[libFuzzer] Fallback to default Mutate when MutateWithMask fails.

Summary:
In case the current corpus input doesn't have bytes going into the
focus function, MutateWithMask is useless and may fail gently, allowing the
default mutation routine to happen, rather than crashing on an assertion.

For more context and the initial fix suggestion, see:
https://github.com/google/oss-fuzz/issues/1632#issuecomment-481862879

Reviewers: kcc, morehouse

Reviewed By: kcc

Subscribers: delcypher, #sanitizers, llvm-commits

Tags: #llvm, #sanitizers

Differential Revision: https://reviews.llvm.org/D60567

llvm-svn: 358190
GitOrigin-RevId: 9d5e7ee296651acc1e00ffbe0844532a78725e82
diff --git a/FuzzerLoop.cpp b/FuzzerLoop.cpp
index b86512b..40461c2 100644
--- a/FuzzerLoop.cpp
+++ b/FuzzerLoop.cpp
@@ -658,7 +658,9 @@
         Size <= CurrentMaxMutationLen)
       NewSize = MD.MutateWithMask(CurrentUnitData, Size, Size,
                                   II.DataFlowTraceForFocusFunction);
-    else
+    
+    // If MutateWithMask either failed or wasn't called, call default Mutate.
+    if (!NewSize)
       NewSize = MD.Mutate(CurrentUnitData, Size, CurrentMaxMutationLen);
     assert(NewSize > 0 && "Mutator returned empty unit");
     assert(NewSize <= CurrentMaxMutationLen && "Mutator return oversized unit");
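Review bot: The new `if (!NewSize)` check is only correct if NewSize is 0 on the path where the preceding condition is false and MutateWithMask is never called, and its declaration is outside this hunk. Please confirm it is initialized to 0 where it is declared, otherwise the fallback to MD.Mutate can be skipped on an indeterminate value. Also, the added blank line above the comment contains trailing whitespace and should be emptied or dropped.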
diff --git a/FuzzerMutate.cpp b/FuzzerMutate.cpp
index 92e469f..a825b83 100644
--- a/FuzzerMutate.cpp
+++ b/FuzzerMutate.cpp
@@ -542,6 +542,7 @@
     if (Mask[I])
       T[OneBits++] = Data[I];
 
+  if (!OneBits) return 0;
   assert(!T.empty());
   size_t NewSize = Mutate(T.data(), OneBits, OneBits);
   assert(NewSize <= OneBits);
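Review bot: The early return `if (!OneBits) return 0;` makes 0 a "mask selected no bytes" result that the caller in FuzzerLoop.cpp now depends on, but nothing here documents that contract. Add a short comment at the return (or at the function's declaration) stating that 0 means no mutation was performed, so a later change does not turn it back into an assertion failure. The diff as shown touches only FuzzerLoop.cpp and FuzzerMutate.cpp, so a regression test that passes an all-zero mask would be worth adding.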