From 956a700e173c2043264e29e070c6634806d0363d Mon Sep 17 00:00:00 2001
From: ehuang32 <ericchristopherwong@gmail.com>
Date: Fri, 23 Oct 2020 14:45:58 +1100
Subject: [PATCH] vuln_4 change

---
 fuzzer/Fuzzer.java | 28 +++++-----------------------
 fuzzer/Instruction.java | 1 -
 poc/vuln-4.poc | 4 ++--
 src/vuln-4/dc.c | 5 +++--
 4 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/fuzzer/Fuzzer.java b/fuzzer/Fuzzer.java
index 69c59a6..70afc3f 100644
--- a/fuzzer/Fuzzer.java
+++ b/fuzzer/Fuzzer.java
@@ -43,10 +43,6 @@ public class Fuzzer {
 private static ArrayList<String> vars = new ArrayList<>();
- // Instruction Count Array
- private static int[] counts = {0,0,0,0,0,0,0,0,0,0,0,0};
- // Instruction Added Probability Array
- private static int[] addProb = {0,0,0,0,0,0,0,0,0,0,0,0};
 // Pathway Prob Map, E.g. key = [PUSH, POP, STORE] - value = 2, this value is added to base prob
 private static HashMap<List<Instruction>, Integer> pathwayProb = new HashMap<List<Instruction>, Integer>();
 // Current stack of instructions
@@ -122,36 +118,22 @@ public class Fuzzer {
 switch (runCount){
 case 0:
 // Test with stack full
- return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE, false, false);
+ return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE, true, false);
 case 1:
 // Test with stack full
- return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE - 1, false, false);
+ return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE - 1, true, false);
 case 3:
 // Run static tests and empty stack
- return getStaticTests() + generateInput(true, INSTRUCTION_MAX, 0, false, false);
+ return getStaticTests() + generateInput(true, INSTRUCTION_MAX, 0, true, false);
 case 4:
 // Test with dynamic probability
 return generateInput(true, INSTRUCTION_MAX, 0, true, false);
 case 5:
 // Test with long var names
- return generateInput(true, INSTRUCTION_MAX, 0, false, true);
+ return generateInput(true, INSTRUCTION_MAX, 0, true, true);
 }
 // Run from random stack
- return generateInput(true, INSTRUCTION_MAX, 0, false, false);
- }
-
- /*
- * Given an instruction, adds the instruction count to the global array
- * and adds probability to the other instructions
- */
- private static void addCountProb(Instruction instruction) {
- int index = instruction.ordinal();
- for (int i = 0; i < 12; i++) {
- if (i != index) {
- counts[i] += 1;
- addProb[i] += Instruction.values()[i].getProbability();
- }
- }
+ return generateInput(true, INSTRUCTION_MAX, 0, true, false);
 }
diff --git a/fuzzer/Instruction.java b/fuzzer/Instruction.java
index ea21857..d3d2690 100644
--- a/fuzzer/Instruction.java
+++ b/fuzzer/Instruction.java
@@ -86,7 +86,6 @@ public enum Instruction {
 Map<List<Instruction>, Integer> pathwayProb) {
 // Check if cumlative probabilities have been calculated
 checkProbability(instructionStack, pathwayProb);
- System.out.println(max);
 ArrayList<Instruction> instructions;
 ArrayList<Integer> instCumlProbs;
diff --git a/poc/vuln-4.poc b/poc/vuln-4.poc
index f26318d..e5d699d 100644
--- a/poc/vuln-4.poc
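Review bot: With `true` now passed as the fourth generateInput argument in every branch, `case 4` returns exactly the same call as the fall-through after the switch, and its `// Test with dynamic probability` comment, like `// Run from random stack`, no longer describes anything the other cases don't also do. Either the flag is now meant to be always on and the comment should say so, e.g. `// Dynamic probability is on for every run; case 4 is a plain empty-stack run`, or the `case 4` branch should be dropped so the fall-through is visible. Note also that `runCount == 2` has no case and silently takes the final return; a `default:` label would make that deliberate rather than accidental. The method enclosing this switch starts outside the hunk.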
+++ b/poc/vuln-4.poc
@@ -1,4 +1,4 @@
 push 10
-store x
+store 10
 push 10
-store x
+store 10
diff --git a/src/vuln-4/dc.c b/src/vuln-4/dc.c
index 68ab539..0a1588e 100644
--- a/src/vuln-4/dc.c
+++ b/src/vuln-4/dc.c
@@ -83,8 +83,9 @@ static node_t *node_new(const char *varname, const value_t value){
 /* updates a node's value in place: replaces p's value with that from q and frees q */
 static void node_edit_value(node_t * p, node_t *q){
- if (p->value == q->value) {
- free(q);
+ char *ptr;
+ if (q->value == strtol(q->varname, &ptr, 10)) {
+ free(q->value);
 }
 p->value = q->value;
 free(q->varname);
--
GitLab
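Review bot: `free(q->value)` passes a `value_t` to free(), and because that field is compared against strtol's `long` result on the line above it is presumably an integer, so this is an integer reinterpreted as a heap pointer — an invalid free that glibc aborts on for a value like the PoC's 10 — after which `p->value = q->value` stores the value anyway. If that is the planted vuln-4 defect, mark it above the `if` (`/* vuln-4: intentional invalid free of a non-pointer value */`) and make the conversion explicit, `free((void *)q->value);`, since an implicit int-to-pointer conversion is an error by default in GCC 14 and Clang 15 onward and the target may stop building. The trigger is also wider than the PoC suggests: strtol returns 0 when `varname` has no leading digits, so `push 0` / `store x` takes the same branch, and `ptr` is never inspected; if only an exact numeric name is meant to match, add `*ptr == '\0' &&` to the condition. The rest of node_edit_value, including whatever frees `q` itself, is outside the hunk.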