1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibleabilitychannelstub_fuzzer.h"
17 #include "accessible_ability_channel_stub.h"
18 #include "accessibility_ipc_interface_code.h"
19 #include "parcel/accessibility_gesture_inject_path_parcel.h"
20 #include "securec.h"
21
22 namespace OHOS {
23 namespace Accessibility {
24 namespace {
25 constexpr size_t DATA_MIN_SIZE = 200;
26 constexpr char END_CHAR = '\0';
27 constexpr size_t LEN = 10;
28 }
29
30 class AbilityChannelImplFuzzTest : public AccessibleAbilityChannelStub {
31 public:
32 AbilityChannelImplFuzzTest() = default;
33 ~AbilityChannelImplFuzzTest() = default;
34
SearchElementInfoByAccessibilityId(const ElementBasicInfo elementBasicInfo,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback,const int32_t mode,bool isFilter)35 RetError SearchElementInfoByAccessibilityId(const ElementBasicInfo elementBasicInfo,
36 const int32_t requestId, const sptr<IAccessibilityElementOperatorCallback> &callback,
37 const int32_t mode, bool isFilter) override
38 {
39 return RET_OK;
40 }
SearchDefaultFocusedByWindowId(const ElementBasicInfo elementBasicInfo,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback,const int32_t mode,bool isFilter)41 RetError SearchDefaultFocusedByWindowId(const ElementBasicInfo elementBasicInfo,
42 const int32_t requestId, const sptr<IAccessibilityElementOperatorCallback> &callback,
43 const int32_t mode, bool isFilter) override
44 {
45 return RET_OK;
46 }
SearchElementInfosByText(const int32_t accessibilityWindowId,const int64_t elementId,const std::string & text,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)47 RetError SearchElementInfosByText(const int32_t accessibilityWindowId, const int64_t elementId,
48 const std::string &text, const int32_t requestId,
49 const sptr<IAccessibilityElementOperatorCallback> &callback) override
50 {
51 return RET_OK;
52 }
FindFocusedElementInfo(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t focusType,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)53 RetError FindFocusedElementInfo(const int32_t accessibilityWindowId, const int64_t elementId,
54 const int32_t focusType, const int32_t requestId,
55 const sptr<IAccessibilityElementOperatorCallback> &callback) override
56 {
57 return RET_OK;
58 }
FocusMoveSearch(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t direction,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)59 RetError FocusMoveSearch(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t direction,
60 const int32_t requestId, const sptr<IAccessibilityElementOperatorCallback> &callback) override
61 {
62 return RET_OK;
63 }
ExecuteAction(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t action,const std::map<std::string,std::string> & actionArguments,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)64 RetError ExecuteAction(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t action,
65 const std::map<std::string, std::string> &actionArguments, const int32_t requestId,
66 const sptr<IAccessibilityElementOperatorCallback> &callback) override
67 {
68 return RET_OK;
69 }
EnableScreenCurtain(bool isEnable)70 RetError EnableScreenCurtain(bool isEnable) override
71 {
72 return RET_OK;
73 }
GetCursorPosition(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)74 RetError GetCursorPosition(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t requestId,
75 const sptr<IAccessibilityElementOperatorCallback> &callback) override
76 {
77 return RET_OK;
78 }
GetWindow(const int32_t windowId,AccessibilityWindowInfo & windowInfo)79 RetError GetWindow(const int32_t windowId, AccessibilityWindowInfo &windowInfo) override
80 {
81 return RET_OK;
82 }
GetWindows(std::vector<AccessibilityWindowInfo> & windows)83 RetError GetWindows(std::vector<AccessibilityWindowInfo> &windows) override
84 {
85 return RET_OK;
86 }
GetWindowsByDisplayId(const uint64_t displayId,std::vector<AccessibilityWindowInfo> & windows)87 RetError GetWindowsByDisplayId(const uint64_t displayId, std::vector<AccessibilityWindowInfo> &windows) override
88 {
89 return RET_OK;
90 }
SetOnKeyPressEventResult(const bool handled,const int32_t sequence)91 void SetOnKeyPressEventResult(const bool handled, const int32_t sequence) override {}
SendSimulateGesture(const std::shared_ptr<AccessibilityGestureInjectPath> & gesturePath)92 RetError SendSimulateGesture(const std::shared_ptr<AccessibilityGestureInjectPath> &gesturePath) override
93 {
94 return RET_OK;
95 }
SetTargetBundleName(const std::vector<std::string> & targetBundleNames)96 RetError SetTargetBundleName(const std::vector<std::string> &targetBundleNames) override
97 {
98 return RET_OK;
99 }
100 };
101
102 template<class T>
GetObject(T & object,const uint8_t * data,size_t size)103 size_t GetObject(T &object, const uint8_t *data, size_t size)
104 {
105 size_t objectSize = sizeof(object);
106 if (objectSize > size) {
107 return 0;
108 }
109 return memcpy_s(&object, objectSize, data, objectSize) == EOK ? objectSize : 0;
110 }
111
FuzzHandleSearchElementInfoByAccessibilityId(const uint8_t * data,size_t size)112 bool FuzzHandleSearchElementInfoByAccessibilityId(const uint8_t *data, size_t size)
113 {
114 if (data == nullptr || size < DATA_MIN_SIZE) {
115 return false;
116 }
117
118 size_t position = 0;
119 int32_t accessibilityWindowId = 0;
120 int64_t elementId = 0;
121 int32_t requestId = 0;
122 MessageParcel mdata;
123 MessageParcel reply;
124 MessageOption option(MessageOption::TF_SYNC);
125
126 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
127 position += GetObject<int64_t>(elementId, &data[position], size - position);
128 GetObject<int32_t>(requestId, &data[position], size - position);
129 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
130 if (chanImp == nullptr) {
131 return false;
132 }
133 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
134 mdata.WriteInt32(accessibilityWindowId);
135 mdata.WriteInt64(elementId);
136 mdata.WriteInt32(requestId);
137 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEARCH_ELEMENTINFO_BY_ACCESSIBILITY_ID),
138 mdata, reply, option);
139 return true;
140 }
141
FuzzHandleSearchElementInfosByText(const uint8_t * data,size_t size)142 bool FuzzHandleSearchElementInfosByText(const uint8_t *data, size_t size)
143 {
144 if (data == nullptr || size < DATA_MIN_SIZE) {
145 return false;
146 }
147
148 size_t position = 0;
149 int32_t accessibilityWindowId = 0;
150 int64_t elementId = 0;
151 int32_t requestId = 0;
152 MessageParcel mdata;
153 MessageParcel reply;
154 MessageOption option(MessageOption::TF_SYNC);
155
156 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
157 position += GetObject<int64_t>(elementId, &data[position], size - position);
158 char name[LEN + 1];
159 name[LEN] = END_CHAR;
160 for (size_t i = 0; i < LEN; i++) {
161 position += GetObject<char>(name[i], data + position, size - position);
162 }
163 std::string text(name);
164 GetObject<int32_t>(requestId, &data[position], size - position);
165 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
166 if (chanImp == nullptr) {
167 return false;
168 }
169 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
170 mdata.WriteInt32(accessibilityWindowId);
171 mdata.WriteInt64(elementId);
172 mdata.WriteString(text);
173 mdata.WriteInt32(requestId);
174 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEARCH_ELEMENTINFOS_BY_TEXT),
175 mdata, reply, option);
176 return true;
177 }
178
FuzzHandleFindFocusedElementInfo(const uint8_t * data,size_t size)179 bool FuzzHandleFindFocusedElementInfo(const uint8_t *data, size_t size)
180 {
181 if (data == nullptr || size < DATA_MIN_SIZE) {
182 return false;
183 }
184
185 size_t position = 0;
186 int32_t accessibilityWindowId = 0;
187 int64_t elementId = 0;
188 int32_t focusType = 0;
189 int32_t requestId = 0;
190 MessageParcel mdata;
191 MessageParcel reply;
192 MessageOption option(MessageOption::TF_SYNC);
193
194 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
195 position += GetObject<int64_t>(elementId, &data[position], size - position);
196 position += GetObject<int32_t>(focusType, &data[position], size - position);
197 GetObject<int32_t>(requestId, &data[position], size - position);
198 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
199 if (chanImp == nullptr) {
200 return false;
201 }
202 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
203 mdata.WriteInt32(accessibilityWindowId);
204 mdata.WriteInt64(elementId);
205 mdata.WriteInt32(focusType);
206 mdata.WriteInt32(requestId);
207 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::FIND_FOCUSED_ELEMENTINFO),
208 mdata, reply, option);
209 return true;
210 }
211
FuzzHandleFocusMoveSearch(const uint8_t * data,size_t size)212 bool FuzzHandleFocusMoveSearch(const uint8_t *data, size_t size)
213 {
214 if (data == nullptr || size < DATA_MIN_SIZE) {
215 return false;
216 }
217
218 size_t position = 0;
219 int32_t accessibilityWindowId = 0;
220 int64_t elementId = 0;
221 int32_t direction = 0;
222 int32_t requestId = 0;
223 MessageParcel mdata;
224 MessageParcel reply;
225 MessageOption option(MessageOption::TF_SYNC);
226
227 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
228 position += GetObject<int64_t>(elementId, &data[position], size - position);
229 position += GetObject<int32_t>(direction, &data[position], size - position);
230 GetObject<int32_t>(requestId, &data[position], size - position);
231 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
232 if (chanImp == nullptr) {
233 return false;
234 }
235 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
236 mdata.WriteInt32(accessibilityWindowId);
237 mdata.WriteInt64(elementId);
238 mdata.WriteInt32(direction);
239 mdata.WriteInt32(requestId);
240 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::FOCUS_MOVE_SEARCH),
241 mdata, reply, option);
242 return true;
243 }
244
FuzzHandleExecuteAction(const uint8_t * data,size_t size)245 bool FuzzHandleExecuteAction(const uint8_t *data, size_t size)
246 {
247 if (data == nullptr || size < DATA_MIN_SIZE) {
248 return false;
249 }
250
251 size_t position = 0;
252 int32_t accessibilityWindowId = 0;
253 int64_t elementId = 0;
254 int32_t action = 0;
255 MessageParcel mdata;
256 MessageParcel reply;
257 MessageOption option(MessageOption::TF_SYNC);
258
259 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
260 position += GetObject<int64_t>(elementId, &data[position], size - position);
261 GetObject<int32_t>(action, &data[position], size - position);
262 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
263 if (chanImp == nullptr) {
264 return false;
265 }
266 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
267 mdata.WriteInt32(accessibilityWindowId);
268 mdata.WriteInt64(elementId);
269 mdata.WriteInt32(action);
270 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::PERFORM_ACTION),
271 mdata, reply, option);
272 return true;
273 }
274
FuzzHandleGetWindow(const uint8_t * data,size_t size)275 bool FuzzHandleGetWindow(const uint8_t *data, size_t size)
276 {
277 if (data == nullptr || size < DATA_MIN_SIZE) {
278 return false;
279 }
280
281 size_t position = 0;
282 int32_t windowId = 0;
283 MessageParcel mdata;
284 MessageParcel reply;
285 MessageOption option(MessageOption::TF_SYNC);
286
287 GetObject<int32_t>(windowId, &data[position], size - position);
288 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
289 if (chanImp == nullptr) {
290 return false;
291 }
292 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
293 mdata.WriteInt32(windowId);
294 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOW),
295 mdata, reply, option);
296 return true;
297 }
298
FuzzHandleGetWindows()299 bool FuzzHandleGetWindows()
300 {
301 MessageParcel mdata;
302 MessageParcel reply;
303 MessageOption option(MessageOption::TF_SYNC);
304
305 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
306 if (chanImp == nullptr) {
307 return false;
308 }
309 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
310 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOWS),
311 mdata, reply, option);
312 return true;
313 }
314
FuzzHandleGetWindowsByDisplayId(const uint8_t * data,size_t size)315 bool FuzzHandleGetWindowsByDisplayId(const uint8_t *data, size_t size)
316 {
317 if (data == nullptr || size < DATA_MIN_SIZE) {
318 return false;
319 }
320
321 size_t position = 0;
322 uint64_t displayId = 0;
323 MessageParcel mdata;
324 MessageParcel reply;
325 MessageOption option(MessageOption::TF_SYNC);
326
327 GetObject<uint64_t>(displayId, &data[position], size - position);
328 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
329 if (chanImp == nullptr) {
330 return false;
331 }
332 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
333 mdata.WriteUint64(displayId);
334 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOWS_BY_DISPLAY_ID),
335 mdata, reply, option);
336 return true;
337 }
338
FuzzHandleSendSimulateGesturePath(const uint8_t * data,size_t size)339 bool FuzzHandleSendSimulateGesturePath(const uint8_t *data, size_t size)
340 {
341 if (data == nullptr || size < DATA_MIN_SIZE) {
342 return false;
343 }
344
345 size_t position = 0;
346 float positionX = 0.0;
347 float positionY = 0.0;
348 int64_t durationTime = 300;
349 MessageParcel mdata;
350 MessageParcel reply;
351 MessageOption option(MessageOption::TF_SYNC);
352 position += GetObject<float>(positionX, &data[position], size - position);
353 position += GetObject<float>(positionY, &data[position], size - position);
354
355 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
356 if (chanImp == nullptr) {
357 return false;
358 }
359 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
360
361 std::shared_ptr<AccessibilityGestureInjectPath> gesturePath = std::make_shared<AccessibilityGestureInjectPath>();
362 if (gesturePath == nullptr) {
363 return false;
364 }
365 AccessibilityGesturePosition point { positionX, positionY };
366 gesturePath->AddPosition(point);
367 gesturePath->SetDurationTime(durationTime);
368 sptr<AccessibilityGestureInjectPathParcel> path = new(
369 std::nothrow) AccessibilityGestureInjectPathParcel(*gesturePath);
370 if (path == nullptr) {
371 return false;
372 }
373 mdata.WriteStrongParcelable(path);
374 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEND_SIMULATE_GESTURE_PATH),
375 mdata, reply, option);
376 return true;
377 }
378
FuzzHandleSetTargetBundleName(const uint8_t * data,size_t size)379 bool FuzzHandleSetTargetBundleName(const uint8_t *data, size_t size)
380 {
381 if (data == nullptr || size < DATA_MIN_SIZE) {
382 return false;
383 }
384
385 size_t positions = 0;
386 MessageParcel mdata;
387 MessageParcel reply;
388 MessageOption option(MessageOption::TF_SYNC);
389 char name[LEN + 1];
390 name[LEN] = END_CHAR;
391 for (size_t i = 0; i < LEN; i++) {
392 positions += GetObject<char>(name[i], data + positions, size - positions);
393 }
394 std::string bundleName(name);
395 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
396 if (chanImp == nullptr) {
397 return false;
398 }
399 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
400 mdata.WriteInt32(LEN);
401 for (size_t i = 0; i < LEN; i++) {
402 mdata.WriteString(bundleName);
403 }
404 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SET_TARGET_BUNDLE_NAME),
405 mdata, reply, option);
406 return true;
407 }
408 } // namespace Accessibility
409 } // namespace OHOS
410
411 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)412 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
413 {
414 /* Run your code on data */
415 OHOS::Accessibility::FuzzHandleSearchElementInfoByAccessibilityId(data, size);
416 OHOS::Accessibility::FuzzHandleSearchElementInfosByText(data, size);
417 OHOS::Accessibility::FuzzHandleFindFocusedElementInfo(data, size);
418 OHOS::Accessibility::FuzzHandleFocusMoveSearch(data, size);
419 OHOS::Accessibility::FuzzHandleExecuteAction(data, size);
420 OHOS::Accessibility::FuzzHandleGetWindow(data, size);
421 OHOS::Accessibility::FuzzHandleGetWindows();
422 OHOS::Accessibility::FuzzHandleGetWindowsByDisplayId(data, size);
423 OHOS::Accessibility::FuzzHandleSendSimulateGesturePath(data, size);
424 OHOS::Accessibility::FuzzHandleSetTargetBundleName(data, size);
425 return 0;
426 }