├── testcases ├── tests │ ├── small.txt │ ├── bigalloc.txt │ ├── crash.txt │ ├── crash_gs.txt │ ├── hang.txt │ ├── normal.txt │ ├── exception.txt │ └── big.txt ├── others │ ├── text │ │ └── hello_world.txt │ ├── js │ │ └── small_script.js │ ├── xml │ │ └── small_document.xml │ ├── rtf │ │ └── small_document.rtf │ ├── elf │ │ └── small_exec.elf │ ├── sql │ │ └── simple_queries.sql │ ├── pcap │ │ └── small_capture.pcap │ └── pdf │ │ └── small.pdf ├── images │ ├── bmp │ │ └── not_kitty.bmp │ ├── gif │ │ └── not_kitty.gif │ ├── ico │ │ └── not_kitty.ico │ ├── jp2 │ │ └── not_kitty.jp2 │ ├── jxr │ │ └── not_kitty.jxr │ ├── png │ │ ├── not_kitty.png │ │ ├── not_kitty_icc.png │ │ ├── not_kitty_alpha.png │ │ └── not_kitty_gamma.png │ ├── jpeg │ │ └── not_kitty.jpg │ ├── tiff │ │ └── not_kitty.tiff │ └── webp │ │ └── not_kitty.webp ├── multimedia │ └── h264 │ │ └── small_movie.mp4 ├── archives │ ├── common │ │ ├── cab │ │ │ └── small_archive.cab │ │ ├── gzip │ │ │ └── small_archive.gz │ │ ├── lzo │ │ │ └── small_archive.lzo │ │ ├── rar │ │ │ └── small_archive.rar │ │ ├── xz │ │ │ └── small_archive.xz │ │ ├── zip │ │ │ └── small_archive.zip │ │ ├── bzip2 │ │ │ └── small_archive.bz2 │ │ ├── cpio │ │ │ └── small_archive.cpio │ │ ├── compress │ │ │ └── small_archive.Z │ │ ├── ar │ │ │ └── small_archive.a │ │ └── tar │ │ │ └── small_archive.tar │ └── exotic │ │ ├── arj │ │ └── small_archive.arj │ │ ├── lha │ │ └── small_archive.lha │ │ ├── lzip │ │ └── small_archive.lz │ │ ├── rzip │ │ └── small_archive.rz │ │ ├── zoo │ │ └── small_archive.zoo │ │ ├── lrzip │ │ └── small_archive.lrz │ │ └── lzma │ │ └── small_archive.lzma ├── _extras │ ├── gif.dict │ ├── webp.dict │ ├── jpeg.dict │ ├── png.dict │ ├── tiff.dict │ ├── xml.dict │ ├── js.dict │ ├── html_tags.dict │ └── sql.dict └── README.testcases ├── afl_docs ├── vuln_samples │ ├── bash-cmd-exec.var │ ├── sqlite-null-ptr4.sql │ ├── sqlite-null-ptr3.sql │ ├── sqlite-null-ptr5.sql │ ├── bash-uninit-mem.var │ ├── 
sqlite-null-ptr10.sql │ ├── sqlite-null-ptr11.sql │ ├── sqlite-null-ptr2.sql │ ├── sqlite-null-ptr7.sql │ ├── sqlite-bad-ptr.sql │ ├── sqlite-null-ptr1.sql │ ├── sqlite-null-ptr8.sql │ ├── sqlite-stack-exhaustion.sql │ ├── sqlite-null-ptr12.sql │ ├── sqlite-null-ptr13.sql │ ├── sqlite-unint-mem.sql │ ├── libxml2-bad-read.xml │ ├── jxrlib-crash.jxr │ ├── jxrlib-crash2.jxr │ ├── jxrlib-crash3.jxr │ ├── jxrlib-crash4.jxr │ ├── msie-dht-leak.jpg │ ├── msie-zlib-dos.png │ ├── sqlite-bad-free.sql │ ├── sqlite-null-ptr9.sql │ ├── firefox-bmp-leak.bmp │ ├── firefox-gif-leak.gif │ ├── libjpeg-sos-leak.jpg │ ├── openssl-null-ptr.der │ ├── sqlite-null-ptr6.sql │ ├── sqlite-oob-read.sql │ ├── file-fpu-exception.elf │ ├── firefox-gif-leak2.gif │ ├── libtiff-bad-write.tif │ ├── libtiff-uninit-mem.tif │ ├── msie-jxr-mem-leak.jxr │ ├── msie-png-mem-leak.png │ ├── msie-tiff-mem-leak.tif │ ├── openssl-null-ptr2.der │ ├── photoshop-mem-leak.jpg │ ├── strings-bfd-badptr.elf │ ├── strings-stack-overflow │ ├── tcpdump-arp-crash.pcap │ ├── tcpdump-ppp-crash.pcap │ ├── ffmpeg-h264-bad-read.mp4 │ ├── firefox-chrome-leak.jpg │ ├── libtiff-uninit-mem2.tif │ ├── libtiff-uninit-mem3.tif │ ├── libtiff-uninit-mem4.tif │ ├── strings-bfd-badptr2.elf │ ├── strings-unchecked-ctr.elf │ ├── unrtf-arbitrary-read.rtf │ ├── libjpeg-turbo-dht-leak.jpg │ ├── unzip-t-mem-corruption.zip │ ├── ffmpeg-h264-bad-ptr-800m.mp4 │ ├── lesspipe-cpio-bad-write.cpio │ ├── sqlite-bad-ptr2.sql │ ├── ffmpeg-h264-call-stack-overflow.mp4 │ ├── sqlite-stack-buf-overflow.sql │ ├── sqlite-null-ptr15.sql │ ├── sqlite-bad-ptr3.sql │ ├── sqlite-heap-overflow.sql │ ├── sqlite-use-after-free.sql │ ├── sqlite-oob-write.sql │ ├── sqlite-null-ptr14.sql │ ├── sqlite-negative-memset.sql │ └── sqlite-heap-overwrite.sql ├── visualization │ └── afl_gzip.png ├── QuickStartGuide.txt ├── notes_for_asan.txt ├── INSTALL ├── sister_projects.txt ├── historical_notes.txt ├── perf_tips.txt ├── parallel_fuzzing.txt ├── env_variables.txt └── COPYING 
├── bin32 ├── test.exe ├── test.ilk ├── test.pdb ├── winafl.dll ├── winafl.exp ├── winafl.lib ├── afl-fuzz.exe ├── afl-tmin.exe ├── afl-showmap.exe ├── instrument.exe ├── test_gdiplus.exe ├── test_gdiplus.ilk ├── test_gdiplus.pdb ├── test_static.exe └── test_static.pdb ├── bin64 ├── test.exe ├── test.ilk ├── test.pdb ├── winafl.dll ├── winafl.exp ├── winafl.lib ├── afl-fuzz.exe ├── afl-tmin.exe ├── afl-showmap.exe ├── test_gdiplus.exe ├── test_gdiplus.ilk └── test_gdiplus.pdb ├── screenshots ├── afl-fuzz.gif ├── afl-instr.png └── winafl-cmin.py.png ├── CONTRIBUTING.md ├── afl-staticinstr.h ├── CMakeLists.txt ├── gdiplus.cpp ├── types.h ├── hash.h ├── test.cpp ├── utils.h ├── modules.h ├── test_static.cpp ├── ChangeLog ├── winafl-whatsup.py ├── debug.h ├── modules.c ├── LICENSE └── config.h /testcases/tests/small.txt: -------------------------------------------------------------------------------- 1 | 0 -------------------------------------------------------------------------------- /testcases/tests/bigalloc.txt: -------------------------------------------------------------------------------- 1 | test6 -------------------------------------------------------------------------------- /testcases/tests/crash.txt: -------------------------------------------------------------------------------- 1 | test1 -------------------------------------------------------------------------------- /testcases/tests/crash_gs.txt: -------------------------------------------------------------------------------- 1 | test2 -------------------------------------------------------------------------------- /testcases/tests/hang.txt: -------------------------------------------------------------------------------- 1 | test3 -------------------------------------------------------------------------------- /testcases/tests/normal.txt: -------------------------------------------------------------------------------- 1 | abcdefgh 
-------------------------------------------------------------------------------- /testcases/tests/exception.txt: -------------------------------------------------------------------------------- 1 | test4 2 | -------------------------------------------------------------------------------- /testcases/others/text/hello_world.txt: -------------------------------------------------------------------------------- 1 | hello 2 | -------------------------------------------------------------------------------- /testcases/others/js/small_script.js: -------------------------------------------------------------------------------- 1 | if (1==1) eval('1'); -------------------------------------------------------------------------------- /testcases/others/xml/small_document.xml: -------------------------------------------------------------------------------- 1 | d 2 | -------------------------------------------------------------------------------- /testcases/others/rtf/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\pard Test\par} -------------------------------------------------------------------------------- /afl_docs/vuln_samples/bash-cmd-exec.var: -------------------------------------------------------------------------------- 1 | () { _; } >_[$($())] { id; } -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-null-ptr4.sql: -------------------------------------------------------------------------------- 1 | select n()AND+#00; 2 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-null-ptr3.sql: -------------------------------------------------------------------------------- 1 | select(select strftime()); 2 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-null-ptr5.sql: 
-------------------------------------------------------------------------------- 1 | select e.*,0 from(s,(L))e; 2 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/bash-uninit-mem.var: -------------------------------------------------------------------------------- 1 | () { x() { _; }; x() { _; } <O));insert into t0 2 | select randomblob(0)-trim(0); 3 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-null-ptr9.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE t0(z);WITH d(x)AS(SELECT*UNION SELECT 0)INSERT INTO t0 SELECT 0 FROM d; 2 | -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_icc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/images/png/not_kitty_icc.png -------------------------------------------------------------------------------- /afl_docs/vuln_samples/firefox-bmp-leak.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/firefox-bmp-leak.bmp -------------------------------------------------------------------------------- /afl_docs/vuln_samples/firefox-gif-leak.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/firefox-gif-leak.gif -------------------------------------------------------------------------------- /afl_docs/vuln_samples/libjpeg-sos-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/libjpeg-sos-leak.jpg 
-------------------------------------------------------------------------------- /afl_docs/vuln_samples/openssl-null-ptr.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/openssl-null-ptr.der -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-null-ptr6.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/sqlite-null-ptr6.sql -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-oob-read.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/sqlite-oob-read.sql -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_alpha.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/images/png/not_kitty_alpha.png -------------------------------------------------------------------------------- /testcases/images/png/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/images/png/not_kitty_gamma.png -------------------------------------------------------------------------------- /testcases/multimedia/h264/small_movie.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/multimedia/h264/small_movie.mp4 -------------------------------------------------------------------------------- /testcases/others/pcap/small_capture.pcap: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/others/pcap/small_capture.pcap -------------------------------------------------------------------------------- /afl_docs/vuln_samples/file-fpu-exception.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/file-fpu-exception.elf -------------------------------------------------------------------------------- /afl_docs/vuln_samples/firefox-gif-leak2.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/firefox-gif-leak2.gif -------------------------------------------------------------------------------- /afl_docs/vuln_samples/libtiff-bad-write.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/libtiff-bad-write.tif -------------------------------------------------------------------------------- /afl_docs/vuln_samples/libtiff-uninit-mem.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/libtiff-uninit-mem.tif -------------------------------------------------------------------------------- /afl_docs/vuln_samples/msie-jxr-mem-leak.jxr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/msie-jxr-mem-leak.jxr -------------------------------------------------------------------------------- /afl_docs/vuln_samples/msie-png-mem-leak.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/msie-png-mem-leak.png -------------------------------------------------------------------------------- /afl_docs/vuln_samples/msie-tiff-mem-leak.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/msie-tiff-mem-leak.tif -------------------------------------------------------------------------------- /afl_docs/vuln_samples/openssl-null-ptr2.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/openssl-null-ptr2.der -------------------------------------------------------------------------------- /afl_docs/vuln_samples/photoshop-mem-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/photoshop-mem-leak.jpg -------------------------------------------------------------------------------- /afl_docs/vuln_samples/strings-bfd-badptr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/strings-bfd-badptr.elf -------------------------------------------------------------------------------- /afl_docs/vuln_samples/strings-stack-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/strings-stack-overflow -------------------------------------------------------------------------------- /afl_docs/vuln_samples/tcpdump-arp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/tcpdump-arp-crash.pcap 
-------------------------------------------------------------------------------- /afl_docs/vuln_samples/tcpdump-ppp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/tcpdump-ppp-crash.pcap -------------------------------------------------------------------------------- /afl_docs/vuln_samples/ffmpeg-h264-bad-read.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/ffmpeg-h264-bad-read.mp4 -------------------------------------------------------------------------------- /afl_docs/vuln_samples/firefox-chrome-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/firefox-chrome-leak.jpg -------------------------------------------------------------------------------- /afl_docs/vuln_samples/libtiff-uninit-mem2.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/libtiff-uninit-mem2.tif -------------------------------------------------------------------------------- /afl_docs/vuln_samples/libtiff-uninit-mem3.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/libtiff-uninit-mem3.tif -------------------------------------------------------------------------------- /afl_docs/vuln_samples/libtiff-uninit-mem4.tif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/libtiff-uninit-mem4.tif -------------------------------------------------------------------------------- 
/afl_docs/vuln_samples/strings-bfd-badptr2.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/strings-bfd-badptr2.elf -------------------------------------------------------------------------------- /afl_docs/vuln_samples/strings-unchecked-ctr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/strings-unchecked-ctr.elf -------------------------------------------------------------------------------- /afl_docs/vuln_samples/unrtf-arbitrary-read.rtf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/unrtf-arbitrary-read.rtf -------------------------------------------------------------------------------- /testcases/archives/common/cab/small_archive.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/cab/small_archive.cab -------------------------------------------------------------------------------- /testcases/archives/common/gzip/small_archive.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/gzip/small_archive.gz -------------------------------------------------------------------------------- /testcases/archives/common/lzo/small_archive.lzo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/lzo/small_archive.lzo -------------------------------------------------------------------------------- /testcases/archives/common/rar/small_archive.rar: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/rar/small_archive.rar -------------------------------------------------------------------------------- /testcases/archives/common/xz/small_archive.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/xz/small_archive.xz -------------------------------------------------------------------------------- /testcases/archives/common/zip/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/zip/small_archive.zip -------------------------------------------------------------------------------- /testcases/archives/exotic/arj/small_archive.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/exotic/arj/small_archive.arj -------------------------------------------------------------------------------- /testcases/archives/exotic/lha/small_archive.lha: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/exotic/lha/small_archive.lha -------------------------------------------------------------------------------- /testcases/archives/exotic/lzip/small_archive.lz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/exotic/lzip/small_archive.lz -------------------------------------------------------------------------------- /testcases/archives/exotic/rzip/small_archive.rz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/exotic/rzip/small_archive.rz -------------------------------------------------------------------------------- /testcases/archives/exotic/zoo/small_archive.zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/exotic/zoo/small_archive.zoo -------------------------------------------------------------------------------- /afl_docs/vuln_samples/libjpeg-turbo-dht-leak.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/libjpeg-turbo-dht-leak.jpg -------------------------------------------------------------------------------- /afl_docs/vuln_samples/unzip-t-mem-corruption.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/unzip-t-mem-corruption.zip -------------------------------------------------------------------------------- /testcases/archives/common/bzip2/small_archive.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/bzip2/small_archive.bz2 -------------------------------------------------------------------------------- /testcases/archives/common/cpio/small_archive.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/cpio/small_archive.cpio -------------------------------------------------------------------------------- /testcases/archives/exotic/lrzip/small_archive.lrz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/exotic/lrzip/small_archive.lrz -------------------------------------------------------------------------------- /testcases/archives/exotic/lzma/small_archive.lzma: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/exotic/lzma/small_archive.lzma -------------------------------------------------------------------------------- /afl_docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4 -------------------------------------------------------------------------------- /afl_docs/vuln_samples/lesspipe-cpio-bad-write.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/lesspipe-cpio-bad-write.cpio -------------------------------------------------------------------------------- /testcases/archives/common/compress/small_archive.Z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/testcases/archives/common/compress/small_archive.Z -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-bad-ptr2.sql: -------------------------------------------------------------------------------- 1 | PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0); 2 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mboehme/winaflfast/HEAD/afl_docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4 -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-stack-buf-overflow.sql: -------------------------------------------------------------------------------- 1 | SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">""; 2 | -------------------------------------------------------------------------------- /testcases/others/pdf/small.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.0 2 | 1 0 obj<>endobj 2 0 obj<>endobj 3 0 obj<>endobj trailer<> -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-null-ptr15.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check'); 2 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-bad-ptr3.sql: -------------------------------------------------------------------------------- 1 | create table t(l);PRAGMA writable_schema=ON; 2 | UPDATE sqlite_master SET sql='0 0000000000000000000000000000000000000000000000000000000000000000000000000000000[%S';PRAGMA t;SAVEPOINT x;ROLLBACK;VACUUM; 3 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-heap-overflow.sql: -------------------------------------------------------------------------------- 1 | DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0 2 | select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x; 3 | 
-------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-use-after-free.sql: -------------------------------------------------------------------------------- 1 | create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-oob-write.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC); 2 | INSERT INTO t0(docid,x)VALUES(-1E0,'0(o'); 3 | INSERT INTO t0 VALUES(''); 4 | INSERT INTO t0 VALUES(''); 5 | INSeRT INTO t0 VALUES('o'); 6 | SELECT docid FROM t0 WHERE t0 MATCH'"0*o"'; 7 | -------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-null-ptr14.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /testcases/archives/common/ar/small_archive.a: -------------------------------------------------------------------------------- 1 | ! 2 | limerick/ 1415337776 500 500 100640 191 ` 3 | There was a young man from Japan 4 | Whose limericks never would scan. 5 | When asked why that was, 6 | He replied "It's because 7 | I always try to cram as many words into the last line as I possibly can." 
8 | 9 | -------------------------------------------------------------------------------- /testcases/_extras/gif.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for GIF images 3 | # ----------------------------- 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_87a="87a" 9 | header_89a="89a" 10 | header_gif="GIF" 11 | 12 | marker_2c="," 13 | marker_3b=";" 14 | 15 | section_2101="!\x01\x12" 16 | section_21f9="!\xf9\x04" 17 | section_21fe="!\xfe" 18 | section_21ff="!\xff\x11" 19 | -------------------------------------------------------------------------------- /testcases/_extras/webp.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for WebP images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_RIFF="RIFF" 9 | header_WEBP="WEBP" 10 | 11 | section_ALPH="ALPH" 12 | section_ANIM="ANIM" 13 | section_ANMF="ANMF" 14 | section_EXIF="EXIF" 15 | section_FRGM="FRGM" 16 | section_ICCP="ICCP" 17 | section_VP8="VP8 " 18 | section_VP8L="VP8L" 19 | section_VP8X="VP8X" 20 | section_XMP="XMP " 21 | -------------------------------------------------------------------------------- /testcases/tests/big.txt: -------------------------------------------------------------------------------- 1 | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
-------------------------------------------------------------------------------- /afl_docs/vuln_samples/sqlite-negative-memset.sql: -------------------------------------------------------------------------------- 1 | SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); 2 | -------------------------------------------------------------------------------- /testcases/_extras/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /testcases/_extras/png.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for PNG images 3 | # ----------------------------- 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 
7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_png="\x89PNG\x0d\x0a\x1a\x0a" 12 | 13 | section_IDAT="IDAT" 14 | section_IEND="IEND" 15 | section_IHDR="IHDR" 16 | section_PLTE="PLTE" 17 | section_bKGD="bKGD" 18 | section_cHRM="cHRM" 19 | section_fRAc="fRAc" 20 | section_gAMA="gAMA" 21 | section_gIFg="gIFg" 22 | section_gIFt="gIFt" 23 | section_gIFx="gIFx" 24 | section_hIST="hIST" 25 | section_iCCP="iCCP" 26 | section_iTXt="iTXt" 27 | section_oFFs="oFFs" 28 | section_pCAL="pCAL" 29 | section_pHYs="pHYs" 30 | section_sBIT="sBIT" 31 | section_sCAL="sCAL" 32 | section_sPLT="sPLT" 33 | section_sRGB="sRGB" 34 | section_sTER="sTER" 35 | section_tEXt="tEXt" 36 | section_tIME="tIME" 37 | section_tRNS="tRNS" 38 | section_zTXt="zTXt" 39 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to contribute 2 | 3 | We'd love to accept your patches and contributions to this project. There are 4 | just a few small guidelines you need to follow. 5 | 6 | ## Contributor License Agreement 7 | 8 | Contributions to any Google project must be accompanied by a Contributor License 9 | Agreement. This is necessary because you own the copyright to your changes, even 10 | after your contribution becomes part of this project. So this agreement simply 11 | gives us permission to use and redistribute your contributions as part of the 12 | project. Head over to to see your current 13 | agreements on file or to sign a new one. 14 | 15 | You generally only need to submit a CLA once, so if you've already submitted one 16 | (even if it was for a different project), you probably don't need to do it 17 | again. 18 | 19 | ## Code reviews 20 | 21 | All submissions, including submissions by project members, require review. We 22 | use GitHub pull requests for this purpose. Consult [GitHub Help] for more 23 | information on using pull requests. 
24 | 25 | [GitHub Help]: https://help.github.com/articles/about-pull-requests/ 26 | -------------------------------------------------------------------------------- /testcases/_extras/tiff.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for TIFF images 3 | # ------------------------------ 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_ii="II*\x00" 12 | header_mm="MM\x00*" 13 | 14 | section_100="\x00\x01" 15 | section_101="\x01\x01" 16 | section_102="\x02\x01" 17 | section_103="\x03\x01" 18 | section_106="\x06\x01" 19 | section_107="\x07\x01" 20 | section_10D="\x0d\x01" 21 | section_10E="\x0e\x01" 22 | section_10F="\x0f\x01" 23 | section_110="\x10\x01" 24 | section_111="\x11\x01" 25 | section_112="\x12\x01" 26 | section_115="\x15\x01" 27 | section_116="\x16\x01" 28 | section_117="\x17\x01" 29 | section_11A="\x1a\x01" 30 | section_11B="\x1b\x01" 31 | section_11C="\x1c\x01" 32 | section_11D="\x1d\x01" 33 | section_11E="\x1e\x01" 34 | section_11F="\x1f\x01" 35 | section_122="\"\x01" 36 | section_123="#\x01" 37 | section_124="$\x01" 38 | section_125="%\x01" 39 | section_128="(\x01" 40 | section_129=")\x01" 41 | section_12D="-\x01" 42 | section_131="1\x01" 43 | section_132="2\x01" 44 | section_13B=";\x01" 45 | section_13C="<\x01" 46 | section_13D="=\x01" 47 | section_13E=">\x01" 48 | section_13F="?\x01" 49 | section_140="@\x01" 50 | section_FE="\xfe\x00" 51 | section_FF="\xff\x00" 52 | -------------------------------------------------------------------------------- /afl-staticinstr.h: -------------------------------------------------------------------------------- 1 | /* 2 | WinAFL persistent loop implementation for statically instrumented target 3 | ----------------------------------------------------------------------- 4 | 5 | Written by Axel "0vercl0k" Souchet <0vercl0k@tuxfamily.org> 6 | 
7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at: 10 | 11 | http://www.apache.org/licenses/LICENSE-2.0 12 | 13 | This header is the glue you need to make afl-fuzz and your statically 14 | instrumented target play nice together. 15 | 16 | The entry-point __afl_persistent_loop is meant to be called at the start of the harness, 17 | in a loop like below. The function will set up everything needed to communicate 18 | and synchronize with afl-fuzz - if it is present (named pipe, shm, etc). 19 | 20 | while(__afl_persistent_loop()) { 21 | // init state 22 | // exercise target 23 | // clear state 24 | } 25 | 26 | If afl-fuzz isn't detected, then the function will simply return TRUE the first 27 | time so that the body gets executed once. 28 | */ 29 | #pragma once 30 | #include 31 | #include 32 | #include 33 | 34 | #if defined(_M_X64) || defined(__amd64__) 35 | #error Static instrumentation is only available for 32 bit binaries 36 | #endif 37 | 38 | // 39 | // Enable the variable behavior debugging mode. 40 | // 41 | 42 | // #define AFL_STATIC_VARIABLE_BEHAVIOR_DEBUG 43 | 44 | #ifdef __cplusplus 45 | extern "C" { 46 | #endif 47 | 48 | BOOL __afl_persistent_loop(); 49 | 50 | #ifdef __cplusplus 51 | } 52 | #endif 53 | -------------------------------------------------------------------------------- /testcases/_extras/xml.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for XML 3 | # ---------------------- 4 | # 5 | # Several basic syntax elements and attributes, modeled on libxml2. 
6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | attr_encoding=" encoding=\"1\"" 11 | attr_generic=" a=\"1\"" 12 | attr_href=" href=\"1\"" 13 | attr_standalone=" standalone=\"no\"" 14 | attr_version=" version=\"1\"" 15 | attr_xml_base=" xml:base=\"1\"" 16 | attr_xml_id=" xml:id=\"1\"" 17 | attr_xml_lang=" xml:lang=\"1\"" 18 | attr_xml_space=" xml:space=\"1\"" 19 | attr_xmlns=" xmlns=\"1\"" 20 | 21 | entity_builtin="<" 22 | entity_decimal="" 23 | entity_external="&a;" 24 | entity_hex="" 25 | 26 | string_any="ANY" 27 | string_brackets="[]" 28 | string_cdata="CDATA" 29 | string_col_fallback=":fallback" 30 | string_col_generic=":a" 31 | string_col_include=":include" 32 | string_dashes="--" 33 | string_empty="EMPTY" 34 | string_empty_dblquotes="\"\"" 35 | string_empty_quotes="''" 36 | string_entities="ENTITIES" 37 | string_entity="ENTITY" 38 | string_fixed="#FIXED" 39 | string_id="ID" 40 | string_idref="IDREF" 41 | string_idrefs="IDREFS" 42 | string_implied="#IMPLIED" 43 | string_nmtoken="NMTOKEN" 44 | string_nmtokens="NMTOKENS" 45 | string_notation="NOTATION" 46 | string_parentheses="()" 47 | string_pcdata="#PCDATA" 48 | string_percent="%a" 49 | string_public="PUBLIC" 50 | string_required="#REQUIRED" 51 | string_schema=":schema" 52 | string_system="SYSTEM" 53 | string_ucs4="UCS-4" 54 | string_utf16="UTF-16" 55 | string_utf8="UTF-8" 56 | string_xmlns="xmlns:" 57 | 58 | tag_attlist="" 61 | tag_doctype="" 68 | tag_open_close="" 69 | tag_open_exclamation="" 72 | tag_xml_q="" 73 | -------------------------------------------------------------------------------- /CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 2.6) 2 | 3 | if (${USE_COLOR}) 4 | add_definitions(-DUSE_COLOR) 5 | endif() 6 | 7 | project(test) 8 | 9 | add_executable(test 10 | test.cpp 11 | ) 12 | 13 | if(NOT "${CMAKE_GENERATOR}" MATCHES "(Win64)") 14 | 15 | project(test_static) 16 | 17 | add_executable(test_static 18 | 
test_static.cpp 19 | afl-staticinstr.c 20 | ) 21 | 22 | target_link_libraries(test_static "psapi.lib") 23 | 24 | set_target_properties(test_static PROPERTIES COMPILE_FLAGS "/EHsc") 25 | set_target_properties(test_static PROPERTIES LINK_FLAGS "/PROFILE") 26 | 27 | endif() 28 | 29 | project(test_gdiplus) 30 | 31 | add_executable(test_gdiplus 32 | gdiplus.cpp 33 | ) 34 | 35 | target_link_libraries(test_gdiplus gdiplus) 36 | 37 | project(afl-showmap) 38 | 39 | add_executable(afl-showmap 40 | afl-showmap.c 41 | ) 42 | 43 | project(afl-fuzz) 44 | 45 | add_executable(afl-fuzz 46 | afl-fuzz.c 47 | ) 48 | 49 | project(afl-tmin) 50 | 51 | add_executable(afl-tmin 52 | afl-tmin.c 53 | ) 54 | 55 | 56 | project(WinAFL) 57 | 58 | set(DynamoRIO_LOG_COMPATIBILITY on) 59 | 60 | find_package(DynamoRIO) 61 | if (NOT DynamoRIO_FOUND) 62 | message(FATAL_ERROR "DynamoRIO package required to build") 63 | endif(NOT DynamoRIO_FOUND) 64 | 65 | if (STATIC_LIBRARY) 66 | set(libtype STATIC) 67 | else() 68 | set(libtype SHARED) 69 | endif () 70 | 71 | add_library(winafl ${libtype} 72 | winafl.c 73 | modules.c 74 | ) 75 | configure_DynamoRIO_client(winafl) 76 | use_DynamoRIO_extension(winafl drmgr) 77 | use_DynamoRIO_extension(winafl drx) 78 | use_DynamoRIO_extension(winafl drcontainers) 79 | use_DynamoRIO_extension(winafl drreg) 80 | use_DynamoRIO_extension(winafl drwrap) 81 | use_DynamoRIO_extension(winafl drsyms) 82 | 83 | # VS2015 Fix 84 | if (NOT (MSVC_VERSION LESS 1900)) 85 | target_link_libraries(winafl "libucrt.lib") 86 | target_link_libraries(winafl "libvcruntime.lib") 87 | endif() 88 | 89 | -------------------------------------------------------------------------------- /gdiplus.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | WinAFL - GDI+ test binary (image parsing) 3 | ----------------------------------------- 4 | 5 | Written and maintained by Ivan Fratric 6 | 7 | Copyright 2016 Google Inc. All Rights Reserved. 
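8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | Unless required by applicable law or agreed to in writing, software 16 | distributed under the License is distributed on an "AS IS" BASIS, 17 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 | See the License for the specific language governing permissions and 19 | limitations under the License. 20 | 21 | */ 22 |

#include
#include
#include

using namespace Gdiplus;

/*
   Converts the NUL-terminated multibyte string `text` into a newly allocated
   wide-character string.

   The caller owns the returned buffer and must release it with delete[].

   mbstowcs() returns (size_t)-1 when it meets an invalid multibyte sequence
   and leaves the output in an unspecified state; in that case an empty
   string is returned so the caller never reads an unterminated buffer.
*/
wchar_t* charToWChar(const char* text)
{
  size_t size = strlen(text) + 1;
  wchar_t* wa = new wchar_t[size];

  if(mbstowcs(wa, text, size) == (size_t)-1) {
    wa[0] = L'\0';
  }

  // The wide form never needs more elements than the byte form, so the last
  // slot is always free for a terminator.
  wa[size - 1] = L'\0';

  return wa;
}

/*
   Fuzzing target: starts GDI+, asks it to load the image file named by
   argv[1], then releases everything it created. Always returns 0.

   The wide-character path is freed explicitly. Without that, every call
   leaks one buffer, which adds up when this function is invoked repeatedly
   inside one process (NOTE(review): presumably how the fuzzer drives this
   binary in persistent mode - confirm).
*/
int main(int argc, char** argv)
{
  if(argc < 2) {
    printf("Usage: %s \n", argv[0]);
    return 0;
  }

  GdiplusStartupInput gdiplusStartupInput;
  ULONG_PTR gdiplusToken;

  // Nothing below is meaningful if GDI+ failed to initialise, and the token
  // must not be passed to GdiplusShutdown() in that case.
  if(GdiplusStartup(&gdiplusToken, &gdiplusStartupInput, NULL) != Ok) {
    printf("GdiplusStartup failed\n");
    return 0;
  }

  Image *image = NULL, *thumbnail = NULL;
  wchar_t *path = charToWChar(argv[1]);

  image = new Image(path);
  if(image && (Ok == image->GetLastStatus())) {
    //printf("Image loaded\n");
    /*thumbnail = image->GetThumbnailImage(100, 100, NULL, NULL);
    if(thumbnail && (Ok == thumbnail->GetLastStatus())) {
      //printf("Thumbnail created\n");
    }*/
  }

  //printf("Done\n");

  // delete on a null pointer is a no-op, so no guards are needed.
  delete image;
  delete thumbnail;

  // Released only after the Image is gone, so the path outlives every
  // object that was constructed from it.
  delete[] path;

  GdiplusShutdown(gdiplusToken);

  return 0;
}

-------------------------------------------------------------------------------- /testcases/archives/common/tar/small_archive.tar: -------------------------------------------------------------------------------- 1 | limerick 0000640 0000764 0000764 00000000277 12427053460 012465 0 ustar lcamtuf lcamtuf There was a young man from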
Japan 2 | Whose limericks never would scan. 3 | When asked why that was, 4 | He replied "It's because 5 | I always try to cram as many words into the last line as I possibly can." 6 | -------------------------------------------------------------------------------- /afl_docs/QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | ===================== 2 | AFL quick start guide 3 | ===================== 4 | 5 | You should read docs/README. It's pretty short. If you really can't, here's 6 | how to hit the ground running: 7 | 8 | 1) Compile AFL with 'make'. If build fails, see docs/INSTALL for tips. 9 | 10 | 2) Find or write a reasonably fast and simple program that takes data from 11 | a file or stdin, processes it in a test-worthy way, then exits cleanly. 12 | If testing a network service, modify it to run in the foreground and read 13 | from stdin. When fuzzing a format that uses checksums, comment out the 14 | checksum verification code, too. 15 | 16 | The program must crash properly when a fault is encountered. Watch out for 17 | custom SIGSEGV or SIGABRT handlers and background processes. 18 | 19 | 3) Compile the program / library to be fuzzed using afl-gcc. A common way to 20 | do this would be: 21 | 22 | CC=/path/to/afl-gcc CXX=/path/to/afl-g++ ./configure --disable-shared 23 | make clean all 24 | 25 | If program build fails, ping . 26 | 27 | 4) Get a small but valid input file that makes sense to the program. When 28 | fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in 29 | testcases/README.testcases, too. 30 | 31 | 5) If the program reads from stdin, run 'afl-fuzz' like so: 32 | 33 | ./afl-fuzz -i testcase_dir -o findings_dir -- \ 34 | /path/to/tested/program [...program's cmdline...] 35 | 36 | If the program takes input from a file, you can put @@ in the program's 37 | command line; AFL will put an auto-generated file name in there for you. 
38 | 39 | 6) Investigate anything shown in red in the fuzzer UI by promptly consulting 40 | docs/status_screen.txt. 41 | 42 | That's it. Sit back, relax, and - time permitting - try to skim through the 43 | following files: 44 | 45 | - docs/README - A general introduction to AFL, 46 | - docs/perf_tips.txt - Simple tips on how to fuzz more quickly, 47 | - docs/status_screen.txt - An explanation of the tidbits shown in the UI, 48 | - docs/parallel_fuzzing.txt - Advice on running AFL on multiple cores. 49 | -------------------------------------------------------------------------------- /types.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - type definitions and minor macros 3 | ------------------------------------------------------ 4 | 5 | Original AFL code written by Michal Zalewski 6 | 7 | Windows fork written and maintained by Ivan Fratric 8 | 9 | Copyright 2016 Google Inc. All Rights Reserved. 10 | 11 | Licensed under the Apache License, Version 2.0 (the "License"); 12 | you may not use this file except in compliance with the License. 13 | You may obtain a copy of the License at 14 | 15 | http://www.apache.org/licenses/LICENSE-2.0 16 | 17 | Unless required by applicable law or agreed to in writing, software 18 | distributed under the License is distributed on an "AS IS" BASIS, 19 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 | See the License for the specific language governing permissions and 21 | limitations under the License. 22 | 23 | */ 24 | 25 | #ifndef _HAVE_TYPES_H 26 | #define _HAVE_TYPES_H 27 | 28 | #include 29 | #include 30 | 31 | typedef uint8_t u8; 32 | typedef uint16_t u16; 33 | typedef uint32_t u32; 34 | 35 | /* 36 | 37 | Ugh. There is an unintended compiler / glibc #include glitch caused by 38 | combining the u64 type an %llu in format strings, necessitating a workaround. 

In essence, the compiler is always looking for 'unsigned long long' for %llu.
On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to
'unsigned long long' in <bits/types.h>, so everything checks out.

But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'.
Now, it only happens in circumstances where the type happens to have the
expected bit width, *but* the compiler does not know that... and complains
about 'unsigned long' being unsafe to pass to %llu.

*/

#ifdef __x86_64__
typedef unsigned long long u64;
#else
typedef uint64_t u64;
#endif /* ^__x86_64__ */

typedef int8_t s8;
typedef int16_t s16;
typedef int32_t s32;
typedef int64_t s64;

/* Both macros name one of their arguments twice, so an argument with side
   effects (i++, a function call) is evaluated twice when it is the one
   selected. Pass plain values only. */

#ifndef MIN
# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a))
# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b))
#endif /* !MIN */

/* Byte-order swaps. Neither macro narrows its result: a 16-bit operand is
   promoted before shifting, so SWAP16 leaves bits above bit 15 set and the
   caller has to store the result in (or cast it to) a 16-bit type. Both are
   meant for unsigned operands; shifting a negative signed value is not
   portable. The argument is expanded several times, so it must be free of
   side effects. */

#define SWAP16(x) (((x) >> 8) | ((x) << 8))
#define SWAP32(x) (((x) >> 24) | (((x) & 0x00FF0000) >> 8) | (((x) & 0x0000FF00) << 8) | ((x) << 24))

/* Pseudo-random value in [0, x). x must be non-zero (the expansion divides
   by it). rand() is a predictable generator and the modulo is slightly
   biased: good enough for picking mutations, unsuitable for anything that
   needs unpredictability (keys, tokens, nonces). */

#define R(x) (rand() % (x))

/* Two-level expansion so that a macro argument is expanded before it is
   turned into a string literal. */

#define STRINGIFY_INTERNAL(x) #x
#define STRINGIFY(x) STRINGIFY_INTERNAL(x)

/* Compiler-level barrier only: the empty asm statement with a "memory"
   clobber stops the compiler from moving memory accesses across it but
   emits no CPU fence instruction. The syntax is GCC-style inline assembly. */

#define MEM_BARRIER() \
  asm volatile("" ::: "memory")

#endif /* ! _HAVE_TYPES_H */
-------------------------------------------------------------------------------- /testcases/_extras/js.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JavaScript 3 | # ----------------------------- 4 | # 5 | # Contains basic reserved keywords and syntax building blocks.
6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | keyword_arguments="arguments" 11 | keyword_break="break" 12 | keyword_case="case" 13 | keyword_catch="catch" 14 | keyword_const="const" 15 | keyword_continue="continue" 16 | keyword_debugger="debugger" 17 | keyword_decodeURI="decodeURI" 18 | keyword_default="default" 19 | keyword_delete="delete" 20 | keyword_do="do" 21 | keyword_else="else" 22 | keyword_escape="escape" 23 | keyword_eval="eval" 24 | keyword_export="export" 25 | keyword_finally="finally" 26 | keyword_for="for (a=0;a<2;a++)" 27 | keyword_function="function" 28 | keyword_if="if" 29 | keyword_in="in" 30 | keyword_instanceof="instanceof" 31 | keyword_isNaN="isNaN" 32 | keyword_let="let" 33 | keyword_new="new" 34 | keyword_parseInt="parseInt" 35 | keyword_return="return" 36 | keyword_switch="switch" 37 | keyword_this="this" 38 | keyword_throw="throw" 39 | keyword_try="try" 40 | keyword_typeof="typeof" 41 | keyword_var="var" 42 | keyword_void="void" 43 | keyword_while="while" 44 | keyword_with="with" 45 | 46 | misc_1=" 1" 47 | misc_a="a" 48 | misc_array=" [1]" 49 | misc_assign=" a=1" 50 | misc_code_block=" {1}" 51 | misc_colon_num=" 1:" 52 | misc_colon_string=" 'a':" 53 | misc_comma=" ," 54 | misc_comment_block=" /* */" 55 | misc_comment_line=" //" 56 | misc_cond=" 1?2:3" 57 | misc_dec=" --" 58 | misc_div=" /" 59 | misc_equals=" =" 60 | misc_fn=" a()" 61 | misc_identical=" ===" 62 | misc_inc=" ++" 63 | misc_minus=" -" 64 | misc_modulo=" %" 65 | misc_parentheses=" ()" 66 | misc_parentheses_1=" (1)" 67 | misc_parentheses_1x4=" (1,1,1,1)" 68 | misc_parentheses_a=" (a)" 69 | misc_period="." 
70 | misc_plus=" +" 71 | misc_plus_assign=" +=" 72 | misc_regex=" /a/g" 73 | misc_rol=" <<<" 74 | misc_semicolon=" ;" 75 | misc_serialized_object=" {'a': 1}" 76 | misc_string=" 'a'" 77 | misc_unicode=" '\\u0001'" 78 | 79 | object_Array=" Array" 80 | object_Boolean=" Boolean" 81 | object_Date=" Date" 82 | object_Function=" Function" 83 | object_Infinity=" Infinity" 84 | object_Int8Array=" Int8Array" 85 | object_Math=" Math" 86 | object_NaN=" NaN" 87 | object_Number=" Number" 88 | object_Object=" Object" 89 | object_RegExp=" RegExp" 90 | object_String=" String" 91 | object_Symbol=" Symbol" 92 | object_false=" false" 93 | object_null=" null" 94 | object_true=" true" 95 | 96 | prop_charAt=".charAt" 97 | prop_concat=".concat" 98 | prop_constructor=".constructor" 99 | prop_destructor=".destructor" 100 | prop_length=".length" 101 | prop_match=".match" 102 | prop_proto=".__proto__" 103 | prop_prototype=".prototype" 104 | prop_slice=".slice" 105 | prop_toCode=".toCode" 106 | prop_toString=".toString" 107 | prop_valueOf=".valueOf" 108 | -------------------------------------------------------------------------------- /testcases/README.testcases: -------------------------------------------------------------------------------- 1 | =============================== 2 | AFL test cases and dictionaries 3 | =============================== 4 | 5 | (See ../docs/README for the general instruction manual.) 6 | 7 | 1) Starting test cases 8 | ---------------------- 9 | 10 | The archives/, images/, multimedia/, and others/ subdirectories contain small, 11 | standalone files that can be used to seed afl-fuzz when testing parsers for a 12 | variety of common data formats. 13 | 14 | There is probably not much to be said about these files, except that they were 15 | optimized for size and stripped of any non-essential fluff. Some directories 16 | contain several examples that exercise various features of the underlying format. 
17 | For example, there is a PNG file with and without a color profile. 18 | 19 | Additional test cases are always welcome; the current "most wanted" list 20 | includes: 21 | 22 | - JBIG, 23 | - Ogg Vorbis, 24 | - Ogg Theora, 25 | - MP3, 26 | - AAC, 27 | - WebM, 28 | - Small JPEG with a color profile, 29 | - Small fonts. 30 | 31 | 2) Dictionaries 32 | --------------- 33 | 34 | The _extras/ subdirectory contains a set of dictionaries that can be used in 35 | conjunction with the -x option to allow the fuzzer to effortlessly explore the 36 | grammar of some of the more verbose data formats or languages. The basic 37 | principle behind the operation of fuzzer dictionaries is outlined in section 9 38 | of the "main" README for the project. 39 | 40 | Custom dictionaries can be added at will. They should consist of a 41 | reasonably-sized set of rudimentary syntax units that the fuzzer will then try 42 | to clobber together in various ways. Snippets between 2 and 16 bytes are usually 43 | the sweet spot. 44 | 45 | Custom dictionaries can be created in two ways: 46 | 47 | - By creating a new directory and placing each token in a separate file, in 48 | which case, there is no need to escape or otherwise format the data. 49 | 50 | - By creating a flat text file where tokens are listed one per line in the 51 | format of name="value". The alphanumeric name is ignored and can be omitted, 52 | although it is a convenient way to document the meaning of a particular 53 | token. The value must appear in quotes, with hex escaping (\xNN) applied to 54 | all non-printable, high-bit, or otherwise problematic characters (\\ and \" 55 | shorthands are recognized, too). 56 | 57 | The fuzzer auto-selects the appropriate mode depending on whether the -x 58 | parameter is a file or a directory. 
59 | 60 | In the file mode, every name field can be optionally followed by @, e.g.: 61 | 62 | keyword_foo@1 = "foo" 63 | 64 | Such entries will be loaded only if the requested dictionary level is equal or 65 | higher than this number. The default level is zero; a higher value can be set 66 | by appending @ to the dictionary file name, like so: 67 | 68 | -x path/to/dictionary.dct@2 69 | 70 | Good examples of dictionaries can be found in _extras/xml.dict and 71 | _extras/png.dict. 72 | -------------------------------------------------------------------------------- /hash.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - hashing function 3 | ------------------------------------- 4 | 5 | Original AFL code written by Michal Zalewski 6 | 7 | Windows fork written and maintained by Ivan Fratric 8 | 9 | Copyright 2016 Google Inc. All Rights Reserved. 10 | 11 | Licensed under the Apache License, Version 2.0 (the "License"); 12 | you may not use this file except in compliance with the License. 13 | You may obtain a copy of the License at 14 | 15 | http://www.apache.org/licenses/LICENSE-2.0 16 | 17 | Unless required by applicable law or agreed to in writing, software 18 | distributed under the License is distributed on an "AS IS" BASIS, 19 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 | See the License for the specific language governing permissions and 21 | limitations under the License. 22 | 23 | */ 24 | 25 | /* 26 | The hash32() function is a variant of MurmurHash3, a good 27 | non-cryptosafe hashing function developed by Austin Appleby. 28 | 29 | For simplicity, this variant does *NOT* accept buffer lengths 30 | that are not divisible by 8 bytes. The 32-bit version is otherwise 31 | similar to the original; the 64-bit one is a custom hack with 32 | mostly-unproven properties. 33 | 34 | Austin's original code is public domain. 
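35 | 36 | */ 37 |

#ifndef _HAVE_HASH_H
#define _HAVE_HASH_H

#include <string.h>

#include "types.h"

/*
   hash32(key, len, seed) folds the buffer at `key` into a 32-bit checksum.

   key  - start of the buffer; only whole words are read from it.
   len  - buffer length in bytes. The 64-bit variant consumes len / 8 words
          of 8 bytes, the 32-bit variant len / 4 words of 4 bytes. A trailing
          partial word is never read; it influences the result only through
          `len`, which is mixed into the initial state.
   seed - initial state, XORed with `len`.

   Words are loaded with memcpy() rather than by dereferencing a cast
   pointer, so `key` needs no particular alignment and the load does not
   depend on the buffer's declared type. The value loaded, and therefore the
   hash, is the same as with a direct load.

   This is a fast checksum, not a cryptographic hash: anyone who controls
   the input can construct colliding buffers, so do not use the result as an
   integrity or authentication check on untrusted data.

   NOTE(review): MSVC defines _M_X64 rather than __x86_64__, so a 64-bit
   MSVC build presumably compiles the 32-bit variant below - confirm that
   this is intended.
*/

#ifdef __x86_64__

#define ROL64(_x, _r)  ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))

static inline u32 hash32(const void* key, u32 len, u32 seed) {

  const u8* cur = (const u8*)key;
  u64 h1 = seed ^ len;
  u32 words = len >> 3;

  while (words--) {

    u64 k1;

    memcpy(&k1, cur, sizeof(k1));
    cur += sizeof(k1);

    k1 *= 0x87c37b91114253d5ULL;
    k1  = ROL64(k1, 31);
    k1 *= 0x4cf5ad432745937fULL;

    h1 ^= k1;
    h1  = ROL64(h1, 27);
    h1  = h1 * 5 + 0x52dce729;

  }

  /* Final avalanche. */

  h1 ^= h1 >> 33;
  h1 *= 0xff51afd7ed558ccdULL;
  h1 ^= h1 >> 33;
  h1 *= 0xc4ceb9fe1a85ec53ULL;
  h1 ^= h1 >> 33;

  /* Only the low 32 bits of the 64-bit state are returned. */

  return (u32)h1;

}

#else

#define ROL32(_x, _r)  ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))

static inline u32 hash32(const void* key, u32 len, u32 seed) {

  const u8* cur = (const u8*)key;
  u32 h1 = seed ^ len;
  u32 words = len >> 2;

  while (words--) {

    u32 k1;

    memcpy(&k1, cur, sizeof(k1));
    cur += sizeof(k1);

    k1 *= 0xcc9e2d51;
    k1  = ROL32(k1, 15);
    k1 *= 0x1b873593;

    h1 ^= k1;
    h1  = ROL32(h1, 13);
    h1  = h1 * 5 + 0xe6546b64;

  }

  /* Final avalanche. */

  h1 ^= h1 >> 16;
  h1 *= 0x85ebca6b;
  h1 ^= h1 >> 13;
  h1 *= 0xc2b2ae35;
  h1 ^= h1 >> 16;

  return h1;

}

#endif /* ^__x86_64__ */

#endif /* !_HAVE_HASH_H */
-------------------------------------------------------------------------------- /test.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | WinAFL - A simple test binary that crashes on certain inputs: 3 | - 'test1' with a normal write access violation at NULL 4 | - 'test2' with a /GS stack cookie violation 5 | ------------------------------------------------------------- 6 | 7 | Written and maintained by Ivan Fratric 8 | 9 | Copyright 2016 Google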
Inc. All Rights Reserved. 10 | 11 | Licensed under the Apache License, Version 2.0 (the "License"); 12 | you may not use this file except in compliance with the License. 13 | You may obtain a copy of the License at 14 | 15 | http://www.apache.org/licenses/LICENSE-2.0 16 | 17 | Unless required by applicable law or agreed to in writing, software 18 | distributed under the License is distributed on an "AS IS" BASIS, 19 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 | See the License for the specific language governing permissions and 21 | limitations under the License. 22 | 23 | */ 24 |

#define _CRT_SECURE_NO_WARNINGS
#include
#include
#include

/*
   Reads the file named by argv[1] one byte at a time and checks it against
   the prefix "test". The first mismatching byte prints "Error N" (N = 1..4)
   and ends the run; each byte has its own comparison so that every correct
   byte takes a new path through the code.

   After the prefix, the fifth byte selects the outcome:
     '1'   - writes through a NULL pointer
     '2'   - overflows a 5-byte stack buffer
     other - prints "Error 5"

   Both faults are deliberate: they give the fuzzer a known crash of each
   kind to find, so they are part of the contract of this file and are left
   in place. Always returns 0 when it does not crash.
*/
int main(int argc, char** argv)
{
  // Stays NULL on purpose; it is the destination of the write in the '1' case.
  char *crash = NULL;

  if(argc < 2) {
    printf("Usage: %s \n", argv[0]);
    return 0;
  }

  FILE *fp = fopen(argv[1], "rb");
  char c;
  if(!fp) {
    printf("Error opening file\n");
    return 0;
  }

  // Byte 1 must be 't'.
  if(fread(&c, 1, 1, fp) != 1) {
    printf("Error reading file\n");
    fclose(fp);
    return 0;
  }
  if(c != 't') {
    printf("Error 1\n");
    fclose(fp);
    return 0;
  }

  // Byte 2 must be 'e'.
  if(fread(&c, 1, 1, fp) != 1) {
    printf("Error reading file\n");
    fclose(fp);
    return 0;
  }
  if(c != 'e') {
    printf("Error 2\n");
    fclose(fp);
    return 0;
  }

  // Byte 3 must be 's'.
  if(fread(&c, 1, 1, fp) != 1) {
    printf("Error reading file\n");
    fclose(fp);
    return 0;
  }
  if(c != 's') {
    printf("Error 3\n");
    fclose(fp);
    return 0;
  }

  // Byte 4 must be 't'.
  if(fread(&c, 1, 1, fp) != 1) {
    printf("Error reading file\n");
    fclose(fp);
    return 0;
  }
  if(c != 't') {
    printf("Error 4\n");
    fclose(fp);
    return 0;
  }
  printf("!!!!!!!!!!OK!!!!!!!!!!\n");

  // Byte 5 selects which fault, if any, is triggered.
  if(fread(&c, 1, 1, fp) != 1) {
    printf("Error reading file\n");
    fclose(fp);
    return 0;
  }
  if(c == '1') {
    // Intentional fault: write access violation at address 0.
    crash[0] = 1;
  } else if(c == '2') {
    char buffer[5] = { 0 };
    // Intentional fault: argv[0] is appended five times to a 5-byte buffer,
    // so the write runs past its end and corrupts the /GS stack cookie. How
    // far it runs depends on the length of argv[0].
    for(int i = 0; i < 5; ++i)
      strcat(buffer, argv[0]);
    printf("buffer: %s\n", buffer);
  } else {
    printf("Error 5\n");
  }
  fclose(fp);
  return 0;
}
-------------------------------------------------------------------------------- /utils.h: -------------------------------------------------------------------------------- 1 | /* *************************************************************************** 2 | * Copyright (c) 2012-2013 Google, Inc. All rights reserved. 3 | * ***************************************************************************/ 4 | 5 | /* 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 12 | * * Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution. 15 | * 16 | * * Neither the name of Google, Inc. nor the names of its contributors may be 17 | * used to endorse or promote products derived from this software without 18 | * specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL GOOGLE, INC.
OR CONTRIBUTORS BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 30 | * DAMAGE. 31 | */ 32 | 33 | /* 34 | DynamoRIO utility macros. Copied from the DyanmoRIO project, 35 | http://dynamorio.org/ 36 | */ 37 | 38 | 39 | #ifndef CLIENTS_COMMON_UTILS_H_ 40 | #define CLIENTS_COMMON_UTILS_H_ 41 | 42 | #include "dr_api.h" 43 | 44 | #ifdef DEBUG 45 | # define ASSERT(x, msg) DR_ASSERT_MSG(x, msg) 46 | # define IF_DEBUG(x) x 47 | #else 48 | # define ASSERT(x, msg) /* nothing */ 49 | # define IF_DEBUG(x) /* nothing */ 50 | #endif 51 | 52 | /* XXX: should be moved to DR API headers? 
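*/

/* Buffer helpers. They rely on sizeof, so `buf` must be a real array, not a
 * pointer or an array function parameter: for those, sizeof yields the
 * pointer size and the element count / last-element index come out wrong.
 */
#define BUFFER_SIZE_BYTES(buf)      sizeof(buf)
#define BUFFER_SIZE_ELEMENTS(buf)   (BUFFER_SIZE_BYTES(buf) / sizeof((buf)[0]))
#define BUFFER_LAST_ELEMENT(buf)    (buf)[BUFFER_SIZE_ELEMENTS(buf) - 1]
#define NULL_TERMINATE_BUFFER(buf)  BUFFER_LAST_ELEMENT(buf) = 0

/* True when x is a multiple of `alignment`; the mask test is only valid for
 * a power-of-two alignment. x is parenthesised so that an expression
 * argument such as `base + off` is cast as a whole, not just its first
 * operand.
 */
#define ALIGNED(x, alignment) ((((ptr_uint_t)(x)) & ((alignment)-1)) == 0)
#define TESTANY(mask, var) (((mask) & (var)) != 0)
#define TEST TESTANY

#ifdef WINDOWS
# define IF_WINDOWS(x) x
# define IF_UNIX_ELSE(x,y) y
#else
# define IF_WINDOWS(x)
# define IF_UNIX_ELSE(x,y) x
#endif

/* Checks for both debug and release builds: */
#define USAGE_CHECK(x, msg) DR_ASSERT_MSG(x, msg)

/* Converts the data pointer p to generic_func_t.
 *
 * This is a plain cast: nothing verifies that p refers to code or that the
 * target has the signature the caller will use, so the caller is responsible
 * for both. On WINDOWS builds compiler warning 4055 is disabled around the
 * cast and restored afterwards.
 */
static inline generic_func_t
cast_to_func(void *p)
{
#ifdef WINDOWS
# pragma warning(push)
# pragma warning(disable : 4055)
#endif
    return (generic_func_t) p;
#ifdef WINDOWS
# pragma warning(pop)
#endif
}

#endif /* CLIENTS_COMMON_UTILS_H_ */
-------------------------------------------------------------------------------- /modules.h: -------------------------------------------------------------------------------- 1 | /* *************************************************************************** 2 | * Copyright (c) 2012-2013 Google, Inc. All rights reserved. 3 | * ***************************************************************************/ 4 | 5 | /* 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions are met: 8 | * 9 | * * Redistributions of source code must retain the above copyright notice, 10 | * this list of conditions and the following disclaimer. 11 | * 12 | * * Redistributions in binary form must reproduce the above copyright notice, 13 | * this list of conditions and the following disclaimer in the documentation 14 | * and/or other materials provided with the distribution.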
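15 | * 16 | * * Neither the name of Google, Inc. nor the names of its contributors may be 17 | * used to endorse or promote products derived from this software without 18 | * specific prior written permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL GOOGLE, INC. OR CONTRIBUTORS BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 30 | * DAMAGE. 31 | */

/*
   Utilities for keeping track of (un)loaded modules in DynamoRIO clients.
   Copied from the DynamoRIO project, http://dynamorio.org/
*/

#ifndef CLIENTS_COMMON_MODULES_H_
#define CLIENTS_COMMON_MODULES_H_

#include "dr_api.h"
#include "drvector.h"

/* Number of slots in module_table_t.cache. */
#define NUM_GLOBAL_MODULE_CACHE 8

/* One tracked module. */
typedef struct _module_entry_t {
    int id;
    bool unload; /* if the module is unloaded */
    /* NOTE(review): ownership and lifetime of data after an unload are not
     * visible in this header -- confirm in modules.c before dereferencing it
     * for an entry whose unload flag is set.
     */
    module_data_t *data;
} module_entry_t;

/* Table of tracked modules plus a small array of cached entry pointers. */
typedef struct _module_table_t {
    drvector_t vector;
    /* for quick query without lock, assuming pointer-aligned */
    /* NOTE(review): a lock-free read of cache[] only yields the pointer; the
     * entry it points to still falls under the synchronization requirement
     * stated on module_table_lookup below.
     */
    module_entry_t *cache[NUM_GLOBAL_MODULE_CACHE];
} module_table_t;

/* Presumably records a newly loaded module described by data in table --
 * confirm against modules.c.
 */
void
module_table_load(module_table_t *table, const module_data_t *data);

/* To avoid data race, proper synchronization on module table is required for
 * accessing module table entry.
 *
 * cache and cache_size are a caller-supplied array of entry pointers and its
 * length; how they are consulted relative to table is defined in modules.c.
 */
module_entry_t *
module_table_lookup(module_entry_t **cache, int cache_size,
                    module_table_t *table, app_pc pc);

/* To avoid data race, proper synchronization on module table is required for
 * accessing module table entry.
 */
void
module_table_entry_print(module_entry_t *entry, file_t log, bool print_all_info);

/* Counterpart of module_table_load for a module that is going away;
 * presumably marks the matching entry as unloaded -- confirm in modules.c.
 */
void
module_table_unload(module_table_t *table, const module_data_t *data);

/* Writes the table to log; print_all_info is forwarded semantics defined in
 * modules.c.
 */
void
module_table_print(module_table_t *table, file_t log, bool print_all_info);

/* Declared with (void) so that the compiler rejects calls that pass
 * arguments; an empty parameter list in C leaves the parameters unspecified.
 */
module_table_t *
module_table_create(void);

/* Releases a table obtained from module_table_create. */
void
module_table_destroy(module_table_t *table);

#endif /* CLIENTS_COMMON_MODULES_H_ */

--------------------------------------------------------------------------------
/testcases/_extras/html_tags.dict:
--------------------------------------------------------------------------------
1 | # 2 | # AFL dictionary for HTML parsers (tags only) 3 | # ------------------------------------------- 4 | # 5 | # A basic collection of HTML tags likely to matter to HTML parsers. Does *not* 6 | # include any attributes or attribute values. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | tag_a="" 12 | tag_abbr="" 13 | tag_acronym="" 14 | tag_address="" 15 | tag_annotation_xml="" 16 | tag_applet="" 17 | tag_area="" 18 | tag_article="" 19 | tag_aside="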