feat: decode bytes as CESU-8 when converting to char[]

kyakdan · kyakdan · commit e62234def385 · 2025-11-19T11:10:03.000+01:00
diff --git a/src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorFactory.java b/src/main/java/com/code_intelligence/jazzer/mutation/mutator/lang/PrimitiveArrayMutatorFactory.java
@@ -42,6 +42,7 @@
 import java.lang.reflect.AnnotatedArrayType;
 import java.lang.reflect.AnnotatedType;
 import java.nio.ByteBuffer;
+import java.nio.charset.Charset;
 import java.util.Optional;
 import java.util.function.BiFunction;
 import java.util.function.Function;
@@ -71,6 +72,7 @@ public Optional<SerializingMutator<?>> tryCreate(
   public static final class PrimitiveArrayMutator<T> extends SerializingMutator<T> {
     private static final int DEFAULT_MIN_LENGTH = 0;
     private static final int DEFAULT_MAX_LENGTH = 1000;
+    private static final Charset FUZZED_DATA_CHARSET = Charset.forName("CESU-8");
     private long minRange;
     private long maxRange;
     private boolean allowNaN;
@@ -253,16 +255,16 @@ private static AnnotatedType convertWithLength(AnnotatedType type, AnnotatedType
       }
     }
 
-    // Randomly maps the byte array from libFuzzer directly onto char[] or converts each byte into a
-    // 2 byte char. This helps in cases where a String is constructed out of char[] and libFuzzer
-    // inserts CESU8 encoded bytes into the byte[].
+    // The strings we pass to native callbacks to trace data flow are CESU-8 encoded.
+    // As a result, libFuzzer's TORC contains CESU-8 encoded strings.
+    // Therefore, in 50% of times we decode the byte array as a CESU-8  string.
     public char[] postMutateChars(byte[] bytes, PseudoRandom prng) {
       if (prng.choice()) {
         return (char[]) toPrimitive.apply(bytes);
       } else {
-        char[] chars = new char[bytes.length];
+        char[] chars = new String(bytes, FUZZED_DATA_CHARSET).toCharArray();
         for (int i = 0; i < chars.length; i++) {
-          chars[i] = (char) bytes[i];
+          chars[i] = (char) forceInRange(chars[i], minRange, maxRange);
         }
         return chars;
       }
diff --git a/tests/src/test/java/com/example/CharArrayFuzzer.java b/tests/src/test/java/com/example/CharArrayFuzzer.java
@@ -22,8 +22,8 @@ public static void fuzzerTestOneInput(char[] data) {
       return;
     }
     String expression = new String(data);
-    if (expression.contains("jazzer")) {
-      throw new RuntimeException("found jazzer");
+    if (expression.equals("中 Bös3r \uD801\uDC00 C0d3 中")) {
+      throw new RuntimeException("Found evil code");
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -22,8 +22,8 @@ public static void fuzzerTestOneInput(char[] data) {`
`22`	`22`	`return;`
`23`	`23`	`}`
`24`	`24`	`String expression = new String(data);`
`25`		`- if (expression.contains("jazzer")) {`
`26`		`- throw new RuntimeException("found jazzer");`
	`25`	`+ if (expression.equals("中 Bös3r \uD801\uDC00 C0d3 中")) {`
	`26`	`+ throw new RuntimeException("Found evil code");`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`	`}`