    @@ -1158,7 +1158,7 @@ cmodel_t *CM_LoadMap (char *name, qbool clientload, unsigned *checksum, unsigned
    @@ -1284,7 +1284,7 @@ cmodel_t *CM_LoadMap (char *name, qbool clientload, unsigned *checksum, unsigned
    strlcpy (map_name, name, sizeof(map_name));

    Host_Init (argc, argv, 128 * 1024 * 1024);

Despite the typical AFL-related optimization techniques, I found out about one more technique in a talk by j00ru which is specifically related to GUI applications. Xvfb is a display server that performs all graphics-related operations in virtual memory; nothing it draws is reflected on the actual screen. Games heavily rely on graphical operations, so it was a good choice: in the end I achieved about a 50% increase in execution speed (from a ridiculously slow 1.5 exec/s to a still ridiculously slow 2.1 exec/s). Integration with the fuzzer was very easy. It just required running the display server and updating the DISPLAY environment variable.

Quake maps are quite big by AFL's standards, so I experimented with different sets based on the maps offered by nQuake, which is a package combining ezQuake as a bare client with various data files (maps, textures, config files, etc.), making the game ready to play out of the box. I started with a corpus containing only the smallest map and gradually increased the corpus until all maps were used.

Crashes

About 24 hours of fuzzing led to finding 11 unique crashes. A brief analysis of them didn't uncover any interesting exploitation possibilities, thus I moved on. I reported all crashes in a single issue on GitHub.
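The Xvfb integration described above (start a headless display server, point DISPLAY at it, run the fuzzer) as an added shell example; this is not code from the original post or from the ezQuake project. The display number, screen geometry, corpus and output directories, AFL timeout and the `./harness` wrapper that loads one map file are all assumptions. Beyond the two steps named in the text it waits for the X socket before launching the fuzzer and removes the Xvfb process on exit, which is what a practitioner wants when running many sessions unattended.

```shell
#!/bin/sh
# Added example (not code from the original post): run an AFL session under a
# headless Xvfb display. The display number, screen geometry, corpus/output
# directories and the harness command line are assumptions.

# Path of the Unix socket Xvfb creates for a given display number.
xvfb_socket_path() {
    printf '/tmp/.X11-unix/X%s\n' "$1"
}

# DISPLAY value for a display number, e.g. 99 -> ":99".
display_value() {
    printf ':%s\n' "$1"
}

# Poll for the X socket for up to $2 seconds; returns 1 if it never appears,
# so the client is not launched before the server is ready to accept it.
wait_for_socket() {
    sock=$1
    tries=$2
    while [ "$tries" -gt 0 ]; do
        if [ -S "$sock" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Start Xvfb, wait for it, run afl-fuzz with DISPLAY pointing at it, and
# always kill Xvfb on exit so an interrupted run leaves no stray server behind.
run_fuzz_headless() {
    disp=${1:-99}                       # assumed display number
    Xvfb ":$disp" -screen 0 640x480x24 -nolisten tcp >/dev/null 2>&1 &
    xvfb_pid=$!
    trap 'kill "$xvfb_pid" 2>/dev/null' EXIT INT TERM
    if ! wait_for_socket "$(xvfb_socket_path "$disp")" 10; then
        echo "Xvfb on :$disp did not come up" >&2
        return 1
    fi
    # -m none: no memory limit (the client allocates a large heap);
    # -t 20000: generous timeout, since a single run is seconds long;
    # @@ is replaced by AFL with the path of the mutated map file;
    # ./harness is an assumed wrapper that loads the given map and exits.
    DISPLAY=$(display_value "$disp") \
        afl-fuzz -i corpus -o findings -m none -t 20000 -- ./harness @@
}

# Usage: run_fuzz_headless 99
```

Nothing runs on the display, so `-screen 0 640x480x24` only has to be large enough for the client to create its window; a smaller virtual screen means less memory touched per execution.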