1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <cstddef>
17 #include <cstdint>
18 #include <iostream>
19 #include <memory>
20
21 #include "securec.h"
22 #include "avsession_item.h"
23 #include "iav_session.h"
24 #include "iremote_stub.h"
25 #include "avsession_stub.h"
26 #include "avsession_callback_proxy.h"
27 #include "avsession_controller_stub.h"
28 #include "avsession_service.h"
29 #include "avsession_errors.h"
30 #include "system_ability_definition.h"
31 #include "avcontrol_command.h"
32 #include "avcall_meta_data.h"
33 #include "avcall_state.h"
34 #include "avsessionitem_fuzzer.h"
35
36 using namespace std;
37 namespace OHOS {
38 namespace AVSession {
39 static const int32_t MAX_CODE_TEST = 24;
40 static const int32_t MAX_CODE_LEN = 20;
41 static const int32_t MIN_SIZE_NUM = 10;
42 static const uint8_t *RAW_DATA = nullptr;
43 static size_t g_totalSize = 0;
44 static size_t g_sizePos;
45
46 /*
47 * describe: get data from FUZZ untrusted data(RAW_DATA) which size is according to sizeof(T)
48 * tips: only support basic type
49 */
50 template<class T>
GetData()51 T GetData()
52 {
53 T object {};
54 size_t objectSize = sizeof(object);
55 if (RAW_DATA == nullptr || objectSize > g_totalSize - g_sizePos) {
56 return object;
57 }
58 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_sizePos, objectSize);
59 if (ret != EOK) {
60 return {};
61 }
62 g_sizePos += objectSize;
63 return object;
64 }
65
GetString()66 std::string GetString()
67 {
68 size_t objectSize = (GetData<int8_t>() % MAX_CODE_LEN) + 1;
69 if (RAW_DATA == nullptr || objectSize > g_totalSize - g_sizePos) {
70 return "OVER_SIZE";
71 }
72 char object[objectSize + 1];
73 errno_t ret = memcpy_s(object, sizeof(object), RAW_DATA + g_sizePos, objectSize);
74 if (ret != EOK) {
75 return "";
76 }
77 g_sizePos += objectSize;
78 std::string output(object);
79 return output;
80 }
81
82 template<class T>
GetArrLength(T & arr)83 uint32_t GetArrLength(T& arr)
84 {
85 if (arr == nullptr) {
86 SLOGE("%{public}s: The array length is equal to 0", __func__);
87 return 0;
88 }
89 return sizeof(arr) / sizeof(arr[0]);
90 }
91
92 typedef void (*TestFuncs[2])();
93
94 TestFuncs g_allFuncs = {
95 AvSessionItemOnRemoteRequest,
96 AvSessionItemTest
97 };
98
FuzzTest(const uint8_t * rawData,size_t size)99 bool FuzzTest(const uint8_t* rawData, size_t size)
100 {
101 if (rawData == nullptr) {
102 return false;
103 }
104
105 // initialize data
106 RAW_DATA = rawData;
107 g_totalSize = size;
108 g_sizePos = 0;
109
110 uint32_t code = GetData<uint32_t>();
111 uint32_t len = GetArrLength(g_allFuncs);
112 if (len > 0) {
113 g_allFuncs[code % len]();
114 } else {
115 SLOGE("%{public}s: The len length is equal to 0", __func__);
116 }
117
118 return true;
119 }
120
AvSessionItemFuzzerTest()121 void AvSessionItemFuzzer::AvSessionItemFuzzerTest()
122 {
123 uint32_t code = GetData<uint32_t>();
124 if (code >= MAX_CODE_TEST) {
125 return;
126 }
127 std::string tag = GetString();
128 int32_t type = GetData<int32_t>();
129 std::string bundleName = GetString();
130 std::string abilityName = GetString();
131
132 AppExecFwk::ElementName elementName;
133 elementName.SetBundleName(bundleName);
134 elementName.SetAbilityName(abilityName);
135
136 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
137 if (!service) {
138 SLOGI("service is null");
139 return;
140 }
141 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
142 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
143 if (!avSessionItem) {
144 SLOGI("avSessionItem is null");
145 return;
146 }
147 MessageParcel dataMessageParcel;
148 MessageParcel reply;
149 MessageOption option;
150 if (!dataMessageParcel.WriteInterfaceToken(IAVSession::GetDescriptor())) {
151 return;
152 }
153 dataMessageParcel.WriteBuffer(RAW_DATA, g_sizePos);
154 g_sizePos += sizeof(uint32_t);
155 dataMessageParcel.RewindRead(0);
156 avSessionItem->OnRemoteRequest(code, dataMessageParcel, reply, option);
157 }
158
AvSessionItemTest()159 void AvSessionItemTest()
160 {
161 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
162 if (!service) {
163 SLOGI("service is null");
164 return;
165 }
166 std::string tag("audio");
167 int32_t type = 0;
168 AppExecFwk::ElementName elementName;
169 elementName.SetBundleName("bundleName");
170 elementName.SetAbilityName("abilityName");
171 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
172 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
173 if (!avSessionItem) {
174 SLOGI("avSessionItem is null");
175 return;
176 }
177 AvSessionItemTestImpl(avSessionItem);
178 AvSessionCallItemTest(avSessionItem);
179 AvSessionItemTestImplExtension(avSessionItem);
180 AvSessionCallItemTestExtension(avSessionItem);
181 }
182
AvSessionItemTestImpl(sptr<AVSessionItem> avSessionItem)183 void AvSessionItemTestImpl(sptr<AVSessionItem> avSessionItem)
184 {
185 AVPlaybackState avState;
186 int32_t state = GetData<int32_t>();
187 avState.SetState(state);
188
189 AVMetaData metaData;
190 std::string assetId = GetString();
191 metaData.SetAssetId(assetId);
192
193 std::vector<int32_t> cmds;
194 int32_t fuzzCmds = GetData<int32_t>();
195 cmds.push_back(fuzzCmds);
196
197 bool top = GetData<bool>();
198
199 AVControlCommand controlCommand;
200 int32_t cmd = GetData<int32_t>();
201 controlCommand.SetCommand(cmd);
202
203 OutputDeviceInfo info;
204 DeviceInfo deviceInfo;
205 deviceInfo.castCategory_ = 0;
206 std::string deviceId = GetString();
207 deviceInfo.deviceId_= deviceId;
208 std::string deviceName = GetString();
209 deviceInfo.deviceName_ = deviceName;
210 info.deviceInfos_.push_back(deviceInfo);
211
212 avSessionItem->ExecuteControllerCommand(controlCommand);
213 avSessionItem->SetTop(top);
214 avSessionItem->SetOutputDevice(info);
215 avSessionItem->GetOutputDevice(info);
216 avSessionItem->AddSupportCommand(controlCommand.GetCommand());
217 avSessionItem->DeleteSupportCommand(controlCommand.GetCommand());
218 avSessionItem->GetSessionId();
219 avSessionItem->GetAVMetaData(metaData);
220 avSessionItem->SetAVMetaData(metaData);
221 avSessionItem->GetAVPlaybackState(avState);
222 avSessionItem->Activate();
223 avSessionItem->Deactivate();
224 avSessionItem->IsActive();
225 avSessionItem->Destroy();
226 avSessionItem->SetAVPlaybackState(avState);
227 avSessionItem->GetPlaybackState();
228 avSessionItem->GetMetaData();
229 avSessionItem->GetSupportCommand();
230 avSessionItem->GetPid();
231 avSessionItem->GetUid();
232 avSessionItem->GetAbilityName();
233 avSessionItem->GetRemoteSource();
234 }
235
AvSessionItemTestImplExtension(sptr<AVSessionItem> avSessionItem)236 void AvSessionItemTestImplExtension(sptr<AVSessionItem> avSessionItem)
237 {
238 int32_t state = GetData<int32_t>();
239 int32_t itemId = GetData<int32_t>();
240 int32_t pid = GetData<int32_t>();
241 int32_t uid = GetData<int32_t>();
242
243 OutputDeviceInfo info;
244 DeviceInfo deviceInfo;
245 deviceInfo.castCategory_ = 0;
246 std::string deviceId = GetString();
247 deviceInfo.deviceId_= deviceId;
248 std::string deviceName = GetString();
249 deviceInfo.deviceName_ = deviceName;
250 info.deviceInfos_.push_back(deviceInfo);
251
252 std::vector<AVQueueItem> avQueueItems;
253 AVQueueItem avQueueItem;
254 avQueueItem.SetItemId(GetData<int32_t>());
255 avQueueItems.push_back(avQueueItem);
256
257 std::string title = GetString();
258 std::string commonCommand = GetString();
259
260 auto wantAgentPtr = std::make_shared<AbilityRuntime::WantAgent::WantAgent>();
261
262 AAFwk::WantParams wantParams;
263
264 auto keyEvent = MMI::KeyEvent::Create();
265 keyEvent->SetKeyCode(GetData<int32_t>());
266 MMI::KeyEvent::KeyItem keyItem;
267 keyItem.SetKeyCode(GetData<int32_t>());
268 keyEvent->AddKeyItem(keyItem);
269
270 sptr<AVControllerItem> avControllerItem = new(std::nothrow) AVControllerItem(pid, avSessionItem);
271 if (avControllerItem == nullptr) {
272 return;
273 }
274
275 avSessionItem->SetAVQueueItems(avQueueItems);
276 avSessionItem->GetAVQueueItems(avQueueItems);
277 avSessionItem->SetAVQueueTitle(title);
278 avSessionItem->GetAVQueueTitle(title);
279 avSessionItem->SetLaunchAbility(*wantAgentPtr);
280 avSessionItem->SetExtras(wantParams);
281 avSessionItem->GetExtras(wantParams);
282 avSessionItem->HandleMediaKeyEvent(*keyEvent);
283 avSessionItem->HandleOutputDeviceChange(state, info);
284 avSessionItem->HandleSkipToQueueItem(itemId);
285 avSessionItem->ExecueCommonCommand(commonCommand, wantParams);
286 avSessionItem->AddController(pid, avControllerItem);
287 avSessionItem->SetPid(pid);
288 avSessionItem->SetUid(uid);
289 avSessionItem->HandleControllerRelease(pid);
290 }
291
AvSessionCallItemTest(sptr<AVSessionItem> avSessionItem)292 void AvSessionCallItemTest(sptr<AVSessionItem> avSessionItem)
293 {
294 AVCallMetaData callMetaData;
295 int32_t numberDate = GetData<int32_t>();
296 std::string dataToS(std::to_string(numberDate));
297 std::string strCallMetaData(dataToS);
298 callMetaData.SetName(strCallMetaData);
299 callMetaData.SetPhoneNumber(strCallMetaData);
300
301 AVCallState avCallState;
302 int32_t callState = std::stoi(dataToS);
303 avCallState.SetAVCallState(callState);
304 bool mute = std::stoi(dataToS);
305 avCallState.SetAVCallMuted(mute);
306
307 avSessionItem->SetAVCallMetaData(callMetaData);
308 avSessionItem->SetAVCallState(avCallState);
309 }
310
AvSessionCallItemTestExtension(sptr<AVSessionItem> avSessionItem)311 void AvSessionCallItemTestExtension(sptr<AVSessionItem> avSessionItem)
312 {
313 string sinkDevice = GetString();
314 string event = GetString();
315
316 auto releaseAndStartCallback = [](AVSessionItem& item) {};
317 auto updateSessionCallback = [](string str, bool flag) {};
318
319 AAFwk::WantParams wantParams;
320
321 avSessionItem->GetSessionType();
322 avSessionItem->DestroyTask();
323 avSessionItem->GetDescriptor();
324 avSessionItem->GetAVCallState();
325 avSessionItem->GetAVCallMetaData();
326 avSessionItem->GetQueueItems();
327 avSessionItem->GetQueueTitle();
328 avSessionItem->GetExtras();
329 avSessionItem->GetLaunchAbility();
330 avSessionItem->GetBundleName();
331 avSessionItem->SetServiceCallbackForRelease(releaseAndStartCallback);
332 avSessionItem->SetServiceCallbackForCallStart(releaseAndStartCallback);
333 avSessionItem->SourceCancelCastAudio(sinkDevice);
334 avSessionItem->SinkCancelCastAudio();
335 avSessionItem->SetSessionEvent(event, wantParams);
336 avSessionItem->SetServiceCallbackForAVQueueInfo(releaseAndStartCallback);
337 avSessionItem->SetServiceCallbackForUpdateSession(updateSessionCallback);
338 }
339
AvSessionItemOnRemoteRequest()340 void AvSessionItemOnRemoteRequest()
341 {
342 auto avSessionItem = std::make_unique<AvSessionItemFuzzer>();
343 if (avSessionItem == nullptr) {
344 SLOGI("avSessionItem is null");
345 return;
346 }
347 avSessionItem->AvSessionItemFuzzerTest();
348 }
349
350 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)351 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
352 {
353 if (size < MIN_SIZE_NUM) {
354 return 0;
355 }
356 /* Run your code on data */
357 FuzzTest(data, size);
358 return 0;
359 }
360 } // namespace AVSession
361 } // namespace OHOS
362