1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "medialibrary_mtppackettool_fuzzer.h"
16
17 #include <cstdint>
18 #include <string>
19 #include <vector>
20 #include <fstream>
21 #include <fuzzer/FuzzedDataProvider.h>
22
23 #include "system_ability_definition.h"
24 #include "iservice_registry.h"
25 #include "userfilemgr_uri.h"
26 #include "payload_data.h"
27 #include "close_session_data.h"
28 #include "medialibrary_errno.h"
29 #include "media_log.h"
30
31 #define private public
32 #include "mtp_packet_tools.h"
33 #undef private
34
35 namespace OHOS {
36 using namespace std;
37 using namespace Media;
38 static const int32_t NUM_BYTES = 1;
39 static const int32_t MAX_BYTE_VALUE = 256;
40 static const int32_t SEED_SIZE = 1024;
41 FuzzedDataProvider *provider = nullptr;
42
43 // MtpPacketToolTest start
MtpPacketToolPutTest()44 static void MtpPacketToolPutTest()
45 {
46 vector<uint8_t> outBuffer = provider->ConsumeBytes<uint8_t>(NUM_BYTES);
47 MtpPacketTool::PutUInt8(outBuffer, provider->ConsumeIntegral<uint16_t>());
48 MtpPacketTool::PutUInt16(outBuffer, provider->ConsumeIntegral<uint16_t>());
49 MtpPacketTool::PutUInt32(outBuffer, provider->ConsumeIntegral<uint32_t>());
50 MtpPacketTool::PutUInt64(outBuffer, provider->ConsumeIntegral<uint64_t>());
51 MtpPacketTool::PutUInt128(outBuffer, provider->ConsumeIntegral<uint64_t>());
52 uint32_t valueUInt32First = provider->ConsumeIntegral<uint32_t>();
53 uint32_t valueUInt32Second = provider->ConsumeIntegral<uint32_t>();
54 uint128_t valueUInt128 = {valueUInt32First, valueUInt32Second};
55 MtpPacketTool::PutUInt128(outBuffer, valueUInt128);
56
57 MtpPacketTool::PutInt8(outBuffer, provider->ConsumeIntegral<int8_t>());
58 MtpPacketTool::PutInt16(outBuffer, provider->ConsumeIntegral<int16_t>());
59 MtpPacketTool::PutInt32(outBuffer, provider->ConsumeIntegral<int32_t>());
60 MtpPacketTool::PutInt64(outBuffer, provider->ConsumeIntegral<int64_t>());
61 MtpPacketTool::PutInt128(outBuffer, provider->ConsumeIntegral<int64_t>());
62 int32_t valueInt32First = provider->ConsumeIntegral<int32_t>();
63 int32_t valueInt32Second = provider->ConsumeIntegral<int32_t>();
64 int128_t valueInt128 = {valueInt32First, valueInt32Second};
65 MtpPacketTool::PutInt128(outBuffer, valueInt128);
66 MtpPacketTool::PutString(outBuffer, provider->ConsumeBytesAsString(NUM_BYTES));
67 }
68
MtpPacketToolGetTest()69 static void MtpPacketToolGetTest()
70 {
71 uint8_t numFirst = provider->ConsumeIntegral<uint8_t>();
72 uint8_t numSecond = provider->ConsumeIntegral<uint8_t>();
73 MtpPacketTool::GetUInt16(numFirst, numSecond);
74 numFirst = provider->ConsumeIntegral<uint8_t>();
75 numSecond = provider->ConsumeIntegral<uint8_t>();
76 uint8_t numThird = provider->ConsumeIntegral<uint8_t>();
77 uint8_t numFourth = provider->ConsumeIntegral<uint8_t>();
78 MtpPacketTool::GetUInt32(numFirst, numSecond, numThird, numFourth);
79 }
80
MtpPacketToolGetUInt8Test()81 static void MtpPacketToolGetUInt8Test()
82 {
83 vector<uint8_t> buffer;
84 size_t offsetTest = 0;
85 MtpPacketTool::PutUInt8(buffer, provider->ConsumeIntegral<uint16_t>());
86 MtpPacketTool::GetUInt8(buffer, offsetTest);
87 MtpPacketTool::PutUInt8(buffer, provider->ConsumeIntegral<uint16_t>());
88 uint8_t valueUInt8 = provider->ConsumeIntegral<uint8_t>();
89 MtpPacketTool::GetUInt8(buffer, offsetTest, valueUInt8);
90 }
91
MtpPacketToolGetUInt16Test()92 static void MtpPacketToolGetUInt16Test()
93 {
94 vector<uint8_t> buffer;
95 size_t offsetTest = 0;
96 MtpPacketTool::PutUInt16(buffer, provider->ConsumeIntegral<uint16_t>());
97 MtpPacketTool::GetUInt16(buffer, offsetTest);
98 MtpPacketTool::PutUInt16(buffer, provider->ConsumeIntegral<uint16_t>());
99 uint16_t valueUInt16 = provider->ConsumeIntegral<uint16_t>();
100 MtpPacketTool::GetUInt16(buffer, offsetTest, valueUInt16);
101 }
102
MtpPacketToolGetUInt32Test()103 static void MtpPacketToolGetUInt32Test()
104 {
105 vector<uint8_t> buffer;
106 size_t offsetTest = 0;
107 MtpPacketTool::PutUInt32(buffer, provider->ConsumeIntegral<uint32_t>());
108 MtpPacketTool::GetUInt32(buffer, offsetTest);
109 MtpPacketTool::PutUInt32(buffer, provider->ConsumeIntegral<uint32_t>());
110 uint32_t valueUInt32 = provider->ConsumeIntegral<uint32_t>();
111 MtpPacketTool::GetUInt32(buffer, offsetTest, valueUInt32);
112 }
113
MtpPacketToolGetUInt64Test()114 static void MtpPacketToolGetUInt64Test()
115 {
116 vector<uint8_t> buffer;
117 size_t offsetTest = 0;
118 MtpPacketTool::PutUInt64(buffer, provider->ConsumeIntegral<uint64_t>());
119 uint64_t valueUInt64 = provider->ConsumeIntegral<uint64_t>();
120 MtpPacketTool::GetUInt64(buffer, offsetTest, valueUInt64);
121 }
122
MtpPacketToolGetUInt128Test()123 static void MtpPacketToolGetUInt128Test()
124 {
125 vector<uint8_t> buffer;
126 size_t offsetTest = 0;
127 uint32_t valueUInt32First = provider->ConsumeIntegral<uint32_t>();
128 uint32_t valueUInt32Second = provider->ConsumeIntegral<uint32_t>();
129 uint128_t valueUInt128 = {valueUInt32First, valueUInt32Second};
130 MtpPacketTool::PutUInt128(buffer, valueUInt128);
131 uint128_t outUInt128 = {0, 1};
132 MtpPacketTool::GetUInt128(buffer, offsetTest, outUInt128);
133 }
134
MtpPacketToolGetInt8Test()135 static void MtpPacketToolGetInt8Test()
136 {
137 vector<uint8_t> buffer;
138 MtpPacketTool::PutInt8(buffer, provider->ConsumeIntegral<int8_t>());
139 size_t offsetTest = 0;
140 int8_t valueInt8 = provider->ConsumeIntegral<int8_t>();
141 MtpPacketTool::GetInt8(buffer, offsetTest, valueInt8);
142 }
143
MtpPacketToolGetInt16Test()144 static void MtpPacketToolGetInt16Test()
145 {
146 vector<uint8_t> buffer;
147 size_t offsetTest = 0;
148 MtpPacketTool::PutInt16(buffer, provider->ConsumeIntegral<int16_t>());
149 int16_t valueInt16 = provider->ConsumeIntegral<int16_t>();
150 MtpPacketTool::GetInt16(buffer, offsetTest, valueInt16);
151 }
152
MtpPacketToolGetInt32Test()153 static void MtpPacketToolGetInt32Test()
154 {
155 vector<uint8_t> buffer;
156 MtpPacketTool::PutUInt32(buffer, provider->ConsumeIntegral<int32_t>());
157 int32_t valueInt32 = provider->ConsumeIntegral<int32_t>();
158 size_t offsetTest = 0;
159 MtpPacketTool::GetInt32(buffer, offsetTest, valueInt32);
160 }
161
MtpPacketToolGetInt64Test()162 static void MtpPacketToolGetInt64Test()
163 {
164 vector<uint8_t> buffer;
165 MtpPacketTool::PutInt64(buffer, provider->ConsumeIntegral<int64_t>());
166 size_t offsetTest = 0;
167 int64_t valueInt64 = provider->ConsumeIntegral<int64_t>();
168 MtpPacketTool::GetInt64(buffer, offsetTest, valueInt64);
169 }
170
MtpPacketToolGetInt128Test()171 static void MtpPacketToolGetInt128Test()
172 {
173 int32_t valueInt32First = provider->ConsumeIntegral<int32_t>();
174 int32_t valueInt32Second = provider->ConsumeIntegral<int32_t>();
175 int128_t valueInt128 = {valueInt32First, valueInt32Second};
176 vector<uint8_t> buffer;
177 MtpPacketTool::PutInt128(buffer, valueInt128);
178 size_t offsetTest = 0;
179 int128_t outInt128 = {0, 1};
180 MtpPacketTool::GetInt128(buffer, offsetTest, outInt128);
181 }
182
MtpPacketToolGetStringTest()183 static void MtpPacketToolGetStringTest()
184 {
185 vector<uint8_t> buffer;
186 MtpPacketTool::PutString(buffer, provider->ConsumeBytesAsString(NUM_BYTES));
187 size_t offsetTest = 0;
188 string str = "";
189 MtpPacketTool::GetString(buffer, offsetTest);
190 MtpPacketTool::PutString(buffer, provider->ConsumeBytesAsString(NUM_BYTES));
191 MtpPacketTool::GetString(buffer, offsetTest, str);
192 string valueString = provider->ConsumeBytesAsString(NUM_BYTES);
193 MtpPacketTool::StrToString(valueString);
194 }
195
MtpPacketToolToStringTest()196 static void MtpPacketToolToStringTest()
197 {
198 string outStr = "";
199 int8_t valueInt8 = provider->ConsumeIntegral<int8_t>();
200 MtpPacketTool::Int8ToString(valueInt8, outStr);
201 uint8_t valueUInt8 = provider->ConsumeIntegral<uint8_t>();
202 MtpPacketTool::UInt8ToString(valueUInt8, outStr);
203 int16_t valueInt16 = provider->ConsumeIntegral<int16_t>();
204 MtpPacketTool::Int16ToString(valueInt16, outStr);
205 uint16_t valueUInt16 = provider->ConsumeIntegral<uint16_t>();
206 MtpPacketTool::UInt16ToString(valueUInt16, outStr);
207 int32_t valueInt32 = provider->ConsumeIntegral<int32_t>();
208 MtpPacketTool::Int32ToString(valueInt32, outStr);
209 uint32_t valueUInt32 = provider->ConsumeIntegral<uint32_t>();
210 MtpPacketTool::UInt32ToString(valueUInt32, outStr);
211 int64_t valueInt64 = provider->ConsumeIntegral<int64_t>();
212 MtpPacketTool::Int64ToString(valueInt64, outStr);
213 uint64_t valueUInt64 = provider->ConsumeIntegral<uint64_t>();
214 MtpPacketTool::UInt64ToString(valueUInt64, outStr);
215 int32_t valueInt32First = provider->ConsumeIntegral<int32_t>();
216 int32_t valueInt32Second = provider->ConsumeIntegral<int32_t>();
217 int128_t valueInt128 = {valueInt32First, valueInt32Second};
218 MtpPacketTool::Int128ToString(valueInt128, outStr);
219 uint32_t valueUInt32First = provider->ConsumeIntegral<uint32_t>();
220 uint32_t valueUInt32Second = provider->ConsumeIntegral<uint32_t>();
221 uint128_t valueUInt128 = {valueUInt32First, valueUInt32Second};
222 MtpPacketTool::UInt128ToString(valueUInt128, outStr);
223 }
224
MtpPacketToolGetNameTest()225 static void MtpPacketToolGetNameTest()
226 {
227 uint16_t code = provider->ConsumeIntegral<uint16_t>();
228 MtpPacketTool::GetOperationName(code);
229 code = provider->ConsumeIntegral<uint16_t>();
230 MtpPacketTool::GetEventName(code);
231 code = provider->ConsumeIntegral<uint16_t>();
232 MtpPacketTool::GetFormatName(code);
233 code = provider->ConsumeIntegral<uint16_t>();
234 MtpPacketTool::GetObjectPropName(code);
235 code = provider->ConsumeIntegral<uint16_t>();
236 MtpPacketTool::GetEventName(code);
237
238 time_t sec = 0;
239 MtpPacketTool::FormatDateTime(sec);
240 int type = provider->ConsumeIntegral<int32_t>();
241 MtpPacketTool::GetDataTypeName(type);
242 type = provider->ConsumeIntegral<int32_t>();
243 MtpPacketTool::GetAssociationName(type);
244
245 uint16_t propCode = provider->ConsumeIntegral<uint16_t>();
246 MtpPacketTool::GetObjectPropTypeByPropCode(propCode);
247 }
248
MtpPacketToolOtherTest()249 static void MtpPacketToolOtherTest()
250 {
251 MtpPacketTool::GetIndentBlank();
252 size_t indent = provider->ConsumeIntegral<int32_t>();
253 MtpPacketTool::GetIndentBlank(indent);
254 vector<uint8_t> dumpData = provider->ConsumeBytes<uint8_t>(NUM_BYTES);
255 MtpPacketTool::Dump(dumpData);
256 unique_ptr<char[]> hexBuf;
257 int hexBufSize = provider->ConsumeIntegral<int32_t>();
258 unique_ptr<char[]> txtBuf;
259 int txtBufSize = provider->ConsumeIntegral<int32_t>();
260 MtpPacketTool::DumpClear(indent, hexBuf, hexBufSize, txtBuf, txtBufSize);
261
262 uint8_t u8 = provider->ConsumeIntegral<uint8_t>();
263 MtpPacketTool::DumpChar(u8, hexBuf, hexBufSize, txtBuf, txtBufSize);
264 MtpPacketTool::DumpShow(hexBuf, hexBufSize, txtBuf, txtBufSize);
265
266 string str = provider->ConsumeBytesAsString(NUM_BYTES);
267 hexBuf = make_unique<char[]>('a');
268 txtBuf = make_unique<char[]>('a');
269 MtpPacketTool::DumpClear(indent, hexBuf, hexBufSize, txtBuf, txtBufSize);
270
271 MtpPacketTool::DumpChar(u8, hexBuf, hexBufSize, txtBuf, txtBufSize);
272
273 MtpPacketTool::DumpShow(hexBuf, hexBufSize, txtBuf, txtBufSize);
274 hexBuf[OFFSET_0] = '\0';
275 MtpPacketTool::DumpShow(hexBuf, hexBufSize, txtBuf, txtBufSize);
276 }
277
MtpPacketToolTest()278 static void MtpPacketToolTest()
279 {
280 MtpPacketToolPutTest();
281 MtpPacketToolGetTest();
282 MtpPacketToolGetUInt8Test();
283 MtpPacketToolGetUInt16Test();
284 MtpPacketToolGetUInt32Test();
285 MtpPacketToolGetUInt64Test();
286 MtpPacketToolGetUInt128Test();
287 MtpPacketToolGetInt8Test();
288 MtpPacketToolGetInt16Test();
289 MtpPacketToolGetInt32Test();
290 MtpPacketToolGetInt64Test();
291 MtpPacketToolGetInt128Test();
292 MtpPacketToolGetStringTest();
293 MtpPacketToolToStringTest();
294 MtpPacketToolGetNameTest();
295 MtpPacketToolOtherTest();
296 }
297
AddSeed()298 static int32_t AddSeed()
299 {
300 char *seedData = new char[OHOS::SEED_SIZE];
301 for (int i = 0; i < OHOS::SEED_SIZE; i++) {
302 seedData[i] = static_cast<char>(i % MAX_BYTE_VALUE);
303 }
304
305 const char* filename = "corpus/seed.txt";
306 std::ofstream file(filename, std::ios::binary | std::ios::trunc);
307 if (!file) {
308 MEDIA_ERR_LOG("Cannot open file filename:%{public}s", filename);
309 delete[] seedData;
310 return Media::E_ERR;
311 }
312 file.write(seedData, OHOS::SEED_SIZE);
313 file.close();
314 delete[] seedData;
315 MEDIA_INFO_LOG("seedData has been successfully written to file filename:%{public}s", filename);
316 return Media::E_OK;
317 }
318 } // namespace OHOS
319
LLVMFuzzerInitialize(int * argc,char *** argv)320 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
321 {
322 OHOS::AddSeed();
323 return 0;
324 }
325
326 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)327 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
328 {
329 /* Run your code on data */
330 FuzzedDataProvider fdp(data, size);
331 OHOS::provider = &fdp;
332 if (data == nullptr) {
333 return 0;
334 }
335 OHOS::MtpPacketToolTest();
336 return 0;
337 }