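/*
 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
// Test-only access widening so the harness can reach non-public members of the service.
// NOTE(review): only `private` is restored below; `protected` stays redefined for every
// header that follows, including the standard ones. Confirm no later header relies on
// that before adding a matching `#undef protected`.
#define private public
#define protected public
#include "input_method_system_ability.h"
#include "input_method_system_ability_proxy.h"
#undef private

#include <atomic>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
#include <string_ex.h>

#include "accesstoken_kit.h"
#include "global.h"
#include "input_method_controller.h"
#include "iservice_registry.h"
#include "message_parcel.h"
#include "nativetoken_kit.h"
#include "system_ability_definition.h"
#include "systemabilitystub_fuzzer.h"
#include "text_listener.h"
#include "token_setproc.h"

using namespace OHOS::Security::AccessToken;
using namespace OHOS::MiscServices;
namespace OHOS {
// Set once the service singleton has been initialized, so later inputs skip Initialize().
std::atomic_bool g_isInitialize = false;
// The request code is reduced modulo this value, so only codes 0..20 are ever dispatched.
// NOTE(review): presumably the number of IPC codes the stub handles; keep it in sync with
// the interface, otherwise newly added handlers are never exercised by this harness.
constexpr uint32_t TARGET_REMOTE_CODE_NUMS = 21;

// Gives the fuzzer process a native token that carries CONNECT_IME_ABILITY.
// The token is requested for process name "inputmethod_imf" at APL "system_core" and
// installed as the process's own token id; the result of SetSelfTokenID is only logged.
// NOTE(review): with this token in place the harness presumably passes the service's
// permission checks, so the unprivileged-caller rejection paths are not what is fuzzed.
void GrantNativePermission()
{
    // The array is only read during the calls below, so automatic storage is enough and
    // nothing has to be released afterwards.
    const char *perms[] = { "ohos.permission.CONNECT_IME_ABILITY" };
    TokenInfoParams infoInstance = {
        .dcapsNum = 0,
        .permsNum = 1,
        .aclsNum = 0,
        .dcaps = nullptr,
        .perms = perms,
        .acls = nullptr,
        .processName = "inputmethod_imf",
        .aplStr = "system_core",
    };
    uint64_t tokenId = GetAccessTokenId(&infoInstance);
    int res = SetSelfTokenID(tokenId);
    if (res == 0) {
        IMSA_HILOGI("SetSelfTokenID success!");
    } else {
        IMSA_HILOGE("SetSelfTokenID fail!");
    }
    AccessTokenKit::ReloadNativeTokenInfo();
}

// Inputs shorter than this are dropped by the fuzzer entry point.
constexpr size_t THRESHOLD = 10;
// Number of leading input bytes consumed to pick the request code.
constexpr int32_t OFFSET = 4;
const std::u16string SYSTEMABILITY_INTERFACE_TOKEN = u"ohos.miscservices.inputmethod.IInputMethodSystemAbility";

// Reads the first four bytes at ptr as a big-endian 32-bit value; returns 0 for nullptr.
// The caller must guarantee that at least four bytes are readable.
uint32_t ConvertToUint32(const uint8_t *ptr)
{
    if (ptr == nullptr) {
        return 0;
    }
    // Widen before shifting: a uint8_t promotes to signed int, so shifting a byte with its
    // top bit set left by 24 would overflow int.
    return (static_cast<uint32_t>(ptr[0]) << 24) | (static_cast<uint32_t>(ptr[1]) << 16) |
           (static_cast<uint32_t>(ptr[2]) << 8) | static_cast<uint32_t>(ptr[3]);
}

// Feeds one fuzz input to InputMethodSystemAbility::OnRemoteRequest.
// The first OFFSET bytes select the request code; the remaining bytes become the parcel
// payload, written after the interface token.
// Returns false when the input is too short to carry a request code, true otherwise.
bool FuzzInputMethodSystemAbility(const uint8_t *rawData, size_t size)
{
    // Do not depend on the caller's THRESHOLD check: a shorter buffer would be read out of
    // bounds by ConvertToUint32 and `size - OFFSET` would wrap around.
    if (rawData == nullptr || size < static_cast<size_t>(OFFSET)) {
        return false;
    }
    GrantNativePermission();
    uint32_t code = ConvertToUint32(rawData) % TARGET_REMOTE_CODE_NUMS;
    rawData = rawData + OFFSET;
    size = size - OFFSET;

    if (!g_isInitialize.load()) {
        DelayedSingleton<InputMethodSystemAbility>::GetInstance()->Initialize();
        g_isInitialize.store(true);
    }

    sptr<InputMethodController> imc = InputMethodController::GetInstance();
    sptr<OnTextChangedListener> textListener = new TextListener();
    // A missing controller is a harness problem, not a finding in the service under test.
    if (imc != nullptr) {
        imc->Attach(textListener);
    }

    MessageParcel datas;
    datas.WriteInterfaceToken(SYSTEMABILITY_INTERFACE_TOKEN);
    datas.WriteBuffer(rawData, size);
    datas.RewindRead(0);
    MessageParcel reply;
    MessageOption option;
    DelayedSingleton<InputMethodSystemAbility>::GetInstance()->OnRemoteRequest(code, datas, reply, option);
    return true;
}

// Passes the whole fuzz input, converted to UTF-16, as the single argument of Dump(), then
// calls DumpAllMethod().
// NOTE(review): the input length is what gets passed as the first argument of both calls.
// If that parameter is a file descriptor (confirm against the service header), the output
// goes to whichever descriptor number happens to equal the input size.
// Returns false for a null buffer, true otherwise.
bool TestDump(const uint8_t *rawData, size_t size)
{
    if (rawData == nullptr) {
        return false;
    }
    std::vector<std::u16string> args;
    std::string str(reinterpret_cast<const char *>(rawData), size);
    args.push_back(Str8ToStr16(str));
    DelayedSingleton<InputMethodSystemAbility>::GetInstance()->Dump(static_cast<int32_t>(size), args);
    DelayedSingleton<InputMethodSystemAbility>::GetInstance()->DumpAllMethod(static_cast<int32_t>(size));
    return true;
}

} // namespace OHOS
/* Fuzzer entry point */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    // Inputs below THRESHOLD bytes are skipped without touching the service.
    if (size < OHOS::THRESHOLD) {
        return 0;
    }
    /* Run your code on data */
    OHOS::FuzzInputMethodSystemAbility(data, size);
    OHOS::TestDump(data, size);
    return 0;
}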