[libFuzzer] Fix off-by-one error in ApplyDictionaryEntry
In the overwrite branch of MutationDispatcher::ApplyDictionaryEntry in
FuzzerMutate.cpp, the index Idx at which W.size() bytes are overwritten
with the word W is chosen uniformly at random in the interval
[0, Size - W.size()). This means that Idx + W.size() will always be
strictly less than Size, i.e., the last byte of the current unit will
never be overwritten.
This is fixed by adding 1 to the exclusive upper bound.
Addresses https://bugs.llvm.org/show_bug.cgi?id=49989.
Reviewed By: morehouse
Differential Revision: https://reviews.llvm.org/D101625
GitOrigin-RevId: 62e4dca94e25668c9f70abc7e524328fd5c6d5c9
diff --git a/FuzzerMutate.cpp b/FuzzerMutate.cpp
index 90d3697..9854e56 100644
--- a/FuzzerMutate.cpp
+++ b/FuzzerMutate.cpp
@@ -195,7 +195,8 @@
Size += W.size();
} else { // Overwrite some bytes with W.
if (W.size() > Size) return 0;
- size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size - W.size());
+ size_t Idx =
+ UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1 - W.size());
memcpy(Data + Idx, W.data(), W.size());
}
return Size;