fix array access

Thanks @Marcono1234

Author: yawkat

fuzzing-tests/src/main/java/io/micronaut/fuzzing/sanitizer/ByteBufArraySanitizer.java

@@ -21,22 +21,27 @@ final class ByteBufArraySanitizer {
 
     static byte baload(byte[] array, int index) {
         if (array[0] == PATTERN_B1) {
-            checkIndexSlow(array, index);
+            array = checkIndexSlow(array, index);
         }
         return array[index];
     }
 
     static void bastore(byte[] array, int index, byte value) {
         if (array[0] == PATTERN_B1) {
-            checkIndexSlow(array, index);
+            array = checkIndexSlow(array, index);
         }
         array[index] = value;
     }
 
-    private static void checkIndexSlow(byte[] array, int index) {
+    private static byte[] checkIndexSlow(byte[] array, int index) {
         Slot slot = findSlot(array);
-        if (slot != null && (index < slot.start || index >= slot.end)) {
-            Jazzer.reportFindingFromHook(new FuzzerSecurityIssueCritical("Out-of-bounds array access"));
+        if (slot != null) {
+            if (index < slot.start || index >= slot.end) {
+                Jazzer.reportFindingFromHook(new FuzzerSecurityIssueCritical("Out-of-bounds array access"));
+            }
+            return slot.backing;
+        } else {
+            return array;
         }
     }
 
@@ -85,33 +90,33 @@ static byte[] byteBufArray(ByteBuf buf) {
 
     static byte[] arraysCopyOf(byte[] array, int newLength) {
         if (array.length > 0 && array[0] == PATTERN_B1) {
-            checkRangeSlow(array, 0, newLength);
+            array = checkRangeSlow(array, 0, newLength);
         }
         return Arrays.copyOf(array, newLength);
     }
 
     static byte[] arraysCopyOfRange(byte[] array, int from, int to) {
         if (array.length > 0 && array[0] == PATTERN_B1) {
-            checkRangeSlow(array, from, to - from);
+            array = checkRangeSlow(array, from, to - from);
         }
         return Arrays.copyOfRange(array, from, to);
     }
 
     static void systemArraycopy(Object src, int srcPos, Object dest, int destPos, int length) {
         if (length != 0) {
             if (src instanceof byte[] s && s[0] == PATTERN_B1) {
-                checkRangeSlow(s, srcPos, length);
+                src = checkRangeSlow(s, srcPos, length);
             }
             if (dest instanceof byte[] d && d[0] == PATTERN_B1) {
-                checkRangeSlow(d, destPos, length);
+                dest = checkRangeSlow(d, destPos, length);
             }
         }
         System.arraycopy(src, srcPos, dest, destPos, length);
     }
 
-    private static void checkRangeSlow(byte[] array, int pos, int len) {
+    private static byte[] checkRangeSlow(byte[] array, int pos, int len) {
         if (len <= 0) {
-            return;
+            return array;
         }
         Slot slot = findSlot(array);
         if (slot != null) {
@@ -122,6 +127,9 @@ private static void checkRangeSlow(byte[] array, int pos, int len) {
             if (pos < start || hi > end) {
                 Jazzer.reportFindingFromHook(new FuzzerSecurityIssueCritical("Out-of-bounds array access"));
             }
+            return slot.backing;
+        } else {
+            return array;
         }
     }
 

fuzzing-tests/src/test/java/io/micronaut/fuzzing/sanitizer/SanitizerTransformerTest.java

@@ -10,6 +10,8 @@
 
 import java.util.Arrays;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 public class SanitizerTransformerTest {
     @BeforeAll
     static void init() {
@@ -18,6 +20,40 @@ static void init() {
 
     private static volatile int sink;
 
+    @Test
+    public void loadsAreAccurate() {
+        ByteBuf buffer = ByteBufAllocator.DEFAULT.heapBuffer(16);
+        try {
+            buffer.writeByte(1);
+            buffer.writeByte(2);
+            buffer.writeByte(3);
+
+            byte[] array = buffer.array();
+            assertEquals(1, array[0]);
+            assertEquals(2, array[1]);
+            assertEquals(3, array[2]);
+            array[0] = 4;
+            assertEquals(4, array[0]);
+
+            byte[] tmp = new byte[3];
+            System.arraycopy(array, 0, tmp, 0, 3);
+            assertEquals(4, tmp[0]);
+            assertEquals(2, tmp[1]);
+            assertEquals(3, tmp[2]);
+
+            tmp = Arrays.copyOf(array, 3);
+            assertEquals(4, tmp[0]);
+            assertEquals(2, tmp[1]);
+            assertEquals(3, tmp[2]);
+
+            tmp = Arrays.copyOfRange(array, 1, 3);
+            assertEquals(2, tmp[0]);
+            assertEquals(3, tmp[1]);
+        } finally {
+            buffer.release();
+        }
+    }
+
     @Test
     public void aload() {
         ByteBuf buffer = ByteBufAllocator.DEFAULT.heapBuffer(16);