1.78b

Makefile

@@ -14,7 +14,7 @@
 #
 
 PROGNAME    = afl
-VERSION     = 1.77b
+VERSION     = 1.78b
 
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin

afl-fuzz.c

@@ -1355,10 +1355,9 @@ static int compare_extras_use_d(const void* p1, const void* p2) {
 
 /* Read extras from a file, sort by size. */
 
-static void load_extras_file(u8* fname) {
+static void load_extras_file(u8* fname, u32* min_len, u32* max_len) {
 
   FILE* f;
-  u32 min_len = MAX_DICT_FILE, max_len = 0;
   u8  buf[MAX_LINE];
   u8  *lptr;
   u32 cur_line = 0;
@@ -1468,8 +1467,8 @@ static void load_extras_file(u8* fname) {
       FATAL("Keyword too big in line %u (%s, limit is %s)", cur_line,
             DMS(klen), DMS(MAX_DICT_FILE));
 
-    if (min_len > klen) min_len = klen;
-    if (max_len < klen) max_len = klen;
+    if (*min_len > klen) *min_len = klen;
+    if (*max_len < klen) *max_len = klen;
 
     extras_cnt++;
 
@@ -1495,7 +1494,7 @@ static void load_extras(u8* dir) {
   if (!d) {
 
     if (errno == ENOTDIR) {
-      load_extras_file(dir);
+      load_extras_file(dir, &min_len, &max_len);
       goto check_and_sort;
     }
 
@@ -6783,7 +6782,7 @@ static void check_crash_handling(void) {
      until I get a box to test the code. So, for now, we check for crash
      reporting the awful way. */
 
-  if (system("launchctl bslist 2>/dev/null | grep -q '\\.ReportCrash$'")) return;
+  if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return;
 
   SAYF("\n" cLRD "[-] " cRST
        "Whoops, your system is configured to forward crash notifications to an\n"

docs/ChangeLog

@@ -16,12 +16,25 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 1.76b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 1.78b:
+--------------
+
+  - Added a dictionary for PDF, contributed by Ben Nagy.
+
+  - Added several references to afl-cov, a new tool by Michael Rash.
+
+  - Fixed a problem with crash reporter detection on MacOS X, as reported by
+    Louis Dassy.
+
 --------------
 Version 1.77b:
 --------------
 
   - Extended the -x option to support single-file dictionaries.
 
+  - Replaced factory-packaged dictionaries with file-based variants.
+
   - Removed newlines from HTML keywords in testcases/_extras/html/.
 
 --------------

docs/README

@@ -276,14 +276,9 @@ magic headers, or other special tokens associated with the targeted data type
 
   http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html
 
-To use this feature, place the tokens in a new directory, one per file; and then
-point the fuzzer to that directory via the -x option in the command line. One
-good example can be found in testcases/_extras/xml/; another useful reference
-point would be testcases/_extras/png/.
-
-Note that the tokens should be *extremely* short and correspond to the basic
-syntax units that the fuzzer will then clobber together in various ways;
-snippets between 2 and 16 bytes are the sweet spot in almost all cases.
+To use this feature, you first need to create a dictionary in one of the two
+formats discussed in testcases/README.testcases; and then point the fuzzer to
+it via the -x option in the command line.
 
 There is no way to provide more structured descriptions of the underlying
 syntax, but the fuzzer will likely figure out some of this based on the
@@ -296,11 +291,6 @@ existing syntax tokens in the input corpus by watching the instrumentation
 very closely during deterministic byte flips. This works for some types of
 parsers and grammars, but isn't nearly as good as the -x mode.
 
-PPS. Due to popular demand, it is now also possible to specify a file dictionary
-via -x. The file must follow the name="value" format, one token per line.
-Alphanumeric names are ignored, along with empty lines of lines that start with #.
-Non-printable and control characters must be escaped within values using \xNN.
-
 10) Crash triage
 ----------------
 
@@ -397,6 +387,9 @@ Here are some of the most important caveats for AFL:
     need to make simple code changes to make them behave in a more traditional
     way.
 
+  - AFL doesn't output human-readable coverage data. If you want to monitor
+    coverage, use afl-cov from Michael Rash: https://github.com/mrash/afl-cov
+
 Beyond this, see INSTALL for platform-specific tips.
 
 13) Special thanks
@@ -425,6 +418,7 @@ bug reports, or patches from:
   Sam Hakim                             Laszlo Szekeres
   David A. Wheeler                      Turo Lamminen
   Andreas Stieger                       Richard Godbee
+  Louis Dassy
 
 Thank you!
 

docs/sister_projects.txt

@@ -84,6 +84,13 @@ Crashwalk (Ben Nagy)
 
   https://github.com/bnagy/crashwalk
 
+afl-cov (Michael Rash)
+----------------------
+
+  Produces human-readable coverage data based on the output queue of afl-fuzz.
+
+  https://github.com/mrash/afl-cov
+
 Distfuzz-AFL (Martijn Bogaard)
 ------------------------------
 

testcases/README.testcases

@@ -1,31 +1,61 @@
-This directory contains two sets of data:
+===============================
+AFL test cases and dictionaries
+===============================
 
-  - A collection of standalone, small starting files for a variety of common
-    data formats, including images, archives, and so on. You can use them
-    directly with the -i option when running afl-fuzz.
+  (See ../docs/README for the general instruction manual.)
 
-  - A smaller set of fuzzing dictionaries, provided in _extras/ subdirectory and
-    to be used with the -x option, as discussed in the README.
+1) Starting test cases
+----------------------
 
-The first data set probably requires no special discussion. The other provides
-good examples of syntax tokens both for binary files (e.g., PNG, TIFF) and for
-text-based formats (XML, SQL).
+The archives/, images/, multimedia/, and others/ subdirectories contain small,
+standalone files that can be used to seed afl-fuzz when testing parsers for a
+variety of common data formats.
 
-Somewhat predictably, when the syntax tokens are around 1-2 bytes long (as is
-the case for GIF and JPEG), the benefits of fuzzing with a dictionary are
-fairly modest and the ultimate coverage does not differ much. For data formats
-that rely on longer atomically checked tokens (e.g., 4-byte PNG section
-headers), the gains are are much more profound.
+There is probably not much to be said about these files, except that they were
+optimized for size and stripped of any non-essential fluff. Some directories
+contain several examples that exercise various features of the underlying format.
+For example, there is a PNG file with and without a color profile.
 
-Oh, by the way: contributions to both data sets are very welcome. For the
-initial samples, my current "most wanted" list includes:
+Additional test cases are always welcome; the current "most wanted" list
+includes:
 
-  - PDF,
   - JBIG,
   - Ogg Vorbis,
   - Ogg Theora,
   - MP3,
   - AAC,
   - WebM,
-  - Small JPEG with ICC (LCMS),
-  - Small font (Freetype).
+  - Small JPEG with a color profile,
+  - Small fonts.
+
+2) Dictionaries
+---------------
+
+The _extras/ subdirectory contains a set of dictionaries that can be used in
+conjunction with the -x option to allow the fuzzer to effortlessly explore the
+grammar of some of the more verbose data formats or languages. The basic
+principle behind the operation of fuzzer dictionaries is outlined in section 9
+of the "main" README for the project.
+
+Custom dictionaries can be added at will. They should consist of a
+reasonably-sized set of rudimentary syntax units that the fuzzer will then try
+to clobber together in various ways. Snippets between 2 and 16 bytes are usually
+the sweet spot.
+
+Custom dictionaries can be created in two ways:
+
+  - By creating a new directory and placing each token in a separate file, in
+    which case, there is no need to escape or otherwise format the data.
+
+  - By creating a flat text file where tokens are listed one per line in the
+    format of name="value". The alphanumeric name is ignored and can be omitted,
+    although it is a convenient way to document the meaning of a particular
+    token. The value must appear in quotes, with hex escaping (\xNN) applied to
+    all non-printable, high-bit, or otherwise problematic characters (\\ and \"
+    shorthands are recognized, too).
+
+The fuzzer auto-selects the appropriate mode depending on whether the -x
+parameter is a file or a directory.
+
+Good examples of dictionaries can be found in _extras/xml.dict and
+_extras/png.dict.

testcases/_extras/gif.dict

@@ -0,0 +1,18 @@
+#
+# AFL dictionary for GIF images
+# -----------------------------
+#
+# Created by Michal Zalewski <[email protected]>
+#
+
+header_87a="87a"
+header_89a="89a"
+header_gif="GIF"
+
+marker_2c=","
+marker_3b=";"
+
+section_2101="!\x01\x12"
+section_21f9="!\xf9\x04"
+section_21fe="!\xfe"
+section_21ff="!\xff\x11"