fix AflppRedQueen mutator's u64 I2S replacement

drewbarbs · drewbarbs · commit e75d51872363 · 2026-04-12T12:26:10.000-04:00
When the RQ mutator sees that a 8 byte comparison operand is equal to 8
bytes from the input, then it treats that as an I2S correspondence and
pushes a mutation that replaces those input bytes with a big-endian
encoding of the second comparison operand, `repl` (this process is done
on both the original/byte-swapped versions of the relevant values, to
handle either byte order)

This commit fixes a bit shifting bug (probably typo) that broke the
replacement and made RQ unable to solve the comparison. Instead, we'll
use copy_from_slice
diff --git a/crates/libafl/src/mutators/token_mutations.rs b/crates/libafl/src/mutators/token_mutations.rs
@@ -1076,8 +1076,7 @@ impl AflppRedQueen {
 
                     if buf_16 == pattern as u16 && another_buf_16 == another_pattern as u16 {
                         let mut cloned = buf.to_vec();
-                        cloned[buf_idx + 1] = (repl & 0xff) as u8;
-                        cloned[buf_idx] = ((repl >> 8) & 0xff) as u8;
+                        cloned[buf_idx..(buf_idx+2)].copy_from_slice(&(repl as u16).to_be_bytes());
                         vec.push(cloned);
                         return Ok(true);
                     }
@@ -1091,12 +1090,8 @@ impl AflppRedQueen {
                     // println!("buf: {buf_32} {another_buf_32} {pattern} {another_pattern}");
                     if buf_32 == pattern as u32 && another_buf_32 == another_pattern as u32 {
                         let mut cloned = buf.to_vec();
-                        cloned[buf_idx + 3] = (repl & 0xff) as u8;
-                        cloned[buf_idx + 2] = ((repl >> 8) & 0xff) as u8;
-                        cloned[buf_idx + 1] = ((repl >> 16) & 0xff) as u8;
-                        cloned[buf_idx] = ((repl >> 24) & 0xff) as u8;
+                        cloned[buf_idx..(buf_idx+4)].copy_from_slice(&(repl as u32).to_be_bytes());
                         vec.push(cloned);
-
                         return Ok(true);
                     }
                 }
@@ -1109,16 +1104,7 @@ impl AflppRedQueen {
 
                     if buf_64 == pattern && another_buf_64 == another_pattern {
                         let mut cloned = buf.to_vec();
-
-                        cloned[buf_idx + 7] = (repl & 0xff) as u8;
-                        cloned[buf_idx + 6] = ((repl >> 8) & 0xff) as u8;
-                        cloned[buf_idx + 5] = ((repl >> 16) & 0xff) as u8;
-                        cloned[buf_idx + 4] = ((repl >> 24) & 0xff) as u8;
-                        cloned[buf_idx + 3] = ((repl >> 32) & 0xff) as u8;
-                        cloned[buf_idx + 2] = ((repl >> 32) & 0xff) as u8;
-                        cloned[buf_idx + 1] = ((repl >> 40) & 0xff) as u8;
-                        cloned[buf_idx] = ((repl >> 48) & 0xff) as u8;
-
+                        cloned[buf_idx..(buf_idx+8)].copy_from_slice(&repl.to_be_bytes());
                         vec.push(cloned);
                         return Ok(true);
                     }
