1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <cstddef>
17 #include <cstdint>
18
19 #include "securec.h"
20 #include "avsession_item.h"
21 #include "ipc_skeleton.h"
22 #include "avcontroller_callback_proxy.h"
23 #include "avsession_controller_stub.h"
24 #include "avsession_errors.h"
25 #include "system_ability_definition.h"
26 #include "avsession_service.h"
27 #include "avcontrolleritem_fuzzer.h"
28
29 using namespace std;
30 namespace OHOS {
31 namespace AVSession {
32 static const int32_t MAX_CODE_TEST = 5;
33 static const int32_t MAX_CODE_LEN = 20;
34 static const int32_t MIN_SIZE_NUM = 10;
35 static const uint8_t *RAW_DATA = nullptr;
36 static size_t g_totalSize = 0;
37 static size_t g_sizePos;
38
39 /*
40 * describe: get data from FUZZ untrusted data(RAW_DATA) which size is according to sizeof(T)
41 * tips: only support basic type
42 */
43 template<class T>
GetData()44 T GetData()
45 {
46 T object {};
47 size_t objectSize = sizeof(object);
48 if (RAW_DATA == nullptr || objectSize > g_totalSize - g_sizePos) {
49 return object;
50 }
51 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_sizePos, objectSize);
52 if (ret != EOK) {
53 return {};
54 }
55 g_sizePos += objectSize;
56 return object;
57 }
58
GetString()59 std::string GetString()
60 {
61 size_t objectSize = (GetData<int8_t>() % MAX_CODE_LEN) + 1;
62 if (RAW_DATA == nullptr || objectSize > g_totalSize - g_sizePos) {
63 return "OVER_SIZE";
64 }
65 char object[objectSize + 1];
66 errno_t ret = memcpy_s(object, sizeof(object), RAW_DATA + g_sizePos, objectSize);
67 if (ret != EOK) {
68 return "";
69 }
70 g_sizePos += objectSize;
71 std::string output(object);
72 return output;
73 }
74
75 template<class T>
GetArrLength(T & arr)76 uint32_t GetArrLength(T& arr)
77 {
78 if (arr == nullptr) {
79 SLOGE("%{public}s: The array length is equal to 0", __func__);
80 return 0;
81 }
82 return sizeof(arr) / sizeof(arr[0]);
83 }
84
85 typedef void (*TestFuncs[3])();
86
87 TestFuncs g_allFuncs = {
88 AvControllerItemRemoteRequestTest,
89 AvControllerItemDataTest,
90 AvControllerItemTest
91 };
92
FuzzTest(const uint8_t * rawData,size_t size)93 bool FuzzTest(const uint8_t* rawData, size_t size)
94 {
95 if (rawData == nullptr) {
96 return false;
97 }
98
99 // initialize data
100 RAW_DATA = rawData;
101 g_totalSize = size;
102 g_sizePos = 0;
103
104 uint32_t code = GetData<uint32_t>();
105 uint32_t len = GetArrLength(g_allFuncs);
106 if (len > 0) {
107 g_allFuncs[code % len]();
108 } else {
109 SLOGE("%{public}s: The len length is equal to 0", __func__);
110 }
111
112 return true;
113 }
114
115 template<typename T>
116 class ResourceAutoDestroy {
117 public:
ResourceAutoDestroy(T ptr)118 explicit ResourceAutoDestroy(T ptr) : ptr_(ptr)
119 {
120 }
121
~ResourceAutoDestroy()122 ~ResourceAutoDestroy()
123 {
124 if (ptr_) {
125 ptr_->Destroy();
126 }
127 }
128
129 private:
130 T ptr_;
131 };
132
FuzzOnRemoteRequest()133 void AvControllerItemFuzzer::FuzzOnRemoteRequest()
134 {
135 sptr<AVControllerItem> avControllerItem;
136 std::string tag = GetString();
137 int32_t type = GetData<int8_t>();
138 std::string bundleName = GetString();
139 std::string abilityName = GetString();
140 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
141 CHECK_AND_RETURN_LOG(service != nullptr, "service is null");
142 AppExecFwk::ElementName elementName;
143 elementName.SetBundleName(bundleName);
144 elementName.SetAbilityName(abilityName);
145 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type % MIN_SIZE_NUM, elementName);
146 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
147 CHECK_AND_RETURN_LOG(avSessionItem != nullptr, "avSessionItem is null");
148 ResourceAutoDestroy<sptr<AVSessionItem>> avSessionItemRelease(avSessionItem);
149 uint32_t code = GetData<uint32_t>();
150 CHECK_AND_RETURN_LOG(code < MAX_CODE_TEST, "Unsupport code");
151 sptr<IRemoteObject> avControllerItemObj;
152 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
153 CHECK_AND_RETURN_LOG(ret == AVSESSION_SUCCESS, "CreateControllerInner failed");
154 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
155 CHECK_AND_RETURN_LOG(avControllerItem != nullptr, "avControllerItem is null");
156 ResourceAutoDestroy<sptr<AVControllerItem>> avControllerItemRelease(avControllerItem);
157
158 MessageParcel dataMessageParcel;
159 MessageParcel reply;
160 MessageOption option;
161 if (!dataMessageParcel.WriteInterfaceToken(avControllerItem->GetDescriptor())) {
162 return;
163 }
164 dataMessageParcel.WriteBuffer(RAW_DATA, g_sizePos);
165 g_sizePos += sizeof(uint32_t);
166 dataMessageParcel.RewindRead(0);
167 avControllerItem->OnRemoteRequest(code, dataMessageParcel, reply, option);
168 }
169
AvControllerItemRemoteRequestTest()170 void AvControllerItemRemoteRequestTest()
171 {
172 auto avControllerItemFuzzer = std::make_unique<AvControllerItemFuzzer>();
173 if (avControllerItemFuzzer == nullptr) {
174 return;
175 }
176 avControllerItemFuzzer->FuzzOnRemoteRequest();
177 }
178
AvControllerItemDataTest()179 void AvControllerItemDataTest()
180 {
181 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
182 CHECK_AND_RETURN_LOG(service != nullptr, "service is null");
183 std::string tag = GetString();
184 int32_t type = GetData<uint8_t>();
185 std::string bundleName = GetString();
186 std::string abilityName = GetString();
187 AppExecFwk::ElementName elementName;
188 elementName.SetBundleName(bundleName);
189 elementName.SetAbilityName(abilityName);
190 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type % MIN_SIZE_NUM, elementName);
191 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
192 CHECK_AND_RETURN_LOG(avSessionItem != nullptr, "avSessionItem is null");
193 ResourceAutoDestroy<sptr<AVSessionItem>> avSessionItemRelease(avSessionItem);
194 sptr<AVControllerItem> avControllerItem;
195 sptr<IRemoteObject> avControllerItemObj;
196 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
197 CHECK_AND_RETURN_LOG(ret == AVSESSION_SUCCESS, "CreateControllerInner fail");
198 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
199 CHECK_AND_RETURN_LOG(avControllerItem != nullptr, "avControllerItem is null");
200 ResourceAutoDestroy<sptr<AVControllerItem>> avControllerItemRelease(avControllerItem);
201
202 AVPlaybackState playbackstate;
203 avControllerItem->GetAVPlaybackState(playbackstate);
204 AVMetaData metaData;
205 avControllerItem->GetAVMetaData(metaData);
206 std::vector<int32_t> cmds;
207 avControllerItem->GetValidCommands(cmds);
208 AVPlaybackState::PlaybackStateMaskType playBackFilter;
209 uint32_t playCode = GetData<uint32_t>();
210 if (playCode <= AVPlaybackState::PLAYBACK_KEY_MAX) {
211 playBackFilter.set(playCode);
212 } else {
213 playBackFilter.set(AVPlaybackState::PLAYBACK_KEY_STATE);
214 }
215 avControllerItem->SetPlaybackFilter(playBackFilter);
216
217 AvControllerItemDataTestSecond(avControllerItem);
218 AvControllerItemDataTestThird(avControllerItem);
219 avControllerItem->RegisterCallbackInner(avControllerItemObj);
220 }
221
AvControllerItemDataTestSecond(sptr<AVControllerItem> avControllerItem)222 void AvControllerItemDataTestSecond(sptr<AVControllerItem> avControllerItem)
223 {
224 std::string sessionId = GetString();
225 avControllerItem->GetUserId();
226 avControllerItem->GetSessionId();
227 avControllerItem->GetPid();
228 avControllerItem->HasSession(sessionId);
229 auto keyEvent = MMI::KeyEvent::Create();
230 keyEvent->SetKeyCode(GetData<int32_t>());
231 MMI::KeyEvent::KeyItem item;
232 item.SetKeyCode(GetData<int32_t>());
233 keyEvent->AddKeyItem(item);
234 bool isActive = GetData<int32_t>();
235 avControllerItem->IsSessionActive(isActive);
236 avControllerItem->SendAVKeyEvent(*(keyEvent.get()));
237 AbilityRuntime::WantAgent::WantAgent ability;
238 avControllerItem->GetLaunchAbility(ability);
239
240 uint32_t code = GetData<int32_t>();
241 AVMetaData::MetaMaskType metaFilter;
242 metaFilter.set(code % AVMetaData::META_KEY_MAX);
243 avControllerItem->SetMetaFilter(metaFilter);
244 AVControlCommand command;
245 command.SetCommand(code % AVControlCommand::SESSION_CMD_MAX);
246 avControllerItem->SendControlCommand(command);
247
248 AVCallState avCallState;
249 avControllerItem->GetAVCallState(avCallState);
250 AVCallMetaData callMetaData;
251 avControllerItem->GetAVCallMetaData(callMetaData);
252 }
253
AvControllerItemDataTestThird(sptr<AVControllerItem> avControllerItem)254 void AvControllerItemDataTestThird(sptr<AVControllerItem> avControllerItem)
255 {
256 std::vector<AVQueueItem> items;
257 avControllerItem->GetAVQueueItems(items);
258
259 std::string title;
260 avControllerItem->GetAVQueueTitle(title);
261
262 int32_t itemId = GetData<int32_t>();
263 avControllerItem->SkipToQueueItem(itemId);
264
265 AAFwk::WantParams extras;
266 avControllerItem->GetExtras(extras);
267
268 std::string commonCommand = GetString();
269 avControllerItem->SendCommonCommand(commonCommand, extras);
270
271 uint32_t code = GetData<uint32_t>();
272 AVCallMetaData::AVCallMetaMaskType avCallMetaMaskType;
273 avCallMetaMaskType.set(code % AVCallMetaData::AVCALL_META_KEY_MAX);
274 avControllerItem->SetAVCallMetaFilter(avCallMetaMaskType);
275 AVCallState::AVCallStateMaskType avCallStateMaskType;
276 avCallStateMaskType.set(code % AVCallState::AVCALL_STATE_KEY_MAX);
277 avControllerItem->SetAVCallStateFilter(avCallStateMaskType);
278 }
279
AvControllerItemTest()280 void AvControllerItemTest()
281 {
282 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
283 if (!service) {
284 SLOGI("service is null");
285 return;
286 }
287 std::string tag = GetString();
288 int32_t type = 0;
289 std::string bundleName = GetString();
290 std::string abilityName = GetString();
291 AppExecFwk::ElementName elementName;
292 elementName.SetBundleName(bundleName);
293 elementName.SetAbilityName(abilityName);
294 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type % MIN_SIZE_NUM, elementName);
295 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
296 if (!avSessionItem) {
297 SLOGI("avSessionItem is null");
298 return;
299 }
300 ResourceAutoDestroy<sptr<AVSessionItem>> avSessionItemRelease(avSessionItem);
301 sptr<AVControllerItem> avControllerItem;
302 sptr<IRemoteObject> avControllerItemObj;
303 std::string sessionId = GetString();
304 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
305 if (ret != AVSESSION_SUCCESS) {
306 SLOGI("CreateControllerInner fail");
307 return;
308 }
309 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
310 if (!avControllerItem) {
311 SLOGI("avControllerItem is null");
312 return;
313 }
314 ResourceAutoDestroy<sptr<AVControllerItem>> avControllerItemRelease(avControllerItem);
315 AvControllerItemTestImpl(avControllerItem);
316 AvControllerItemTestImplSecond(avControllerItem);
317 }
318
AvControllerItemTestImpl(sptr<AVControllerItem> avControllerItem)319 void AvControllerItemTestImpl(sptr<AVControllerItem> avControllerItem)
320 {
321 std::string deviceId = GetString();
322 AVPlaybackState controllerBackState;
323 controllerBackState.SetState(GetData<int32_t>());
324 avControllerItem->HandlePlaybackStateChange(controllerBackState);
325 AVMetaData controllerMetaData;
326 controllerMetaData.Reset();
327 controllerMetaData.SetAssetId(deviceId);
328 avControllerItem->HandleMetaDataChange(controllerMetaData);
329 avControllerItem->HandleActiveStateChange(GetData<bool>());
330 std::vector<int32_t> controlCmds;
331 controlCmds.push_back(GetData<int32_t>());
332 avControllerItem->HandleValidCommandChange(controlCmds);
333 int32_t connectionState = 0;
334 OutputDeviceInfo outputDeviceInfo;
335 DeviceInfo deviceInfo;
336 deviceInfo.castCategory_ = GetData<int32_t>();
337 deviceInfo.deviceId_ = deviceId;
338 outputDeviceInfo.deviceInfos_.push_back(deviceInfo);
339 avControllerItem->HandleOutputDeviceChange(connectionState, outputDeviceInfo);
340 avControllerItem->HandleSessionDestroy();
341 }
342
AvControllerItemTestImplSecond(sptr<AVControllerItem> avControllerItem)343 void AvControllerItemTestImplSecond(sptr<AVControllerItem> avControllerItem)
344 {
345 AVCallMetaData callMetaData;
346 int32_t numberDate = GetData<int32_t>();
347 std::string dataToS(std::to_string(numberDate));
348 std::string strCallMetaData(dataToS);
349 callMetaData.SetName(strCallMetaData);
350 callMetaData.SetPhoneNumber(strCallMetaData);
351 avControllerItem->HandleAVCallMetaDataChange(callMetaData);
352
353 AVCallState avCallState;
354 int32_t callState = std::stoi(dataToS);
355 avCallState.SetAVCallState(callState);
356 bool mute = std::stoi(dataToS);
357 avCallState.SetAVCallMuted(mute);
358 avControllerItem->HandleAVCallStateChange(avCallState);
359
360 const std::string event = GetString();
361 const std::string title = GetString();
362 AAFwk::WantParams wantParams;
363 vector<AVQueueItem> items;
364 avControllerItem->HandleSetSessionEvent(event, wantParams);
365 avControllerItem->HandleQueueItemsChange(items);
366 avControllerItem->HandleQueueTitleChange(title);
367 avControllerItem->HandleExtrasChange(wantParams);
368
369 std::string sessionId = GetString();
370 auto releaseCallback = [](AVControllerItem& item) {};
371 auto avControllerCallback = std::make_shared<AVControllerObserver>(sessionId);
372 avControllerItem->SetServiceCallbackForRelease(releaseCallback);
373 avControllerItem->RegisterAVControllerCallback(avControllerCallback);
374 std::shared_ptr<AVControllerCallback> callback;
375 avControllerItem->RegisterAVControllerCallback(callback);
376 }
377
378 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)379 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
380 {
381 if (size < MIN_SIZE_NUM) {
382 return 0;
383 }
384 /* Run your code on data */
385 FuzzTest(data, size);
386 return 0;
387 }
388 } // namespace AVSession
389 } // namespace OHOS
390