1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "migrateavsession_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <string>
21 #include <fuzzer/FuzzedDataProvider.h>
22
23 #include "avsession_errors.h"
24 #include "avsession_item.h"
25 #include "avsession_service.h"
26 #include "migrate_avsession_server.h"
27 #include "migrate_avsession_manager.h"
28 #include "system_ability_definition.h"
29 #include "securec.h"
30
31 namespace OHOS::AVSession {
32 static const int32_t MAX_CODE_LEN = 512;
33 static const int32_t MIN_SIZE_NUM = 4;
34 constexpr auto MIN_RANDOM_NUM = 2;
35
36 static const uint8_t *RAW_DATA = nullptr;
37 static size_t g_dataSize = 0;
38 static size_t g_pos;
39 static std::shared_ptr<MigrateAVSessionServer> migrateServer_;
40 AppExecFwk::ElementName elementName;
41 sptr<AVSessionItem> avsessionHere_ = nullptr;
42 static char g_testSessionTag[] = "test";
43 static char g_testAnotherBundleName[] = "testAnother.ohos.avsession";
44 static char g_testAnotherAbilityName[] = "testAnother.ability";
45
46 template<class T>
GetData()47 T GetData()
48 {
49 T object {};
50 size_t objectSize = sizeof(object);
51 if (RAW_DATA == nullptr || objectSize > g_dataSize - g_pos) {
52 return object;
53 }
54 if (g_pos >= g_dataSize) {
55 return object;
56 }
57 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_pos, objectSize);
58 if (ret != EOK) {
59 return {};
60 }
61 g_pos += objectSize;
62 return object;
63 }
64
GenerateString(size_t target_len)65 static std::string GenerateString(size_t target_len)
66 {
67 if (RAW_DATA == nullptr || target_len == 0) {
68 return "";
69 }
70 const size_t available_len = (g_dataSize > g_pos) ? (g_dataSize - g_pos) : 0;
71 const size_t copy_len = std::min(target_len, available_len);
72 if (copy_len == 0) {
73 return "";
74 }
75 std::vector<char> buffer(copy_len + 1, '\0');
76 errno_t ret = memcpy_s(buffer.data(), buffer.size(),
77 RAW_DATA + g_pos, copy_len);
78 if (ret != EOK) {
79 return "";
80 }
81 g_pos += copy_len;
82 return std::string(buffer.data());
83 }
84
ConnectProxyTest()85 void ConnectProxyTest()
86 {
87 int32_t sessionId = GetData<uint8_t>();
88 std::string scene = std::to_string(GetData<uint8_t>());
89 std::string deviceId = std::to_string(GetData<uint8_t>());
90
91 MigrateAVSessionManager::GetInstance().CreateLocalSessionStub(scene, migrateServer_);
92
93 migrateServer_->ConnectProxy(sessionId);
94 migrateServer_->OnConnectProxy(deviceId);
95 migrateServer_->OnConnectSession(sessionId);
96 migrateServer_->OnDisconnectProxy(deviceId);
97
98 AVSessionDescriptor descriptor;
99 descriptor.sessionId_ = std::to_string(GetData<uint8_t>());
100 descriptor.sessionType_ = GetData<uint8_t>();
101 descriptor.sessionTag_ = std::to_string(GetData<uint8_t>());
102 descriptor.elementName_.SetBundleName(std::to_string(GetData<uint8_t>()));
103
104 migrateServer_->OnSessionCreate(descriptor);
105 migrateServer_->OnSessionRelease(descriptor);
106 migrateServer_->OnTopSessionChange(descriptor);
107 int32_t uid = GetData<uint8_t>();
108 migrateServer_->OnAudioSessionChecked(uid);
109
110 migrateServer_->OnHistoricalRecordChange();
111 MigrateAVSessionManager::GetInstance().ReleaseLocalSessionStub(scene);
112 }
113
HandleFocusMetaDataChangeTest()114 void HandleFocusMetaDataChangeTest()
115 {
116 FuzzedDataProvider provider(RAW_DATA, g_dataSize);
117 std::string sessionId = std::to_string(GetData<uint8_t>());
118 AVMetaData data;
119 data.SetAVQueueName(std::to_string(GetData<uint8_t>()));
120 std::shared_ptr<AVSessionPixelMap> mediaImage = make_shared<AVSessionPixelMap>();
121 std::vector<uint8_t> imgBuffer;
122 constexpr int maxSize = 1024;
123 auto size = provider.ConsumeIntegralInRange(1, maxSize);
124 imgBuffer.resize(size);
125 for (size_t i = 0; i < imgBuffer.size(); ++i) {
126 imgBuffer[i] = GetData<uint8_t>();
127 }
128 mediaImage->SetInnerImgBuffer(imgBuffer);
129 data.SetMediaImage(mediaImage);
130 migrateServer_->HandleFocusMetaDataChange(sessionId, data);
131 }
132
OnMetaDataChangeTest()133 void OnMetaDataChangeTest()
134 {
135 constexpr int kMsPerSec = 1000;
136 AVMetaData meta;
137 auto randomNum = GetData<uint32_t>();
138 meta.SetAssetId(GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize));
139 meta.SetTitle("titile_" + std::to_string(GetData<uint8_t>()));
140 meta.SetArtist(GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize));
141 meta.SetAuthor(GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize));
142 meta.SetAlbum(GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize));
143 meta.SetComposer(GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize));
144 meta.SetDuration(GetData<uint8_t>() * kMsPerSec);
145 meta.SetPublishDate(GetData<double>());
146 meta.SetDisplayTags(GetData<int32_t>());
147 meta.SetSkipIntervals(GetData<int32_t>());
148
149 std::vector<std::string> drmSchemes;
150 drmSchemes.push_back("drm_" + to_string(GetData<uint32_t>()));
151 meta.SetDrmSchemes(drmSchemes);
152
153 std::string playerId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
154 migrateServer_->OnMetaDataChange(playerId, meta);
155
156 std::string sessionId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
157 migrateServer_->HandleFocusMetaDataChange(sessionId, meta);
158 bool binaryChoose = GetData<bool>();
159 if (binaryChoose) {
160 meta.metaMask_.set(AVMetaData::META_KEY_ARTIST);
161 } else {
162 meta.metaMask_.set(AVMetaData::META_KEY_SUBTITLE);
163 }
164 migrateServer_->DoMetaDataSyncToRemote(meta);
165 }
166
OnPlaybackStateChangedTest()167 void OnPlaybackStateChangedTest()
168 {
169 AVPlaybackState state;
170
171 std::vector<int32_t> playbackState {
172 AVPlaybackState::PLAYBACK_STATE_INITIAL,
173 AVPlaybackState::PLAYBACK_STATE_PREPARE,
174 AVPlaybackState::PLAYBACK_STATE_PLAY,
175 AVPlaybackState::PLAYBACK_STATE_PAUSE,
176 AVPlaybackState::PLAYBACK_STATE_FAST_FORWARD,
177 AVPlaybackState::PLAYBACK_STATE_REWIND,
178 AVPlaybackState::PLAYBACK_STATE_STOP,
179 AVPlaybackState::PLAYBACK_STATE_COMPLETED,
180 AVPlaybackState::PLAYBACK_STATE_RELEASED,
181 AVPlaybackState::PLAYBACK_STATE_ERROR,
182 AVPlaybackState::PLAYBACK_STATE_IDLE,
183 AVPlaybackState::PLAYBACK_STATE_BUFFERING,
184 AVPlaybackState::PLAYBACK_STATE_MAX
185 };
186 auto randomNum = GetData<uint32_t>();
187 state.SetState(playbackState[randomNum % playbackState.size()]);
188 state.SetSpeed(GetData<double>());
189 state.SetPosition(AVPlaybackState::Position{GetData<int64_t>(), GetData<int64_t>()});
190 state.SetBufferedTime(GetData<int64_t>());
191 state.SetLoopMode(GetData<int32_t>());
192 state.SetFavorite(GetData<bool>());
193 state.SetActiveItemId(GetData<int32_t>());
194 state.SetVolume(GetData<int32_t>());
195 state.SetMaxVolume(GetData<int32_t>());
196 state.SetMuted(GetData<bool>());
197 state.SetDuration(GetData<int32_t>());
198 state.SetVideoWidth(GetData<int32_t>());
199 state.SetVideoHeight(GetData<int32_t>());
200 state.SetExtras(std::make_shared<AAFwk::WantParams>());
201
202 std::string playerId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
203 migrateServer_->OnPlaybackStateChanged(playerId, state);
204
205 std::string sessionId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
206 migrateServer_->HandleFocusPlaybackStateChange(sessionId, state);
207 migrateServer_->DoPlaybackStateSyncToRemote(state);
208 }
209
StopObserveControllerChangedTest()210 void StopObserveControllerChangedTest()
211 {
212 auto randomNum = GetData<uint32_t>();
213 std::string deviceId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
214 migrateServer_->StopObserveControllerChanged(deviceId);
215 }
216
SendRemoteControllerListTest()217 void SendRemoteControllerListTest()
218 {
219 auto randomNum = GetData<uint32_t>();
220 std::string deviceId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
221 migrateServer_->SendRemoteControllerList(deviceId);
222 }
223
SendRemoteHistorySessionListTest()224 void SendRemoteHistorySessionListTest()
225 {
226 auto randomNum = GetData<uint32_t>();
227 std::string deviceId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
228 migrateServer_->SendRemoteHistorySessionList(deviceId);
229 }
230
ClearRemoteControllerListTest()231 void ClearRemoteControllerListTest()
232 {
233 auto randomNum = GetData<uint32_t>();
234 std::string deviceId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
235 migrateServer_->ClearRemoteControllerList(deviceId);
236 }
237
ClearRemoteHistorySessionListTest()238 void ClearRemoteHistorySessionListTest()
239 {
240 auto randomNum = GetData<uint32_t>();
241 std::string deviceId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
242 migrateServer_->ClearRemoteHistorySessionList(deviceId);
243 }
244
ResetSupportCrossMediaPlayTest()245 void ResetSupportCrossMediaPlayTest()
246 {
247 auto randomNum = GetData<uint32_t>();
248 std::string extraInfo = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
249 migrateServer_->ResetSupportCrossMediaPlay(extraInfo);
250 }
251
252 //migrate_avsession_server_for_next.cpp
LocalFrontSessionArriveTest()253 void LocalFrontSessionArriveTest()
254 {
255 auto randomNum = GetData<uint32_t>();
256 std::string sessionId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
257 migrateServer_->LocalFrontSessionArrive(sessionId);
258 }
259
LocalFrontSessionChangeTest()260 void LocalFrontSessionChangeTest()
261 {
262 auto randomNum = GetData<uint32_t>();
263 std::string sessionId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
264 migrateServer_->LocalFrontSessionChange(sessionId);
265 }
266
LocalFrontSessionLeaveTest()267 void LocalFrontSessionLeaveTest()
268 {
269 auto randomNum = GetData<uint32_t>();
270 std::string sessionId = GenerateString(static_cast<uint32_t> (randomNum) % g_dataSize);
271 migrateServer_->LocalFrontSessionLeave(sessionId);
272 }
273
DoMediaImageSyncToRemoteTest()274 void DoMediaImageSyncToRemoteTest()
275 {
276 FuzzedDataProvider provider(RAW_DATA, g_dataSize);
277 std::shared_ptr<AVSessionPixelMap> innerPixelMap = std::make_shared<AVSessionPixelMap>();
278 if (innerPixelMap == nullptr) {
279 SLOGI("innerPixelMap is null");
280 return;
281 }
282
283 constexpr size_t maxSize = 1024 * 1024; // 1MB
284 auto imgSize = provider.ConsumeIntegralInRange<size_t>(1, maxSize);
285 std::vector<uint8_t> imgBuffer(imgSize);
286 for (size_t i = 0; i < imgBuffer.size(); ++i) {
287 imgBuffer[i] = provider.ConsumeIntegral<uint8_t>();
288 }
289 innerPixelMap->SetInnerImgBuffer(imgBuffer);
290 migrateServer_->DoMediaImageSyncToRemote(innerPixelMap);
291 }
292
DoValidCommandsSyncToRemoteTest()293 void DoValidCommandsSyncToRemoteTest()
294 {
295 std::vector<int32_t> commands;
296 commands.push_back(GetData<int32_t>());
297 commands.push_back(GetData<int32_t>());
298 commands.push_back(GetData<int32_t>());
299
300 migrateServer_->DoValidCommandsSyncToRemote(commands);
301 }
302
OnBytesReceivedTest()303 void OnBytesReceivedTest()
304 {
305 auto randomNum = GetData<uint32_t>();
306 randomNum = (randomNum < MIN_RANDOM_NUM) ? MIN_RANDOM_NUM : randomNum;
307 std::string deviceId = GenerateString(randomNum % g_dataSize);
308 std::string data = GenerateString(randomNum % g_dataSize);
309 std::vector<int32_t> commands {
310 SYNC_CONTROLLER_LIST,
311 SYNC_CONTROLLER_LIST,
312 SYNC_COMMAND,
313 SYNC_HEARTBEAT,
314 COLD_START
315 };
316 data[1] = commands[static_cast<uint32_t> (randomNum) % commands.size()];
317 migrateServer_->OnBytesReceived(deviceId, data);
318 }
319
ProcFromNextTest()320 void ProcFromNextTest()
321 {
322 FuzzedDataProvider provider(RAW_DATA, g_dataSize);
323
324 std::string deviceId = to_string(provider.ConsumeIntegral<uint32_t>());
325 std::string data = provider.ConsumeRandomLengthString();
326 if (data.length() < MIN_SIZE_NUM) {
327 return;
328 }
329 std::vector<int32_t> messageType {
330 SYNC_COMMAND,
331 SYNC_SET_VOLUME_COMMAND,
332 SYNC_SWITCH_AUDIO_DEVICE_COMMAND,
333 COLD_START,
334 SYNC_MEDIA_CONTROL_NEED_STATE,
335 provider.ConsumeIntegral<int32_t>()
336 };
337 data[1] = messageType[provider.ConsumeIntegral<uint32_t>() % messageType.size()];
338 migrateServer_->ProcFromNext(deviceId, data);
339 }
340
ProcControlCommandFromNextTest()341 void ProcControlCommandFromNextTest()
342 {
343 FuzzedDataProvider provider(RAW_DATA, g_dataSize);
344 cJSON* json = cJSON_CreateObject();
345 cJSON_AddNumberToObject(json, "CommandCode", provider.ConsumeIntegral<int32_t>());
346 cJSON_AddStringToObject(json, "CommandArgs", "test_arg");
347 migrateServer_->ProcControlCommandFromNext(json);
348 cJSON_Delete(json);
349 }
350
ProcessColdStartFromNextTest()351 void ProcessColdStartFromNextTest()
352 {
353 cJSON* json = cJSON_CreateObject();
354 cJSON_AddStringToObject(json, "BundleName", "test_bundleName");
355 migrateServer_->ProcessColdStartFromNext(json);
356 cJSON_Delete(json);
357 }
358
ProcessMediaControlNeedStateFromNextTest()359 void ProcessMediaControlNeedStateFromNextTest()
360 {
361 cJSON* json = cJSON_CreateObject();
362 cJSON_AddStringToObject(json, "NeedState", "test_needState");
363 migrateServer_->ProcessMediaControlNeedStateFromNext(json);
364 cJSON_Delete(json);
365 }
366
ConvertAudioDeviceDescriptorsToJsonTest()367 void ConvertAudioDeviceDescriptorsToJsonTest()
368 {
369 FuzzedDataProvider provider(RAW_DATA, g_dataSize);
370 AudioDeviceDescriptors devices;
371 AudioDeviceDescriptorWithSptr device = std::make_shared<AudioDeviceDescriptor>();
372 device->deviceType_ = static_cast<AudioStandard::DeviceType>(provider.ConsumeIntegralInRange<int>(0,
373 AudioStandard::DeviceType::DEVICE_TYPE_USB_ARM_HEADSET));
374 device->macAddress_ = provider.ConsumeRandomLengthString();
375 device->networkId_ = provider.ConsumeRandomLengthString();
376 device->deviceRole_ = static_cast<AudioStandard::DeviceRole>(provider.ConsumeIntegralInRange<int>(
377 AudioStandard::DeviceRole::INPUT_DEVICE,
378 AudioStandard::DeviceRole::OUTPUT_DEVICE));
379 device->deviceName_ = provider.ConsumeRandomLengthString();
380 device->deviceCategory_ = static_cast<AudioStandard::DeviceCategory>(provider.ConsumeIntegralInRange<int>(
381 AudioStandard::DeviceCategory::CATEGORY_DEFAULT,
382 AudioStandard::DeviceCategory::BT_UNWEAR_HEADPHONE));
383 devices.push_back(device);
384
385 MigrateAVSessionServer::ConvertAudioDeviceDescriptorsToJson(devices);
386 }
387
VolumeControlCommandTest()388 void VolumeControlCommandTest()
389 {
390 FuzzedDataProvider provider(RAW_DATA, g_dataSize);
391 cJSON* json = cJSON_CreateObject();
392 cJSON_AddNumberToObject(json, "AudioVolume", provider.ConsumeIntegral<uint32_t>());
393 migrateServer_->VolumeControlCommand(json);
394 cJSON_Delete(json);
395 }
396
SwitchAudioDeviceCommandTest()397 void SwitchAudioDeviceCommandTest()
398 {
399 cJSON* json = cJSON_CreateObject();
400 cJSON_AddNumberToObject(json, "AudioDeviceCategory", AudioStandard::DeviceCategory::CATEGORY_DEFAULT);
401 cJSON_AddNumberToObject(json, "AudioDeviceType", AudioStandard::DeviceType::DEVICE_TYPE_USB_ARM_HEADSET);
402 cJSON_AddNumberToObject(json, "AudioDeviceRole", AudioStandard::DeviceRole::OUTPUT_DEVICE);
403 cJSON_AddStringToObject(json, "AudioNetworkId", "test_network_id");
404 cJSON_AddStringToObject(json, "AudioDeviceName", "test_device_name");
405 cJSON_AddStringToObject(json, "AudioMacAddress", "test_mac_address");
406 migrateServer_->SwitchAudioDeviceCommand(json);
407 cJSON_Delete(json);
408 }
409
RegisterAudioCallbackAndTriggerTest()410 void RegisterAudioCallbackAndTriggerTest()
411 {
412 migrateServer_->RegisterAudioCallbackAndTrigger();
413 migrateServer_->UnregisterAudioCallback();
414
415 migrateServer_->DoPostTasksClear();
416 }
417
UpdateFrontSessionInfoToRemoteTest(sptr<AVSessionService> service)418 void UpdateFrontSessionInfoToRemoteTest(sptr<AVSessionService> service)
419 {
420 FuzzedDataProvider provider(RAW_DATA, g_dataSize);
421 service->AddAvQueueInfoToFile(*avsessionHere_);
422 sptr<IRemoteObject> avControllerItemObj;
423 std::string sessionId = provider.ConsumeRandomLengthString();
424 uint32_t ret = service->CreateControllerInner(avsessionHere_->GetSessionId(), avControllerItemObj);
425 if (ret != AVSESSION_SUCCESS) {
426 return;
427 }
428 sptr<AVControllerItem> controller = (sptr<AVControllerItem>&)avControllerItemObj;
429 if (!controller) {
430 return;
431 }
432 migrateServer_->UpdateFrontSessionInfoToRemote(controller);
433 migrateServer_->DoBundleInfoSyncToRemote(controller);
434 }
435
HandleFocusValidCommandChangeTest()436 void HandleFocusValidCommandChangeTest()
437 {
438 FuzzedDataProvider provider(RAW_DATA, g_dataSize);
439 std::string sessionId = provider.ConsumeRandomLengthString();
440 std::vector<int32_t> cmds;
441 cmds.push_back(provider.ConsumeIntegral<int32_t>());
442 migrateServer_->HandleFocusValidCommandChange(sessionId, cmds);
443 }
444
TestFunc()445 void TestFunc()
446 {
447 ConnectProxyTest();
448 HandleFocusMetaDataChangeTest();
449 OnMetaDataChangeTest();
450 OnPlaybackStateChangedTest();
451 SendRemoteControllerListTest();
452 SendRemoteHistorySessionListTest();
453 ClearRemoteControllerListTest();
454 ClearRemoteHistorySessionListTest();
455 ResetSupportCrossMediaPlayTest();
456 LocalFrontSessionArriveTest();
457 LocalFrontSessionChangeTest();
458 LocalFrontSessionLeaveTest();
459 DoMediaImageSyncToRemoteTest();
460 DoValidCommandsSyncToRemoteTest();
461 OnBytesReceivedTest();
462 ProcFromNextTest();
463 ProcControlCommandFromNextTest();
464 ProcessColdStartFromNextTest();
465 ProcessMediaControlNeedStateFromNextTest();
466 ConvertAudioDeviceDescriptorsToJsonTest();
467 VolumeControlCommandTest();
468 SwitchAudioDeviceCommandTest();
469 RegisterAudioCallbackAndTriggerTest();
470 }
471
MigrateAVSessionFuzzerTest(const uint8_t * rawData,size_t size)472 void MigrateAVSessionFuzzerTest(const uint8_t* rawData, size_t size)
473 {
474 if (rawData == nullptr || size > MAX_CODE_LEN) {
475 return;
476 }
477 RAW_DATA = rawData;
478 g_dataSize = size;
479 g_pos = 0;
480 if(migrateServer_ == nullptr) {
481 migrateServer_ = std::make_shared<MigrateAVSessionServer>();
482 }
483 if (migrateServer_ == nullptr) {
484 return;
485 }
486 sptr<AVSessionService> avservice_ = new AVSessionService(OHOS::AVSESSION_SERVICE_ID);
487 if (!avservice_) {
488 return;
489 }
490 elementName.SetBundleName(g_testAnotherBundleName);
491 elementName.SetAbilityName(g_testAnotherAbilityName);
492 if (avsessionHere_ == nullptr) {
493 avsessionHere_ = avservice_->CreateSessionInner(g_testSessionTag,
494 AVSession::SESSION_TYPE_AUDIO, false, elementName);
495 }
496 if (avsessionHere_ == nullptr) {
497 return;
498 }
499 migrateServer_->Init(avservice_);
500 TestFunc();
501 UpdateFrontSessionInfoToRemoteTest(avservice_);
502 avservice_->OnStop();
503 SLOGI("MigrateAVSessionFuzzerTest done");
504 }
505
506 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)507 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
508 {
509 if (size < MIN_SIZE_NUM) {
510 return 0;
511 }
512
513 /* Run your code on data */
514 MigrateAVSessionFuzzerTest(data, size);
515 return 0;
516 }
517 } // namespace OHOS::AVSession
518