unsignedchar *buf = __AFL_FUZZ_TESTCASE_BUF; // must be after __AFL_INIT // and before __AFL_LOOP!
while (__AFL_LOOP(10000)) {
int len = __AFL_FUZZ_TESTCASE_LEN; // don't use the macro directly in a // call!
if (len < 8) continue; // check for a required/useful minimum input length
/* Setup function call, e.g. struct target *tmp = libtarget_init() */ /* Call function to be fuzzed, e.g.: */ target_function(buf, len); /* Reset state. e.g. libtarget_free(tmp) */
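while (__AFL_LOOP(1000)) {
    /* (Re-)initialize the library and read new input for this iteration.
     * buf, read_bytes, handle, count and insn are declared above this loop
     * (outside the visible excerpt); 128 must match buf's real size. */
    read_bytes = -1;
    memset(buf, 0, 128);
    read_bytes = read(STDIN_FILENO, buf, 128);

    /* read() returns -1 on error and 0 at EOF. Handing either to cs_disasm()
     * as a size_t would make the disassembler scan far past the 128-byte
     * buffer, so skip the iteration instead of disassembling garbage. */
    if (read_bytes <= 0) continue;

    if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) == CS_ERR_OK) {
        /* Disassemble the bytes we just read using capstone. */
        count = cs_disasm(handle, buf, (size_t)read_bytes, 0x1000, 0, &insn);

        /* Don't leak memory. This is especially important in persistent mode,
         * because we reuse the process a significant number of times.
         * With count == 0 nothing was allocated and insn may not have been
         * set, so only free when there is something to free. */
        if (count > 0) cs_free(insn, count);

        /* Close only a handle that cs_open actually filled in; on the failure
         * path handle is unset (or stale from a previous iteration). */
        cs_close(&handle);
    }
}

return 0;
}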
/* A simplified persistent mode handler, used as explained in README.llvm. */
int __afl_persistent_loop(unsignedint max_cnt) {
static u8 first_pass = 1; static u32 cycle_cnt;
if (first_pass) {
/* Make sure that every iteration of __AFL_LOOP() starts with a clean slate. On subsequent calls, the parent will take care of that, but on the first iteration, it's our job to erase any trace of whatever happened before the loop. */
/* When exiting __AFL_LOOP(), make sure that the subsequent code that follows the loop is not traced. We do that by pivoting back to the dummy output region. */