1/* 2 * Copyright (c) 2024 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16#include "abilitydebugresponseproxy_fuzzer.h" 17 18#include <cstddef> 19#include <cstdint> 20 21#define private public 22#define protected public 23#include "ability_debug_response_proxy.h" 24#undef protected 25#undef private 26 27#include "ability_record.h" 28 29using namespace OHOS::AAFwk; 30using namespace OHOS::AppExecFwk; 31using namespace OHOS::AbilityRuntime; 32 33namespace OHOS { 34namespace { 35constexpr int INPUT_ZERO = 0; 36constexpr int INPUT_ONE = 1; 37constexpr int INPUT_THREE = 3; 38constexpr size_t FOO_MAX_LEN = 1024; 39constexpr size_t U32_AT_SIZE = 4; 40constexpr uint8_t ENABLE = 2; 41constexpr size_t OFFSET_ZERO = 24; 42constexpr size_t OFFSET_ONE = 16; 43constexpr size_t OFFSET_TWO = 8; 44} 45 46uint32_t GetU32Data(const char* ptr) 47{ 48 // convert fuzz input data to an integer 49 return (ptr[INPUT_ZERO] << OFFSET_ZERO) | (ptr[INPUT_ONE] << OFFSET_ONE) | (ptr[ENABLE] << OFFSET_TWO) | 50 ptr[INPUT_THREE]; 51} 52 53sptr<Token> GetFuzzAbilityToken() 54{ 55 sptr<Token> token = nullptr; 56 AbilityRequest abilityRequest; 57 abilityRequest.appInfo.bundleName = "com.example.fuzzTest"; 58 abilityRequest.abilityInfo.name = "MainAbility"; 59 abilityRequest.abilityInfo.type = AbilityType::DATA; 60 std::shared_ptr<AbilityRecord> abilityRecord = AbilityRecord::CreateAbilityRecord(abilityRequest); 61 if (abilityRecord) { 62 token = abilityRecord->GetToken(); 63 } 64 return token; 65} 66 67void AbilityDebugResponseProxyFuzztest1(bool boolParam, std::string &stringParam, int32_t int32Param) 68{ 69 std::shared_ptr<AbilityDebugResponseProxy> proxy = 70 std::make_shared<AbilityDebugResponseProxy>(nullptr); // branch constructor 71 MessageParcel data; 72 proxy->WriteInterfaceToken(data); // branch 73 std::vector<sptr<IRemoteObject>> tokens; 74 proxy->OnAbilitysDebugStarted(tokens); // branch 75 proxy->OnAbilitysDebugStoped(tokens); // branch 76 proxy->OnAbilitysAssertDebugChange(tokens, boolParam); // branch 77 sptr<Token> token = GetFuzzAbilityToken(); 78 tokens.emplace_back(token); 79 proxy->SendRequest(static_cast<IAbilityDebugResponse::Message>(int32Param), tokens); // branch tokens no empty. 80 tokens.clear(); 81 proxy->SendRequest(static_cast<IAbilityDebugResponse::Message>(int32Param), tokens); // branch tokens empty. 82} 83 84bool DoSomethingInterestingWithMyAPI(const char* data, size_t size) 85{ 86 bool boolParam = *data % ENABLE; 87 std::string stringParam(data, size); 88 int32_t int32Param = static_cast<int32_t>(GetU32Data(data)); 89 AbilityDebugResponseProxyFuzztest1(boolParam, stringParam, int32Param); 90 return true; 91} 92} 93 94/* Fuzzer entry point */ 95extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) 96{ 97 /* Run your code on data */ 98 if (data == nullptr) { 99 return 0; 100 } 101 102 /* Validate the length of size */ 103 if (size < OHOS::U32_AT_SIZE || size > OHOS::FOO_MAX_LEN) { 104 return 0; 105 } 106 107 char* ch = (char*)malloc(size + 1); 108 if (ch == nullptr) { 109 std::cout << "malloc failed." << std::endl; 110 return 0; 111 } 112 113 (void)memset_s(ch, size + 1, 0x00, size + 1); 114 if (memcpy_s(ch, size, data, size) != EOK) { 115 std::cout << "copy failed." << std::endl; 116 free(ch); 117 ch = nullptr; 118 return 0; 119 } 120 121 OHOS::DoSomethingInterestingWithMyAPI(ch, size); 122 free(ch); 123 ch = nullptr; 124 return 0; 125} 126 127