1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibility_config_impl.h"
17 #include "accessibility_def.h"
18 #include "accessibility_element_operator_fuzz_impl.h"
19 #include "accessibility_element_operator_impl.h"
20 #include "accessibility_event_info_parcel.h"
21 #include "accessibility_ipc_interface_code.h"
22 #include "accessibility_system_ability_client_impl.h"
23 #include "accessible_ability_manager_service.h"
24 #include "accessible_ability_manager_service_stub.h"
25 #include "accessibleabilitymanagerservicestub_fuzzer.h"
26 #include "addaamstoken_fuzzer.h"
27 #include "singleton.h"
28
29 #define private public
30
31 namespace OHOS {
32 namespace Accessibility {
33 namespace {
34 constexpr size_t FOO_MAX_LEN = 1024;
35 constexpr size_t U32_AT_SIZE = 4;
36 constexpr size_t BASE_CODE = 800;
37 constexpr size_t MESSAGE_SIZE = 66;
38 constexpr size_t FUZZ_NUM1 = 1;
39 constexpr size_t FUZZ_NUM2 = 2;
40 constexpr size_t FUZZ_NUM3 = 3;
41 constexpr size_t FUZZ_NUM8 = 8;
42 constexpr size_t FUZZ_NUM16 = 16;
43 constexpr size_t FUZZ_NUM24 = 24;
44 constexpr uint8_t DEVISOR_TWO = 2;
45 } // namespace
46
GetU32Data(const uint8_t *ptr)47 uint32_t GetU32Data(const uint8_t *ptr)
48 {
49 return (ptr[0] << FUZZ_NUM24) | (ptr[FUZZ_NUM1] << FUZZ_NUM16) | (ptr[FUZZ_NUM2] << FUZZ_NUM8) | (ptr[FUZZ_NUM3]);
50 }
51
52 static bool g_initialized = false;
53
InitService()54 bool InitService()
55 {
56 if (!g_initialized) {
57 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnStart();
58 if (DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->handler_) {
59 g_initialized = true;
60 }
61 }
62 return g_initialized;
63 }
64
65 /*
66 * Sort the functions from AccessibilityInterfaceCode 800 in ascending order
67 */
HandleRegisterStateCallbackTest(const uint8_t *data, size_t size)68 bool HandleRegisterStateCallbackTest(const uint8_t *data, size_t size)
69 {
70 if (!InitService()) {
71 return false;
72 }
73 MessageParcel request;
74 std::u16string descriptor = AccessibleAbilityManagerServiceStub::GetDescriptor();
75 request.WriteInterfaceToken(descriptor);
76 if (!request.WriteInterfaceToken(descriptor)) {
77 return false;
78 }
79
80 auto *impl = new AccessibilityConfig::AccessibilityConfig::Impl();
81 sptr<AccessibleAbilityManagerConfigObserverImpl> callback = new (std::nothrow)
82 AccessibleAbilityManagerConfigObserverImpl(impl);
83 if (!request.WriteRemoteObject(callback->AsObject())) {
84 return false;
85 }
86 MessageParcel reply;
87 MessageOption option(MessageOption::TF_ASYNC);
88
89 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnRemoteRequest(
90 static_cast<uint32_t>(AccessibilityInterfaceCode::REGISTER_STATE_CALLBACK), request, reply, option);
91 return true;
92 }
93
HandleGetAbilityListTest(const uint8_t *data, size_t size)94 bool HandleGetAbilityListTest(const uint8_t *data, size_t size)
95 {
96 if (!InitService()) {
97 return false;
98 }
99 MessageParcel request;
100 std::u16string descriptor = AccessibleAbilityManagerServiceStub::GetDescriptor();
101 request.WriteInterfaceToken(descriptor);
102 if (!request.WriteInterfaceToken(descriptor)) {
103 return false;
104 }
105
106 uint32_t abilityTypes = ACCESSIBILITY_ABILITY_TYPE_ALL;
107 int32_t stateType = data[0];
108 auto *impl = new AccessibilityConfig::AccessibilityConfig::Impl();
109 if (!request.WriteUint32(abilityTypes)) {
110 return false;
111 }
112
113 if (!request.WriteInt32(stateType)) {
114 return false;
115 }
116 MessageParcel reply;
117 MessageOption option;
118
119 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnRemoteRequest(
120 static_cast<uint32_t>(AccessibilityInterfaceCode::GET_ABILITYLIST), request, reply, option);
121 return true;
122 }
123
HandleRegisterAccessibilityElementOperatorTest(const uint8_t *data, size_t size)124 bool HandleRegisterAccessibilityElementOperatorTest(const uint8_t *data, size_t size)
125 {
126 if (!InitService()) {
127 return false;
128 }
129 MessageParcel request;
130 std::u16string descriptor = AccessibleAbilityManagerServiceStub::GetDescriptor();
131 request.WriteInterfaceToken(descriptor);
132 if (!request.WriteInterfaceToken(descriptor)) {
133 return false;
134 }
135
136 int32_t windowId = static_cast<int32_t>(*data);
137 if (!request.WriteInt32(windowId)) {
138 return false;
139 }
140 std::shared_ptr<AccessibilityElementOperatorFuzzImpl> operation =
141 std::make_shared<AccessibilityElementOperatorFuzzImpl>();
142 auto *impl = new AccessibilitySystemAbilityClientImpl();
143 sptr<AccessibilityElementOperatorImpl> optr = new (std::nothrow) AccessibilityElementOperatorImpl(
144 windowId, operation, reinterpret_cast<AccessibilityElementOperatorCallback &>(impl));
145 if (optr == nullptr) {
146 return false;
147 }
148 if (!request.WriteRemoteObject(optr->AsObject())) {
149 return false;
150 }
151
152 MessageParcel reply;
153 MessageOption option(MessageOption::TF_ASYNC);
154
155 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnRemoteRequest(
156 static_cast<uint32_t>(AccessibilityInterfaceCode::REGISTER_INTERACTION_CONNECTION), request, reply, option);
157 return true;
158 }
159
HandleMultiRegisterAccessibilityElementOperatorTest(const uint8_t *data, size_t size)160 bool HandleMultiRegisterAccessibilityElementOperatorTest(const uint8_t *data, size_t size)
161 {
162 if (!InitService()) {
163 return false;
164 }
165 MessageParcel request;
166 std::u16string descriptor = AccessibleAbilityManagerServiceStub::GetDescriptor();
167 request.WriteInterfaceToken(descriptor);
168 if (!request.WriteInterfaceToken(descriptor)) {
169 return false;
170 }
171
172 int32_t windowId = static_cast<int32_t>(*data);
173 if (!request.WriteInt32(windowId)) {
174 return false;
175 }
176 int32_t parentWindowId = static_cast<int32_t>(*data);
177 if (!request.WriteInt32(parentWindowId)) {
178 return false;
179 }
180 int32_t parentTreeId = static_cast<int32_t>(*data);
181 if (!request.WriteInt32(parentTreeId)) {
182 return false;
183 }
184 int32_t elementId = static_cast<int32_t>(*data);
185 if (!request.WriteInt64(elementId)) {
186 return false;
187 }
188 std::shared_ptr<AccessibilityElementOperatorFuzzImpl> operation =
189 std::make_shared<AccessibilityElementOperatorFuzzImpl>();
190 auto *impl = new AccessibilitySystemAbilityClientImpl();
191 sptr<AccessibilityElementOperatorImpl> optr = new (std::nothrow) AccessibilityElementOperatorImpl(
192 windowId, operation, reinterpret_cast<AccessibilityElementOperatorCallback &>(impl));
193 if (optr == nullptr) {
194 return false;
195 }
196 if (!request.WriteRemoteObject(optr->AsObject())) {
197 return false;
198 }
199
200 MessageParcel reply;
201 MessageOption option(MessageOption::TF_ASYNC);
202
203 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnRemoteRequest(
204 static_cast<uint32_t>(AccessibilityInterfaceCode::CARDREGISTER_INTERACTION_CONNECTION), request, reply, option);
205 return true;
206 }
207
HandleDeregisterAccessibilityElementOperatorTest(const uint8_t *data, size_t size)208 bool HandleDeregisterAccessibilityElementOperatorTest(const uint8_t *data, size_t size)
209 {
210 if (!InitService()) {
211 return false;
212 }
213 MessageParcel request;
214 std::u16string descriptor = AccessibleAbilityManagerServiceStub::GetDescriptor();
215 request.WriteInterfaceToken(descriptor);
216 if (!request.WriteInterfaceToken(descriptor)) {
217 return false;
218 }
219
220 int32_t windowId = static_cast<int32_t>(*data);
221 if (!request.WriteInt32(windowId)) {
222 return false;
223 }
224 MessageParcel reply;
225 MessageOption option(MessageOption::TF_ASYNC);
226
227 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnRemoteRequest(
228 static_cast<uint32_t>(AccessibilityInterfaceCode::DEREGISTER_INTERACTION_CONNECTION), request, reply, option);
229 return true;
230 }
231
HandleSendEventTest(const uint8_t *data, size_t size)232 bool HandleSendEventTest(const uint8_t *data, size_t size)
233 {
234 if (!InitService()) {
235 return false;
236 }
237 MessageParcel request;
238 std::u16string descriptor = AccessibleAbilityManagerServiceStub::GetDescriptor();
239 if (!request.WriteInterfaceToken(descriptor)) {
240 return false;
241 }
242 AccessibilityEventInfo event;
243 AccessibilityEventInfoParcel eventParcel(event);
244 if (!request.WriteParcelable(&eventParcel)) {
245 return false;
246 }
247 MessageParcel reply;
248 MessageOption option(MessageOption::TF_ASYNC);
249
250 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnRemoteRequest(
251 static_cast<uint32_t>(AccessibilityInterfaceCode::SEND_EVENT), request, reply, option);
252 return true;
253 }
254
HandleSetDaltonizationStateTest(const uint8_t *data, size_t size)255 bool HandleSetDaltonizationStateTest(const uint8_t *data, size_t size)
256 {
257 MessageParcel request;
258 std::u16string descriptor = AccessibleAbilityManagerServiceStub::GetDescriptor();
259 if (!request.WriteInterfaceToken(descriptor)) {
260 return false;
261 }
262 bool isSetDaltonizationState = data[0] % DEVISOR_TWO;
263 if (!request.WriteBool(isSetDaltonizationState)) {
264 return false;
265 }
266 MessageParcel reply;
267 MessageOption option;
268
269 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnRemoteRequest(
270 static_cast<uint32_t>(AccessibilityInterfaceCode::SET_DALTONIZATION_STATE), request, reply, option);
271 return true;
272 }
273
HandleRemoveRequestIdTest(const uint8_t *data, size_t size)274 bool HandleRemoveRequestIdTest(const uint8_t *data, size_t size)
275 {
276 MessageParcel request;
277 std::u16string descriptor = AccessibleAbilityManagerServiceStub::GetDescriptor();
278 if (!request.WriteInterfaceToken(descriptor)) {
279 return false;
280 }
281 int32_t requestId = static_cast<int32_t>(*data);
282 if (!request.WriteInt32(requestId)) {
283 return false;
284 }
285
286 MessageParcel reply;
287 MessageOption option;
288 DelayedSingleton<AccessibleAbilityManagerService>::GetInstance()->OnRemoteRequest(
289 static_cast<uint32_t>(AccessibilityInterfaceCode::REMOVE_REQUEST_ID), request, reply, option);
290 return true;
291 }
292
293 } // namespace Accessibility
294 } // namespace OHOS
295
296 /* Fuzzer entry point */
LLVMFuzzerInitialize(int *argc, char ***argv)297 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
298 {
299 OHOS::AddAAMSTokenFuzzer token;
300 return 0;
301 }
302
303 // Fuzzer entry point.
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)304 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
305 {
306 /* Run your code on data */
307 if (data == nullptr) {
308 return 0;
309 }
310
311 if (size < OHOS::Accessibility::U32_AT_SIZE) {
312 return 0;
313 }
314
315 OHOS::Accessibility::HandleRegisterStateCallbackTest(data, size);
316 OHOS::Accessibility::HandleGetAbilityListTest(data, size);
317 OHOS::Accessibility::HandleRegisterAccessibilityElementOperatorTest(data, size);
318 OHOS::Accessibility::HandleMultiRegisterAccessibilityElementOperatorTest(data, size);
319 OHOS::Accessibility::HandleDeregisterAccessibilityElementOperatorTest(data, size);
320 OHOS::Accessibility::HandleSendEventTest(data, size);
321 OHOS::Accessibility::HandleSetDaltonizationStateTest(data, size);
322 OHOS::Accessibility::HandleRemoveRequestIdTest(data, size);
323 return 0;
324 }