2.46b

config.h

@@ -21,7 +21,7 @@
 
 /* Version string: */
 
-#define VERSION             "2.45b"
+#define VERSION             "2.46b"
 
 /******************************************************
  *                                                    *

dictionaries/json.dict

@@ -0,0 +1,52 @@
+#
+# AFL dictionary for JSON
+# -----------------------
+#
+# Just the very basics.
+#
+# Inspired by a dictionary by Jakub Wilk <[email protected]>
+#
+
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"

docs/ChangeLog

@@ -16,6 +16,15 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 2.41b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 2.46b:
+--------------
+
+  - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not
+    want to abort on calloc() overflows.
+
+  - Made a minor fix to libtokencap. Reported by Daniel Stender.
+
 --------------
 Version 2.45b:
 --------------

docs/env_variables.txt

@@ -217,6 +217,10 @@ The library honors three environmental variables:
   - AFL_LD_VERBOSE causes the library to output some diagnostic messages
     that may be useful for pinpointing the cause of any observed issues.
 
+  - AFL_LD_NO_CALLOC_OVER inhibits abort() on calloc() overflows. Most
+    of the common allocators check for that internally and return NULL, so
+    it's a security risk only in more exotic setups.
+
 8) Settings for libtokencap.so
 ------------------------------
 

libdislocator/libdislocator.so.c

@@ -73,7 +73,8 @@
 
 static u32 max_mem = MAX_ALLOC;         /* Max heap usage to permit         */
 static u8  alloc_verbose,               /* Additional debug messages        */
-           hard_fail;                   /* abort() when max_mem exceeded?   */
+           hard_fail,                   /* abort() when max_mem exceeded?   */
+           no_calloc_over;              /* abort() on calloc() overflows?   */
 
 static __thread size_t total_mem;       /* Currently allocated mem          */
 
@@ -153,9 +154,17 @@ void* calloc(size_t elem_len, size_t elem_cnt) {
 
   /* Perform some sanity checks to detect obvious issues... */
 
-  if (elem_cnt && len / elem_cnt != elem_len)
+  if (elem_cnt && len / elem_cnt != elem_len) {
+
+    if (no_calloc_over) {
+      DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt);
+      return NULL;
+    }
+
     FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt);
 
+  }
+
   ret = __dislocator_alloc(len);
 
   DEBUGF("calloc(%zu, %zu) = %p [%zu total]", elem_len, elem_cnt, ret,
@@ -254,5 +263,6 @@ __attribute__((constructor)) void __dislocator_init(void) {
 
   alloc_verbose = !!getenv("AFL_LD_VERBOSE");
   hard_fail = !!getenv("AFL_LD_HARD_FAIL");
+  no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
 
 }

libtokencap/libtokencap.so.c

@@ -243,7 +243,7 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
 
 #undef strstr
 
-const char* strstr(const char* haystack, const char* needle) {
+char* strstr(const char* haystack, const char* needle) {
 
   if (__tokencap_is_ro(haystack))
     __tokencap_dump(haystack, strlen(haystack), 1);
@@ -257,7 +257,7 @@ const char* strstr(const char* haystack, const char* needle) {
 
     while(*n && *h && *n == *h) n++, h++;
 
-    if(!*n) return haystack;
+    if(!*n) return (char*)haystack;
 
   } while (*(haystack++));
 
@@ -268,7 +268,7 @@ const char* strstr(const char* haystack, const char* needle) {
 
 #undef strcasestr
 
-const char* strcasestr(const char* haystack, const char* needle) {
+char* strcasestr(const char* haystack, const char* needle) {
 
   if (__tokencap_is_ro(haystack))
     __tokencap_dump(haystack, strlen(haystack), 1);
@@ -283,7 +283,7 @@ const char* strcasestr(const char* haystack, const char* needle) {
 
     while(*n && *h && tolower(*n) == tolower(*h)) n++, h++;
 
-    if(!*n) return haystack;
+    if(!*n) return (char*)haystack;
 
   } while(*(haystack++));