Mark auto-generated rust_fuzzer_custom_mutator function as unsafe

Fixes #113

Author: fitzgen

src/lib.rs

@@ -459,9 +459,11 @@ macro_rules! fuzz_mutator {
         |
         $body:block
     ) => {
-        /// Auto-generated function.
+        /// Auto-generated function. Do not use; only for LibFuzzer's
+        /// consumption.
         #[export_name = "LLVMFuzzerCustomMutator"]
-        pub fn rust_fuzzer_custom_mutator(
+        #[doc(hidden)]
+        pub unsafe fn rust_fuzzer_custom_mutator(
             $data: *mut u8,
             $size: usize,
             $max_size: usize,
@@ -471,15 +473,26 @@ macro_rules! fuzz_mutator {
             // might be larger or smaller than `max_size`. The `data`'s capacity
             // is the maximum of the two.
             let len = std::cmp::max($max_size, $size);
-            let $data: &mut [u8] = unsafe { std::slice::from_raw_parts_mut($data, len) };
+            let $data: &mut [u8] = std::slice::from_raw_parts_mut($data, len);
 
             // `unsigned int` is generally a `u32`, but not on all targets. Do
             // an infallible (and potentially lossy, but that's okay because it
             // preserves determinism) conversion.
             let $seed = $seed as u32;
 
+            // Define and invoke a new, safe function so that the body doesn't
+            // inherit `unsafe`.
+            fn custom_mutator(
+                $data: &mut [u8],
+                $size: usize,
+                $max_size: usize,
+                $seed: u32,
+            ) -> usize {
+                $body
+            }
+            let new_size = custom_mutator($data, $size, $max_size, $seed);
+
             // Truncate the new size if it is larger than the max.
-            let new_size = { $body };
             std::cmp::min(new_size, $max_size)
         }
     };