fix: stack smashing on large string IDs (aflnet#19)

Author: mlgiraud

afl-fuzz.c

@@ -782,9 +782,9 @@ void update_state_aware_variables(struct queue_entry *q, u8 dry_run)
 
       for(i=1; i < state_count; i++) {
         unsigned int curStateID = state_sequence[i];
-        char fromState[10], toState[10];
-        sprintf(fromState, "%d", prevStateID);
-        sprintf(toState, "%d", curStateID);
+        char fromState[STATE_STR_LEN], toState[STATE_STR_LEN];
+        snprintf(fromState, STATE_STR_LEN, "%d", prevStateID);
+        snprintf(toState, STATE_STR_LEN, "%d", curStateID);
 
         //Check if the prevStateID and curStateID have been added to the state machine as vertices
         //Check also if the edge prevStateID->curStateID has been added

aflnet.c

@@ -1413,29 +1413,29 @@ u8* state_sequence_to_string(unsigned int *stateSequence, unsigned int stateCoun
 
   u8 *out = NULL;
 
-  char strState[10];
-  int len = 0;
+  char strState[STATE_STR_LEN];
+  size_t len = 0;
   for (i = 0; i < stateCount; i++) {
     //Limit the loop to shorten the output string
     if ((i >= 2) && (stateSequence[i] == stateSequence[i - 1]) && (stateSequence[i] == stateSequence[i - 2])) continue;
     unsigned int stateID = stateSequence[i];
     if (i == stateCount - 1) {
-      sprintf(strState, "%d", (int) stateID);
+      snprintf(strState, STATE_STR_LEN, "%d", (int) stateID);
     } else {
-      sprintf(strState, "%d-", (int) stateID);
+      snprintf(strState, STATE_STR_LEN, "%d-", (int) stateID);
     }
     out = (u8 *)ck_realloc(out, len + strlen(strState) + 1);
     memcpy(&out[len], strState, strlen(strState) + 1);
     len=strlen(out);
     //As Linux limit the size of the file name
     //we set a fixed upper bound here
     if (len > 150 && (i + 1 < stateCount)) {
-      sprintf(strState, "%s", "end-at-");
+      snprintf(strState, STATE_STR_LEN, "%s", "end-at-");
       out = (u8 *)ck_realloc(out, len + strlen(strState) + 1);
       memcpy(&out[len], strState, strlen(strState) + 1);
       len=strlen(out);
 
-      sprintf(strState, "%d", (int) stateSequence[stateCount - 1]);
+      snprintf(strState, STATE_STR_LEN, "%d", (int) stateSequence[stateCount - 1]);
       out = (u8 *)ck_realloc(out, len + strlen(strState) + 1);
       memcpy(&out[len], strState, strlen(strState) + 1);
       len=strlen(out);

config.h

@@ -328,6 +328,8 @@
 #define MAP_SIZE_POW2       16
 #define MAP_SIZE            (1 << MAP_SIZE_POW2)
 
+#define STATE_STR_LEN 12
+
 /* Maximum allocator request size (keep well under INT_MAX): */
 
 #define MAX_ALLOC           0x40000000