum) { 344 | csum_replace2(&udp_hdr->uh_sum, udp_hdr->uh_sport, newport); 345 | } 346 | 347 | udp_hdr->uh_sport = newport; 348 | } 349 | 350 | } 351 | return 0; 352 | } 353 | 354 | int 355 | rewrite_ipv4_ports(tcpedit_t *tcpedit, ipv4_hdr_t **ip_hdr) 356 | { 357 | assert(tcpedit); 358 | u_char *l4; 359 | 360 | if (*ip_hdr == NULL) { 361 | return 0; 362 | } else if ((*ip_hdr)->ip_p == IPPROTO_TCP || (*ip_hdr)->ip_p == IPPROTO_UDP) { 363 | l4 = get_layer4_v4(*ip_hdr, 65536); 364 | return rewrite_ports(tcpedit, (*ip_hdr)->ip_p, l4); 365 | } 366 | 367 | return 0; 368 | } 369 | 370 | int 371 | rewrite_ipv6_ports(tcpedit_t *tcpedit, ipv6_hdr_t **ip6_hdr) 372 | { 373 | assert(tcpedit); 374 | u_char *l4; 375 | 376 | if (*ip6_hdr == NULL) { 377 | return 0; 378 | } else if ((*ip6_hdr)->ip_nh == IPPROTO_TCP || (*ip6_hdr)->ip_nh == IPPROTO_UDP) { 379 | l4 = get_layer4_v6(*ip6_hdr, 65535); 380 | return rewrite_ports(tcpedit, (*ip6_hdr)->ip_nh, l4); 381 | } 382 | return 0; 383 | } 384 | -------------------------------------------------------------------------------- /tcpreplay/4.2.6/CVE-2023-27783/AFG-jnpr_ether.c-dlt_jnpr_ether_cleanup-tcpedit_dlt_cleanup.c: -------------------------------------------------------------------------------- 1 | #include "AFG-jnpr_ether.c-dlt_jnpr_ether_cleanup-tcpedit_dlt_cleanup.h" 2 | /* This is the copy of /opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c */ 3 | #include 4 | #include 5 | #include 6 | 7 | /* Structure definition needed by the fuzz driver */ 8 | tOptDesc *const tcpedit_tcpedit_optDesc_p; 9 | 10 | void* AFG_alloc_list[13] = { NULL }; 11 | int AFG_alloc_cnt = 0; 12 | FILE* AFG_fopen_list[1] = { NULL }; 13 | int AFG_fopen_cnt = 0; 14 | 15 | int AFG_func(struct tcpeditdlt_s* ctx,unsigned short dlt_value) 16 | { 17 | tcpeditdlt_plugin_t *plugin; 18 | jnpr_ether_config_t *config; 19 | ((ctx) ? (void)(0) : __assert_fail("ctx", "/opt/disk/marsman/tcpreplay/4.2.6/build_normal/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c", 157, __PRETTY_FUNCTION__)); 20 | if((plugin = tcpedit_dlt_getplugin(ctx, dlt_value)) == ((void *)0)) 21 | return 0; 22 | if(plugin->config != ((void *)0)) 23 | { 24 | config = (jnpr_ether_config_t *)ctx->encoder->config; 25 | tcpedit_dlt_cleanup(config->subctx); 26 | plugin->config = ((void *)0); 27 | } 28 | } 29 | 30 | size_t minimum_size = sizeof(unsigned short)*1+sizeof(struct tcpeditdlt_s)*1+sizeof(struct tcpeditdlt_plugin_s)*3+sizeof(tcpedit_t)*1+sizeof(tcpedit_runtime_t)*1; 31 | 32 | #ifdef __cplusplus 33 | extern "C" 34 | #endif 35 | int LLVMFuzzerInitialize(int *argc, char ***argv) { 36 | printf("Minimum size is %ld\n", minimum_size); 37 | return 0; 38 | } 39 | #ifdef __cplusplus 40 | extern "C" 41 | #endif 42 | int LLVMFuzzerTestOneInput(const uint8_t *AFG_Data, size_t Size) { 43 | size_t AFG_offset = 0; 44 | if(Size <= minimum_size) { 45 | // printf("[Error]: Cannot pass size check %ld < %ld\n", Size, minimum_size); 46 | return -1; 47 | } 48 | size_t pt_size = (Size - minimum_size) / 12; 49 | if (pt_size < sizeof(char) ) { return -1; } 50 | struct tcpeditdlt_s * ctx; 51 | ctx = (struct tcpeditdlt_s*)malloc(sizeof(struct tcpeditdlt_s)); 52 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx; 53 | memcpy((void *)&ctx->l2len, AFG_Data+AFG_offset, sizeof(int)); 54 | AFG_offset+=sizeof(int); 55 | memcpy((void *)&ctx->skip_broadcast, AFG_Data+AFG_offset, sizeof(int)); 56 | AFG_offset+=sizeof(int); 57 | ctx->decoder = (struct tcpeditdlt_plugin_s*)malloc(sizeof(struct tcpeditdlt_plugin_s)); 58 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->decoder; 59 | ctx->decoder->name = (char *)malloc(pt_size+1); 60 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->decoder->name; 61 | memcpy((void *)ctx->decoder->name, AFG_Data+AFG_offset, pt_size); 62 | ctx->decoder->name[pt_size] = '\0'; 63 | AFG_offset+=pt_size; 64 | ctx->decoder->plugin_cleanup = dlt_jnpr_ether_cleanup; /* All candidates: ['dlt_jnpr_ether_cleanup'] */ 65 | ctx->decoder->plugin_init = dlt_jnpr_ether_init; /* All candidates: ['dlt_jnpr_ether_init'] */ 66 | ctx->decoder->plugin_parse_opts = dlt_jnpr_ether_parse_opts; /* All candidates: ['dlt_jnpr_ether_parse_opts'] */ 67 | ctx->decoder->plugin_post_init = dlt_jnpr_ether_post_init; /* All candidates: ['dlt_jnpr_ether_post_init'] */ 68 | ctx->decoder->plugin_decode = dlt_jnpr_ether_decode; /* All candidates: ['dlt_jnpr_ether_decode'] */ 69 | ctx->decoder->plugin_l2len = dlt_jnpr_ether_l2len; /* All candidates: ['dlt_jnpr_ether_l2len'] */ 70 | ctx->decoder->plugin_proto = dlt_jnpr_ether_proto; /* All candidates: ['dlt_jnpr_ether_proto'] */ 71 | ctx->decoder->plugin_encode = dlt_jnpr_ether_encode; /* All candidates: ['dlt_jnpr_ether_encode'] */ 72 | memcpy((void *)&ctx->decoder->provides, AFG_Data+AFG_offset, sizeof(int)); 73 | AFG_offset+=sizeof(int); 74 | memcpy((void *)&ctx->decoder->requires, AFG_Data+AFG_offset, sizeof(int)); 75 | AFG_offset+=sizeof(int); 76 | ctx->decoder->next = NULL; 77 | ctx->decoder->plugin_l2addr_type = dlt_jnpr_ether_l2addr_type; /* All candidates: ['dlt_jnpr_ether_l2addr_type'] */ 78 | ctx->decoder->plugin_get_mac = dlt_jnpr_ether_get_mac; /* All candidates: ['dlt_jnpr_ether_get_mac'] */ 79 | ctx->decoder->plugin_get_layer3 = dlt_jnpr_ether_get_layer3; /* All candidates: ['dlt_jnpr_ether_get_layer3'] */ 80 | ctx->decoder->plugin_merge_layer3 = dlt_jnpr_ether_merge_layer3; /* All candidates: ['dlt_jnpr_ether_merge_layer3'] */ 81 | memcpy((void *)&ctx->decoder->dlt, AFG_Data+AFG_offset, sizeof(unsigned short)); 82 | AFG_offset+=sizeof(unsigned short); 83 | ctx->decoder->config = (void *)malloc(pt_size); 84 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->decoder->config; 85 | memcpy((void *)ctx->decoder->config, AFG_Data+AFG_offset, pt_size); 86 | AFG_offset+=pt_size; 87 | ctx->encoder = (struct tcpeditdlt_plugin_s*)malloc(sizeof(struct tcpeditdlt_plugin_s)); 88 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->encoder; 89 | ctx->encoder->name = (char *)malloc(pt_size+1); 90 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->encoder->name; 91 | memcpy((void *)ctx->encoder->name, AFG_Data+AFG_offset, pt_size); 92 | ctx->encoder->name[pt_size] = '\0'; 93 | AFG_offset+=pt_size; 94 | ctx->encoder->plugin_cleanup = dlt_jnpr_ether_cleanup; /* All candidates: ['dlt_jnpr_ether_cleanup'] */ 95 | ctx->encoder->plugin_init = dlt_jnpr_ether_init; /* All candidates: ['dlt_jnpr_ether_init'] */ 96 | ctx->encoder->plugin_parse_opts = dlt_jnpr_ether_parse_opts; /* All candidates: ['dlt_jnpr_ether_parse_opts'] */ 97 | ctx->encoder->plugin_post_init = dlt_jnpr_ether_post_init; /* All candidates: ['dlt_jnpr_ether_post_init'] */ 98 | ctx->encoder->plugin_decode = dlt_jnpr_ether_decode; /* All candidates: ['dlt_jnpr_ether_decode'] */ 99 | ctx->encoder->plugin_l2len = dlt_jnpr_ether_l2len; /* All candidates: ['dlt_jnpr_ether_l2len'] */ 100 | ctx->encoder->plugin_proto = dlt_jnpr_ether_proto; /* All candidates: ['dlt_jnpr_ether_proto'] */ 101 | ctx->encoder->plugin_encode = dlt_jnpr_ether_encode; /* All candidates: ['dlt_jnpr_ether_encode'] */ 102 | memcpy((void *)&ctx->encoder->provides, AFG_Data+AFG_offset, sizeof(int)); 103 | AFG_offset+=sizeof(int); 104 | memcpy((void *)&ctx->encoder->requires, AFG_Data+AFG_offset, sizeof(int)); 105 | AFG_offset+=sizeof(int); 106 | ctx->encoder->next = NULL; 107 | ctx->encoder->plugin_l2addr_type = dlt_jnpr_ether_l2addr_type; /* All candidates: ['dlt_jnpr_ether_l2addr_type'] */ 108 | ctx->encoder->plugin_get_mac = dlt_jnpr_ether_get_mac; /* All candidates: ['dlt_jnpr_ether_get_mac'] */ 109 | ctx->encoder->plugin_get_layer3 = dlt_jnpr_ether_get_layer3; /* All candidates: ['dlt_jnpr_ether_get_layer3'] */ 110 | ctx->encoder->plugin_merge_layer3 = dlt_jnpr_ether_merge_layer3; /* All candidates: ['dlt_jnpr_ether_merge_layer3'] */ 111 | memcpy((void *)&ctx->encoder->dlt, AFG_Data+AFG_offset, sizeof(unsigned short)); 112 | AFG_offset+=sizeof(unsigned short); 113 | ctx->encoder->config = (struct jnpr_ether_config_s *)malloc(sizeof(struct jnpr_ether_config_s)); 114 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->encoder->config; 115 | // ctx->encoder->config->subctx = NULL; 116 | jnpr_ether_config_t *config; 117 | config = (jnpr_ether_config_t *)ctx->encoder->config; 118 | config->subctx = NULL; 119 | ctx->plugins = (struct tcpeditdlt_plugin_s*)malloc(sizeof(struct tcpeditdlt_plugin_s)); 120 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->plugins; 121 | ctx->plugins->name = (char *)malloc(pt_size+1); 122 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->plugins->name; 123 | memcpy((void *)ctx->plugins->name, AFG_Data+AFG_offset, pt_size); 124 | ctx->plugins->name[pt_size] = '\0'; 125 | AFG_offset+=pt_size; 126 | ctx->plugins->plugin_cleanup = dlt_jnpr_ether_cleanup; /* All candidates: ['dlt_jnpr_ether_cleanup'] */ 127 | ctx->plugins->plugin_init = dlt_jnpr_ether_init; /* All candidates: ['dlt_jnpr_ether_init'] */ 128 | ctx->plugins->plugin_parse_opts = dlt_jnpr_ether_parse_opts; /* All candidates: ['dlt_jnpr_ether_parse_opts'] */ 129 | ctx->plugins->plugin_post_init = dlt_jnpr_ether_post_init; /* All candidates: ['dlt_jnpr_ether_post_init'] */ 130 | ctx->plugins->plugin_decode = dlt_jnpr_ether_decode; /* All candidates: ['dlt_jnpr_ether_decode'] */ 131 | ctx->plugins->plugin_l2len = dlt_jnpr_ether_l2len; /* All candidates: ['dlt_jnpr_ether_l2len'] */ 132 | ctx->plugins->plugin_proto = dlt_jnpr_ether_proto; /* All candidates: ['dlt_jnpr_ether_proto'] */ 133 | ctx->plugins->plugin_encode = dlt_jnpr_ether_encode; /* All candidates: ['dlt_jnpr_ether_encode'] */ 134 | memcpy((void *)&ctx->plugins->provides, AFG_Data+AFG_offset, sizeof(int)); 135 | AFG_offset+=sizeof(int); 136 | memcpy((void *)&ctx->plugins->requires, AFG_Data+AFG_offset, sizeof(int)); 137 | AFG_offset+=sizeof(int); 138 | ctx->plugins->next = NULL; 139 | ctx->plugins->plugin_l2addr_type = dlt_jnpr_ether_l2addr_type; /* All candidates: ['dlt_jnpr_ether_l2addr_type'] */ 140 | ctx->plugins->plugin_get_mac = dlt_jnpr_ether_get_mac; /* All candidates: ['dlt_jnpr_ether_get_mac'] */ 141 | ctx->plugins->plugin_get_layer3 = dlt_jnpr_ether_get_layer3; /* All candidates: ['dlt_jnpr_ether_get_layer3'] */ 142 | ctx->plugins->plugin_merge_layer3 = dlt_jnpr_ether_merge_layer3; /* All candidates: ['dlt_jnpr_ether_merge_layer3'] */ 143 | memcpy((void *)&ctx->plugins->dlt, AFG_Data+AFG_offset, sizeof(unsigned short)); 144 | AFG_offset+=sizeof(unsigned short); 145 | ctx->plugins->config = (void *)malloc(pt_size); 146 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->plugins->config; 147 | memcpy((void *)ctx->plugins->config, AFG_Data+AFG_offset, pt_size); 148 | AFG_offset+=pt_size; 149 | ctx->tcpedit = (tcpedit_t*)malloc(sizeof(tcpedit_t)); 150 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->tcpedit; 151 | memcpy((void *)&ctx->tcpedit->efcs, AFG_Data+AFG_offset, sizeof(_Bool)); 152 | AFG_offset+=sizeof(_Bool); 153 | memcpy((void *)&ctx->tcpedit->fixcsum, AFG_Data+AFG_offset, sizeof(_Bool)); 154 | AFG_offset+=sizeof(_Bool); 155 | memcpy((void *)&ctx->tcpedit->mtu_truncate, AFG_Data+AFG_offset, sizeof(_Bool)); 156 | AFG_offset+=sizeof(_Bool); 157 | memcpy((void *)&ctx->tcpedit->rewrite_ip, AFG_Data+AFG_offset, sizeof(_Bool)); 158 | AFG_offset+=sizeof(_Bool); 159 | memcpy((void *)&ctx->tcpedit->skip_broadcast, AFG_Data+AFG_offset, sizeof(_Bool)); 160 | AFG_offset+=sizeof(_Bool); 161 | memcpy((void *)&ctx->tcpedit->validated, AFG_Data+AFG_offset, sizeof(_Bool)); 162 | AFG_offset+=sizeof(_Bool); 163 | memcpy((void *)&ctx->tcpedit->flowlabel, AFG_Data+AFG_offset, sizeof(int)); 164 | AFG_offset+=sizeof(int); 165 | memcpy((void *)&ctx->tcpedit->maxpacket, AFG_Data+AFG_offset, sizeof(int)); 166 | AFG_offset+=sizeof(int); 167 | memcpy((void *)&ctx->tcpedit->mtu, AFG_Data+AFG_offset, sizeof(int)); 168 | AFG_offset+=sizeof(int); 169 | memcpy((void *)&ctx->tcpedit->tclass, AFG_Data+AFG_offset, sizeof(int)); 170 | AFG_offset+=sizeof(int); 171 | memcpy((void *)&ctx->tcpedit->tos, AFG_Data+AFG_offset, sizeof(int)); 172 | AFG_offset+=sizeof(int); 173 | ctx->tcpedit->portmap = NULL; 174 | ctx->tcpedit->dlt_ctx = NULL; 175 | ctx->tcpedit->cidrmap1 = NULL; 176 | ctx->tcpedit->cidrmap2 = NULL; 177 | ctx->tcpedit->dstipmap = NULL; 178 | ctx->tcpedit->srcipmap = NULL; 179 | memcpy((void *)&ctx->tcpedit->editdir, AFG_Data+AFG_offset, sizeof(tcpedit_direction)); 180 | AFG_offset+=sizeof(tcpedit_direction); 181 | memcpy((void *)&ctx->tcpedit->fixlen, AFG_Data+AFG_offset, sizeof(tcpedit_fixlen)); 182 | AFG_offset+=sizeof(tcpedit_fixlen); 183 | ctx->tcpedit->packet = NULL; 184 | memcpy((void *)&ctx->tcpedit->runtime, AFG_Data+AFG_offset, sizeof(tcpedit_runtime_t)); 185 | AFG_offset+=sizeof(tcpedit_runtime_t); 186 | memcpy((void *)&ctx->tcpedit->ttl_mode, AFG_Data+AFG_offset, sizeof(tcpedit_ttl_mode)); 187 | AFG_offset+=sizeof(tcpedit_ttl_mode); 188 | memcpy((void *)&ctx->tcpedit->ttl_value, AFG_Data+AFG_offset, sizeof(unsigned char)); 189 | AFG_offset+=sizeof(unsigned char); 190 | memcpy((void *)&ctx->tcpedit->fuzz_factor, AFG_Data+AFG_offset, sizeof(unsigned int)); 191 | AFG_offset+=sizeof(unsigned int); 192 | memcpy((void *)&ctx->tcpedit->fuzz_seed, AFG_Data+AFG_offset, sizeof(unsigned int)); 193 | AFG_offset+=sizeof(unsigned int); 194 | memcpy((void *)&ctx->tcpedit->seed, AFG_Data+AFG_offset, sizeof(unsigned int)); 195 | AFG_offset+=sizeof(unsigned int); 196 | memcpy((void *)&ctx->addr_type, AFG_Data+AFG_offset, sizeof(tcpeditdlt_l2addr_type_t)); 197 | AFG_offset+=sizeof(tcpeditdlt_l2addr_type_t); 198 | memcpy((void *)&ctx->dstaddr, AFG_Data+AFG_offset, sizeof(tcpeditdlt_l2address_t)); 199 | AFG_offset+=sizeof(tcpeditdlt_l2address_t); 200 | memcpy((void *)&ctx->srcaddr, AFG_Data+AFG_offset, sizeof(tcpeditdlt_l2address_t)); 201 | AFG_offset+=sizeof(tcpeditdlt_l2address_t); 202 | memcpy((void *)&ctx->dstmac, AFG_Data+AFG_offset, sizeof(unsigned char)*10); 203 | AFG_offset+=sizeof(unsigned char)*10; 204 | memcpy((void *)&ctx->srcmac, AFG_Data+AFG_offset, sizeof(unsigned char)*10); 205 | AFG_offset+=sizeof(unsigned char)*10; 206 | memcpy((void *)&ctx->dlt, AFG_Data+AFG_offset, sizeof(unsigned short)); 207 | AFG_offset+=sizeof(unsigned short); 208 | memcpy((void *)&ctx->proto, AFG_Data+AFG_offset, sizeof(unsigned short)); 209 | AFG_offset+=sizeof(unsigned short); 210 | ctx->decoded_extra = (void *)malloc(pt_size); 211 | AFG_alloc_list[AFG_alloc_cnt++] = (void*) ctx->decoded_extra; 212 | memcpy((void *)ctx->decoded_extra, AFG_Data+AFG_offset, pt_size); 213 | AFG_offset+=pt_size; 214 | unsigned short dlt_value; 215 | memcpy((void *)&dlt_value, AFG_Data+AFG_offset, sizeof(unsigned short)); 216 | AFG_offset+=sizeof(unsigned short); 217 | 218 | AFG_func(ctx, dlt_value); 219 | 220 | AFG_fail: 221 | for(int AFG_free_i = 0; AFG_free_i < AFG_alloc_cnt; AFG_free_i++) 222 | free(AFG_alloc_list[AFG_free_i]); 223 | for(int AFG_free_i = 0; AFG_free_i < AFG_fopen_cnt; AFG_free_i++) 224 | fclose(AFG_fopen_list[AFG_free_i]); 225 | AFG_alloc_cnt = 0; 226 | AFG_fopen_cnt = 0; 227 | 228 | return 0; 229 | } 230 | --------------------------------------------------------------------------------