1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibilitysystemabilityclient_fuzzer.h"
17 #include "accessibility_system_ability_client_impl.h"
18 #include "securec.h"
19
20 namespace OHOS {
21 namespace Accessibility {
22 namespace {
23 constexpr size_t DATA_MIN_SIZE = 200;
24 constexpr char END_CHAR = '\0';
25 constexpr size_t LEN = 10;
26 }
27 static AccessibilitySystemAbilityClientImpl g_asacImpl_;
28
29 template<class T>
GetObject(T & object,const uint8_t * data,size_t size)30 size_t GetObject(T &object, const uint8_t *data, size_t size)
31 {
32 size_t objectSize = sizeof(object);
33 if (objectSize > size) {
34 return 0;
35 }
36 return memcpy_s(&object, objectSize, data, objectSize) == EOK ? objectSize : 0;
37 }
38
39 class ElementOperatorForFuzzTest : public AccessibilityElementOperator {
40 public:
41 virtual ~ElementOperatorForFuzzTest() = default;
SearchElementInfoByAccessibilityId(const int64_t elementId,const int32_t requestId,AccessibilityElementOperatorCallback & callback,const int32_t mode)42 RetError SearchElementInfoByAccessibilityId(const int64_t elementId,
43 const int32_t requestId, AccessibilityElementOperatorCallback &callback,
44 const int32_t mode) override { return RET_OK; }
SearchDefaultFocusByWindowId(const int32_t windowId,const int32_t requestId,AccessibilityElementOperatorCallback & callback,const int32_t pageId)45 void SearchDefaultFocusByWindowId(const int32_t windowId,
46 const int32_t requestId, AccessibilityElementOperatorCallback &callback,
47 const int32_t pageId) override {}
SearchElementInfosByText(const int64_t elementId,const std::string & text,const int32_t requestId,AccessibilityElementOperatorCallback & callback)48 void SearchElementInfosByText(const int64_t elementId, const std::string &text,
49 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
50
FindFocusedElementInfo(const int64_t elementId,const int32_t focusType,const int32_t requestId,AccessibilityElementOperatorCallback & callback)51 void FindFocusedElementInfo(const int64_t elementId, const int32_t focusType, const int32_t requestId,
52 AccessibilityElementOperatorCallback &callback) override {}
53
FocusMoveSearch(const int64_t elementId,const int32_t direction,const int32_t requestId,AccessibilityElementOperatorCallback & callback)54 void FocusMoveSearch(const int64_t elementId, const int32_t direction, const int32_t requestId,
55 AccessibilityElementOperatorCallback &callback) override {}
56
ExecuteAction(const int64_t elementId,const int32_t action,const std::map<std::string,std::string> & actionArguments,const int32_t requestId,AccessibilityElementOperatorCallback & callback)57 void ExecuteAction(const int64_t elementId, const int32_t action,
58 const std::map<std::string, std::string> &actionArguments,
59 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
GetCursorPosition(const int64_t elementId,const int32_t requestId,AccessibilityElementOperatorCallback & callback)60 void GetCursorPosition(const int64_t elementId, const int32_t requestId,
61 AccessibilityElementOperatorCallback &callback) override {}
SearchElementInfoBySpecificProperty(const int64_t elementId,const SpecificPropertyParam & param,const int32_t requestId,AccessibilityElementOperatorCallback & callback)62 void SearchElementInfoBySpecificProperty(const int64_t elementId,
63 const SpecificPropertyParam& param, const int32_t requestId,
64 AccessibilityElementOperatorCallback &callback) override {}
ClearFocus()65 void ClearFocus() override {}
OutsideTouch()66 void OutsideTouch() override {}
SetChildTreeIdAndWinId(const int64_t elementId,const int32_t treeId,const int32_t childWindowId)67 void SetChildTreeIdAndWinId(const int64_t elementId, const int32_t treeId,
68 const int32_t childWindowId) override {}
SetBelongTreeId(const int32_t treeId)69 void SetBelongTreeId(const int32_t treeId) override {}
SetParentWindowId(const int32_t parentWindowId)70 void SetParentWindowId(const int32_t parentWindowId) override {}
71 };
72
73 class StateObserverForFuzzTest : public AccessibilityStateObserver {
74 public:
75 virtual ~StateObserverForFuzzTest() = default;
OnStateChanged(const bool state)76 void OnStateChanged(const bool state) {}
77 };
78
79
CreateEventInfoFirstPart(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size,size_t & position)80 static void CreateEventInfoFirstPart(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size,
81 size_t& position)
82 {
83 int64_t componentId = 0;
84 position += GetObject<int64_t>(componentId, &data[position], size - position);
85 eventInfo.SetSource(componentId);
86 int32_t windowId = 0;
87 position += GetObject<int32_t>(windowId, &data[position], size - position);
88 eventInfo.SetWindowId(windowId);
89 int32_t index = 0;
90 position += GetObject<int32_t>(index, &data[position], size - position);
91 eventInfo.SetCurrentIndex(index);
92 position += GetObject<int32_t>(index, &data[position], size - position);
93 eventInfo.SetBeginIndex(index);
94 position += GetObject<int32_t>(index, &data[position], size - position);
95 eventInfo.SetEndIndex(index);
96 int32_t itemCounts = 0;
97 position += GetObject<int32_t>(itemCounts, &data[position], size - position);
98 eventInfo.SetItemCounts(itemCounts);
99 WindowsContentChangeTypes changeTypes;
100 position += GetObject<WindowsContentChangeTypes>(changeTypes, &data[position], size - position);
101 eventInfo.SetWindowContentChangeTypes(changeTypes);
102 WindowUpdateType updateTypes;
103 position += GetObject<WindowUpdateType>(updateTypes, &data[position], size - position);
104 eventInfo.SetWindowChangeTypes(updateTypes);
105 EventType eventType;
106 position += GetObject<EventType>(eventType, &data[position], size - position);
107 eventInfo.SetEventType(eventType);
108 int64_t timeStamp = 0;
109 position += GetObject<int64_t>(timeStamp, &data[position], size - position);
110 eventInfo.SetTimeStamp(timeStamp);
111 TextMoveUnit granularity;
112 position += GetObject<TextMoveUnit>(granularity, &data[position], size - position);
113 eventInfo.SetTextMovementStep(granularity);
114 ActionType action;
115 position += GetObject<ActionType>(action, &data[position], size - position);
116 eventInfo.SetTriggerAction(action);
117 NotificationCategory category;
118 position += GetObject<NotificationCategory>(category, &data[position], size - position);
119 eventInfo.SetNotificationInfo(category);
120 GestureType gestureType;
121 position += GetObject<GestureType>(gestureType, &data[position], size - position);
122 eventInfo.SetGestureType(gestureType);
123 int32_t pageId = 0;
124 position += GetObject<int32_t>(pageId, &data[position], size - position);
125 eventInfo.SetPageId(pageId);
126 int32_t int32Data = 0;
127 position += GetObject<int32_t>(int32Data, &data[position], size - position);
128 eventInfo.SetElementMainWindowId(int32Data);
129 }
130
CreateEventInfoSecondPart(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size,size_t & position)131 static void CreateEventInfoSecondPart(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size,
132 size_t& position)
133 {
134 char name[LEN + 1];
135 name[LEN] = END_CHAR;
136 for (size_t i = 0; i < LEN; i++) {
137 position += GetObject<char>(name[i], &data[position], size - position);
138 }
139 std::string className(name);
140 eventInfo.SetComponentType(className);
141
142 for (size_t i = 0; i < LEN; i++) {
143 position += GetObject<char>(name[i], &data[position], size - position);
144 }
145 std::string beforeText(name);
146 eventInfo.SetBeforeText(beforeText);
147
148 for (size_t i = 0; i < LEN; i++) {
149 position += GetObject<char>(name[i], &data[position], size - position);
150 }
151 std::string content(name);
152 eventInfo.AddContent(content);
153
154 for (size_t i = 0; i < LEN; i++) {
155 position += GetObject<char>(name[i], &data[position], size - position);
156 }
157 std::string lastContent(name);
158 eventInfo.SetLatestContent(lastContent);
159
160 for (size_t i = 0; i < LEN; i++) {
161 position += GetObject<char>(name[i], &data[position], size - position);
162 }
163 std::string contentDescription(name);
164 eventInfo.SetDescription(contentDescription);
165
166 for (size_t i = 0; i < LEN; i++) {
167 position += GetObject<char>(name[i], &data[position], size - position);
168 }
169 std::string bundleName(name);
170 eventInfo.SetBundleName(bundleName);
171
172 for (size_t i = 0; i < LEN; i++) {
173 position += GetObject<char>(name[i], &data[position], size - position);
174 }
175 std::string notificationContent(name);
176 eventInfo.SetNotificationContent(notificationContent);
177 }
178
CheckEventInfoFuzzTest(AccessibilityEventInfo & eventInfo)179 void CheckEventInfoFuzzTest(AccessibilityEventInfo &eventInfo)
180 {
181 eventInfo.GetViewId();
182 eventInfo.GetAccessibilityId();
183 eventInfo.GetWindowId();
184 eventInfo.GetCurrentIndex();
185 eventInfo.GetBeginIndex();
186 eventInfo.GetEndIndex();
187 eventInfo.GetComponentType();
188 eventInfo.GetBeforeText();
189 eventInfo.GetContentList();
190 eventInfo.GetLatestContent();
191 eventInfo.GetDescription();
192 eventInfo.GetItemCounts();
193 eventInfo.GetWindowContentChangeTypes();
194 eventInfo.GetWindowChangeTypes();
195 eventInfo.GetTimeStamp();
196 eventInfo.GetResourceId();
197 eventInfo.GetResourceBundleName();
198 eventInfo.GetResourceModuleName();
199 eventInfo.GetBundleName();
200 eventInfo.GetNotificationContent();
201 eventInfo.GetTextAnnouncedForAccessibility();
202 eventInfo.GetInspectorKey();
203 eventInfo.GetTextMovementStep();
204 eventInfo.GetTriggerAction();
205 eventInfo.GetGestureType();
206 eventInfo.GetNotificationInfo();
207 eventInfo.GetPageId();
208 eventInfo.GetElementInfo();
209 eventInfo.GetRequestFocusElementId();
210 }
211
CreateEventInfo(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size)212 static size_t CreateEventInfo(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size)
213 {
214 size_t position = 0;
215 CreateEventInfoFirstPart(eventInfo, data, size, position);
216 CreateEventInfoSecondPart(eventInfo, data, size, position);
217 CheckEventInfoFuzzTest(eventInfo);
218 return position;
219 }
220
RegisterElementOperatorFuzzTest(const uint8_t * data,size_t size)221 bool RegisterElementOperatorFuzzTest(const uint8_t* data, size_t size)
222 {
223 if (data == nullptr || size < DATA_MIN_SIZE) {
224 return false;
225 }
226
227 auto instance = AccessibilitySystemAbilityClient::GetInstance();
228 if (!instance) {
229 return false;
230 }
231
232 size_t position = 0;
233 int32_t windowId = 0;
234 position += GetObject<int32_t>(windowId, &data[position], size - position);
235 std::shared_ptr<ElementOperatorForFuzzTest> elementOperator = std::make_shared<ElementOperatorForFuzzTest>();
236 instance->RegisterElementOperator(windowId, elementOperator);
237
238 GetObject<int32_t>(windowId, &data[position], size - position);
239 instance->DeregisterElementOperator(windowId);
240 return true;
241 }
242
GetAbilityListFuzzTest(const uint8_t * data,size_t size)243 bool GetAbilityListFuzzTest(const uint8_t* data, size_t size)
244 {
245 if (data == nullptr || size < DATA_MIN_SIZE) {
246 return false;
247 }
248
249 auto instance = AccessibilitySystemAbilityClient::GetInstance();
250 if (!instance) {
251 return false;
252 }
253
254 size_t position = 0;
255 uint32_t abilityTypes = 0;
256 position += GetObject<uint32_t>(abilityTypes, &data[position], size - position);
257 AbilityStateType stateType;
258 GetObject<AbilityStateType>(stateType, &data[position], size - position);
259 std::vector<AccessibilityAbilityInfo> infos;
260 instance->GetAbilityList(abilityTypes, stateType, infos);
261 return true;
262 }
263
SendEventFuzzTest(const uint8_t * data,size_t size)264 bool SendEventFuzzTest(const uint8_t* data, size_t size)
265 {
266 if (data == nullptr || size < DATA_MIN_SIZE) {
267 return false;
268 }
269
270 auto instance = AccessibilitySystemAbilityClient::GetInstance();
271 if (!instance) {
272 return false;
273 }
274
275 size_t position = 0;
276 EventType eventType;
277 position += GetObject<EventType>(eventType, &data[position], size - position);
278 int64_t componentId = 0;
279 position += GetObject<int64_t>(componentId, &data[position], size - position);
280 instance->SendEvent(eventType, componentId);
281
282 AccessibilityEventInfo eventInfo;
283 (void)CreateEventInfo(eventInfo, data, size - position);
284 instance->SendEvent(eventInfo);
285 return true;
286 }
287
SubscribeStateObserverFuzzTest(const uint8_t * data,size_t size)288 bool SubscribeStateObserverFuzzTest(const uint8_t* data, size_t size)
289 {
290 if (data == nullptr || size < DATA_MIN_SIZE) {
291 return false;
292 }
293
294 auto instance = AccessibilitySystemAbilityClient::GetInstance();
295 if (!instance) {
296 return false;
297 }
298
299 size_t position = 0;
300 uint32_t eventTypes = 0;
301 position += GetObject<uint32_t>(eventTypes, &data[position], size - position);
302 std::shared_ptr<StateObserverForFuzzTest> observer = std::make_shared<StateObserverForFuzzTest>();
303 instance->SubscribeStateObserver(observer, eventTypes);
304
305 GetObject<uint32_t>(eventTypes, &data[position], size - position);
306 instance->UnsubscribeStateObserver(observer, eventTypes);
307 return true;
308 }
309
IsEnabledFuzzTest(const uint8_t * data,size_t size)310 bool IsEnabledFuzzTest(const uint8_t* data, size_t size)
311 {
312 if (data == nullptr || size < DATA_MIN_SIZE) {
313 return false;
314 }
315
316 auto instance = AccessibilitySystemAbilityClient::GetInstance();
317 if (!instance) {
318 return false;
319 }
320
321 bool isEnabled = false;
322 GetObject<bool>(isEnabled, &data[0], size);
323 instance->IsEnabled(isEnabled);
324 return true;
325 }
326
IsTouchExplorationEnabledFuzzTest(const uint8_t * data,size_t size)327 bool IsTouchExplorationEnabledFuzzTest(const uint8_t* data, size_t size)
328 {
329 if (data == nullptr || size < DATA_MIN_SIZE) {
330 return false;
331 }
332
333 auto instance = AccessibilitySystemAbilityClient::GetInstance();
334 if (!instance) {
335 return false;
336 }
337
338 bool isEnabled = false;
339 GetObject<bool>(isEnabled, &data[0], size);
340 instance->IsTouchExplorationEnabled(isEnabled);
341 return true;
342 }
343
GetEnabledAbilitiesFuzzTest(const uint8_t * data,size_t size)344 bool GetEnabledAbilitiesFuzzTest(const uint8_t* data, size_t size)
345 {
346 if (data == nullptr || size < DATA_MIN_SIZE) {
347 return false;
348 }
349
350 auto instance = AccessibilitySystemAbilityClient::GetInstance();
351 if (!instance) {
352 return false;
353 }
354
355 size_t position = 0;
356 char name[LEN + 1];
357 name[LEN] = END_CHAR;
358 for (size_t i = 0; i < LEN; i++) {
359 position += GetObject<char>(name[i], &data[position], size - position);
360 }
361 std::string enabledAbility(name);
362 std::vector<std::string> enabledAbilities;
363 enabledAbilities.emplace_back(enabledAbility);
364 instance->GetEnabledAbilities(enabledAbilities);
365 return true;
366 }
367
SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t * data,size_t size)368 bool SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t* data, size_t size)
369 {
370 if (data == nullptr || size < DATA_MIN_SIZE) {
371 return false;
372 }
373
374 int32_t requestId = 0;
375 GetObject<int32_t>(requestId, &data[0], size);
376 std::list<AccessibilityElementInfo> infos;
377 g_asacImpl_.SetSearchElementInfoByAccessibilityIdResult(infos, requestId);
378 return true;
379 }
380
SetSearchElementInfoByTextResultFuzzTest(const uint8_t * data,size_t size)381 bool SetSearchElementInfoByTextResultFuzzTest(const uint8_t* data, size_t size)
382 {
383 if (data == nullptr || size < DATA_MIN_SIZE) {
384 return false;
385 }
386
387 int32_t requestId = 0;
388 GetObject<int32_t>(requestId, &data[0], size);
389 std::list<AccessibilityElementInfo> infos;
390 g_asacImpl_.SetSearchElementInfoByTextResult(infos, requestId);
391 return true;
392 }
393
SetFindFocusedElementInfoResultFuzzTest(const uint8_t * data,size_t size)394 bool SetFindFocusedElementInfoResultFuzzTest(const uint8_t* data, size_t size)
395 {
396 if (data == nullptr || size < DATA_MIN_SIZE) {
397 return false;
398 }
399
400 int32_t requestId = 0;
401 GetObject<int32_t>(requestId, &data[0], size);
402 AccessibilityElementInfo info;
403 g_asacImpl_.SetFindFocusedElementInfoResult(info, requestId);
404 return true;
405 }
406
SetFocusMoveSearchResultFuzzTest(const uint8_t * data,size_t size)407 bool SetFocusMoveSearchResultFuzzTest(const uint8_t* data, size_t size)
408 {
409 if (data == nullptr || size < DATA_MIN_SIZE) {
410 return false;
411 }
412
413 int32_t requestId = 0;
414 GetObject<int32_t>(requestId, &data[0], size);
415 AccessibilityElementInfo info;
416 g_asacImpl_.SetFocusMoveSearchResult(info, requestId);
417 return true;
418 }
419
SetExecuteActionResultFuzzTest(const uint8_t * data,size_t size)420 bool SetExecuteActionResultFuzzTest(const uint8_t* data, size_t size)
421 {
422 if (data == nullptr || size < DATA_MIN_SIZE) {
423 return false;
424 }
425
426 size_t position = 0;
427 bool succeeded = false;
428 int32_t requestId = 0;
429 position += GetObject<bool>(succeeded, &data[position], size - position);
430 GetObject<int32_t>(requestId, &data[position], size - position);
431 g_asacImpl_.SetExecuteActionResult(succeeded, requestId);
432 return true;
433 }
434 } // namespace Accessibility
435 } // namespace OHOS
436
437 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)438 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
439 {
440 /* Run your code on data */
441 OHOS::Accessibility::RegisterElementOperatorFuzzTest(data, size);
442 OHOS::Accessibility::GetAbilityListFuzzTest(data, size);
443 OHOS::Accessibility::SendEventFuzzTest(data, size);
444 OHOS::Accessibility::SubscribeStateObserverFuzzTest(data, size);
445 OHOS::Accessibility::IsEnabledFuzzTest(data, size);
446 OHOS::Accessibility::IsTouchExplorationEnabledFuzzTest(data, size);
447 OHOS::Accessibility::GetEnabledAbilitiesFuzzTest(data, size);
448 OHOS::Accessibility::SetSearchElementInfoByAccessibilityIdResultFuzzTest(data, size);
449 OHOS::Accessibility::SetSearchElementInfoByTextResultFuzzTest(data, size);
450 OHOS::Accessibility::SetFindFocusedElementInfoResultFuzzTest(data, size);
451 OHOS::Accessibility::SetFocusMoveSearchResultFuzzTest(data, size);
452 OHOS::Accessibility::SetExecuteActionResultFuzzTest(data, size);
453 return 0;
454 }