From dad116f1b3f23fe10a092763616df5f30067dafb Mon Sep 17 00:00:00 2001
From: "yaoruozi1@huawei.com" <yaoruozi1@huawei.com>
Date: Fri, 11 Jul 2025 20:22:48 +0800
Subject: [PATCH] modify fuzz

Signed-off-by: yaoruozi1@huawei.com <yaoruozi1@huawei.com>
---
 test/fuzztest/BUILD.gn                        |  23 ++-
 .../backupext_fuzzer/backupext_fuzzer.cpp     |  26 ---
 .../backupext_idlstub_fuzzer/BUILD.gn         |  87 +++++++++
 .../backupext_idlstub_fuzzer.cpp              |  65 +++++++
 .../backupext_idlstub_fuzzer.h                |  21 +++
 .../corpus/init                               |   2 +-
 .../backupext_idlstub_fuzzer/project.xml      |  25 +++
 .../BUILD.gn                                  |  66 +++++++
 .../backupsa_app_incrementaldone_fuzzer.cpp   |  71 ++++++++
 .../backupsa_app_incrementaldone_fuzzer.h     |  21 +++
 .../corpus/init                               |   2 +-
 .../project.xml                               |   2 +-
 .../BUILD.gn                                  |  66 +++++++
 ...ckupsa_app_incrementalfileready_fuzzer.cpp |  78 ++++++++
 ...backupsa_app_incrementalfileready_fuzzer.h |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |   2 +-
 .../fuzztest/backupsa_appdone_fuzzer/BUILD.gn |  64 +++++++
 .../backupsa_appdone_fuzzer.cpp               |  69 +++++++
 .../backupsa_appdone_fuzzer.h}                |   8 +-
 .../backupsa_appdone_fuzzer/corpus/init       |  16 ++
 .../backupsa_appdone_fuzzer/project.xml       |  25 +++
 .../BUILD.gn                                  |  66 +++++++
 ...psa_appendbundles_backupsession_fuzzer.cpp |  83 +++++++++
 ...kupsa_appendbundles_backupsession_fuzzer.h |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |  66 +++++++
 ...appendbundles_increbacksession_fuzzer.cpp} |  46 +++--
 ...sa_appendbundles_increbacksession_fuzzer.h |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |  64 +++++++
 ...a_appendbundles_restoresession_fuzzer.cpp} | 168 +-----------------
 ...upsa_appendbundles_restoresession_fuzzer.h |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../backupsa_appfileready_fuzzer/BUILD.gn     |  64 +++++++
 .../backupsa_appfileready_fuzzer.cpp          |  75 ++++++++
 .../backupsa_appfileready_fuzzer.h            |  21 +++
 .../backupsa_appfileready_fuzzer/corpus/init  |  16 ++
 .../backupsa_appfileready_fuzzer/project.xml  |  25 +++
 test/fuzztest/backupsa_finish_fuzzer/BUILD.gn |  64 +++++++
 .../backupsa_finish_fuzzer.cpp                |  66 +++++++
 .../backupsa_finish_fuzzer.h                  |  21 +++
 .../backupsa_finish_fuzzer/corpus/init        |  16 ++
 .../backupsa_finish_fuzzer/project.xml        |  25 +++
 .../backupsa_getfile_handle_fuzzer/BUILD.gn   |  66 +++++++
 .../backupsa_getfile_handle_fuzzer.cpp        |  77 ++++++++
 .../backupsa_getfile_handle_fuzzer.h          |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |  66 +++++++
 ...etincremental_localcapabilities_fuzzer.cpp | 115 ++++++++++++
 ..._getincremental_localcapabilities_fuzzer.h |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |  66 +++++++
 ...kupsa_getincrementalfile_handle_fuzzer.cpp |  78 ++++++++
 ...ackupsa_getincrementalfile_handle_fuzzer.h |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |  64 +++++++
 .../backupsa_getlocalcapabilities_fuzzer.cpp  |  67 +++++++
 .../backupsa_getlocalcapabilities_fuzzer.h    |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |  64 +++++++
 .../backupsa_init_backupsession_fuzzer.cpp    |  67 +++++++
 .../backupsa_init_backupsession_fuzzer.h      |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |  66 +++++++
 ...sa_init_incrementalbackupession_fuzzer.cpp |  68 +++++++
 ...upsa_init_incrementalbackupession_fuzzer.h |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |  64 +++++++
 .../backupsa_init_restoresession_fuzzer.cpp   |  67 +++++++
 .../backupsa_init_restoresession_fuzzer.h     |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../backupsa_publish_file_fuzzer/BUILD.gn     |  64 +++++++
 .../backupsa_publish_file_fuzzer.cpp          |  77 ++++++++
 .../backupsa_publish_file_fuzzer.h            |  21 +++
 .../backupsa_publish_file_fuzzer/corpus/init  |  16 ++
 .../backupsa_publish_file_fuzzer/project.xml  |  25 +++
 .../BUILD.gn                                  |  66 +++++++
 ...ackupsa_publish_incrementalfile_fuzzer.cpp |  79 ++++++++
 .../backupsa_publish_incrementalfile_fuzzer.h |  21 +++
 .../corpus/init                               |  16 ++
 .../project.xml                               |  25 +++
 .../BUILD.gn                                  |   8 +-
 .../backupsa_release_fuzzer.cpp               |  68 +++++++
 .../backupsa_release_fuzzer.h}                |   8 +-
 .../backupsa_release_fuzzer/corpus/init       |  16 ++
 .../backupsa_release_fuzzer/project.xml       |  25 +++
 .../BUILD.gn                                  |  10 +-
 .../backupsa_start_fuzzer.cpp                 |  67 +++++++
 .../backupsa_start_fuzzer.h                   |  21 +++
 .../backupsa_start_fuzzer/corpus/init         |  16 ++
 .../backupsa_start_fuzzer/project.xml         |  25 +++
 .../servicereverse_fuzzer.cpp                 |   9 +-
 103 files changed, 3736 insertions(+), 224 deletions(-)
 create mode 100644 test/fuzztest/backupext_idlstub_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupext_idlstub_fuzzer/backupext_idlstub_fuzzer.cpp
 create mode 100644 test/fuzztest/backupext_idlstub_fuzzer/backupext_idlstub_fuzzer.h
 rename test/fuzztest/{backupsaappend_fuzzer => backupext_idlstub_fuzzer}/corpus/init (92%)
 create mode 100644 test/fuzztest/backupext_idlstub_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_app_incrementaldone_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_app_incrementaldone_fuzzer/backupsa_app_incrementaldone_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_app_incrementaldone_fuzzer/backupsa_app_incrementaldone_fuzzer.h
 rename test/fuzztest/{backupsaanother_fuzzer => backupsa_app_incrementaldone_fuzzer}/corpus/init (92%)
 rename test/fuzztest/{backupsaanother_fuzzer => backupsa_app_incrementaldone_fuzzer}/project.xml (95%)
 create mode 100644 test/fuzztest/backupsa_app_incrementalfileready_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_app_incrementalfileready_fuzzer/backupsa_app_incrementalfileready_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_app_incrementalfileready_fuzzer/backupsa_app_incrementalfileready_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_app_incrementalfileready_fuzzer/corpus/init
 rename test/fuzztest/{backupsaappend_fuzzer => backupsa_app_incrementalfileready_fuzzer}/project.xml (95%)
 create mode 100644 test/fuzztest/backupsa_appdone_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_appdone_fuzzer/backupsa_appdone_fuzzer.cpp
 rename test/fuzztest/{backupsaappend_fuzzer/backupsaappend_fuzzer.h => backupsa_appdone_fuzzer/backupsa_appdone_fuzzer.h} (77%)
 create mode 100644 test/fuzztest/backupsa_appdone_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_appdone_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/backupsa_appendbundles_backupsession_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/backupsa_appendbundles_backupsession_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/BUILD.gn
 rename test/fuzztest/{backupsaanother_fuzzer/backupsaanother_fuzzer.cpp => backupsa_appendbundles_increbacksession_fuzzer/backupsa_appendbundles_increbacksession_fuzzer.cpp} (87%)
 create mode 100644 test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/backupsa_appendbundles_increbacksession_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/BUILD.gn
 rename test/fuzztest/{backupsaappend_fuzzer/backupsaappend_fuzzer.cpp => backupsa_appendbundles_restoresession_fuzzer/backupsa_appendbundles_restoresession_fuzzer.cpp} (33%)
 create mode 100644 test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/backupsa_appendbundles_restoresession_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_appfileready_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_appfileready_fuzzer/backupsa_appfileready_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_appfileready_fuzzer/backupsa_appfileready_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_appfileready_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_appfileready_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_finish_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_finish_fuzzer/backupsa_finish_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_finish_fuzzer/backupsa_finish_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_finish_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_finish_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_getfile_handle_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_getfile_handle_fuzzer/backupsa_getfile_handle_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_getfile_handle_fuzzer/backupsa_getfile_handle_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_getfile_handle_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_getfile_handle_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/backupsa_getincremental_localcapabilities_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/backupsa_getincremental_localcapabilities_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/backupsa_getincrementalfile_handle_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/backupsa_getincrementalfile_handle_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_getlocalcapabilities_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_getlocalcapabilities_fuzzer/backupsa_getlocalcapabilities_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_getlocalcapabilities_fuzzer/backupsa_getlocalcapabilities_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_getlocalcapabilities_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_getlocalcapabilities_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_init_backupsession_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_init_backupsession_fuzzer/backupsa_init_backupsession_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_init_backupsession_fuzzer/backupsa_init_backupsession_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_init_backupsession_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_init_backupsession_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/backupsa_init_incrementalbackupession_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/backupsa_init_incrementalbackupession_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_init_restoresession_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_init_restoresession_fuzzer/backupsa_init_restoresession_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_init_restoresession_fuzzer/backupsa_init_restoresession_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_init_restoresession_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_init_restoresession_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_publish_file_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_publish_file_fuzzer/backupsa_publish_file_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_publish_file_fuzzer/backupsa_publish_file_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_publish_file_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_publish_file_fuzzer/project.xml
 create mode 100644 test/fuzztest/backupsa_publish_incrementalfile_fuzzer/BUILD.gn
 create mode 100644 test/fuzztest/backupsa_publish_incrementalfile_fuzzer/backupsa_publish_incrementalfile_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_publish_incrementalfile_fuzzer/backupsa_publish_incrementalfile_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_publish_incrementalfile_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_publish_incrementalfile_fuzzer/project.xml
 rename test/fuzztest/{backupsaanother_fuzzer => backupsa_release_fuzzer}/BUILD.gn (91%)
 create mode 100644 test/fuzztest/backupsa_release_fuzzer/backupsa_release_fuzzer.cpp
 rename test/fuzztest/{backupsaanother_fuzzer/backupsaanother_fuzzer.h => backupsa_release_fuzzer/backupsa_release_fuzzer.h} (77%)
 create mode 100644 test/fuzztest/backupsa_release_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_release_fuzzer/project.xml
 rename test/fuzztest/{backupsaappend_fuzzer => backupsa_start_fuzzer}/BUILD.gn (90%)
 create mode 100644 test/fuzztest/backupsa_start_fuzzer/backupsa_start_fuzzer.cpp
 create mode 100644 test/fuzztest/backupsa_start_fuzzer/backupsa_start_fuzzer.h
 create mode 100644 test/fuzztest/backupsa_start_fuzzer/corpus/init
 create mode 100644 test/fuzztest/backupsa_start_fuzzer/project.xml

diff --git a/test/fuzztest/BUILD.gn b/test/fuzztest/BUILD.gn
index 1c4a33aca..3905d97c5 100644
--- a/test/fuzztest/BUILD.gn
+++ b/test/fuzztest/BUILD.gn
@@ -17,9 +17,28 @@ group("fuzztest") {
   deps = [
     # deps file
     "backupext_fuzzer:BackupExtFuzzTest",
+    "backupext_idlstub_fuzzer:BackupExtIdlStubFuzzTest",
     "backupsa_fuzzer:BackupSaFuzzTest",
-    "backupsaanother_fuzzer:BackupSaAnotherFuzzTest",
-    "backupsaappend_fuzzer:BackupSaAppendFuzzTest",
+    "backupsa_app_incrementaldone_fuzzer:BackupSaAppIncrementalDoneFuzzTest",
+    "backupsa_app_incrementalfileready_fuzzer:BackupSaAppIncrementalFileReadyFuzzTest",
+    "backupsa_appdone_fuzzer:BackupSaAppDoneFuzzTest",
+    "backupsa_appendbundles_backupsession_fuzzer:BackupSaAppendBundlesBackupSessionFuzzTest",
+    "backupsa_appendbundles_increbacksession_fuzzer:BackupSaAppendBundlesIncreBackupSessionFuzzTest",
+    "backupsa_appendbundles_restoresession_fuzzer:BackupSaAppendBundlesRestoreSessionFuzzTest",
+    "backupsa_appfileready_fuzzer:BackupSaAppFileReadyFuzzTest",
+    "backupsa_finish_fuzzer:BackupSaFinishFuzzTest",
+    "backupsa_fuzzer:BackupSaFuzzTest",
+    "backupsa_getfile_handle_fuzzer:BackupSaGetFileHandleFuzzTest",
+    "backupsa_getincremental_localcapabilities_fuzzer:BackupSaGetIncrementalLocalCapabilitiesFuzzTest",
+    "backupsa_getincrementalfile_handle_fuzzer:BackupSaGetIncrementalFileHandleFuzzTest",
+    "backupsa_getlocalcapabilities_fuzzer:BackupSaGetLocalCapabilitiesFuzzTest",
+    "backupsa_init_backupsession_fuzzer:BackupSaInitBackupSessionFuzzTest",
+    "backupsa_init_incrementalbackupession_fuzzer:BackupSaInitIncreBackupSessionFuzzTest",
+    "backupsa_init_restoresession_fuzzer:BackupSaInitRestoreSessionFuzzTest",
+    "backupsa_publish_file_fuzzer:BackupSaPublishFileFuzzTest",
+    "backupsa_publish_incrementalfile_fuzzer:BackupSaPublishIncrementalFileFuzzTest",
+    "backupsa_release_fuzzer:BackupSaReleaseFuzzTest",
+    "backupsa_start_fuzzer:BackupSaStartFuzzTest",
     "backupservicestub_fuzzer:BackupServiceStubFuzzTest",
     "fileshare_fuzzer:FileShareFuzzTest",
     "remotefileshare_fuzzer:RemoteFileShareFuzzTest",
diff --git a/test/fuzztest/backupext_fuzzer/backupext_fuzzer.cpp b/test/fuzztest/backupext_fuzzer/backupext_fuzzer.cpp
index a100e64fa..ea0fe7d08 100644
--- a/test/fuzztest/backupext_fuzzer/backupext_fuzzer.cpp
+++ b/test/fuzztest/backupext_fuzzer/backupext_fuzzer.cpp
@@ -313,31 +313,6 @@ bool CmdGetIncrementalBackupFileHandleFuzzTest(OHOS::sptr<BackupExtExtension> ex
     extension->OnRemoteRequest(code, msg, reply, option);
     return true;
 }
-
-bool OnRemoteRequestFuzzTest(OHOS::sptr<BackupExtExtension> extension,  const uint8_t *data, size_t size)
-{
-    uint32_t codeMax = 17;
-    for (uint32_t code = 1; code < codeMax; code++) {
-        MessageParcel datas;
-        MessageParcel reply;
-        MessageOption option;
-
-        datas.WriteInterfaceToken(ExtensionStub::GetDescriptor());
-        datas.WriteBuffer(reinterpret_cast<const char*>(data), size);
-        datas.RewindRead(0);
-        if (extension == nullptr) {
-            return false;
-        }
-        try {
-            extension->OnRemoteRequest(code, datas, reply, option);
-        } catch (OHOS::FileManagement::Backup::BError &err) {
-            // filter Backup error
-        } catch (...) {
-            // filter other error
-        }
-    }
-    return true;
-}
 } // namespace OHOS
 
 /* Fuzzer entry point */
@@ -373,7 +348,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
         OHOS::CmdHandleIncrementalBackupFuzzTest(extension, data, size);
         OHOS::CmdIncrementalOnBackupFuzzTest(extension, data, size);
         OHOS::CmdGetIncrementalBackupFileHandleFuzzTest(extension, data, size);
-        OHOS::OnRemoteRequestFuzzTest(extension, data, size);
     } catch (OHOS::FileManagement::Backup::BError &err) {
         // Only filter BError errors, Other results are not expected.
     }
diff --git a/test/fuzztest/backupext_idlstub_fuzzer/BUILD.gn b/test/fuzztest/backupext_idlstub_fuzzer/BUILD.gn
new file mode 100644
index 000000000..e43511f6d
--- /dev/null
+++ b/test/fuzztest/backupext_idlstub_fuzzer/BUILD.gn
@@ -0,0 +1,87 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupExtIdlStubFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file = "${app_file_service_path}/test/fuzztest/backupext_idlstub_fuzzer"
+  include_dirs = [
+    "${path_backup}/frameworks/native/backup_ext/include",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${path_backup}/utils/include",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [
+    "${path_backup}/frameworks/native/backup_ext/src/ext_backup.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/ext_backup_ani.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/ext_backup_context.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/ext_backup_context_js.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/ext_backup_js.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/ext_backup_loader.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/ext_extension.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/installd_un_tar_file.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/sub_ext_extension.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/tar_file.cpp",
+    "${path_backup}/frameworks/native/backup_ext/src/untar_file.cpp",
+    "backupext_idlstub_fuzzer.cpp",
+  ]
+
+  deps = [
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  external_deps = [
+    "ability_base:want",
+    "ability_runtime:ability_context_native",
+    "ability_runtime:abilitykit_native",
+    "ability_runtime:ani_common",
+    "ability_runtime:app_context",
+    "ability_runtime:appkit_native",
+    "ability_runtime:runtime",
+    "access_token:libaccesstoken_sdk",
+    "bundle_framework:appexecfwk_core",
+    "c_utils:utils",
+    "hilog:libhilog",
+    "hitrace:hitrace_meter",
+    "ipc:ipc_core",
+    "ipc:ipc_napi",
+    "jsoncpp:jsoncpp",
+    "napi:ace_napi",
+    "runtime_core:ani",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private = public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupext_idlstub_fuzzer/backupext_idlstub_fuzzer.cpp b/test/fuzztest/backupext_idlstub_fuzzer/backupext_idlstub_fuzzer.cpp
new file mode 100644
index 000000000..c94ee5dd8
--- /dev/null
+++ b/test/fuzztest/backupext_idlstub_fuzzer/backupext_idlstub_fuzzer.cpp
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "backupext_idlstub_fuzzer.h"
+#include <cstring>
+
+#include "ext_backup.h"
+#include "ext_extension.h"
+#include "message_parcel.h"
+
+namespace OHOS {
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+bool OnRemoteRequestFuzzTest(OHOS::sptr<BackupExtExtension> extension,  const uint8_t *data, size_t size)
+{
+    uint32_t codeMax = 17;
+    for (uint32_t code = 1; code < codeMax; code++) {
+        MessageParcel datas;
+        MessageParcel reply;
+        MessageOption option;
+
+        datas.WriteInterfaceToken(ExtensionStub::GetDescriptor());
+        datas.WriteBuffer(reinterpret_cast<const char*>(data), size);
+        datas.RewindRead(0);
+        if (extension == nullptr) {
+            return false;
+        }
+        try {
+            extension->OnRemoteRequest(code, datas, reply, option);
+        } catch (OHOS::FileManagement::Backup::BError &err) {
+            // filter Backup error
+        } catch (...) {
+            // filter other error
+        }
+    }
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    auto extBackup = std::make_shared<OHOS::FileManagement::Backup::ExtBackup>();
+    auto extension = OHOS::sptr<OHOS::FileManagement::Backup::BackupExtExtension>(
+        new OHOS::FileManagement::Backup::BackupExtExtension(extBackup, ""));
+    try {
+        OHOS::OnRemoteRequestFuzzTest(extension, data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // Only filter BError errors, Other results are not expected.
+    }
+    return 0;
+}
diff --git a/test/fuzztest/backupext_idlstub_fuzzer/backupext_idlstub_fuzzer.h b/test/fuzztest/backupext_idlstub_fuzzer/backupext_idlstub_fuzzer.h
new file mode 100644
index 000000000..cf70eb8c6
--- /dev/null
+++ b/test/fuzztest/backupext_idlstub_fuzzer/backupext_idlstub_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPEXTIDLSTUB_FUZZER_H
+#define BACKUPEXTIDLSTUB_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupext_idlstub_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsaappend_fuzzer/corpus/init b/test/fuzztest/backupext_idlstub_fuzzer/corpus/init
similarity index 92%
rename from test/fuzztest/backupsaappend_fuzzer/corpus/init
rename to test/fuzztest/backupext_idlstub_fuzzer/corpus/init
index 6198079a2..7ade8a0fa 100644
--- a/test/fuzztest/backupsaappend_fuzzer/corpus/init
+++ b/test/fuzztest/backupext_idlstub_fuzzer/corpus/init
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
diff --git a/test/fuzztest/backupext_idlstub_fuzzer/project.xml b/test/fuzztest/backupext_idlstub_fuzzer/project.xml
new file mode 100644
index 000000000..8cd958170
--- /dev/null
+++ b/test/fuzztest/backupext_idlstub_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_app_incrementaldone_fuzzer/BUILD.gn b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/BUILD.gn
new file mode 100644
index 000000000..702c4ec89
--- /dev/null
+++ b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaAppIncrementalDoneFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_app_incrementaldone_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_app_incrementaldone_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_app_incrementaldone_fuzzer/backupsa_app_incrementaldone_fuzzer.cpp b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/backupsa_app_incrementaldone_fuzzer.cpp
new file mode 100644
index 000000000..04e3bc869
--- /dev/null
+++ b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/backupsa_app_incrementaldone_fuzzer.cpp
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_app_incrementaldone_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdAppIncrementalDoneFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    if (size >= sizeof(int32_t)) {
+        datas.WriteInt32(*(reinterpret_cast<const int32_t *>(data)));
+    }
+
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_APP_INCREMENTAL_DONE),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdAppIncrementalDoneFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_app_incrementaldone_fuzzer/backupsa_app_incrementaldone_fuzzer.h b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/backupsa_app_incrementaldone_fuzzer.h
new file mode 100644
index 000000000..155769148
--- /dev/null
+++ b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/backupsa_app_incrementaldone_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAAPPINCREMENTADONE_FUZZER_H
+#define BACKUPSAAPPINCREMENTADONE_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_app_incrementaldone_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsaanother_fuzzer/corpus/init b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/corpus/init
similarity index 92%
rename from test/fuzztest/backupsaanother_fuzzer/corpus/init
rename to test/fuzztest/backupsa_app_incrementaldone_fuzzer/corpus/init
index 6198079a2..7ade8a0fa 100644
--- a/test/fuzztest/backupsaanother_fuzzer/corpus/init
+++ b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/corpus/init
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
diff --git a/test/fuzztest/backupsaanother_fuzzer/project.xml b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/project.xml
similarity index 95%
rename from test/fuzztest/backupsaanother_fuzzer/project.xml
rename to test/fuzztest/backupsa_app_incrementaldone_fuzzer/project.xml
index 7133b2b92..66e1dcac4 100644
--- a/test/fuzztest/backupsaanother_fuzzer/project.xml
+++ b/test/fuzztest/backupsa_app_incrementaldone_fuzzer/project.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (c) 2024 Huawei Device Co., Ltd.
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
 
      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
diff --git a/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/BUILD.gn b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/BUILD.gn
new file mode 100644
index 000000000..8a5e4b3b7
--- /dev/null
+++ b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaAppIncrementalFileReadyFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_app_incrementalfileready_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_app_incrementalfileready_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/backupsa_app_incrementalfileready_fuzzer.cpp b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/backupsa_app_incrementalfileready_fuzzer.cpp
new file mode 100644
index 000000000..7cadd558e
--- /dev/null
+++ b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/backupsa_app_incrementalfileready_fuzzer.cpp
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_app_incrementalfileready_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdAppIncrementalFileReadyFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    std::string fileName(reinterpret_cast<const char *>(data), size);
+    datas.WriteString(fileName);
+    if (size >= sizeof(int)) {
+        int fd = *(reinterpret_cast<const int *>(data));
+        datas.WriteFileDescriptor(UniqueFd(fd));
+    }
+
+    if (size >= sizeof(int) + sizeof(int))  {
+        int manifestId = *(reinterpret_cast<const int *>(data + sizeof(int)));
+        datas.WriteFileDescriptor(UniqueFd(manifestId));
+    }
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_APP_INCREMENTAL_FILE_READY);
+    service->OnRemoteRequest(code, datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdAppIncrementalFileReadyFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/backupsa_app_incrementalfileready_fuzzer.h b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/backupsa_app_incrementalfileready_fuzzer.h
new file mode 100644
index 000000000..f5bcc48a4
--- /dev/null
+++ b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/backupsa_app_incrementalfileready_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAAPPINCREMENTALFILEREADY_FUZZER_H
+#define BACKUPSAAPPINCREMENTALFILEREADY_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_app_incrementalfileready_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/corpus/init b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsaappend_fuzzer/project.xml b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/project.xml
similarity index 95%
rename from test/fuzztest/backupsaappend_fuzzer/project.xml
rename to test/fuzztest/backupsa_app_incrementalfileready_fuzzer/project.xml
index 7133b2b92..66e1dcac4 100644
--- a/test/fuzztest/backupsaappend_fuzzer/project.xml
+++ b/test/fuzztest/backupsa_app_incrementalfileready_fuzzer/project.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright (c) 2024 Huawei Device Co., Ltd.
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
 
      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
diff --git a/test/fuzztest/backupsa_appdone_fuzzer/BUILD.gn b/test/fuzztest/backupsa_appdone_fuzzer/BUILD.gn
new file mode 100644
index 000000000..8648d1a2a
--- /dev/null
+++ b/test/fuzztest/backupsa_appdone_fuzzer/BUILD.gn
@@ -0,0 +1,64 @@
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaAppDoneFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_appdone_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_appdone_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/utils:backup_utils",
+  ]
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private=public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_appdone_fuzzer/backupsa_appdone_fuzzer.cpp b/test/fuzztest/backupsa_appdone_fuzzer/backupsa_appdone_fuzzer.cpp
new file mode 100644
index 000000000..64d484f53
--- /dev/null
+++ b/test/fuzztest/backupsa_appdone_fuzzer/backupsa_appdone_fuzzer.cpp
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_appdone_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <vector>
+
+#include "message_parcel.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdAppDoneFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    if (size >= sizeof(bool)) {
+        datas.WriteBool(*(reinterpret_cast<const bool *>(data)));
+    }
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_APP_DONE),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    try {
+        OHOS::CmdAppDoneFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsaappend_fuzzer/backupsaappend_fuzzer.h b/test/fuzztest/backupsa_appdone_fuzzer/backupsa_appdone_fuzzer.h
similarity index 77%
rename from test/fuzztest/backupsaappend_fuzzer/backupsaappend_fuzzer.h
rename to test/fuzztest/backupsa_appdone_fuzzer/backupsa_appdone_fuzzer.h
index 8ddfc2126..49c088321 100644
--- a/test/fuzztest/backupsaappend_fuzzer/backupsaappend_fuzzer.h
+++ b/test/fuzztest/backupsa_appdone_fuzzer/backupsa_appdone_fuzzer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -13,9 +13,9 @@
  * limitations under the License.
  */
 
-#ifndef BACKUPSAAPPEND_FUZZER_H
-#define BACKUPSAAPPEND_FUZZER_H
+#ifndef BACKUPSAAPPDONE_FUZZER_H
+#define BACKUPSAAPPDONE_FUZZER_H
 
-#define FUZZ_PROJECT_NAME "backupsaappend_fuzzer"
+#define FUZZ_PROJECT_NAME "backupsa_appdone_fuzzer"
 
 #endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appdone_fuzzer/corpus/init b/test/fuzztest/backupsa_appdone_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_appdone_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appdone_fuzzer/project.xml b/test/fuzztest/backupsa_appdone_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_appdone_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/BUILD.gn b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/BUILD.gn
new file mode 100644
index 000000000..37ff84e60
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaAppendBundlesBackupSessionFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_appendbundles_backupsession_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/backupsa_appendbundles_backupsession_fuzzer.cpp b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/backupsa_appendbundles_backupsession_fuzzer.cpp
new file mode 100644
index 000000000..d767e0b5f
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/backupsa_appendbundles_backupsession_fuzzer.cpp
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_appendbundles_backupsession_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdAppendBundlesBackupSessionFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    if (size > 0) {
+        vector<string> bundleNames;
+        for (size_t i = 0; i < size; i++) {
+            string param(reinterpret_cast<const char*>(data), size);
+            string name = param + to_string(i);
+            bundleNames.push_back(name);
+        }
+        datas.WriteStringVector(bundleNames);
+    }
+
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_APPEND_BUNDLES_BACKUP_SESSION);
+    try {
+        service->OnRemoteRequest(code, datas, reply, option);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        HILOGE("BackupSaFuzzTest error");
+    } catch (...) {
+        // filter other error
+    }
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdAppendBundlesBackupSessionFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/backupsa_appendbundles_backupsession_fuzzer.h b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/backupsa_appendbundles_backupsession_fuzzer.h
new file mode 100644
index 000000000..4e0abe9eb
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/backupsa_appendbundles_backupsession_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAAPPENDBUNDLEBACKUPSESSION_FUZZER_H
+#define BACKUPSAAPPENDBUNDLEBACKUPSESSION_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_appendbundles_backupsession_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/corpus/init b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/project.xml b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_backupsession_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/BUILD.gn b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/BUILD.gn
new file mode 100644
index 000000000..661fc6e34
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaAppendBundlesIncreBackupSessionFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_appendbundles_increbacksession_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.cpp b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/backupsa_appendbundles_increbacksession_fuzzer.cpp
similarity index 87%
rename from test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.cpp
rename to test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/backupsa_appendbundles_increbacksession_fuzzer.cpp
index 8c3ae92d8..246576d0b 100644
--- a/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.cpp
+++ b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/backupsa_appendbundles_increbacksession_fuzzer.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-#include "backupsaanother_fuzzer.h"
+#include "backupsa_appendbundles_increbacksession_fuzzer.h"
 
 #include <cstddef>
 #include <cstdint>
@@ -82,7 +82,13 @@ bool CmdAppendBundlesBackupSessionFuzzTest(const uint8_t *data, size_t size)
 
     sptr service(new Service(SERVICE_ID));
     uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_APPEND_BUNDLES_BACKUP_SESSION);
-    service->OnRemoteRequest(code, datas, reply, option);
+    try {
+        service->OnRemoteRequest(code, datas, reply, option);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        HILOGE("BackupSaFuzzTest error");
+    } catch (...) {
+        // filter other error
+    }
     service = nullptr;
     return true;
 }
@@ -198,7 +204,13 @@ bool CmdAppendBundlesIncrementalBackupSessionFuzzTest(const uint8_t *data, size_
     sptr service(new Service(SERVICE_ID));
     uint32_t code = static_cast<uint32_t>(
         IServiceIpcCode::COMMAND_APPEND_BUNDLES_INCREMENTAL_BACKUP_SESSION);
-    service->OnRemoteRequest(code, datas, reply, option);
+    try {
+        service->OnRemoteRequest(code, datas, reply, option);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        HILOGE("BackupSaFuzzTest error");
+    } catch (...) {
+        // filter other error
+    }
     service = nullptr;
     return true;
 }
@@ -305,15 +317,21 @@ bool CmdGetIncrementalFileHandleFuzzTest(const uint8_t *data, size_t size)
 /* Fuzzer entry point */
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
-    OHOS::CmdGetFileHandleFuzzTest(data, size);
-    OHOS::CmdAppendBundlesBackupSessionFuzzTest(data, size);
-    OHOS::CmdReleaseFuzzTest(data, size);
-    OHOS::CmdGetLocalCapabilitiesIncrementalFuzzTest(data, size);
-    OHOS::CmdInitIncrementalBackupSessionFuzzTest(data, size);
-    OHOS::CmdPublishIncrementalFileFuzzTest(data, size);
-    OHOS::CmdAppIncrementalFileReadyFuzzTest(data, size);
-    OHOS::CmdAppIncrementalDoneFuzzTest(data, size);
-    OHOS::CmdGetIncrementalFileHandleFuzzTest(data, size);
-    OHOS::CmdAppendBundlesIncrementalBackupSessionFuzzTest(data, size);
+    try {
+        OHOS::CmdGetFileHandleFuzzTest(data, size);
+        OHOS::CmdAppendBundlesBackupSessionFuzzTest(data, size);
+        OHOS::CmdReleaseFuzzTest(data, size);
+        OHOS::CmdGetLocalCapabilitiesIncrementalFuzzTest(data, size);
+        OHOS::CmdInitIncrementalBackupSessionFuzzTest(data, size);
+        OHOS::CmdPublishIncrementalFileFuzzTest(data, size);
+        OHOS::CmdAppIncrementalFileReadyFuzzTest(data, size);
+        OHOS::CmdAppIncrementalDoneFuzzTest(data, size);
+        OHOS::CmdGetIncrementalFileHandleFuzzTest(data, size);
+        OHOS::CmdAppendBundlesIncrementalBackupSessionFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
     return 0;
 }
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/backupsa_appendbundles_increbacksession_fuzzer.h b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/backupsa_appendbundles_increbacksession_fuzzer.h
new file mode 100644
index 000000000..383a9b454
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/backupsa_appendbundles_increbacksession_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAAPPENDBUNDLESINCREBACKUPSESSION_FUZZER_H
+#define BACKUPSAAPPENDBUNDLESINCREBACKUPSESSION_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_appendbundles_increbacksession_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/corpus/init b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/project.xml b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_increbacksession_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/BUILD.gn b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/BUILD.gn
new file mode 100644
index 000000000..1e2af73d6
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/BUILD.gn
@@ -0,0 +1,64 @@
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaAppendBundlesRestoreSessionFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_appendbundles_restoresession_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/utils:backup_utils",
+  ]
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private=public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsaappend_fuzzer/backupsaappend_fuzzer.cpp b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/backupsa_appendbundles_restoresession_fuzzer.cpp
similarity index 33%
rename from test/fuzztest/backupsaappend_fuzzer/backupsaappend_fuzzer.cpp
rename to test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/backupsa_appendbundles_restoresession_fuzzer.cpp
index 9a6e46113..80befe630 100644
--- a/test/fuzztest/backupsaappend_fuzzer/backupsaappend_fuzzer.cpp
+++ b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/backupsa_appendbundles_restoresession_fuzzer.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-#include "backupsaappend_fuzzer.h"
+#include "backupsa_appendbundles_restoresession_fuzzer.h"
 
 #include <cstddef>
 #include <cstdint>
@@ -35,154 +35,6 @@ using namespace OHOS::FileManagement::Backup;
 namespace OHOS {
 constexpr int32_t SERVICE_ID = 5203;
 
-bool CmdInitRestoreSessionFuzzTest(const uint8_t *data, size_t size)
-{
-    MessageParcel datas;
-    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
-    datas.WriteBuffer(data, size);
-    datas.RewindRead(0);
-    MessageParcel reply;
-    MessageOption option;
-
-    sptr service(new Service(SERVICE_ID));
-    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_INIT_RESTORE_SESSION),
-        datas, reply, option);
-    service = nullptr;
-    return true;
-}
-
-bool CmdInitBackupSessionFuzzTest(const uint8_t *data, size_t size)
-{
-    MessageParcel datas;
-    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
-    datas.WriteBuffer(data, size);
-    datas.RewindRead(0);
-    MessageParcel reply;
-    MessageOption option;
-
-    sptr service(new Service(SERVICE_ID));
-    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_INIT_BACKUP_SESSION),
-        datas, reply, option);
-    service = nullptr;
-    return true;
-}
-
-bool CmdPublishFileFuzzTest(const uint8_t *data, size_t size)
-{
-    MessageParcel datas;
-    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
-    if (size > 0) {
-        int pos = (size + 1) >> 1;
-        std::string fileName(reinterpret_cast<const char *>(data), pos);
-        std::string bundleName(reinterpret_cast<const char *>(data + pos), size - pos);
-        uint32_t sn = 0;
-        if (size > sizeof(uint32_t)) {
-            sn = *(reinterpret_cast<const uint32_t *>(data));
-        }
-        BFileInfo fileInfo(fileName, bundleName, sn);
-        datas.WriteParcelable(&fileInfo);
-    }
-    datas.RewindRead(0);
-    MessageParcel reply;
-    MessageOption option;
-
-    sptr service(new Service(SERVICE_ID));
-    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_PUBLISH_FILE),
-        datas, reply, option);
-    service = nullptr;
-    return true;
-}
-
-bool CmdGetLocalCapabilitiesFuzzTest(const uint8_t *data, size_t size)
-{
-    MessageParcel datas;
-    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
-    datas.WriteBuffer(data, size);
-    datas.RewindRead(0);
-    MessageParcel reply;
-    MessageOption option;
-
-    sptr service(new Service(SERVICE_ID));
-    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_GET_LOCAL_CAPABILITIES);
-    service->OnRemoteRequest(code, datas, reply, option);
-    service = nullptr;
-    return true;
-}
-
-bool CmdAppFileReadyFuzzTest(const uint8_t *data, size_t size)
-{
-    MessageParcel datas;
-    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
-    std::string fileName(reinterpret_cast<const char *>(data), size);
-    datas.WriteString(fileName);
-
-    int fd = -1;
-    if (size >= sizeof(int)) {
-        fd = *(reinterpret_cast<const int *>(data));
-    }
-    datas.WriteFileDescriptor(UniqueFd(fd));
-
-    datas.RewindRead(0);
-    MessageParcel reply;
-    MessageOption option;
-
-    sptr service(new Service(SERVICE_ID));
-    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_APP_FILE_READY);
-    service->OnRemoteRequest(code, datas, reply, option);
-    service = nullptr;
-    return true;
-}
-
-bool CmdAppDoneFuzzTest(const uint8_t *data, size_t size)
-{
-    MessageParcel datas;
-    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
-    if (size >= sizeof(bool)) {
-        datas.WriteBool(*(reinterpret_cast<const bool *>(data)));
-    }
-    datas.RewindRead(0);
-    MessageParcel reply;
-    MessageOption option;
-
-    sptr service(new Service(SERVICE_ID));
-    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_APP_DONE),
-        datas, reply, option);
-    service = nullptr;
-    return true;
-}
-
-bool CmdStartFuzzTest(const uint8_t *data, size_t size)
-{
-    MessageParcel datas;
-    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
-    datas.WriteBuffer(data, size);
-    datas.RewindRead(0);
-    MessageParcel reply;
-    MessageOption option;
-
-    sptr service(new Service(SERVICE_ID));
-    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_START),
-        datas, reply, option);
-    service = nullptr;
-    return true;
-}
-
-bool CmdFinishFuzzTest(const uint8_t *data, size_t size)
-{
-    MessageParcel datas;
-    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
-    datas.WriteBuffer(data, size);
-    datas.RewindRead(0);
-    MessageParcel reply;
-    MessageOption option;
-
-    sptr service(new Service(SERVICE_ID));
-    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_FINISH),
-        datas, reply, option);
-    service = nullptr;
-    return true;
-}
-
 bool CmdAppendBundlesRestoreSessionFuzzTest(const uint8_t *data, size_t size)
 {
     MessageParcel datas;
@@ -230,14 +82,12 @@ bool CmdAppendBundlesRestoreSessionFuzzTest(const uint8_t *data, size_t size)
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
     /* Run your code on data */
-    OHOS::CmdInitRestoreSessionFuzzTest(data, size);
-    OHOS::CmdInitBackupSessionFuzzTest(data, size);
-    OHOS::CmdPublishFileFuzzTest(data, size);
-    OHOS::CmdGetLocalCapabilitiesFuzzTest(data, size);
-    OHOS::CmdAppFileReadyFuzzTest(data, size);
-    OHOS::CmdAppDoneFuzzTest(data, size);
-    OHOS::CmdStartFuzzTest(data, size);
-    OHOS::CmdFinishFuzzTest(data, size);
-    OHOS::CmdAppendBundlesRestoreSessionFuzzTest(data, size);
+    try {
+        OHOS::CmdAppendBundlesRestoreSessionFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
     return 0;
 }
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/backupsa_appendbundles_restoresession_fuzzer.h b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/backupsa_appendbundles_restoresession_fuzzer.h
new file mode 100644
index 000000000..15bccb6cd
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/backupsa_appendbundles_restoresession_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAAPPENDBUNDLESRESTORESESSION_FUZZER_H
+#define BACKUPSAAPPENDBUNDLESRESTORESESSION_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_appendbundles_restoresession_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/corpus/init b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/project.xml b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_appendbundles_restoresession_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_appfileready_fuzzer/BUILD.gn b/test/fuzztest/backupsa_appfileready_fuzzer/BUILD.gn
new file mode 100644
index 000000000..e218648ca
--- /dev/null
+++ b/test/fuzztest/backupsa_appfileready_fuzzer/BUILD.gn
@@ -0,0 +1,64 @@
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaAppFileReadyFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_appfileready_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_appfileready_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/utils:backup_utils",
+  ]
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private=public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_appfileready_fuzzer/backupsa_appfileready_fuzzer.cpp b/test/fuzztest/backupsa_appfileready_fuzzer/backupsa_appfileready_fuzzer.cpp
new file mode 100644
index 000000000..e3d9a8264
--- /dev/null
+++ b/test/fuzztest/backupsa_appfileready_fuzzer/backupsa_appfileready_fuzzer.cpp
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_appfileready_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <vector>
+
+#include "message_parcel.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdAppFileReadyFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    std::string fileName(reinterpret_cast<const char *>(data), size);
+    datas.WriteString(fileName);
+
+    int fd = -1;
+    if (size >= sizeof(int)) {
+        fd = *(reinterpret_cast<const int *>(data));
+    }
+    datas.WriteFileDescriptor(UniqueFd(fd));
+
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_APP_FILE_READY);
+    service->OnRemoteRequest(code, datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    try {
+        OHOS::CmdAppFileReadyFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appfileready_fuzzer/backupsa_appfileready_fuzzer.h b/test/fuzztest/backupsa_appfileready_fuzzer/backupsa_appfileready_fuzzer.h
new file mode 100644
index 000000000..33d5d2a52
--- /dev/null
+++ b/test/fuzztest/backupsa_appfileready_fuzzer/backupsa_appfileready_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAAPPFILEREADY_FUZZER_H
+#define BACKUPSAAPPFILEREADY_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_appfileready_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appfileready_fuzzer/corpus/init b/test/fuzztest/backupsa_appfileready_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_appfileready_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_appfileready_fuzzer/project.xml b/test/fuzztest/backupsa_appfileready_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_appfileready_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_finish_fuzzer/BUILD.gn b/test/fuzztest/backupsa_finish_fuzzer/BUILD.gn
new file mode 100644
index 000000000..a994a4759
--- /dev/null
+++ b/test/fuzztest/backupsa_finish_fuzzer/BUILD.gn
@@ -0,0 +1,64 @@
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaFinishFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_finish_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_finish_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/utils:backup_utils",
+  ]
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private=public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_finish_fuzzer/backupsa_finish_fuzzer.cpp b/test/fuzztest/backupsa_finish_fuzzer/backupsa_finish_fuzzer.cpp
new file mode 100644
index 000000000..04d1de87b
--- /dev/null
+++ b/test/fuzztest/backupsa_finish_fuzzer/backupsa_finish_fuzzer.cpp
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_finish_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <vector>
+
+#include "message_parcel.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+bool CmdFinishFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    datas.WriteBuffer(data, size);
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_FINISH),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    try {
+        OHOS::CmdFinishFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_finish_fuzzer/backupsa_finish_fuzzer.h b/test/fuzztest/backupsa_finish_fuzzer/backupsa_finish_fuzzer.h
new file mode 100644
index 000000000..c4473b66c
--- /dev/null
+++ b/test/fuzztest/backupsa_finish_fuzzer/backupsa_finish_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAFINISHFUZZ_FUZZER_H
+#define BACKUPSAFINISHFUZZ_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_finish_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_finish_fuzzer/corpus/init b/test/fuzztest/backupsa_finish_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_finish_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_finish_fuzzer/project.xml b/test/fuzztest/backupsa_finish_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_finish_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_getfile_handle_fuzzer/BUILD.gn b/test/fuzztest/backupsa_getfile_handle_fuzzer/BUILD.gn
new file mode 100644
index 000000000..66fd866ef
--- /dev/null
+++ b/test/fuzztest/backupsa_getfile_handle_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaGetFileHandleFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_getfile_handle_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_getfile_handle_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_getfile_handle_fuzzer/backupsa_getfile_handle_fuzzer.cpp b/test/fuzztest/backupsa_getfile_handle_fuzzer/backupsa_getfile_handle_fuzzer.cpp
new file mode 100644
index 000000000..082edcd9b
--- /dev/null
+++ b/test/fuzztest/backupsa_getfile_handle_fuzzer/backupsa_getfile_handle_fuzzer.cpp
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_getfile_handle_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdGetFileHandleFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    int pos = (size + 1) >> 1;
+    if (size > 0) {
+        std::string param(string(reinterpret_cast<const char*>(data), pos));
+        datas.WriteString(param);
+    }
+
+    if (size > 1) {
+        std::string param(string(reinterpret_cast<const char*>(data + pos), size - pos));
+        datas.WriteString(param);
+    }
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_GET_FILE_HANDLE),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdGetFileHandleFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getfile_handle_fuzzer/backupsa_getfile_handle_fuzzer.h b/test/fuzztest/backupsa_getfile_handle_fuzzer/backupsa_getfile_handle_fuzzer.h
new file mode 100644
index 000000000..583af0752
--- /dev/null
+++ b/test/fuzztest/backupsa_getfile_handle_fuzzer/backupsa_getfile_handle_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAGETFILEHANDLE_FUZZER_H
+#define BACKUPSAGETFILEHANDLE_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_getfile_handle_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getfile_handle_fuzzer/corpus/init b/test/fuzztest/backupsa_getfile_handle_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_getfile_handle_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getfile_handle_fuzzer/project.xml b/test/fuzztest/backupsa_getfile_handle_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_getfile_handle_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/BUILD.gn b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/BUILD.gn
new file mode 100644
index 000000000..9b060181c
--- /dev/null
+++ b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaGetIncrementalLocalCapabilitiesFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_getincremental_localcapabilities_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/backupsa_getincremental_localcapabilities_fuzzer.cpp b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/backupsa_getincremental_localcapabilities_fuzzer.cpp
new file mode 100644
index 000000000..96af190e2
--- /dev/null
+++ b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/backupsa_getincremental_localcapabilities_fuzzer.cpp
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_getincremental_localcapabilities_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+void GetBundleNamesData(const uint8_t *data, size_t size, vector<BIncrementalData> &bundleNames)
+{
+    int minLen = sizeof(int64_t) + sizeof(int) + sizeof(int32_t);
+    if (size < minLen + 1) {
+        return;
+    }
+    FuzzedDataProvider fdp(data, size);
+    uint8_t loop = fdp.ConsumeIntegral<uint8_t>();
+    size--;
+    if (loop == 0 || (minLen * loop) > size) {
+        return;
+    }
+    int blob = (size / loop);
+    int len = (blob - minLen) >> 1;
+    for (size_t i = 0, pos = 1; i < loop; i++, pos += blob) {
+        int64_t nTime = fdp.ConsumeIntegral<int64_t>();
+        int fd = fdp.ConsumeIntegral<int>();
+        int32_t priority = fdp.ConsumeIntegral<int32_t>();
+        string name(reinterpret_cast<const char*>(data + pos + minLen), len);
+        string parameters(reinterpret_cast<const char*>(data + pos + len + minLen), len);
+        BIncrementalData incrementaData(name, nTime, fd, parameters, priority);
+        bundleNames.push_back(incrementaData);
+    }
+}
+
+template <typename T>
+void WriteParcelableVector(const std::vector<T> &parcelableVector, Parcel &data)
+{
+    if (!data.WriteUint32(parcelableVector.size())) {
+        return;
+    }
+
+    for (const auto &parcelable : parcelableVector) {
+        if (!data.WriteParcelable(&parcelable)) {
+            return;
+        }
+    }
+
+    return;
+}
+
+bool CmdGetLocalCapabilitiesIncrementalFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    if (size >= sizeof(int32_t)) {
+        vector<BIncrementalData> bundleNames;
+        GetBundleNamesData(data, size, bundleNames);
+        WriteParcelableVector(bundleNames, datas);
+    }
+
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_GET_LOCAL_CAPABILITIES_INCREMENTAL);
+    service->OnRemoteRequest(code, datas, reply, option);
+    OHOS::AppFileService::SandboxHelper::ClearBackupSandboxPathMap();
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdGetLocalCapabilitiesIncrementalFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/backupsa_getincremental_localcapabilities_fuzzer.h b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/backupsa_getincremental_localcapabilities_fuzzer.h
new file mode 100644
index 000000000..6461fd44a
--- /dev/null
+++ b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/backupsa_getincremental_localcapabilities_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAGETINCREMENTALLOCALCAPABILITIES_FUZZER_H
+#define BACKUPSAGETINCREMENTALLOCALCAPABILITIES_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_getincremental_localcapabilities_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/corpus/init b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/project.xml b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_getincremental_localcapabilities_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/BUILD.gn b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/BUILD.gn
new file mode 100644
index 000000000..1b28332e0
--- /dev/null
+++ b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaGetIncrementalFileHandleFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_getincrementalfile_handle_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/backupsa_getincrementalfile_handle_fuzzer.cpp b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/backupsa_getincrementalfile_handle_fuzzer.cpp
new file mode 100644
index 000000000..46f721c71
--- /dev/null
+++ b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/backupsa_getincrementalfile_handle_fuzzer.cpp
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_getincrementalfile_handle_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdGetIncrementalFileHandleFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    int pos = (size + 1) >> 1;
+    if (size > 0) {
+        string param(reinterpret_cast<const char*>(data), pos);
+        datas.WriteString(param);
+    }
+
+    if (size > 1) {
+        string param(reinterpret_cast<const char*>(data + pos), size - pos);
+        datas.WriteString(param);
+    }
+
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_GET_INCREMENTAL_FILE_HANDLE),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdGetIncrementalFileHandleFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/backupsa_getincrementalfile_handle_fuzzer.h b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/backupsa_getincrementalfile_handle_fuzzer.h
new file mode 100644
index 000000000..3d5b9b5d9
--- /dev/null
+++ b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/backupsa_getincrementalfile_handle_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAINCREMENTALFILEHANDLE_FUZZER_H
+#define BACKUPSAINCREMENTALFILEHANDLE_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_getincrementalfile_handle_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/corpus/init b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/project.xml b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_getincrementalfile_handle_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/BUILD.gn b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/BUILD.gn
new file mode 100644
index 000000000..bbf0c01aa
--- /dev/null
+++ b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/BUILD.gn
@@ -0,0 +1,64 @@
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaGetLocalCapabilitiesFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_getlocalcapabilities_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_getlocalcapabilities_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/utils:backup_utils",
+  ]
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private=public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/backupsa_getlocalcapabilities_fuzzer.cpp b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/backupsa_getlocalcapabilities_fuzzer.cpp
new file mode 100644
index 000000000..70e8d19ab
--- /dev/null
+++ b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/backupsa_getlocalcapabilities_fuzzer.cpp
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_getlocalcapabilities_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <vector>
+
+#include "message_parcel.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdGetLocalCapabilitiesFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    datas.WriteBuffer(data, size);
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_GET_LOCAL_CAPABILITIES);
+    service->OnRemoteRequest(code, datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    try {
+        OHOS::CmdGetLocalCapabilitiesFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/backupsa_getlocalcapabilities_fuzzer.h b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/backupsa_getlocalcapabilities_fuzzer.h
new file mode 100644
index 000000000..ea1e3b556
--- /dev/null
+++ b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/backupsa_getlocalcapabilities_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAGETLOCALCAPABILITIES_FUZZER_H
+#define BACKUPSAGETLOCALCAPABILITIES_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_getlocalcapabilities_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/corpus/init b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/project.xml b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_getlocalcapabilities_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_init_backupsession_fuzzer/BUILD.gn b/test/fuzztest/backupsa_init_backupsession_fuzzer/BUILD.gn
new file mode 100644
index 000000000..ac3d3b950
--- /dev/null
+++ b/test/fuzztest/backupsa_init_backupsession_fuzzer/BUILD.gn
@@ -0,0 +1,64 @@
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaInitBackupSessionFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_init_backupsession_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_init_backupsession_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/utils:backup_utils",
+  ]
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private=public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_init_backupsession_fuzzer/backupsa_init_backupsession_fuzzer.cpp b/test/fuzztest/backupsa_init_backupsession_fuzzer/backupsa_init_backupsession_fuzzer.cpp
new file mode 100644
index 000000000..05eb10c66
--- /dev/null
+++ b/test/fuzztest/backupsa_init_backupsession_fuzzer/backupsa_init_backupsession_fuzzer.cpp
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_init_backupsession_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <vector>
+
+#include "message_parcel.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdInitBackupSessionFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    datas.WriteBuffer(data, size);
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_INIT_BACKUP_SESSION),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    try {
+        OHOS::CmdInitBackupSessionFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_backupsession_fuzzer/backupsa_init_backupsession_fuzzer.h b/test/fuzztest/backupsa_init_backupsession_fuzzer/backupsa_init_backupsession_fuzzer.h
new file mode 100644
index 000000000..58ed5a930
--- /dev/null
+++ b/test/fuzztest/backupsa_init_backupsession_fuzzer/backupsa_init_backupsession_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAINITBACKUPSESSION_FUZZER_H
+#define BACKUPSAINITBACKUPSESSION_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_init_backupsession_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_backupsession_fuzzer/corpus/init b/test/fuzztest/backupsa_init_backupsession_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_init_backupsession_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_backupsession_fuzzer/project.xml b/test/fuzztest/backupsa_init_backupsession_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_init_backupsession_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/BUILD.gn b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/BUILD.gn
new file mode 100644
index 000000000..cee3d7d0d
--- /dev/null
+++ b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaInitIncreBackupSessionFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_init_incrementalbackupession_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/backupsa_init_incrementalbackupession_fuzzer.cpp b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/backupsa_init_incrementalbackupession_fuzzer.cpp
new file mode 100644
index 000000000..e517c87c3
--- /dev/null
+++ b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/backupsa_init_incrementalbackupession_fuzzer.cpp
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_init_incrementalbackupession_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdInitIncrementalBackupSessionFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    datas.WriteBuffer(data, size);
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_INIT_INCREMENTAL_BACKUP_SESSION);
+    service->OnRemoteRequest(code, datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdInitIncrementalBackupSessionFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/backupsa_init_incrementalbackupession_fuzzer.h b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/backupsa_init_incrementalbackupession_fuzzer.h
new file mode 100644
index 000000000..d31e4f684
--- /dev/null
+++ b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/backupsa_init_incrementalbackupession_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAINITINCREMENTALBACKUPSESSION_FUZZER_H
+#define BACKUPSAINITINCREMENTALBACKUPSESSION_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_init_incrementalbackupession_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/corpus/init b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/project.xml b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_init_incrementalbackupession_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_init_restoresession_fuzzer/BUILD.gn b/test/fuzztest/backupsa_init_restoresession_fuzzer/BUILD.gn
new file mode 100644
index 000000000..d4fb83b64
--- /dev/null
+++ b/test/fuzztest/backupsa_init_restoresession_fuzzer/BUILD.gn
@@ -0,0 +1,64 @@
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaInitRestoreSessionFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_init_restoresession_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_init_restoresession_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/utils:backup_utils",
+  ]
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private=public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_init_restoresession_fuzzer/backupsa_init_restoresession_fuzzer.cpp b/test/fuzztest/backupsa_init_restoresession_fuzzer/backupsa_init_restoresession_fuzzer.cpp
new file mode 100644
index 000000000..c310b1c64
--- /dev/null
+++ b/test/fuzztest/backupsa_init_restoresession_fuzzer/backupsa_init_restoresession_fuzzer.cpp
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_init_restoresession_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <vector>
+
+#include "message_parcel.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdInitRestoreSessionFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    datas.WriteBuffer(data, size);
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_INIT_RESTORE_SESSION),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    try {
+        OHOS::CmdInitRestoreSessionFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_restoresession_fuzzer/backupsa_init_restoresession_fuzzer.h b/test/fuzztest/backupsa_init_restoresession_fuzzer/backupsa_init_restoresession_fuzzer.h
new file mode 100644
index 000000000..488cb206d
--- /dev/null
+++ b/test/fuzztest/backupsa_init_restoresession_fuzzer/backupsa_init_restoresession_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAINITRESTORESESSION_FUZZER_H
+#define BACKUPSAINITRESTORESESSION_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_init_restoresession_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_restoresession_fuzzer/corpus/init b/test/fuzztest/backupsa_init_restoresession_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_init_restoresession_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_init_restoresession_fuzzer/project.xml b/test/fuzztest/backupsa_init_restoresession_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_init_restoresession_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_publish_file_fuzzer/BUILD.gn b/test/fuzztest/backupsa_publish_file_fuzzer/BUILD.gn
new file mode 100644
index 000000000..ca176a82f
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_file_fuzzer/BUILD.gn
@@ -0,0 +1,64 @@
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaPublishFileFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_publish_file_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_publish_file_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/utils:backup_utils",
+  ]
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+    "private=public",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_publish_file_fuzzer/backupsa_publish_file_fuzzer.cpp b/test/fuzztest/backupsa_publish_file_fuzzer/backupsa_publish_file_fuzzer.cpp
new file mode 100644
index 000000000..2abda33ee
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_file_fuzzer/backupsa_publish_file_fuzzer.cpp
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_publish_file_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <vector>
+
+#include "message_parcel.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdPublishFileFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    if (size > 0) {
+        int pos = (size + 1) >> 1;
+        std::string fileName(reinterpret_cast<const char *>(data), pos);
+        std::string bundleName(reinterpret_cast<const char *>(data + pos), size - pos);
+        uint32_t sn = 0;
+        if (size > sizeof(uint32_t)) {
+            sn = *(reinterpret_cast<const uint32_t *>(data));
+        }
+        BFileInfo fileInfo(fileName, bundleName, sn);
+        datas.WriteParcelable(&fileInfo);
+    }
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_PUBLISH_FILE),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    try {
+        OHOS::CmdPublishFileFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_publish_file_fuzzer/backupsa_publish_file_fuzzer.h b/test/fuzztest/backupsa_publish_file_fuzzer/backupsa_publish_file_fuzzer.h
new file mode 100644
index 000000000..058f39fb7
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_file_fuzzer/backupsa_publish_file_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAPUBLISHFILE_FUZZER_H
+#define BACKUPSAPUBLISHFILE_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_publish_file_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_publish_file_fuzzer/corpus/init b/test/fuzztest/backupsa_publish_file_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_file_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_publish_file_fuzzer/project.xml b/test/fuzztest/backupsa_publish_file_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_file_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/BUILD.gn b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/BUILD.gn
new file mode 100644
index 000000000..5bdb46590
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/BUILD.gn
@@ -0,0 +1,66 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#####################hydra-fuzz###################
+import("//build/config/features.gni")
+import("//build/test.gni")
+import("//foundation/filemanagement/app_file_service/app_file_service.gni")
+import("//foundation/filemanagement/app_file_service/backup.gni")
+
+##############################fuzztest##########################################
+ohos_fuzztest("BackupSaPublishIncrementalFileFuzzTest") {
+  module_out_path = "app_file_service/app_file_service"
+  fuzz_config_file =
+      "${app_file_service_path}/test/fuzztest/backupsa_publish_incrementalfile_fuzzer"
+  include_dirs = [
+    "${app_file_service_path}/services/backup_sa/include/module_ipc",
+    "${app_file_service_path}/services/backup_sa/include",
+    "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl",
+    "${app_file_service_path}/frameworks/native/backup_kit_inner/include",
+  ]
+  cflags = [
+    "-g",
+    "-O0",
+    "-Wno-unused-variable",
+    "-fno-omit-frame-pointer",
+  ]
+  sources = [ "backupsa_publish_incrementalfile_fuzzer.cpp" ]
+
+  deps = [
+    "${app_file_service_path}/services/backup_sa:backup_sa",
+    "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner",
+    "${path_backup}/interfaces/innerkits/native:sandbox_helper_native",
+    "${path_backup}/utils:backup_utils",
+  ]
+
+  public_configs = [ "${path_backup}/services/backup_sa:public_idl_config" ]
+
+  external_deps = [
+    "ability_runtime:ability_manager",
+    "ability_runtime:abilitykit_native",
+    "bounds_checking_function:libsec_shared",
+    "c_utils:utils",
+    "file_api:filemgmt_libn",
+    "hilog:libhilog",
+    "ipc:ipc_core",
+    "safwk:system_ability_fwk",
+  ]
+
+  defines = [
+    "LOG_TAG=\"app_file_service\"",
+    "LOG_DOMAIN=0xD004303",
+  ]
+
+  use_exceptions = true
+}
+###############################################################################
diff --git a/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/backupsa_publish_incrementalfile_fuzzer.cpp b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/backupsa_publish_incrementalfile_fuzzer.cpp
new file mode 100644
index 000000000..2c576fc97
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/backupsa_publish_incrementalfile_fuzzer.cpp
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_publish_incrementalfile_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdPublishIncrementalFileFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    if (size > 0) {
+        int pos = (size + 1) >> 1;
+        std::string fileName(reinterpret_cast<const char *>(data), pos);
+        std::string bundleName(reinterpret_cast<const char *>(data + pos), size - pos);
+        uint32_t sn = 0;
+        if (size > sizeof(uint32_t)) {
+            sn = *(reinterpret_cast<const uint32_t *>(data));
+        }
+        BFileInfo fileInfo(fileName, bundleName, sn);
+        datas.WriteParcelable(&fileInfo);
+    }
+
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_PUBLISH_INCREMENTAL_FILE);
+    service->OnRemoteRequest(code, datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdPublishIncrementalFileFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/backupsa_publish_incrementalfile_fuzzer.h b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/backupsa_publish_incrementalfile_fuzzer.h
new file mode 100644
index 000000000..95b0ead3e
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/backupsa_publish_incrementalfile_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSAPUBLISHINCREMENTALFILE_FUZZER_H
+#define BACKUPSAPUBLISHINCREMENTALFILE_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_publish_incrementalfile_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/corpus/init b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/project.xml b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_publish_incrementalfile_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsaanother_fuzzer/BUILD.gn b/test/fuzztest/backupsa_release_fuzzer/BUILD.gn
similarity index 91%
rename from test/fuzztest/backupsaanother_fuzzer/BUILD.gn
rename to test/fuzztest/backupsa_release_fuzzer/BUILD.gn
index 36412f43b..bac96c5be 100644
--- a/test/fuzztest/backupsaanother_fuzzer/BUILD.gn
+++ b/test/fuzztest/backupsa_release_fuzzer/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Copyright (c) 2025 Huawei Device Co., Ltd.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -18,10 +18,10 @@ import("//foundation/filemanagement/app_file_service/app_file_service.gni")
 import("//foundation/filemanagement/app_file_service/backup.gni")
 
 ##############################fuzztest##########################################
-ohos_fuzztest("BackupSaAnotherFuzzTest") {
+ohos_fuzztest("BackupSaReleaseFuzzTest") {
   module_out_path = "app_file_service/app_file_service"
   fuzz_config_file =
-      "${app_file_service_path}/test/fuzztest/backupsaanother_fuzzer"
+      "${app_file_service_path}/test/fuzztest/backupsa_release_fuzzer"
   include_dirs = [
     "${app_file_service_path}/services/backup_sa/include/module_ipc",
     "${app_file_service_path}/services/backup_sa/include",
@@ -34,7 +34,7 @@ ohos_fuzztest("BackupSaAnotherFuzzTest") {
     "-Wno-unused-variable",
     "-fno-omit-frame-pointer",
   ]
-  sources = [ "backupsaanother_fuzzer.cpp" ]
+  sources = [ "backupsa_release_fuzzer.cpp" ]
 
   deps = [
     "${app_file_service_path}/services/backup_sa:backup_sa",
diff --git a/test/fuzztest/backupsa_release_fuzzer/backupsa_release_fuzzer.cpp b/test/fuzztest/backupsa_release_fuzzer/backupsa_release_fuzzer.cpp
new file mode 100644
index 000000000..1b0e4d6b6
--- /dev/null
+++ b/test/fuzztest/backupsa_release_fuzzer/backupsa_release_fuzzer.cpp
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_release_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#include "message_parcel.h"
+#include "sandbox_helper.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdReleaseFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    datas.WriteBuffer(data, size);
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    uint32_t code = static_cast<uint32_t>(IServiceIpcCode::COMMAND_RELEASE);
+    service->OnRemoteRequest(code, datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    try {
+        OHOS::CmdReleaseFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        //  filter backup
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.h b/test/fuzztest/backupsa_release_fuzzer/backupsa_release_fuzzer.h
similarity index 77%
rename from test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.h
rename to test/fuzztest/backupsa_release_fuzzer/backupsa_release_fuzzer.h
index f89e351e6..9996d1226 100644
--- a/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.h
+++ b/test/fuzztest/backupsa_release_fuzzer/backupsa_release_fuzzer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
@@ -13,9 +13,9 @@
  * limitations under the License.
  */
 
-#ifndef BACKUPSAANOTHER_FUZZER_H
-#define BACKUPSAANOTHER_FUZZER_H
+#ifndef BACKUPSARELEASE_FUZZER_H
+#define BACKUPSARELEASE_FUZZER_H
 
-#define FUZZ_PROJECT_NAME "backupsaanother_fuzzer"
+#define FUZZ_PROJECT_NAME "backupsa_release_fuzzer"
 
 #endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_release_fuzzer/corpus/init b/test/fuzztest/backupsa_release_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_release_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_release_fuzzer/project.xml b/test/fuzztest/backupsa_release_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_release_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/backupsaappend_fuzzer/BUILD.gn b/test/fuzztest/backupsa_start_fuzzer/BUILD.gn
similarity index 90%
rename from test/fuzztest/backupsaappend_fuzzer/BUILD.gn
rename to test/fuzztest/backupsa_start_fuzzer/BUILD.gn
index 410ead2a2..3d2089727 100644
--- a/test/fuzztest/backupsaappend_fuzzer/BUILD.gn
+++ b/test/fuzztest/backupsa_start_fuzzer/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright (c) 2021-2024 Huawei Device Co., Ltd.
+# Copyright (c) 2021-2025 Huawei Device Co., Ltd.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@@ -18,10 +18,10 @@ import("//foundation/filemanagement/app_file_service/app_file_service.gni")
 import("//foundation/filemanagement/app_file_service/backup.gni")
 
 ##############################fuzztest##########################################
-ohos_fuzztest("BackupSaAppendFuzzTest") {
+ohos_fuzztest("BackupSaStartFuzzTest") {
   module_out_path = "app_file_service/app_file_service"
   fuzz_config_file =
-      "${app_file_service_path}/test/fuzztest/backupsaappend_fuzzer"
+      "${app_file_service_path}/test/fuzztest/backupsa_start_fuzzer"
   include_dirs = [
     "${app_file_service_path}/services/backup_sa/include/module_ipc",
     "${app_file_service_path}/services/backup_sa/include",
@@ -34,7 +34,7 @@ ohos_fuzztest("BackupSaAppendFuzzTest") {
     "-Wno-unused-variable",
     "-fno-omit-frame-pointer",
   ]
-  sources = [ "backupsaappend_fuzzer.cpp" ]
+  sources = [ "backupsa_start_fuzzer.cpp" ]
 
   deps = [
     "${app_file_service_path}/services/backup_sa:backup_sa",
@@ -58,5 +58,7 @@ ohos_fuzztest("BackupSaAppendFuzzTest") {
     "LOG_DOMAIN=0xD004303",
     "private=public",
   ]
+
+  use_exceptions = true
 }
 ###############################################################################
diff --git a/test/fuzztest/backupsa_start_fuzzer/backupsa_start_fuzzer.cpp b/test/fuzztest/backupsa_start_fuzzer/backupsa_start_fuzzer.cpp
new file mode 100644
index 000000000..1c039ee08
--- /dev/null
+++ b/test/fuzztest/backupsa_start_fuzzer/backupsa_start_fuzzer.cpp
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "backupsa_start_fuzzer.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <climits>
+#include <vector>
+
+#include "message_parcel.h"
+#include "service.h"
+#include "service_proxy.h"
+#include "service_reverse.h"
+#include "service_stub.h"
+#include "securec.h"
+#include "system_ability.h"
+
+using namespace std;
+using namespace OHOS::FileManagement::Backup;
+
+namespace OHOS {
+constexpr int32_t SERVICE_ID = 5203;
+
+bool CmdStartFuzzTest(const uint8_t *data, size_t size)
+{
+    MessageParcel datas;
+    datas.WriteInterfaceToken(ServiceStub::GetDescriptor());
+    datas.WriteBuffer(data, size);
+    datas.RewindRead(0);
+    MessageParcel reply;
+    MessageOption option;
+
+    sptr service(new Service(SERVICE_ID));
+    service->OnRemoteRequest(static_cast<uint32_t>(IServiceIpcCode::COMMAND_START),
+        datas, reply, option);
+    service = nullptr;
+    return true;
+}
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    try {
+        OHOS::CmdStartFuzzTest(data, size);
+    } catch (OHOS::FileManagement::Backup::BError &err) {
+        // filter backup error
+    } catch (...) {
+        // filter other error
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_start_fuzzer/backupsa_start_fuzzer.h b/test/fuzztest/backupsa_start_fuzzer/backupsa_start_fuzzer.h
new file mode 100644
index 000000000..64a1ad685
--- /dev/null
+++ b/test/fuzztest/backupsa_start_fuzzer/backupsa_start_fuzzer.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BACKUPSASTARTFUZZ_FUZZER_H
+#define BACKUPSASTARTFUZZ_FUZZER_H
+
+#define FUZZ_PROJECT_NAME "backupsa_start_fuzzer"
+
+#endif
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_start_fuzzer/corpus/init b/test/fuzztest/backupsa_start_fuzzer/corpus/init
new file mode 100644
index 000000000..7ade8a0fa
--- /dev/null
+++ b/test/fuzztest/backupsa_start_fuzzer/corpus/init
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+FUZZ
\ No newline at end of file
diff --git a/test/fuzztest/backupsa_start_fuzzer/project.xml b/test/fuzztest/backupsa_start_fuzzer/project.xml
new file mode 100644
index 000000000..66e1dcac4
--- /dev/null
+++ b/test/fuzztest/backupsa_start_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input -->
+    <max_len>1000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/test/fuzztest/servicereverse_fuzzer/servicereverse_fuzzer.cpp b/test/fuzztest/servicereverse_fuzzer/servicereverse_fuzzer.cpp
index 09767b6ee..4589cf549 100644
--- a/test/fuzztest/servicereverse_fuzzer/servicereverse_fuzzer.cpp
+++ b/test/fuzztest/servicereverse_fuzzer/servicereverse_fuzzer.cpp
@@ -657,16 +657,19 @@ bool IncrementalRestoreOnProcessInfoFuzzTest(sptr<ServiceReverse> service, const
 
 bool OnRemoteRequestFuzzTest(sptr<ServiceReverse> service, const uint8_t *data, size_t size)
 {
-    uint32_t codeMax = 26;
+    uint32_t codeMax = 31;
     for (uint32_t code = 1; code < codeMax; code++) {
         MessageParcel datas;
         MessageParcel reply;
         MessageOption option;
-
         datas.WriteInterfaceToken(ServiceReverseStub::GetDescriptor());
         datas.WriteBuffer(reinterpret_cast<const char*>(data), size);
         datas.RewindRead(0);
-        service->OnRemoteRequest(code, datas, reply, option);
+        try {
+            service->OnRemoteRequest(code, datas, reply, option);
+        } catch (BError &err) {
+            // Only filter BError errors, Other results are not expected.
+        }
     }
     {
         MessageParcel datas;
-- 
Gitee