/*
 *
 * honggfuzz - run->dynfile->datafer mangling routines
 * -----------------------------------------
 *
 * Author:
 * Robert Swiecki <swiecki@google.com>
 *
 * Copyright 2010-2018 by Google Inc. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License. You may obtain
 * a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 *
 */

#include "mangle.h"

#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

#include "input.h"
#include "libhfcommon/common.h"
#include "libhfcommon/log.h"
#include "libhfcommon/util.h"

typedef enum {
    MANGLE_SHRINK = 0,
    MANGLE_EXPAND,
    MANGLE_BIT,
    MANGLE_INC_BYTE,
    MANGLE_DEC_BYTE,
    MANGLE_NEG_BYTE,
    MANGLE_ADD_SUB,
    MANGLE_ARITH8,
    MANGLE_MEM_SET,
    MANGLE_MEM_CLR,
    MANGLE_MEM_SWAP,
    MANGLE_MEM_COPY,
    MANGLE_BLOCK_MOVE,
    MANGLE_BLOCK_REPEAT,
    MANGLE_BLOCK_SWAP,
    MANGLE_CHUNK_SHUFFLE,
    MANGLE_BYTES,
    MANGLE_BYTE_REPEAT,
    MANGLE_RANDOM_BUF,
    MANGLE_INTERESTING_VALUES,
    MANGLE_ASCII_NUM,
    MANGLE_ASCII_NUM_CHANGE,
    MANGLE_MAGIC,
    MANGLE_STATIC_DICT,
    MANGLE_CONST_FEEDBACK_DICT,
    MANGLE_CMP_SOLVE,
    MANGLE_SPLICE,
    MANGLE_CROSS_OVER,
    MANGLE_SPECIAL_STRINGS,
    MANGLE_TLV_MUTATE,
    MANGLE_TOKEN_SHUFFLE,
    MANGLE_GRADIENT_CMP,
    MANGLE_ARITH_CONST,
    MANGLE_DICT_INSERT,
    MANGLE_PUNCTUATION,
    MANGLE_HAVOC,
    MANGLE_COUNT
} mangle_t;

static inline size_t mangle_LenLeft(run_t* run, size_t off) {
    if (off >= run->dynfile->size) {
        LOG_F("Offset is too large: off:%zu >= len:%zu", off, run->dynfile->size);
    }
    return (run->dynfile->size - off - 1);
}

/*
 * Get a random value <1:max>, but prefer smaller ones
 * Based on an idea by https://twitter.com/gamozolabs
 */
static inline size_t mangle_getLen(size_t max) {
    if (max > _HF_INPUT_MAX_SIZE) {
        LOG_F("max (%zu) > _HF_INPUT_MAX_SIZE (%zu)", max, (size_t)_HF_INPUT_MAX_SIZE);
    }
    if (max == 0) {
        LOG_F("max == 0");
    }
    if (max == 1) {
        return 1;
    }

    /* Give 50% chance the the uniform distribution */
    if (util_rnd64() & 1) {
        return (size_t)util_rndGet(1, max);
    }

    /* effectively exprand() */
    return (size_t)util_rndGet(1, util_rndGet(1, max));
}

/* Prefer smaller values here, so use mangle_getLen() */
static inline size_t mangle_getOffSet(run_t* run) {
    return mangle_getLen(run->dynfile->size) - 1;
}

/* Offset which can be equal to the file size */
static inline size_t mangle_getOffSetPlus1(run_t* run) {
    size_t reqlen = HF_MIN(run->dynfile->size + 1, _HF_INPUT_MAX_SIZE);
    return mangle_getLen(reqlen) - 1;
}

static inline void mangle_Move(run_t* run, size_t off_from, size_t off_to, size_t len) {
    if (off_from >= run->dynfile->size) {
        return;
    }
    if (off_to >= run->dynfile->size) {
        return;
    }
    if (off_from == off_to) {
        return;
    }

    size_t len_from = run->dynfile->size - off_from;
    len             = HF_MIN(len, len_from);

    size_t len_to = run->dynfile->size - off_to;
    len           = HF_MIN(len, len_to);

    memmove(&run->dynfile->data[off_to], &run->dynfile->data[off_from], len);
}

static inline void mangle_Overwrite(
    run_t* run, size_t off, const uint8_t* src, size_t len, bool printable) {
    if (len == 0) {
        return;
    }
    size_t maxToCopy = run->dynfile->size - off;
    if (len > maxToCopy) {
        len = maxToCopy;
    }

    memmove(&run->dynfile->data[off], src, len);
    if (printable) {
        util_turnToPrintable(&run->dynfile->data[off], len);
    }
}

static inline size_t mangle_Inflate(run_t* run, size_t off, size_t len, bool printable) {
    if (run->dynfile->size >= run->global->mutate.maxInputSz) {
        return 0;
    }
    if (len > (run->global->mutate.maxInputSz - run->dynfile->size)) {
        len = run->global->mutate.maxInputSz - run->dynfile->size;
    }

    input_setSize(run, run->dynfile->size + len);
    mangle_Move(run, off, off + len, run->dynfile->size);
    if (printable) {
        memset(&run->dynfile->data[off], ' ', len);
    }

    return len;
}

static inline void mangle_Insert(
    run_t* run, size_t off, const uint8_t* val, size_t len, bool printable) {
    len = mangle_Inflate(run, off, len, printable);
    mangle_Overwrite(run, off, val, len, printable);
}

static inline void mangle_UseValue(run_t* run, const uint8_t* val, size_t len, bool printable) {
    if (util_rnd64() & 1) {
        mangle_Overwrite(run, mangle_getOffSet(run), val, len, printable);
    } else {
        mangle_Insert(run, mangle_getOffSetPlus1(run), val, len, printable);
    }
}

#if 0
static inline void mangle_UseValueAt(
    run_t* run, size_t off, const uint8_t* val, size_t len, bool printable) {
    if (util_rnd64() & 1) {
        mangle_Overwrite(run, off, val, len, printable);
    } else {
        mangle_Insert(run, off, val, len, printable);
    }
}
#endif

static void mangle_MemSwap(run_t* run, bool printable HF_ATTR_UNUSED) {
    /* No big deal if those two are overlapping */
    size_t off1    = mangle_getOffSet(run);
    size_t maxlen1 = run->dynfile->size - off1;
    size_t off2    = mangle_getOffSet(run);
    size_t maxlen2 = run->dynfile->size - off2;
    size_t len     = mangle_getLen(HF_MIN(maxlen1, maxlen2));

    if (off1 == off2) {
        return;
    }

    for (size_t i = 0; i < (len / 2); i++) {
        /*
         * First - from the head, next from the tail. Don't worry about layout of the overlapping
         * part - there's no good solution to that, and it can be left somewhat scrambled,
         * while still preserving the entropy
         */
        const uint8_t tmp1                       = run->dynfile->data[off2 + i];
        run->dynfile->data[off2 + i]             = run->dynfile->data[off1 + i];
        run->dynfile->data[off1 + i]             = tmp1;
        const uint8_t tmp2                       = run->dynfile->data[off2 + (len - 1) - i];
        run->dynfile->data[off2 + (len - 1) - i] = run->dynfile->data[off1 + (len - 1) - i];
        run->dynfile->data[off1 + (len - 1) - i] = tmp2;
    }
}

static void mangle_BlockMove(run_t* run, bool printable HF_ATTR_UNUSED) {
    size_t off_from = mangle_getOffSet(run);
    size_t off_to   = mangle_getOffSet(run);
    size_t len      = mangle_getLen(run->dynfile->size);
    mangle_Move(run, off_from, off_to, len);
}

static void mangle_MemCopy(run_t* run, bool printable HF_ATTR_UNUSED) {
    size_t off = mangle_getOffSet(run);
    size_t len = mangle_getLen(run->dynfile->size - off);

    /* Use a temp buf, as Insert/Inflate can change source bytes */
    uint8_t* tmpbuf = (uint8_t*)util_Malloc(len);
    defer {
        free(tmpbuf);
    };
    memmove(tmpbuf, &run->dynfile->data[off], len);

    mangle_UseValue(run, tmpbuf, len, printable);
}

static void mangle_Bytes(run_t* run, bool printable) {
    uint16_t buf;
    if (printable) {
        util_rndBufPrintable((uint8_t*)&buf, sizeof(buf));
    } else {
        buf = util_rnd64();
    }

    /* Overwrite with random 1-2-byte values */
    size_t toCopy = util_rndGet(1, 2);
    mangle_UseValue(run, (const uint8_t*)&buf, toCopy, printable);
}

static void mangle_ByteRepeat(run_t* run, bool printable) {
    size_t off     = mangle_getOffSet(run);
    size_t destOff = off + 1;
    size_t maxSz   = run->dynfile->size - destOff;

    /* No space to repeat */
    if (!maxSz) {
        mangle_Bytes(run, printable);
        return;
    }

    size_t len = mangle_getLen(maxSz);
    if (util_rnd64() & 0x1) {
        len = mangle_Inflate(run, destOff, len, printable);
    }
    memset(&run->dynfile->data[destOff], run->dynfile->data[off], len);
}

static void mangle_Bit(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    run->dynfile->data[off] ^= (uint8_t)(1U << util_rndGet(0, 7));
    if (printable) {
        util_turnToPrintable(&(run->dynfile->data[off]), 1);
    }
}

static const struct {
#if __has_attribute(nonstring)
    const uint8_t val[8] __attribute__((nonstring));
#else
    const uint8_t val[8];
#endif /* __has_attribute(nonstring) */
    const size_t size;
} mangleMagicVals[] = {
    /* 1B - No endianness */
    {"\x00\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x01\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x02\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x03\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x04\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x05\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x06\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x07\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x08\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x09\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x0A\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x0B\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x0C\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x0D\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x0E\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x0F\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x10\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x20\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x40\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x7E\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x7F\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x80\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\x81\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\xC0\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\xFE\x00\x00\x00\x00\x00\x00\x00", 1},
    {"\xFF\x00\x00\x00\x00\x00\x00\x00", 1},
    /* 2B - NE */
    {"\x00\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x01\x01\x00\x00\x00\x00\x00\x00", 2},
    {"\x80\x80\x00\x00\x00\x00\x00\x00", 2},
    {"\xFF\xFF\x00\x00\x00\x00\x00\x00", 2},
    /* 2B - BE */
    {"\x00\x01\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x02\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x03\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x04\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x05\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x06\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x07\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x08\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x09\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x0A\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x0B\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x0C\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x0D\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x0E\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x0F\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x10\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x20\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x40\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x7E\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x7F\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x80\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x81\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\xC0\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\xFE\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\xFF\x00\x00\x00\x00\x00\x00", 2},
    {"\x7E\xFF\x00\x00\x00\x00\x00\x00", 2},
    {"\x7F\xFF\x00\x00\x00\x00\x00\x00", 2},
    {"\x80\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x80\x01\x00\x00\x00\x00\x00\x00", 2},
    {"\xFF\xFE\x00\x00\x00\x00\x00\x00", 2},
    /* 2B - LE */
    {"\x00\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x01\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x02\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x03\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x04\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x05\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x06\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x07\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x08\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x09\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x0A\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x0B\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x0C\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x0D\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x0E\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x0F\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x10\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x20\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x40\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x7E\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x7F\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x80\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\x81\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\xC0\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\xFE\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\xFF\x00\x00\x00\x00\x00\x00\x00", 2},
    {"\xFF\x7E\x00\x00\x00\x00\x00\x00", 2},
    {"\xFF\x7F\x00\x00\x00\x00\x00\x00", 2},
    {"\x00\x80\x00\x00\x00\x00\x00\x00", 2},
    {"\x01\x80\x00\x00\x00\x00\x00\x00", 2},
    {"\xFE\xFF\x00\x00\x00\x00\x00\x00", 2},
    /* 4B - NE */
    {"\x00\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x01\x01\x01\x01\x00\x00\x00\x00", 4},
    {"\x80\x80\x80\x80\x00\x00\x00\x00", 4},
    {"\xFF\xFF\xFF\xFF\x00\x00\x00\x00", 4},
    /* 4B - BE */
    {"\x00\x00\x00\x01\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x02\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x03\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x04\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x05\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x06\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x07\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x08\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x09\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x0A\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x0B\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x0C\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x0D\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x0E\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x0F\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x10\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x20\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x40\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x7E\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x7F\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x80\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x81\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\xC0\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\xFE\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\xFF\x00\x00\x00\x00", 4},
    {"\x7E\xFF\xFF\xFF\x00\x00\x00\x00", 4},
    {"\x7F\xFF\xFF\xFF\x00\x00\x00\x00", 4},
    {"\x80\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x80\x00\x00\x01\x00\x00\x00\x00", 4},
    {"\xFF\xFF\xFF\xFE\x00\x00\x00\x00", 4},
    /* 4B - LE */
    {"\x00\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x01\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x02\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x03\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x04\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x05\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x06\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x07\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x08\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x09\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x0A\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x0B\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x0C\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x0D\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x0E\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x0F\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x10\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x20\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x40\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x7E\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x7F\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x80\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\x81\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\xC0\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\xFE\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\xFF\x00\x00\x00\x00\x00\x00\x00", 4},
    {"\xFF\xFF\xFF\x7E\x00\x00\x00\x00", 4},
    {"\xFF\xFF\xFF\x7F\x00\x00\x00\x00", 4},
    {"\x00\x00\x00\x80\x00\x00\x00\x00", 4},
    {"\x01\x00\x00\x80\x00\x00\x00\x00", 4},
    {"\xFE\xFF\xFF\xFF\x00\x00\x00\x00", 4},
    /* 8B - NE */
    {"\x00\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x01\x01\x01\x01\x01\x01\x01\x01", 8},
    {"\x80\x80\x80\x80\x80\x80\x80\x80", 8},
    {"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
    /* 8B - BE */
    {"\x00\x00\x00\x00\x00\x00\x00\x01", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x02", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x03", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x04", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x05", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x06", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x07", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x08", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x09", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x0A", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x0B", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x0C", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x0D", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x0E", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x0F", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x10", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x20", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x40", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x7E", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x7F", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x80", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x81", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\xC0", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\xFE", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\xFF", 8},
    {"\x7E\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
    {"\x7F\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
    {"\x80\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x80\x00\x00\x00\x00\x00\x00\x01", 8},
    {"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFE", 8},
    /* 8B - LE */
    {"\x00\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x01\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x02\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x03\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x04\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x05\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x06\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x07\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x08\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x09\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x0A\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x0B\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x0C\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x0D\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x0E\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x0F\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x10\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x20\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x40\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x7E\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x7F\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x80\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\x81\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\xC0\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\xFE\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\xFF\x00\x00\x00\x00\x00\x00\x00", 8},
    {"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7E", 8},
    {"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7F", 8},
    {"\x00\x00\x00\x00\x00\x00\x00\x80", 8},
    {"\x01\x00\x00\x00\x00\x00\x00\x80", 8},
    {"\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
};

static void mangle_Magic(run_t* run, bool printable) {
    uint64_t choice = util_rndGet(0, ARRAYSIZE(mangleMagicVals) - 1);
    mangle_UseValue(run, mangleMagicVals[choice].val, mangleMagicVals[choice].size, printable);
}

static inline const uint8_t* mangle_FeedbackDict(run_t* run, size_t* len) {
    fuzz_data_t* cmpf = run->global->feedback.cmpFeedbackMap;
    uint32_t     cnt  = ATOMIC_GET(cmpf->dictCnt);
    if (cnt > 0) {
        uint32_t max_idx = HF_MIN(cnt, ARRAYSIZE(cmpf->dict));
        uint32_t choice  = util_rndGet(0, max_idx - 1);
        *len             = (size_t)ATOMIC_GET(cmpf->dict[choice].len);
        if (*len > 0) {
            return cmpf->dict[choice].val;
        }
    }

    return NULL;
}

static void mangle_StaticDict(run_t* run, bool printable) {
    size_t         len;
    const uint8_t* val = mangle_FeedbackDict(run, &len);
    if (val == NULL) {
        mangle_Bytes(run, printable);
        return;
    }

    /* 10% of time, for sizes 2/4/8, use bswap'd value */
    uint8_t buf[8];
    if ((len == 2 || len == 4 || len == 8) && util_rndGet(0, 9) == 0) {
        memcpy(buf, val, len);
        if (len == 2) {
            uint16_t v;
            memcpy(&v, buf, sizeof(v));
            v = __builtin_bswap16(v);
            memcpy(buf, &v, sizeof(v));
        } else if (len == 4) {
            uint32_t v;
            memcpy(&v, buf, sizeof(v));
            v = __builtin_bswap32(v);
            memcpy(buf, &v, sizeof(v));
        } else {
            uint64_t v;
            memcpy(&v, buf, sizeof(v));
            v = __builtin_bswap64(v);
            memcpy(buf, &v, sizeof(v));
        }
        val = buf;
    }

    mangle_UseValue(run, val, len, printable);
}

static void mangle_ConstFeedbackDict(run_t* run, bool printable) {
    mangle_StaticDict(run, printable);
}

static void mangle_MemSet(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    size_t len = mangle_getLen(run->dynfile->size - off);
    int    val = printable ? (int)util_rndPrintable() : (int)util_rndGet(0, UINT8_MAX);

    if (util_rnd64() & 1) {
        len = mangle_Inflate(run, off, len, printable);
    }

    memset(&run->dynfile->data[off], val, len);
}

static void mangle_MemClr(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    size_t len = mangle_getLen(run->dynfile->size - off);
    int    val = printable ? ' ' : 0;

    if (util_rnd64() & 1) {
        len = mangle_Inflate(run, off, len, printable);
    }

    memset(&run->dynfile->data[off], val, len);
}

static void mangle_RandomBuf(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    size_t len = mangle_getLen(run->dynfile->size - off);

    if (util_rnd64() & 1) {
        len = mangle_Inflate(run, off, len, printable);
    }

    if (printable) {
        util_rndBufPrintable(&run->dynfile->data[off], len);
    } else {
        util_rndBuf(&run->dynfile->data[off], len);
    }
}

static inline void mangle_AddSubWithRange(
    run_t* run, size_t off, size_t varLen, uint64_t range, bool printable) {
    int64_t delta = (int64_t)util_rndGet(0, range * 2) - (int64_t)range;

    switch (varLen) {
    case 1: {
        run->dynfile->data[off] += delta;
        break;
    }
    case 2: {
        int16_t val;
        util_memcpyInline(&val, &run->dynfile->data[off], sizeof(val));
        if (util_rnd64() & 0x1) {
            val += delta;
        } else {
            /* Foreign endianess */
            val = __builtin_bswap16(val);
            val += delta;
            val = __builtin_bswap16(val);
        }
        mangle_Overwrite(run, off, (uint8_t*)&val, varLen, printable);
        break;
    }
    case 4: {
        int32_t val;
        util_memcpyInline(&val, &run->dynfile->data[off], sizeof(val));
        if (util_rnd64() & 0x1) {
            val += delta;
        } else {
            /* Foreign endianess */
            val = __builtin_bswap32(val);
            val += delta;
            val = __builtin_bswap32(val);
        }
        mangle_Overwrite(run, off, (uint8_t*)&val, varLen, printable);
        break;
    }
    case 8: {
        int64_t val;
        util_memcpyInline(&val, &run->dynfile->data[off], sizeof(val));
        if (util_rnd64() & 0x1) {
            val += delta;
        } else {
            /* Foreign endianess */
            val = __builtin_bswap64(val);
            val += delta;
            val = __builtin_bswap64(val);
        }
        mangle_Overwrite(run, off, (uint8_t*)&val, varLen, printable);
        break;
    }
    default: {
        LOG_F("Unknown variable length size: %zu", varLen);
    }
    }
}

static void mangle_AddSub(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);

    /* 1,2,4,8 */
    size_t varLen = 1U << util_rndGet(0, 3);
    if ((run->dynfile->size - off) < varLen) {
        varLen = 1;
    }

    /* Ranges relative to the width of the type */
    const uint64_t range8Bit  = 16;
    const uint64_t range16Bit = 4096;
    const uint64_t range32Bit = 1048576;
    const uint64_t range64Bit = 268435456;

    uint64_t range;
    switch (varLen) {
    case 1:
        range = range8Bit;
        break;
    case 2:
        range = range16Bit;
        break;
    case 4:
        range = range32Bit;
        break;
    case 8:
        range = range64Bit;
        break;
    default:
        LOG_F("Invalid operand size: %zu", varLen);
    }

    mangle_AddSubWithRange(run, off, varLen, range, printable);
}

static void mangle_IncByte(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    if (printable) {
        run->dynfile->data[off] = (run->dynfile->data[off] - 32 + 1) % 95 + 32;
    } else {
        run->dynfile->data[off] += (uint8_t)1UL;
    }
}

static void mangle_DecByte(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    if (printable) {
        run->dynfile->data[off] = (run->dynfile->data[off] - 32 + 94) % 95 + 32;
    } else {
        run->dynfile->data[off] -= (uint8_t)1UL;
    }
}

static void mangle_NegByte(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    if (printable) {
        run->dynfile->data[off] = 94 - (run->dynfile->data[off] - 32) + 32;
    } else {
        run->dynfile->data[off] = ~(run->dynfile->data[off]);
    }
}

static void mangle_Expand(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    size_t len;
    if (util_rnd64() % 16) {
        len = mangle_getLen(HF_MIN(16, run->global->mutate.maxInputSz - off));
    } else {
        len = mangle_getLen(run->global->mutate.maxInputSz - off);
    }

    mangle_Inflate(run, off, len, printable);
}

static void mangle_Shrink(run_t* run, bool printable HF_ATTR_UNUSED) {
    if (run->dynfile->size <= 2U) {
        return;
    }

    size_t off_start = mangle_getOffSet(run);
    size_t len       = mangle_LenLeft(run, off_start);
    if (len == 0) {
        return;
    }
    if (util_rnd64() % 16) {
        len = mangle_getLen(HF_MIN(16, len));
    } else {
        len = mangle_getLen(len);
    }
    size_t off_end     = off_start + len;
    size_t len_to_move = run->dynfile->size - off_end;

    mangle_Move(run, off_end, off_start, len_to_move);
    input_setSize(run, run->dynfile->size - len);
}

static void mangle_ASCIINum(run_t* run, bool printable) {
    size_t len = util_rndGet(2, 8);

    char buf[20];
    snprintf(buf, sizeof(buf), "%-19" PRId64, (int64_t)util_rnd64());

    mangle_UseValue(run, (const uint8_t*)buf, len, printable);
}

static void mangle_ASCIINumChange(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);

    /* Find a digit */
    for (; off < run->dynfile->size; off++) {
        if (isdigit(run->dynfile->data[off])) {
            break;
        }
    }
    size_t left = run->dynfile->size - off;
    if (left == 0) {
        return;
    }

    size_t   len = 0;
    uint64_t val = 0;
    /* 20 is maximum lenght of a string representing a 64-bit unsigned value */
    for (len = 0; (len < 20) && (len < left); len++) {
        char c = run->dynfile->data[off + len];
        if (!isdigit(c)) {
            break;
        }
        val *= 10;
        val += (c - '0');
    }

    enum { OP_INC = 0, OP_DEC, OP_MUL, OP_DIV, OP_RND, OP_ADD_RND, OP_SUB_RND, OP_NOT, OP_COUNT };

    switch (util_rndGet(0, OP_COUNT - 1)) {
    case OP_INC:
        val++;
        break;
    case OP_DEC:
        val--;
        break;
    case OP_MUL:
        val *= 2;
        break;
    case OP_DIV:
        val /= 2;
        break;
    case OP_RND:
        val = util_rnd64();
        break;
    case OP_ADD_RND:
        val += util_rndGet(1, 256);
        break;
    case OP_SUB_RND:
        val -= util_rndGet(1, 256);
        break;
    case OP_NOT:
        val = ~(val);
        break;
    default:
        LOG_F("Invalid choice");
    };

    char buf[64];
    snprintf(buf, sizeof(buf), "%" PRIu64, val);
    size_t new_len = strlen(buf);

    if (util_rnd64() & 1) {
        mangle_Insert(run, off, (const uint8_t*)buf, new_len, printable);
    } else {
        if (new_len == len) {
            mangle_Overwrite(run, off, (const uint8_t*)buf, new_len, printable);
        } else if (new_len > len) {
            mangle_Inflate(run, off + len, new_len - len, printable);
            mangle_Overwrite(run, off, (const uint8_t*)buf, new_len, printable);
        } else {
            mangle_Overwrite(run, off, (const uint8_t*)buf, new_len, printable);
            mangle_Move(run, off + len, off + new_len, run->dynfile->size - (off + len));
            input_setSize(run, run->dynfile->size - (len - new_len));
        }
    }
}

static void mangle_Splice(run_t* run, bool printable) {
    if (run->global->feedback.dynFileMethod == _HF_DYNFILE_NONE) {
        mangle_Bytes(run, printable);
        return;
    }

    size_t         sz  = 0;
    const uint8_t* buf = input_getRandomInputAsBuf(run, &sz);
    if (!buf) {
        LOG_E("input_getRandomInputAsBuf() returned no input");
        mangle_Bytes(run, printable);
        return;
    }
    if (!sz) {
        mangle_Bytes(run, printable);
        return;
    }

    size_t remoteOff = mangle_getLen(sz) - 1;
    size_t len       = mangle_getLen(sz - remoteOff);
    mangle_UseValue(run, &buf[remoteOff], len, printable);
}

static void mangle_Resize(run_t* run, bool printable) {
    ssize_t oldsz = run->dynfile->size;
    ssize_t newsz = 0;

    /* Probability distribution (out of 32)
     *   0:     arbitrary size (1/32)
     *   1-4:   small increase (4/32)
     *   5:     large increase (1/32)
     *   6-9:   small decrease (4/32)
     *   10:    large decrease (1/32)
     *   11-32: no change (21/32)
     */
    uint64_t choice = util_rndGet(0, 32);
    switch (choice) {
    case 0: /* Set new size arbitrarily */
        newsz = (ssize_t)util_rndGet(1, run->global->mutate.maxInputSz);
        break;
    case 1 ... 4: /* Increase size by a small value */
        newsz = oldsz + (ssize_t)util_rndGet(0, 8);
        break;
    case 5: /* Increase size by a larger value */
        newsz = oldsz + (ssize_t)util_rndGet(9, 128);
        break;
    case 6 ... 9: /* Decrease size by a small value */
        newsz = oldsz - (ssize_t)util_rndGet(0, 8);
        break;
    case 10: /* Decrease size by a larger value */
        newsz = oldsz - (ssize_t)util_rndGet(9, 128);
        break;
    default: /* Do nothing */
        newsz = oldsz;
        break;
    }
    if (newsz < 1) {
        newsz = 1;
    }
    if (newsz > (ssize_t)run->global->mutate.maxInputSz) {
        newsz = run->global->mutate.maxInputSz;
    }

    input_setSize(run, (size_t)newsz);
    if (newsz > oldsz) {
        if (printable) {
            memset(&run->dynfile->data[oldsz], ' ', newsz - oldsz);
        }
    }
}

static void mangle_BlockRepeat(run_t* run, bool printable) {
    size_t off = mangle_getOffSet(run);
    size_t len = mangle_getLen(run->dynfile->size - off);

    len = HF_MIN(len, 1024);

    uint8_t* tmp = util_Malloc(len);
    defer {
        free(tmp);
    };
    memcpy(tmp, run->dynfile->data + off, len);

    size_t repeats = 0;
    /* 1/16 chance to repeat a LOT - useful for buffer overflows */
    if (util_rnd64() % 16 == 0) {
        repeats = util_rndGet(16, 256);
    } else {
        repeats = util_rndGet(1, 16);
    }

    size_t total_add = len * repeats;
    size_t added     = mangle_Inflate(run, off + len, total_add, printable);

    for (size_t i = 0; i < added; i += len) {
        size_t copy_len = HF_MIN(len, added - i);
        memcpy(run->dynfile->data + off + len + i, tmp, copy_len);
    }
}

static void mangle_BlockSwap(run_t* run, bool printable HF_ATTR_UNUSED) {
    if (run->dynfile->size < 8) return;

    size_t max_len = run->dynfile->size / 4;
    if (max_len < 1) return;
    size_t len = util_rndGet(1, HF_MIN(max_len, 256));

    size_t space = run->dynfile->size - len * 2;
    if (space < 1) return;

    size_t off1 = util_rndGet(0, space);
    size_t gap  = run->dynfile->size - off1 - len * 2;
    size_t off2 = off1 + len + (gap > 0 ? util_rndGet(0, gap) : 0);

    if (off2 + len > run->dynfile->size) return;

    uint8_t* tmp = util_Malloc(len);
    defer {
        free(tmp);
    };

    memcpy(tmp, run->dynfile->data + off1, len);
    memmove(run->dynfile->data + off1, run->dynfile->data + off2, len);
    memcpy(run->dynfile->data + off2, tmp, len);
}

static void mangle_CmpSolve(run_t* run, bool printable) {
    size_t         cmp_len;
    const uint8_t* cmp_val_ptr = mangle_FeedbackDict(run, &cmp_len);
    if (cmp_val_ptr == NULL) {
        mangle_Magic(run, printable);
        return;
    }

    if (cmp_len == 0 || cmp_len > 32) {
        mangle_Magic(run, printable);
        return;
    }

    uint8_t cmp_val[32];
    memcpy(cmp_val, cmp_val_ptr, cmp_len);

    /* Find partial match in input */
    for (size_t off = 0; off + cmp_len <= run->dynfile->size; off++) {
        size_t matches = 0;
        for (size_t i = 0; i < cmp_len; i++) {
            if (run->dynfile->data[off + i] == cmp_val[i]) matches++;
        }

        if (matches > 0 && matches < cmp_len) {
            /* Gradient - 50% exact, 25% val+1, 25% val-1 */
            uint64_t r = util_rndGet(0, 3);
            if (r == 1 && cmp_len <= 8) {
                /* Increment as little-endian integer */
                for (size_t i = 0; i < cmp_len; i++) {
                    if (++cmp_val[i] != 0) break;
                }
            } else if (r == 2 && cmp_len <= 8) {
                /* Decrement as little-endian integer */
                for (size_t i = 0; i < cmp_len; i++) {
                    if (cmp_val[i]-- != 0) break;
                }
            }
            mangle_Overwrite(run, off, cmp_val, cmp_len, printable);
            return;
        }
    }

    mangle_UseValue(run, cmp_val, cmp_len, printable);
}

static void mangle_InterestingValues(run_t* run, bool printable) {
    static const struct {
        const uint8_t val[8];
        const size_t  len;
    } interestingVals[] = {
        /* 8-bit */
        {{0x00}, 1},
        {{0x01}, 1},
        {{0x7f}, 1},
        {{0x80}, 1},
        {{0xff}, 1},

        /* 16-bit */
        {{0x7f, 0xff}, 2},
        {{0x80, 0x00}, 2},
        {{0xff, 0xff}, 2},
        {{0x00, 0x01}, 2},
        {{0x00, 0x00}, 2},

        /* 32-bit */
        {{0x7f, 0xff, 0xff, 0xff}, 4},
        {{0x80, 0x00, 0x00, 0x00}, 4},
        {{0xff, 0xff, 0xff, 0xff}, 4},
        {{0x00, 0x00, 0x00, 0x01}, 4},
        {{0x00, 0x00, 0x00, 0x00}, 4},

        /* 64-bit */
        {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 8},
        {{0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 8},
        {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 8},
        {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, 8},
        {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 8},
    };

    size_t choice = util_rndGet(0, ARRAYSIZE(interestingVals) - 1);
    mangle_UseValue(run, interestingVals[choice].val, interestingVals[choice].len, printable);
}

static void mangle_SpecialStrings(run_t* run, bool printable) {
    static const char* const strings[] = {
        /* Format strings */
        "%s",
        "%n",
        "%x",
        "%p",
        "%9999999s",
        "%08x",
        /* SQL Injection / Quote imbalance */
        "'",
        "\"",
        "`",
        "1=1",
        "--",
        "/*",
        "*/",
        " OR ",
        " AND ",
        "UNION SELECT",
        /* Path */
        "../",
        "..\\",
        "../../../../../../../../etc/passwd",
        "boot.ini",
        "/bin/sh",
        /* XML/HTML */
        "<",
        ">",
        "<script>",
        "javascript:",
        "CDATA",
        "<!--",
        "-->",
        /* JSON/Misc */
        "null",
        "true",
        "false",
        "NaN",
        "Infinity",
        "undefined",
        "{}",
        "[]",
        /* Command Injection */
        "|",
        ";",
        "`",
        "$(",
        "&&",
        "||",
        /* Terminator/Separators */
        "\n",
        "\r\n",
        "\x00",
        "\xff",
    };

    const char* val = strings[util_rndGet(0, ARRAYSIZE(strings) - 1)];
    mangle_UseValue(run, (const uint8_t*)val, strlen(val), printable);
}

static void mangle_ChunkShuffle(run_t* run, bool printable HF_ATTR_UNUSED) {
    if (run->dynfile->size < 8) return;

    size_t chunk_size = util_rndGet(1, 4);
    size_t num_chunks = run->dynfile->size / chunk_size;
    if (num_chunks < 2) return;

    size_t max_swaps = num_chunks / 2;
    if (max_swaps < 1) max_swaps = 1;
    size_t swaps = util_rndGet(1, max_swaps);
    for (size_t s = 0; s < swaps; s++) {
        size_t i = util_rndGet(0, num_chunks - 1);
        size_t j = util_rndGet(0, num_chunks - 1);
        if (i == j) continue;

        for (size_t k = 0; k < chunk_size; k++) {
            uint8_t tmp                            = run->dynfile->data[i * chunk_size + k];
            run->dynfile->data[i * chunk_size + k] = run->dynfile->data[j * chunk_size + k];
            run->dynfile->data[j * chunk_size + k] = tmp;
        }
    }
}

static void mangle_Arith8(run_t* run, bool printable) {
    size_t off              = mangle_getOffSet(run);
    int8_t delta            = (int8_t)util_rndGet(1, 35) * (util_rnd64() & 1 ? 1 : -1);
    run->dynfile->data[off] = (uint8_t)((int8_t)run->dynfile->data[off] + delta);
    if (printable) {
        util_turnToPrintable(&run->dynfile->data[off], 1);
    }
}

/*
 * TLV (Tag-Length-Value) mutation - detects length fields and mutates them
 * Common in binary protocols, ASN.1, network packets, file formats
 */
static void mangle_TlvMutate(run_t* run, bool printable) {
    if (run->dynfile->size < 4) {
        mangle_Bytes(run, printable);
        return;
    }

    /* Scan for potential length fields: byte that matches distance to some boundary */
    /* Limit scan to first 4KB or 10% of file to avoid O(N) penalty on large inputs */
    size_t scan_limit = HF_MIN(run->dynfile->size - 2, 4096);
    if (run->dynfile->size > 40960) {
        scan_limit = HF_MAX(scan_limit, run->dynfile->size / 10);
    }

    for (size_t off = 0; off < scan_limit; off++) {
        uint8_t  b1       = run->dynfile->data[off];
        uint16_t b2       = 0;
        size_t   len_size = 1;

        if (off + 1 < run->dynfile->size) {
            b2       = (uint16_t)run->dynfile->data[off] << 8 | run->dynfile->data[off + 1];
            len_size = 2;
        }

        /* Check if b1 or b2 could be a length field pointing within remaining data */
        size_t remaining = run->dynfile->size - off - 1;
        bool   found     = false;

        if (b1 > 0 && b1 <= remaining) {
            /* 1-byte length field candidate */
            found    = true;
            len_size = 1;
        } else if (len_size == 2 && b2 > 0 && b2 <= remaining && b2 < run->dynfile->size) {
            /* 2-byte length field candidate (big-endian) */
            found = true;
        }

        /* Found a candidate - mutate it with 1/8 probability */
        if (found && util_rnd64() % 8 == 0) {
            /* Mutate the length field */
            uint8_t mutations[] = {
                0x00,                              /* Zero length */
                0x01,                              /* Minimal */
                0x7f,                              /* Max signed byte */
                0x80,                              /* Min negative as signed */
                0xff,                              /* Max byte */
                (uint8_t)(remaining & 0xff),       /* Exact remaining */
                (uint8_t)((remaining + 1) & 0xff), /* Off by one */
                (uint8_t)((remaining * 2) & 0xff), /* Double */
            };
            uint8_t new_len         = mutations[util_rndGet(0, ARRAYSIZE(mutations) - 1)];
            run->dynfile->data[off] = new_len;
            if (printable) {
                util_turnToPrintable(&run->dynfile->data[off], 1);
            }
            return;
        }
    }

    /* Fallback: insert a TLV-like structure */
    uint8_t tlv[4] = {
        (uint8_t)util_rndGet(0, 255), /* Tag */
        (uint8_t)util_rndGet(1, 16),  /* Length */
        (uint8_t)util_rndGet(0, 255), /* Value byte 1 */
        (uint8_t)util_rndGet(0, 255), /* Value byte 2 */
    };
    mangle_UseValue(run, tlv, sizeof(tlv), printable);
}

/*
 * Token-based mutation - split on common delimiters and shuffle/modify tokens
 * Effective for text protocols, config files, command lines
 */
static void mangle_TokenShuffle(run_t* run, bool printable HF_ATTR_UNUSED) {
    if (run->dynfile->size < 4) return;

    /* Find delimiter positions */
    static const char delims[] = " \t\n\r,;:|/\\=&?";
    size_t            token_starts[64];
    size_t            token_cnt = 0;

    token_starts[token_cnt++] = 0;
    for (size_t i = 0; i < run->dynfile->size && token_cnt < ARRAYSIZE(token_starts) - 1; i++) {
        for (size_t d = 0; d < sizeof(delims) - 1; d++) {
            if (run->dynfile->data[i] == (uint8_t)delims[d]) {
                if (i + 1 < run->dynfile->size) {
                    token_starts[token_cnt++] = i + 1;
                }
                break;
            }
        }
    }

    if (token_cnt < 2) return;

    /* Swap two random tokens */
    size_t idx1 = util_rndGet(0, token_cnt - 2);
    size_t idx2 = util_rndGet(idx1 + 1, token_cnt - 1);

    size_t start1 = token_starts[idx1];
    size_t end1   = token_starts[idx1 + 1];
    size_t start2 = token_starts[idx2];
    size_t end2   = (idx2 + 1 < token_cnt) ? token_starts[idx2 + 1] : run->dynfile->size;

    size_t len1 = end1 - start1;
    size_t len2 = end2 - start2;

    if (len1 == 0 || len2 == 0 || len1 > 256 || len2 > 256) return;

    /* Simple swap: copy both tokens, then write back swapped */
    uint8_t* tmp1 = util_Malloc(len1);
    defer {
        free(tmp1);
    };
    uint8_t* tmp2 = util_Malloc(len2);
    defer {
        free(tmp2);
    };

    memcpy(tmp1, &run->dynfile->data[start1], len1);
    memcpy(tmp2, &run->dynfile->data[start2], len2);

    /* If same length, simple swap */
    if (len1 == len2) {
        memcpy(&run->dynfile->data[start1], tmp2, len2);
        memcpy(&run->dynfile->data[start2], tmp1, len1);
    }
    /* Different lengths - move middle block then insert tokens */
    else {
        /*
         * Layout: [Prefix][Token1][Middle][Token2][Suffix]
         * Want:   [Prefix][Token2][Middle][Token1][Suffix]
         *
         * 1. Copy Token2 to Start1
         * 2. Move Middle from End1 to Start1+Len2
         * 3. Copy Token1 to Start1+Len2+MiddleLen
         */

        size_t mid_len = start2 - end1;

        /* Step 2: Move Middle first (using memmove for safety) */
        /* Dest: start1 + len2. Src: end1 (which is start1+len1). Len: mid_len */
        memmove(&run->dynfile->data[start1 + len2], &run->dynfile->data[end1], mid_len);

        /* Step 1: Copy Token2 */
        memcpy(&run->dynfile->data[start1], tmp2, len2);

        /* Step 3: Copy Token1 */
        /* Dest: start1 + len2 + mid_len */
        memcpy(&run->dynfile->data[start1 + len2 + mid_len], tmp1, len1);
    }
}

/*
 * Gradient-guided CMP mutation - focus mutations on bytes that differ in comparisons
 */
static void mangle_GradientCmp(run_t* run, bool printable) {
    size_t         cmp_len;
    const uint8_t* cmp_val_ptr = mangle_FeedbackDict(run, &cmp_len);
    if (cmp_val_ptr == NULL) {
        mangle_Bytes(run, printable);
        return;
    }

    if (cmp_len == 0 || cmp_len > 32) {
        mangle_Magic(run, printable);
        return;
    }

    uint8_t cmp_val[32];
    memcpy(cmp_val, cmp_val_ptr, cmp_len);

    /* Find partial match and identify differing bytes */
    for (size_t off = 0; off + cmp_len <= run->dynfile->size; off++) {
        size_t  matches    = 0;
        size_t  first_diff = cmp_len;
        uint8_t diff_mask  = 0;

        for (size_t i = 0; i < cmp_len; i++) {
            if (run->dynfile->data[off + i] == cmp_val[i]) {
                matches++;
            } else if (first_diff == cmp_len) {
                first_diff = i;
                diff_mask  = run->dynfile->data[off + i] ^ cmp_val[i];
            }
        }

        /* If we have partial progress, focus on the differing byte */
        if (matches > 0 && matches < cmp_len && first_diff < cmp_len) {
            size_t target_off = off + first_diff;

            /* Gradient strategies */
            uint64_t strategy = util_rndGet(0, 5);
            switch (strategy) {
            case 0: /* Set to expected value */
                run->dynfile->data[target_off] = cmp_val[first_diff];
                break;
            case 1: /* Flip differing bits */
                run->dynfile->data[target_off] ^= diff_mask;
                break;
            case 2: /* Increment toward target */
                if (run->dynfile->data[target_off] < cmp_val[first_diff]) {
                    run->dynfile->data[target_off]++;
                } else {
                    run->dynfile->data[target_off]--;
                }
                break;
            case 3: /* Binary search toward target */
                run->dynfile->data[target_off] =
                    (run->dynfile->data[target_off] + cmp_val[first_diff]) / 2;
                break;
            case 4: /* Set entire comparison value */
                mangle_Overwrite(run, off, cmp_val, cmp_len, printable);
                return;
            case 5: /* Flip single bit in differing byte */
                run->dynfile->data[target_off] ^= (1U << util_rndGet(0, 7));
                break;
            }

            if (printable) {
                util_turnToPrintable(&run->dynfile->data[target_off], 1);
            }
            return;
        }
    }

    /* No partial match found - insert the value */
    mangle_UseValue(run, cmp_val, cmp_len, printable);
}

/*
 * Arithmetic mutations on discovered constants from CMP feedback
 */
static void mangle_ArithConst(run_t* run, bool printable) {
    size_t         val_len;
    const uint8_t* val_ptr = mangle_FeedbackDict(run, &val_len);
    if (val_ptr == NULL) {
        mangle_AddSub(run, printable);
        return;
    }

    if (val_len == 0 || val_len > 8) {
        mangle_AddSub(run, printable);
        return;
    }

    /* Extract value as integer */
    uint64_t val = 0;
    for (size_t i = 0; i < val_len; i++) {
        val |= ((uint64_t)val_ptr[i]) << (i * 8);
    }

    /* Apply arithmetic mutation */
    uint64_t op = util_rndGet(0, 7);
    switch (op) {
    case 0:
        val += 1;
        break;
    case 1:
        val -= 1;
        break;
    case 2:
        val *= 2;
        break;
    case 3:
        val /= 2;
        break;
    case 4:
        val ^= 0xff;
        break; /* Flip low byte */
    case 5:
        val = ~val;
        break; /* Bitwise NOT */
    case 6:
        val = __builtin_bswap64(val) >> ((8 - val_len) * 8);
        break; /* Byte swap */
    case 7:
        val += util_rndGet(1, 256);
        break;
    }

    /* Convert back to bytes */
    uint8_t result[8];
    for (size_t i = 0; i < val_len; i++) {
        result[i] = (uint8_t)(val >> (i * 8));
    }

    mangle_UseValue(run, result, val_len, printable);
}

static void mangle_DictionaryInsert(run_t* run, bool printable) {
    size_t         len1;
    const uint8_t* val1 = mangle_FeedbackDict(run, &len1);
    if (val1 == NULL) {
        mangle_Bytes(run, printable);
        return;
    }

    size_t         len2;
    const uint8_t* val2 = mangle_FeedbackDict(run, &len2);
    if (val2 == NULL) {
        mangle_Bytes(run, printable);
        return;
    }

    const char* separators[] = {
        "", " ", "\t", "\n", "\r\n", ",", ";", ":", "=", "&", "|", "(", ")", ".", "\"", "'"};
    size_t      sep_idx = util_rndGet(0, ARRAYSIZE(separators) - 1);
    const char* sep     = separators[sep_idx];
    size_t      sep_len = strlen(sep);

    size_t total_len = len1 + sep_len + len2;

    uint8_t* buf = util_Malloc(total_len);
    defer {
        free(buf);
    };

    memcpy(buf, val1, len1);
    memcpy(buf + len1, sep, sep_len);
    memcpy(buf + len1 + sep_len, val2, len2);

    mangle_UseValue(run, buf, total_len, printable);
}

static void mangle_Punctuation(run_t* run, bool printable) {
    static const char punct[] = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
    size_t            len     = util_rndGet(1, 4);
    uint8_t           buf[4];

    for (size_t i = 0; i < len && i < sizeof(buf); i++) {
        buf[i] = (uint8_t)punct[util_rndGet(0, sizeof(punct) - 2)];
    }

    mangle_UseValue(run, buf, len, printable);
}

static void mangle_CrossOver(run_t* run, bool printable) {
    if (run->global->feedback.dynFileMethod == _HF_DYNFILE_NONE) {
        mangle_Bytes(run, printable);
        return;
    }

    if (run->dynfile->size < 2) {
        mangle_Bytes(run, printable);
        return;
    }

    /* Use diverse input selection for better coverage combination */
    size_t         other_sz = 0;
    const uint8_t* other    = input_getDiverseInputAsBuf(run, &other_sz);
    if (!other || other_sz == 0) {
        mangle_Bytes(run, printable);
        return;
    }

    size_t crossover_point = util_rndGet(1, run->dynfile->size - 1);
    size_t other_point     = util_rndGet(0, other_sz - 1);
    size_t copy_len        = HF_MIN(run->dynfile->size - crossover_point, other_sz - other_point);

    if (copy_len > 0) {
        mangle_Overwrite(run, crossover_point, &other[other_point], copy_len, printable);
    }
}

/*
 * Havoc mode - used when fuzzing is stagnating to escape local minima
 */
static void mangle_Havoc(run_t* run, bool printable) {
    /* Number of mutations: 16-128 */
    size_t num_mutations = util_rndGet(16, 128);

    for (size_t i = 0; i < num_mutations; i++) {
        /* Pick a random simple mutation */
        uint64_t choice = util_rndGet(0, 21);
        switch (choice) {
        case 0:
            mangle_Bit(run, printable);
            break;
        case 1:
            mangle_IncByte(run, printable);
            break;
        case 2:
            mangle_DecByte(run, printable);
            break;
        case 3:
            mangle_NegByte(run, printable);
            break;
        case 4:
            mangle_Bytes(run, printable);
            break;
        case 5:
            mangle_Magic(run, printable);
            break;
        case 6:
            mangle_AddSub(run, printable);
            break;
        case 7:
            mangle_MemSet(run, printable);
            break;
        case 8:
            mangle_MemSwap(run, printable);
            break;
        case 9:
            mangle_MemCopy(run, printable);
            break;
        case 10:
            mangle_Expand(run, printable);
            break;
        case 11:
            mangle_Shrink(run, printable);
            break;
        case 12:
            mangle_Arith8(run, printable);
            break;
        case 13:
            mangle_BlockMove(run, printable);
            break;
        case 14:
            mangle_ByteRepeat(run, printable);
            break;
        case 15:
            mangle_RandomBuf(run, printable);
            break;
        case 16:
            mangle_StaticDict(run, printable);
            break;
        case 17:
            mangle_ConstFeedbackDict(run, printable);
            break;
        case 18:
            mangle_DictionaryInsert(run, printable);
            break;
        case 19:
            mangle_CmpSolve(run, printable);
            break;
        case 20:
            mangle_Splice(run, printable);
            break;
        case 21:
            mangle_CrossOver(run, printable);
            break;
        }
    }
}

/*
 * Mutation scheduling
 */

typedef enum { TIER_DATA = 0, TIER_ARITH = 1, TIER_SPLICE = 2, TIER_OTHER = 3 } tier_t;

/* Mutation tier arrays - shared between picker and stagnation booster */
static const mangle_t tierData[] = {
    MANGLE_INTERESTING_VALUES,
    MANGLE_MAGIC,
    MANGLE_STATIC_DICT,
    MANGLE_CONST_FEEDBACK_DICT,
    MANGLE_CMP_SOLVE,
    MANGLE_SPECIAL_STRINGS,
    MANGLE_GRADIENT_CMP,
    MANGLE_ARITH_CONST,
    MANGLE_DICT_INSERT,
    MANGLE_PUNCTUATION,
};

static const mangle_t tierArith[] = {
    MANGLE_BIT,
    MANGLE_INC_BYTE,
    MANGLE_DEC_BYTE,
    MANGLE_NEG_BYTE,
    MANGLE_ADD_SUB,
    MANGLE_ARITH8,
};

static const mangle_t tierSplice[] = {MANGLE_SPLICE, MANGLE_CROSS_OVER};

static const mangle_t tierStructure[] = {
    MANGLE_CHUNK_SHUFFLE,
    MANGLE_BLOCK_REPEAT,
    MANGLE_BLOCK_SWAP,
    MANGLE_BLOCK_MOVE,
    MANGLE_TLV_MUTATE,
    MANGLE_TOKEN_SHUFFLE,
};

static inline mangle_t mangle_pickFromList(const mangle_t* list, size_t cnt) {
    return cnt > 0 ? list[util_rndGet(0, cnt - 1)] : (mangle_t)util_rndGet(0, MANGLE_COUNT - 1);
}

static inline mangle_t mangle_sanitize(run_t* run, mangle_t m) {
    if ((unsigned)m >= MANGLE_COUNT) {
        return (mangle_t)util_rndGet(0, MANGLE_COUNT - 1);
    }

    static const struct {
        const uint8_t  needs;
        const mangle_t fallback;
    } reqs[MANGLE_COUNT] = {
        [MANGLE_STATIC_DICT]         = {1, MANGLE_MAGIC},
        [MANGLE_CONST_FEEDBACK_DICT] = {2, MANGLE_MAGIC},
        [MANGLE_CMP_SOLVE]           = {2, MANGLE_MAGIC},
        [MANGLE_SPLICE]              = {4, MANGLE_RANDOM_BUF},
        [MANGLE_CROSS_OVER]          = {4, MANGLE_BYTES},
        [MANGLE_GRADIENT_CMP]        = {2, MANGLE_MAGIC},
        [MANGLE_ARITH_CONST]         = {2, MANGLE_ADD_SUB},
        [MANGLE_DICT_INSERT]         = {1, MANGLE_PUNCTUATION},
    };

    uint8_t need = reqs[m].needs;
    if (!need) return m;

    if ((need & 1) && run->global->mutate.dictionaryCnt == 0) return reqs[m].fallback;
    if ((need & 4) && run->global->feedback.dynFileMethod == _HF_DYNFILE_NONE)
        return reqs[m].fallback;

    return m;
}

static mangle_t mangle_pickWeighted(run_t* run, uint8_t* tier_out) {
    /*
     * Adaptive weights - start with defaults, adjust based on success rate.
     * Use a simplified momentum-like approach where recent success bumps the weight
     */
    uint8_t w[4] = {40, 25, 20, 15};

    for (int i = 0; i < 4; i++) {
        uint64_t tries = ATOMIC_GET(run->global->mutate.stats[i].tries);
        if (tries < 500) {
            continue; /* Not enough data yet */
        }

        uint64_t hits = ATOMIC_GET(run->global->mutate.stats[i].successes);
        uint64_t rate = (hits * 10000) / tries; /* x10000 for precision */

        /*
         * Baseline success rate is low (fuzzing is hard), so even small rates are good.
         * Adjust weights proportionally to performance relative to others.
         */
        if (rate > 50) {                  /* > 0.5% success rate is very good. */
            w[i] = HF_MIN(w[i] + 15, 90); /* Increased boost. */
        } else if (rate > 10) {           /* > 0.1% */
            w[i] = HF_MIN(w[i] + 5, 70);
        } else if (rate < 1) { /* < 0.01% */
            w[i] = HF_MAX(w[i] / 2, 5);
        }
    }

    /* Roll weighted random */
    uint16_t sum  = w[0] + w[1] + w[2] + w[3];
    uint8_t  roll = util_rndGet(0, sum - 1);

    mangle_t choice;
    uint8_t  tier;

    if (roll < w[0]) {
        choice = mangle_pickFromList(tierData, ARRAYSIZE(tierData));
        tier   = TIER_DATA;
    } else if (roll < w[0] + w[1]) {
        choice = mangle_pickFromList(tierArith, ARRAYSIZE(tierArith));
        tier   = TIER_ARITH;
    } else if (roll < w[0] + w[1] + w[2]) {
        choice = mangle_pickFromList(tierSplice, ARRAYSIZE(tierSplice));
        tier   = TIER_SPLICE;
    } else {
        choice = (mangle_t)util_rndGet(0, MANGLE_COUNT - 1);
        tier   = TIER_OTHER;
    }

    *tier_out = tier;
    return mangle_sanitize(run, choice);
}

/* Dispatch table - enum -> function pointer */
static void (*const mangleFuncs[MANGLE_COUNT])(run_t*, bool) = {
    [MANGLE_SHRINK]              = mangle_Shrink,
    [MANGLE_EXPAND]              = mangle_Expand,
    [MANGLE_BIT]                 = mangle_Bit,
    [MANGLE_INC_BYTE]            = mangle_IncByte,
    [MANGLE_DEC_BYTE]            = mangle_DecByte,
    [MANGLE_NEG_BYTE]            = mangle_NegByte,
    [MANGLE_ADD_SUB]             = mangle_AddSub,
    [MANGLE_ARITH8]              = mangle_Arith8,
    [MANGLE_MEM_SET]             = mangle_MemSet,
    [MANGLE_MEM_CLR]             = mangle_MemClr,
    [MANGLE_MEM_SWAP]            = mangle_MemSwap,
    [MANGLE_MEM_COPY]            = mangle_MemCopy,
    [MANGLE_BLOCK_MOVE]          = mangle_BlockMove,
    [MANGLE_BLOCK_REPEAT]        = mangle_BlockRepeat,
    [MANGLE_BLOCK_SWAP]          = mangle_BlockSwap,
    [MANGLE_CHUNK_SHUFFLE]       = mangle_ChunkShuffle,
    [MANGLE_BYTES]               = mangle_Bytes,
    [MANGLE_BYTE_REPEAT]         = mangle_ByteRepeat,
    [MANGLE_RANDOM_BUF]          = mangle_RandomBuf,
    [MANGLE_INTERESTING_VALUES]  = mangle_InterestingValues,
    [MANGLE_ASCII_NUM]           = mangle_ASCIINum,
    [MANGLE_ASCII_NUM_CHANGE]    = mangle_ASCIINumChange,
    [MANGLE_MAGIC]               = mangle_Magic,
    [MANGLE_STATIC_DICT]         = mangle_StaticDict,
    [MANGLE_CONST_FEEDBACK_DICT] = mangle_ConstFeedbackDict,
    [MANGLE_CMP_SOLVE]           = mangle_CmpSolve,
    [MANGLE_SPLICE]              = mangle_Splice,
    [MANGLE_CROSS_OVER]          = mangle_CrossOver,
    [MANGLE_SPECIAL_STRINGS]     = mangle_SpecialStrings,
    [MANGLE_TLV_MUTATE]          = mangle_TlvMutate,
    [MANGLE_TOKEN_SHUFFLE]       = mangle_TokenShuffle,
    [MANGLE_GRADIENT_CMP]        = mangle_GradientCmp,
    [MANGLE_ARITH_CONST]         = mangle_ArithConst,
    [MANGLE_DICT_INSERT]         = mangle_DictionaryInsert,
    [MANGLE_PUNCTUATION]         = mangle_Punctuation,
    [MANGLE_HAVOC]               = mangle_Havoc,
};

static inline void mangle_dispatch(run_t* run, mangle_t m, bool printable) {
    mangleFuncs[mangle_sanitize(run, m)](run, printable);
}

void mangle_mangleContent(run_t* run) {
    if (run->mutationsPerRun == 0U) {
        return;
    }

    bool printable = run->global->cfg.only_printable;

    if (run->dynfile->size == 0U) {
        mangle_Resize(run, printable);
    }

    time_t   stagnation = time(NULL) - ATOMIC_GET(run->global->timing.lastCovUpdate);
    uint64_t base       = run->mutationsPerRun;

    run->mutationTiers = 0;

    const time_t timeStagnated = 10;
    const time_t timeStuck     = 60;
    const time_t timeGivenUp   = 300;

    /* Scale mutation count with stagnation */
    uint8_t mult = 1, cap = 16, min = 1;
    if (stagnation > timeGivenUp) {
        mult = 4;
        cap  = 64;
        min  = 2;
    } else if (stagnation > timeStuck) {
        mult = 2;
        cap  = 32;
    }

    uint64_t count = util_rndGet(min, HF_MIN(base * mult, cap));

    /*
     * Extra mutations when stagnating.
     * If we are stuck, we want to try more specific strategies (dictionaries, splices)
     */
    if (stagnation > timeStagnated) {
        if (util_rnd64() % 3 == 0) {
            run->mutationTiers |= (1 << TIER_DATA);
            mangle_dispatch(run, MANGLE_CMP_SOLVE, printable);
        }
        if (util_rnd64() % 2 == 0) {
            run->mutationTiers |= (1 << TIER_SPLICE);
            mangle_dispatch(run, MANGLE_SPLICE, printable);
        }
        /* Try gradient-guided CMP mutations */
        if (util_rnd64() % 4 == 0) {
            run->mutationTiers |= (1 << TIER_DATA);
            mangle_dispatch(run, MANGLE_GRADIENT_CMP, printable);
        }
    }
    if (stagnation > timeStuck && util_rnd64() % 3 == 0) {
        run->mutationTiers |= (1 << TIER_SPLICE);
        mangle_dispatch(run, MANGLE_CROSS_OVER, printable);
    }
    if (stagnation > timeGivenUp && util_rnd64() % 8 == 0) {
        run->mutationTiers |= (1 << TIER_OTHER);
        mangle_dispatch(
            run, mangle_pickFromList(tierStructure, ARRAYSIZE(tierStructure)), printable);
    }
    /* Havoc mode - when extremely stuck, go wild */
    if (stagnation > timeGivenUp * 2 && util_rnd64() % 16 == 0) {
        run->mutationTiers |= (1 << TIER_OTHER);
        mangle_dispatch(run, MANGLE_HAVOC, printable);
        return; /* Havoc does many mutations internally */
    }

    /* Main mutation loop */
    for (uint64_t i = 0; i < count; i++) {
        uint8_t  tier;
        mangle_t m = mangle_pickWeighted(run, &tier);

        /*
         * Boost data mutations when stagnating - if stuck for >30s,
         * 25% chance to force a data mutation (dictionaries, magic values)
         */
        if (stagnation > (timeStuck / 2) && util_rnd64() % 4 == 0) {
            m    = mangle_sanitize(run, mangle_pickFromList(tierData, ARRAYSIZE(tierData)));
            tier = TIER_DATA;
        }

        run->mutationTiers |= (1 << tier);
        ATOMIC_POST_INC(run->global->mutate.stats[tier].tries);
        mangle_dispatch(run, m, printable);
    }
}