1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <iostream>
17 #include <cstddef>
18 #include <cstdint>
19 #include <cstring>
20 #include "audio_info.h"
21 #include "audio_policy_server.h"
22 #include "audio_policy_service.h"
23 #include "audio_device_info.h"
24 #include "audio_utils.h"
25 #include "accesstoken_kit.h"
26 #include "nativetoken_kit.h"
27 #include "token_setproc.h"
28 #include "access_token.h"
29 #include "audio_channel_blend.h"
30 #include "volume_ramp.h"
31 #include "audio_speed.h"
32
33 #include "audio_policy_utils.h"
34 #include "audio_stream_descriptor.h"
35 #include "audio_limiter_manager.h"
36 #include "dfx_msg_manager.h"
37
38 namespace OHOS {
39 namespace AudioStandard {
40 using namespace std;
41
42 static const uint8_t* RAW_DATA = nullptr;
43 static size_t g_dataSize = 0;
44 static size_t g_pos;
45 const size_t THRESHOLD = 10;
46 const uint8_t TESTSIZE = 15;
47 const int32_t COUNT = 100;
48 const int32_t NUM_2 = 2;
49
50 typedef void (*TestFuncs)();
51
52 template<class T>
GetData()53 T GetData()
54 {
55 T object {};
56 size_t objectSize = sizeof(object);
57 if (RAW_DATA == nullptr || objectSize > g_dataSize - g_pos) {
58 return object;
59 }
60 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_pos, objectSize);
61 if (ret != EOK) {
62 return {};
63 }
64 g_pos += objectSize;
65 return object;
66 }
67
68 template<class T>
GetArrLength(T & arr)69 uint32_t GetArrLength(T& arr)
70 {
71 if (arr == nullptr) {
72 AUDIO_INFO_LOG("%{public}s: The array length is equal to 0", __func__);
73 return 0;
74 }
75 return sizeof(arr) / sizeof(arr[0]);
76 }
77
78 const vector<DfxAppState> DfxAppStateVec = {
79 DFX_APP_STATE_UNKNOWN,
80 DFX_APP_STATE_START,
81 DFX_APP_STATE_FOREGROUND,
82 DFX_APP_STATE_BACKGROUND,
83 DFX_APP_STATE_END,
84 };
85
86 const vector<RendererStage> RendererStageVec = {
87 RENDERER_STAGE_UNKNOWN,
88 RENDERER_STAGE_START_OK,
89 RENDERER_STAGE_START_FAIL,
90 RENDERER_STAGE_PAUSE_OK,
91 RENDERER_STAGE_STOP_OK,
92 RENDERER_STAGE_STOP_BY_RELEASE,
93 RENDERER_STAGE_STANDBY_BEGIN,
94 RENDERER_STAGE_STANDBY_END,
95 RENDERER_STAGE_SET_VOLUME_ZERO,
96 RENDERER_STAGE_SET_VOLUME_NONZERO,
97 };
98
99 const vector<InterruptStage> InterruptStageVec = {
100 INTERRUPT_STAGE_START,
101 INTERRUPT_STAGE_RESTART,
102 INTERRUPT_STAGE_STOP,
103 INTERRUPT_STAGE_PAUSED,
104 INTERRUPT_STAGE_RESUMED,
105 INTERRUPT_STAGE_STOPPED,
106 INTERRUPT_STAGE_DUCK_BEGIN,
107 INTERRUPT_STAGE_DUCK_END,
108 INTERRUPT_STAGE_TIMEOUT,
109 };
110
SaveAppInfoFuzzTest()111 void SaveAppInfoFuzzTest()
112 {
113 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
114 DfxRunningAppInfo info;
115 info.appUid = 1;
116 dfxMsgManager.SaveAppInfo(info);
117 }
118
ProcessCheckFuzzTest()119 void ProcessCheckFuzzTest()
120 {
121 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
122 DfxMessage msg;
123 RenderDfxInfo renderInfo;
124 InterruptDfxInfo interruptInfo;
125 CapturerDfxInfo captureInfo;
126 msg.appUid = 1;
127
128 for (int i = 0; i < COUNT; i++) {
129 msg.renderInfo.push_back(renderInfo);
130 }
131 dfxMsgManager.ProcessCheck(msg);
132 msg.renderInfo.clear();
133
134 dfxMsgManager.isFull_ = GetData<uint32_t>() % NUM_2;
135 dfxMsgManager.ProcessCheck(msg);
136 }
137
ProcessFuzzTest()138 void ProcessFuzzTest()
139 {
140 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
141 DfxMessage msg;
142 msg.appUid = GetData<int32_t>();
143 dfxMsgManager.Process(msg);
144 }
145
ProcessInnerFuzzTest()146 void ProcessInnerFuzzTest()
147 {
148 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
149 uint32_t index = 0;
150 std::list<RenderDfxInfo> dfxInfo;
151 std::list<RenderDfxInfo> curDfxInfo;
152 RenderDfxInfo renderInfo;
153 dfxMsgManager.ProcessInner(index, dfxInfo, curDfxInfo);
154 for (int i = 0; i < COUNT; i++) {
155 dfxInfo.push_back(renderInfo);
156 }
157 dfxMsgManager.ProcessInner(index, dfxInfo, curDfxInfo);
158 }
159
EnqueueFuzzTest()160 void EnqueueFuzzTest()
161 {
162 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
163 DfxMessage msg;
164 dfxMsgManager.isFull_ = GetData<uint32_t>() % NUM_2;
165 dfxMsgManager.Enqueue(msg);
166 }
167
HandleToHiSysEventFuzzTest()168 void HandleToHiSysEventFuzzTest()
169 {
170 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
171 DfxMessage msg;
172 dfxMsgManager.reportedCnt_ = GetData<uint32_t>();
173 dfxMsgManager.reportQueue_.clear();
174 dfxMsgManager.HandleToHiSysEvent(msg);
175 }
176
GetAdapterNameBySessionIdFuzzTest()177 void GetAdapterNameBySessionIdFuzzTest()
178 {
179 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
180 DfxMessage msg;
181 RenderDfxInfo renderInfo;
182 std::unique_ptr<DfxReportResult> bean = std::make_unique<DfxReportResult>();
183 msg.appUid = 1;
184 dfxMsgManager.reportQueue_.clear();
185 for (int i = 0; i < COUNT; i++) {
186 msg.renderInfo.push_back(renderInfo);
187 }
188 dfxMsgManager.WriteRenderMsg(msg, bean);
189 }
190
WriteInterruptMsgFuzzTest()191 void WriteInterruptMsgFuzzTest()
192 {
193 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
194 DfxMessage msg;
195 InterruptDfxInfo interruptInfo;
196 std::unique_ptr<DfxReportResult> bean = std::make_unique<DfxReportResult>();
197 msg.appUid = 1;
198 for (int i = 0; i < COUNT; i++) {
199 msg.interruptInfo.push_back(interruptInfo);
200 }
201 dfxMsgManager.WriteInterruptMsg(msg, bean);
202 }
203
WritePlayAudioStatsEventFuzzTest()204 void WritePlayAudioStatsEventFuzzTest()
205 {
206 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
207 std::unique_ptr<DfxReportResult> result = nullptr;
208 dfxMsgManager.WritePlayAudioStatsEvent(result);
209 result = std::make_unique<DfxReportResult>();
210 dfxMsgManager.WritePlayAudioStatsEvent(result);
211 }
212
OnHandleFuzzTest()213 void OnHandleFuzzTest()
214 {
215 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
216 uint32_t code = 0;
217 int64_t data = 0;
218 dfxMsgManager.OnHandle(code, data);
219 code = GetData<uint32_t>();
220 dfxMsgManager.OnHandle(code, data);
221 }
222
CheckReportDfxMsgFuzzTest()223 void CheckReportDfxMsgFuzzTest()
224 {
225 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
226 DfxMessage msg;
227 msg.appUid = 1;
228 dfxMsgManager.InsertReportQueue(msg);
229 time_t now = std::chrono::system_clock::to_time_t(std::chrono::system_clock::now());
230 dfxMsgManager.lastReportTime_ = now;
231 dfxMsgManager.InsertReportQueue(msg);
232 dfxMsgManager.reportedCnt_ = GetData<uint32_t>();
233 dfxMsgManager.CheckReportDfxMsg();
234 }
235
IsMsgReadyFuzzTest()236 void IsMsgReadyFuzzTest()
237 {
238 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
239 DfxMessage msg;
240 RenderDfxInfo renderInfo;
241 InterruptDfxInfo interruptInfo;
242 CapturerDfxInfo captureInfo;
243 msg.appUid = 1;
244 for (int i = 0; i < COUNT; i++) {
245 msg.interruptInfo.push_back(interruptInfo);
246 }
247 for (int i = 0; i < COUNT; i++) {
248 msg.renderInfo.push_back(renderInfo);
249 }
250 dfxMsgManager.IsMsgReady(msg);
251 }
252
HandleThreadExitFuzzTest()253 void HandleThreadExitFuzzTest()
254 {
255 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
256 std::unique_ptr<DfxReportResult> result = std::make_unique<DfxReportResult>();
257 result->appName = "appName";
258 result->appVersion = "1.0";
259 result->summary = GetData<uint32_t>();
260 dfxMsgManager.LogDfxResult(result);
261 dfxMsgManager.HandleThreadExit();
262 }
263
WriteRunningAppMsgFuzzTest()264 void WriteRunningAppMsgFuzzTest()
265 {
266 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
267 DfxMessage msg;
268 std::unique_ptr<DfxReportResult> result = std::make_unique<DfxReportResult>();
269 DfxRunningAppInfo appinfo;
270 msg.appUid = 1;
271 appinfo.appUid = 1;
272 appinfo.appName = "appName";
273 appinfo.versionName = "1.0";
274 appinfo.appStateVec.push_back(1);
275 appinfo.appStateTimeStampVec.push_back(1);
276 dfxMsgManager.WriteRunningAppMsg(msg, result);
277 }
278
CheckCanAddAppInfoFuzzTest()279 void CheckCanAddAppInfoFuzzTest()
280 {
281 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
282 int32_t appUid = GetData<int32_t>();
283 dfxMsgManager.CheckCanAddAppInfo(appUid);
284 appUid = static_cast<int32_t>(getuid());
285 dfxMsgManager.CheckCanAddAppInfo(appUid);
286 }
287
UpdateAppStateFuzzTest()288 void UpdateAppStateFuzzTest()
289 {
290 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
291 int32_t appUid = 1;
292 uint32_t appStateCount = GetData<uint32_t>() % DfxAppStateVec.size();
293 DfxAppState appState = DfxAppStateVec[appStateCount];
294 bool forceUpdate = GetData<uint32_t>() % NUM_2;
295 DfxRunningAppInfo appinfo;
296 appinfo.appUid = 1;
297 appinfo.appName = "appName";
298 appinfo.versionName = "1.0";
299 appinfo.appStateVec.push_back(0);
300 appinfo.appStateTimeStampVec.push_back(1);
301 dfxMsgManager.appInfo_[appUid] = appinfo;
302 dfxMsgManager.UpdateAppState(appUid, appState, forceUpdate);
303 }
304
UpdateActionFuzzTest()305 void UpdateActionFuzzTest()
306 {
307 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
308 int32_t appUid = 1;
309 std::list<RenderDfxInfo> renderInfo;
310 RenderDfxInfo renderdfxInfo;
311
312 uint32_t fourthByteCount = GetData<uint32_t>() % RendererStageVec.size();
313 renderdfxInfo.rendererAction.fourthByte = RendererStageVec[fourthByteCount];
314 renderInfo.push_back(renderdfxInfo);
315 dfxMsgManager.UpdateAction(appUid, renderInfo);
316 }
317
GetDfxIndexByTypeFuzzTest()318 void GetDfxIndexByTypeFuzzTest()
319 {
320 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
321 int32_t appUid = 1;
322 int32_t typeCount = static_cast<int32_t>(DfxMsgIndexType::DFX_MSG_IDX_TYPE_INTERRUPT_EFFECT) + 1;
323 DfxMsgIndexType type = static_cast<DfxMsgIndexType>(GetData<uint8_t>() % typeCount);
324 dfxMsgManager.GetDfxIndexByType(appUid, type);
325 }
326
CheckIsInterruptedFuzzTest()327 void CheckIsInterruptedFuzzTest()
328 {
329 DfxMsgManager &dfxMsgManager = DfxMsgManager::GetInstance();
330 uint32_t interruptStageVecCount = GetData<uint32_t>() % InterruptStageVec.size();
331 InterruptStage stage = InterruptStageVec[interruptStageVecCount];
332 dfxMsgManager.CheckIsInterrupted(stage);
333 }
334
335 TestFuncs g_testFuncs[] = {
336 SaveAppInfoFuzzTest,
337 ProcessCheckFuzzTest,
338 ProcessFuzzTest,
339 ProcessInnerFuzzTest,
340 EnqueueFuzzTest,
341 HandleToHiSysEventFuzzTest,
342 GetAdapterNameBySessionIdFuzzTest,
343 WriteInterruptMsgFuzzTest,
344 WritePlayAudioStatsEventFuzzTest,
345 OnHandleFuzzTest,
346 CheckReportDfxMsgFuzzTest,
347 IsMsgReadyFuzzTest,
348 HandleThreadExitFuzzTest,
349 WriteRunningAppMsgFuzzTest,
350 CheckCanAddAppInfoFuzzTest,
351 UpdateAppStateFuzzTest,
352 UpdateActionFuzzTest,
353 GetDfxIndexByTypeFuzzTest,
354 CheckIsInterruptedFuzzTest,
355 };
356
FuzzTest(const uint8_t * rawData,size_t size)357 bool FuzzTest(const uint8_t* rawData, size_t size)
358 {
359 if (rawData == nullptr) {
360 return false;
361 }
362
363 // initialize data
364 RAW_DATA = rawData;
365 g_dataSize = size;
366 g_pos = 0;
367
368 uint32_t code = GetData<uint32_t>();
369 uint32_t len = GetArrLength(g_testFuncs);
370 if (len > 0) {
371 g_testFuncs[code % len]();
372 } else {
373 AUDIO_INFO_LOG("%{public}s: The len length is equal to 0", __func__);
374 }
375
376 return true;
377 }
378 } // namespace AudioStandard
379 } // namesapce OHOS
380
381 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)382 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
383 {
384 if (size < OHOS::AudioStandard::THRESHOLD) {
385 return 0;
386 }
387
388 OHOS::AudioStandard::FuzzTest(data, size);
389 return 0;
390 }
391