1 /*
2 * Copyright (c) 2022-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <cstddef>
17 #include <cstdint>
18 #include <iostream>
19 #include <memory>
20
21 #include "securec.h"
22 #include "int_wrapper.h"
23 #include "string_wrapper.h"
24 #include "avsession_item.h"
25 #include "iav_session.h"
26 #include "avsession_stub.h"
27 #include "avsession_service.h"
28 #include "system_ability_definition.h"
29 #include "avcontrol_command.h"
30 #include "avcall_meta_data.h"
31 #include "avcall_state.h"
32 #include "avsessionitem_fuzzer.h"
33
34 using namespace std;
35 namespace OHOS {
36 namespace AVSession {
37 static const int32_t MAX_CODE_TEST = 24;
38 static const int32_t MAX_CODE_LEN = 20;
39 static const int32_t MIN_SIZE_NUM = 10;
40 static const uint8_t *RAW_DATA = nullptr;
41 static size_t g_totalSize = 0;
42 static size_t g_sizePos;
43
44 /*
45 * describe: get data from FUZZ untrusted data(RAW_DATA) which size is according to sizeof(T)
46 * tips: only support basic type
47 */
48 template<class T>
GetData()49 T GetData()
50 {
51 T object {};
52 size_t objectSize = sizeof(object);
53 if (RAW_DATA == nullptr || objectSize > g_totalSize - g_sizePos) {
54 return object;
55 }
56 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_sizePos, objectSize);
57 if (ret != EOK) {
58 return {};
59 }
60 g_sizePos += objectSize;
61 return object;
62 }
63
GetString()64 std::string GetString()
65 {
66 size_t objectSize = (GetData<int8_t>() % MAX_CODE_LEN) + 1;
67 if (RAW_DATA == nullptr || objectSize > g_totalSize - g_sizePos) {
68 return "OVER_SIZE";
69 }
70 char object[objectSize + 1];
71 errno_t ret = memcpy_s(object, sizeof(object), RAW_DATA + g_sizePos, objectSize);
72 if (ret != EOK) {
73 return "";
74 }
75 g_sizePos += objectSize;
76 std::string output(object);
77 return output;
78 }
79
80 template<class T>
GetArrLength(T & arr)81 uint32_t GetArrLength(T& arr)
82 {
83 if (arr == nullptr) {
84 SLOGE("%{public}s: The array length is equal to 0", __func__);
85 return 0;
86 }
87 return sizeof(arr) / sizeof(arr[0]);
88 }
89
90 typedef void (*TestFuncs[2])();
91
92 TestFuncs g_allFuncs = {
93 AvSessionItemOnRemoteRequest,
94 AvSessionItemTest
95 };
96
FuzzTest(const uint8_t * rawData,size_t size)97 bool FuzzTest(const uint8_t* rawData, size_t size)
98 {
99 if (rawData == nullptr) {
100 return false;
101 }
102
103 // initialize data
104 RAW_DATA = rawData;
105 g_totalSize = size;
106 g_sizePos = 0;
107
108 uint32_t code = GetData<uint32_t>();
109 uint32_t len = GetArrLength(g_allFuncs);
110 if (len > 0) {
111 g_allFuncs[code % len]();
112 } else {
113 SLOGE("%{public}s: The len length is equal to 0", __func__);
114 }
115
116 return true;
117 }
118
AvSessionItemFuzzerTest()119 void AvSessionItemFuzzer::AvSessionItemFuzzerTest()
120 {
121 uint32_t code = GetData<uint32_t>();
122 if (code >= MAX_CODE_TEST) {
123 return;
124 }
125 std::string tag = GetString();
126 int32_t type = GetData<int32_t>();
127 std::string bundleName = GetString();
128 std::string abilityName = GetString();
129
130 AppExecFwk::ElementName elementName;
131 elementName.SetBundleName(bundleName);
132 elementName.SetAbilityName(abilityName);
133
134 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
135 if (!service) {
136 SLOGI("service is null");
137 return;
138 }
139 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
140 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
141 if (!avSessionItem) {
142 SLOGI("avSessionItem is null");
143 return;
144 }
145 MessageParcel dataMessageParcel;
146 MessageParcel reply;
147 MessageOption option;
148 if (!dataMessageParcel.WriteInterfaceToken(IAVSession::GetDescriptor())) {
149 return;
150 }
151 dataMessageParcel.WriteBuffer(RAW_DATA, g_sizePos);
152 g_sizePos += sizeof(uint32_t);
153 dataMessageParcel.RewindRead(0);
154 avSessionItem->OnRemoteRequest(code, dataMessageParcel, reply, option);
155 }
156
AvSessionItemTest()157 void AvSessionItemTest()
158 {
159 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
160 if (!service) {
161 SLOGI("service is null");
162 return;
163 }
164 std::string tag("audio");
165 int32_t type = 0;
166 AppExecFwk::ElementName elementName;
167 elementName.SetBundleName("bundleName");
168 elementName.SetAbilityName("abilityName");
169 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
170 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
171 if (!avSessionItem) {
172 SLOGI("avSessionItem is null");
173 return;
174 }
175 AvSessionItemTestImpl(avSessionItem);
176 AvSessionCallItemTest(avSessionItem);
177 AvSessionItemTestImplExtension(avSessionItem);
178 AvSessionCallItemTestExtension(avSessionItem);
179 BundleStatusAdapter::ReleaseInstance();
180 }
181
AvSessionItemTestImpl(sptr<AVSessionItem> avSessionItem)182 void AvSessionItemTestImpl(sptr<AVSessionItem> avSessionItem)
183 {
184 AVPlaybackState avState;
185 int32_t state = GetData<int32_t>();
186 avState.SetState(state);
187
188 AVMetaData metaData;
189 std::string assetId = GetString();
190 metaData.SetAssetId(assetId);
191
192 std::vector<int32_t> cmds;
193 int32_t fuzzCmds = GetData<int32_t>();
194 cmds.push_back(fuzzCmds);
195
196 bool top = GetData<bool>();
197
198 AVControlCommand controlCommand;
199 int32_t cmd = GetData<int32_t>();
200 controlCommand.SetCommand(cmd);
201
202 OutputDeviceInfo info;
203 DeviceInfo deviceInfo;
204 deviceInfo.castCategory_ = 0;
205 std::string deviceId = GetString();
206 deviceInfo.deviceId_= deviceId;
207 std::string deviceName = GetString();
208 deviceInfo.deviceName_ = deviceName;
209 info.deviceInfos_.push_back(deviceInfo);
210
211 avSessionItem->ExecuteControllerCommand(controlCommand);
212 avSessionItem->SetTop(top);
213 avSessionItem->SetOutputDevice(info);
214 avSessionItem->GetOutputDevice(info);
215 avSessionItem->AddSupportCommand(controlCommand.GetCommand());
216 avSessionItem->DeleteSupportCommand(controlCommand.GetCommand());
217 avSessionItem->GetSessionId();
218 avSessionItem->GetAVMetaData(metaData);
219 avSessionItem->SetAVMetaData(metaData);
220 avSessionItem->GetAVPlaybackState(avState);
221 avSessionItem->Activate();
222 avSessionItem->Deactivate();
223 avSessionItem->IsActive();
224 avSessionItem->Destroy();
225 avSessionItem->SetAVPlaybackState(avState);
226 avSessionItem->GetPlaybackState();
227 avSessionItem->GetMetaData();
228 avSessionItem->GetSupportCommand();
229 avSessionItem->GetPid();
230 avSessionItem->GetUid();
231 avSessionItem->GetAbilityName();
232 avSessionItem->GetRemoteSource();
233 avSessionItem->GetAnonymousDeviceId(GetString());
234 #ifdef CASTPLUS_CAST_ENGINE_ENABLE
235 avSessionItem->RegisterListenerStreamToCast(std::make_pair(GetString(), GetString()), deviceInfo);
236 #endif
237 }
238
AvSessionItemTestCustomData(sptr<AVSessionItem> avSessionItem)239 void AvSessionItemTestCustomData(sptr<AVSessionItem> avSessionItem)
240 {
241 AAFwk::WantParams wantParams;
242 std::string deviceId = GetString();
243 wantParams.SetParam("request-tv-client", AAFwk::Integer::Box(GetData<uint8_t>()));
244 avSessionItem->SetSpid(wantParams);
245 avSessionItem->SearchSpidInCapability(deviceId);
246 wantParams.SetParam("customData", AAFwk::String::Box(GetString()));
247 avSessionItem->SendCustomData(wantParams);
248 avSessionItem->ExecuteCustomData(wantParams);
249 }
250
AvSessionItemTestImplExtension(sptr<AVSessionItem> avSessionItem)251 void AvSessionItemTestImplExtension(sptr<AVSessionItem> avSessionItem)
252 {
253 int32_t state = GetData<int32_t>();
254 int32_t itemId = GetData<int32_t>();
255 int32_t pid = GetData<int32_t>();
256 int32_t uid = GetData<int32_t>();
257
258 OutputDeviceInfo info;
259 DeviceInfo deviceInfo;
260 deviceInfo.castCategory_ = 0;
261 std::string deviceId = GetString();
262 deviceInfo.deviceId_= deviceId;
263 std::string deviceName = GetString();
264 deviceInfo.deviceName_ = deviceName;
265 info.deviceInfos_.push_back(deviceInfo);
266
267 std::vector<AVQueueItem> avQueueItems;
268 AVQueueItem avQueueItem;
269 avQueueItem.SetItemId(GetData<int32_t>());
270 avQueueItems.push_back(avQueueItem);
271
272 std::string title = GetString();
273 std::string commonCommand = GetString();
274
275 auto wantAgentPtr = std::make_shared<AbilityRuntime::WantAgent::WantAgent>();
276
277 AAFwk::WantParams wantParams;
278
279 auto keyEvent = MMI::KeyEvent::Create();
280 keyEvent->SetKeyCode(GetData<int32_t>());
281 MMI::KeyEvent::KeyItem keyItem;
282 keyItem.SetKeyCode(GetData<int32_t>());
283 keyEvent->AddKeyItem(keyItem);
284
285 sptr<AVControllerItem> avControllerItem = new(std::nothrow) AVControllerItem(pid, avSessionItem);
286 if (avControllerItem == nullptr) {
287 return;
288 }
289
290 avSessionItem->SetAVQueueItems(avQueueItems);
291 avSessionItem->GetAVQueueItems(avQueueItems);
292 avSessionItem->SetAVQueueTitle(title);
293 avSessionItem->GetAVQueueTitle(title);
294 avSessionItem->SetLaunchAbility(*wantAgentPtr);
295 avSessionItem->SetExtras(wantParams);
296 avSessionItem->GetExtras(wantParams);
297 avSessionItem->HandleMediaKeyEvent(*keyEvent);
298 avSessionItem->HandleOutputDeviceChange(state, info);
299 avSessionItem->HandleSkipToQueueItem(itemId);
300 avSessionItem->ExecueCommonCommand(commonCommand, wantParams);
301 avSessionItem->AddController(pid, avControllerItem);
302 avSessionItem->SetPid(pid);
303 avSessionItem->SetUid(uid);
304 avSessionItem->HandleControllerRelease(pid);
305
306 AvSessionItemTestCustomData(avSessionItem);
307 }
308
AvSessionCallItemTest(sptr<AVSessionItem> avSessionItem)309 void AvSessionCallItemTest(sptr<AVSessionItem> avSessionItem)
310 {
311 AVCallMetaData callMetaData;
312 int32_t numberDate = GetData<int32_t>();
313 std::string dataToS(std::to_string(numberDate));
314 std::string strCallMetaData(dataToS);
315 callMetaData.SetName(strCallMetaData);
316 callMetaData.SetPhoneNumber(strCallMetaData);
317
318 AVCallState avCallState;
319 int32_t callState = std::stoi(dataToS);
320 avCallState.SetAVCallState(callState);
321 bool mute = std::stoi(dataToS);
322 avCallState.SetAVCallMuted(mute);
323
324 avSessionItem->SetAVCallMetaData(callMetaData);
325 avSessionItem->SetAVCallState(avCallState);
326 }
327
AvSessionCallItemTestExtension(sptr<AVSessionItem> avSessionItem)328 void AvSessionCallItemTestExtension(sptr<AVSessionItem> avSessionItem)
329 {
330 string sinkDevice = GetString();
331 string event = GetString();
332
333 auto releaseAndStartCallback = [](AVSessionItem& item) {};
334 auto updateSessionCallback = [](string str, bool flag) {};
335
336 AAFwk::WantParams wantParams;
337
338 avSessionItem->GetSessionType();
339 avSessionItem->DestroyTask();
340 avSessionItem->GetDescriptor();
341 avSessionItem->GetAVCallState();
342 avSessionItem->GetAVCallMetaData();
343 avSessionItem->GetQueueItems();
344 avSessionItem->GetQueueTitle();
345 avSessionItem->GetExtras();
346 avSessionItem->GetLaunchAbility();
347 avSessionItem->GetBundleName();
348 avSessionItem->SetServiceCallbackForRelease(releaseAndStartCallback);
349 avSessionItem->SetServiceCallbackForCallStart(releaseAndStartCallback);
350 avSessionItem->SourceCancelCastAudio(sinkDevice);
351 avSessionItem->SinkCancelCastAudio();
352 avSessionItem->SetSessionEvent(event, wantParams);
353 avSessionItem->SetServiceCallbackForAVQueueInfo(releaseAndStartCallback);
354 avSessionItem->SetServiceCallbackForUpdateSession(updateSessionCallback);
355 }
356
AvSessionItemOnRemoteRequest()357 void AvSessionItemOnRemoteRequest()
358 {
359 auto avSessionItem = std::make_unique<AvSessionItemFuzzer>();
360 if (avSessionItem == nullptr) {
361 SLOGI("avSessionItem is null");
362 return;
363 }
364 avSessionItem->AvSessionItemFuzzerTest();
365 BundleStatusAdapter::ReleaseInstance();
366 }
367
368 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)369 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
370 {
371 if (size < MIN_SIZE_NUM) {
372 return 0;
373 }
374 /* Run your code on data */
375 FuzzTest(data, size);
376 return 0;
377 }
378 } // namespace AVSession
379 } // namespace OHOS
380