waugustus/CarpetFuzz

How to know the argument used by a crash poc?

Closed this issue · 1 comments

Hello,

I tried to reproduce the crash CarpetFuzz found. The name of the PoC in crashes is like "crashes/id:000000,sig:07,src:000000,argv:000334,op:argv,pos:0".

I guessed the argv used is around line 334/335/336 in ranked_stubs.

I ran the following commands to extract the argv.

$ cat ranked_stubs_xmllint.txt  | head -n 334
$ cat ranked_stubs_xmllint.txt  | head -n 335
$ cat ranked_stubs_xmllint.txt  | head -n 336

I copied and ran it as shown in the following picture.

But I still cannot reproduce the crash.
May I ask how to reproduce the found crashes?

Thanks

Hi, the format of the file ranked_stubs is

1 [number of argvs]
2 argv:000000
...
336 argv:000334
...

so you should use line 336.

If you are still unable to reproduce the crash, I have two suggestions:

  1. Try testing with an ASAN-compiled executable instead of the CarpetFuzz-compiled one
  2. Check the memory limit, as mentioned on the page.

If it is still irreproducible, I think it may be a false positive of AFL++.
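A small helper, added here as an example and not part of CarpetFuzz, that does the index arithmetic the maintainer describes: it parses the crash file name, maps `argv:N` to line N + 2 of ranked_stubs and checks the index against the count on line 1. The sample ranked_stubs content and its option strings are constructed placeholders.

```python
import re
from pathlib import Path

# Constructed sample of the ranked_stubs layout described above:
# line 1 is the number of argv entries, line 2 holds argv index 0, so
# argv index N sits on line N + 2.  The option strings are placeholders.
SAMPLE_RANKED_STUBS = "\n".join(
    ["400"] + [f"--stub-option-{i} @@" for i in range(400)]
) + "\n"

CRASH_NAME = "id:000000,sig:07,src:000000,argv:000334,op:argv,pos:0"


def parse_crash_name(name: str) -> dict:
    """Split an AFL++/CarpetFuzz crash file name into its key:value fields."""
    fields = {}
    for part in Path(name).name.split(","):
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed field {part!r} in {name!r}")
        fields[key] = value
    if "argv" not in fields:
        raise ValueError(f"no argv field in {name!r}")
    return fields


def argv_line_number(argv_index: int) -> int:
    """Map a 0-based argv index to its 1-based line in ranked_stubs."""
    return argv_index + 2


def argv_for_crash(crash_name: str, ranked_stubs_text: str) -> str:
    """Return the argv line from ranked_stubs that produced the crash file."""
    idx = int(parse_crash_name(crash_name)["argv"])
    lines = ranked_stubs_text.splitlines()
    declared = int(lines[0].strip())
    # Guard against a stale or truncated ranked_stubs file.
    if idx >= declared or argv_line_number(idx) > len(lines):
        raise IndexError(f"argv index {idx} outside the {declared} entries")
    return lines[argv_line_number(idx) - 1]


if __name__ == "__main__":
    print(argv_line_number(334))                          # 336
    print(argv_for_crash(CRASH_NAME, SAMPLE_RANKED_STUBS))
```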