1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <cstddef>
17 #include <cstdint>
18
19 #include "avsession_item.h"
20 #include "ipc_skeleton.h"
21 #include "avcontroller_callback_proxy.h"
22 #include "avsession_controller_stub.h"
23 #include "avsession_errors.h"
24 #include "system_ability_definition.h"
25 #include "avsession_service.h"
26 #include "avcontrolleritem_fuzzer.h"
27
28 using namespace std;
29 using namespace OHOS;
30 using namespace OHOS::AVSession;
31
32 const int32_t MAX_CODE_TEST = 12;
33 const int32_t MAX_CODE_LEN = 512;
34 const int32_t MIN_SIZE_NUM = 4;
35
FuzzOnRemoteRequest(const uint8_t * data,size_t size)36 void AvControllerItemFuzzer::FuzzOnRemoteRequest(const uint8_t* data, size_t size)
37 {
38 if ((data == nullptr) || (size > MAX_CODE_LEN) || (size < MIN_SIZE_NUM)) {
39 return;
40 }
41 sptr<AVControllerItem> avControllerItem;
42 std::string tag(reinterpret_cast<const char*>(data), size);
43 int32_t type = *reinterpret_cast<const int32_t*>(data);
44 std::string bundleName(reinterpret_cast<const char*>(data), size);
45 std::string abilityName(reinterpret_cast<const char*>(data), size);
46 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
47 if (!service) {
48 SLOGI("service is null");
49 return;
50 }
51 AppExecFwk::ElementName elementName;
52 elementName.SetBundleName(bundleName);
53 elementName.SetAbilityName(abilityName);
54 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
55 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
56 if (!avSessionItem) {
57 SLOGI("avSessionItem is null");
58 return;
59 }
60 uint32_t code = *(reinterpret_cast<const uint32_t*>(data));
61 if (code >= MAX_CODE_TEST) {
62 return;
63 }
64 sptr<IRemoteObject> avControllerItemObj;
65 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
66 if (ret != AVSESSION_SUCCESS) {
67 SLOGI("CreateControllerInner fail");
68 return;
69 }
70 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
71 if (!avControllerItem) {
72 SLOGI("avControllerItem is null");
73 return;
74 }
75 MessageParcel dataMessageParcel;
76 MessageParcel reply;
77 MessageOption option;
78 if (!dataMessageParcel.WriteInterfaceToken(avControllerItem->GetDescriptor())) {
79 return;
80 }
81 size -= sizeof(uint32_t);
82 dataMessageParcel.WriteBuffer(data + sizeof(uint32_t), size);
83 dataMessageParcel.RewindRead(0);
84 avControllerItem->OnRemoteRequest(code, dataMessageParcel, reply, option);
85 avControllerItem->Destroy();
86 }
87
AvControllerItemRemoteRequestTest(const uint8_t * data,size_t size)88 void OHOS::AVSession::AvControllerItemRemoteRequestTest(const uint8_t* data, size_t size)
89 {
90 auto avControllerItemFuzzer = std::make_unique<AvControllerItemFuzzer>();
91 if (avControllerItemFuzzer == nullptr) {
92 return;
93 }
94 avControllerItemFuzzer->FuzzOnRemoteRequest(data, size);
95 }
96
AvControllerItemDataTest(const uint8_t * data,size_t size)97 void OHOS::AVSession::AvControllerItemDataTest(const uint8_t* data, size_t size)
98 {
99 if ((data == nullptr) || (size > MAX_CODE_LEN) || (size < MIN_SIZE_NUM)) {
100 return;
101 }
102 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
103 if (!service) {
104 SLOGI("service is null");
105 return;
106 }
107 std::string tag(reinterpret_cast<const char*>(data), size);
108 int32_t type = *reinterpret_cast<const int32_t*>(data);
109 std::string bundleName(reinterpret_cast<const char*>(data), size);
110 std::string abilityName(reinterpret_cast<const char*>(data), size);
111 AppExecFwk::ElementName elementName;
112 elementName.SetBundleName(bundleName);
113 elementName.SetAbilityName(abilityName);
114 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
115 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
116 if (!avSessionItem) {
117 SLOGI("avSessionItem is null");
118 return;
119 }
120 sptr<AVControllerItem> avControllerItem;
121 std::string sessionId(reinterpret_cast<const char*>(data), size);
122 sptr<IRemoteObject> avControllerItemObj;
123 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
124 if (ret != AVSESSION_SUCCESS) {
125 SLOGI("CreateControllerInner fail");
126 return;
127 }
128 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
129 if (!avControllerItem) {
130 SLOGI("avControllerItem is null");
131 return;
132 }
133 auto avControllerItemFuzzer = std::make_unique<AvControllerItemFuzzer>();
134 if (avControllerItemFuzzer == nullptr) {
135 return;
136 }
137 AVPlaybackState playbackstate;
138 avControllerItem->GetAVPlaybackState(playbackstate);
139 AVMetaData metaData;
140 avControllerItem->GetAVMetaData(metaData);
141 std::vector<int32_t> cmds;
142 avControllerItem->GetValidCommands(cmds);
143 AVPlaybackState::PlaybackStateMaskType playBackFilter;
144 playBackFilter.set(*(reinterpret_cast<const int32_t*>(data)));
145 avControllerItem->SetPlaybackFilter(playBackFilter);
146 uint32_t code = *(reinterpret_cast<const uint32_t*>(data));
147 if (code <= AVMetaData::META_KEY_MAX) {
148 AVMetaData::MetaMaskType metaFilter;
149 metaFilter.set(code);
150 avControllerItem->SetMetaFilter(metaFilter);
151 }
152 avControllerItem->GetSessionId();
153 avControllerItem->GetPid();
154 avControllerItem->HasSession(sessionId);
155 auto keyEvent = OHOS::MMI::KeyEvent::Create();
156 keyEvent->SetKeyCode(*(reinterpret_cast<const int32_t*>(data)));
157 OHOS::MMI::KeyEvent::KeyItem item;
158 item.SetKeyCode(*(reinterpret_cast<const int32_t*>(data)));
159 keyEvent->AddKeyItem(item);
160 bool isActive = *(reinterpret_cast<const bool*>(data));
161 avControllerItem->IsSessionActive(isActive);
162 avControllerItem->SendAVKeyEvent(*(keyEvent.get()));
163 OHOS::AbilityRuntime::WantAgent::WantAgent ability;
164 avControllerItem->GetLaunchAbility(ability);
165 if (code <= AVControlCommand::SESSION_CMD_MAX) {
166 AVControlCommand command;
167 command.SetCommand(code);
168 avControllerItem->SendControlCommand(command);
169 }
170 avControllerItem->Destroy();
171 }
172
AvControllerItemTest(const uint8_t * data,size_t size)173 void OHOS::AVSession::AvControllerItemTest(const uint8_t* data, size_t size)
174 {
175 if ((data == nullptr) || (size > MAX_CODE_LEN) || (size < MIN_SIZE_NUM)) {
176 return;
177 }
178 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
179 if (!service) {
180 SLOGI("service is null");
181 return;
182 }
183 std::string tag(reinterpret_cast<const char*>(data), size);
184 int32_t type = *reinterpret_cast<const int32_t*>(data);
185 std::string bundleName(reinterpret_cast<const char*>(data), size);
186 std::string abilityName(reinterpret_cast<const char*>(data), size);
187 AppExecFwk::ElementName elementName;
188 elementName.SetBundleName(bundleName);
189 elementName.SetAbilityName(abilityName);
190 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
191 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
192 if (!avSessionItem) {
193 SLOGI("avSessionItem is null");
194 return;
195 }
196 sptr<AVControllerItem> avControllerItem;
197 sptr<IRemoteObject> avControllerItemObj;
198 std::string sessionId(reinterpret_cast<const char*>(data), size);
199 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
200 if (ret != AVSESSION_SUCCESS) {
201 SLOGI("CreateControllerInner fail");
202 return;
203 }
204 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
205 if (!avControllerItem) {
206 SLOGI("avControllerItem is null");
207 return;
208 }
209 std::string deviceId(reinterpret_cast<const char*>(data), size);
210
211 AVPlaybackState controllerBackState;
212 controllerBackState.SetState(*(reinterpret_cast<const int32_t*>(data)));
213 avControllerItem->HandlePlaybackStateChange(controllerBackState);
214 AVMetaData controllerMetaData;
215 controllerMetaData.Reset();
216 controllerMetaData.SetAssetId(deviceId);
217 avControllerItem->HandleMetaDataChange(controllerMetaData);
218 avControllerItem->HandleActiveStateChange(*(reinterpret_cast<const bool*>(data)));
219 std::vector<int32_t> controlCmds;
220 controlCmds.push_back(*(reinterpret_cast<const int32_t*>(data)));
221 avControllerItem->HandleValidCommandChange(controlCmds);
222 OutputDeviceInfo deviceInfo;
223 deviceInfo.isRemote_ = *(reinterpret_cast<const bool*>(data));
224 deviceInfo.deviceIds_.push_back(deviceId);
225 avControllerItem->HandleOutputDeviceChange(deviceInfo);
226 avControllerItem->HandleSessionDestroy();
227 avControllerItem->Destroy();
228 }
229
230 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)231 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
232 {
233 /* Run your code on data */
234 OHOS::AVSession::AvControllerItemRemoteRequestTest(data, size);
235 OHOS::AVSession::AvControllerItemDataTest(data, size);
236 OHOS::AVSession::AvControllerItemTest(data, size);
237 return 0;
238 }