1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibleabilitychannelstub_fuzzer.h"
17 #include "accessible_ability_channel_stub.h"
18 #include "accessibility_ipc_interface_code.h"
19 #include "securec.h"
20
21 namespace OHOS {
22 namespace Accessibility {
23 namespace {
24 constexpr size_t DATA_MIN_SIZE = 200;
25 constexpr char END_CHAR = '\0';
26 constexpr size_t LEN = 10;
27 }
28
29 class AbilityChannelImplFuzzTest : public AccessibleAbilityChannelStub {
30 public:
31 AbilityChannelImplFuzzTest() = default;
32 ~AbilityChannelImplFuzzTest() = default;
33
SearchElementInfoByAccessibilityId(const ElementBasicInfo elementBasicInfo,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback,const int32_t mode,bool isFilter)34 RetError SearchElementInfoByAccessibilityId(const ElementBasicInfo elementBasicInfo,
35 const int32_t requestId, const sptr<IAccessibilityElementOperatorCallback> &callback,
36 const int32_t mode, bool isFilter) override
37 {
38 return RET_OK;
39 }
SearchElementInfosByText(const int32_t accessibilityWindowId,const int64_t elementId,const std::string & text,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)40 RetError SearchElementInfosByText(const int32_t accessibilityWindowId, const int64_t elementId,
41 const std::string &text, const int32_t requestId,
42 const sptr<IAccessibilityElementOperatorCallback> &callback) override
43 {
44 return RET_OK;
45 }
FindFocusedElementInfo(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t focusType,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)46 RetError FindFocusedElementInfo(const int32_t accessibilityWindowId, const int64_t elementId,
47 const int32_t focusType, const int32_t requestId,
48 const sptr<IAccessibilityElementOperatorCallback> &callback) override
49 {
50 return RET_OK;
51 }
FocusMoveSearch(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t direction,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)52 RetError FocusMoveSearch(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t direction,
53 const int32_t requestId, const sptr<IAccessibilityElementOperatorCallback> &callback) override
54 {
55 return RET_OK;
56 }
ExecuteAction(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t action,const std::map<std::string,std::string> & actionArguments,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)57 RetError ExecuteAction(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t action,
58 const std::map<std::string, std::string> &actionArguments, const int32_t requestId,
59 const sptr<IAccessibilityElementOperatorCallback> &callback) override
60 {
61 return RET_OK;
62 }
EnableScreenCurtain(bool isEnable)63 RetError EnableScreenCurtain(bool isEnable) override
64 {
65 return RET_OK;
66 }
GetCursorPosition(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)67 RetError GetCursorPosition(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t requestId,
68 const sptr<IAccessibilityElementOperatorCallback> &callback) override
69 {
70 return RET_OK;
71 }
GetWindow(const int32_t windowId,AccessibilityWindowInfo & windowInfo)72 RetError GetWindow(const int32_t windowId, AccessibilityWindowInfo &windowInfo) override
73 {
74 return RET_OK;
75 }
GetWindows(std::vector<AccessibilityWindowInfo> & windows)76 RetError GetWindows(std::vector<AccessibilityWindowInfo> &windows) override
77 {
78 return RET_OK;
79 }
GetWindowsByDisplayId(const uint64_t displayId,std::vector<AccessibilityWindowInfo> & windows)80 RetError GetWindowsByDisplayId(const uint64_t displayId, std::vector<AccessibilityWindowInfo> &windows) override
81 {
82 return RET_OK;
83 }
SetOnKeyPressEventResult(const bool handled,const int32_t sequence)84 void SetOnKeyPressEventResult(const bool handled, const int32_t sequence) override {}
SendSimulateGesture(const std::shared_ptr<AccessibilityGestureInjectPath> & gesturePath)85 RetError SendSimulateGesture(const std::shared_ptr<AccessibilityGestureInjectPath> &gesturePath) override
86 {
87 return RET_OK;
88 }
SetTargetBundleName(const std::vector<std::string> & targetBundleNames)89 RetError SetTargetBundleName(const std::vector<std::string> &targetBundleNames) override
90 {
91 return RET_OK;
92 }
93 };
94
95 template<class T>
GetObject(T & object,const uint8_t * data,size_t size)96 size_t GetObject(T &object, const uint8_t *data, size_t size)
97 {
98 size_t objectSize = sizeof(object);
99 if (objectSize > size) {
100 return 0;
101 }
102 return memcpy_s(&object, objectSize, data, objectSize) == EOK ? objectSize : 0;
103 }
104
FuzzHandleSearchElementInfoByAccessibilityId(const uint8_t * data,size_t size)105 bool FuzzHandleSearchElementInfoByAccessibilityId(const uint8_t *data, size_t size)
106 {
107 if (data == nullptr || size < DATA_MIN_SIZE) {
108 return false;
109 }
110
111 size_t position = 0;
112 int32_t accessibilityWindowId = 0;
113 int64_t elementId = 0;
114 int32_t requestId = 0;
115 MessageParcel mdata;
116 MessageParcel reply;
117 MessageOption option(MessageOption::TF_SYNC);
118
119 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
120 position += GetObject<int64_t>(elementId, &data[position], size - position);
121 GetObject<int32_t>(requestId, &data[position], size - position);
122 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
123 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
124 mdata.WriteInt32(accessibilityWindowId);
125 mdata.WriteInt64(elementId);
126 mdata.WriteInt32(requestId);
127 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEARCH_ELEMENTINFO_BY_ACCESSIBILITY_ID),
128 mdata, reply, option);
129 return true;
130 }
131
FuzzHandleSearchElementInfosByText(const uint8_t * data,size_t size)132 bool FuzzHandleSearchElementInfosByText(const uint8_t *data, size_t size)
133 {
134 if (data == nullptr || size < DATA_MIN_SIZE) {
135 return false;
136 }
137
138 size_t position = 0;
139 int32_t accessibilityWindowId = 0;
140 int64_t elementId = 0;
141 int32_t requestId = 0;
142 MessageParcel mdata;
143 MessageParcel reply;
144 MessageOption option(MessageOption::TF_SYNC);
145
146 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
147 position += GetObject<int64_t>(elementId, &data[position], size - position);
148 char name[LEN + 1];
149 name[LEN] = END_CHAR;
150 for (size_t i = 0; i < LEN; i++) {
151 position += GetObject<char>(name[i], data + position, size - position);
152 }
153 std::string text(name);
154 GetObject<int32_t>(requestId, &data[position], size - position);
155 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
156 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
157 mdata.WriteInt32(accessibilityWindowId);
158 mdata.WriteInt64(elementId);
159 mdata.WriteString(text);
160 mdata.WriteInt32(requestId);
161 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEARCH_ELEMENTINFOS_BY_TEXT),
162 mdata, reply, option);
163 return true;
164 }
165
FuzzHandleFindFocusedElementInfo(const uint8_t * data,size_t size)166 bool FuzzHandleFindFocusedElementInfo(const uint8_t *data, size_t size)
167 {
168 if (data == nullptr || size < DATA_MIN_SIZE) {
169 return false;
170 }
171
172 size_t position = 0;
173 int32_t accessibilityWindowId = 0;
174 int64_t elementId = 0;
175 int32_t focusType = 0;
176 int32_t requestId = 0;
177 MessageParcel mdata;
178 MessageParcel reply;
179 MessageOption option(MessageOption::TF_SYNC);
180
181 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
182 position += GetObject<int64_t>(elementId, &data[position], size - position);
183 position += GetObject<int32_t>(focusType, &data[position], size - position);
184 GetObject<int32_t>(requestId, &data[position], size - position);
185 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
186 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
187 mdata.WriteInt32(accessibilityWindowId);
188 mdata.WriteInt64(elementId);
189 mdata.WriteInt32(focusType);
190 mdata.WriteInt32(requestId);
191 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::FIND_FOCUSED_ELEMENTINFO),
192 mdata, reply, option);
193 return true;
194 }
195
FuzzHandleFocusMoveSearch(const uint8_t * data,size_t size)196 bool FuzzHandleFocusMoveSearch(const uint8_t *data, size_t size)
197 {
198 if (data == nullptr || size < DATA_MIN_SIZE) {
199 return false;
200 }
201
202 size_t position = 0;
203 int32_t accessibilityWindowId = 0;
204 int64_t elementId = 0;
205 int32_t direction = 0;
206 int32_t requestId = 0;
207 MessageParcel mdata;
208 MessageParcel reply;
209 MessageOption option(MessageOption::TF_SYNC);
210
211 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
212 position += GetObject<int64_t>(elementId, &data[position], size - position);
213 position += GetObject<int32_t>(direction, &data[position], size - position);
214 GetObject<int32_t>(requestId, &data[position], size - position);
215 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
216 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
217 mdata.WriteInt32(accessibilityWindowId);
218 mdata.WriteInt64(elementId);
219 mdata.WriteInt32(direction);
220 mdata.WriteInt32(requestId);
221 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::FOCUS_MOVE_SEARCH),
222 mdata, reply, option);
223 return true;
224 }
225
FuzzHandleExecuteAction(const uint8_t * data,size_t size)226 bool FuzzHandleExecuteAction(const uint8_t *data, size_t size)
227 {
228 if (data == nullptr || size < DATA_MIN_SIZE) {
229 return false;
230 }
231
232 size_t position = 0;
233 int32_t accessibilityWindowId = 0;
234 int64_t elementId = 0;
235 int32_t action = 0;
236 MessageParcel mdata;
237 MessageParcel reply;
238 MessageOption option(MessageOption::TF_SYNC);
239
240 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
241 position += GetObject<int64_t>(elementId, &data[position], size - position);
242 GetObject<int32_t>(action, &data[position], size - position);
243 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
244 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
245 mdata.WriteInt32(accessibilityWindowId);
246 mdata.WriteInt64(elementId);
247 mdata.WriteInt32(action);
248 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::PERFORM_ACTION),
249 mdata, reply, option);
250 return true;
251 }
252
FuzzHandleGetWindow(const uint8_t * data,size_t size)253 bool FuzzHandleGetWindow(const uint8_t *data, size_t size)
254 {
255 if (data == nullptr || size < DATA_MIN_SIZE) {
256 return false;
257 }
258
259 size_t position = 0;
260 int32_t windowId = 0;
261 MessageParcel mdata;
262 MessageParcel reply;
263 MessageOption option(MessageOption::TF_SYNC);
264
265 GetObject<int32_t>(windowId, &data[position], size - position);
266 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
267 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
268 mdata.WriteInt32(windowId);
269 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOW),
270 mdata, reply, option);
271 return true;
272 }
273
FuzzHandleGetWindows(const uint8_t * data,size_t size)274 bool FuzzHandleGetWindows(const uint8_t *data, size_t size)
275 {
276 if (data == nullptr || size < DATA_MIN_SIZE) {
277 return false;
278 }
279
280 MessageParcel mdata;
281 MessageParcel reply;
282 MessageOption option(MessageOption::TF_SYNC);
283
284 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
285 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
286 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOWS),
287 mdata, reply, option);
288 return true;
289 }
290
FuzzHandleGetWindowsByDisplayId(const uint8_t * data,size_t size)291 bool FuzzHandleGetWindowsByDisplayId(const uint8_t *data, size_t size)
292 {
293 if (data == nullptr || size < DATA_MIN_SIZE) {
294 return false;
295 }
296
297 size_t position = 0;
298 uint64_t displayId = 0;
299 MessageParcel mdata;
300 MessageParcel reply;
301 MessageOption option(MessageOption::TF_SYNC);
302
303 GetObject<uint64_t>(displayId, &data[position], size - position);
304 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
305 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
306 mdata.WriteUint64(displayId);
307 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOWS_BY_DISPLAY_ID),
308 mdata, reply, option);
309 return true;
310 }
311
FuzzHandleSendSimulateGesturePath(const uint8_t * data,size_t size)312 bool FuzzHandleSendSimulateGesturePath(const uint8_t *data, size_t size)
313 {
314 if (data == nullptr || size < DATA_MIN_SIZE) {
315 return false;
316 }
317
318 MessageParcel mdata;
319 MessageParcel reply;
320 MessageOption option(MessageOption::TF_SYNC);
321
322 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
323 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
324 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEND_SIMULATE_GESTURE_PATH),
325 mdata, reply, option);
326 return true;
327 }
328
FuzzHandleSetTargetBundleName(const uint8_t * data,size_t size)329 bool FuzzHandleSetTargetBundleName(const uint8_t *data, size_t size)
330 {
331 if (data == nullptr || size < DATA_MIN_SIZE) {
332 return false;
333 }
334
335 int32_t bundleNamesSize = 0;
336 MessageParcel mdata;
337 MessageParcel reply;
338 MessageOption option(MessageOption::TF_SYNC);
339
340 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
341 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
342 mdata.WriteInt32(bundleNamesSize);
343 mdata.WriteString("test");
344 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SET_TARGET_BUNDLE_NAME),
345 mdata, reply, option);
346 return true;
347 }
348 } // namespace Accessibility
349 } // namespace OHOS
350
351 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)352 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
353 {
354 /* Run your code on data */
355 OHOS::Accessibility::FuzzHandleSearchElementInfoByAccessibilityId(data, size);
356 OHOS::Accessibility::FuzzHandleSearchElementInfosByText(data, size);
357 OHOS::Accessibility::FuzzHandleFindFocusedElementInfo(data, size);
358 OHOS::Accessibility::FuzzHandleFocusMoveSearch(data, size);
359 OHOS::Accessibility::FuzzHandleExecuteAction(data, size);
360 OHOS::Accessibility::FuzzHandleGetWindow(data, size);
361 OHOS::Accessibility::FuzzHandleGetWindows(data, size);
362 OHOS::Accessibility::FuzzHandleGetWindowsByDisplayId(data, size);
363 OHOS::Accessibility::FuzzHandleSendSimulateGesturePath(data, size);
364 OHOS::Accessibility::FuzzHandleSetTargetBundleName(data, size);
365 return 0;
366 }