tl;dr: afl finds an integer overflow which results in miscalculated buffer size and in turn the buffer won’t be realloced to the right size. The following write into the buffer will overrun it. Classic.

If there’s one interesting part, it’d be how to exploit this with guard pages. Unfortunately that part is missing from tfa.
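The size-miscalculation pattern the comment summarises, shown as an added example (not code from the comment or from the article it discusses): a naive `count * elem_size` in 32-bit arithmetic wraps silently, so the `realloc` that follows asks for far less memory than the subsequent write needs. The checked variant uses `__builtin_mul_overflow` (GCC/Clang) to refuse the wrapped size instead. All function names and the sample values are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive size computation (constructed example): the product is computed in
 * 32 bits and wraps silently on overflow, yielding a size that is far too
 * small for the data that will later be written into the buffer. */
uint32_t naive_buffer_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Checked size computation: reports failure instead of returning a wrapped
 * value, so the caller never reallocs to a size smaller than it needs. */
bool checked_buffer_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    uint32_t result;
    if (__builtin_mul_overflow(count, elem_size, &result)) {
        return false;
    }
    *out = result;
    return true;
}

/* Grow a buffer to hold `count` records of `elem_size` bytes, but only when
 * the required size can be computed without overflow. Returns the new
 * capacity in bytes, or 0 if the request was refused (buffer untouched). */
uint32_t grow_buffer(uint8_t **buf, uint32_t *cap, uint32_t count, uint32_t elem_size) {
    uint32_t needed;
    if (!checked_buffer_size(count, elem_size, &needed)) {
        return 0; /* refuse rather than realloc to a wrapped size */
    }
    if (needed > *cap) {
        uint8_t *p = realloc(*buf, needed);
        if (p == NULL) {
            return 0;
        }
        *buf = p;
        *cap = needed;
    }
    return *cap;
}

int main(void) {
    /* Constructed input: 0x40000001 records of 4 bytes each needs ~4 GiB,
     * but the naive product wraps to 4. */
    uint32_t count = 0x40000001u, elem = 4;
    printf("naive size:   %u\n", naive_buffer_size(count, elem));

    uint8_t *buf = NULL;
    uint32_t cap = 0;
    uint32_t got = grow_buffer(&buf, &cap, count, elem);
    printf("checked grow: %s\n", got ? "ok" : "refused (overflow)");

    got = grow_buffer(&buf, &cap, 16, elem);
    printf("small grow:   %u bytes\n", got);
    free(buf);
    return 0;
}
```

The defensive point is that the realloc size and the later write size must come from the same overflow-checked computation; checking one and not the other is exactly the gap a fuzzer like afl will find.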