[libFuzzer] Fix off-by-one error in ApplyDictionaryEntry

In the overwrite branch of MutationDispatcher::ApplyDictionaryEntry in
FuzzerMutate.cpp, the index Idx at which W.size() bytes are overwritten
with the word W is chosen uniformly at random in the interval
[0, Size - W.size()). This means that Idx + W.size() will always be
strictly less than Size, i.e., the last byte of the current unit will
never be overwritten.

This is fixed by adding 1 to the exclusive upper bound.

Addresses https://bugs.llvm.org/show_bug.cgi?id=49989.

Reviewed By: morehouse

Differential Revision: https://reviews.llvm.org/D101625

GitOrigin-RevId: 62e4dca94e25668c9f70abc7e524328fd5c6d5c9
diff --git a/FuzzerMutate.cpp b/FuzzerMutate.cpp
index 90d3697..9854e56 100644
--- a/FuzzerMutate.cpp
+++ b/FuzzerMutate.cpp
@@ -195,7 +195,8 @@
     Size += W.size();
   } else {  // Overwrite some bytes with W.
     if (W.size() > Size) return 0;
-    size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size - W.size());
+    size_t Idx =
+        UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1 - W.size());
     memcpy(Data + Idx, W.data(), W.size());
   }
   return Size;
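Review bot: The hint branch of the new `Idx` expression still takes `DE.GetPositionHint()` as-is, and the `memcpy(Data + Idx, W.data(), W.size())` that follows trusts it. The check that sets `UsePositionHint` is outside this hunk, so please confirm that it rejects any hint where hint + W.size() exceeds Size, and that it uses the same inclusive bound as the random path so a hint pointing at the last W.size() bytes is not discarded. On the random path, the `W.size() > Size` guard above keeps `Size + 1 - W.size()` at 1 or more, so the subtraction cannot underflow, and with Rand(N) returning a value in [0, N) as the commit message describes, Idx + W.size() can now equal Size but never exceed it. A regression test asserting that the final byte of the unit can be overwritten by a dictionary word would keep this bound from regressing; none is included in this diff.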