feat: decode bytes as CESU-8 when converting to char[]

Author: kyakdan

src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorFactory.java

@@ -42,6 +42,7 @@
 import java.lang.reflect.AnnotatedArrayType;
 import java.lang.reflect.AnnotatedType;
 import java.nio.ByteBuffer;
+import java.nio.charset.Charset;
 import java.util.Optional;
 import java.util.function.BiFunction;
 import java.util.function.Function;
@@ -253,16 +254,16 @@ private static AnnotatedType convertWithLength(AnnotatedType type, AnnotatedType
       }
     }
 
-    // Randomly maps the byte array from libFuzzer directly onto char[] or converts each byte into a
-    // 2 byte char. This helps in cases where a String is constructed out of char[] and libFuzzer
-    // inserts CESU8 encoded bytes into the byte[].
+    // The strings we pass to native callbacks to trace data flow are CESU-8 encoded.
+    // As a result, libFuzzer's TORC contains CESU-8 encoded strings.
+    // Therefore, in 50% of times we decode the byte array as a CESU-8  string.
     public char[] postMutateChars(byte[] bytes, PseudoRandom prng) {
       if (prng.choice()) {
         return (char[]) toPrimitive.apply(bytes);
       } else {
-        char[] chars = new char[bytes.length];
+        char[] chars = new String(bytes, Charset.forName("CESU-8")).toCharArray();
         for (int i = 0; i < chars.length; i++) {
-          chars[i] = (char) bytes[i];
+          chars[i] = (char) forceInRange(chars[i], minRange, maxRange);
         }
         return chars;
       }

tests/src/test/java/com/example/CharArrayFuzzer.java

@@ -22,8 +22,8 @@ public static void fuzzerTestOneInput(char[] data) {
       return;
     }
     String expression = new String(data);
-    if (expression.contains("jazzer")) {
-      throw new RuntimeException("found jazzer");
+    if (expression.equals("中 Bös3r \uD801\uDC00 C0d3 中")) {
+      throw new RuntimeException("Found evil code");
     }
   }
 }