1 /******************************************************************************
2 *
3 * Copyright (C) 2021 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18 #include <stdint.h>
19 #include <sys/wait.h>
20 #include <unistd.h>
21 #include <algorithm>
22 #include <memory>
23 #include <string>
24 #include <utility>
25 #include <vector>
26
27 #include <Serializer.h>
28 #include <android-base/file.h>
29 #include <android/content/AttributionSourceState.h>
30 #include <libxml/parser.h>
31 #include <libxml/xinclude.h>
32 #include <media/AudioPolicy.h>
33 #include <media/AudioProfile.h>
34 #include <media/PatchBuilder.h>
35 #include <media/RecordingActivityTracker.h>
36
37 #include <AudioPolicyInterface.h>
38 #include <android_audio_policy_configuration_V7_0-enums.h>
39 #include <fuzzer/FuzzedDataProvider.h>
40 #include <tests/AudioPolicyManagerTestClient.h>
41 #include <tests/AudioPolicyTestClient.h>
42 #include <tests/AudioPolicyTestManager.h>
43 #include <xsdc/XsdcSupport.h>
44
45 using namespace android;
46
47 namespace xsd {
48 using namespace ::android::audio::policy::configuration::V7_0;
49 }
50
51 using content::AttributionSourceState;
52
__anon6238bcf20102null53 static const std::vector<audio_format_t> kAudioFormats = [] {
54 std::vector<audio_format_t> result;
55 for (const auto enumVal : xsdc_enum_range<xsd::AudioFormat>{}) {
56 audio_format_t audioFormatHal;
57 std::string audioFormat = toString(enumVal);
58 if (audio_format_from_string(audioFormat.c_str(), &audioFormatHal)) {
59 result.push_back(audioFormatHal);
60 }
61 }
62 return result;
63 }();
64
__anon6238bcf20202null65 static const std::vector<audio_channel_mask_t> kAudioChannelOutMasks = [] {
66 std::vector<audio_channel_mask_t> result;
67 for (const auto enumVal : xsdc_enum_range<xsd::AudioChannelMask>{}) {
68 audio_channel_mask_t audioChannelMaskHal;
69 std::string audioChannelMask = toString(enumVal);
70 if (enumVal != xsd::AudioChannelMask::AUDIO_CHANNEL_NONE &&
71 audioChannelMask.find("_IN_") == std::string::npos &&
72 audio_channel_mask_from_string(audioChannelMask.c_str(), &audioChannelMaskHal)) {
73 result.push_back(audioChannelMaskHal);
74 }
75 }
76 return result;
77 }();
78
__anon6238bcf20302null79 static const std::vector<audio_channel_mask_t> kAudioChannelInMasks = [] {
80 std::vector<audio_channel_mask_t> result;
81 for (const auto enumVal : xsdc_enum_range<xsd::AudioChannelMask>{}) {
82 audio_channel_mask_t audioChannelMaskHal;
83 std::string audioChannelMask = toString(enumVal);
84 if (enumVal != xsd::AudioChannelMask::AUDIO_CHANNEL_NONE &&
85 audioChannelMask.find("_OUT_") == std::string::npos &&
86 audio_channel_mask_from_string(audioChannelMask.c_str(), &audioChannelMaskHal)) {
87 result.push_back(audioChannelMaskHal);
88 }
89 }
90 return result;
91 }();
92
__anon6238bcf20402null93 static const std::vector<audio_output_flags_t> kAudioOutputFlags = [] {
94 std::vector<audio_output_flags_t> result;
95 for (const auto enumVal : xsdc_enum_range<xsd::AudioInOutFlag>{}) {
96 audio_output_flags_t audioOutputFlagHal;
97 std::string audioOutputFlag = toString(enumVal);
98 if (audioOutputFlag.find("_OUTPUT_") != std::string::npos &&
99 audio_output_flag_from_string(audioOutputFlag.c_str(), &audioOutputFlagHal)) {
100 result.push_back(audioOutputFlagHal);
101 }
102 }
103 return result;
104 }();
105
__anon6238bcf20502null106 static const std::vector<audio_devices_t> kAudioDevices = [] {
107 std::vector<audio_devices_t> result;
108 for (const auto enumVal : xsdc_enum_range<xsd::AudioDevice>{}) {
109 audio_devices_t audioDeviceHal;
110 std::string audioDevice = toString(enumVal);
111 if (audio_device_from_string(audioDevice.c_str(), &audioDeviceHal)) {
112 result.push_back(audioDeviceHal);
113 }
114 }
115 return result;
116 }();
117
__anon6238bcf20602null118 static const std::vector<audio_usage_t> kAudioUsages = [] {
119 std::vector<audio_usage_t> result;
120 for (const auto enumVal : xsdc_enum_range<xsd::AudioUsage>{}) {
121 audio_usage_t audioUsageHal;
122 std::string audioUsage = toString(enumVal);
123 if (audio_usage_from_string(audioUsage.c_str(), &audioUsageHal)) {
124 result.push_back(audioUsageHal);
125 }
126 }
127 return result;
128 }();
129
130 /**
131 * AudioSource - AUDIO_SOURCE_VOICE_COMMUNICATION and AUDIO_SOURCE_HOTWORD
132 * are excluded from kAudioSources[] in order to avoid the abort triggered
133 * for these two types of AudioSource in Engine::getDeviceForInputSource()
134 */
__anon6238bcf20702null135 static const std::vector<audio_source_t> kAudioSources = [] {
136 std::vector<audio_source_t> result;
137 for (const auto enumVal : xsdc_enum_range<xsd::AudioSource>{}) {
138 audio_source_t audioSourceHal;
139 std::string audioSource = toString(enumVal);
140 if (enumVal != xsd::AudioSource::AUDIO_SOURCE_VOICE_COMMUNICATION &&
141 enumVal != xsd::AudioSource::AUDIO_SOURCE_HOTWORD &&
142 audio_source_from_string(audioSource.c_str(), &audioSourceHal)) {
143 result.push_back(audioSourceHal);
144 }
145 }
146 return result;
147 }();
148
__anon6238bcf20802null149 static const std::vector<audio_content_type_t> kAudioContentTypes = [] {
150 std::vector<audio_content_type_t> result;
151 for (const auto enumVal : xsdc_enum_range<xsd::AudioContentType>{}) {
152 audio_content_type_t audioContentTypeHal;
153 std::string audioContentType = toString(enumVal);
154 if (audio_content_type_from_string(audioContentType.c_str(), &audioContentTypeHal)) {
155 result.push_back(audioContentTypeHal);
156 }
157 }
158 return result;
159 }();
160
161 std::vector<int> kMixTypes = {MIX_TYPE_PLAYERS, MIX_TYPE_RECORDERS};
162
163 std::vector<int> kMixRouteFlags = {MIX_ROUTE_FLAG_RENDER, MIX_ROUTE_FLAG_LOOP_BACK,
164 MIX_ROUTE_FLAG_LOOP_BACK_AND_RENDER, MIX_ROUTE_FLAG_ALL};
165
166 std::vector<audio_flags_mask_t> kAudioFlagMasks = {
167 AUDIO_FLAG_NONE, AUDIO_FLAG_AUDIBILITY_ENFORCED,
168 AUDIO_FLAG_SECURE, AUDIO_FLAG_SCO,
169 AUDIO_FLAG_BEACON, AUDIO_FLAG_HW_AV_SYNC,
170 AUDIO_FLAG_HW_HOTWORD, AUDIO_FLAG_BYPASS_INTERRUPTION_POLICY,
171 AUDIO_FLAG_BYPASS_MUTE, AUDIO_FLAG_LOW_LATENCY,
172 AUDIO_FLAG_DEEP_BUFFER, AUDIO_FLAG_NO_MEDIA_PROJECTION,
173 AUDIO_FLAG_MUTE_HAPTIC, AUDIO_FLAG_NO_SYSTEM_CAPTURE,
174 AUDIO_FLAG_CAPTURE_PRIVATE, AUDIO_FLAG_CONTENT_SPATIALIZED,
175 AUDIO_FLAG_NEVER_SPATIALIZE,
176 };
177
178 std::vector<audio_policy_dev_state_t> kAudioPolicyDeviceStates = {
179 AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE,
180 AUDIO_POLICY_DEVICE_STATE_AVAILABLE,
181 AUDIO_POLICY_DEVICE_STATE_CNT,
182 };
183
184 std::vector<uint32_t> kSamplingRates = {8000, 16000, 44100, 48000, 88200, 96000};
185
186 template <typename T>
getValueFromVector(FuzzedDataProvider * fdp,std::vector<T> arr)187 T getValueFromVector(FuzzedDataProvider *fdp, std::vector<T> arr) {
188 if (fdp->ConsumeBool()) {
189 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, arr.size() - 1)];
190 } else {
191 return (T)fdp->ConsumeIntegral<uint32_t>();
192 }
193 }
194
195 class AudioPolicyManagerFuzzer {
196 public:
197 explicit AudioPolicyManagerFuzzer(FuzzedDataProvider *fdp);
198 virtual ~AudioPolicyManagerFuzzer() = default;
199 virtual bool initialize();
200 virtual void SetUpManagerConfig();
201 bool getOutputForAttr(audio_port_handle_t *selectedDeviceId, audio_format_t format,
202 audio_channel_mask_t channelMask, int sampleRate,
203 audio_output_flags_t flags = AUDIO_OUTPUT_FLAG_NONE,
204 audio_io_handle_t *output = nullptr,
205 audio_port_handle_t *portId = nullptr, audio_attributes_t attr = {});
206 bool getInputForAttr(const audio_attributes_t &attr, audio_unique_id_t riid,
207 audio_port_handle_t *selectedDeviceId, audio_format_t format,
208 audio_channel_mask_t channelMask, int sampleRate,
209 audio_input_flags_t flags = AUDIO_INPUT_FLAG_NONE,
210 audio_port_handle_t *portId = nullptr);
211 bool findDevicePort(audio_port_role_t role, audio_devices_t deviceType,
212 const std::string &address, audio_port_v7 *foundPort);
213 static audio_port_handle_t getDeviceIdFromPatch(const struct audio_patch *patch);
214 audio_patch createFuzzedPatch();
215 void fuzzPatchCreation();
216 virtual void process();
217
218 protected:
219 std::unique_ptr<AudioPolicyManagerTestClient> mClient{new AudioPolicyManagerTestClient};
220 std::unique_ptr<AudioPolicyTestManager> mManager{new AudioPolicyTestManager(mClient.get())};
221 FuzzedDataProvider *mFdp;
222 };
223
AudioPolicyManagerFuzzer(FuzzedDataProvider * fdp)224 AudioPolicyManagerFuzzer::AudioPolicyManagerFuzzer(FuzzedDataProvider *fdp)
225 : mFdp(fdp) {}
226
initialize()227 bool AudioPolicyManagerFuzzer::initialize() {
228 if (mFdp->remaining_bytes() < 1) {
229 return false;
230 }
231 // init code
232 SetUpManagerConfig();
233
234 if (mManager->initialize() != NO_ERROR) {
235 return false;
236 }
237 if (mManager->initCheck() != NO_ERROR) {
238 return false;
239 }
240 return true;
241 }
242
SetUpManagerConfig()243 void AudioPolicyManagerFuzzer::SetUpManagerConfig() { mManager->getConfig().setDefault(); }
244
getOutputForAttr(audio_port_handle_t * selectedDeviceId,audio_format_t format,audio_channel_mask_t channelMask,int sampleRate,audio_output_flags_t flags,audio_io_handle_t * output,audio_port_handle_t * portId,audio_attributes_t attr)245 bool AudioPolicyManagerFuzzer::getOutputForAttr(
246 audio_port_handle_t *selectedDeviceId, audio_format_t format, audio_channel_mask_t channelMask,
247 int sampleRate, audio_output_flags_t flags, audio_io_handle_t *output,
248 audio_port_handle_t *portId, audio_attributes_t attr) {
249 audio_io_handle_t localOutput;
250 if (!output) output = &localOutput;
251 *output = AUDIO_IO_HANDLE_NONE;
252 audio_stream_type_t stream = AUDIO_STREAM_DEFAULT;
253 audio_config_t config = AUDIO_CONFIG_INITIALIZER;
254 config.sample_rate = sampleRate;
255 config.channel_mask = channelMask;
256 config.format = format;
257 audio_port_handle_t localPortId;
258 if (!portId) portId = &localPortId;
259 *portId = AUDIO_PORT_HANDLE_NONE;
260 AudioPolicyInterface::output_type_t outputType;
261 bool isSpatialized;
262
263 // TODO b/182392769: use attribution source util
264 AttributionSourceState attributionSource;
265 attributionSource.uid = 0;
266 attributionSource.token = sp<BBinder>::make();
267 if (mManager->getOutputForAttr(&attr, output, AUDIO_SESSION_NONE, &stream, attributionSource,
268 &config, &flags, selectedDeviceId, portId, {}, &outputType, &isSpatialized) != OK) {
269 return false;
270 }
271 if (*output == AUDIO_IO_HANDLE_NONE || *portId == AUDIO_PORT_HANDLE_NONE) {
272 return false;
273 }
274 return true;
275 }
276
getInputForAttr(const audio_attributes_t & attr,audio_unique_id_t riid,audio_port_handle_t * selectedDeviceId,audio_format_t format,audio_channel_mask_t channelMask,int sampleRate,audio_input_flags_t flags,audio_port_handle_t * portId)277 bool AudioPolicyManagerFuzzer::getInputForAttr(
278 const audio_attributes_t &attr, audio_unique_id_t riid, audio_port_handle_t *selectedDeviceId,
279 audio_format_t format, audio_channel_mask_t channelMask, int sampleRate,
280 audio_input_flags_t flags, audio_port_handle_t *portId) {
281 audio_io_handle_t input = AUDIO_IO_HANDLE_NONE;
282 audio_config_base_t config = AUDIO_CONFIG_BASE_INITIALIZER;
283 config.sample_rate = sampleRate;
284 config.channel_mask = channelMask;
285 config.format = format;
286 audio_port_handle_t localPortId;
287 if (!portId) portId = &localPortId;
288 *portId = AUDIO_PORT_HANDLE_NONE;
289 AudioPolicyInterface::input_type_t inputType;
290
291 AttributionSourceState attributionSource;
292 attributionSource.uid = 0;
293 attributionSource.token = sp<BBinder>::make();
294 if (mManager->getInputForAttr(&attr, &input, riid, AUDIO_SESSION_NONE, attributionSource,
295 &config, flags, selectedDeviceId, &inputType, portId) != OK) {
296 return false;
297 }
298 if (*portId == AUDIO_PORT_HANDLE_NONE || input == AUDIO_IO_HANDLE_NONE) {
299 return false;
300 }
301 return true;
302 }
303
findDevicePort(audio_port_role_t role,audio_devices_t deviceType,const std::string & address,audio_port_v7 * foundPort)304 bool AudioPolicyManagerFuzzer::findDevicePort(audio_port_role_t role, audio_devices_t deviceType,
305 const std::string &address,
306 audio_port_v7 *foundPort) {
307 uint32_t numPorts = 0;
308 uint32_t generation1;
309 status_t ret;
310
311 ret = mManager->listAudioPorts(role, AUDIO_PORT_TYPE_DEVICE, &numPorts, nullptr, &generation1);
312 if (ret != NO_ERROR) {
313 return false;
314 }
315
316 uint32_t generation2;
317 struct audio_port_v7 ports[numPorts];
318 ret = mManager->listAudioPorts(role, AUDIO_PORT_TYPE_DEVICE, &numPorts, ports, &generation2);
319 if (ret != NO_ERROR) {
320 return false;
321 }
322
323 for (const auto &port : ports) {
324 if (port.role == role && port.ext.device.type == deviceType &&
325 (strncmp(port.ext.device.address, address.c_str(), AUDIO_DEVICE_MAX_ADDRESS_LEN) ==
326 0)) {
327 if (foundPort) *foundPort = port;
328 return true;
329 }
330 }
331 return false;
332 }
333
getDeviceIdFromPatch(const struct audio_patch * patch)334 audio_port_handle_t AudioPolicyManagerFuzzer::getDeviceIdFromPatch(
335 const struct audio_patch *patch) {
336 if (patch->num_sources != 0 && patch->num_sinks != 0) {
337 if (patch->sources[0].type == AUDIO_PORT_TYPE_MIX) {
338 return patch->sinks[0].id;
339 } else {
340 return patch->sources[0].id;
341 }
342 }
343 return AUDIO_PORT_HANDLE_NONE;
344 }
345
createFuzzedPatch()346 audio_patch AudioPolicyManagerFuzzer::createFuzzedPatch() {
347 audio_patch patch{};
348 patch.id = mFdp->ConsumeIntegral<uint32_t>();
349 patch.num_sources = mFdp->ConsumeIntegralInRange(0, AUDIO_PATCH_PORTS_MAX);
350 for (int i = 0; i < patch.num_sources; ++i) {
351 audio_port_config config{};
352 std::vector<uint8_t> bytes = mFdp->ConsumeBytes<uint8_t>(sizeof(config));
353 memcpy(reinterpret_cast<uint8_t *>(&config), &bytes[0], bytes.size());
354 patch.sources[i] = config;
355 }
356 patch.num_sinks = mFdp->ConsumeIntegralInRange(0, AUDIO_PATCH_PORTS_MAX);
357 for (int i = 0; i < patch.num_sinks; ++i) {
358 audio_port_config config{};
359 std::vector<uint8_t> bytes = mFdp->ConsumeBytes<uint8_t>(sizeof(config));
360 memcpy(reinterpret_cast<uint8_t *>(&config), &bytes[0], bytes.size());
361 patch.sinks[i] = config;
362 }
363 return patch;
364 }
365
fuzzPatchCreation()366 void AudioPolicyManagerFuzzer::fuzzPatchCreation() {
367 if (mFdp->remaining_bytes()) {
368 audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE;
369 uid_t uid = mFdp->ConsumeIntegral<uint32_t>();
370
371 // create a fuzzed patch
372 handle = AUDIO_PATCH_HANDLE_NONE;
373 audio_patch patch = createFuzzedPatch();
374 uid = mFdp->ConsumeIntegral<uint32_t>();
375 if (mManager->createAudioPatch(&patch, &handle, uid) == NO_ERROR) {
376 mManager->releaseAudioPatch(handle, uid);
377 }
378 }
379 }
380
process()381 void AudioPolicyManagerFuzzer::process() {
382 if (initialize()) {
383 fuzzPatchCreation();
384 }
385 }
386
387 class AudioPolicyManagerFuzzerWithConfigurationFile : public AudioPolicyManagerFuzzer {
388 public:
AudioPolicyManagerFuzzerWithConfigurationFile(FuzzedDataProvider * fdp)389 explicit AudioPolicyManagerFuzzerWithConfigurationFile(FuzzedDataProvider *fdp)
390 : AudioPolicyManagerFuzzer(fdp){};
391
392 protected:
393 void SetUpManagerConfig() override;
394 virtual std::string getConfigFile();
395 void traverseAndFuzzXML(xmlDocPtr pDoc, xmlNodePtr curr);
396 std::string fuzzXML(std::string xmlPath);
397
398 static inline const std::string sExecutableDir = base::GetExecutableDirectory() + "/";
399 static inline const std::string sDefaultConfig =
400 sExecutableDir + "data/test_audio_policy_configuration.xml";
401 static inline const std::string sFuzzedConfig = sExecutableDir + "fuzzed.xml";;
402 };
403
getConfigFile()404 std::string AudioPolicyManagerFuzzerWithConfigurationFile::getConfigFile() {
405 return fuzzXML(sDefaultConfig);
406 }
407
SetUpManagerConfig()408 void AudioPolicyManagerFuzzerWithConfigurationFile::SetUpManagerConfig() {
409 deserializeAudioPolicyFile(getConfigFile().c_str(), &mManager->getConfig());
410 }
411
traverseAndFuzzXML(xmlDocPtr pDoc,xmlNodePtr curr)412 void AudioPolicyManagerFuzzerWithConfigurationFile::traverseAndFuzzXML(xmlDocPtr pDoc,
413 xmlNodePtr curr) {
414 if (curr == nullptr) {
415 return;
416 }
417
418 xmlAttr *attribute = curr->properties;
419 while (attribute) {
420 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("format"))) {
421 const char *newFormat =
422 audio_format_to_string(getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
423 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newFormat));
424 }
425 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("flags"))) {
426 std::string newFlag = "";
427 uint16_t numFlags = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
428 for (uint16_t i = 0; i < numFlags; ++i) {
429 newFlag += std::string(audio_output_flag_to_string(
430 getValueFromVector<audio_output_flags_t>(mFdp, kAudioOutputFlags)));
431 if (i != (numFlags - 1)) {
432 newFlag += std::string("|");
433 }
434 }
435 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newFlag.c_str()));
436 }
437 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("samplingRates"))) {
438 std::string newRate = "";
439 uint16_t numRates = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
440 for (uint16_t i = 0; i < numRates; ++i) {
441 newRate += std::to_string(getValueFromVector<uint32_t>(mFdp, kSamplingRates));
442 if (i != (numRates - 1)) {
443 newRate += std::string(",");
444 }
445 }
446 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newRate.c_str()));
447 }
448 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("channelMasks"))) {
449 int isOutMask = -1;
450 char *value =
451 reinterpret_cast<char *>(xmlNodeListGetString(pDoc, attribute->children, 1));
452 if (std::string(value).find(std::string("_OUT_")) != std::string::npos) {
453 // OUT mask
454 isOutMask = 1;
455 } else if (std::string(value).find(std::string("_IN_")) != std::string::npos) {
456 // IN mask
457 isOutMask = 0;
458 }
459 if (isOutMask != -1) {
460 std::string newMask = "";
461 uint16_t numMasks = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
462 for (uint16_t i = 0; i < numMasks; ++i) {
463 if (isOutMask) {
464 newMask += std::string(audio_channel_out_mask_to_string(
465 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks)));
466 } else {
467 newMask += std::string(audio_channel_in_mask_to_string(
468 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks)));
469 }
470 if (i != (numMasks - 1)) {
471 newMask += std::string(",");
472 }
473 }
474 xmlSetProp(curr, attribute->name,
475 reinterpret_cast<const xmlChar *>(newMask.c_str()));
476 }
477 xmlFree(value);
478 }
479 attribute = attribute->next;
480 }
481
482 curr = curr->xmlChildrenNode;
483 while (curr != nullptr) {
484 traverseAndFuzzXML(pDoc, curr);
485 curr = curr->next;
486 }
487 }
488
fuzzXML(std::string xmlPath)489 std::string AudioPolicyManagerFuzzerWithConfigurationFile::fuzzXML(std::string xmlPath) {
490 std::string outPath = sFuzzedConfig;
491
492 // Load in the xml file from disk
493 xmlDocPtr pDoc = xmlParseFile(xmlPath.c_str());
494 xmlNodePtr root = xmlDocGetRootElement(pDoc);
495
496 traverseAndFuzzXML(pDoc, root);
497
498 // Save the document back out to disk.
499 xmlSaveFileEnc(outPath.c_str(), pDoc, "UTF-8");
500 xmlFreeDoc(pDoc);
501
502 return outPath;
503 }
504
505 class AudioPolicyManagerFuzzerMsd : public AudioPolicyManagerFuzzerWithConfigurationFile {
506 public:
AudioPolicyManagerFuzzerMsd(FuzzedDataProvider * fdp)507 explicit AudioPolicyManagerFuzzerMsd(FuzzedDataProvider *fdp)
508 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp) {}
509
510 protected:
511 std::string getConfigFile() override;
512
513 static inline const std::string sMsdConfig =
514 sExecutableDir + "data/test_audio_policy_msd_configuration.xml";
515 };
516
getConfigFile()517 std::string AudioPolicyManagerFuzzerMsd::getConfigFile() { return fuzzXML(sMsdConfig); }
518
519 using PolicyMixTuple = std::tuple<audio_usage_t, audio_source_t, uint32_t>;
520
521 class AudioPolicyManagerFuzzerDynamicPolicy : public AudioPolicyManagerFuzzerWithConfigurationFile {
522 public:
AudioPolicyManagerFuzzerDynamicPolicy(FuzzedDataProvider * fdp)523 explicit AudioPolicyManagerFuzzerDynamicPolicy(FuzzedDataProvider *fdp)
524 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
525 ~AudioPolicyManagerFuzzerDynamicPolicy() override;
526 void process() override;
527
528 protected:
529 status_t addPolicyMix(int mixType, int mixFlag, audio_devices_t deviceType,
530 std::string mixAddress, const audio_config_t &audioConfig,
531 const std::vector<PolicyMixTuple> &rules);
532 void clearPolicyMix();
533 void registerPolicyMixes();
534 void unregisterPolicyMixes();
535
536 Vector<AudioMix> mAudioMixes;
537 const std::string mMixAddress = "remote_submix_media";
538 };
539
~AudioPolicyManagerFuzzerDynamicPolicy()540 AudioPolicyManagerFuzzerDynamicPolicy::~AudioPolicyManagerFuzzerDynamicPolicy() {
541 clearPolicyMix();
542 }
543
addPolicyMix(int mixType,int mixFlag,audio_devices_t deviceType,std::string mixAddress,const audio_config_t & audioConfig,const std::vector<PolicyMixTuple> & rules)544 status_t AudioPolicyManagerFuzzerDynamicPolicy::addPolicyMix(
545 int mixType, int mixFlag, audio_devices_t deviceType, std::string mixAddress,
546 const audio_config_t &audioConfig, const std::vector<PolicyMixTuple> &rules) {
547 Vector<AudioMixMatchCriterion> myMixMatchCriteria;
548
549 for (const auto &rule : rules) {
550 myMixMatchCriteria.add(
551 AudioMixMatchCriterion(std::get<0>(rule), std::get<1>(rule), std::get<2>(rule)));
552 }
553
554 AudioMix myAudioMix(myMixMatchCriteria, mixType, audioConfig, mixFlag,
555 String8(mixAddress.c_str()), 0);
556 myAudioMix.mDeviceType = deviceType;
557 // Clear mAudioMix before add new one to make sure we don't add already existing mixes.
558 mAudioMixes.clear();
559 mAudioMixes.add(myAudioMix);
560
561 // As the policy mixes registration may fail at some case,
562 // caller need to check the returned status.
563 status_t ret = mManager->registerPolicyMixes(mAudioMixes);
564 return ret;
565 }
566
clearPolicyMix()567 void AudioPolicyManagerFuzzerDynamicPolicy::clearPolicyMix() {
568 if (mManager != nullptr) {
569 mManager->unregisterPolicyMixes(mAudioMixes);
570 }
571 mAudioMixes.clear();
572 }
573
registerPolicyMixes()574 void AudioPolicyManagerFuzzerDynamicPolicy::registerPolicyMixes() {
575 const uint32_t numPolicies = mFdp->ConsumeIntegralInRange<uint32_t>(1, MAX_MIXES_PER_POLICY);
576
577 for (int i = 0; i < numPolicies; ++i) {
578 audio_config_t audioConfig = AUDIO_CONFIG_INITIALIZER;
579 audioConfig.channel_mask = getValueFromVector<audio_channel_mask_t>(
580 mFdp, mFdp->ConsumeBool() ? kAudioChannelInMasks : kAudioChannelOutMasks);
581 audioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
582 audioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
583 addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
584 getValueFromVector<int>(mFdp, kMixRouteFlags),
585 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), "", audioConfig,
586 std::vector<PolicyMixTuple>());
587 }
588 }
589
unregisterPolicyMixes()590 void AudioPolicyManagerFuzzerDynamicPolicy::unregisterPolicyMixes() {
591 mManager->unregisterPolicyMixes(mAudioMixes);
592 }
593
process()594 void AudioPolicyManagerFuzzerDynamicPolicy::process() {
595 if (initialize()) {
596 registerPolicyMixes();
597 fuzzPatchCreation();
598 unregisterPolicyMixes();
599 }
600 }
601
602 class AudioPolicyManagerFuzzerDPNoRemoteSubmixModule
603 : public AudioPolicyManagerFuzzerDynamicPolicy {
604 public:
AudioPolicyManagerFuzzerDPNoRemoteSubmixModule(FuzzedDataProvider * fdp)605 explicit AudioPolicyManagerFuzzerDPNoRemoteSubmixModule(FuzzedDataProvider *fdp)
606 : AudioPolicyManagerFuzzerDynamicPolicy(fdp){};
607
608 protected:
609 std::string getConfigFile() override;
610
611 static inline const std::string sPrimaryOnlyConfig =
612 sExecutableDir + "data/test_audio_policy_primary_only_configuration.xml";
613 };
614
getConfigFile()615 std::string AudioPolicyManagerFuzzerDPNoRemoteSubmixModule::getConfigFile() {
616 return fuzzXML(sPrimaryOnlyConfig);
617 }
618
619 class AudioPolicyManagerFuzzerDPPlaybackReRouting : public AudioPolicyManagerFuzzerDynamicPolicy {
620 public:
621 explicit AudioPolicyManagerFuzzerDPPlaybackReRouting(FuzzedDataProvider *fdp);
622 ~AudioPolicyManagerFuzzerDPPlaybackReRouting() override;
623 void process() override;
624
625 protected:
626 bool initialize() override;
627 void playBackReRouting();
628
629 std::unique_ptr<RecordingActivityTracker> mTracker;
630
631 std::vector<PolicyMixTuple> mUsageRules = {
632 {AUDIO_USAGE_MEDIA, AUDIO_SOURCE_DEFAULT, RULE_MATCH_ATTRIBUTE_USAGE},
633 {AUDIO_USAGE_ALARM, AUDIO_SOURCE_DEFAULT, RULE_MATCH_ATTRIBUTE_USAGE}};
634
635 struct audio_port_v7 mInjectionPort;
636 audio_port_handle_t mPortId = AUDIO_PORT_HANDLE_NONE;
637 audio_config_t mAudioConfig;
638 };
639
AudioPolicyManagerFuzzerDPPlaybackReRouting(FuzzedDataProvider * fdp)640 AudioPolicyManagerFuzzerDPPlaybackReRouting::AudioPolicyManagerFuzzerDPPlaybackReRouting(
641 FuzzedDataProvider *fdp)
642 : AudioPolicyManagerFuzzerDynamicPolicy(fdp) {
643 const uint32_t numRules = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
644 for (int i = 0; i < numRules; ++i) {
645 PolicyMixTuple rule = {getValueFromVector<audio_usage_t>(mFdp, kAudioUsages),
646 getValueFromVector<audio_source_t>(mFdp, kAudioSources),
647 RULE_MATCH_ATTRIBUTE_USAGE};
648 mUsageRules.push_back(rule);
649 }
650 }
651
~AudioPolicyManagerFuzzerDPPlaybackReRouting()652 AudioPolicyManagerFuzzerDPPlaybackReRouting::~AudioPolicyManagerFuzzerDPPlaybackReRouting() {
653 mManager->stopInput(mPortId);
654 }
655
initialize()656 bool AudioPolicyManagerFuzzerDPPlaybackReRouting::initialize() {
657 if (!AudioPolicyManagerFuzzerDynamicPolicy::initialize()) {
658 return false;
659 }
660 mTracker.reset(new RecordingActivityTracker());
661
662 mAudioConfig = AUDIO_CONFIG_INITIALIZER;
663 mAudioConfig.channel_mask =
664 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks);
665 mAudioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
666 mAudioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
667 status_t ret = addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
668 getValueFromVector<int>(mFdp, kMixRouteFlags),
669 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
670 mMixAddress, mAudioConfig, mUsageRules);
671 if (ret != NO_ERROR) {
672 return false;
673 }
674
675 struct audio_port_v7 extractionPort;
676 findDevicePort(AUDIO_PORT_ROLE_SOURCE, getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
677 mMixAddress, &extractionPort);
678
679 audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
680 audio_source_t source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
681 audio_attributes_t attr = {AUDIO_CONTENT_TYPE_UNKNOWN, AUDIO_USAGE_UNKNOWN, source,
682 AUDIO_FLAG_NONE, ""};
683 std::string tags = "addr=" + mMixAddress;
684 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
685 getInputForAttr(attr, mTracker->getRiid(), &selectedDeviceId, mAudioConfig.format,
686 mAudioConfig.channel_mask, mAudioConfig.sample_rate, AUDIO_INPUT_FLAG_NONE,
687 &mPortId);
688
689 ret = mManager->startInput(mPortId);
690 if (ret != NO_ERROR) {
691 return false;
692 }
693 if (!findDevicePort(AUDIO_PORT_ROLE_SINK,
694 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), mMixAddress,
695 &mInjectionPort)) {
696 return false;
697 }
698
699 return true;
700 }
701
playBackReRouting()702 void AudioPolicyManagerFuzzerDPPlaybackReRouting::playBackReRouting() {
703 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
704 for (int i = 0; i < numTestCases; ++i) {
705 audio_attributes_t attr;
706 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
707 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
708 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
709 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
710 std::string tags(mFdp->ConsumeBool() ? "" : "addr=remote_submix_media");
711 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
712
713 audio_port_handle_t playbackRoutedPortId = AUDIO_PORT_HANDLE_NONE;
714 getOutputForAttr(&playbackRoutedPortId, mAudioConfig.format, mAudioConfig.channel_mask,
715 mAudioConfig.sample_rate, AUDIO_OUTPUT_FLAG_NONE, nullptr /*output*/,
716 nullptr /*portId*/, attr);
717 }
718 }
719
process()720 void AudioPolicyManagerFuzzerDPPlaybackReRouting::process() {
721 if (initialize()) {
722 playBackReRouting();
723 registerPolicyMixes();
724 fuzzPatchCreation();
725 unregisterPolicyMixes();
726 }
727 }
728
729 class AudioPolicyManagerFuzzerDPMixRecordInjection : public AudioPolicyManagerFuzzerDynamicPolicy {
730 public:
731 explicit AudioPolicyManagerFuzzerDPMixRecordInjection(FuzzedDataProvider *fdp);
732 ~AudioPolicyManagerFuzzerDPMixRecordInjection() override;
733 void process() override;
734
735 protected:
736 bool initialize() override;
737 void recordingInjection();
738
739 std::unique_ptr<RecordingActivityTracker> mTracker;
740
741 std::vector<PolicyMixTuple> mSourceRules = {
742 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_CAMCORDER, RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET},
743 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_MIC, RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET},
744 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_VOICE_COMMUNICATION,
745 RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET}};
746
747 struct audio_port_v7 mExtractionPort;
748 audio_port_handle_t mPortId = AUDIO_PORT_HANDLE_NONE;
749 audio_config_t mAudioConfig;
750 };
751
AudioPolicyManagerFuzzerDPMixRecordInjection(FuzzedDataProvider * fdp)752 AudioPolicyManagerFuzzerDPMixRecordInjection::AudioPolicyManagerFuzzerDPMixRecordInjection(
753 FuzzedDataProvider *fdp)
754 : AudioPolicyManagerFuzzerDynamicPolicy(fdp) {
755 const uint32_t numRules = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
756 for (int i = 0; i < numRules; ++i) {
757 PolicyMixTuple rule = {getValueFromVector<audio_usage_t>(mFdp, kAudioUsages),
758 getValueFromVector<audio_source_t>(mFdp, kAudioSources),
759 RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET};
760 mSourceRules.push_back(rule);
761 }
762 }
763
~AudioPolicyManagerFuzzerDPMixRecordInjection()764 AudioPolicyManagerFuzzerDPMixRecordInjection::~AudioPolicyManagerFuzzerDPMixRecordInjection() {
765 mManager->stopOutput(mPortId);
766 }
767
initialize()768 bool AudioPolicyManagerFuzzerDPMixRecordInjection::initialize() {
769 if (!AudioPolicyManagerFuzzerDynamicPolicy::initialize()) {
770 return false;
771 }
772
773 mTracker.reset(new RecordingActivityTracker());
774
775 mAudioConfig = AUDIO_CONFIG_INITIALIZER;
776 mAudioConfig.channel_mask =
777 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks);
778 mAudioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
779 mAudioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
780 status_t ret = addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
781 getValueFromVector<int>(mFdp, kMixRouteFlags),
782 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
783 mMixAddress, mAudioConfig, mSourceRules);
784 if (ret != NO_ERROR) {
785 return false;
786 }
787
788 struct audio_port_v7 injectionPort;
789 findDevicePort(AUDIO_PORT_ROLE_SINK, getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
790 mMixAddress, &injectionPort);
791
792 audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
793 audio_usage_t usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
794 audio_attributes_t attr = {AUDIO_CONTENT_TYPE_UNKNOWN, usage, AUDIO_SOURCE_DEFAULT,
795 AUDIO_FLAG_NONE, ""};
796 std::string tags = std::string("addr=") + mMixAddress;
797 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
798 getOutputForAttr(&selectedDeviceId, mAudioConfig.format, mAudioConfig.channel_mask,
799 mAudioConfig.sample_rate /*sampleRate*/, AUDIO_OUTPUT_FLAG_NONE,
800 nullptr /*output*/, &mPortId, attr);
801 ret = mManager->startOutput(mPortId);
802 if (ret != NO_ERROR) {
803 return false;
804 }
805 getDeviceIdFromPatch(mClient->getLastAddedPatch());
806 if (!findDevicePort(AUDIO_PORT_ROLE_SOURCE,
807 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), mMixAddress,
808 &mExtractionPort)) {
809 return false;
810 }
811
812 return true;
813 }
814
recordingInjection()815 void AudioPolicyManagerFuzzerDPMixRecordInjection::recordingInjection() {
816 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
817 for (int i = 0; i < numTestCases; ++i) {
818 audio_attributes_t attr;
819 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
820 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
821 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
822 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
823 std::string tags(mFdp->ConsumeBool() ? "" : "addr=remote_submix_media");
824 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
825
826 audio_port_handle_t captureRoutedPortId = AUDIO_PORT_HANDLE_NONE;
827 audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE;
828 getInputForAttr(attr, mTracker->getRiid(), &captureRoutedPortId, mAudioConfig.format,
829 mAudioConfig.channel_mask, mAudioConfig.sample_rate, AUDIO_INPUT_FLAG_NONE,
830 &portId);
831 }
832 }
833
process()834 void AudioPolicyManagerFuzzerDPMixRecordInjection::process() {
835 if (initialize()) {
836 recordingInjection();
837 registerPolicyMixes();
838 fuzzPatchCreation();
839 unregisterPolicyMixes();
840 }
841 }
842
843 using DeviceConnectionTestParams =
844 std::tuple<audio_devices_t /*type*/, std::string /*name*/, std::string /*address*/>;
845
846 class AudioPolicyManagerFuzzerDeviceConnection
847 : public AudioPolicyManagerFuzzerWithConfigurationFile {
848 public:
AudioPolicyManagerFuzzerDeviceConnection(FuzzedDataProvider * fdp)849 explicit AudioPolicyManagerFuzzerDeviceConnection(FuzzedDataProvider *fdp)
850 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
851 void process() override;
852
853 void fuzzGetDirectPlaybackSupport();
854 void fuzzGetDirectProfilesForAttributes();
855
856 protected:
857 void setDeviceConnectionState();
858 void explicitlyRoutingAfterConnection();
859 };
860
setDeviceConnectionState()861 void AudioPolicyManagerFuzzerDeviceConnection::setDeviceConnectionState() {
862 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
863 for (int i = 0; i < numTestCases; ++i) {
864 const audio_devices_t type = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
865 const std::string name = mFdp->ConsumeRandomLengthString();
866 const std::string address = mFdp->ConsumeRandomLengthString();
867 mManager->setDeviceConnectionState(
868 type, getValueFromVector<audio_policy_dev_state_t>(mFdp, kAudioPolicyDeviceStates),
869 address.c_str(), name.c_str(), getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
870 }
871 }
872
explicitlyRoutingAfterConnection()873 void AudioPolicyManagerFuzzerDeviceConnection::explicitlyRoutingAfterConnection() {
874 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
875 for (int i = 0; i < numTestCases; ++i) {
876 const audio_devices_t type = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
877 const std::string name = mFdp->ConsumeRandomLengthString();
878 const std::string address = mFdp->ConsumeRandomLengthString();
879 mManager->setDeviceConnectionState(
880 type, getValueFromVector<audio_policy_dev_state_t>(mFdp, kAudioPolicyDeviceStates),
881 address.c_str(), name.c_str(), getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
882
883 audio_port_v7 devicePort;
884 const audio_port_role_t role =
885 audio_is_output_device(type) ? AUDIO_PORT_ROLE_SINK : AUDIO_PORT_ROLE_SOURCE;
886 findDevicePort(role, type, address, &devicePort);
887
888 audio_port_handle_t routedPortId = devicePort.id;
889 // Try start input or output according to the device type
890 if (audio_is_output_devices(type)) {
891 getOutputForAttr(&routedPortId, getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
892 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks),
893 getValueFromVector<uint32_t>(mFdp, kSamplingRates),
894 AUDIO_OUTPUT_FLAG_NONE);
895 } else if (audio_is_input_device(type)) {
896 RecordingActivityTracker tracker;
897 getInputForAttr({}, tracker.getRiid(), &routedPortId,
898 getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
899 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks),
900 getValueFromVector<uint32_t>(mFdp, kSamplingRates),
901 AUDIO_INPUT_FLAG_NONE);
902 }
903 }
904 }
905
fuzzGetDirectPlaybackSupport()906 void AudioPolicyManagerFuzzerDeviceConnection::fuzzGetDirectPlaybackSupport() {
907 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
908 for (int i = 0; i < numTestCases; ++i) {
909 audio_attributes_t attr = AUDIO_ATTRIBUTES_INITIALIZER;
910 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
911 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
912 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
913 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
914 audio_config_t config = AUDIO_CONFIG_INITIALIZER;
915 config.channel_mask = getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks);
916 config.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
917 config.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
918 mManager->getDirectPlaybackSupport(&attr, &config);
919 }
920 }
921
fuzzGetDirectProfilesForAttributes()922 void AudioPolicyManagerFuzzerDeviceConnection::fuzzGetDirectProfilesForAttributes() {
923 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
924 for (int i = 0; i < numTestCases; ++i) {
925 AudioProfileVector audioProfiles;
926 audio_attributes_t attr = AUDIO_ATTRIBUTES_INITIALIZER;
927 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
928 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
929 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
930 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
931 mManager->getDirectProfilesForAttributes(&attr, audioProfiles);
932 }
933 }
934
process()935 void AudioPolicyManagerFuzzerDeviceConnection::process() {
936 if (initialize()) {
937 setDeviceConnectionState();
938 explicitlyRoutingAfterConnection();
939 fuzzGetDirectPlaybackSupport();
940 fuzzGetDirectProfilesForAttributes();
941 fuzzPatchCreation();
942 }
943 }
944
945 class AudioPolicyManagerTVFuzzer : public AudioPolicyManagerFuzzerWithConfigurationFile {
946 public:
AudioPolicyManagerTVFuzzer(FuzzedDataProvider * fdp)947 explicit AudioPolicyManagerTVFuzzer(FuzzedDataProvider *fdp)
948 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
949 void process() override;
950
951 protected:
952 std::string getConfigFile();
953 void testHDMIPortSelection(audio_output_flags_t flags);
954
955 static inline const std::string sTvConfig =
956 AudioPolicyManagerTVFuzzer::sExecutableDir + "data/test_tv_apm_configuration.xml";
957 };
958
getConfigFile()959 std::string AudioPolicyManagerTVFuzzer::getConfigFile() { return fuzzXML(sTvConfig); }
960
testHDMIPortSelection(audio_output_flags_t flags)961 void AudioPolicyManagerTVFuzzer::testHDMIPortSelection(audio_output_flags_t flags) {
962 audio_devices_t audioDevice = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
963 audio_format_t audioFormat = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
964 status_t ret = mManager->setDeviceConnectionState(
965 audioDevice, AUDIO_POLICY_DEVICE_STATE_AVAILABLE, "" /*address*/, "" /*name*/, audioFormat);
966 if (ret != NO_ERROR) {
967 return;
968 }
969 audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
970 audio_io_handle_t output;
971 audio_port_handle_t portId;
972 getOutputForAttr(&selectedDeviceId, getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
973 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks),
974 getValueFromVector<uint32_t>(mFdp, kSamplingRates), flags, &output, &portId);
975 sp<SwAudioOutputDescriptor> outDesc = mManager->getOutputs().valueFor(output);
976 if (outDesc.get() == nullptr) {
977 return;
978 }
979 audio_port_v7 port = {};
980 outDesc->toAudioPort(&port);
981 mManager->releaseOutput(portId);
982 mManager->setDeviceConnectionState(audioDevice, AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE,
983 "" /*address*/, "" /*name*/, audioFormat);
984 }
985
process()986 void AudioPolicyManagerTVFuzzer::process() {
987 if (initialize()) {
988 testHDMIPortSelection(getValueFromVector<audio_output_flags_t>(mFdp, kAudioOutputFlags));
989 fuzzPatchCreation();
990 }
991 }
992
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)993 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
994 if (size < 1) {
995 return 0;
996 }
997 FuzzedDataProvider fdp = FuzzedDataProvider(data, size);
998 while (fdp.remaining_bytes() > 0) {
999 AudioPolicyManagerFuzzer audioPolicyManagerFuzzer(&fdp);
1000 audioPolicyManagerFuzzer.process();
1001
1002 AudioPolicyManagerFuzzerMsd audioPolicyManagerFuzzerMsd(&fdp);
1003 audioPolicyManagerFuzzerMsd.process();
1004
1005 AudioPolicyManagerFuzzerWithConfigurationFile audioPolicyManagerFuzzerWithConfigurationFile(
1006 &fdp);
1007 audioPolicyManagerFuzzerWithConfigurationFile.process();
1008
1009 AudioPolicyManagerFuzzerDynamicPolicy audioPolicyManagerFuzzerDynamicPolicy(&fdp);
1010 audioPolicyManagerFuzzerDynamicPolicy.process();
1011
1012 AudioPolicyManagerFuzzerDPNoRemoteSubmixModule
1013 audioPolicyManagerFuzzerDPNoRemoteSubmixModule(&fdp);
1014 audioPolicyManagerFuzzerDPNoRemoteSubmixModule.process();
1015
1016 AudioPolicyManagerFuzzerDPPlaybackReRouting audioPolicyManagerFuzzerDPPlaybackReRouting(
1017 &fdp);
1018 audioPolicyManagerFuzzerDPPlaybackReRouting.process();
1019
1020 AudioPolicyManagerFuzzerDPMixRecordInjection audioPolicyManagerFuzzerDPMixRecordInjection(
1021 &fdp);
1022 audioPolicyManagerFuzzerDPMixRecordInjection.process();
1023
1024 AudioPolicyManagerFuzzerDeviceConnection audioPolicyManagerFuzzerDeviceConnection(&fdp);
1025 audioPolicyManagerFuzzerDeviceConnection.process();
1026
1027 AudioPolicyManagerTVFuzzer audioPolicyManagerTVFuzzer(&fdp);
1028 audioPolicyManagerTVFuzzer.process();
1029 }
1030 return 0;
1031 }
1032