1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibilitysystemabilityclient_fuzzer.h"
17 #include "accessibility_system_ability_client_impl.h"
18 #include "securec.h"
19
20 namespace OHOS {
21 namespace Accessibility {
22 namespace {
23 constexpr size_t DATA_MIN_SIZE = 200;
24 constexpr char END_CHAR = '\0';
25 constexpr size_t LEN = 10;
26 }
27 static AccessibilitySystemAbilityClientImpl g_asacImpl_;
28
29 template<class T>
GetObject(T & object,const uint8_t * data,size_t size)30 size_t GetObject(T &object, const uint8_t *data, size_t size)
31 {
32 size_t objectSize = sizeof(object);
33 if (objectSize > size) {
34 return 0;
35 }
36 return memcpy_s(&object, objectSize, data, objectSize) == EOK ? objectSize : 0;
37 }
38
39 class ElementOperatorForFuzzTest : public AccessibilityElementOperator {
40 public:
41 virtual ~ElementOperatorForFuzzTest() = default;
SearchElementInfoByAccessibilityId(const int64_t elementId,const int32_t requestId,AccessibilityElementOperatorCallback & callback,const int32_t mode)42 void SearchElementInfoByAccessibilityId(const int64_t elementId,
43 const int32_t requestId, AccessibilityElementOperatorCallback &callback,
44 const int32_t mode) override {}
SearchElementInfosByText(const int64_t elementId,const std::string & text,const int32_t requestId,AccessibilityElementOperatorCallback & callback)45 void SearchElementInfosByText(const int64_t elementId, const std::string &text,
46 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
47
FindFocusedElementInfo(const int64_t elementId,const int32_t focusType,const int32_t requestId,AccessibilityElementOperatorCallback & callback)48 void FindFocusedElementInfo(const int64_t elementId, const int32_t focusType, const int32_t requestId,
49 AccessibilityElementOperatorCallback &callback) override {}
50
FocusMoveSearch(const int64_t elementId,const int32_t direction,const int32_t requestId,AccessibilityElementOperatorCallback & callback)51 void FocusMoveSearch(const int64_t elementId, const int32_t direction, const int32_t requestId,
52 AccessibilityElementOperatorCallback &callback) override {}
53
ExecuteAction(const int64_t elementId,const int32_t action,const std::map<std::string,std::string> & actionArguments,const int32_t requestId,AccessibilityElementOperatorCallback & callback)54 void ExecuteAction(const int64_t elementId, const int32_t action,
55 const std::map<std::string, std::string> &actionArguments,
56 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
GetCursorPosition(const int64_t elementId,const int32_t requestId,AccessibilityElementOperatorCallback & callback)57 void GetCursorPosition(const int64_t elementId, const int32_t requestId,
58 AccessibilityElementOperatorCallback &callback) override {}
SearchElementInfoBySpecificProperty(const int64_t elementId,const SpecificPropertyParam & param,const int32_t requestId,AccessibilityElementOperatorCallback & callback)59 void SearchElementInfoBySpecificProperty(const int64_t elementId,
60 const SpecificPropertyParam& param, const int32_t requestId,
61 AccessibilityElementOperatorCallback &callback) override {}
ClearFocus()62 void ClearFocus() override {}
OutsideTouch()63 void OutsideTouch() override {}
SetChildTreeIdAndWinId(const int64_t elementId,const int32_t treeId,const int32_t childWindowId)64 void SetChildTreeIdAndWinId(const int64_t elementId, const int32_t treeId,
65 const int32_t childWindowId) override {}
SetBelongTreeId(const int32_t treeId)66 void SetBelongTreeId(const int32_t treeId) override {}
SetParentWindowId(const int32_t parentWindowId)67 void SetParentWindowId(const int32_t parentWindowId) override {}
68 };
69
70 class StateObserverForFuzzTest : public AccessibilityStateObserver {
71 public:
72 virtual ~StateObserverForFuzzTest() = default;
OnStateChanged(const bool state)73 void OnStateChanged(const bool state) {}
74 };
75
76
CreateEventInfoFirstPart(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size,size_t & position)77 static void CreateEventInfoFirstPart(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size,
78 size_t& position)
79 {
80 int64_t componentId = 0;
81 position += GetObject<int64_t>(componentId, &data[position], size - position);
82 eventInfo.SetSource(componentId);
83 int32_t windowId = 0;
84 position += GetObject<int32_t>(windowId, &data[position], size - position);
85 eventInfo.SetWindowId(windowId);
86 int32_t index = 0;
87 position += GetObject<int32_t>(index, &data[position], size - position);
88 eventInfo.SetCurrentIndex(index);
89 position += GetObject<int32_t>(index, &data[position], size - position);
90 eventInfo.SetBeginIndex(index);
91 position += GetObject<int32_t>(index, &data[position], size - position);
92 eventInfo.SetEndIndex(index);
93 int32_t itemCounts = 0;
94 position += GetObject<int32_t>(itemCounts, &data[position], size - position);
95 eventInfo.SetItemCounts(itemCounts);
96 WindowsContentChangeTypes changeTypes;
97 position += GetObject<WindowsContentChangeTypes>(changeTypes, &data[position], size - position);
98 eventInfo.SetWindowContentChangeTypes(changeTypes);
99 WindowUpdateType updateTypes;
100 position += GetObject<WindowUpdateType>(updateTypes, &data[position], size - position);
101 eventInfo.SetWindowChangeTypes(updateTypes);
102 EventType eventType;
103 position += GetObject<EventType>(eventType, &data[position], size - position);
104 eventInfo.SetEventType(eventType);
105 int64_t timeStamp = 0;
106 position += GetObject<int64_t>(timeStamp, &data[position], size - position);
107 eventInfo.SetTimeStamp(timeStamp);
108 TextMoveUnit granularity;
109 position += GetObject<TextMoveUnit>(granularity, &data[position], size - position);
110 eventInfo.SetTextMovementStep(granularity);
111 ActionType action;
112 position += GetObject<ActionType>(action, &data[position], size - position);
113 eventInfo.SetTriggerAction(action);
114 NotificationCategory category;
115 position += GetObject<NotificationCategory>(category, &data[position], size - position);
116 eventInfo.SetNotificationInfo(category);
117 GestureType gestureType;
118 position += GetObject<GestureType>(gestureType, &data[position], size - position);
119 eventInfo.SetGestureType(gestureType);
120 int32_t pageId = 0;
121 position += GetObject<int32_t>(pageId, &data[position], size - position);
122 eventInfo.SetPageId(pageId);
123 }
124
CreateEventInfoSecondPart(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size,size_t & position)125 static void CreateEventInfoSecondPart(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size,
126 size_t& position)
127 {
128 char name[LEN + 1];
129 name[LEN] = END_CHAR;
130 for (size_t i = 0; i < LEN; i++) {
131 position += GetObject<char>(name[i], &data[position], size - position);
132 }
133 std::string className(name);
134 eventInfo.SetComponentType(className);
135
136 for (size_t i = 0; i < LEN; i++) {
137 position += GetObject<char>(name[i], &data[position], size - position);
138 }
139 std::string beforeText(name);
140 eventInfo.SetBeforeText(beforeText);
141
142 for (size_t i = 0; i < LEN; i++) {
143 position += GetObject<char>(name[i], &data[position], size - position);
144 }
145 std::string content(name);
146 eventInfo.AddContent(content);
147
148 for (size_t i = 0; i < LEN; i++) {
149 position += GetObject<char>(name[i], &data[position], size - position);
150 }
151 std::string lastContent(name);
152 eventInfo.SetLatestContent(lastContent);
153
154 for (size_t i = 0; i < LEN; i++) {
155 position += GetObject<char>(name[i], &data[position], size - position);
156 }
157 std::string contentDescription(name);
158 eventInfo.SetDescription(contentDescription);
159
160 for (size_t i = 0; i < LEN; i++) {
161 position += GetObject<char>(name[i], &data[position], size - position);
162 }
163 std::string bundleName(name);
164 eventInfo.SetBundleName(bundleName);
165
166 for (size_t i = 0; i < LEN; i++) {
167 position += GetObject<char>(name[i], &data[position], size - position);
168 }
169 std::string notificationContent(name);
170 eventInfo.SetNotificationContent(notificationContent);
171 }
172
CreateEventInfo(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size)173 static size_t CreateEventInfo(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size)
174 {
175 size_t position = 0;
176 CreateEventInfoFirstPart(eventInfo, data, size, position);
177 CreateEventInfoSecondPart(eventInfo, data, size, position);
178 return position;
179 }
180
RegisterElementOperatorFuzzTest(const uint8_t * data,size_t size)181 bool RegisterElementOperatorFuzzTest(const uint8_t* data, size_t size)
182 {
183 if (data == nullptr || size < DATA_MIN_SIZE) {
184 return false;
185 }
186
187 auto instance = AccessibilitySystemAbilityClient::GetInstance();
188 if (!instance) {
189 return false;
190 }
191
192 size_t position = 0;
193 int32_t windowId = 0;
194 position += GetObject<int32_t>(windowId, &data[position], size - position);
195 std::shared_ptr<ElementOperatorForFuzzTest> elementOperator = std::make_shared<ElementOperatorForFuzzTest>();
196 instance->RegisterElementOperator(windowId, elementOperator);
197
198 GetObject<int32_t>(windowId, &data[position], size - position);
199 instance->DeregisterElementOperator(windowId);
200 return true;
201 }
202
GetAbilityListFuzzTest(const uint8_t * data,size_t size)203 bool GetAbilityListFuzzTest(const uint8_t* data, size_t size)
204 {
205 if (data == nullptr || size < DATA_MIN_SIZE) {
206 return false;
207 }
208
209 auto instance = AccessibilitySystemAbilityClient::GetInstance();
210 if (!instance) {
211 return false;
212 }
213
214 size_t position = 0;
215 uint32_t abilityTypes = 0;
216 position += GetObject<uint32_t>(abilityTypes, &data[position], size - position);
217 AbilityStateType stateType;
218 GetObject<AbilityStateType>(stateType, &data[position], size - position);
219 std::vector<AccessibilityAbilityInfo> infos;
220 instance->GetAbilityList(abilityTypes, stateType, infos);
221 return true;
222 }
223
SendEventFuzzTest(const uint8_t * data,size_t size)224 bool SendEventFuzzTest(const uint8_t* data, size_t size)
225 {
226 if (data == nullptr || size < DATA_MIN_SIZE) {
227 return false;
228 }
229
230 auto instance = AccessibilitySystemAbilityClient::GetInstance();
231 if (!instance) {
232 return false;
233 }
234
235 size_t position = 0;
236 EventType eventType;
237 position += GetObject<EventType>(eventType, &data[position], size - position);
238 int64_t componentId = 0;
239 position += GetObject<int64_t>(componentId, &data[position], size - position);
240 instance->SendEvent(eventType, componentId);
241
242 AccessibilityEventInfo eventInfo;
243 (void)CreateEventInfo(eventInfo, data, size - position);
244 instance->SendEvent(eventInfo);
245 return true;
246 }
247
SubscribeStateObserverFuzzTest(const uint8_t * data,size_t size)248 bool SubscribeStateObserverFuzzTest(const uint8_t* data, size_t size)
249 {
250 if (data == nullptr || size < DATA_MIN_SIZE) {
251 return false;
252 }
253
254 auto instance = AccessibilitySystemAbilityClient::GetInstance();
255 if (!instance) {
256 return false;
257 }
258
259 size_t position = 0;
260 uint32_t eventTypes = 0;
261 position += GetObject<uint32_t>(eventTypes, &data[position], size - position);
262 std::shared_ptr<StateObserverForFuzzTest> observer = std::make_shared<StateObserverForFuzzTest>();
263 instance->SubscribeStateObserver(observer, eventTypes);
264
265 GetObject<uint32_t>(eventTypes, &data[position], size - position);
266 instance->UnsubscribeStateObserver(observer, eventTypes);
267 return true;
268 }
269
IsEnabledFuzzTest(const uint8_t * data,size_t size)270 bool IsEnabledFuzzTest(const uint8_t* data, size_t size)
271 {
272 if (data == nullptr || size < DATA_MIN_SIZE) {
273 return false;
274 }
275
276 auto instance = AccessibilitySystemAbilityClient::GetInstance();
277 if (!instance) {
278 return false;
279 }
280
281 bool isEnabled = false;
282 GetObject<bool>(isEnabled, &data[0], size);
283 instance->IsEnabled(isEnabled);
284 return true;
285 }
286
IsTouchExplorationEnabledFuzzTest(const uint8_t * data,size_t size)287 bool IsTouchExplorationEnabledFuzzTest(const uint8_t* data, size_t size)
288 {
289 if (data == nullptr || size < DATA_MIN_SIZE) {
290 return false;
291 }
292
293 auto instance = AccessibilitySystemAbilityClient::GetInstance();
294 if (!instance) {
295 return false;
296 }
297
298 bool isEnabled = false;
299 GetObject<bool>(isEnabled, &data[0], size);
300 instance->IsTouchExplorationEnabled(isEnabled);
301 return true;
302 }
303
GetEnabledAbilitiesFuzzTest(const uint8_t * data,size_t size)304 bool GetEnabledAbilitiesFuzzTest(const uint8_t* data, size_t size)
305 {
306 if (data == nullptr || size < DATA_MIN_SIZE) {
307 return false;
308 }
309
310 auto instance = AccessibilitySystemAbilityClient::GetInstance();
311 if (!instance) {
312 return false;
313 }
314
315 size_t position = 0;
316 char name[LEN + 1];
317 name[LEN] = END_CHAR;
318 for (size_t i = 0; i < LEN; i++) {
319 position += GetObject<char>(name[i], &data[position], size - position);
320 }
321 std::string enabledAbility(name);
322 std::vector<std::string> enabledAbilities;
323 enabledAbilities.emplace_back(enabledAbility);
324 instance->GetEnabledAbilities(enabledAbilities);
325 return true;
326 }
327
SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t * data,size_t size)328 bool SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t* data, size_t size)
329 {
330 if (data == nullptr || size < DATA_MIN_SIZE) {
331 return false;
332 }
333
334 int32_t requestId = 0;
335 GetObject<int32_t>(requestId, &data[0], size);
336 std::list<AccessibilityElementInfo> infos;
337 g_asacImpl_.SetSearchElementInfoByAccessibilityIdResult(infos, requestId);
338 return true;
339 }
340
SetSearchElementInfoByTextResultFuzzTest(const uint8_t * data,size_t size)341 bool SetSearchElementInfoByTextResultFuzzTest(const uint8_t* data, size_t size)
342 {
343 if (data == nullptr || size < DATA_MIN_SIZE) {
344 return false;
345 }
346
347 int32_t requestId = 0;
348 GetObject<int32_t>(requestId, &data[0], size);
349 std::list<AccessibilityElementInfo> infos;
350 g_asacImpl_.SetSearchElementInfoByTextResult(infos, requestId);
351 return true;
352 }
353
SetFindFocusedElementInfoResultFuzzTest(const uint8_t * data,size_t size)354 bool SetFindFocusedElementInfoResultFuzzTest(const uint8_t* data, size_t size)
355 {
356 if (data == nullptr || size < DATA_MIN_SIZE) {
357 return false;
358 }
359
360 int32_t requestId = 0;
361 GetObject<int32_t>(requestId, &data[0], size);
362 AccessibilityElementInfo info;
363 g_asacImpl_.SetFindFocusedElementInfoResult(info, requestId);
364 return true;
365 }
366
SetFocusMoveSearchResultFuzzTest(const uint8_t * data,size_t size)367 bool SetFocusMoveSearchResultFuzzTest(const uint8_t* data, size_t size)
368 {
369 if (data == nullptr || size < DATA_MIN_SIZE) {
370 return false;
371 }
372
373 int32_t requestId = 0;
374 GetObject<int32_t>(requestId, &data[0], size);
375 AccessibilityElementInfo info;
376 g_asacImpl_.SetFocusMoveSearchResult(info, requestId);
377 return true;
378 }
379
SetExecuteActionResultFuzzTest(const uint8_t * data,size_t size)380 bool SetExecuteActionResultFuzzTest(const uint8_t* data, size_t size)
381 {
382 if (data == nullptr || size < DATA_MIN_SIZE) {
383 return false;
384 }
385
386 size_t position = 0;
387 bool succeeded = false;
388 int32_t requestId = 0;
389 position += GetObject<bool>(succeeded, &data[position], size - position);
390 GetObject<int32_t>(requestId, &data[position], size - position);
391 g_asacImpl_.SetExecuteActionResult(succeeded, requestId);
392 return true;
393 }
394 } // namespace Accessibility
395 } // namespace OHOS
396
397 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)398 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
399 {
400 /* Run your code on data */
401 OHOS::Accessibility::RegisterElementOperatorFuzzTest(data, size);
402 OHOS::Accessibility::GetAbilityListFuzzTest(data, size);
403 OHOS::Accessibility::SendEventFuzzTest(data, size);
404 OHOS::Accessibility::SubscribeStateObserverFuzzTest(data, size);
405 OHOS::Accessibility::IsEnabledFuzzTest(data, size);
406 OHOS::Accessibility::IsTouchExplorationEnabledFuzzTest(data, size);
407 OHOS::Accessibility::GetEnabledAbilitiesFuzzTest(data, size);
408 OHOS::Accessibility::SetSearchElementInfoByAccessibilityIdResultFuzzTest(data, size);
409 OHOS::Accessibility::SetSearchElementInfoByTextResultFuzzTest(data, size);
410 OHOS::Accessibility::SetFindFocusedElementInfoResultFuzzTest(data, size);
411 OHOS::Accessibility::SetFocusMoveSearchResultFuzzTest(data, size);
412 OHOS::Accessibility::SetExecuteActionResultFuzzTest(data, size);
413 return 0;
414 }