[compiler-rt] 62e4dca - [libFuzzer] Fix off-by-one error in ApplyDictionaryEntry
Matt Morehouse via llvm-commits
llvm-commits at lists.llvm.org
Mon May 3 10:38:02 PDT 2021
Author: Fabian Meumertzheim
Date: 2021-05-03T10:37:44-07:00
New Revision: 62e4dca94e25668c9f70abc7e524328fd5c6d5c9
URL: https://github.com/llvm/llvm-project/commit/62e4dca94e25668c9f70abc7e524328fd5c6d5c9
DIFF: https://github.com/llvm/llvm-project/commit/62e4dca94e25668c9f70abc7e524328fd5c6d5c9.diff
LOG: [libFuzzer] Fix off-by-one error in ApplyDictionaryEntry
In the overwrite branch of MutationDispatcher::ApplyDictionaryEntry in
FuzzerMutate.cpp, the index Idx at which W.size() bytes are overwritten
with the word W is chosen uniformly at random in the interval
[0, Size - W.size()). This means that Idx + W.size() will always be
strictly less than Size, i.e., the last byte of the current unit will
never be overwritten.
This is fixed by adding 1 to the exclusive upper bound.
Addresses https://bugs.llvm.org/show_bug.cgi?id=49989.
Reviewed By: morehouse
Differential Revision: https://reviews.llvm.org/D101625
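To make the off-by-one described in the message concrete, here is an added example (not libFuzzer's code and not part of the commit) that models the overwrite branch with a deterministic toy RNG and reports which byte offsets each upper bound can reach. `ToyRand`, `IndexBound`, `ReachableIndices` and `LastByteEverOverwritten` are names invented for this example; the 8-byte unit and the 3-byte word are constructed inputs, and `ToyRand` returning 0 for `N == 0` is a choice made here, not a statement about libFuzzer's `Random`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <set>
#include <vector>

// Hypothetical stand-in for libFuzzer's Random (not the real class): a
// 64-bit LCG whose high bits are reduced modulo N to give a value in [0, N).
// N == 0 yields 0 only so this example never divides by zero; libFuzzer's
// behaviour for that case is not modelled here.
struct ToyRand {
  uint64_t State = 0x9E3779B97F4A7C15ULL;
  size_t operator()(size_t N) {
    State = State * 6364136223846793005ULL + 1442695040888963407ULL;
    return N ? static_cast<size_t>((State >> 33) % N) : 0;
  }
};

// Exclusive upper bound handed to the RNG for a unit of `Size` bytes and a
// dictionary word of `WordLen` bytes: the pre-patch and post-patch formulas.
size_t IndexBound(size_t Size, size_t WordLen, bool Fixed) {
  return Fixed ? Size + 1 - WordLen : Size - WordLen;
}

// Every index the RNG selects over `Trials` draws. Returns an empty set when
// the word does not fit, mirroring the early `return 0` in the real code.
std::set<size_t> ReachableIndices(size_t Size, size_t WordLen, bool Fixed,
                                  size_t Trials = 2000) {
  std::set<size_t> Seen;
  if (WordLen > Size) return Seen;
  ToyRand R;
  for (size_t i = 0; i < Trials; ++i)
    Seen.insert(R(IndexBound(Size, WordLen, Fixed)));
  return Seen;
}

// Runs the overwrite mutation `Trials` times on a zero-filled unit and reports
// whether the last byte of the unit was ever replaced by a byte of W.
bool LastByteEverOverwritten(size_t Size, const std::vector<uint8_t> &W,
                             bool Fixed, size_t Trials = 2000) {
  if (W.size() > Size) return false;
  ToyRand R;
  for (size_t i = 0; i < Trials; ++i) {
    std::vector<uint8_t> Data(Size, 0);            // constructed unit
    size_t Idx = R(IndexBound(Size, W.size(), Fixed));
    memcpy(Data.data() + Idx, W.data(), W.size()); // same write as the patch
    if (Data[Size - 1] != 0) return true;
  }
  return false;
}

int main() {
  const std::vector<uint8_t> W = {0xAA, 0xAA, 0xAA}; // constructed word
  // Unit of 8 bytes, word of 3: the old bound Rand(5) never yields Idx 5, so
  // byte 7 is unreachable; the new bound Rand(6) can select it.
  bool Before = LastByteEverOverwritten(8, W, /*Fixed=*/false);
  bool After = LastByteEverOverwritten(8, W, /*Fixed=*/true);
  return (!Before && After) ? 0 : 1;
}
```

With `Size == 8` and `W.size() == 3`, the old bound draws from `{0,1,2,3,4}` and the new one from `{0,1,2,3,4,5}`; only the latter includes the index whose write ends exactly at `Size`. The guard `W.size() > Size` keeps the new bound at least 1, so the word-fills-the-unit case (`Size == W.size()`) draws from `{0}` rather than from an empty range.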
Added:
Modified:
compiler-rt/lib/fuzzer/FuzzerMutate.cpp
Removed:
################################################################################
diff --git a/compiler-rt/lib/fuzzer/FuzzerMutate.cpp b/compiler-rt/lib/fuzzer/FuzzerMutate.cpp
index 90d3697742c02..9854e56bb804b 100644
--- a/compiler-rt/lib/fuzzer/FuzzerMutate.cpp
+++ b/compiler-rt/lib/fuzzer/FuzzerMutate.cpp
@@ -195,7 +195,8 @@ size_t MutationDispatcher::ApplyDictionaryEntry(uint8_t *Data, size_t Size,
Size += W.size();
} else { // Overwrite some bytes with W.
if (W.size() > Size) return 0;
- size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size - W.size());
+ size_t Idx =
+ UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1 - W.size());
memcpy(Data + Idx, W.data(), W.size());
}
return Size;
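Review bot: the position-hint path on the changed line, `UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1 - W.size())`, is left unchecked by this hunk, so the fix only tightens the random path; unless `GetPositionHint()` is clamped to `Size - W.size()` before this point, the `memcpy(Data + Idx, W.data(), W.size())` that follows can still write past the end of `Data`, and either an explicit `Idx + W.size() <= Size` check here or a comment naming where the hint is validated would make that invariant visible at the call site. The new random bound itself is sound: the `if (W.size() > Size) return 0;` guard above guarantees `Size + 1 - W.size() >= 1`, so the fixed code never calls `Rand` with 0 even when the word fills the whole unit, whereas the old expression reached `Rand(0)` in that case. `Added:` lists no files, so no regression test pins the new upper bound; a unit test that applies the overwrite mutation to a unit with a word of length `Size - 1` and checks that the last byte is eventually overwritten would catch a reintroduction.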