(Experimental - Uploading this to get early feedback before a large-scale experiment.)
This patch extends the ChangeBinaryInteger mutator to support overwriting the selected input with predefined integers. The rationale for this heuristic is that a certain byte (word, dword, or qword) overwrite at a specific location (with "magic" integers) in a large input may make an invalid input valid, potentially triggering new neighbor code paths.
Currently, triggering such an overwrite is costly in libFuzzer. The ChangeBinaryInteger mutator may do the same, but only with a low probability, because the chosen byte (word, dword, or qword) must already be an integer ranging from -10 to 10.
CopyPart/CrossOver mutator may also effectively do the same, but only if these predefined integers are found in any of the corpus inputs; even if the corpus inputs do contain the predefined integers, the chances are much narrower because a specific location and a specific width have to be selected.
InsertRepeatedBytes combined with EraseBytes mutators (or other combinations of existing mutators) may eventually trigger the desired change, but still the probability is low, as the probabilities of different mutators multiply.
This patch makes it possible to find the desired input in a single mutation (as tested by the accompanying test - overwrite-bytes.test), effectively increasing the probability of finding the desired input given a corpus input.
Please add a comment saying these are borrowed from AFL.
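As an added illustration (not the patch's or libFuzzer's own code), a standalone C++ sketch of the heuristic described in the summary: one mutation picks a width, an offset, a predefined integer and a byte order, and a constructed toy target counts how often a single mutation turns an all-zero seed into a valid input. The magic-value table, the function names and the toy target are assumptions made here; the patch's actual list (which the reviewer notes is borrowed from AFL) is not reproduced.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <random>
// Constructed table of predefined "magic" integers (an assumption for this
// example, not the patch's list): boundaries that often separate valid from invalid.
static const int64_t kMagicValues[] = {
    0, 1, -1, 16, 32, 64, 100, 127, 128, 255, 256, 512, 1000, 1024, 4096,
    32767, 32768, 65535, 65536, INT32_MAX, INT32_MIN, 0xFFFFFFFFLL};
static const size_t kNumMagic = sizeof(kMagicValues) / sizeof(kMagicValues[0]);
// Overwrite the Width-byte integer at Off with V (truncated to Width bytes),
// little-endian, or byte-swapped when BigEndian is set (ChangeBinaryInteger also
// tries both byte orders). Returns false if the integer would not fit the input.
static bool OverwriteAt(uint8_t *Data, size_t Size, size_t Off, size_t Width,
                        int64_t V, bool BigEndian) {
  if (Width == 0 || Width > 8 || (Width & (Width - 1)) || Off + Width > Size) return false;
  uint64_t U = static_cast<uint64_t>(V);
  uint8_t Bytes[8];
  for (size_t I = 0; I < Width; I++) Bytes[I] = static_cast<uint8_t>(U >> (8 * I));
  if (BigEndian) std::reverse(Bytes, Bytes + Width);
  memcpy(Data + Off, Bytes, Width);
  return true;
}
// The mutator: one random choice each of width, offset, magic value and byte
// order, so a single mutation can place any predefined integer at any location.
static size_t Mutate_OverwriteWithMagic(uint8_t *Data, size_t Size, std::mt19937 &Rng) {
  if (Size == 0) return 0;
  size_t Width = size_t{1} << (Rng() % 4);  // 1, 2, 4 or 8 bytes
  while (Width > Size) Width /= 2;          // shrink until it fits
  size_t Off = Rng() % (Size - Width + 1);
  int64_t V = kMagicValues[Rng() % kNumMagic];
  OverwriteAt(Data, Size, Off, Width, V, Rng() % 2 == 1);
  return Size;
}
// Constructed toy target: the input is "valid" only when the little-endian dword
// at offset 4 equals 4096. Count single mutations of an all-zero seed that hit it.
static size_t CountSingleMutationHits(size_t Trials, uint32_t Seed) {
  static const uint8_t Want[4] = {0x00, 0x10, 0x00, 0x00};  // 4096 little-endian
  std::mt19937 Rng(Seed);
  size_t Hits = 0;
  for (size_t T = 0; T < Trials; T++) {
    uint8_t Buf[16] = {0};
    Mutate_OverwriteWithMagic(Buf, sizeof(Buf), Rng);
    if (memcmp(Buf + 4, Want, sizeof(Want)) == 0) Hits++;
  }
  return Hits;
}
```

With a 16-byte seed the combined choice of width, offset, value and byte order lands on the target in roughly one mutation out of a few hundred, which is the single-step probability the summary contrasts with chaining several existing mutators.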