1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "medialibrary_mtp_event_fuzzer.h"
16
17 #include <cstdint>
18 #include <string>
19 #include <vector>
20 #include <fstream>
21 #include <fuzzer/FuzzedDataProvider.h>
22
23 #include "system_ability_definition.h"
24 #include "iservice_registry.h"
25 #include "userfilemgr_uri.h"
26 #include "payload_data.h"
27 #include "close_session_data.h"
28 #include "media_log.h"
29
30 #define private public
31 #include "media_log.h"
32 #include "media_mtp_utils.h"
33 #include "mtp_driver.h"
34 #include "mtp_error_utils.h"
35 #include "mtp_event.h"
36 #include "mtp_file_observer.h"
37 #include "mtp_manager.h"
38 #include "mtp_monitor.h"
39 #include "mtp_operation.h"
40 #include "mtp_packet.h"
41 #include "mtp_service.h"
42 #include "mtp_storage_manager.h"
43 #include "mtp_store_observer.h"
44 #include "packet_payload_factory.h"
45 #include "ptp_album_handles.h"
46 #undef private
47
48 namespace OHOS {
49 using namespace std;
50 using namespace Media;
51
52 static const int32_t NUM_BYTES = 1;
53 static const int32_t MAX_BYTE_VALUE = 256;
54 static const int32_t SEED_SIZE = 1024;
55 FuzzedDataProvider *provider = nullptr;
56
FuzzVectorUInt32()57 static inline vector<uint32_t> FuzzVectorUInt32()
58 {
59 return {provider->ConsumeIntegral<uint32_t>()};
60 }
61
FuzzMtpOperationContext()62 static MtpOperationContext FuzzMtpOperationContext()
63 {
64 MtpOperationContext context;
65 context.operationCode = provider->ConsumeIntegral<uint16_t>();
66 context.transactionID = provider->ConsumeIntegral<uint32_t>();
67 context.devicePropertyCode = provider->ConsumeIntegral<uint32_t>();
68 context.storageID = provider->ConsumeIntegral<uint32_t>();
69 context.format = provider->ConsumeIntegral<uint16_t>();
70 context.parent = provider->ConsumeIntegral<uint32_t>();
71 context.handle = provider->ConsumeIntegral<uint32_t>();
72 context.property = provider->ConsumeIntegral<uint32_t>();
73 context.groupCode = provider->ConsumeIntegral<uint32_t>();
74 context.depth = provider->ConsumeIntegral<uint32_t>();
75 context.properStrValue = provider->ConsumeBytesAsString(NUM_BYTES);
76 context.properIntValue = provider->ConsumeIntegral<int64_t>();
77 context.handles = make_shared<UInt32List>(FuzzVectorUInt32());
78 context.name = provider->ConsumeBytesAsString(NUM_BYTES);
79 context.created = provider->ConsumeBytesAsString(NUM_BYTES);
80 context.modified = provider->ConsumeBytesAsString(NUM_BYTES);
81 context.indata = provider->ConsumeBool();
82 context.storageInfoID = provider->ConsumeIntegral<uint32_t>();
83 context.sessionOpen = provider->ConsumeBool();
84 context.sessionID = provider->ConsumeIntegral<uint32_t>();
85 context.mtpDriver = make_shared<MtpDriver>();
86 context.tempSessionID = provider->ConsumeIntegral<uint32_t>();
87 context.eventHandle = provider->ConsumeIntegral<uint32_t>();
88 context.eventProperty = provider->ConsumeIntegral<uint32_t>();
89 return context;
90 }
91
MtpEventTest()92 static void MtpEventTest()
93 {
94 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
95 FuzzMtpOperationContext());
96 if (context == nullptr) {
97 MEDIA_ERR_LOG("context is nullptr");
98 return;
99 }
100 shared_ptr<MtpEvent> mtpEvent = make_shared<MtpEvent>(context);
101 string path = provider->ConsumeBytesAsString(NUM_BYTES);
102 uint32_t handle = provider->ConsumeIntegral<uint32_t>();
103 string fsUuid = provider->ConsumeBytesAsString(NUM_BYTES);
104 mtpEvent->SendObjectAdded(path);
105 mtpEvent->SendObjectRemoved(path);
106 mtpEvent->SendObjectRemovedByHandle(handle);
107 mtpEvent->SendObjectInfoChanged(path);
108 mtpEvent->SendDevicePropertyChanged();
109 mtpEvent->SendStoreAdded(fsUuid);
110 mtpEvent->SendStoreRemoved(fsUuid);
111 }
112
AddSeed()113 static int32_t AddSeed()
114 {
115 char *seedData = new char[OHOS::SEED_SIZE];
116 for (int i = 0; i < OHOS::SEED_SIZE; i++) {
117 seedData[i] = static_cast<char>(i % MAX_BYTE_VALUE);
118 }
119
120 const char* filename = "corpus/seed.txt";
121 std::ofstream file(filename, std::ios::binary | std::ios::trunc);
122 if (!file) {
123 MEDIA_ERR_LOG("Cannot open file filename:%{public}s", filename);
124 delete[] seedData;
125 return Media::E_ERR;
126 }
127 file.write(seedData, OHOS::SEED_SIZE);
128 file.close();
129 delete[] seedData;
130 MEDIA_INFO_LOG("seedData has been successfully written to file filename:%{public}s", filename);
131 return Media::E_OK;
132 }
133 } // namespace OHOS
134
LLVMFuzzerInitialize(int * argc,char *** argv)135 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
136 {
137 OHOS::AddSeed();
138 return 0;
139 }
140
141 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)142 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
143 {
144 /* Run your code on data */
145 FuzzedDataProvider fdp(data, size);
146 OHOS::provider = &fdp;
147 if (data == nullptr) {
148 return 0;
149 }
150 OHOS::MtpEventTest();
151 return 0;
152 }
153