1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibilitysystemabilityclient_fuzzer.h"
17 #include "accessibility_system_ability_client_impl.h"
18 #include "securec.h"
19
20 namespace OHOS {
21 namespace Accessibility {
22 namespace {
23 constexpr size_t DATA_MIN_SIZE = 200;
24 constexpr char END_CHAR = '\0';
25 constexpr size_t LEN = 10;
26 }
27 static AccessibilitySystemAbilityClientImpl g_asacImpl_;
28
29 template<class T>
GetObject(T & object,const uint8_t * data,size_t size)30 size_t GetObject(T &object, const uint8_t *data, size_t size)
31 {
32 size_t objectSize = sizeof(object);
33 if (objectSize > size) {
34 return 0;
35 }
36 return memcpy_s(&object, objectSize, data, objectSize) == EOK ? objectSize : 0;
37 }
38
39 class ElementOperatorForFuzzTest : public AccessibilityElementOperator {
40 public:
41 virtual ~ElementOperatorForFuzzTest() = default;
SearchElementInfoByAccessibilityId(const int64_t elementId,const int32_t requestId,AccessibilityElementOperatorCallback & callback,const int32_t mode)42 void SearchElementInfoByAccessibilityId(const int64_t elementId,
43 const int32_t requestId, AccessibilityElementOperatorCallback &callback,
44 const int32_t mode) override {}
SearchElementInfosByText(const int64_t elementId,const std::string & text,const int32_t requestId,AccessibilityElementOperatorCallback & callback)45 void SearchElementInfosByText(const int64_t elementId, const std::string &text,
46 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
47
FindFocusedElementInfo(const int64_t elementId,const int32_t focusType,const int32_t requestId,AccessibilityElementOperatorCallback & callback)48 void FindFocusedElementInfo(const int64_t elementId, const int32_t focusType, const int32_t requestId,
49 AccessibilityElementOperatorCallback &callback) override {}
50
FocusMoveSearch(const int64_t elementId,const int32_t direction,const int32_t requestId,AccessibilityElementOperatorCallback & callback)51 void FocusMoveSearch(const int64_t elementId, const int32_t direction, const int32_t requestId,
52 AccessibilityElementOperatorCallback &callback) override {}
53
ExecuteAction(const int64_t elementId,const int32_t action,const std::map<std::string,std::string> & actionArguments,const int32_t requestId,AccessibilityElementOperatorCallback & callback)54 void ExecuteAction(const int64_t elementId, const int32_t action,
55 const std::map<std::string, std::string> &actionArguments,
56 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
GetCursorPosition(const int64_t elementId,const int32_t requestId,AccessibilityElementOperatorCallback & callback)57 void GetCursorPosition(const int64_t elementId, const int32_t requestId,
58 AccessibilityElementOperatorCallback &callback) override {}
ClearFocus()59 void ClearFocus() override {}
OutsideTouch()60 void OutsideTouch() override {}
SetChildTreeIdAndWinId(const int64_t elementId,const int32_t treeId,const int32_t childWindowId)61 void SetChildTreeIdAndWinId(const int64_t elementId, const int32_t treeId,
62 const int32_t childWindowId) override {}
SetBelongTreeId(const int32_t treeId)63 void SetBelongTreeId(const int32_t treeId) override {}
SetParentWindowId(const int32_t parentWindowId)64 void SetParentWindowId(const int32_t parentWindowId) override {}
65 };
66
67 class StateObserverForFuzzTest : public AccessibilityStateObserver {
68 public:
69 virtual ~StateObserverForFuzzTest() = default;
OnStateChanged(const bool state)70 void OnStateChanged(const bool state) {}
71 };
72
73
CreateEventInfoFirstPart(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size,size_t & position)74 static void CreateEventInfoFirstPart(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size,
75 size_t& position)
76 {
77 int64_t componentId = 0;
78 position += GetObject<int64_t>(componentId, &data[position], size - position);
79 eventInfo.SetSource(componentId);
80 int32_t windowId = 0;
81 position += GetObject<int32_t>(windowId, &data[position], size - position);
82 eventInfo.SetWindowId(windowId);
83 int32_t index = 0;
84 position += GetObject<int32_t>(index, &data[position], size - position);
85 eventInfo.SetCurrentIndex(index);
86 position += GetObject<int32_t>(index, &data[position], size - position);
87 eventInfo.SetBeginIndex(index);
88 position += GetObject<int32_t>(index, &data[position], size - position);
89 eventInfo.SetEndIndex(index);
90 int32_t itemCounts = 0;
91 position += GetObject<int32_t>(itemCounts, &data[position], size - position);
92 eventInfo.SetItemCounts(itemCounts);
93 WindowsContentChangeTypes changeTypes;
94 position += GetObject<WindowsContentChangeTypes>(changeTypes, &data[position], size - position);
95 eventInfo.SetWindowContentChangeTypes(changeTypes);
96 WindowUpdateType updateTypes;
97 position += GetObject<WindowUpdateType>(updateTypes, &data[position], size - position);
98 eventInfo.SetWindowChangeTypes(updateTypes);
99 EventType eventType;
100 position += GetObject<EventType>(eventType, &data[position], size - position);
101 eventInfo.SetEventType(eventType);
102 int64_t timeStamp = 0;
103 position += GetObject<int64_t>(timeStamp, &data[position], size - position);
104 eventInfo.SetTimeStamp(timeStamp);
105 TextMoveUnit granularity;
106 position += GetObject<TextMoveUnit>(granularity, &data[position], size - position);
107 eventInfo.SetTextMovementStep(granularity);
108 ActionType action;
109 position += GetObject<ActionType>(action, &data[position], size - position);
110 eventInfo.SetTriggerAction(action);
111 NotificationCategory category;
112 position += GetObject<NotificationCategory>(category, &data[position], size - position);
113 eventInfo.SetNotificationInfo(category);
114 GestureType gestureType;
115 position += GetObject<GestureType>(gestureType, &data[position], size - position);
116 eventInfo.SetGestureType(gestureType);
117 int32_t pageId = 0;
118 position += GetObject<int32_t>(pageId, &data[position], size - position);
119 eventInfo.SetPageId(pageId);
120 }
121
CreateEventInfoSecondPart(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size,size_t & position)122 static void CreateEventInfoSecondPart(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size,
123 size_t& position)
124 {
125 char name[LEN + 1];
126 name[LEN] = END_CHAR;
127 for (size_t i = 0; i < LEN; i++) {
128 position += GetObject<char>(name[i], &data[position], size - position);
129 }
130 std::string className(name);
131 eventInfo.SetComponentType(className);
132
133 for (size_t i = 0; i < LEN; i++) {
134 position += GetObject<char>(name[i], &data[position], size - position);
135 }
136 std::string beforeText(name);
137 eventInfo.SetBeforeText(beforeText);
138
139 for (size_t i = 0; i < LEN; i++) {
140 position += GetObject<char>(name[i], &data[position], size - position);
141 }
142 std::string content(name);
143 eventInfo.AddContent(content);
144
145 for (size_t i = 0; i < LEN; i++) {
146 position += GetObject<char>(name[i], &data[position], size - position);
147 }
148 std::string lastContent(name);
149 eventInfo.SetLatestContent(lastContent);
150
151 for (size_t i = 0; i < LEN; i++) {
152 position += GetObject<char>(name[i], &data[position], size - position);
153 }
154 std::string contentDescription(name);
155 eventInfo.SetDescription(contentDescription);
156
157 for (size_t i = 0; i < LEN; i++) {
158 position += GetObject<char>(name[i], &data[position], size - position);
159 }
160 std::string bundleName(name);
161 eventInfo.SetBundleName(bundleName);
162
163 for (size_t i = 0; i < LEN; i++) {
164 position += GetObject<char>(name[i], &data[position], size - position);
165 }
166 std::string notificationContent(name);
167 eventInfo.SetNotificationContent(notificationContent);
168 }
169
CreateEventInfo(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size)170 static size_t CreateEventInfo(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size)
171 {
172 size_t position = 0;
173 CreateEventInfoFirstPart(eventInfo, data, size, position);
174 CreateEventInfoSecondPart(eventInfo, data, size, position);
175 return position;
176 }
177
RegisterElementOperatorFuzzTest(const uint8_t * data,size_t size)178 bool RegisterElementOperatorFuzzTest(const uint8_t* data, size_t size)
179 {
180 if (data == nullptr || size < DATA_MIN_SIZE) {
181 return false;
182 }
183
184 auto instance = AccessibilitySystemAbilityClient::GetInstance();
185 if (!instance) {
186 return false;
187 }
188
189 size_t position = 0;
190 int32_t windowId = 0;
191 position += GetObject<int32_t>(windowId, &data[position], size - position);
192 std::shared_ptr<ElementOperatorForFuzzTest> elementOperator = std::make_shared<ElementOperatorForFuzzTest>();
193 instance->RegisterElementOperator(windowId, elementOperator);
194
195 GetObject<int32_t>(windowId, &data[position], size - position);
196 instance->DeregisterElementOperator(windowId);
197 return true;
198 }
199
GetAbilityListFuzzTest(const uint8_t * data,size_t size)200 bool GetAbilityListFuzzTest(const uint8_t* data, size_t size)
201 {
202 if (data == nullptr || size < DATA_MIN_SIZE) {
203 return false;
204 }
205
206 auto instance = AccessibilitySystemAbilityClient::GetInstance();
207 if (!instance) {
208 return false;
209 }
210
211 size_t position = 0;
212 uint32_t abilityTypes = 0;
213 position += GetObject<uint32_t>(abilityTypes, &data[position], size - position);
214 AbilityStateType stateType;
215 GetObject<AbilityStateType>(stateType, &data[position], size - position);
216 std::vector<AccessibilityAbilityInfo> infos;
217 instance->GetAbilityList(abilityTypes, stateType, infos);
218 return true;
219 }
220
SendEventFuzzTest(const uint8_t * data,size_t size)221 bool SendEventFuzzTest(const uint8_t* data, size_t size)
222 {
223 if (data == nullptr || size < DATA_MIN_SIZE) {
224 return false;
225 }
226
227 auto instance = AccessibilitySystemAbilityClient::GetInstance();
228 if (!instance) {
229 return false;
230 }
231
232 size_t position = 0;
233 EventType eventType;
234 position += GetObject<EventType>(eventType, &data[position], size - position);
235 int64_t componentId = 0;
236 position += GetObject<int64_t>(componentId, &data[position], size - position);
237 instance->SendEvent(eventType, componentId);
238
239 AccessibilityEventInfo eventInfo;
240 (void)CreateEventInfo(eventInfo, data, size - position);
241 instance->SendEvent(eventInfo);
242 return true;
243 }
244
SubscribeStateObserverFuzzTest(const uint8_t * data,size_t size)245 bool SubscribeStateObserverFuzzTest(const uint8_t* data, size_t size)
246 {
247 if (data == nullptr || size < DATA_MIN_SIZE) {
248 return false;
249 }
250
251 auto instance = AccessibilitySystemAbilityClient::GetInstance();
252 if (!instance) {
253 return false;
254 }
255
256 size_t position = 0;
257 uint32_t eventTypes = 0;
258 position += GetObject<uint32_t>(eventTypes, &data[position], size - position);
259 std::shared_ptr<StateObserverForFuzzTest> observer = std::make_shared<StateObserverForFuzzTest>();
260 instance->SubscribeStateObserver(observer, eventTypes);
261
262 GetObject<uint32_t>(eventTypes, &data[position], size - position);
263 instance->UnsubscribeStateObserver(observer, eventTypes);
264 return true;
265 }
266
IsEnabledFuzzTest(const uint8_t * data,size_t size)267 bool IsEnabledFuzzTest(const uint8_t* data, size_t size)
268 {
269 if (data == nullptr || size < DATA_MIN_SIZE) {
270 return false;
271 }
272
273 auto instance = AccessibilitySystemAbilityClient::GetInstance();
274 if (!instance) {
275 return false;
276 }
277
278 bool isEnabled = false;
279 GetObject<bool>(isEnabled, &data[0], size);
280 instance->IsEnabled(isEnabled);
281 return true;
282 }
283
IsTouchExplorationEnabledFuzzTest(const uint8_t * data,size_t size)284 bool IsTouchExplorationEnabledFuzzTest(const uint8_t* data, size_t size)
285 {
286 if (data == nullptr || size < DATA_MIN_SIZE) {
287 return false;
288 }
289
290 auto instance = AccessibilitySystemAbilityClient::GetInstance();
291 if (!instance) {
292 return false;
293 }
294
295 bool isEnabled = false;
296 GetObject<bool>(isEnabled, &data[0], size);
297 instance->IsTouchExplorationEnabled(isEnabled);
298 return true;
299 }
300
GetEnabledAbilitiesFuzzTest(const uint8_t * data,size_t size)301 bool GetEnabledAbilitiesFuzzTest(const uint8_t* data, size_t size)
302 {
303 if (data == nullptr || size < DATA_MIN_SIZE) {
304 return false;
305 }
306
307 auto instance = AccessibilitySystemAbilityClient::GetInstance();
308 if (!instance) {
309 return false;
310 }
311
312 size_t position = 0;
313 char name[LEN + 1];
314 name[LEN] = END_CHAR;
315 for (size_t i = 0; i < LEN; i++) {
316 position += GetObject<char>(name[i], &data[position], size - position);
317 }
318 std::string enabledAbility(name);
319 std::vector<std::string> enabledAbilities;
320 enabledAbilities.emplace_back(enabledAbility);
321 instance->GetEnabledAbilities(enabledAbilities);
322 return true;
323 }
324
SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t * data,size_t size)325 bool SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t* data, size_t size)
326 {
327 if (data == nullptr || size < DATA_MIN_SIZE) {
328 return false;
329 }
330
331 int32_t requestId = 0;
332 GetObject<int32_t>(requestId, &data[0], size);
333 std::list<AccessibilityElementInfo> infos;
334 g_asacImpl_.SetSearchElementInfoByAccessibilityIdResult(infos, requestId);
335 return true;
336 }
337
SetSearchElementInfoByTextResultFuzzTest(const uint8_t * data,size_t size)338 bool SetSearchElementInfoByTextResultFuzzTest(const uint8_t* data, size_t size)
339 {
340 if (data == nullptr || size < DATA_MIN_SIZE) {
341 return false;
342 }
343
344 int32_t requestId = 0;
345 GetObject<int32_t>(requestId, &data[0], size);
346 std::list<AccessibilityElementInfo> infos;
347 g_asacImpl_.SetSearchElementInfoByTextResult(infos, requestId);
348 return true;
349 }
350
SetFindFocusedElementInfoResultFuzzTest(const uint8_t * data,size_t size)351 bool SetFindFocusedElementInfoResultFuzzTest(const uint8_t* data, size_t size)
352 {
353 if (data == nullptr || size < DATA_MIN_SIZE) {
354 return false;
355 }
356
357 int32_t requestId = 0;
358 GetObject<int32_t>(requestId, &data[0], size);
359 AccessibilityElementInfo info;
360 g_asacImpl_.SetFindFocusedElementInfoResult(info, requestId);
361 return true;
362 }
363
SetFocusMoveSearchResultFuzzTest(const uint8_t * data,size_t size)364 bool SetFocusMoveSearchResultFuzzTest(const uint8_t* data, size_t size)
365 {
366 if (data == nullptr || size < DATA_MIN_SIZE) {
367 return false;
368 }
369
370 int32_t requestId = 0;
371 GetObject<int32_t>(requestId, &data[0], size);
372 AccessibilityElementInfo info;
373 g_asacImpl_.SetFocusMoveSearchResult(info, requestId);
374 return true;
375 }
376
SetExecuteActionResultFuzzTest(const uint8_t * data,size_t size)377 bool SetExecuteActionResultFuzzTest(const uint8_t* data, size_t size)
378 {
379 if (data == nullptr || size < DATA_MIN_SIZE) {
380 return false;
381 }
382
383 size_t position = 0;
384 bool succeeded = false;
385 int32_t requestId = 0;
386 position += GetObject<bool>(succeeded, &data[position], size - position);
387 GetObject<int32_t>(requestId, &data[position], size - position);
388 g_asacImpl_.SetExecuteActionResult(succeeded, requestId);
389 return true;
390 }
391 } // namespace Accessibility
392 } // namespace OHOS
393
394 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)395 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
396 {
397 /* Run your code on data */
398 OHOS::Accessibility::RegisterElementOperatorFuzzTest(data, size);
399 OHOS::Accessibility::GetAbilityListFuzzTest(data, size);
400 OHOS::Accessibility::SendEventFuzzTest(data, size);
401 OHOS::Accessibility::SubscribeStateObserverFuzzTest(data, size);
402 OHOS::Accessibility::IsEnabledFuzzTest(data, size);
403 OHOS::Accessibility::IsTouchExplorationEnabledFuzzTest(data, size);
404 OHOS::Accessibility::GetEnabledAbilitiesFuzzTest(data, size);
405 OHOS::Accessibility::SetSearchElementInfoByAccessibilityIdResultFuzzTest(data, size);
406 OHOS::Accessibility::SetSearchElementInfoByTextResultFuzzTest(data, size);
407 OHOS::Accessibility::SetFindFocusedElementInfoResultFuzzTest(data, size);
408 OHOS::Accessibility::SetFocusMoveSearchResultFuzzTest(data, size);
409 OHOS::Accessibility::SetExecuteActionResultFuzzTest(data, size);
410 return 0;
411 }