1 /******************************************************************************
2 *
3 * Copyright (C) 2021 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18 #include <stdint.h>
19 #include <sys/wait.h>
20 #include <unistd.h>
21 #include <algorithm>
22 #include <memory>
23 #include <string>
24 #include <utility>
25 #include <vector>
26
27 #include <Serializer.h>
28 #include <android-base/file.h>
29 #include <android/content/AttributionSourceState.h>
30 #include <libxml/parser.h>
31 #include <libxml/xinclude.h>
32 #include <media/AudioPolicy.h>
33 #include <media/AudioProfile.h>
34 #include <media/PatchBuilder.h>
35 #include <media/RecordingActivityTracker.h>
36
37 #include <AudioPolicyInterface.h>
38 #include <android_audio_policy_configuration_V7_0-enums.h>
39 #include <fuzzer/FuzzedDataProvider.h>
40 #include <tests/AudioPolicyManagerTestClient.h>
41 #include <tests/AudioPolicyTestClient.h>
42 #include <tests/AudioPolicyTestManager.h>
43 #include <xsdc/XsdcSupport.h>
44
45 using namespace android;
46
47 namespace xsd {
48 using namespace ::android::audio::policy::configuration::V7_0;
49 }
50
51 using content::AttributionSourceState;
52
__anon9ad17c4b0102null53 static const std::vector<audio_format_t> kAudioFormats = [] {
54 std::vector<audio_format_t> result;
55 for (const auto enumVal : xsdc_enum_range<xsd::AudioFormat>{}) {
56 audio_format_t audioFormatHal;
57 std::string audioFormat = toString(enumVal);
58 if (audio_format_from_string(audioFormat.c_str(), &audioFormatHal)) {
59 result.push_back(audioFormatHal);
60 }
61 }
62 return result;
63 }();
64
__anon9ad17c4b0202null65 static const std::vector<audio_channel_mask_t> kAudioChannelOutMasks = [] {
66 std::vector<audio_channel_mask_t> result;
67 for (const auto enumVal : xsdc_enum_range<xsd::AudioChannelMask>{}) {
68 audio_channel_mask_t audioChannelMaskHal;
69 std::string audioChannelMask = toString(enumVal);
70 if (enumVal != xsd::AudioChannelMask::AUDIO_CHANNEL_NONE &&
71 audioChannelMask.find("_IN_") == std::string::npos &&
72 audio_channel_mask_from_string(audioChannelMask.c_str(), &audioChannelMaskHal)) {
73 result.push_back(audioChannelMaskHal);
74 }
75 }
76 return result;
77 }();
78
__anon9ad17c4b0302null79 static const std::vector<audio_channel_mask_t> kAudioChannelInMasks = [] {
80 std::vector<audio_channel_mask_t> result;
81 for (const auto enumVal : xsdc_enum_range<xsd::AudioChannelMask>{}) {
82 audio_channel_mask_t audioChannelMaskHal;
83 std::string audioChannelMask = toString(enumVal);
84 if (enumVal != xsd::AudioChannelMask::AUDIO_CHANNEL_NONE &&
85 audioChannelMask.find("_OUT_") == std::string::npos &&
86 audio_channel_mask_from_string(audioChannelMask.c_str(), &audioChannelMaskHal)) {
87 result.push_back(audioChannelMaskHal);
88 }
89 }
90 return result;
91 }();
92
__anon9ad17c4b0402null93 static const std::vector<audio_output_flags_t> kAudioOutputFlags = [] {
94 std::vector<audio_output_flags_t> result;
95 for (const auto enumVal : xsdc_enum_range<xsd::AudioInOutFlag>{}) {
96 audio_output_flags_t audioOutputFlagHal;
97 std::string audioOutputFlag = toString(enumVal);
98 if (audioOutputFlag.find("_OUTPUT_") != std::string::npos &&
99 audio_output_flag_from_string(audioOutputFlag.c_str(), &audioOutputFlagHal)) {
100 result.push_back(audioOutputFlagHal);
101 }
102 }
103 return result;
104 }();
105
__anon9ad17c4b0502null106 static const std::vector<audio_devices_t> kAudioDevices = [] {
107 std::vector<audio_devices_t> result;
108 for (const auto enumVal : xsdc_enum_range<xsd::AudioDevice>{}) {
109 audio_devices_t audioDeviceHal;
110 std::string audioDevice = toString(enumVal);
111 if (audio_device_from_string(audioDevice.c_str(), &audioDeviceHal)) {
112 result.push_back(audioDeviceHal);
113 }
114 }
115 return result;
116 }();
117
__anon9ad17c4b0602null118 static const std::vector<audio_usage_t> kAudioUsages = [] {
119 std::vector<audio_usage_t> result;
120 for (const auto enumVal : xsdc_enum_range<xsd::AudioUsage>{}) {
121 audio_usage_t audioUsageHal;
122 std::string audioUsage = toString(enumVal);
123 if (audio_usage_from_string(audioUsage.c_str(), &audioUsageHal)) {
124 result.push_back(audioUsageHal);
125 }
126 }
127 return result;
128 }();
129
130 /**
131 * AudioSource - AUDIO_SOURCE_VOICE_COMMUNICATION and AUDIO_SOURCE_HOTWORD
132 * are excluded from kAudioSources[] in order to avoid the abort triggered
133 * for these two types of AudioSource in Engine::getDeviceForInputSource()
134 */
__anon9ad17c4b0702null135 static const std::vector<audio_source_t> kAudioSources = [] {
136 std::vector<audio_source_t> result;
137 for (const auto enumVal : xsdc_enum_range<xsd::AudioSource>{}) {
138 audio_source_t audioSourceHal;
139 std::string audioSource = toString(enumVal);
140 if (enumVal != xsd::AudioSource::AUDIO_SOURCE_VOICE_COMMUNICATION &&
141 enumVal != xsd::AudioSource::AUDIO_SOURCE_HOTWORD &&
142 audio_source_from_string(audioSource.c_str(), &audioSourceHal)) {
143 result.push_back(audioSourceHal);
144 }
145 }
146 return result;
147 }();
148
__anon9ad17c4b0802null149 static const std::vector<audio_content_type_t> kAudioContentTypes = [] {
150 std::vector<audio_content_type_t> result;
151 for (const auto enumVal : xsdc_enum_range<xsd::AudioContentType>{}) {
152 audio_content_type_t audioContentTypeHal;
153 std::string audioContentType = toString(enumVal);
154 if (audio_content_type_from_string(audioContentType.c_str(), &audioContentTypeHal)) {
155 result.push_back(audioContentTypeHal);
156 }
157 }
158 return result;
159 }();
160
161 std::vector<int> kMixTypes = {MIX_TYPE_PLAYERS, MIX_TYPE_RECORDERS};
162
163 std::vector<int> kMixRouteFlags = {MIX_ROUTE_FLAG_RENDER, MIX_ROUTE_FLAG_LOOP_BACK,
164 MIX_ROUTE_FLAG_LOOP_BACK_AND_RENDER, MIX_ROUTE_FLAG_ALL};
165
166 std::vector<audio_flags_mask_t> kAudioFlagMasks = {
167 AUDIO_FLAG_NONE, AUDIO_FLAG_AUDIBILITY_ENFORCED,
168 AUDIO_FLAG_SECURE, AUDIO_FLAG_SCO,
169 AUDIO_FLAG_BEACON, AUDIO_FLAG_HW_AV_SYNC,
170 AUDIO_FLAG_HW_HOTWORD, AUDIO_FLAG_BYPASS_INTERRUPTION_POLICY,
171 AUDIO_FLAG_BYPASS_MUTE, AUDIO_FLAG_LOW_LATENCY,
172 AUDIO_FLAG_DEEP_BUFFER, AUDIO_FLAG_NO_MEDIA_PROJECTION,
173 AUDIO_FLAG_MUTE_HAPTIC, AUDIO_FLAG_NO_SYSTEM_CAPTURE,
174 AUDIO_FLAG_CAPTURE_PRIVATE, AUDIO_FLAG_CONTENT_SPATIALIZED,
175 AUDIO_FLAG_NEVER_SPATIALIZE,
176 };
177
178 std::vector<audio_policy_dev_state_t> kAudioPolicyDeviceStates = {
179 AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE,
180 AUDIO_POLICY_DEVICE_STATE_AVAILABLE,
181 AUDIO_POLICY_DEVICE_STATE_CNT,
182 };
183
184 std::vector<uint32_t> kSamplingRates = {8000, 16000, 44100, 48000, 88200, 96000};
185
186 template <typename T>
getValueFromVector(FuzzedDataProvider * fdp,std::vector<T> arr)187 T getValueFromVector(FuzzedDataProvider *fdp, std::vector<T> arr) {
188 if (fdp->ConsumeBool()) {
189 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, arr.size() - 1)];
190 } else {
191 return (T)fdp->ConsumeIntegral<uint32_t>();
192 }
193 }
194
195 class AudioPolicyManagerFuzzer {
196 public:
197 explicit AudioPolicyManagerFuzzer(FuzzedDataProvider *fdp);
198 virtual ~AudioPolicyManagerFuzzer() = default;
199 virtual bool initialize();
200 virtual void SetUpManagerConfig();
201 bool getOutputForAttr(audio_port_handle_t *selectedDeviceId, audio_format_t format,
202 audio_channel_mask_t channelMask, int sampleRate,
203 audio_output_flags_t flags = AUDIO_OUTPUT_FLAG_NONE,
204 audio_io_handle_t *output = nullptr,
205 audio_port_handle_t *portId = nullptr, audio_attributes_t attr = {});
206 bool getInputForAttr(const audio_attributes_t &attr, audio_unique_id_t riid,
207 audio_port_handle_t *selectedDeviceId, audio_format_t format,
208 audio_channel_mask_t channelMask, int sampleRate,
209 audio_input_flags_t flags = AUDIO_INPUT_FLAG_NONE,
210 audio_port_handle_t *portId = nullptr);
211 bool findDevicePort(audio_port_role_t role, audio_devices_t deviceType,
212 const std::string &address, audio_port_v7 *foundPort);
213 static audio_port_handle_t getDeviceIdFromPatch(const struct audio_patch *patch);
214 audio_patch createFuzzedPatch();
215 void fuzzPatchCreation();
216 virtual void process();
217
218 protected:
219 sp<AudioPolicyConfig> mConfig{AudioPolicyConfig::createWritableForTests()};
220 std::unique_ptr<AudioPolicyManagerTestClient> mClient{new AudioPolicyManagerTestClient};
221 std::unique_ptr<AudioPolicyTestManager> mManager;
222 FuzzedDataProvider *mFdp;
223 };
224
AudioPolicyManagerFuzzer(FuzzedDataProvider * fdp)225 AudioPolicyManagerFuzzer::AudioPolicyManagerFuzzer(FuzzedDataProvider *fdp)
226 : mFdp(fdp) {}
227
initialize()228 bool AudioPolicyManagerFuzzer::initialize() {
229 if (mFdp->remaining_bytes() < 1) {
230 return false;
231 }
232 // init code
233 SetUpManagerConfig();
234 if (mConfig == nullptr) {
235 return false;
236 }
237 mManager.reset(new AudioPolicyTestManager(mConfig, mClient.get()));
238 if (mManager->initialize() != NO_ERROR) {
239 return false;
240 }
241 if (mManager->initCheck() != NO_ERROR) {
242 return false;
243 }
244 return true;
245 }
246
SetUpManagerConfig()247 void AudioPolicyManagerFuzzer::SetUpManagerConfig() { mConfig->setDefault(); }
248
getOutputForAttr(audio_port_handle_t * selectedDeviceId,audio_format_t format,audio_channel_mask_t channelMask,int sampleRate,audio_output_flags_t flags,audio_io_handle_t * output,audio_port_handle_t * portId,audio_attributes_t attr)249 bool AudioPolicyManagerFuzzer::getOutputForAttr(
250 audio_port_handle_t *selectedDeviceId, audio_format_t format, audio_channel_mask_t channelMask,
251 int sampleRate, audio_output_flags_t flags, audio_io_handle_t *output,
252 audio_port_handle_t *portId, audio_attributes_t attr) {
253 audio_io_handle_t localOutput;
254 if (!output) output = &localOutput;
255 *output = AUDIO_IO_HANDLE_NONE;
256 audio_stream_type_t stream = AUDIO_STREAM_DEFAULT;
257 audio_config_t config = AUDIO_CONFIG_INITIALIZER;
258 config.sample_rate = sampleRate;
259 config.channel_mask = channelMask;
260 config.format = format;
261 audio_port_handle_t localPortId;
262 if (!portId) portId = &localPortId;
263 *portId = AUDIO_PORT_HANDLE_NONE;
264 AudioPolicyInterface::output_type_t outputType;
265 bool isSpatialized;
266 bool isBitPerfect;
267
268 // TODO b/182392769: use attribution source util
269 AttributionSourceState attributionSource;
270 attributionSource.uid = 0;
271 attributionSource.token = sp<BBinder>::make();
272 if (mManager->getOutputForAttr(&attr, output, AUDIO_SESSION_NONE, &stream, attributionSource,
273 &config, &flags, selectedDeviceId, portId, {}, &outputType, &isSpatialized,
274 &isBitPerfect) != OK) {
275 return false;
276 }
277 if (*output == AUDIO_IO_HANDLE_NONE || *portId == AUDIO_PORT_HANDLE_NONE) {
278 return false;
279 }
280 return true;
281 }
282
getInputForAttr(const audio_attributes_t & attr,audio_unique_id_t riid,audio_port_handle_t * selectedDeviceId,audio_format_t format,audio_channel_mask_t channelMask,int sampleRate,audio_input_flags_t flags,audio_port_handle_t * portId)283 bool AudioPolicyManagerFuzzer::getInputForAttr(
284 const audio_attributes_t &attr, audio_unique_id_t riid, audio_port_handle_t *selectedDeviceId,
285 audio_format_t format, audio_channel_mask_t channelMask, int sampleRate,
286 audio_input_flags_t flags, audio_port_handle_t *portId) {
287 audio_io_handle_t input = AUDIO_IO_HANDLE_NONE;
288 audio_config_base_t config = AUDIO_CONFIG_BASE_INITIALIZER;
289 config.sample_rate = sampleRate;
290 config.channel_mask = channelMask;
291 config.format = format;
292 audio_port_handle_t localPortId;
293 if (!portId) portId = &localPortId;
294 *portId = AUDIO_PORT_HANDLE_NONE;
295 AudioPolicyInterface::input_type_t inputType;
296
297 AttributionSourceState attributionSource;
298 attributionSource.uid = 0;
299 attributionSource.token = sp<BBinder>::make();
300 if (mManager->getInputForAttr(&attr, &input, riid, AUDIO_SESSION_NONE, attributionSource,
301 &config, flags, selectedDeviceId, &inputType, portId) != OK) {
302 return false;
303 }
304 if (*portId == AUDIO_PORT_HANDLE_NONE || input == AUDIO_IO_HANDLE_NONE) {
305 return false;
306 }
307 return true;
308 }
309
findDevicePort(audio_port_role_t role,audio_devices_t deviceType,const std::string & address,audio_port_v7 * foundPort)310 bool AudioPolicyManagerFuzzer::findDevicePort(audio_port_role_t role, audio_devices_t deviceType,
311 const std::string &address,
312 audio_port_v7 *foundPort) {
313 uint32_t numPorts = 0;
314 uint32_t generation1;
315 status_t ret;
316
317 ret = mManager->listAudioPorts(role, AUDIO_PORT_TYPE_DEVICE, &numPorts, nullptr, &generation1);
318 if (ret != NO_ERROR) {
319 return false;
320 }
321
322 uint32_t generation2;
323 struct audio_port_v7 ports[numPorts];
324 ret = mManager->listAudioPorts(role, AUDIO_PORT_TYPE_DEVICE, &numPorts, ports, &generation2);
325 if (ret != NO_ERROR) {
326 return false;
327 }
328
329 for (const auto &port : ports) {
330 if (port.role == role && port.ext.device.type == deviceType &&
331 (strncmp(port.ext.device.address, address.c_str(), AUDIO_DEVICE_MAX_ADDRESS_LEN) ==
332 0)) {
333 if (foundPort) *foundPort = port;
334 return true;
335 }
336 }
337 return false;
338 }
339
getDeviceIdFromPatch(const struct audio_patch * patch)340 audio_port_handle_t AudioPolicyManagerFuzzer::getDeviceIdFromPatch(
341 const struct audio_patch *patch) {
342 if (patch->num_sources != 0 && patch->num_sinks != 0) {
343 if (patch->sources[0].type == AUDIO_PORT_TYPE_MIX) {
344 return patch->sinks[0].id;
345 } else {
346 return patch->sources[0].id;
347 }
348 }
349 return AUDIO_PORT_HANDLE_NONE;
350 }
351
createFuzzedPatch()352 audio_patch AudioPolicyManagerFuzzer::createFuzzedPatch() {
353 audio_patch patch{};
354 patch.id = mFdp->ConsumeIntegral<uint32_t>();
355 patch.num_sources = mFdp->ConsumeIntegralInRange(0, AUDIO_PATCH_PORTS_MAX);
356 for (int i = 0; i < patch.num_sources; ++i) {
357 audio_port_config config{};
358 std::vector<uint8_t> bytes = mFdp->ConsumeBytes<uint8_t>(sizeof(config));
359 memcpy(reinterpret_cast<uint8_t *>(&config), &bytes[0], bytes.size());
360 patch.sources[i] = config;
361 }
362 patch.num_sinks = mFdp->ConsumeIntegralInRange(0, AUDIO_PATCH_PORTS_MAX);
363 for (int i = 0; i < patch.num_sinks; ++i) {
364 audio_port_config config{};
365 std::vector<uint8_t> bytes = mFdp->ConsumeBytes<uint8_t>(sizeof(config));
366 memcpy(reinterpret_cast<uint8_t *>(&config), &bytes[0], bytes.size());
367 patch.sinks[i] = config;
368 }
369 return patch;
370 }
371
fuzzPatchCreation()372 void AudioPolicyManagerFuzzer::fuzzPatchCreation() {
373 if (mFdp->remaining_bytes()) {
374 audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE;
375 uid_t uid = mFdp->ConsumeIntegral<uint32_t>();
376
377 // create a fuzzed patch
378 handle = AUDIO_PATCH_HANDLE_NONE;
379 audio_patch patch = createFuzzedPatch();
380 uid = mFdp->ConsumeIntegral<uint32_t>();
381 if (mManager->createAudioPatch(&patch, &handle, uid) == NO_ERROR) {
382 mManager->releaseAudioPatch(handle, uid);
383 }
384 }
385 }
386
process()387 void AudioPolicyManagerFuzzer::process() {
388 if (initialize()) {
389 fuzzPatchCreation();
390 }
391 }
392
393 class AudioPolicyManagerFuzzerWithConfigurationFile : public AudioPolicyManagerFuzzer {
394 public:
AudioPolicyManagerFuzzerWithConfigurationFile(FuzzedDataProvider * fdp)395 explicit AudioPolicyManagerFuzzerWithConfigurationFile(FuzzedDataProvider *fdp)
396 : AudioPolicyManagerFuzzer(fdp){};
397
398 protected:
399 void SetUpManagerConfig() override;
400 virtual std::string getConfigFile();
401 void traverseAndFuzzXML(xmlDocPtr pDoc, xmlNodePtr curr);
402 std::string fuzzXML(std::string xmlPath);
403
404 static inline const std::string sExecutableDir = base::GetExecutableDirectory() + "/";
405 static inline const std::string sDefaultConfig =
406 sExecutableDir + "data/test_audio_policy_configuration.xml";
407 static inline const std::string sFuzzedConfig = sExecutableDir + "fuzzed.xml";;
408 };
409
getConfigFile()410 std::string AudioPolicyManagerFuzzerWithConfigurationFile::getConfigFile() {
411 return fuzzXML(sDefaultConfig);
412 }
413
SetUpManagerConfig()414 void AudioPolicyManagerFuzzerWithConfigurationFile::SetUpManagerConfig() {
415 const std::string configFilePath = getConfigFile();
416 auto result = AudioPolicyConfig::loadFromCustomXmlConfigForTests(configFilePath);
417 mConfig = result.ok() ? mConfig = result.value() : nullptr;
418 ALOGE_IF(!result.ok(), "%s: Failed to deserialize \"%s\": %d",
419 __func__, configFilePath.c_str(), result.error());
420 }
421
traverseAndFuzzXML(xmlDocPtr pDoc,xmlNodePtr curr)422 void AudioPolicyManagerFuzzerWithConfigurationFile::traverseAndFuzzXML(xmlDocPtr pDoc,
423 xmlNodePtr curr) {
424 if (curr == nullptr) {
425 return;
426 }
427
428 xmlAttr *attribute = curr->properties;
429 while (attribute) {
430 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("format"))) {
431 const char *newFormat =
432 audio_format_to_string(getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
433 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newFormat));
434 }
435 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("flags"))) {
436 std::string newFlag = "";
437 uint16_t numFlags = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
438 for (uint16_t i = 0; i < numFlags; ++i) {
439 newFlag += std::string(audio_output_flag_to_string(
440 getValueFromVector<audio_output_flags_t>(mFdp, kAudioOutputFlags)));
441 if (i != (numFlags - 1)) {
442 newFlag += std::string("|");
443 }
444 }
445 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newFlag.c_str()));
446 }
447 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("samplingRates"))) {
448 std::string newRate = "";
449 uint16_t numRates = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
450 for (uint16_t i = 0; i < numRates; ++i) {
451 newRate += std::to_string(getValueFromVector<uint32_t>(mFdp, kSamplingRates));
452 if (i != (numRates - 1)) {
453 newRate += std::string(",");
454 }
455 }
456 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newRate.c_str()));
457 }
458 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("channelMasks"))) {
459 int isOutMask = -1;
460 char *value =
461 reinterpret_cast<char *>(xmlNodeListGetString(pDoc, attribute->children, 1));
462 if (std::string(value).find(std::string("_OUT_")) != std::string::npos) {
463 // OUT mask
464 isOutMask = 1;
465 } else if (std::string(value).find(std::string("_IN_")) != std::string::npos) {
466 // IN mask
467 isOutMask = 0;
468 }
469 if (isOutMask != -1) {
470 std::string newMask = "";
471 uint16_t numMasks = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
472 for (uint16_t i = 0; i < numMasks; ++i) {
473 if (isOutMask) {
474 newMask += std::string(audio_channel_out_mask_to_string(
475 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks)));
476 } else {
477 newMask += std::string(audio_channel_in_mask_to_string(
478 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks)));
479 }
480 if (i != (numMasks - 1)) {
481 newMask += std::string(",");
482 }
483 }
484 xmlSetProp(curr, attribute->name,
485 reinterpret_cast<const xmlChar *>(newMask.c_str()));
486 }
487 xmlFree(value);
488 }
489 attribute = attribute->next;
490 }
491
492 curr = curr->xmlChildrenNode;
493 while (curr != nullptr) {
494 traverseAndFuzzXML(pDoc, curr);
495 curr = curr->next;
496 }
497 }
498
fuzzXML(std::string xmlPath)499 std::string AudioPolicyManagerFuzzerWithConfigurationFile::fuzzXML(std::string xmlPath) {
500 std::string outPath = sFuzzedConfig;
501
502 // Load in the xml file from disk
503 xmlDocPtr pDoc = xmlParseFile(xmlPath.c_str());
504 xmlNodePtr root = xmlDocGetRootElement(pDoc);
505
506 traverseAndFuzzXML(pDoc, root);
507
508 // Save the document back out to disk.
509 xmlSaveFileEnc(outPath.c_str(), pDoc, "UTF-8");
510 xmlFreeDoc(pDoc);
511
512 return outPath;
513 }
514
515 class AudioPolicyManagerFuzzerMsd : public AudioPolicyManagerFuzzerWithConfigurationFile {
516 public:
AudioPolicyManagerFuzzerMsd(FuzzedDataProvider * fdp)517 explicit AudioPolicyManagerFuzzerMsd(FuzzedDataProvider *fdp)
518 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp) {}
519
520 protected:
521 std::string getConfigFile() override;
522
523 static inline const std::string sMsdConfig =
524 sExecutableDir + "data/test_audio_policy_msd_configuration.xml";
525 };
526
getConfigFile()527 std::string AudioPolicyManagerFuzzerMsd::getConfigFile() { return fuzzXML(sMsdConfig); }
528
529 using PolicyMixTuple = std::tuple<audio_usage_t, audio_source_t, uint32_t>;
530
531 class AudioPolicyManagerFuzzerDynamicPolicy : public AudioPolicyManagerFuzzerWithConfigurationFile {
532 public:
AudioPolicyManagerFuzzerDynamicPolicy(FuzzedDataProvider * fdp)533 explicit AudioPolicyManagerFuzzerDynamicPolicy(FuzzedDataProvider *fdp)
534 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
535 ~AudioPolicyManagerFuzzerDynamicPolicy() override;
536 void process() override;
537
538 protected:
539 status_t addPolicyMix(int mixType, int mixFlag, audio_devices_t deviceType,
540 std::string mixAddress, const audio_config_t &audioConfig,
541 const std::vector<PolicyMixTuple> &rules);
542 void clearPolicyMix();
543 void registerPolicyMixes();
544 void unregisterPolicyMixes();
545
546 Vector<AudioMix> mAudioMixes;
547 const std::string mMixAddress = "remote_submix_media";
548 };
549
~AudioPolicyManagerFuzzerDynamicPolicy()550 AudioPolicyManagerFuzzerDynamicPolicy::~AudioPolicyManagerFuzzerDynamicPolicy() {
551 clearPolicyMix();
552 }
553
addPolicyMix(int mixType,int mixFlag,audio_devices_t deviceType,std::string mixAddress,const audio_config_t & audioConfig,const std::vector<PolicyMixTuple> & rules)554 status_t AudioPolicyManagerFuzzerDynamicPolicy::addPolicyMix(
555 int mixType, int mixFlag, audio_devices_t deviceType, std::string mixAddress,
556 const audio_config_t &audioConfig, const std::vector<PolicyMixTuple> &rules) {
557 std::vector<AudioMixMatchCriterion> myMixMatchCriteria;
558
559 myMixMatchCriteria.reserve(rules.size());
560 for (const auto &rule : rules) {
561 myMixMatchCriteria.push_back(
562 AudioMixMatchCriterion(std::get<0>(rule), std::get<1>(rule), std::get<2>(rule)));
563 }
564
565 AudioMix myAudioMix(myMixMatchCriteria, mixType, audioConfig, mixFlag,
566 String8(mixAddress.c_str()), 0);
567 myAudioMix.mDeviceType = deviceType;
568 // Clear mAudioMix before add new one to make sure we don't add already existing mixes.
569 mAudioMixes.clear();
570 mAudioMixes.add(myAudioMix);
571
572 // As the policy mixes registration may fail at some case,
573 // caller need to check the returned status.
574 status_t ret = mManager->registerPolicyMixes(mAudioMixes);
575 return ret;
576 }
577
clearPolicyMix()578 void AudioPolicyManagerFuzzerDynamicPolicy::clearPolicyMix() {
579 if (mManager != nullptr) {
580 mManager->unregisterPolicyMixes(mAudioMixes);
581 }
582 mAudioMixes.clear();
583 }
584
registerPolicyMixes()585 void AudioPolicyManagerFuzzerDynamicPolicy::registerPolicyMixes() {
586 const uint32_t numPolicies = mFdp->ConsumeIntegralInRange<uint32_t>(1, MAX_MIXES_PER_POLICY);
587
588 for (int i = 0; i < numPolicies; ++i) {
589 audio_config_t audioConfig = AUDIO_CONFIG_INITIALIZER;
590 audioConfig.channel_mask = getValueFromVector<audio_channel_mask_t>(
591 mFdp, mFdp->ConsumeBool() ? kAudioChannelInMasks : kAudioChannelOutMasks);
592 audioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
593 audioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
594 addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
595 getValueFromVector<int>(mFdp, kMixRouteFlags),
596 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), "", audioConfig,
597 std::vector<PolicyMixTuple>());
598 }
599 }
600
unregisterPolicyMixes()601 void AudioPolicyManagerFuzzerDynamicPolicy::unregisterPolicyMixes() {
602 mManager->unregisterPolicyMixes(mAudioMixes);
603 }
604
process()605 void AudioPolicyManagerFuzzerDynamicPolicy::process() {
606 if (initialize()) {
607 registerPolicyMixes();
608 fuzzPatchCreation();
609 unregisterPolicyMixes();
610 }
611 }
612
613 class AudioPolicyManagerFuzzerDPNoRemoteSubmixModule
614 : public AudioPolicyManagerFuzzerDynamicPolicy {
615 public:
AudioPolicyManagerFuzzerDPNoRemoteSubmixModule(FuzzedDataProvider * fdp)616 explicit AudioPolicyManagerFuzzerDPNoRemoteSubmixModule(FuzzedDataProvider *fdp)
617 : AudioPolicyManagerFuzzerDynamicPolicy(fdp){};
618
619 protected:
620 std::string getConfigFile() override;
621
622 static inline const std::string sPrimaryOnlyConfig =
623 sExecutableDir + "data/test_audio_policy_primary_only_configuration.xml";
624 };
625
getConfigFile()626 std::string AudioPolicyManagerFuzzerDPNoRemoteSubmixModule::getConfigFile() {
627 return fuzzXML(sPrimaryOnlyConfig);
628 }
629
630 class AudioPolicyManagerFuzzerDPPlaybackReRouting : public AudioPolicyManagerFuzzerDynamicPolicy {
631 public:
632 explicit AudioPolicyManagerFuzzerDPPlaybackReRouting(FuzzedDataProvider *fdp);
633 ~AudioPolicyManagerFuzzerDPPlaybackReRouting() override;
634 void process() override;
635
636 protected:
637 bool initialize() override;
638 void playBackReRouting();
639
640 std::unique_ptr<RecordingActivityTracker> mTracker;
641
642 std::vector<PolicyMixTuple> mUsageRules = {
643 {AUDIO_USAGE_MEDIA, AUDIO_SOURCE_DEFAULT, RULE_MATCH_ATTRIBUTE_USAGE},
644 {AUDIO_USAGE_ALARM, AUDIO_SOURCE_DEFAULT, RULE_MATCH_ATTRIBUTE_USAGE}};
645
646 struct audio_port_v7 mInjectionPort;
647 audio_port_handle_t mPortId = AUDIO_PORT_HANDLE_NONE;
648 audio_config_t mAudioConfig;
649 };
650
AudioPolicyManagerFuzzerDPPlaybackReRouting(FuzzedDataProvider * fdp)651 AudioPolicyManagerFuzzerDPPlaybackReRouting::AudioPolicyManagerFuzzerDPPlaybackReRouting(
652 FuzzedDataProvider *fdp)
653 : AudioPolicyManagerFuzzerDynamicPolicy(fdp) {
654 const uint32_t numRules = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
655 for (int i = 0; i < numRules; ++i) {
656 PolicyMixTuple rule = {getValueFromVector<audio_usage_t>(mFdp, kAudioUsages),
657 getValueFromVector<audio_source_t>(mFdp, kAudioSources),
658 RULE_MATCH_ATTRIBUTE_USAGE};
659 mUsageRules.push_back(rule);
660 }
661 }
662
~AudioPolicyManagerFuzzerDPPlaybackReRouting()663 AudioPolicyManagerFuzzerDPPlaybackReRouting::~AudioPolicyManagerFuzzerDPPlaybackReRouting() {
664 mManager->stopInput(mPortId);
665 }
666
initialize()667 bool AudioPolicyManagerFuzzerDPPlaybackReRouting::initialize() {
668 if (!AudioPolicyManagerFuzzerDynamicPolicy::initialize()) {
669 return false;
670 }
671 mTracker.reset(new RecordingActivityTracker());
672
673 mAudioConfig = AUDIO_CONFIG_INITIALIZER;
674 mAudioConfig.channel_mask =
675 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks);
676 mAudioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
677 mAudioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
678 status_t ret = addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
679 getValueFromVector<int>(mFdp, kMixRouteFlags),
680 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
681 mMixAddress, mAudioConfig, mUsageRules);
682 if (ret != NO_ERROR) {
683 return false;
684 }
685
686 struct audio_port_v7 extractionPort;
687 findDevicePort(AUDIO_PORT_ROLE_SOURCE, getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
688 mMixAddress, &extractionPort);
689
690 audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
691 audio_source_t source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
692 audio_attributes_t attr = {AUDIO_CONTENT_TYPE_UNKNOWN, AUDIO_USAGE_UNKNOWN, source,
693 AUDIO_FLAG_NONE, ""};
694 std::string tags = "addr=" + mMixAddress;
695 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
696 getInputForAttr(attr, mTracker->getRiid(), &selectedDeviceId, mAudioConfig.format,
697 mAudioConfig.channel_mask, mAudioConfig.sample_rate, AUDIO_INPUT_FLAG_NONE,
698 &mPortId);
699
700 ret = mManager->startInput(mPortId);
701 if (ret != NO_ERROR) {
702 return false;
703 }
704 if (!findDevicePort(AUDIO_PORT_ROLE_SINK,
705 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), mMixAddress,
706 &mInjectionPort)) {
707 return false;
708 }
709
710 return true;
711 }
712
playBackReRouting()713 void AudioPolicyManagerFuzzerDPPlaybackReRouting::playBackReRouting() {
714 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
715 for (int i = 0; i < numTestCases; ++i) {
716 audio_attributes_t attr;
717 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
718 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
719 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
720 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
721 std::string tags(mFdp->ConsumeBool() ? "" : "addr=remote_submix_media");
722 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
723
724 audio_port_handle_t playbackRoutedPortId = AUDIO_PORT_HANDLE_NONE;
725 getOutputForAttr(&playbackRoutedPortId, mAudioConfig.format, mAudioConfig.channel_mask,
726 mAudioConfig.sample_rate, AUDIO_OUTPUT_FLAG_NONE, nullptr /*output*/,
727 nullptr /*portId*/, attr);
728 }
729 }
730
process()731 void AudioPolicyManagerFuzzerDPPlaybackReRouting::process() {
732 if (initialize()) {
733 playBackReRouting();
734 registerPolicyMixes();
735 fuzzPatchCreation();
736 unregisterPolicyMixes();
737 }
738 }
739
740 class AudioPolicyManagerFuzzerDPMixRecordInjection : public AudioPolicyManagerFuzzerDynamicPolicy {
741 public:
742 explicit AudioPolicyManagerFuzzerDPMixRecordInjection(FuzzedDataProvider *fdp);
743 ~AudioPolicyManagerFuzzerDPMixRecordInjection() override;
744 void process() override;
745
746 protected:
747 bool initialize() override;
748 void recordingInjection();
749
750 std::unique_ptr<RecordingActivityTracker> mTracker;
751
752 std::vector<PolicyMixTuple> mSourceRules = {
753 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_CAMCORDER, RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET},
754 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_MIC, RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET},
755 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_VOICE_COMMUNICATION,
756 RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET}};
757
758 struct audio_port_v7 mExtractionPort;
759 audio_port_handle_t mPortId = AUDIO_PORT_HANDLE_NONE;
760 audio_config_t mAudioConfig;
761 };
762
AudioPolicyManagerFuzzerDPMixRecordInjection(FuzzedDataProvider * fdp)763 AudioPolicyManagerFuzzerDPMixRecordInjection::AudioPolicyManagerFuzzerDPMixRecordInjection(
764 FuzzedDataProvider *fdp)
765 : AudioPolicyManagerFuzzerDynamicPolicy(fdp) {
766 const uint32_t numRules = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
767 for (int i = 0; i < numRules; ++i) {
768 PolicyMixTuple rule = {getValueFromVector<audio_usage_t>(mFdp, kAudioUsages),
769 getValueFromVector<audio_source_t>(mFdp, kAudioSources),
770 RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET};
771 mSourceRules.push_back(rule);
772 }
773 }
774
~AudioPolicyManagerFuzzerDPMixRecordInjection()775 AudioPolicyManagerFuzzerDPMixRecordInjection::~AudioPolicyManagerFuzzerDPMixRecordInjection() {
776 mManager->stopOutput(mPortId);
777 }
778
initialize()779 bool AudioPolicyManagerFuzzerDPMixRecordInjection::initialize() {
780 if (!AudioPolicyManagerFuzzerDynamicPolicy::initialize()) {
781 return false;
782 }
783
784 mTracker.reset(new RecordingActivityTracker());
785
786 mAudioConfig = AUDIO_CONFIG_INITIALIZER;
787 mAudioConfig.channel_mask =
788 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks);
789 mAudioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
790 mAudioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
791 status_t ret = addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
792 getValueFromVector<int>(mFdp, kMixRouteFlags),
793 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
794 mMixAddress, mAudioConfig, mSourceRules);
795 if (ret != NO_ERROR) {
796 return false;
797 }
798
799 struct audio_port_v7 injectionPort;
800 findDevicePort(AUDIO_PORT_ROLE_SINK, getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
801 mMixAddress, &injectionPort);
802
803 audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
804 audio_usage_t usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
805 audio_attributes_t attr = {AUDIO_CONTENT_TYPE_UNKNOWN, usage, AUDIO_SOURCE_DEFAULT,
806 AUDIO_FLAG_NONE, ""};
807 std::string tags = std::string("addr=") + mMixAddress;
808 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
809 getOutputForAttr(&selectedDeviceId, mAudioConfig.format, mAudioConfig.channel_mask,
810 mAudioConfig.sample_rate /*sampleRate*/, AUDIO_OUTPUT_FLAG_NONE,
811 nullptr /*output*/, &mPortId, attr);
812 ret = mManager->startOutput(mPortId);
813 if (ret != NO_ERROR) {
814 return false;
815 }
816 getDeviceIdFromPatch(mClient->getLastAddedPatch());
817 if (!findDevicePort(AUDIO_PORT_ROLE_SOURCE,
818 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), mMixAddress,
819 &mExtractionPort)) {
820 return false;
821 }
822
823 return true;
824 }
825
recordingInjection()826 void AudioPolicyManagerFuzzerDPMixRecordInjection::recordingInjection() {
827 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
828 for (int i = 0; i < numTestCases; ++i) {
829 audio_attributes_t attr;
830 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
831 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
832 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
833 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
834 std::string tags(mFdp->ConsumeBool() ? "" : "addr=remote_submix_media");
835 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
836
837 audio_port_handle_t captureRoutedPortId = AUDIO_PORT_HANDLE_NONE;
838 audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE;
839 getInputForAttr(attr, mTracker->getRiid(), &captureRoutedPortId, mAudioConfig.format,
840 mAudioConfig.channel_mask, mAudioConfig.sample_rate, AUDIO_INPUT_FLAG_NONE,
841 &portId);
842 }
843 }
844
process()845 void AudioPolicyManagerFuzzerDPMixRecordInjection::process() {
846 if (initialize()) {
847 recordingInjection();
848 registerPolicyMixes();
849 fuzzPatchCreation();
850 unregisterPolicyMixes();
851 }
852 }
853
854 using DeviceConnectionTestParams =
855 std::tuple<audio_devices_t /*type*/, std::string /*name*/, std::string /*address*/>;
856
857 class AudioPolicyManagerFuzzerDeviceConnection
858 : public AudioPolicyManagerFuzzerWithConfigurationFile {
859 public:
AudioPolicyManagerFuzzerDeviceConnection(FuzzedDataProvider * fdp)860 explicit AudioPolicyManagerFuzzerDeviceConnection(FuzzedDataProvider *fdp)
861 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
862 void process() override;
863
864 void fuzzGetDirectPlaybackSupport();
865 void fuzzGetDirectProfilesForAttributes();
866
867 protected:
868 void setDeviceConnectionState();
869 void explicitlyRoutingAfterConnection();
870 };
871
setDeviceConnectionState()872 void AudioPolicyManagerFuzzerDeviceConnection::setDeviceConnectionState() {
873 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
874 for (int i = 0; i < numTestCases; ++i) {
875 const audio_devices_t type = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
876 const std::string name = mFdp->ConsumeRandomLengthString();
877 const std::string address = mFdp->ConsumeRandomLengthString();
878 mManager->setDeviceConnectionState(
879 type, getValueFromVector<audio_policy_dev_state_t>(mFdp, kAudioPolicyDeviceStates),
880 address.c_str(), name.c_str(), getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
881 }
882 }
883
explicitlyRoutingAfterConnection()884 void AudioPolicyManagerFuzzerDeviceConnection::explicitlyRoutingAfterConnection() {
885 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
886 for (int i = 0; i < numTestCases; ++i) {
887 const audio_devices_t type = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
888 const std::string name = mFdp->ConsumeRandomLengthString();
889 const std::string address = mFdp->ConsumeRandomLengthString();
890 mManager->setDeviceConnectionState(
891 type, getValueFromVector<audio_policy_dev_state_t>(mFdp, kAudioPolicyDeviceStates),
892 address.c_str(), name.c_str(), getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
893
894 audio_port_v7 devicePort;
895 const audio_port_role_t role =
896 audio_is_output_device(type) ? AUDIO_PORT_ROLE_SINK : AUDIO_PORT_ROLE_SOURCE;
897 findDevicePort(role, type, address, &devicePort);
898
899 audio_port_handle_t routedPortId = devicePort.id;
900 // Try start input or output according to the device type
901 if (audio_is_output_devices(type)) {
902 getOutputForAttr(&routedPortId, getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
903 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks),
904 getValueFromVector<uint32_t>(mFdp, kSamplingRates),
905 AUDIO_OUTPUT_FLAG_NONE);
906 } else if (audio_is_input_device(type)) {
907 RecordingActivityTracker tracker;
908 getInputForAttr({}, tracker.getRiid(), &routedPortId,
909 getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
910 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks),
911 getValueFromVector<uint32_t>(mFdp, kSamplingRates),
912 AUDIO_INPUT_FLAG_NONE);
913 }
914 }
915 }
916
fuzzGetDirectPlaybackSupport()917 void AudioPolicyManagerFuzzerDeviceConnection::fuzzGetDirectPlaybackSupport() {
918 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
919 for (int i = 0; i < numTestCases; ++i) {
920 audio_attributes_t attr = AUDIO_ATTRIBUTES_INITIALIZER;
921 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
922 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
923 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
924 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
925 audio_config_t config = AUDIO_CONFIG_INITIALIZER;
926 config.channel_mask = getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks);
927 config.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
928 config.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
929 mManager->getDirectPlaybackSupport(&attr, &config);
930 }
931 }
932
fuzzGetDirectProfilesForAttributes()933 void AudioPolicyManagerFuzzerDeviceConnection::fuzzGetDirectProfilesForAttributes() {
934 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
935 for (int i = 0; i < numTestCases; ++i) {
936 AudioProfileVector audioProfiles;
937 audio_attributes_t attr = AUDIO_ATTRIBUTES_INITIALIZER;
938 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
939 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
940 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
941 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
942 mManager->getDirectProfilesForAttributes(&attr, audioProfiles);
943 }
944 }
945
process()946 void AudioPolicyManagerFuzzerDeviceConnection::process() {
947 if (initialize()) {
948 setDeviceConnectionState();
949 explicitlyRoutingAfterConnection();
950 fuzzGetDirectPlaybackSupport();
951 fuzzGetDirectProfilesForAttributes();
952 fuzzPatchCreation();
953 }
954 }
955
956 class AudioPolicyManagerTVFuzzer : public AudioPolicyManagerFuzzerWithConfigurationFile {
957 public:
AudioPolicyManagerTVFuzzer(FuzzedDataProvider * fdp)958 explicit AudioPolicyManagerTVFuzzer(FuzzedDataProvider *fdp)
959 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
960 void process() override;
961
962 protected:
963 std::string getConfigFile();
964 void testHDMIPortSelection(audio_output_flags_t flags);
965
966 static inline const std::string sTvConfig =
967 AudioPolicyManagerTVFuzzer::sExecutableDir + "data/test_tv_apm_configuration.xml";
968 };
969
getConfigFile()970 std::string AudioPolicyManagerTVFuzzer::getConfigFile() { return fuzzXML(sTvConfig); }
971
testHDMIPortSelection(audio_output_flags_t flags)972 void AudioPolicyManagerTVFuzzer::testHDMIPortSelection(audio_output_flags_t flags) {
973 audio_devices_t audioDevice = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
974 audio_format_t audioFormat = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
975 status_t ret = mManager->setDeviceConnectionState(
976 audioDevice, AUDIO_POLICY_DEVICE_STATE_AVAILABLE, "" /*address*/, "" /*name*/, audioFormat);
977 if (ret != NO_ERROR) {
978 return;
979 }
980 audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
981 audio_io_handle_t output;
982 audio_port_handle_t portId;
983 getOutputForAttr(&selectedDeviceId, getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
984 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks),
985 getValueFromVector<uint32_t>(mFdp, kSamplingRates), flags, &output, &portId);
986 sp<SwAudioOutputDescriptor> outDesc = mManager->getOutputs().valueFor(output);
987 if (outDesc.get() == nullptr) {
988 return;
989 }
990 audio_port_v7 port = {};
991 outDesc->toAudioPort(&port);
992 mManager->releaseOutput(portId);
993 mManager->setDeviceConnectionState(audioDevice, AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE,
994 "" /*address*/, "" /*name*/, audioFormat);
995 }
996
process()997 void AudioPolicyManagerTVFuzzer::process() {
998 if (initialize()) {
999 testHDMIPortSelection(getValueFromVector<audio_output_flags_t>(mFdp, kAudioOutputFlags));
1000 fuzzPatchCreation();
1001 }
1002 }
1003
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)1004 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
1005 if (size < 1) {
1006 return 0;
1007 }
1008 FuzzedDataProvider fdp = FuzzedDataProvider(data, size);
1009 while (fdp.remaining_bytes() > 0) {
1010 AudioPolicyManagerFuzzer audioPolicyManagerFuzzer(&fdp);
1011 audioPolicyManagerFuzzer.process();
1012
1013 AudioPolicyManagerFuzzerMsd audioPolicyManagerFuzzerMsd(&fdp);
1014 audioPolicyManagerFuzzerMsd.process();
1015
1016 AudioPolicyManagerFuzzerWithConfigurationFile audioPolicyManagerFuzzerWithConfigurationFile(
1017 &fdp);
1018 audioPolicyManagerFuzzerWithConfigurationFile.process();
1019
1020 AudioPolicyManagerFuzzerDynamicPolicy audioPolicyManagerFuzzerDynamicPolicy(&fdp);
1021 audioPolicyManagerFuzzerDynamicPolicy.process();
1022
1023 AudioPolicyManagerFuzzerDPNoRemoteSubmixModule
1024 audioPolicyManagerFuzzerDPNoRemoteSubmixModule(&fdp);
1025 audioPolicyManagerFuzzerDPNoRemoteSubmixModule.process();
1026
1027 AudioPolicyManagerFuzzerDPPlaybackReRouting audioPolicyManagerFuzzerDPPlaybackReRouting(
1028 &fdp);
1029 audioPolicyManagerFuzzerDPPlaybackReRouting.process();
1030
1031 AudioPolicyManagerFuzzerDPMixRecordInjection audioPolicyManagerFuzzerDPMixRecordInjection(
1032 &fdp);
1033 audioPolicyManagerFuzzerDPMixRecordInjection.process();
1034
1035 AudioPolicyManagerFuzzerDeviceConnection audioPolicyManagerFuzzerDeviceConnection(&fdp);
1036 audioPolicyManagerFuzzerDeviceConnection.process();
1037
1038 AudioPolicyManagerTVFuzzer audioPolicyManagerTVFuzzer(&fdp);
1039 audioPolicyManagerTVFuzzer.process();
1040 }
1041 return 0;
1042 }
1043