1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibilitysystemabilityclient_fuzzer.h"
17 #include "accessibility_system_ability_client_impl.h"
18 #include "securec.h"
19
20 namespace OHOS {
21 namespace Accessibility {
22 namespace {
23 constexpr size_t DATA_MIN_SIZE = 200;
24 constexpr char END_CHAR = '\0';
25 constexpr size_t LEN = 10;
26 }
27 static AccessibilitySystemAbilityClientImpl g_asacImpl_;
28
29 template<class T>
GetObject(T & object,const uint8_t * data,size_t size)30 size_t GetObject(T &object, const uint8_t *data, size_t size)
31 {
32 size_t objectSize = sizeof(object);
33 if (objectSize > size) {
34 return 0;
35 }
36 return memcpy_s(&object, objectSize, data, objectSize) == EOK ? objectSize : 0;
37 }
38
39 class ElementOperatorForFuzzTest : public AccessibilityElementOperator {
40 public:
41 virtual ~ElementOperatorForFuzzTest() = default;
SearchElementInfoByAccessibilityId(const int32_t elementId,const int32_t requestId,AccessibilityElementOperatorCallback & callback,const int32_t mode)42 void SearchElementInfoByAccessibilityId(const int32_t elementId,
43 const int32_t requestId, AccessibilityElementOperatorCallback &callback, const int32_t mode) override {}
44
SearchElementInfosByText(const int32_t elementId,const std::string & text,const int32_t requestId,AccessibilityElementOperatorCallback & callback)45 void SearchElementInfosByText(const int32_t elementId, const std::string &text,
46 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
47
FindFocusedElementInfo(const int32_t elementId,const int32_t focusType,const int32_t requestId,AccessibilityElementOperatorCallback & callback)48 void FindFocusedElementInfo(const int32_t elementId, const int32_t focusType, const int32_t requestId,
49 AccessibilityElementOperatorCallback &callback) override {}
50
FocusMoveSearch(const int32_t elementId,const int32_t direction,const int32_t requestId,AccessibilityElementOperatorCallback & callback)51 void FocusMoveSearch(const int32_t elementId, const int32_t direction, const int32_t requestId,
52 AccessibilityElementOperatorCallback &callback) override {}
53
ExecuteAction(const int32_t elementId,const int32_t action,const std::map<std::string,std::string> & actionArguments,const int32_t requestId,AccessibilityElementOperatorCallback & callback)54 void ExecuteAction(const int32_t elementId, const int32_t action,
55 const std::map<std::string, std::string> &actionArguments,
56 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
ClearFocus()57 void ClearFocus() override {}
OutsideTouch()58 void OutsideTouch() override {}
59 };
60
61 class StateObserverForFuzzTest : public AccessibilityStateObserver {
62 public:
63 virtual ~StateObserverForFuzzTest() = default;
OnStateChanged(const bool state)64 void OnStateChanged(const bool state) {}
65 };
66
CreateEventInfo(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size)67 static size_t CreateEventInfo(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size)
68 {
69 size_t position = 0;
70 int32_t componentId = 0;
71 position += GetObject<int32_t>(componentId, &data[position], size - position);
72 eventInfo.SetSource(componentId);
73 int32_t windowId = 0;
74 position += GetObject<int32_t>(windowId, &data[position], size - position);
75 eventInfo.SetWindowId(windowId);
76 int32_t index = 0;
77 position += GetObject<int32_t>(index, &data[position], size - position);
78 eventInfo.SetCurrentIndex(index);
79 position += GetObject<int32_t>(index, &data[position], size - position);
80 eventInfo.SetBeginIndex(index);
81 position += GetObject<int32_t>(index, &data[position], size - position);
82 eventInfo.SetEndIndex(index);
83 int32_t itemCounts = 0;
84 position += GetObject<int32_t>(itemCounts, &data[position], size - position);
85 eventInfo.SetItemCounts(itemCounts);
86 WindowsContentChangeTypes changeTypes;
87 position += GetObject<WindowsContentChangeTypes>(changeTypes, &data[position], size - position);
88 eventInfo.SetWindowContentChangeTypes(changeTypes);
89 WindowUpdateType updateTypes;
90 position += GetObject<WindowUpdateType>(updateTypes, &data[position], size - position);
91 eventInfo.SetWindowChangeTypes(updateTypes);
92 EventType eventType;
93 position += GetObject<EventType>(eventType, &data[position], size - position);
94 eventInfo.SetEventType(eventType);
95 int64_t timeStamp = 0;
96 position += GetObject<int64_t>(timeStamp, &data[position], size - position);
97 eventInfo.SetTimeStamp(timeStamp);
98 TextMoveUnit granularity;
99 position += GetObject<TextMoveUnit>(granularity, &data[position], size - position);
100 eventInfo.SetTextMovementStep(granularity);
101 ActionType action;
102 position += GetObject<ActionType>(action, &data[position], size - position);
103 eventInfo.SetTriggerAction(action);
104 NotificationCategory category;
105 position += GetObject<NotificationCategory>(category, &data[position], size - position);
106 eventInfo.SetNotificationInfo(category);
107 GestureType gestureType;
108 position += GetObject<GestureType>(gestureType, &data[position], size - position);
109 eventInfo.SetGestureType(gestureType);
110 int32_t pageId = 0;
111 position += GetObject<int32_t>(pageId, &data[position], size - position);
112 eventInfo.SetPageId(pageId);
113
114 char name[LEN + 1];
115 name[LEN] = END_CHAR;
116 for (size_t i = 0; i < LEN; i++) {
117 position += GetObject<char>(name[i], &data[position], size - position);
118 }
119 std::string className(name);
120 eventInfo.SetComponentType(className);
121
122 for (size_t i = 0; i < LEN; i++) {
123 position += GetObject<char>(name[i], &data[position], size - position);
124 }
125 std::string beforeText(name);
126 eventInfo.SetBeforeText(beforeText);
127
128 for (size_t i = 0; i < LEN; i++) {
129 position += GetObject<char>(name[i], &data[position], size - position);
130 }
131 std::string content(name);
132 eventInfo.AddContent(content);
133
134 for (size_t i = 0; i < LEN; i++) {
135 position += GetObject<char>(name[i], &data[position], size - position);
136 }
137 std::string lastContent(name);
138 eventInfo.SetLatestContent(lastContent);
139
140 for (size_t i = 0; i < LEN; i++) {
141 position += GetObject<char>(name[i], &data[position], size - position);
142 }
143 std::string contentDescription(name);
144 eventInfo.SetDescription(contentDescription);
145
146 for (size_t i = 0; i < LEN; i++) {
147 position += GetObject<char>(name[i], &data[position], size - position);
148 }
149 std::string bundleName(name);
150 eventInfo.SetBundleName(bundleName);
151
152 for (size_t i = 0; i < LEN; i++) {
153 position += GetObject<char>(name[i], &data[position], size - position);
154 }
155 std::string notificationContent(name);
156 eventInfo.SetNotificationContent(notificationContent);
157
158 return position;
159 }
160
RegisterElementOperatorFuzzTest(const uint8_t * data,size_t size)161 bool RegisterElementOperatorFuzzTest(const uint8_t* data, size_t size)
162 {
163 if (data == nullptr || size < DATA_MIN_SIZE) {
164 return false;
165 }
166
167 auto instance = AccessibilitySystemAbilityClient::GetInstance();
168 if (!instance) {
169 return false;
170 }
171
172 size_t position = 0;
173 int32_t windowId = 0;
174 position += GetObject<int32_t>(windowId, &data[position], size - position);
175 std::shared_ptr<ElementOperatorForFuzzTest> elementOperator = std::make_shared<ElementOperatorForFuzzTest>();
176 instance->RegisterElementOperator(windowId, elementOperator);
177
178 GetObject<int32_t>(windowId, &data[position], size - position);
179 instance->DeregisterElementOperator(windowId);
180 return true;
181 }
182
GetAbilityListFuzzTest(const uint8_t * data,size_t size)183 bool GetAbilityListFuzzTest(const uint8_t* data, size_t size)
184 {
185 if (data == nullptr || size < DATA_MIN_SIZE) {
186 return false;
187 }
188
189 auto instance = AccessibilitySystemAbilityClient::GetInstance();
190 if (!instance) {
191 return false;
192 }
193
194 size_t position = 0;
195 uint32_t abilityTypes = 0;
196 position += GetObject<uint32_t>(abilityTypes, &data[position], size - position);
197 AbilityStateType stateType;
198 GetObject<AbilityStateType>(stateType, &data[position], size - position);
199 std::vector<AccessibilityAbilityInfo> infos;
200 instance->GetAbilityList(abilityTypes, stateType, infos);
201 return true;
202 }
203
SendEventFuzzTest(const uint8_t * data,size_t size)204 bool SendEventFuzzTest(const uint8_t* data, size_t size)
205 {
206 if (data == nullptr || size < DATA_MIN_SIZE) {
207 return false;
208 }
209
210 auto instance = AccessibilitySystemAbilityClient::GetInstance();
211 if (!instance) {
212 return false;
213 }
214
215 size_t position = 0;
216 EventType eventType;
217 position += GetObject<EventType>(eventType, &data[position], size - position);
218 int32_t componentId = 0;
219 position += GetObject<int32_t>(componentId, &data[position], size - position);
220 instance->SendEvent(eventType, componentId);
221
222 AccessibilityEventInfo eventInfo;
223 (void)CreateEventInfo(eventInfo, data, size - position);
224 instance->SendEvent(eventInfo);
225 return true;
226 }
227
SubscribeStateObserverFuzzTest(const uint8_t * data,size_t size)228 bool SubscribeStateObserverFuzzTest(const uint8_t* data, size_t size)
229 {
230 if (data == nullptr || size < DATA_MIN_SIZE) {
231 return false;
232 }
233
234 auto instance = AccessibilitySystemAbilityClient::GetInstance();
235 if (!instance) {
236 return false;
237 }
238
239 size_t position = 0;
240 uint32_t eventTypes = 0;
241 position += GetObject<uint32_t>(eventTypes, &data[position], size - position);
242 std::shared_ptr<StateObserverForFuzzTest> observer = std::make_shared<StateObserverForFuzzTest>();
243 instance->SubscribeStateObserver(observer, eventTypes);
244
245 GetObject<uint32_t>(eventTypes, &data[position], size - position);
246 instance->UnsubscribeStateObserver(observer, eventTypes);
247 return true;
248 }
249
IsEnabledFuzzTest(const uint8_t * data,size_t size)250 bool IsEnabledFuzzTest(const uint8_t* data, size_t size)
251 {
252 if (data == nullptr || size < DATA_MIN_SIZE) {
253 return false;
254 }
255
256 auto instance = AccessibilitySystemAbilityClient::GetInstance();
257 if (!instance) {
258 return false;
259 }
260
261 bool isEnabled = false;
262 GetObject<bool>(isEnabled, &data[0], size);
263 instance->IsEnabled(isEnabled);
264 return true;
265 }
266
IsTouchExplorationEnabledFuzzTest(const uint8_t * data,size_t size)267 bool IsTouchExplorationEnabledFuzzTest(const uint8_t* data, size_t size)
268 {
269 if (data == nullptr || size < DATA_MIN_SIZE) {
270 return false;
271 }
272
273 auto instance = AccessibilitySystemAbilityClient::GetInstance();
274 if (!instance) {
275 return false;
276 }
277
278 bool isEnabled = false;
279 GetObject<bool>(isEnabled, &data[0], size);
280 instance->IsTouchExplorationEnabled(isEnabled);
281 return true;
282 }
283
GetEnabledAbilitiesFuzzTest(const uint8_t * data,size_t size)284 bool GetEnabledAbilitiesFuzzTest(const uint8_t* data, size_t size)
285 {
286 if (data == nullptr || size < DATA_MIN_SIZE) {
287 return false;
288 }
289
290 auto instance = AccessibilitySystemAbilityClient::GetInstance();
291 if (!instance) {
292 return false;
293 }
294
295 size_t position = 0;
296 char name[LEN + 1];
297 name[LEN] = END_CHAR;
298 for (size_t i = 0; i < LEN; i++) {
299 position += GetObject<char>(name[i], &data[position], size - position);
300 }
301 std::string enabledAbility(name);
302 std::vector<std::string> enabledAbilities;
303 enabledAbilities.emplace_back(enabledAbility);
304 instance->GetEnabledAbilities(enabledAbilities);
305 return true;
306 }
307
SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t * data,size_t size)308 bool SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t* data, size_t size)
309 {
310 if (data == nullptr || size < DATA_MIN_SIZE) {
311 return false;
312 }
313
314 int32_t requestId = 0;
315 GetObject<int32_t>(requestId, &data[0], size);
316 std::list<AccessibilityElementInfo> infos;
317 g_asacImpl_.SetSearchElementInfoByAccessibilityIdResult(infos, requestId);
318 return true;
319 }
320
SetSearchElementInfoByTextResultFuzzTest(const uint8_t * data,size_t size)321 bool SetSearchElementInfoByTextResultFuzzTest(const uint8_t* data, size_t size)
322 {
323 if (data == nullptr || size < DATA_MIN_SIZE) {
324 return false;
325 }
326
327 int32_t requestId = 0;
328 GetObject<int32_t>(requestId, &data[0], size);
329 std::list<AccessibilityElementInfo> infos;
330 g_asacImpl_.SetSearchElementInfoByTextResult(infos, requestId);
331 return true;
332 }
333
SetFindFocusedElementInfoResultFuzzTest(const uint8_t * data,size_t size)334 bool SetFindFocusedElementInfoResultFuzzTest(const uint8_t* data, size_t size)
335 {
336 if (data == nullptr || size < DATA_MIN_SIZE) {
337 return false;
338 }
339
340 int32_t requestId = 0;
341 GetObject<int32_t>(requestId, &data[0], size);
342 AccessibilityElementInfo info;
343 g_asacImpl_.SetFindFocusedElementInfoResult(info, requestId);
344 return true;
345 }
346
SetFocusMoveSearchResultFuzzTest(const uint8_t * data,size_t size)347 bool SetFocusMoveSearchResultFuzzTest(const uint8_t* data, size_t size)
348 {
349 if (data == nullptr || size < DATA_MIN_SIZE) {
350 return false;
351 }
352
353 int32_t requestId = 0;
354 GetObject<int32_t>(requestId, &data[0], size);
355 AccessibilityElementInfo info;
356 g_asacImpl_.SetFocusMoveSearchResult(info, requestId);
357 return true;
358 }
359
SetExecuteActionResultFuzzTest(const uint8_t * data,size_t size)360 bool SetExecuteActionResultFuzzTest(const uint8_t* data, size_t size)
361 {
362 if (data == nullptr || size < DATA_MIN_SIZE) {
363 return false;
364 }
365
366 size_t position = 0;
367 bool succeeded = false;
368 int32_t requestId = 0;
369 position += GetObject<bool>(succeeded, &data[position], size - position);
370 GetObject<int32_t>(requestId, &data[position], size - position);
371 g_asacImpl_.SetExecuteActionResult(succeeded, requestId);
372 return true;
373 }
374 } // namespace Accessibility
375 } // namespace OHOS
376
377 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)378 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
379 {
380 /* Run your code on data */
381 OHOS::Accessibility::RegisterElementOperatorFuzzTest(data, size);
382 OHOS::Accessibility::GetAbilityListFuzzTest(data, size);
383 OHOS::Accessibility::SendEventFuzzTest(data, size);
384 OHOS::Accessibility::SubscribeStateObserverFuzzTest(data, size);
385 OHOS::Accessibility::IsEnabledFuzzTest(data, size);
386 OHOS::Accessibility::IsTouchExplorationEnabledFuzzTest(data, size);
387 OHOS::Accessibility::GetEnabledAbilitiesFuzzTest(data, size);
388 OHOS::Accessibility::SetSearchElementInfoByAccessibilityIdResultFuzzTest(data, size);
389 OHOS::Accessibility::SetSearchElementInfoByTextResultFuzzTest(data, size);
390 OHOS::Accessibility::SetFindFocusedElementInfoResultFuzzTest(data, size);
391 OHOS::Accessibility::SetFocusMoveSearchResultFuzzTest(data, size);
392 OHOS::Accessibility::SetExecuteActionResultFuzzTest(data, size);
393 return 0;
394 }