From 956a700e173c2043264e29e070c6634806d0363d Mon Sep 17 00:00:00 2001
From: ehuang32 <ericchristopherwong@gmail.com>
Date: Fri, 23 Oct 2020 14:45:58 +1100
Subject: [PATCH] vuln_4 change

---
 fuzzer/Fuzzer.java      | 28 +++++-----------------------
 fuzzer/Instruction.java |  1 -
 poc/vuln-4.poc          |  4 ++--
 src/vuln-4/dc.c         |  5 +++--
 4 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/fuzzer/Fuzzer.java b/fuzzer/Fuzzer.java
index 69c59a6..70afc3f 100644
--- a/fuzzer/Fuzzer.java
+++ b/fuzzer/Fuzzer.java
@@ -43,10 +43,6 @@ public class Fuzzer {
 
     private static ArrayList<String> vars = new ArrayList<>();
 
-    // Instruction Count Array
-    private static int[] counts = {0,0,0,0,0,0,0,0,0,0,0,0};
-    // Instruction Added Probability Array
-    private static int[] addProb = {0,0,0,0,0,0,0,0,0,0,0,0};
     // Pathway Prob Map, E.g. key = [PUSH, POP, STORE] - value = 2, this value is added to base prob
     private static HashMap<List<Instruction>, Integer> pathwayProb = new HashMap<List<Instruction>, Integer>();
     // Current stack of instructions
@@ -122,36 +118,22 @@ public class Fuzzer {
         switch (runCount){
             case 0:
                 // Test with stack full
-                return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE, false, false);
+                return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE, true, false);
             case 1:
                 // Test with stack full
-                return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE - 1, false, false);
+                return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE - 1, true, false);
             case 3:
                 // Run static tests and empty stack
-                return getStaticTests() + generateInput(true, INSTRUCTION_MAX, 0, false, false);
+                return getStaticTests() + generateInput(true, INSTRUCTION_MAX, 0, true, false);
             case 4:
                 // Test with dynamic probability
                 return generateInput(true, INSTRUCTION_MAX, 0, true, false);
             case 5:
                 // Test with long var names
-                return generateInput(true, INSTRUCTION_MAX, 0, false, true);
+                return generateInput(true, INSTRUCTION_MAX, 0, true, true);
         }
         // Run from random stack
-        return generateInput(true, INSTRUCTION_MAX, 0, false, false);
-    }
-
-    /*
-    *   Given an instruction, adds the instruction count to the global array
-    *   and adds probability to the other instructions
-    */
-    private static void addCountProb(Instruction instruction) {
-        int index = instruction.ordinal();
-        for (int i = 0; i < 12; i++) {
-            if (i != index) {
-                counts[i] += 1;
-                addProb[i] += Instruction.values()[i].getProbability();
-            }
-        }
+        return generateInput(true, INSTRUCTION_MAX, 0, true, false);
     }
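Review bot: After this change every branch of the switch passes `true` as the fourth argument to generateInput, so the case 4 comment `// Test with dynamic probability` no longer describes anything that distinguishes that branch, and case 4 now returns exactly what the fall-through at the end of the method returns. Either drop case 4 or replace its comment with one that says why it is kept, e.g. `// Same as the default path; kept so runCount 4 remains an explicit run`. If the fourth parameter is the dynamic-probability flag that the case 4 comment implies, the comments on cases 0, 1, 3 and 5 should also say that dynamic probability is now always on. The method whose switch this is begins before the hunk; only its tail is visible here.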
 
 
diff --git a/fuzzer/Instruction.java b/fuzzer/Instruction.java
index ea21857..d3d2690 100644
--- a/fuzzer/Instruction.java
+++ b/fuzzer/Instruction.java
@@ -86,7 +86,6 @@ public enum Instruction {
         Map<List<Instruction>, Integer> pathwayProb) {
         // Check if cumlative probabilities have been calculated
         checkProbability(instructionStack, pathwayProb);
-        System.out.println(max);
 
         ArrayList<Instruction> instructions;
         ArrayList<Integer> instCumlProbs;
diff --git a/poc/vuln-4.poc b/poc/vuln-4.poc
index f26318d..e5d699d 100644
--- a/poc/vuln-4.poc
+++ b/poc/vuln-4.poc
@@ -1,4 +1,4 @@
 push 10
-store x
+store 10
 push 10
-store x
+store 10
diff --git a/src/vuln-4/dc.c b/src/vuln-4/dc.c
index 68ab539..0a1588e 100644
--- a/src/vuln-4/dc.c
+++ b/src/vuln-4/dc.c
@@ -83,8 +83,9 @@ static node_t *node_new(const char *varname, const value_t value){
 /* updates a node's value in place: 
    replaces p's value with that from q and frees q */
 static void node_edit_value(node_t * p, node_t *q){  
-  if (p->value == q->value) {
-    free(q);
+  char *ptr;
+  if (q->value == strtol(q->varname, &ptr, 10)) {
+    free(q->value);
   }
   p->value = q->value;
   free(q->varname);
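Review bot: The new branch frees `q->value` and the unconditional `p->value = q->value;` on the next line then stores that freed pointer in p, so any later read or free of p->value is a use-after-free; the old code had the same shape with `free(q)`. The `strtol` comparison also compares a `value_t` with a `long` and never inspects `ptr`, so a varname such as `10abc` satisfies the condition as well. Ownership of q->value moves to p here, so the block should not free it at all: delete the `if` and `free(q->value)` and keep only `p->value = q->value;`. If this is the seeded defect for vuln-4 (the subject, the PoC path and the file path suggest so), a comment marking it as intentional would help the next reader. node_edit_value continues past the end of the hunk.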
-- 
GitLab