1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "medialibrary_mtpoperationutils_fuzzer.h"
16
17 #include <cstdint>
18 #include <string>
19 #include <vector>
20 #include <fuzzer/FuzzedDataProvider.h>
21
22 #include "system_ability_definition.h"
23 #include "iservice_registry.h"
24 #include "userfilemgr_uri.h"
25 #include "payload_data.h"
26 #include "close_session_data.h"
27 #include "media_log.h"
28 #include "media_mtp_utils.h"
29
30 #define private public
31 #include "mtp_operation_utils.h"
32 #include "mtp_manager.h"
33 #undef private
34
35 namespace OHOS {
36 using namespace std;
37 using namespace Media;
38 const int32_t MTP_ERROR_DEFAULT = 0;
39 static const int32_t NUM_BYTES = 1;
40 const string FILE_PATH = "/storage/media/local/files/Docs/Desktop";
41 FuzzedDataProvider *provider = nullptr;
42 shared_ptr<MtpOperationUtils> mtpOperUtils_ = nullptr;
43
FuzzVectorUInt32()44 static inline vector<uint32_t> FuzzVectorUInt32()
45 {
46 return {provider->ConsumeIntegral<uint32_t>()};
47 }
48
FuzzMtpFileRange()49 static MtpFileRange FuzzMtpFileRange()
50 {
51 MtpFileRange object;
52 object.fd = provider->ConsumeIntegral<int32_t>();
53 object.offset = provider->ConsumeIntegral<int64_t>();
54 object.length = provider->ConsumeIntegral<int64_t>();
55 object.command = provider->ConsumeIntegral<uint16_t>();
56 object.transaction_id = provider->ConsumeIntegral<uint32_t>();
57 return object;
58 }
59
FuzzMtpOperationContext()60 static MtpOperationContext FuzzMtpOperationContext()
61 {
62 MtpOperationContext context;
63 context.operationCode = provider->ConsumeIntegral<uint16_t>();
64 context.transactionID = provider->ConsumeIntegral<uint32_t>();
65 context.devicePropertyCode = provider->ConsumeIntegral<uint32_t>();
66 context.storageID = provider->ConsumeIntegral<uint32_t>();
67 context.format = provider->ConsumeIntegral<uint16_t>();
68 context.parent = provider->ConsumeIntegral<uint32_t>();
69 context.handle = provider->ConsumeIntegral<uint32_t>();
70 context.property = provider->ConsumeIntegral<uint32_t>();
71 context.groupCode = provider->ConsumeIntegral<uint32_t>();
72 context.depth = provider->ConsumeIntegral<uint32_t>();
73 context.properStrValue = provider->ConsumeBytesAsString(NUM_BYTES);
74 context.properIntValue = provider->ConsumeIntegral<int64_t>();
75 context.handles = make_shared<UInt32List>(FuzzVectorUInt32());
76 context.name = provider->ConsumeBytesAsString(NUM_BYTES);
77 context.created = provider->ConsumeBytesAsString(NUM_BYTES);
78 context.modified = provider->ConsumeBytesAsString(NUM_BYTES);
79 context.indata = provider->ConsumeBool();
80 context.storageInfoID = provider->ConsumeIntegral<uint32_t>();
81 context.sessionOpen = provider->ConsumeBool();
82 context.sessionID = provider->ConsumeIntegral<uint32_t>();
83 context.mtpDriver = make_shared<MtpDriver>();
84 context.tempSessionID = provider->ConsumeIntegral<uint32_t>();
85 context.eventHandle = provider->ConsumeIntegral<uint32_t>();
86 context.eventProperty = provider->ConsumeIntegral<uint32_t>();
87 return context;
88 }
89
90 // MtpOperationUtilsTest start
MtpOperationUtilsContainerTest()91 static void MtpOperationUtilsContainerTest()
92 {
93 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(FuzzMtpOperationContext());
94 if (mtpOperUtils_ == nullptr) {
95 mtpOperUtils_ = make_shared<MtpOperationUtils>(context);
96 }
97
98 shared_ptr<PayloadData> payData = make_shared<CloseSessionData>(context);
99 uint16_t containerType = provider->ConsumeIntegral<uint16_t>();
100 int errorCode = provider->ConsumeIntegral<int32_t>();
101 mtpOperUtils_->SetIsDevicePropSet();
102 mtpOperUtils_->GetDeviceInfo(payData, containerType, errorCode);
103 mtpOperUtils_->GetObjectInfo(payData, containerType, errorCode);
104 mtpOperUtils_->GetObjectHandles(payData, containerType, errorCode);
105 mtpOperUtils_->GetObjectPropValue(payData, containerType, errorCode);
106 mtpOperUtils_->GetObjectPropList(payData, containerType, errorCode);
107 mtpOperUtils_->DeleteObject(payData, errorCode);
108 mtpOperUtils_->CopyObject(payData, errorCode);
109 mtpOperUtils_->GetStorageIDs(payData, containerType, errorCode);
110 mtpOperUtils_->GetStorageInfo(payData, containerType, errorCode);
111
112 MtpManager::GetInstance().mtpMode_ = MtpManager::MtpMode::MTP_MODE;
113 containerType = DATA_CONTAINER_TYPE;
114 mtpOperUtils_->context_->sessionOpen = true;
115 mtpOperUtils_->GetDeviceInfo(payData, containerType, errorCode);
116 mtpOperUtils_->GetObjectInfo(payData, containerType, errorCode);
117 mtpOperUtils_->GetNumObjects(payData);
118 mtpOperUtils_->DoSetObjectPropValue(errorCode);
119 mtpOperUtils_->GetObjectHandles(payData, containerType, errorCode);
120 mtpOperUtils_->GetObjectPropDesc(payData, containerType, errorCode);
121 mtpOperUtils_->GetObjectPropValue(payData, containerType, errorCode);
122 mtpOperUtils_->GetObjectPropList(payData, containerType, errorCode);
123 mtpOperUtils_->SendObjectInfo(payData, errorCode);
124 mtpOperUtils_->GetPartialObject(payData);
125 mtpOperUtils_->GetObjectPropsSupported(payData);
126 mtpOperUtils_->GetOpenSession(payData, errorCode);
127 errorCode = MTP_ERROR_SESSION_ALREADY_OPEN;
128 mtpOperUtils_->GetOpenSession(payData, errorCode);
129 errorCode = MTP_ERROR_DEFAULT;
130 mtpOperUtils_->GetOpenSession(payData, errorCode);
131 mtpOperUtils_->GetCloseSession(payData);
132 mtpOperUtils_->DeleteObject(payData, errorCode);
133 mtpOperUtils_->MoveObject(payData, errorCode);
134 mtpOperUtils_->CopyObject(payData, errorCode);
135 mtpOperUtils_->GetStorageIDs(payData, containerType, errorCode);
136 mtpOperUtils_->GetStorageInfo(payData, containerType, errorCode);
137 }
138
MtpOperationUtilsGetPathByHandleTest()139 static void MtpOperationUtilsGetPathByHandleTest()
140 {
141 if (mtpOperUtils_ == nullptr) {
142 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
143 FuzzMtpOperationContext());
144 if (context == nullptr) {
145 MEDIA_ERR_LOG("context is nullptr");
146 return;
147 }
148 mtpOperUtils_ = make_shared<MtpOperationUtils>(context);
149 }
150
151 string path = FILE_PATH + "/" + provider->ConsumeBytesAsString(NUM_BYTES);
152 string realPath = FILE_PATH + "/" + provider->ConsumeBytesAsString(NUM_BYTES);
153 uint32_t handle = provider->ConsumeIntegral<uint32_t>();
154 mtpOperUtils_->GetPathByHandle(handle, path, realPath);
155 MtpManager::GetInstance().mtpMode_ = MtpManager::MtpMode::MTP_MODE;
156 mtpOperUtils_->GetPathByHandle(handle, path, realPath);
157 mtpOperUtils_->GetHandleByPaths(path, handle);
158 }
159
MtpOperationUtilsHandleTest()160 static void MtpOperationUtilsHandleTest()
161 {
162 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(FuzzMtpOperationContext());
163 if (mtpOperUtils_ == nullptr) {
164 mtpOperUtils_ = make_shared<MtpOperationUtils>(context);
165 }
166 shared_ptr<PayloadData> payData = make_shared<CloseSessionData>(context);
167 mtpOperUtils_->SetDevicePropValueResp(payData);
168 mtpOperUtils_->ResetDevicePropResp(payData);
169
170 mtpOperUtils_->ObjectEvent(payData, provider->ConsumeIntegral<int32_t>());
171
172 uint32_t objectHandle = provider->ConsumeIntegral<uint32_t>();
173 uint16_t eventCode = provider->ConsumeIntegral<uint16_t>();
174 mtpOperUtils_->context_->mtpDriver = make_shared<MtpDriver>();
175 mtpOperUtils_->SendEventPacket(objectHandle, eventCode);
176
177 int errorCode = provider->ConsumeIntegral<int32_t>();
178 mtpOperUtils_->GetRespCommonData(payData, errorCode);
179 mtpOperUtils_->HasStorage(errorCode);
180
181 uint16_t containerType = provider->ConsumeIntegral<uint16_t>();
182 mtpOperUtils_->context_->sessionOpen = true;
183 mtpOperUtils_->GetObjectReferences(payData, containerType, errorCode);
184
185 mtpOperUtils_->SetObjectReferences(payData);
186 mtpOperUtils_->GetObjectDataDeal();
187 mtpOperUtils_->GetObject(payData, errorCode);
188 mtpOperUtils_->ModifyObjectInfo();
189
190 MtpManager::GetInstance().mtpMode_ = MtpManager::MtpMode::MTP_MODE;
191 mtpOperUtils_->GetObjectDataDeal();
192 mtpOperUtils_->ModifyObjectInfo();
193 mtpOperUtils_->DoRecevieSendObject();
194
195 int fd = provider->ConsumeIntegral<int32_t>();
196 MtpFileRange object = FuzzMtpFileRange();
197 mtpOperUtils_->RecevieSendObject(object, fd);
198 mtpOperUtils_->GetThumb(payData, containerType, errorCode);
199 containerType = DATA_CONTAINER_TYPE;
200 mtpOperUtils_->GetObjectReferences(payData, containerType, errorCode);
201 mtpOperUtils_->GetThumb(payData, containerType, errorCode);
202 mtpOperUtils_->HasStorage(errorCode);
203 }
204
MtpOperationUtilsCheckErrorCodeTest()205 static void MtpOperationUtilsCheckErrorCodeTest()
206 {
207 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
208 FuzzMtpOperationContext());
209 if (context == nullptr) {
210 MEDIA_ERR_LOG("context is nullptr");
211 return;
212 }
213 if (mtpOperUtils_ == nullptr) {
214 mtpOperUtils_ = make_shared<MtpOperationUtils>(context);
215 }
216 int errorCode = provider->ConsumeIntegral<int32_t>();
217 mtpOperUtils_->CheckErrorCode(errorCode);
218 errorCode = MTP_ERROR_PACKET_INCORRECT;
219 mtpOperUtils_->CheckErrorCode(errorCode);
220 errorCode = MTP_ERROR_SESSION_ALREADY_OPEN;
221 mtpOperUtils_->CheckErrorCode(errorCode);
222 errorCode = MTP_ERROR_NO_THIS_FILE;
223 mtpOperUtils_->CheckErrorCode(errorCode);
224 errorCode = MTP_ERROR_INCOMPLETE_TRANSFER;
225 mtpOperUtils_->CheckErrorCode(errorCode);
226 errorCode = MTP_ERROR_SESSION_NOT_OPEN;
227 mtpOperUtils_->CheckErrorCode(errorCode);
228 errorCode = MTP_ERROR_INVALID_STORAGE_ID;
229 mtpOperUtils_->CheckErrorCode(errorCode);
230 errorCode = MTP_ERROR_INVALID_OBJECTHANDLE;
231 mtpOperUtils_->CheckErrorCode(errorCode);
232 errorCode = MTP_ERROR_DEVICEPROP_NOT_SUPPORTED;
233 mtpOperUtils_->CheckErrorCode(errorCode);
234 errorCode = MTP_ERROR_STORE_NOT_AVAILABLE;
235 mtpOperUtils_->CheckErrorCode(errorCode);
236 errorCode = MTP_ERROR_INVALID_PARENTOBJECT;
237 mtpOperUtils_->CheckErrorCode(errorCode);
238 errorCode = MTP_ERROR_PARAMETER_NOT_SUPPORTED;
239 mtpOperUtils_->CheckErrorCode(errorCode);
240 errorCode = MTP_ERROR_INVALID_OBJECTPROP_VALUE;
241 mtpOperUtils_->CheckErrorCode(errorCode);
242 errorCode = MTP_ERROR_INVALID_OBJECTPROP_FORMAT;
243 mtpOperUtils_->CheckErrorCode(errorCode);
244 errorCode = MTP_ERROR_INVALID_OBJECTPROPCODE;
245 mtpOperUtils_->CheckErrorCode(errorCode);
246 errorCode = MTP_ERROR_ACCESS_DENIED;
247 mtpOperUtils_->CheckErrorCode(errorCode);
248 errorCode = MTP_ERROR_SPECIFICATION_BY_GROUP_UNSUPPORTED;
249 mtpOperUtils_->CheckErrorCode(errorCode);
250 errorCode = MTP_ERROR_SPECIFICATION_BY_DEPTH_UNSUPPORTED;
251 mtpOperUtils_->CheckErrorCode(errorCode);
252 errorCode = MTP_ERROR_TRANSFER_FAILED;
253 mtpOperUtils_->CheckErrorCode(errorCode);
254 }
255
MtpOperationUtilsGetPropertyTest()256 static void MtpOperationUtilsGetPropertyTest()
257 {
258 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
259 FuzzMtpOperationContext());
260 if (context == nullptr) {
261 MEDIA_ERR_LOG("context is nullptr");
262 return;
263 }
264 if (mtpOperUtils_ == nullptr) {
265 mtpOperUtils_ = make_shared<MtpOperationUtils>(context);
266 }
267 shared_ptr<PayloadData> payData = make_shared<CloseSessionData>(context);
268 uint16_t containerType = provider->ConsumeBool() ? DATA_CONTAINER_TYPE : provider->ConsumeIntegral<uint16_t>();
269 int errorCode = provider->ConsumeIntegral<int32_t>();
270 mtpOperUtils_->context_->property = MTP_DEVICE_PROPERTY_UNDEFINED_CODE;
271 mtpOperUtils_->GetPropDesc(payData, containerType, errorCode);
272 mtpOperUtils_->GetPropValue(payData, containerType, errorCode);
273 mtpOperUtils_->context_->property = MTP_DEVICE_PROPERTY_SYNCHRONIZATION_PARTNER_CODE;
274 mtpOperUtils_->GetPropDesc(payData, containerType, errorCode);
275 mtpOperUtils_->GetPropValue(payData, containerType, errorCode);
276 mtpOperUtils_->context_->property = MTP_DEVICE_PROPERTY_DEVICE_FRIENDLY_NAME_CODE;
277 mtpOperUtils_->GetPropDesc(payData, containerType, errorCode);
278 mtpOperUtils_->GetPropValue(payData, containerType, errorCode);
279 mtpOperUtils_->context_->property = MTP_DEVICE_PROPERTY_SESSION_INITIATOR_VERSION_INFO_CODE;
280 mtpOperUtils_->GetPropDesc(payData, containerType, errorCode);
281 mtpOperUtils_->GetPropValue(payData, containerType, errorCode);
282 mtpOperUtils_->context_->property = MTP_DEVICE_PROPERTY_IMAGE_SIZE_CODE;
283 mtpOperUtils_->GetPropDesc(payData, containerType, errorCode);
284 mtpOperUtils_->GetPropValue(payData, containerType, errorCode);
285 mtpOperUtils_->context_->property = MTP_DEVICE_PROPERTY_BATTERY_LEVEL_CODE;
286 mtpOperUtils_->GetPropDesc(payData, containerType, errorCode);
287 mtpOperUtils_->GetPropValue(payData, containerType, errorCode);
288 mtpOperUtils_->context_->property = MTP_DEVICE_PROPERTY_PERCEIVED_DEVICE_TYPE_CODE;
289 mtpOperUtils_->GetPropDesc(payData, containerType, errorCode);
290 mtpOperUtils_->GetPropValue(payData, containerType, errorCode);
291 }
292
MtpOperationUtilsStorageIdTest()293 static void MtpOperationUtilsStorageIdTest()
294 {
295 if (mtpOperUtils_ == nullptr) {
296 shared_ptr<MtpOperationContext> context = make_shared<MtpOperationContext>(
297 FuzzMtpOperationContext());
298 if (context == nullptr) {
299 MEDIA_ERR_LOG("context is nullptr");
300 return;
301 }
302 mtpOperUtils_ = make_shared<MtpOperationUtils>(context);
303 }
304
305 string fsUuid = provider->ConsumeBytesAsString(NUM_BYTES);
306 uint32_t storageId = provider->ConsumeIntegral<uint32_t>();
307 mtpOperUtils_->TryAddExternalStorage(fsUuid, storageId);
308 mtpOperUtils_->TryRemoveExternalStorage(fsUuid, storageId);
309 mtpOperUtils_->GetBatteryLevel();
310 }
311
MtpOperationUtilsTest()312 static void MtpOperationUtilsTest()
313 {
314 MtpOperationUtilsContainerTest();
315 MtpOperationUtilsGetPathByHandleTest();
316 MtpOperationUtilsHandleTest();
317 MtpOperationUtilsCheckErrorCodeTest();
318 MtpOperationUtilsGetPropertyTest();
319 MtpOperationUtilsStorageIdTest();
320 }
321 } // namespace OHOS
322
323 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)324 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
325 {
326 /* Run your code on data */
327 FuzzedDataProvider fdp(data, size);
328 OHOS::provider = &fdp;
329 if (data == nullptr) {
330 return 0;
331 }
332 OHOS::MtpOperationUtilsTest();
333 return 0;
334 }