1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <assert.h>
18 #include <stdlib.h>
19 #include <string.h>
20 #include <sys/stat.h>
21
22 #include <string>
23
24 #define LOG_TAG "MtpFuzzer"
25
26 #include <log/log.h>
27
28 #include "MtpDebug.h"
29 #include "MtpMockDatabase.h"
30 #include "MtpObjectInfo.h"
31
32 namespace android {
33
MtpMockDatabase()34 MtpMockDatabase::MtpMockDatabase() : mLastObjectHandle(0) {}
35
~MtpMockDatabase()36 MtpMockDatabase::~MtpMockDatabase() {
37 for (MtpObjectInfo* i : mObjects) {
38 delete i;
39 }
40 mObjects.clear();
41 }
42
addObject(MtpObjectInfo * info)43 void MtpMockDatabase::addObject(MtpObjectInfo* info) {
44 assert(hasStorage(info->mStorageID));
45
46 // we take ownership
47 mObjects.push_back(info);
48
49 return;
50 }
51
allocateObjectHandle()52 MtpObjectHandle MtpMockDatabase::allocateObjectHandle() {
53 // this is in sync with our mObjects database
54 return mLastObjectHandle++;
55 }
56
57 // Called from SendObjectInfo to reserve a database entry for the incoming file.
beginSendObject(const char * path,MtpObjectFormat format,MtpObjectHandle parent,MtpStorageID storage)58 MtpObjectHandle MtpMockDatabase::beginSendObject(const char* path, MtpObjectFormat format,
59 MtpObjectHandle parent, MtpStorageID storage) {
60 if (!hasStorage(storage)) {
61 ALOGW("%s: Tried to lookup storageID %u, but doesn't exist\n", __func__, storage);
62 return kInvalidObjectHandle;
63 }
64
65 ALOGD("MockDatabase %s: path=%s oformat=0x%04x parent_handle=%u "
66 "storage_id=%u\n",
67 __func__, path, format, parent, storage);
68
69 return mLastObjectHandle;
70 }
71
72 // Called to report success or failure of the SendObject file transfer.
endSendObject(MtpObjectHandle handle,bool succeeded)73 void MtpMockDatabase::endSendObject(MtpObjectHandle handle, bool succeeded) {
74 ALOGD("MockDatabase %s: ohandle=%u succeeded=%d\n", __func__, handle, succeeded);
75 }
76
77 // Called to rescan a file, such as after an edit.
rescanFile(const char * path,MtpObjectHandle handle,MtpObjectFormat format)78 void MtpMockDatabase::rescanFile(const char* path, MtpObjectHandle handle, MtpObjectFormat format) {
79 ALOGD("MockDatabase %s: path=%s ohandle=%u, oformat=0x%04x\n", __func__, path, handle, format);
80 }
81
getObjectList(MtpStorageID storageID,MtpObjectFormat format,MtpObjectHandle parent)82 MtpObjectHandleList* MtpMockDatabase::getObjectList(MtpStorageID storageID, MtpObjectFormat format,
83 MtpObjectHandle parent) {
84 ALOGD("MockDatabase %s: storage_id=%u oformat=0x%04x ohandle=%u\n", __func__, storageID, format,
85 parent);
86 return nullptr;
87 }
88
getNumObjects(MtpStorageID storageID,MtpObjectFormat format,MtpObjectHandle parent)89 int MtpMockDatabase::getNumObjects(MtpStorageID storageID, MtpObjectFormat format,
90 MtpObjectHandle parent) {
91 ALOGD("MockDatabase %s: storage_id=%u oformat=0x%04x ohandle=%u\n", __func__, storageID, format,
92 parent);
93 // TODO: return MTP_RESPONSE_OK when it stops segfaulting
94 return 0;
95 }
96
97 // callee should delete[] the results from these
98 // results can be NULL
getSupportedPlaybackFormats()99 MtpObjectFormatList* MtpMockDatabase::getSupportedPlaybackFormats() {
100 ALOGD("MockDatabase %s\n", __func__);
101 return nullptr;
102 }
getSupportedCaptureFormats()103 MtpObjectFormatList* MtpMockDatabase::getSupportedCaptureFormats() {
104 ALOGD("MockDatabase %s\n", __func__);
105 return nullptr;
106 }
getSupportedObjectProperties(MtpObjectFormat format)107 MtpObjectPropertyList* MtpMockDatabase::getSupportedObjectProperties(MtpObjectFormat format) {
108 ALOGD("MockDatabase %s: oformat=0x%04x\n", __func__, format);
109 return nullptr;
110 }
getSupportedDeviceProperties()111 MtpDevicePropertyList* MtpMockDatabase::getSupportedDeviceProperties() {
112 ALOGD("MockDatabase %s\n", __func__);
113 return nullptr;
114 }
115
getObjectPropertyValue(MtpObjectHandle handle,MtpObjectProperty property,MtpDataPacket & packet)116 MtpResponseCode MtpMockDatabase::getObjectPropertyValue(MtpObjectHandle handle,
117 MtpObjectProperty property,
118 MtpDataPacket& packet) {
119 ALOGD("MockDatabase %s: ohandle=%u property=%s\n", __func__, handle,
120 MtpDebug::getObjectPropCodeName(property));
121 return MTP_RESPONSE_OK;
122 }
123
setObjectPropertyValue(MtpObjectHandle handle,MtpObjectProperty property,MtpDataPacket & packet)124 MtpResponseCode MtpMockDatabase::setObjectPropertyValue(MtpObjectHandle handle,
125 MtpObjectProperty property,
126 MtpDataPacket& packet) {
127 ALOGD("MockDatabase %s: ohandle=%u property=%s\n", __func__, handle,
128 MtpDebug::getObjectPropCodeName(property));
129 return MTP_RESPONSE_OK;
130 }
131
getDevicePropertyValue(MtpDeviceProperty property,MtpDataPacket & packet)132 MtpResponseCode MtpMockDatabase::getDevicePropertyValue(MtpDeviceProperty property,
133 MtpDataPacket& packet) {
134 ALOGD("MockDatabase %s: property=%s\n", __func__, MtpDebug::getDevicePropCodeName(property));
135 return MTP_RESPONSE_OK;
136 }
137
setDevicePropertyValue(MtpDeviceProperty property,MtpDataPacket & packet)138 MtpResponseCode MtpMockDatabase::setDevicePropertyValue(MtpDeviceProperty property,
139 MtpDataPacket& packet) {
140 ALOGD("MockDatabase %s: property=%s\n", __func__, MtpDebug::getDevicePropCodeName(property));
141 return MTP_RESPONSE_OK;
142 }
143
resetDeviceProperty(MtpDeviceProperty property)144 MtpResponseCode MtpMockDatabase::resetDeviceProperty(MtpDeviceProperty property) {
145 ALOGD("MockDatabase %s: property=%s\n", __func__, MtpDebug::getDevicePropCodeName(property));
146 return MTP_RESPONSE_OK;
147 }
148
getObjectPropertyList(MtpObjectHandle handle,uint32_t format,uint32_t property,int groupCode,int depth,MtpDataPacket & packet)149 MtpResponseCode MtpMockDatabase::getObjectPropertyList(MtpObjectHandle handle, uint32_t format,
150 uint32_t property, int groupCode, int depth,
151 MtpDataPacket& packet) {
152 ALOGD("MockDatabase %s: ohandle=%u format=%s property=%s groupCode=%d "
153 "depth=%d\n",
154 __func__, handle, MtpDebug::getFormatCodeName(format),
155 MtpDebug::getObjectPropCodeName(property), groupCode, depth);
156 return MTP_RESPONSE_OK;
157 }
158
getObjectInfo(MtpObjectHandle handle,MtpObjectInfo & info)159 MtpResponseCode MtpMockDatabase::getObjectInfo(MtpObjectHandle handle, MtpObjectInfo& info) {
160 ALOGD("MockDatabase %s: ohandle=%u\n", __func__, handle);
161
162 // used for the root
163 if (handle == kInvalidObjectHandle) {
164 return MTP_RESPONSE_INVALID_OBJECT_HANDLE;
165 } else {
166 if (mObjects.size() == 0) {
167 return MTP_RESPONSE_INVALID_OBJECT_HANDLE;
168 }
169
170 // this is used to let the fuzzer make progress, otherwise
171 // it has to brute-force a 32-bit handle
172 MtpObjectHandle reducedHandle = handle % mObjects.size();
173 MtpObjectInfo* obj = mObjects[reducedHandle];
174
175 // make a copy, but make sure to maintain ownership of string pointers
176 info = *obj;
177
178 // fixup the response handle
179 info.mHandle = handle;
180
181 if (obj->mName) info.mName = strdup(obj->mName);
182 if (obj->mKeywords) info.mKeywords = strdup(obj->mKeywords);
183
184 return MTP_RESPONSE_OK;
185 }
186 }
187
getThumbnail(MtpObjectHandle handle,size_t & outThumbSize)188 void* MtpMockDatabase::getThumbnail(MtpObjectHandle handle, size_t& outThumbSize) {
189 ALOGD("MockDatabase %s: ohandle=%u\n", __func__, handle);
190
191 size_t allocSize = handle % 0x1000;
192 void* data = calloc(allocSize, sizeof(uint8_t));
193 if (!data) {
194 return nullptr;
195 } else {
196 ALOGD("MockDatabase %s\n", __func__);
197 outThumbSize = allocSize;
198 return data;
199 }
200 }
201
getObjectFilePath(MtpObjectHandle handle,MtpStringBuffer & outFilePath,int64_t & outFileLength,MtpObjectFormat & outFormat)202 MtpResponseCode MtpMockDatabase::getObjectFilePath(MtpObjectHandle handle,
203 MtpStringBuffer& outFilePath,
204 int64_t& outFileLength,
205 MtpObjectFormat& outFormat) {
206 ALOGD("MockDatabase %s: ohandle=%u\n", __func__, handle);
207
208 if (mObjects.size() == 0) {
209 return MTP_RESPONSE_INVALID_OBJECT_HANDLE;
210 }
211
212 // this is used to let the fuzzer make progress, otherwise
213 // it has to brute-force a 32-bit handle
214 MtpObjectHandle reducedHandle = handle % mObjects.size();
215 MtpObjectInfo* obj = mObjects[reducedHandle];
216 MtpStorage* storage = mStorage[obj->mStorageID];
217
218 // walk up the tree to build a full path of the object
219 MtpObjectHandle currentHandle = reducedHandle;
220 std::string path = "";
221
222 while (currentHandle != MTP_PARENT_ROOT) {
223 MtpObjectInfo* next = mObjects[currentHandle];
224
225 // prepend the name
226 if (path == "")
227 path = std::string(next->mName);
228 else
229 path = std::string(next->mName) + "/" + path;
230
231 currentHandle = next->mParent;
232 }
233
234 outFilePath.set(storage->getPath());
235 outFilePath.append("/");
236 outFilePath.append(path.c_str());
237
238 outFormat = obj->mFormat;
239
240 ALOGD("MockDatabase %s: get file %s\n", __func__, (const char*)outFilePath);
241
242 struct stat sstat;
243 // this should not happen unless our database view of the filesystem is out of
244 // sync
245 if (stat((const char*)outFilePath, &sstat) < 0) {
246 ALOGE("MockDatabase %s: unable to stat %s\n", __func__, (const char*)outFilePath);
247
248 return MTP_RESPONSE_INVALID_OBJECT_HANDLE;
249 }
250
251 outFileLength = sstat.st_size;
252
253 return MTP_RESPONSE_OK;
254 }
255
openFilePath(const char * path,bool transcode)256 int MtpMockDatabase::openFilePath(const char* path, bool transcode) {
257 ALOGD("MockDatabase %s: filePath=%s transcode=%d\n", __func__, path, transcode);
258 return 0;
259 }
260
beginDeleteObject(MtpObjectHandle handle)261 MtpResponseCode MtpMockDatabase::beginDeleteObject(MtpObjectHandle handle) {
262 ALOGD("MockDatabase %s: ohandle=%u\n", __func__, handle);
263 return MTP_RESPONSE_OK;
264 }
endDeleteObject(MtpObjectHandle handle,bool succeeded)265 void MtpMockDatabase::endDeleteObject(MtpObjectHandle handle, bool succeeded) {
266 ALOGD("MockDatabase %s: ohandle=%u succeeded=%d\n", __func__, handle, succeeded);
267 return;
268 }
269
getObjectReferences(MtpObjectHandle handle)270 MtpObjectHandleList* MtpMockDatabase::getObjectReferences(MtpObjectHandle handle) {
271 ALOGD("MockDatabase %s: ohandle=%u\n", __func__, handle);
272 return nullptr;
273 }
274
setObjectReferences(MtpObjectHandle handle,MtpObjectHandleList * references)275 MtpResponseCode MtpMockDatabase::setObjectReferences(MtpObjectHandle handle,
276 MtpObjectHandleList* references) {
277 ALOGD("MockDatabase %s: ohandle=%u\n", __func__, handle);
278 return MTP_RESPONSE_OK;
279 }
280
getObjectPropertyDesc(MtpObjectProperty property,MtpObjectFormat format)281 MtpProperty* MtpMockDatabase::getObjectPropertyDesc(MtpObjectProperty property,
282 MtpObjectFormat format) {
283 ALOGD("MockDatabase %s: property=%s format=%s\n", __func__,
284 MtpDebug::getObjectPropCodeName(property), MtpDebug::getFormatCodeName(format));
285
286 return nullptr;
287 }
288
getDevicePropertyDesc(MtpDeviceProperty property)289 MtpProperty* MtpMockDatabase::getDevicePropertyDesc(MtpDeviceProperty property) {
290 ALOGD("MockDatabase %s: property=%s\n", __func__, MtpDebug::getDevicePropCodeName(property));
291 return nullptr;
292 }
293
beginMoveObject(MtpObjectHandle handle,MtpObjectHandle newParent,MtpStorageID newStorage)294 MtpResponseCode MtpMockDatabase::beginMoveObject(MtpObjectHandle handle, MtpObjectHandle newParent,
295 MtpStorageID newStorage) {
296 ALOGD("MockDatabase %s: ohandle=%u newParent=%u newStorage=%u\n", __func__, handle, newParent,
297 newStorage);
298 return MTP_RESPONSE_OK;
299 }
300
endMoveObject(MtpObjectHandle oldParent,MtpObjectHandle newParent,MtpStorageID oldStorage,MtpStorageID newStorage,MtpObjectHandle handle,bool succeeded)301 void MtpMockDatabase::endMoveObject(MtpObjectHandle oldParent, MtpObjectHandle newParent,
302 MtpStorageID oldStorage, MtpStorageID newStorage,
303 MtpObjectHandle handle, bool succeeded) {
304 ALOGD("MockDatabase %s: oldParent=%u newParent=%u oldStorage=%u newStorage=%u "
305 "ohandle=%u succeeded=%d\n",
306 __func__, oldParent, newParent, oldStorage, newStorage, handle, succeeded);
307 return;
308 }
309
beginCopyObject(MtpObjectHandle handle,MtpObjectHandle newParent,MtpStorageID newStorage)310 MtpResponseCode MtpMockDatabase::beginCopyObject(MtpObjectHandle handle, MtpObjectHandle newParent,
311 MtpStorageID newStorage) {
312 ALOGD("MockDatabase %s: ohandle=%u newParent=%u newStorage=%u\n", __func__, handle, newParent,
313 newStorage);
314 return MTP_RESPONSE_OK;
315 }
316
endCopyObject(MtpObjectHandle handle,bool succeeded)317 void MtpMockDatabase::endCopyObject(MtpObjectHandle handle, bool succeeded) {
318 ALOGD("MockDatabase %s: ohandle=%u succeeded=%d\n", __func__, handle, succeeded);
319 }
320
321 }; // namespace android
322