1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "medialibrary_mtp_fuzzer.h"
16
17 #include <cstdint>
18 #include <string>
19 #include <vector>
20 #include <fstream>
21 #include <fuzzer/FuzzedDataProvider.h>
22
23 #include "system_ability_definition.h"
24 #include "iservice_registry.h"
25 #include "userfilemgr_uri.h"
26 #include "payload_data.h"
27 #include "close_session_data.h"
28 #include "media_log.h"
29
30 #define private public
31 #include "media_log.h"
32 #include "media_mtp_utils.h"
33 #include "mtp_driver.h"
34 #include "mtp_error_utils.h"
35 #include "mtp_event.h"
36 #include "mtp_file_observer.h"
37 #include "mtp_manager.h"
38 #include "mtp_monitor.h"
39 #include "mtp_operation.h"
40 #include "mtp_packet.h"
41 #include "mtp_service.h"
42 #include "mtp_storage_manager.h"
43 #include "mtp_store_observer.h"
44 #include "packet_payload_factory.h"
45 #include "ptp_album_handles.h"
46 #undef private
47
48 namespace OHOS {
49 using namespace std;
50 using namespace Media;
51
52 static const int32_t NUM_BYTES = 1;
53 static const int32_t MAX_BYTE_VALUE = 256;
54 static const int32_t SEED_SIZE = 1024;
55 FuzzedDataProvider *provider = nullptr;
56
FuzzVectorUInt32()57 static inline vector<uint32_t> FuzzVectorUInt32()
58 {
59 return {provider->ConsumeIntegral<uint32_t>()};
60 }
61
FuzzMtpOperationContext()62 static MtpOperationContext FuzzMtpOperationContext()
63 {
64 MtpOperationContext context;
65 context.operationCode = provider->ConsumeIntegral<uint16_t>();
66 context.transactionID = provider->ConsumeIntegral<uint32_t>();
67 context.devicePropertyCode = provider->ConsumeIntegral<uint32_t>();
68 context.storageID = provider->ConsumeIntegral<uint32_t>();
69 context.format = provider->ConsumeIntegral<uint16_t>();
70 context.parent = provider->ConsumeIntegral<uint32_t>();
71 context.handle = provider->ConsumeIntegral<uint32_t>();
72 context.property = provider->ConsumeIntegral<uint32_t>();
73 context.groupCode = provider->ConsumeIntegral<uint32_t>();
74 context.depth = provider->ConsumeIntegral<uint32_t>();
75 context.properStrValue = provider->ConsumeBytesAsString(NUM_BYTES);
76 context.properIntValue = provider->ConsumeIntegral<int64_t>();
77 context.handles = make_shared<UInt32List>(FuzzVectorUInt32());
78 context.name = provider->ConsumeBytesAsString(NUM_BYTES);
79 context.created = provider->ConsumeBytesAsString(NUM_BYTES);
80 context.modified = provider->ConsumeBytesAsString(NUM_BYTES);
81 context.indata = provider->ConsumeBool();
82 context.storageInfoID = provider->ConsumeIntegral<uint32_t>();
83 context.sessionOpen = provider->ConsumeBool();
84 context.sessionID = provider->ConsumeIntegral<uint32_t>();
85 context.mtpDriver = make_shared<MtpDriver>();
86 context.tempSessionID = provider->ConsumeIntegral<uint32_t>();
87 context.eventHandle = provider->ConsumeIntegral<uint32_t>();
88 context.eventProperty = provider->ConsumeIntegral<uint32_t>();
89 return context;
90 }
91
MtpDriverTest()92 static void MtpDriverTest()
93 {
94 shared_ptr<MtpDriver> mtpDriver = make_shared<MtpDriver>();
95 mtpDriver->OpenDriver();
96
97 vector<uint8_t> buffer = provider->ConsumeBytes<uint8_t>(NUM_BYTES);
98 uint32_t sizeBuf = buffer.size();
99 int32_t result = provider->ConsumeIntegral<int32_t>();
100 mtpDriver->Read(buffer, sizeBuf);
101 mtpDriver->Write(buffer, sizeBuf, result);
102 MtpFileRange mfr;
103 mtpDriver->SendObj(mfr);
104 mtpDriver->ReceiveObj(mfr);
105
106 EventMtp me;
107 me.data = provider->ConsumeBytes<uint8_t>(NUM_BYTES);
108 me.length = me.data.size();
109 mtpDriver->WriteEvent(me);
110 mtpDriver->CloseDriver();
111 }
112
MtpErrorUtilsTest()113 static void MtpErrorUtilsTest()
114 {
115 const int32_t mediaError = provider->ConsumeIntegral<int32_t>();
116 MtpErrorUtils::SolveGetHandlesError(mediaError);
117 MtpErrorUtils::SolveGetObjectInfoError(mediaError);
118 MtpErrorUtils::SolveSendObjectInfoError(mediaError);
119 MtpErrorUtils::SolveMoveObjectError(mediaError);
120 MtpErrorUtils::SolveCopyObjectError(mediaError);
121 MtpErrorUtils::SolveDeleteObjectError(mediaError);
122 MtpErrorUtils::SolveObjectPropValueError(mediaError);
123 MtpErrorUtils::SolveCloseFdError(mediaError);
124 }
125
MtpFileObserverTest()126 static void MtpFileObserverTest()
127 {
128 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
129 FuzzMtpOperationContext());
130 if (context == nullptr) {
131 MEDIA_ERR_LOG("context is nullptr");
132 return;
133 }
134 shared_ptr<MtpFileObserver> mtpFileObserver = make_shared<MtpFileObserver>();
135 string path = provider->ConsumeBytesAsString(NUM_BYTES);
136 string realPath = provider->ConsumeBytesAsString(NUM_BYTES);
137 mtpFileObserver->StartFileInotify();
138 mtpFileObserver->AddFileInotify(path, realPath, context);
139 mtpFileObserver->AddPathToWatchMap(path);
140 mtpFileObserver->StopFileInotify();
141 }
142
143
MtpMonitorTest()144 static void MtpMonitorTest()
145 {
146 shared_ptr<MtpMonitor> mtpMonitor = make_shared<MtpMonitor>();
147 mtpMonitor->Start();
148 mtpMonitor->Stop();
149 }
150
MtpOperationTest()151 static void MtpOperationTest()
152 {
153 shared_ptr<MtpOperation> mtpOperation = make_shared<MtpOperation>();
154 mtpOperation->mtpContextPtr_->operationCode = provider->ConsumeIntegral<int32_t>();
155 mtpOperation->Execute();
156 mtpOperation->Stop();
157 for (size_t i = 0; i < MTP_OPERATIONS_LIST.size(); ++i) {
158 mtpOperation->mtpContextPtr_->operationCode = MTP_OPERATIONS_LIST[i];
159 mtpOperation->Execute();
160 mtpOperation->Stop();
161 }
162 }
163
MtpPacketTest()164 static void MtpPacketTest()
165 {
166 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
167 FuzzMtpOperationContext());
168 if (context == nullptr) {
169 MEDIA_ERR_LOG("context is nullptr");
170 return;
171 }
172 shared_ptr<MtpPacket> mtpPacket = make_shared<MtpPacket>(context);
173 mtpPacket->Parser();
174 mtpPacket->ParserHead();
175 mtpPacket->ParserPayload();
176 mtpPacket->MakeHead();
177 mtpPacket->MakerPayload();
178 mtpPacket->GetOperationCode();
179 mtpPacket->GetTransactionId();
180 mtpPacket->GetSessionID();
181
182 uint16_t operationCode = provider->ConsumeIntegral<uint16_t>();
183 mtpPacket->IsNeedDataPhase(operationCode);
184 mtpPacket->IsI2R(operationCode);
185 mtpPacket->Reset();
186 }
187
MtpServiceTest()188 static void MtpServiceTest()
189 {
190 shared_ptr<MtpService> mtpService = make_shared<MtpService>();
191 mtpService->StartService();
192 mtpService->StopService();
193 }
194
MtpStoreObserverTest()195 static void MtpStoreObserverTest()
196 {
197 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
198 FuzzMtpOperationContext());
199 if (context == nullptr) {
200 MEDIA_ERR_LOG("context is nullptr");
201 return;
202 }
203 EventFwk::CommonEventData eventData;
204 EventFwk::MatchingSkills matchingSkills;
205 EventFwk::CommonEventSubscribeInfo subscriberInfo(matchingSkills);
206 shared_ptr<MtpStoreObserver> mtpStoreObserver = make_shared<MtpStoreObserver>(subscriberInfo);
207 mtpStoreObserver->StartObserver();
208 mtpStoreObserver->AttachContext(context);
209 mtpStoreObserver->OnReceiveEvent(eventData);
210 mtpStoreObserver->StopObserver();
211 }
212
PacketPayloadFactoryTest()213 static void PacketPayloadFactoryTest()
214 {
215 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
216 FuzzMtpOperationContext());
217 if (context == nullptr) {
218 MEDIA_ERR_LOG("context is nullptr");
219 return;
220 }
221 shared_ptr<PacketPayloadFactory> packetPayloadFactory = make_shared<PacketPayloadFactory>();
222 uint16_t stage = provider->ConsumeIntegral<uint16_t>();
223 for (size_t i = 0; i < MTP_OPERATIONS_LIST.size(); ++i) {
224 uint16_t code = MTP_OPERATIONS_LIST[i];
225 packetPayloadFactory->CreatePayload(context, code, stage);
226 }
227 }
228
PtpAlbumHandlesTest()229 static void PtpAlbumHandlesTest()
230 {
231 shared_ptr<PtpAlbumHandles> ptpAlbumHandles = PtpAlbumHandles::GetInstance();
232 int32_t value = provider->ConsumeIntegral<int32_t>();
233 ptpAlbumHandles->AddHandle(value);
234 ptpAlbumHandles->RemoveHandle(value);
235 shared_ptr<DataShare::DataShareResultSet> resultSet = make_shared<DataShare::DataShareResultSet>();
236 ptpAlbumHandles->AddAlbumHandles(resultSet);
237 ptpAlbumHandles->FindHandle(value);
238 std::set<int32_t> albumIds;
239 albumIds.insert(0);
240 ptpAlbumHandles->dataHandles_.push_back(provider->ConsumeIntegral<int32_t>());
241 std::vector<int32_t> removeIds;
242 ptpAlbumHandles->UpdateHandle(albumIds, removeIds);
243 }
244
AddSeed()245 static int32_t AddSeed()
246 {
247 char *seedData = new char[OHOS::SEED_SIZE];
248 for (int i = 0; i < OHOS::SEED_SIZE; i++) {
249 seedData[i] = static_cast<char>(i % MAX_BYTE_VALUE);
250 }
251
252 const char* filename = "corpus/seed.txt";
253 std::ofstream file(filename, std::ios::binary | std::ios::trunc);
254 if (!file) {
255 MEDIA_ERR_LOG("Cannot open file filename:%{public}s", filename);
256 delete[] seedData;
257 return Media::E_ERR;
258 }
259 file.write(seedData, OHOS::SEED_SIZE);
260 file.close();
261 delete[] seedData;
262 MEDIA_INFO_LOG("seedData has been successfully written to file filename:%{public}s", filename);
263 return Media::E_OK;
264 }
265 } // namespace OHOS
266
LLVMFuzzerInitialize(int * argc,char *** argv)267 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
268 {
269 OHOS::AddSeed();
270 return 0;
271 }
272
273 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)274 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
275 {
276 /* Run your code on data */
277 FuzzedDataProvider fdp(data, size);
278 OHOS::provider = &fdp;
279 if (data == nullptr) {
280 return 0;
281 }
282 OHOS::MtpDriverTest();
283 OHOS::MtpErrorUtilsTest();
284 OHOS::MtpFileObserverTest();
285 OHOS::MtpMonitorTest();
286 OHOS::MtpOperationTest();
287 OHOS::MtpPacketTest();
288 OHOS::MtpServiceTest();
289 OHOS::MtpStoreObserverTest();
290 OHOS::PacketPayloadFactoryTest();
291 OHOS::PtpAlbumHandlesTest();
292 return 0;
293 }
294