From e69b25e34be8028921389bbb114135c3028d0a3d Mon Sep 17 00:00:00 2001
From: van Hauser <vh@thc.org>
Date: Mon, 28 Sep 2020 10:13:00 +0200
Subject: [PATCH] increase havoc_stack_pow2 on no finds

---
 include/afl-fuzz.h   | 1 +
 src/afl-fuzz-one.c   | 4 ++--
 src/afl-fuzz-state.c | 1 +
 src/afl-fuzz.c       | 5 +++++
 4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 441ecc61e2..aa27882006 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -443,6 +443,7 @@ typedef struct afl_state {
 
   u8 cal_cycles,                        /* Calibration cycles defaults      */
       cal_cycles_long,                  /* Calibration cycles defaults      */
+      havoc_stack_pow2,                 /* HAVOC_STACK_POW2                 */
       no_unlink,                        /* do not unlink cur_input          */
       debug,                            /* Debug mode                       */
       custom_only,                      /* Custom mutator only mode         */
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index e96c4311f1..c04b492b04 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1884,7 +1884,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
   for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
 
-    u32 use_stacking = 1 << (1 + rand_below(afl, HAVOC_STACK_POW2));
+    u32 use_stacking = 1 << (1 + rand_below(afl, afl->havoc_stack_pow2));
 
     afl->stage_cur_val = use_stacking;
 
@@ -3970,7 +3970,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
       for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max;
            ++afl->stage_cur) {
 
-        u32 use_stacking = 1 << (1 + rand_below(afl, HAVOC_STACK_POW2));
+        u32 use_stacking = 1 << (1 + rand_below(afl, afl->havoc_stack_pow2));
 
         afl->stage_cur_val = use_stacking;
 
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 5e0995fe2f..a8e56e609d 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -95,6 +95,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
   afl->stage_name = "init";             /* Name of the current fuzz stage   */
   afl->splicing_with = -1;              /* Splicing with which test case?   */
   afl->cpu_to_bind = -1;
+  afl->havoc_stack_pow2 = HAVOC_STACK_POW2;
   afl->cal_cycles = CAL_CYCLES;
   afl->cal_cycles_long = CAL_CYCLES_LONG;
   afl->hang_tmout = EXEC_TIMEOUT;
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 002be0bed1..28507857ad 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1368,9 +1368,14 @@ int main(int argc, char **argv_orig, char **envp) {
               break;
             case 2:
               // if (!have_p) afl->schedule = EXPLOIT;
+              afl->havoc_stack_pow2++;
               afl->expand_havoc = 3;
               break;
             case 3:
+              afl->havoc_stack_pow2++;
+              afl->expand_havoc = 4;
+              break;
+            case 4:
               // nothing else currently
               break;