• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "securec.h"
17 #include "avsession_log.h"
18 #include "iremote_proxy.h"
19 #include "avcontroller_callback_proxy.h"
20 #include "iavcontroller_callback.h"
21 #include "iremote_proxy.h"
22 #include "avsession_log.h"
23 #include "avsession_errors.h"
24 #include "system_ability_definition.h"
25 #include "avsession_service.h"
26 #include "ability_connect_helper_fuzzer.h"
27 
28 using namespace std;
29 using namespace OHOS;
30 using namespace OHOS::AVSession;
31 
32 static const int32_t MAX_CODE_LEN  = 20;
33 static const int32_t MIN_SIZE_NUM = 10;
34 static const uint8_t *RAW_DATA = nullptr;
35 static size_t g_totalSize = 0;
36 static size_t g_sizePos;
37 
38 namespace {
39     /*
40     * describe: get data from FUZZ untrusted data(RAW_DATA) which size is according to sizeof(T)
41     * tips: only support basic type
42     */
43     template<class T>
GetData()44     T GetData()
45     {
46         T object {};
47         size_t objectSize = sizeof(object);
48         if (RAW_DATA == nullptr || objectSize > g_totalSize - g_sizePos) {
49             return object;
50         }
51         errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_sizePos, objectSize);
52         if (ret != EOK) {
53             return {};
54         }
55         g_sizePos += objectSize;
56         return object;
57     }
58 
GetString()59     std::string GetString()
60     {
61         size_t objectSize = (GetData<int8_t>() % MAX_CODE_LEN) + 1;
62         if (RAW_DATA == nullptr || objectSize > g_totalSize - g_sizePos) {
63             return "OVER_SIZE";
64         }
65         char object[objectSize + 1];
66         errno_t ret = memcpy_s(object, sizeof(object), RAW_DATA + g_sizePos, objectSize);
67         if (ret != EOK) {
68             return "";
69         }
70         g_sizePos += objectSize;
71         std::string output(object);
72         return output;
73     }
74 
75     template<class T>
GetArrLength(T & arr)76     uint32_t GetArrLength(T& arr)
77     {
78         if (arr == nullptr) {
79             SLOGE("%{public}s: The array length is equal to 0", __func__);
80             return 0;
81         }
82         return sizeof(arr) / sizeof(arr[0]);
83     }
84 
85     typedef void (*TestFuncs[3])();
86 
87     TestFuncs g_allFuncs = {
88         AbilityConnectHelperFuzzTest,
89         AbilityConnectionStubFuzzTest,
90         AbilityConnectCallbackFuzzTest
91     };
92 
FuzzTest(const uint8_t * rawData,size_t size)93     bool FuzzTest(const uint8_t* rawData, size_t size)
94     {
95         if (rawData == nullptr) {
96             return false;
97         }
98 
99         // initialize data
100         RAW_DATA = rawData;
101         g_totalSize = size;
102         g_sizePos = 0;
103 
104         uint32_t code = GetData<uint32_t>();
105         uint32_t len = GetArrLength(g_allFuncs);
106         if (len > 0) {
107             g_allFuncs[code % len]();
108         } else {
109             SLOGE("%{public}s: The len length is equal to 0", __func__);
110         }
111 
112         return true;
113     }
114 }
115 
AbilityConnectHelperFuzzTest()116 void OHOS::AVSession::AbilityConnectHelperFuzzTest()
117 {
118     std::string bundleName = GetString();
119     std::string abilityName = GetString();
120 
121     AbilityConnectHelper::GetInstance().StartAbilityByCall(bundleName, abilityName);
122 }
123 
AbilityConnectionStubFuzzTest()124 void OHOS::AVSession::AbilityConnectionStubFuzzTest()
125 {
126     MessageParcel Parcel;
127     MessageParcel reply;
128     MessageOption option;
129     uint32_t code = GetData<uint32_t>();
130 
131     AbilityConnectCallback abilityConnectCallback;
132     abilityConnectCallback.OnRemoteRequest(code, Parcel, reply, option);
133 }
134 
AbilityConnectCallbackFuzzTest()135 void OHOS::AVSession::AbilityConnectCallbackFuzzTest()
136 {
137     OHOS::AppExecFwk::ElementName elementName;
138     int resultCode = GetData<int32_t>();
139     AbilityConnectCallback abilityConnectCallback;
140     sptr<IRemoteObject> remoteObject = nullptr;
141 
142     abilityConnectCallback.OnAbilityConnectDone(elementName, remoteObject, resultCode);
143     abilityConnectCallback.OnAbilityDisconnectDone(elementName, resultCode);
144 }
145 
146 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(uint8_t * data,size_t size)147 extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size)
148 {
149     if (size < MIN_SIZE_NUM) {
150         return 0;
151     }
152     /* Run your code on data */
153     FuzzTest(data, size);
154     return 0;
155 }