1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibleabilitychannelstub_fuzzer.h"
17 #include "accessible_ability_channel_stub.h"
18 #include "accessibility_ipc_interface_code.h"
19 #include "parcel/accessibility_gesture_inject_path_parcel.h"
20 #include "securec.h"
21
22 namespace OHOS {
23 namespace Accessibility {
24 namespace {
25 constexpr size_t DATA_MIN_SIZE = 200;
26 constexpr char END_CHAR = '\0';
27 constexpr size_t LEN = 10;
28 }
29
30 class AbilityChannelImplFuzzTest : public AccessibleAbilityChannelStub {
31 public:
32 AbilityChannelImplFuzzTest() = default;
33 ~AbilityChannelImplFuzzTest() = default;
34
SearchElementInfoByAccessibilityId(const ElementBasicInfo elementBasicInfo,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback,const int32_t mode,bool isFilter,bool systemApi)35 RetError SearchElementInfoByAccessibilityId(const ElementBasicInfo elementBasicInfo,
36 const int32_t requestId, const sptr<IAccessibilityElementOperatorCallback> &callback,
37 const int32_t mode, bool isFilter, bool systemApi) override
38 {
39 return RET_OK;
40 }
SearchDefaultFocusedByWindowId(const ElementBasicInfo elementBasicInfo,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback,const int32_t mode,bool isFilter)41 RetError SearchDefaultFocusedByWindowId(const ElementBasicInfo elementBasicInfo,
42 const int32_t requestId, const sptr<IAccessibilityElementOperatorCallback> &callback,
43 const int32_t mode, bool isFilter) override
44 {
45 return RET_OK;
46 }
SearchElementInfosByText(const int32_t accessibilityWindowId,const int64_t elementId,const std::string & text,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback,bool systemApi)47 RetError SearchElementInfosByText(const int32_t accessibilityWindowId, const int64_t elementId,
48 const std::string &text, const int32_t requestId,
49 const sptr<IAccessibilityElementOperatorCallback> &callback, bool systemApi) override
50 {
51 return RET_OK;
52 }
FindFocusedElementInfo(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t focusType,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback,bool systemApi)53 RetError FindFocusedElementInfo(const int32_t accessibilityWindowId, const int64_t elementId,
54 const int32_t focusType, const int32_t requestId,
55 const sptr<IAccessibilityElementOperatorCallback> &callback, bool systemApi) override
56 {
57 return RET_OK;
58 }
FocusMoveSearch(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t direction,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback,bool systemApi)59 RetError FocusMoveSearch(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t direction,
60 const int32_t requestId, const sptr<IAccessibilityElementOperatorCallback> &callback, bool systemApi) override
61 {
62 return RET_OK;
63 }
ExecuteAction(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t action,const std::map<std::string,std::string> & actionArguments,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)64 RetError ExecuteAction(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t action,
65 const std::map<std::string, std::string> &actionArguments, const int32_t requestId,
66 const sptr<IAccessibilityElementOperatorCallback> &callback) override
67 {
68 return RET_OK;
69 }
EnableScreenCurtain(bool isEnable)70 RetError EnableScreenCurtain(bool isEnable) override
71 {
72 return RET_OK;
73 }
HoldRunningLock()74 RetError HoldRunningLock() override
75 {
76 return RET_OK;
77 }
UnholdRunningLock()78 RetError UnholdRunningLock() override
79 {
80 return RET_OK;
81 }
GetCursorPosition(const int32_t accessibilityWindowId,const int64_t elementId,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)82 RetError GetCursorPosition(const int32_t accessibilityWindowId, const int64_t elementId, const int32_t requestId,
83 const sptr<IAccessibilityElementOperatorCallback> &callback) override
84 {
85 return RET_OK;
86 }
GetWindow(const int32_t windowId,AccessibilityWindowInfo & windowInfo)87 RetError GetWindow(const int32_t windowId, AccessibilityWindowInfo &windowInfo) override
88 {
89 return RET_OK;
90 }
GetWindows(std::vector<AccessibilityWindowInfo> & windows,bool systemApi)91 RetError GetWindows(std::vector<AccessibilityWindowInfo> &windows, bool systemApi) override
92 {
93 return RET_OK;
94 }
GetWindowsByDisplayId(const uint64_t displayId,std::vector<AccessibilityWindowInfo> & windows,bool systemApi)95 RetError GetWindowsByDisplayId(
96 const uint64_t displayId, std::vector<AccessibilityWindowInfo>& windows, bool systemApi) override
97 {
98 return RET_OK;
99 }
SetOnKeyPressEventResult(const bool handled,const int32_t sequence)100 void SetOnKeyPressEventResult(const bool handled, const int32_t sequence) override {}
SendSimulateGesture(const std::shared_ptr<AccessibilityGestureInjectPath> & gesturePath)101 RetError SendSimulateGesture(const std::shared_ptr<AccessibilityGestureInjectPath> &gesturePath) override
102 {
103 return RET_OK;
104 }
SetTargetBundleName(const std::vector<std::string> & targetBundleNames)105 RetError SetTargetBundleName(const std::vector<std::string> &targetBundleNames) override
106 {
107 return RET_OK;
108 }
SetIsRegisterDisconnectCallback(bool isRegister)109 RetError SetIsRegisterDisconnectCallback(bool isRegister) override
110 {
111 return RET_OK;
112 }
NotifyDisconnect()113 RetError NotifyDisconnect() override
114 {
115 return RET_OK;
116 }
ConfigureEvents(const std::vector<uint32_t> needEvents)117 RetError ConfigureEvents(const std::vector<uint32_t> needEvents) override
118 {
119 return RET_OK;
120 }
SearchElementInfoBySpecificProperty(const ElementBasicInfo elementBasicInfo,const SpecificPropertyParam & param,const int32_t requestId,const sptr<IAccessibilityElementOperatorCallback> & callback)121 void SearchElementInfoBySpecificProperty(const ElementBasicInfo elementBasicInfo,
122 const SpecificPropertyParam& param, const int32_t requestId,
123 const sptr<IAccessibilityElementOperatorCallback> &callback) override {}
124 };
125
126 template<class T>
GetObject(T & object,const uint8_t * data,size_t size)127 size_t GetObject(T &object, const uint8_t *data, size_t size)
128 {
129 size_t objectSize = sizeof(object);
130 if (objectSize > size) {
131 return 0;
132 }
133 return memcpy_s(&object, objectSize, data, objectSize) == EOK ? objectSize : 0;
134 }
135
FuzzHandleSearchElementInfoByAccessibilityId(const uint8_t * data,size_t size)136 bool FuzzHandleSearchElementInfoByAccessibilityId(const uint8_t *data, size_t size)
137 {
138 if (data == nullptr || size < DATA_MIN_SIZE) {
139 return false;
140 }
141
142 size_t position = 0;
143 int32_t accessibilityWindowId = 0;
144 int64_t elementId = 0;
145 int32_t requestId = 0;
146 MessageParcel mdata;
147 MessageParcel reply;
148 MessageOption option(MessageOption::TF_SYNC);
149
150 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
151 position += GetObject<int64_t>(elementId, &data[position], size - position);
152 GetObject<int32_t>(requestId, &data[position], size - position);
153 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
154 if (chanImp == nullptr) {
155 return false;
156 }
157 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
158 mdata.WriteInt32(accessibilityWindowId);
159 mdata.WriteInt64(elementId);
160 mdata.WriteInt32(requestId);
161 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEARCH_ELEMENTINFO_BY_ACCESSIBILITY_ID),
162 mdata, reply, option);
163 return true;
164 }
165
FuzzHandleSearchElementInfosByText(const uint8_t * data,size_t size)166 bool FuzzHandleSearchElementInfosByText(const uint8_t *data, size_t size)
167 {
168 if (data == nullptr || size < DATA_MIN_SIZE) {
169 return false;
170 }
171
172 size_t position = 0;
173 int32_t accessibilityWindowId = 0;
174 int64_t elementId = 0;
175 int32_t requestId = 0;
176 MessageParcel mdata;
177 MessageParcel reply;
178 MessageOption option(MessageOption::TF_SYNC);
179
180 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
181 position += GetObject<int64_t>(elementId, &data[position], size - position);
182 char name[LEN + 1];
183 name[LEN] = END_CHAR;
184 for (size_t i = 0; i < LEN; i++) {
185 position += GetObject<char>(name[i], data + position, size - position);
186 }
187 std::string text(name);
188 GetObject<int32_t>(requestId, &data[position], size - position);
189 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
190 if (chanImp == nullptr) {
191 return false;
192 }
193 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
194 mdata.WriteInt32(accessibilityWindowId);
195 mdata.WriteInt64(elementId);
196 mdata.WriteString(text);
197 mdata.WriteInt32(requestId);
198 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEARCH_ELEMENTINFOS_BY_TEXT),
199 mdata, reply, option);
200 return true;
201 }
202
FuzzHandleFindFocusedElementInfo(const uint8_t * data,size_t size)203 bool FuzzHandleFindFocusedElementInfo(const uint8_t *data, size_t size)
204 {
205 if (data == nullptr || size < DATA_MIN_SIZE) {
206 return false;
207 }
208
209 size_t position = 0;
210 int32_t accessibilityWindowId = 0;
211 int64_t elementId = 0;
212 int32_t focusType = 0;
213 int32_t requestId = 0;
214 MessageParcel mdata;
215 MessageParcel reply;
216 MessageOption option(MessageOption::TF_SYNC);
217
218 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
219 position += GetObject<int64_t>(elementId, &data[position], size - position);
220 position += GetObject<int32_t>(focusType, &data[position], size - position);
221 GetObject<int32_t>(requestId, &data[position], size - position);
222 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
223 if (chanImp == nullptr) {
224 return false;
225 }
226 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
227 mdata.WriteInt32(accessibilityWindowId);
228 mdata.WriteInt64(elementId);
229 mdata.WriteInt32(focusType);
230 mdata.WriteInt32(requestId);
231 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::FIND_FOCUSED_ELEMENTINFO),
232 mdata, reply, option);
233 return true;
234 }
235
FuzzHandleFocusMoveSearch(const uint8_t * data,size_t size)236 bool FuzzHandleFocusMoveSearch(const uint8_t *data, size_t size)
237 {
238 if (data == nullptr || size < DATA_MIN_SIZE) {
239 return false;
240 }
241
242 size_t position = 0;
243 int32_t accessibilityWindowId = 0;
244 int64_t elementId = 0;
245 int32_t direction = 0;
246 int32_t requestId = 0;
247 MessageParcel mdata;
248 MessageParcel reply;
249 MessageOption option(MessageOption::TF_SYNC);
250
251 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
252 position += GetObject<int64_t>(elementId, &data[position], size - position);
253 position += GetObject<int32_t>(direction, &data[position], size - position);
254 GetObject<int32_t>(requestId, &data[position], size - position);
255 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
256 if (chanImp == nullptr) {
257 return false;
258 }
259 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
260 mdata.WriteInt32(accessibilityWindowId);
261 mdata.WriteInt64(elementId);
262 mdata.WriteInt32(direction);
263 mdata.WriteInt32(requestId);
264 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::FOCUS_MOVE_SEARCH),
265 mdata, reply, option);
266 return true;
267 }
268
FuzzHandleExecuteAction(const uint8_t * data,size_t size)269 bool FuzzHandleExecuteAction(const uint8_t *data, size_t size)
270 {
271 if (data == nullptr || size < DATA_MIN_SIZE) {
272 return false;
273 }
274
275 size_t position = 0;
276 int32_t accessibilityWindowId = 0;
277 int64_t elementId = 0;
278 int32_t action = 0;
279 MessageParcel mdata;
280 MessageParcel reply;
281 MessageOption option(MessageOption::TF_SYNC);
282
283 position += GetObject<int32_t>(accessibilityWindowId, &data[position], size - position);
284 position += GetObject<int64_t>(elementId, &data[position], size - position);
285 GetObject<int32_t>(action, &data[position], size - position);
286 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
287 if (chanImp == nullptr) {
288 return false;
289 }
290 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
291 mdata.WriteInt32(accessibilityWindowId);
292 mdata.WriteInt64(elementId);
293 mdata.WriteInt32(action);
294 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::PERFORM_ACTION),
295 mdata, reply, option);
296 return true;
297 }
298
FuzzHandleGetWindow(const uint8_t * data,size_t size)299 bool FuzzHandleGetWindow(const uint8_t *data, size_t size)
300 {
301 if (data == nullptr || size < DATA_MIN_SIZE) {
302 return false;
303 }
304
305 size_t position = 0;
306 int32_t windowId = 0;
307 MessageParcel mdata;
308 MessageParcel reply;
309 MessageOption option(MessageOption::TF_SYNC);
310
311 GetObject<int32_t>(windowId, &data[position], size - position);
312 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
313 if (chanImp == nullptr) {
314 return false;
315 }
316 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
317 mdata.WriteInt32(windowId);
318 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOW),
319 mdata, reply, option);
320 return true;
321 }
322
FuzzHandleGetWindows()323 bool FuzzHandleGetWindows()
324 {
325 MessageParcel mdata;
326 MessageParcel reply;
327 MessageOption option(MessageOption::TF_SYNC);
328
329 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
330 if (chanImp == nullptr) {
331 return false;
332 }
333 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
334 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOWS),
335 mdata, reply, option);
336 return true;
337 }
338
FuzzHandleHoldRunningLock()339 bool FuzzHandleHoldRunningLock()
340 {
341 MessageParcel mdata;
342 MessageParcel reply;
343 MessageOption option(MessageOption::TF_SYNC);
344
345 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
346 if (chanImp == nullptr) {
347 return false;
348 }
349 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
350 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::HOLD_RUNNING_LOCK),
351 mdata, reply, option);
352 return true;
353 }
354
FuzzHandleUnholdRunningLock()355 bool FuzzHandleUnholdRunningLock()
356 {
357 MessageParcel mdata;
358 MessageParcel reply;
359 MessageOption option(MessageOption::TF_SYNC);
360
361 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
362 if (chanImp == nullptr) {
363 return false;
364 }
365 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
366 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::UNHOLD_RUNNING_LOCK),
367 mdata, reply, option);
368 return true;
369 }
370
FuzzHandleGetWindowsByDisplayId(const uint8_t * data,size_t size)371 bool FuzzHandleGetWindowsByDisplayId(const uint8_t *data, size_t size)
372 {
373 if (data == nullptr || size < DATA_MIN_SIZE) {
374 return false;
375 }
376
377 size_t position = 0;
378 uint64_t displayId = 0;
379 MessageParcel mdata;
380 MessageParcel reply;
381 MessageOption option(MessageOption::TF_SYNC);
382
383 GetObject<uint64_t>(displayId, &data[position], size - position);
384 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
385 if (chanImp == nullptr) {
386 return false;
387 }
388 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
389 mdata.WriteUint64(displayId);
390 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::GET_WINDOWS_BY_DISPLAY_ID),
391 mdata, reply, option);
392 return true;
393 }
394
FuzzHandleSendSimulateGesturePath(const uint8_t * data,size_t size)395 bool FuzzHandleSendSimulateGesturePath(const uint8_t *data, size_t size)
396 {
397 if (data == nullptr || size < DATA_MIN_SIZE) {
398 return false;
399 }
400
401 size_t position = 0;
402 float positionX = 0.0;
403 float positionY = 0.0;
404 int64_t durationTime = 300;
405 MessageParcel mdata;
406 MessageParcel reply;
407 MessageOption option(MessageOption::TF_SYNC);
408 position += GetObject<float>(positionX, &data[position], size - position);
409 position += GetObject<float>(positionY, &data[position], size - position);
410
411 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
412 if (chanImp == nullptr) {
413 return false;
414 }
415 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
416
417 std::shared_ptr<AccessibilityGestureInjectPath> gesturePath = std::make_shared<AccessibilityGestureInjectPath>();
418 if (gesturePath == nullptr) {
419 return false;
420 }
421 AccessibilityGesturePosition point { positionX, positionY };
422 gesturePath->AddPosition(point);
423 gesturePath->SetDurationTime(durationTime);
424 sptr<AccessibilityGestureInjectPathParcel> path = new(
425 std::nothrow) AccessibilityGestureInjectPathParcel(*gesturePath);
426 if (path == nullptr) {
427 return false;
428 }
429 mdata.WriteStrongParcelable(path);
430 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SEND_SIMULATE_GESTURE_PATH),
431 mdata, reply, option);
432 return true;
433 }
434
FuzzHandleSetTargetBundleName(const uint8_t * data,size_t size)435 bool FuzzHandleSetTargetBundleName(const uint8_t *data, size_t size)
436 {
437 if (data == nullptr || size < DATA_MIN_SIZE) {
438 return false;
439 }
440
441 size_t positions = 0;
442 MessageParcel mdata;
443 MessageParcel reply;
444 MessageOption option(MessageOption::TF_SYNC);
445 char name[LEN + 1];
446 name[LEN] = END_CHAR;
447 for (size_t i = 0; i < LEN; i++) {
448 positions += GetObject<char>(name[i], data + positions, size - positions);
449 }
450 std::string bundleName(name);
451 std::shared_ptr<AbilityChannelImplFuzzTest> chanImp = std::make_shared<AbilityChannelImplFuzzTest>();
452 if (chanImp == nullptr) {
453 return false;
454 }
455 mdata.WriteInterfaceToken(AccessibleAbilityChannelStub::GetDescriptor());
456 mdata.WriteInt32(LEN);
457 for (size_t i = 0; i < LEN; i++) {
458 mdata.WriteString(bundleName);
459 }
460 chanImp->OnRemoteRequest(static_cast<uint32_t>(AccessibilityInterfaceCode::SET_TARGET_BUNDLE_NAME),
461 mdata, reply, option);
462 return true;
463 }
464 } // namespace Accessibility
465 } // namespace OHOS
466
467 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)468 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
469 {
470 /* Run your code on data */
471 OHOS::Accessibility::FuzzHandleSearchElementInfoByAccessibilityId(data, size);
472 OHOS::Accessibility::FuzzHandleSearchElementInfosByText(data, size);
473 OHOS::Accessibility::FuzzHandleFindFocusedElementInfo(data, size);
474 OHOS::Accessibility::FuzzHandleFocusMoveSearch(data, size);
475 OHOS::Accessibility::FuzzHandleExecuteAction(data, size);
476 OHOS::Accessibility::FuzzHandleGetWindow(data, size);
477 OHOS::Accessibility::FuzzHandleGetWindows();
478 OHOS::Accessibility::FuzzHandleGetWindowsByDisplayId(data, size);
479 OHOS::Accessibility::FuzzHandleSendSimulateGesturePath(data, size);
480 OHOS::Accessibility::FuzzHandleSetTargetBundleName(data, size);
481 OHOS::Accessibility::FuzzHandleHoldRunningLock();
482 OHOS::Accessibility::FuzzHandleUnholdRunningLock();
483 return 0;
484 }