1/*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include "faultdata_fuzzer.h"
17
18#include <cstddef>
19#include <cstdint>
20
21#define private public
22#define protected public
23#include "fault_data.h"
24#undef protected
25#undef private
26
27#include "ability_record.h"
28
29using namespace OHOS::AAFwk;
30using namespace OHOS::AppExecFwk;
31using namespace OHOS::AbilityRuntime;
32
33namespace OHOS {
34namespace {
35constexpr int INPUT_ZERO = 0;
36constexpr int INPUT_ONE = 1;
37constexpr int INPUT_THREE = 3;
38constexpr size_t FOO_MAX_LEN = 1024;
39constexpr size_t U32_AT_SIZE = 4;
40constexpr uint8_t ENABLE = 2;
41constexpr size_t OFFSET_ZERO = 24;
42constexpr size_t OFFSET_ONE = 16;
43constexpr size_t OFFSET_TWO = 8;
44}
45
46uint32_t GetU32Data(const char* ptr)
47{
48    // convert fuzz input data to an integer
49    return (ptr[INPUT_ZERO] << OFFSET_ZERO) | (ptr[INPUT_ONE] << OFFSET_ONE) | (ptr[ENABLE] << OFFSET_TWO) |
50        ptr[INPUT_THREE];
51}
52
53sptr<Token> GetFuzzAbilityToken()
54{
55    sptr<Token> token = nullptr;
56    AbilityRequest abilityRequest;
57    abilityRequest.appInfo.bundleName = "com.example.fuzzTest";
58    abilityRequest.abilityInfo.name = "MainAbility";
59    abilityRequest.abilityInfo.type = AbilityType::DATA;
60    std::shared_ptr<AbilityRecord> abilityRecord = AbilityRecord::CreateAbilityRecord(abilityRequest);
61    if (abilityRecord) {
62        token = abilityRecord->GetToken();
63    }
64    return token;
65}
66
67Want& SetElement(Want &want)
68{
69    return want.SetElementName("deviceId", "bundleName", "ability", "moduleName");
70}
71
72void FaultDataFuzztest1(bool boolParam, std::string &stringParam, int32_t int32Param)
73{
74    FaultData faultData;
75    Parcel parcel1;
76    parcel1.WriteInt32(int32Param);
77    faultData.ReadFromParcel(parcel1); // branch name failed
78    Parcel parcel2;
79    parcel2.WriteString(stringParam);
80    parcel2.WriteInt32(int32Param);
81    faultData.ReadFromParcel(parcel2); // branch message failed
82    Parcel parcel3;
83    parcel3.WriteString(stringParam);
84    parcel3.WriteString(stringParam);
85    faultData.ReadFromParcel(parcel3); // branch stack failed
86    Parcel parcel4;
87    parcel4.WriteString(stringParam);
88    parcel4.WriteString(stringParam);
89    parcel4.WriteString(stringParam);
90    faultData.ReadFromParcel(parcel4); // branch FaultType failed
91
92    Parcel parcel5;
93    parcel5.WriteString(stringParam);
94    parcel5.WriteString(stringParam);
95    parcel5.WriteString(stringParam);
96    parcel5.WriteInt32(int32Param);
97    faultData.ReadFromParcel(parcel5); // branch FaultType failed
98
99    Parcel parcel6;
100    parcel6.WriteString(stringParam);
101    parcel6.WriteString(stringParam);
102    parcel6.WriteString(stringParam);
103    parcel6.WriteInt32(int32Param);
104    parcel6.WriteString(stringParam);
105    faultData.ReadFromParcel(parcel6); // branch FaultType failed
106    parcel6.WriteBool(boolParam);
107    faultData.ReadFromParcel(parcel6);
108    Parcel parcel7;
109    faultData.Marshalling(parcel7);
110}
111
112void FaultDataFuzztest2(bool boolParam, std::string &stringParam, int32_t int32Param)
113{
114    AppFaultDataBySA faultData;
115    Parcel appParcel1;
116    appParcel1.WriteInt32(int32Param);
117    faultData.ReadFromParcel(appParcel1); // branch name failed
118    Parcel appParcel2;
119    appParcel2.WriteString(stringParam);
120    appParcel2.WriteInt32(int32Param);
121    faultData.ReadFromParcel(appParcel2); // branch message failed
122    Parcel appParcel3;
123    appParcel3.WriteString(stringParam);
124    appParcel3.WriteString(stringParam);
125    faultData.ReadFromParcel(appParcel3); // branch stack failed
126    Parcel appParcel4;
127    appParcel4.WriteString(stringParam);
128    appParcel4.WriteString(stringParam);
129    appParcel4.WriteString(stringParam);
130    faultData.ReadFromParcel(appParcel4); // branch FaultType failed
131    Parcel appParcel5;
132    appParcel5.WriteString(stringParam);
133    appParcel5.WriteString(stringParam);
134    appParcel5.WriteString(stringParam);
135    appParcel5.WriteInt32(int32Param);
136    faultData.ReadFromParcel(appParcel5); // branch FaultType failed
137    Parcel appParcel6;
138    faultData.Marshalling(appParcel6);
139}
140
141bool DoSomethingInterestingWithMyAPI(const char* data, size_t size)
142{
143    bool boolParam = *data % ENABLE;
144    std::string stringParam(data, size);
145    int32_t int32Param = static_cast<int32_t>(GetU32Data(data));
146    FaultDataFuzztest1(boolParam, stringParam, int32Param);
147    FaultDataFuzztest2(boolParam, stringParam, int32Param);
148    return true;
149}
150}
151
152/* Fuzzer entry point */
153extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
154{
155    /* Run your code on data */
156    if (data == nullptr) {
157        return 0;
158    }
159
160    /* Validate the length of size */
161    if (size < OHOS::U32_AT_SIZE || size > OHOS::FOO_MAX_LEN) {
162        return 0;
163    }
164
165    char* ch = (char*)malloc(size + 1);
166    if (ch == nullptr) {
167        std::cout << "malloc failed." << std::endl;
168        return 0;
169    }
170
171    (void)memset_s(ch, size + 1, 0x00, size + 1);
172    if (memcpy_s(ch, size, data, size) != EOK) {
173        std::cout << "copy failed." << std::endl;
174        free(ch);
175        ch = nullptr;
176        return 0;
177    }
178
179    OHOS::DoSomethingInterestingWithMyAPI(ch, size);
180    free(ch);
181    ch = nullptr;
182    return 0;
183}
184
185