1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "rsrenderservicestub_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <if_system_ability_manager.h>
21 #include <iremote_stub.h>
22 #include <iservice_registry.h>
23 #include <message_option.h>
24 #include <message_parcel.h>
25 #include <system_ability_definition.h>
26 #include <securec.h>
27
28 #include "platform/ohos/rs_irender_service.h"
29 #include "platform/ohos/rs_irender_service_ipc_interface_code_access_verifier.h"
30 #include "platform/ohos/rs_render_service_proxy.h"
31 #include "pipeline/rs_render_service.h"
32 #include "transaction/rs_render_service_stub.h"
33
34 namespace OHOS {
35 namespace Rosen {
36 namespace {
37 const uint8_t* DATA = nullptr;
38 size_t g_size = 0;
39 size_t g_pos;
40 } // namespace
41
42 template<class T>
GetData()43 T GetData()
44 {
45 T object {};
46 size_t objectSize = sizeof(object);
47 if (DATA == nullptr || objectSize > g_size - g_pos) {
48 return object;
49 }
50 errno_t ret = memcpy_s(&object, objectSize, DATA + g_pos, objectSize);
51 if (ret != EOK) {
52 return {};
53 }
54 g_pos += objectSize;
55 return object;
56 }
57
RSStubFuzztest001(const uint8_t * data,size_t size)58 bool RSStubFuzztest001(const uint8_t* data, size_t size)
59 {
60 if (data == nullptr) {
61 return false;
62 }
63 // initialize
64 DATA = data;
65 g_size = size;
66 g_pos = 0;
67
68 // get data
69 uint32_t code = GetData<uint32_t>();
70 sptr<RSRenderServiceStub> stub = new RSRenderService();
71 MessageParcel data1;
72 MessageParcel reply;
73 MessageOption option;
74 stub->OnRemoteRequest(code, data1, reply, option);
75 return true;
76 }
77
RSStubFuzztest002(const uint8_t * data,size_t size)78 bool RSStubFuzztest002(const uint8_t* data, size_t size)
79 {
80 if (data == nullptr) {
81 return false;
82 }
83 // initialize
84 DATA = data;
85 g_size = size;
86 g_pos = 0;
87
88 // get data
89 uint32_t code = static_cast<uint32_t>(RSIRenderServiceInterfaceCode::CREATE_CONNECTION);
90 sptr<RSRenderServiceStub> stub = new RSRenderService();
91 MessageParcel data1;
92 MessageParcel reply;
93 MessageOption option;
94 data1.WriteInterfaceToken(RSIRenderService::GetDescriptor());
95 stub->OnRemoteRequest(code, data1, reply, option);
96 return true;
97 }
98
RSStubFuzztest003(const uint8_t * data,size_t size)99 bool RSStubFuzztest003(const uint8_t* data, size_t size)
100 {
101 if (data == nullptr) {
102 return false;
103 }
104 // initialize
105 DATA = data;
106 g_size = size;
107 g_pos = 0;
108
109 // get data
110 uint32_t code = GetData<uint32_t>();
111 auto samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
112 auto remoteObject = samgr->GetSystemAbility(RENDER_SERVICE);
113 sptr<RSIRenderService> renderService = iface_cast<RSRenderServiceProxy>(remoteObject);
114 sptr<RSRenderServiceStub> stub = new RSRenderService();
115 sptr<RSIConnectionToken> token = new IRemoteStub<RSIConnectionToken>();
116 sptr<RSIRenderServiceConnection> conn = renderService->CreateConnection(token);
117 MessageOption option;
118 MessageParcel data1;
119 MessageParcel reply;
120 data1.WriteInterfaceToken(RSIRenderServiceConnection::GetDescriptor());
121 stub->OnRemoteRequest(code, data1, reply, option);
122 return true;
123 }
124
RSStubFuzztest004(const uint8_t * data,size_t size)125 bool RSStubFuzztest004(const uint8_t* data, size_t size)
126 {
127 if (data == nullptr) {
128 return false;
129 }
130 // initialize
131 DATA = data;
132 g_size = size;
133 g_pos = 0;
134
135 // get data
136 uint32_t code = GetData<uint32_t>();
137 sptr<RSRenderServiceStub> stub = new RSRenderService();
138 sptr<RSIConnectionToken> token = new IRemoteStub<RSIConnectionToken>();
139 MessageParcel data1;
140 MessageParcel reply;
141 MessageOption option;
142 data1.WriteInterfaceToken(RSIRenderService::GetDescriptor());
143 data1.WriteRemoteObject(token->AsObject());
144 stub->OnRemoteRequest(code, data1, reply, option);
145 return true;
146 }
147 } // namespace Rosen
148 } // namespace OHOS
149
150 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)151 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
152 {
153 /* Run your code on data */
154 OHOS::Rosen::RSStubFuzztest001(data, size);
155 OHOS::Rosen::RSStubFuzztest002(data, size);
156 OHOS::Rosen::RSStubFuzztest003(data, size);
157 OHOS::Rosen::RSStubFuzztest004(data, size);
158 return 0;
159 }