1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "accessibilitysystemabilityclient_fuzzer.h"
17 #include "accessibility_system_ability_client_impl.h"
18 #include "securec.h"
19
20 namespace OHOS {
21 namespace Accessibility {
22 namespace {
23 constexpr size_t DATA_MIN_SIZE = 200;
24 constexpr char END_CHAR = '\0';
25 constexpr size_t LEN = 10;
26 }
27 static AccessibilitySystemAbilityClientImpl g_asacImpl_;
28
29 template<class T>
GetObject(T & object,const uint8_t * data,size_t size)30 size_t GetObject(T &object, const uint8_t *data, size_t size)
31 {
32 size_t objectSize = sizeof(object);
33 if (objectSize > size) {
34 return 0;
35 }
36 return memcpy_s(&object, objectSize, data, objectSize) == EOK ? objectSize : 0;
37 }
38
39 class ElementOperatorForFuzzTest : public AccessibilityElementOperator {
40 public:
41 virtual ~ElementOperatorForFuzzTest() = default;
SearchElementInfoByAccessibilityId(const int32_t elementId,const int32_t requestId,AccessibilityElementOperatorCallback & callback,const int32_t mode)42 void SearchElementInfoByAccessibilityId(const int32_t elementId,
43 const int32_t requestId, AccessibilityElementOperatorCallback &callback, const int32_t mode) override {}
44
SearchElementInfosByText(const int32_t elementId,const std::string & text,const int32_t requestId,AccessibilityElementOperatorCallback & callback)45 void SearchElementInfosByText(const int32_t elementId, const std::string &text,
46 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
47
FindFocusedElementInfo(const int32_t elementId,const int32_t focusType,const int32_t requestId,AccessibilityElementOperatorCallback & callback)48 void FindFocusedElementInfo(const int32_t elementId, const int32_t focusType, const int32_t requestId,
49 AccessibilityElementOperatorCallback &callback) override {}
50
FocusMoveSearch(const int32_t elementId,const int32_t direction,const int32_t requestId,AccessibilityElementOperatorCallback & callback)51 void FocusMoveSearch(const int32_t elementId, const int32_t direction, const int32_t requestId,
52 AccessibilityElementOperatorCallback &callback) override {}
53
ExecuteAction(const int32_t elementId,const int32_t action,const std::map<std::string,std::string> & actionArguments,const int32_t requestId,AccessibilityElementOperatorCallback & callback)54 void ExecuteAction(const int32_t elementId, const int32_t action,
55 const std::map<std::string, std::string> &actionArguments,
56 const int32_t requestId, AccessibilityElementOperatorCallback &callback) override {}
ClearFocus()57 void ClearFocus() override {}
OutsideTouch()58 void OutsideTouch() override {}
59 };
60
61 class StateObserverForFuzzTest : public AccessibilityStateObserver {
62 public:
63 virtual ~StateObserverForFuzzTest() = default;
OnStateChanged(const bool state)64 void OnStateChanged(const bool state) {}
65 };
66
67
CreateEventInfoFirstPart(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size,size_t & position)68 static void CreateEventInfoFirstPart(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size,
69 size_t& position)
70 {
71 int32_t componentId = 0;
72 position += GetObject<int32_t>(componentId, &data[position], size - position);
73 eventInfo.SetSource(componentId);
74 int32_t windowId = 0;
75 position += GetObject<int32_t>(windowId, &data[position], size - position);
76 eventInfo.SetWindowId(windowId);
77 int32_t index = 0;
78 position += GetObject<int32_t>(index, &data[position], size - position);
79 eventInfo.SetCurrentIndex(index);
80 position += GetObject<int32_t>(index, &data[position], size - position);
81 eventInfo.SetBeginIndex(index);
82 position += GetObject<int32_t>(index, &data[position], size - position);
83 eventInfo.SetEndIndex(index);
84 int32_t itemCounts = 0;
85 position += GetObject<int32_t>(itemCounts, &data[position], size - position);
86 eventInfo.SetItemCounts(itemCounts);
87 WindowsContentChangeTypes changeTypes;
88 position += GetObject<WindowsContentChangeTypes>(changeTypes, &data[position], size - position);
89 eventInfo.SetWindowContentChangeTypes(changeTypes);
90 WindowUpdateType updateTypes;
91 position += GetObject<WindowUpdateType>(updateTypes, &data[position], size - position);
92 eventInfo.SetWindowChangeTypes(updateTypes);
93 EventType eventType;
94 position += GetObject<EventType>(eventType, &data[position], size - position);
95 eventInfo.SetEventType(eventType);
96 int64_t timeStamp = 0;
97 position += GetObject<int64_t>(timeStamp, &data[position], size - position);
98 eventInfo.SetTimeStamp(timeStamp);
99 TextMoveUnit granularity;
100 position += GetObject<TextMoveUnit>(granularity, &data[position], size - position);
101 eventInfo.SetTextMovementStep(granularity);
102 ActionType action;
103 position += GetObject<ActionType>(action, &data[position], size - position);
104 eventInfo.SetTriggerAction(action);
105 NotificationCategory category;
106 position += GetObject<NotificationCategory>(category, &data[position], size - position);
107 eventInfo.SetNotificationInfo(category);
108 GestureType gestureType;
109 position += GetObject<GestureType>(gestureType, &data[position], size - position);
110 eventInfo.SetGestureType(gestureType);
111 int32_t pageId = 0;
112 position += GetObject<int32_t>(pageId, &data[position], size - position);
113 eventInfo.SetPageId(pageId);
114 }
115
CreateEventInfoSecondPart(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size,size_t & position)116 static void CreateEventInfoSecondPart(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size,
117 size_t& position)
118 {
119 char name[LEN + 1];
120 name[LEN] = END_CHAR;
121 for (size_t i = 0; i < LEN; i++) {
122 position += GetObject<char>(name[i], &data[position], size - position);
123 }
124 std::string className(name);
125 eventInfo.SetComponentType(className);
126
127 for (size_t i = 0; i < LEN; i++) {
128 position += GetObject<char>(name[i], &data[position], size - position);
129 }
130 std::string beforeText(name);
131 eventInfo.SetBeforeText(beforeText);
132
133 for (size_t i = 0; i < LEN; i++) {
134 position += GetObject<char>(name[i], &data[position], size - position);
135 }
136 std::string content(name);
137 eventInfo.AddContent(content);
138
139 for (size_t i = 0; i < LEN; i++) {
140 position += GetObject<char>(name[i], &data[position], size - position);
141 }
142 std::string lastContent(name);
143 eventInfo.SetLatestContent(lastContent);
144
145 for (size_t i = 0; i < LEN; i++) {
146 position += GetObject<char>(name[i], &data[position], size - position);
147 }
148 std::string contentDescription(name);
149 eventInfo.SetDescription(contentDescription);
150
151 for (size_t i = 0; i < LEN; i++) {
152 position += GetObject<char>(name[i], &data[position], size - position);
153 }
154 std::string bundleName(name);
155 eventInfo.SetBundleName(bundleName);
156
157 for (size_t i = 0; i < LEN; i++) {
158 position += GetObject<char>(name[i], &data[position], size - position);
159 }
160 std::string notificationContent(name);
161 eventInfo.SetNotificationContent(notificationContent);
162 }
163
CreateEventInfo(AccessibilityEventInfo & eventInfo,const uint8_t * data,size_t size)164 static size_t CreateEventInfo(AccessibilityEventInfo &eventInfo, const uint8_t* data, size_t size)
165 {
166 size_t position = 0;
167 CreateEventInfoFirstPart(eventInfo, data, size, position);
168 CreateEventInfoSecondPart(eventInfo, data, size, position);
169 return position;
170 }
171
RegisterElementOperatorFuzzTest(const uint8_t * data,size_t size)172 bool RegisterElementOperatorFuzzTest(const uint8_t* data, size_t size)
173 {
174 if (data == nullptr || size < DATA_MIN_SIZE) {
175 return false;
176 }
177
178 auto instance = AccessibilitySystemAbilityClient::GetInstance();
179 if (!instance) {
180 return false;
181 }
182
183 size_t position = 0;
184 int32_t windowId = 0;
185 position += GetObject<int32_t>(windowId, &data[position], size - position);
186 std::shared_ptr<ElementOperatorForFuzzTest> elementOperator = std::make_shared<ElementOperatorForFuzzTest>();
187 instance->RegisterElementOperator(windowId, elementOperator);
188
189 GetObject<int32_t>(windowId, &data[position], size - position);
190 instance->DeregisterElementOperator(windowId);
191 return true;
192 }
193
GetAbilityListFuzzTest(const uint8_t * data,size_t size)194 bool GetAbilityListFuzzTest(const uint8_t* data, size_t size)
195 {
196 if (data == nullptr || size < DATA_MIN_SIZE) {
197 return false;
198 }
199
200 auto instance = AccessibilitySystemAbilityClient::GetInstance();
201 if (!instance) {
202 return false;
203 }
204
205 size_t position = 0;
206 uint32_t abilityTypes = 0;
207 position += GetObject<uint32_t>(abilityTypes, &data[position], size - position);
208 AbilityStateType stateType;
209 GetObject<AbilityStateType>(stateType, &data[position], size - position);
210 std::vector<AccessibilityAbilityInfo> infos;
211 instance->GetAbilityList(abilityTypes, stateType, infos);
212 return true;
213 }
214
SendEventFuzzTest(const uint8_t * data,size_t size)215 bool SendEventFuzzTest(const uint8_t* data, size_t size)
216 {
217 if (data == nullptr || size < DATA_MIN_SIZE) {
218 return false;
219 }
220
221 auto instance = AccessibilitySystemAbilityClient::GetInstance();
222 if (!instance) {
223 return false;
224 }
225
226 size_t position = 0;
227 EventType eventType;
228 position += GetObject<EventType>(eventType, &data[position], size - position);
229 int32_t componentId = 0;
230 position += GetObject<int32_t>(componentId, &data[position], size - position);
231 instance->SendEvent(eventType, componentId);
232
233 AccessibilityEventInfo eventInfo;
234 (void)CreateEventInfo(eventInfo, data, size - position);
235 instance->SendEvent(eventInfo);
236 return true;
237 }
238
SubscribeStateObserverFuzzTest(const uint8_t * data,size_t size)239 bool SubscribeStateObserverFuzzTest(const uint8_t* data, size_t size)
240 {
241 if (data == nullptr || size < DATA_MIN_SIZE) {
242 return false;
243 }
244
245 auto instance = AccessibilitySystemAbilityClient::GetInstance();
246 if (!instance) {
247 return false;
248 }
249
250 size_t position = 0;
251 uint32_t eventTypes = 0;
252 position += GetObject<uint32_t>(eventTypes, &data[position], size - position);
253 std::shared_ptr<StateObserverForFuzzTest> observer = std::make_shared<StateObserverForFuzzTest>();
254 instance->SubscribeStateObserver(observer, eventTypes);
255
256 GetObject<uint32_t>(eventTypes, &data[position], size - position);
257 instance->UnsubscribeStateObserver(observer, eventTypes);
258 return true;
259 }
260
IsEnabledFuzzTest(const uint8_t * data,size_t size)261 bool IsEnabledFuzzTest(const uint8_t* data, size_t size)
262 {
263 if (data == nullptr || size < DATA_MIN_SIZE) {
264 return false;
265 }
266
267 auto instance = AccessibilitySystemAbilityClient::GetInstance();
268 if (!instance) {
269 return false;
270 }
271
272 bool isEnabled = false;
273 GetObject<bool>(isEnabled, &data[0], size);
274 instance->IsEnabled(isEnabled);
275 return true;
276 }
277
IsTouchExplorationEnabledFuzzTest(const uint8_t * data,size_t size)278 bool IsTouchExplorationEnabledFuzzTest(const uint8_t* data, size_t size)
279 {
280 if (data == nullptr || size < DATA_MIN_SIZE) {
281 return false;
282 }
283
284 auto instance = AccessibilitySystemAbilityClient::GetInstance();
285 if (!instance) {
286 return false;
287 }
288
289 bool isEnabled = false;
290 GetObject<bool>(isEnabled, &data[0], size);
291 instance->IsTouchExplorationEnabled(isEnabled);
292 return true;
293 }
294
GetEnabledAbilitiesFuzzTest(const uint8_t * data,size_t size)295 bool GetEnabledAbilitiesFuzzTest(const uint8_t* data, size_t size)
296 {
297 if (data == nullptr || size < DATA_MIN_SIZE) {
298 return false;
299 }
300
301 auto instance = AccessibilitySystemAbilityClient::GetInstance();
302 if (!instance) {
303 return false;
304 }
305
306 size_t position = 0;
307 char name[LEN + 1];
308 name[LEN] = END_CHAR;
309 for (size_t i = 0; i < LEN; i++) {
310 position += GetObject<char>(name[i], &data[position], size - position);
311 }
312 std::string enabledAbility(name);
313 std::vector<std::string> enabledAbilities;
314 enabledAbilities.emplace_back(enabledAbility);
315 instance->GetEnabledAbilities(enabledAbilities);
316 return true;
317 }
318
SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t * data,size_t size)319 bool SetSearchElementInfoByAccessibilityIdResultFuzzTest(const uint8_t* data, size_t size)
320 {
321 if (data == nullptr || size < DATA_MIN_SIZE) {
322 return false;
323 }
324
325 int32_t requestId = 0;
326 GetObject<int32_t>(requestId, &data[0], size);
327 std::list<AccessibilityElementInfo> infos;
328 g_asacImpl_.SetSearchElementInfoByAccessibilityIdResult(infos, requestId);
329 return true;
330 }
331
SetSearchElementInfoByTextResultFuzzTest(const uint8_t * data,size_t size)332 bool SetSearchElementInfoByTextResultFuzzTest(const uint8_t* data, size_t size)
333 {
334 if (data == nullptr || size < DATA_MIN_SIZE) {
335 return false;
336 }
337
338 int32_t requestId = 0;
339 GetObject<int32_t>(requestId, &data[0], size);
340 std::list<AccessibilityElementInfo> infos;
341 g_asacImpl_.SetSearchElementInfoByTextResult(infos, requestId);
342 return true;
343 }
344
SetFindFocusedElementInfoResultFuzzTest(const uint8_t * data,size_t size)345 bool SetFindFocusedElementInfoResultFuzzTest(const uint8_t* data, size_t size)
346 {
347 if (data == nullptr || size < DATA_MIN_SIZE) {
348 return false;
349 }
350
351 int32_t requestId = 0;
352 GetObject<int32_t>(requestId, &data[0], size);
353 AccessibilityElementInfo info;
354 g_asacImpl_.SetFindFocusedElementInfoResult(info, requestId);
355 return true;
356 }
357
SetFocusMoveSearchResultFuzzTest(const uint8_t * data,size_t size)358 bool SetFocusMoveSearchResultFuzzTest(const uint8_t* data, size_t size)
359 {
360 if (data == nullptr || size < DATA_MIN_SIZE) {
361 return false;
362 }
363
364 int32_t requestId = 0;
365 GetObject<int32_t>(requestId, &data[0], size);
366 AccessibilityElementInfo info;
367 g_asacImpl_.SetFocusMoveSearchResult(info, requestId);
368 return true;
369 }
370
SetExecuteActionResultFuzzTest(const uint8_t * data,size_t size)371 bool SetExecuteActionResultFuzzTest(const uint8_t* data, size_t size)
372 {
373 if (data == nullptr || size < DATA_MIN_SIZE) {
374 return false;
375 }
376
377 size_t position = 0;
378 bool succeeded = false;
379 int32_t requestId = 0;
380 position += GetObject<bool>(succeeded, &data[position], size - position);
381 GetObject<int32_t>(requestId, &data[position], size - position);
382 g_asacImpl_.SetExecuteActionResult(succeeded, requestId);
383 return true;
384 }
385 } // namespace Accessibility
386 } // namespace OHOS
387
388 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)389 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
390 {
391 /* Run your code on data */
392 OHOS::Accessibility::RegisterElementOperatorFuzzTest(data, size);
393 OHOS::Accessibility::GetAbilityListFuzzTest(data, size);
394 OHOS::Accessibility::SendEventFuzzTest(data, size);
395 OHOS::Accessibility::SubscribeStateObserverFuzzTest(data, size);
396 OHOS::Accessibility::IsEnabledFuzzTest(data, size);
397 OHOS::Accessibility::IsTouchExplorationEnabledFuzzTest(data, size);
398 OHOS::Accessibility::GetEnabledAbilitiesFuzzTest(data, size);
399 OHOS::Accessibility::SetSearchElementInfoByAccessibilityIdResultFuzzTest(data, size);
400 OHOS::Accessibility::SetSearchElementInfoByTextResultFuzzTest(data, size);
401 OHOS::Accessibility::SetFindFocusedElementInfoResultFuzzTest(data, size);
402 OHOS::Accessibility::SetFocusMoveSearchResultFuzzTest(data, size);
403 OHOS::Accessibility::SetExecuteActionResultFuzzTest(data, size);
404 return 0;
405 }