From 184256122ad13edb619fd72d539ac453e2a65452 Mon Sep 17 00:00:00 2001
From: Thomas HUET
Date: Sat, 29 Jul 2017 16:26:06 +0200
Subject: [PATCH] 2.46b
---
 config.h | 2 +-
 dictionaries/json.dict | 52 ++++++++++++++++++++++++++++++++
 docs/ChangeLog | 9 ++++++
 docs/env_variables.txt | 4 +++
 libdislocator/libdislocator.so.c | 14 +++++++--
 libtokencap/libtokencap.so.c | 8 ++---
 6 files changed, 82 insertions(+), 7 deletions(-)
 create mode 100644 dictionaries/json.dict
diff --git a/config.h b/config.h
index d00f6211..d39dc50d 100644
--- a/config.h
+++ b/config.h
@@ -21,7 +21,7 @@
 /* Version string: */
-#define VERSION "2.45b"
+#define VERSION "2.46b"
 /******************************************************
 * *
diff --git a/dictionaries/json.dict b/dictionaries/json.dict
new file mode 100644
index 00000000..e08245a2
--- /dev/null
+++ b/dictionaries/json.dict
@@ -0,0 +1,52 @@
+#
+# AFL dictionary for JSON
+# -----------------------
+#
+# Just the very basics.
+#
+# Inspired by a dictionary by Jakub Wilk
+#
+
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"
diff --git a/docs/ChangeLog b/docs/ChangeLog
index fd76f59f..31b34ca5 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -16,6 +16,15 @@ Not sure if you should upgrade? The lowest currently recommended version is 2.41b. If you're stuck on an earlier release, it's strongly advisable to get on with the times.
+--------------
+Version 2.46b:
+--------------
+
+ - libdislocator now supports AFL_LD_NO_CALLOC_OVER for folks who do not
+ want to abort on calloc() overflows.
+
+ - Made a minor fix to libtokencap. Reported by Daniel Stender.
+
 --------------
 Version 2.45b:
 -------------- 
diff --git a/docs/env_variables.txt b/docs/env_variables.txt
index 97d81694..50571ebd 100644
--- a/docs/env_variables.txt
+++ b/docs/env_variables.txt
@@ -217,6 +217,10 @@ The library honors three environmental variables:
 - AFL_LD_VERBOSE causes the library to output some diagnostic messages that may be useful for pinpointing the cause of any observed issues.
+ - AFL_LD_NO_CALLOC_OVER inhibits abort() on calloc() overflows. Most
+ of the common allocators check for that internally and return NULL, so
+ it's a security risk only in more exotic setups.
+
 8) Settings for libtokencap.so
 ------------------------------
diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c
index 0dfc98e6..043480a6 100644
--- a/libdislocator/libdislocator.so.c
+++ b/libdislocator/libdislocator.so.c
@@ -73,7 +73,8 @@ static u32 max_mem = MAX_ALLOC; /* Max heap usage to permit */
 static u8 alloc_verbose, /* Additional debug messages */
- hard_fail; /* abort() when max_mem exceeded? */
+ hard_fail, /* abort() when max_mem exceeded? */
+ no_calloc_over; /* abort() on calloc() overflows? */
 static __thread size_t total_mem; /* Currently allocated mem */
@@ -153,9 +154,17 @@ void* calloc(size_t elem_len, size_t elem_cnt) {
 /* Perform some sanity checks to detect obvious issues... */
- if (elem_cnt && len / elem_cnt != elem_len)
+ if (elem_cnt && len / elem_cnt != elem_len) {
+
+ if (no_calloc_over) {
+ DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt);
+ return NULL;
+ }
+
 FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt);
+ }
+
 ret = __dislocator_alloc(len);
 DEBUGF("calloc(%zu, %zu) = %p [%zu total]", elem_len, elem_cnt, ret,
@@ -254,5 +263,6 @@ __attribute__((constructor)) void __dislocator_init(void) {
 alloc_verbose = !!getenv("AFL_LD_VERBOSE");
 hard_fail = !!getenv("AFL_LD_HARD_FAIL");
+ no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
 } 
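Review bot: The comment on the new `no_calloc_over` field in the first libdislocator hunk reads `/* abort() on calloc() overflows? */`, which is the inverse of what a set flag does — the calloc() hunk further down returns NULL instead of aborting when it is non-zero. The declaration should say `no_calloc_over; /* return NULL instead of abort() on calloc() overflows? */`, keeping the question-style used for `hard_fail`. The constructor hunk only copies the `!!getenv()` pattern, so the comment is the one place a reader learns the flag's polarity.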
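Review bot: In the calloc() hunk, the new `no_calloc_over` branch returns NULL without touching errno, while the libc allocators this mode imitates (as the docs/env_variables.txt hunk puts it) also report an allocation failure through errno, so a caller that inspects errno after the NULL return sees a stale value. If the file already includes <errno.h> (its includes are outside this hunk), `errno = ENOMEM;` before `return NULL;` would match that contract. The DEBUGF line is the only trace of the overflow in this mode, and if DEBUGF is gated on AFL_LD_VERBOSE as its name suggests the overflow is silent by default, which the comment above the branch could state: `/* Mimic a normal allocator: report the overflow as an allocation failure, not an abort. */`. `len` is computed before this hunk starts and calloc()'s body continues after it.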
diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c
index 41997f04..24805c1b 100644
--- a/libtokencap/libtokencap.so.c
+++ b/libtokencap/libtokencap.so.c
@@ -243,7 +243,7 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
 #undef strstr
-const char* strstr(const char* haystack, const char* needle) {
+char* strstr(const char* haystack, const char* needle) {
 if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, strlen(haystack), 1);
@@ -257,7 +257,7 @@ const char* strstr(const char* haystack, const char* needle) {
 while(*n && *h && *n == *h) n++, h++;
- if(!*n) return haystack;
+ if(!*n) return (char*)haystack;
 } while (*(haystack++));
@@ -268,7 +268,7 @@ const char* strcasestr(const char* haystack, const char* needle) {
 #undef strcasestr
-const char* strcasestr(const char* haystack, const char* needle) {
+char* strcasestr(const char* haystack, const char* needle) {
 if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, strlen(haystack), 1);
@@ -283,7 +283,7 @@ const char* strcasestr(const char* haystack, const char* needle) {
 while(*n && *h && tolower(*n) == tolower(*h)) n++, h++;
- if(!*n) return haystack;
+ if(!*n) return (char*)haystack;
 } while(*(haystack++));
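Review bot: The first strstr() hunk changes the interposer's return type to `char*`, and the hunks at 257, 268 and 283 cast `haystack` back to `char*` on return, but nothing records that the const is dropped deliberately to match the standard prototype rather than by accident, so a later reader may well restore `const char*`. A one-line comment before each definition, `/* Prototype and const-discarding return follow the C standard strstr(); keep in sync with <string.h>. */`, would fix that for both functions. The `#undef strstr` directly above suggests the header may define these names as macros, and the matching prototype presumably avoids a conflicting-types diagnostic, but that is inferred, not visible in the hunk. Both function bodies start and end outside their hunks, and the final strcasestr hunk is cut off at the end of the page.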