Michael Ensing | 910968d | 2020-07-19 17:19:31 -0700 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2022 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #include <MapperHelpers.h> |
| 18 | #include <fuzzer/FuzzedDataProvider.h> |
| 19 | #include "InputCommonConverter.h" |
| 20 | #include "InputProcessor.h" |
| 21 | |
| 22 | namespace android { |
| 23 | |
// Upper bound passed to ConsumeIntegralInRange() when generateFuzzedMotionArgs()
// decides how many axis values to write into the fuzzed PointerCoords.
static constexpr int32_t MAX_AXES{64};
| 25 | |
| 26 | // Used by two fuzz operations and a bit lengthy, so pulled out into a function. |
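// Builds a single-pointer AMOTION_EVENT_ACTION_DOWN NotifyMotionArgs for the fuzz operations.
//
// Fixed by the harness: pointer id 0, finger tool type, AINPUT_SOURCE_ANY, the default
// display, eventTime and downTime of 2, AMETA_NONE, no classification, no edge flags, an
// invalid cursor position and no video frames.
// Drawn from |fdp|: the axis ids and values, the read-time offset, sequenceNum, deviceId,
// policyFlags, actionButton, flags, buttonState and the x/y precision.
//
// Every fuzzed value is consumed into a named local before it is used. The order in which
// function-call arguments are evaluated is unspecified in C++, so consuming from |fdp| inside
// an argument list makes the byte-to-field mapping toolchain-dependent, and a crashing input
// may not reproduce on a different compiler. The locals below are declared in the same
// left-to-right order the arguments were originally written in.
NotifyMotionArgs generateFuzzedMotionArgs(FuzzedDataProvider &fdp) {
    // Create a basic motion event for testing
    PointerProperties properties;
    properties.id = 0;
    properties.toolType = AMOTION_EVENT_TOOL_TYPE_FINGER;
    PointerCoords coords;
    coords.clear();

    // Draw the axis count exactly once. Calling ConsumeIntegralInRange() in the loop condition
    // pulled a new bound from the input on every iteration, so the number of axes was never a
    // single fuzzed value and extra input bytes were spent on each comparison.
    // Existing corpus entries are interpreted differently after this change.
    const int32_t axisCount = fdp.ConsumeIntegralInRange<int32_t>(0, MAX_AXES);
    for (int32_t i = 0; i < axisCount; i++) {
        // The axis id is left unconstrained, so ids outside the valid range are passed too.
        // NOTE(review): confirm setAxisValue() rejects such ids rather than indexing with them.
        const int32_t axis = fdp.ConsumeIntegral<int32_t>();
        const float axisValue = fdp.ConsumeFloatingPoint<float>();
        coords.setAxisValue(axis, axisValue);
    }

    const nsecs_t downTime = 2;
    // downTime is the constant 2 and the offset is at most 1E8, so this sum cannot overflow.
    const nsecs_t readTime = downTime + fdp.ConsumeIntegralInRange<nsecs_t>(0, 1E8);
    const uint32_t sequenceNum = fdp.ConsumeIntegral<uint32_t>();
    const int32_t deviceId = fdp.ConsumeIntegral<int32_t>();
    const uint32_t policyFlags = fdp.ConsumeIntegral<uint32_t>();
    const int32_t actionButton = fdp.ConsumeIntegral<int32_t>();
    const int32_t flags = fdp.ConsumeIntegral<int32_t>();
    const int32_t buttonState = fdp.ConsumeIntegral<int32_t>();
    const float xPrecision = fdp.ConsumeFloatingPoint<float>();
    const float yPrecision = fdp.ConsumeFloatingPoint<float>();

    // |properties| and |coords| are locals passed by address.
    // NOTE(review): returning motionArgs by value assumes the constructor copies the pointer
    // data instead of retaining these addresses - confirm against NotifyMotionArgs.
    NotifyMotionArgs motionArgs(sequenceNum, downTime /*eventTime*/, readTime, deviceId,
                                AINPUT_SOURCE_ANY, ADISPLAY_ID_DEFAULT, policyFlags,
                                AMOTION_EVENT_ACTION_DOWN, actionButton, flags, AMETA_NONE,
                                buttonState, MotionClassification::NONE,
                                AMOTION_EVENT_EDGE_FLAG_NONE, 1 /*pointerCount*/, &properties,
                                &coords, xPrecision, yPrecision,
                                AMOTION_EVENT_INVALID_CURSOR_POSITION,
                                AMOTION_EVENT_INVALID_CURSOR_POSITION, downTime,
                                {} /*videoFrames*/);
    return motionArgs;
}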
| 58 | |
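// libFuzzer entry point. Wraps the input in a FuzzedDataProvider and, while bytes remain,
// lets the input pick one of six operations: five forward a fuzzed Notify*Args to an
// InputProcessor that is wired to a FuzzInputListener, and the sixth runs the
// NotifyMotionArgs-to-HAL-MotionEvent conversion.
//
// |data| is taken as const to match the prototype libFuzzer declares for this symbol; the
// harness never writes through it.
//
// Fuzzed values are consumed into named locals before each Notify*Args is built. Argument
// evaluation order is unspecified in C++, so consuming inside the argument list would make
// the byte-to-field mapping depend on the toolchain. The locals keep the original
// left-to-right order.
//
// Always returns 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    FuzzedDataProvider fdp(data, size);

    // The processor is constructed from a reference to the listener. Declaring the listener
    // first means it is destroyed last, after the processor.
    std::unique_ptr<FuzzInputListener> fuzzListener = std::make_unique<FuzzInputListener>();
    std::unique_ptr<InputProcessorInterface> processor =
            std::make_unique<InputProcessor>(*fuzzListener);

    while (fdp.remaining_bytes() > 0) {
        fdp.PickValueInArray<std::function<void()>>({
                [&]() -> void {
                    // SendToNextStage_NotifyConfigurationChangedArgs
                    const uint32_t sequenceNum = fdp.ConsumeIntegral<uint32_t>();
                    const nsecs_t eventTime = fdp.ConsumeIntegral<nsecs_t>();
                    NotifyConfigurationChangedArgs args(sequenceNum, eventTime);
                    processor->notifyConfigurationChanged(&args);
                },
                [&]() -> void {
                    // SendToNextStage_NotifyKeyArgs
                    const nsecs_t eventTime = fdp.ConsumeIntegral<nsecs_t>();
                    const nsecs_t readDelay = fdp.ConsumeIntegralInRange<nsecs_t>(0, 1E8);
                    // eventTime spans the whole nsecs_t range, so a plain
                    // `eventTime + readDelay` can overflow a signed integer. That is undefined
                    // behaviour inside the harness itself, and a sanitizer would report it as
                    // a finding that has nothing to do with the code under test.
                    // On overflow, fall back to readTime == eventTime.
                    nsecs_t readTime;
                    if (__builtin_add_overflow(eventTime, readDelay, &readTime)) {
                        readTime = eventTime;
                    }
                    const uint32_t sequenceNum = fdp.ConsumeIntegral<uint32_t>();
                    const int32_t deviceId = fdp.ConsumeIntegral<int32_t>();
                    const uint32_t policyFlags = fdp.ConsumeIntegral<uint32_t>();
                    const int32_t flags = fdp.ConsumeIntegral<int32_t>();
                    const int32_t scanCode = fdp.ConsumeIntegral<int32_t>();
                    const nsecs_t downTime = fdp.ConsumeIntegral<nsecs_t>();
                    NotifyKeyArgs keyArgs(sequenceNum, eventTime, readTime, deviceId,
                                          AINPUT_SOURCE_KEYBOARD, ADISPLAY_ID_DEFAULT,
                                          policyFlags, AKEY_EVENT_ACTION_DOWN, flags,
                                          AKEYCODE_HOME, scanCode, AMETA_NONE, downTime);

                    processor->notifyKey(&keyArgs);
                },
                [&]() -> void {
                    // SendToNextStage_NotifyMotionArgs
                    NotifyMotionArgs motionArgs = generateFuzzedMotionArgs(fdp);
                    processor->notifyMotion(&motionArgs);
                },
                [&]() -> void {
                    // SendToNextStage_NotifySwitchArgs
                    const uint32_t sequenceNum = fdp.ConsumeIntegral<uint32_t>();
                    const nsecs_t eventTime = fdp.ConsumeIntegral<nsecs_t>();
                    const uint32_t policyFlags = fdp.ConsumeIntegral<uint32_t>();
                    const uint32_t switchValues = fdp.ConsumeIntegral<uint32_t>();
                    const uint32_t switchMask = fdp.ConsumeIntegral<uint32_t>();
                    NotifySwitchArgs switchArgs(sequenceNum, eventTime, policyFlags,
                                                switchValues, switchMask);

                    processor->notifySwitch(&switchArgs);
                },
                [&]() -> void {
                    // SendToNextStage_NotifyDeviceResetArgs
                    const uint32_t sequenceNum = fdp.ConsumeIntegral<uint32_t>();
                    const nsecs_t eventTime = fdp.ConsumeIntegral<nsecs_t>();
                    const int32_t deviceId = fdp.ConsumeIntegral<int32_t>();
                    NotifyDeviceResetArgs resetArgs(sequenceNum, eventTime, deviceId);

                    processor->notifyDeviceReset(&resetArgs);
                },
                [&]() -> void {
                    // InputClassifierConverterTest
                    // The converted event is discarded; this operation only runs the
                    // conversion on fuzzed arguments.
                    const NotifyMotionArgs motionArgs = generateFuzzedMotionArgs(fdp);
                    aidl::android::hardware::input::common::MotionEvent motionEvent =
                            notifyMotionArgsToHalMotionEvent(motionArgs);
                },
        })();
    }
    return 0;
}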
| 125 | |
| 126 | } // namespace android |