Hi all,

it's unclear to me which are the options in using the 3 different buffers given to the afl_custom_fuzz method when building a custom mutator.

From the documentation, little information is given on the meaning of "the returned buffer is under your memory management". Does it mean that if I allocate this, I should also be responsible for freeing it (I would assume so)? If so, can I assume that I will always get the same (pointer to the) buffer back on the next invocation of afl_custom_fuzz?

Finally, following the C example provided, it seems to suggest that is possible to reuse the input buffer as a result buffer (where the mutation will be stored). However, the code in the end seems to ignore the fact that it memcpyed the mutated data into buf and still sets out_buff. (edited: I misunderstood the code, this question does not make any sense)

Thanks in advance for the support 😄

The documentation I'm referring to: https://aflplus.plus/docs/custom_mutators/
The example I'm referring to: https://github.com/AFLplusplus/AFLplusplus/blob/dev/custom_mutators/examples/example.c

The code:

size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
                       u8 **out_buf, uint8_t *add_buf,
                       size_t add_buf_size,  // add_buf can be NULL
                       size_t max_size) {

  // Make sure that the packet size does not exceed the maximum size expected by
  // the fuzzer
  size_t mutated_size = DATA_SIZE <= max_size ? DATA_SIZE : max_size;

  memcpy(data->mutated_out, buf, buf_size);

  // Randomly select a command string to add as a header to the packet
  memcpy(data->mutated_out, commands[rand() % 3], 3);

  if (mutated_size > max_size) { mutated_size = max_size; }

  *out_buf = data->mutated_out;
  return mutated_size;

}