In the x86 instruction emulator fuzzer, when checking whether the input size is
correct, we are checking for these bounds: DATA_OFFSET < size < INPUT_SIZE.
The fact is that INPUT_SIZE is actually the size of the data buffer in the
fuzz_corpus structure. This way, AFL is not able to have full control over this
entry, as we are actually filling this buffer for at most
INPUT_SIZE - DATA_OFFSET.
If I understand the fuzzer correctly, we really need to give full control on
this to AFL so that we can get some "random" from it.
I am wondering if the bounds should rather be:
DATA_OFFSET < size < sizeof (struct fuzz_corpus)
but maybe I am missing something here 🙂
Xen-devel mailing list
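As an added illustration of the point raised in the message (this is not the Xen fuzzer's own harness code; the `fuzz_corpus` layout, its header fields and the INPUT_SIZE value are assumed for the example), the two bounds side by side, with a helper that loads an input the way a harness would and reports how many bytes of `data` the fuzzer actually populated:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example only: a header of control fields
 * followed by the data buffer the emulator reads from. */
#define INPUT_SIZE 4096 /* assumed size of the data buffer */

struct fuzz_corpus {
    uint64_t cr0;   /* assumed header field */
    uint64_t rip;   /* assumed header field */
    uint8_t  data[INPUT_SIZE];
};

#define DATA_OFFSET offsetof(struct fuzz_corpus, data)

/* Bound as described for the existing harness:
 * DATA_OFFSET < size < INPUT_SIZE. */
static bool size_ok_orig(size_t size)
{
    return size > DATA_OFFSET && size < INPUT_SIZE;
}

/* Bound as proposed in the message:
 * DATA_OFFSET < size < sizeof(struct fuzz_corpus). */
static bool size_ok_proposed(size_t size)
{
    return size > DATA_OFFSET && size < sizeof(struct fuzz_corpus);
}

/* Copy an AFL-provided input of `size` bytes into the structure after
 * validating it with `check`. Returns how many bytes of `data` came from
 * the input (fuzzer-controlled), or -1 if the input was rejected. Any
 * remaining bytes of `data` keep their initial value (zero here) and are
 * never under the fuzzer's control. */
static long load_input(const uint8_t *in, size_t size, bool (*check)(size_t),
                       struct fuzz_corpus *c)
{
    if (!check(size))
        return -1;
    memset(c, 0, sizeof(*c));
    memcpy(c, in, size);
    return (long)(size - DATA_OFFSET);
}

/* Largest number of data bytes an input can populate under a given check. */
static long max_controllable(bool (*check)(size_t))
{
    long best = -1;
    for (size_t size = 0; size <= sizeof(struct fuzz_corpus); size++) {
        if (check(size) && (long)(size - DATA_OFFSET) > best)
            best = (long)(size - DATA_OFFSET);
    }
    return best;
}

/* Load a constructed all-0xAA input of `size` bytes and return the value
 * of data[idx] afterwards, or -1 if the check rejected the input. Lets a
 * caller see which bytes of `data` the input reached. */
static int probe_data_byte(size_t size, bool (*check)(size_t), size_t idx)
{
    static uint8_t in[sizeof(struct fuzz_corpus)];
    struct fuzz_corpus c;

    memset(in, 0xAA, sizeof(in));           /* constructed fuzzer input */
    if (load_input(in, size, check, &c) < 0)
        return -1;
    return c.data[idx];
}

int main(void)
{
    printf("DATA_OFFSET = %zu, sizeof(struct fuzz_corpus) = %zu\n",
           (size_t)DATA_OFFSET, sizeof(struct fuzz_corpus));
    printf("original bound: at most %ld of %d data bytes fuzzer-controlled\n",
           max_controllable(size_ok_orig), INPUT_SIZE);
    printf("proposed bound: at most %ld of %d data bytes fuzzer-controlled\n",
           max_controllable(size_ok_proposed), INPUT_SIZE);
    return 0;
}
```

With the assumed 16-byte header, the original bound never lets an input reach the last DATA_OFFSET + 1 bytes of `data`, whereas the proposed bound lets it populate all but the final byte (the `<` rather than `<=` on `sizeof` still stops one short of a full structure). Whether that tail matters depends on how much of `data` the emulator actually consumes per run.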