google/AFL

Segmentation fault in __afl_store()

hos3in-sh opened this issue · 1 comments

Hi,
I found an issue in AFL.
I compiled a simple C++ program with afl-g++ and found some crashes.
The crash file makes a segmentation fault in the code compiled with afl-g++, but there is no segmentation fault in the normally compiled code (gcc).

Code:

```cpp
#include <iostream>
#include <iterator>
#include <string>

// Decodes "%XX" escapes and '+' from s into a fixed static buffer.
const char *uridecode(const char *s) {
    static char ret[100];              // fixed size; no bounds check on the writes below
    for (auto *p = ret; *s; ++s) {
        if (*s == '%') {
            auto const a = *++s;       // no check that two bytes follow '%':
            auto const b = *++s;       // a trailing "%" or "%4" reads past the terminator
            // 'a'..'f' decode to 0..5 instead of 10..15; uppercase and non-hex bytes are not rejected
            *p++ = (a <= '9' ? a - '0' : a - 'a') * 16 + (b <= '9' ? b - '0' : b - 'a');
        } else if (*s == '+') {
            *p++ = ' ';
        } else {
            *p++ = *s;
        }
    }
    return ret;                        // never explicitly NUL-terminated; 100 or more output bytes overflow ret
}

int main() {
    auto const uri = std::string(
        std::istreambuf_iterator<char>(std::cin),
        std::istreambuf_iterator<char>()
    );
    std::cout << uridecode(uri.c_str());
}
```

Dor1s commented

I haven't tried to understand your code, but I anticipate that the issue is that without instrumentation the crash doesn't happen because your program doesn't attempt to access invalid memory. For example, if you try to access ret[100] element, most likely the program won't crash without the instrumentation, as the underlying memory allocation contains some number of bytes after the first 100 chars allocated for the ret array.

I'd suggest compiling your program with clang -g -fsanitize=fuzzer and reproducing the issue again. AddressSanitizer should give you a readable and actionable report. Alternatively, try reproducing the crash under the debugger and inspecting program memory layout.
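For comparison, here is a bounds-checked rewrite of the posted uridecode(). It is an added example, not code from the issue or from AFL: the names DecodeResult, hex_value and uridecode_checked are chosen for this example, and the default limit of 100 bytes is an assumption that mirrors the original's static array. It makes the three defects Dor1s's explanation points at (reading past the terminator after a trailing '%', writing past ret[100], and mis-decoding hex letters) into explicit rejections rather than memory errors, while keeping the same stdin/stdout contract so the same crash file can be fed to it.

```cpp
#include <cstddef>
#include <iostream>
#include <iterator>
#include <string>

// Added example, not the issue's code or AFL's: a bounds-checked
// rewrite of the posted uridecode(). Malformed or over-long input is
// reported through DecodeResult::ok instead of being read or written
// out of bounds.

struct DecodeResult {
    bool ok;            // false: input rejected, value is unspecified
    std::string value;  // decoded bytes when ok is true
};

// Value of one hex digit, or -1 for anything that is not a hex digit.
// The original's (a <= '9' ? a - '0' : a - 'a') maps 'a'..'f' to 0..5
// and accepts arbitrary bytes; here every case is handled explicitly.
static int hex_value(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// max_out mirrors the original's 100-byte static array (assumption:
// the same limit, with one byte reserved for a terminator).
DecodeResult uridecode_checked(const std::string &s, std::size_t max_out = 100) {
    DecodeResult r{false, std::string()};
    for (std::size_t i = 0; i < s.size(); ++i) {
        char c;
        if (s[i] == '%') {
            // The original does *++s twice with no length check, so a
            // trailing "%" or "%4" reads past the terminator. Reject it.
            if (i + 2 >= s.size()) return r;
            int hi = hex_value(s[i + 1]);
            int lo = hex_value(s[i + 2]);
            if (hi < 0 || lo < 0) return r;
            c = static_cast<char>(hi * 16 + lo);
            i += 2;
        } else if (s[i] == '+') {
            c = ' ';
        } else {
            c = s[i];
        }
        // The original writes into ret[100] without a bound; enforce it
        // here, keeping room for the terminator a C-string caller expects.
        if (r.value.size() + 1 >= max_out) return r;
        r.value.push_back(c);
    }
    r.ok = true;
    return r;
}

// Same stdin/stdout contract as the posted main(), so the binary can be
// built with ASan or instrumented and fed the same crash file.
int main() {
    std::string uri((std::istreambuf_iterator<char>(std::cin)),
                    std::istreambuf_iterator<char>());
    DecodeResult r = uridecode_checked(uri);
    if (!r.ok) {
        std::cerr << "uridecode: malformed or over-long input\n";
        return 1;
    }
    std::cout << r.value;
    return 0;
}
```

Building the original with `clang++ -g -fsanitize=address` and piping the crash file into it shows the overflow directly (a read past the input buffer for a trailing '%', a write past `ret` for long output); the rewrite built the same way exits with status 1 on those inputs instead.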