1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <cstddef>
17 #include <cstdint>
18
19 #include "avsession_item.h"
20 #include "ipc_skeleton.h"
21 #include "avcontroller_callback_proxy.h"
22 #include "avsession_controller_stub.h"
23 #include "avsession_errors.h"
24 #include "system_ability_definition.h"
25 #include "avsession_service.h"
26 #include "avcontrolleritem_fuzzer.h"
27
28 using namespace std;
29 namespace OHOS {
30 namespace AVSession {
31 const int32_t MAX_CODE_TEST = 17;
32 const int32_t MAX_CODE_LEN = 512;
33 const int32_t MIN_SIZE_NUM = 4;
34
FuzzOnRemoteRequest(const uint8_t * data,size_t size)35 void AvControllerItemFuzzer::FuzzOnRemoteRequest(const uint8_t* data, size_t size)
36 {
37 if ((data == nullptr) || (size > MAX_CODE_LEN) || (size < MIN_SIZE_NUM)) {
38 return;
39 }
40 sptr<AVControllerItem> avControllerItem;
41 std::string tag(reinterpret_cast<const char*>(data), size);
42 int32_t type = *reinterpret_cast<const int32_t*>(data);
43 std::string bundleName(reinterpret_cast<const char*>(data), size);
44 std::string abilityName(reinterpret_cast<const char*>(data), size);
45 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
46 CHECK_AND_RETURN_LOG(service != nullptr, "service is null");
47 AppExecFwk::ElementName elementName;
48 elementName.SetBundleName(bundleName);
49 elementName.SetAbilityName(abilityName);
50 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
51 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
52 CHECK_AND_RETURN_LOG(avSessionItem != nullptr, "avSessionItem is null");
53 uint32_t code = *(reinterpret_cast<const uint32_t*>(data));
54 CHECK_AND_RETURN_LOG(code < MAX_CODE_TEST, "Unsupport code");
55 sptr<IRemoteObject> avControllerItemObj;
56 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
57 CHECK_AND_RETURN_LOG(ret == AVSESSION_SUCCESS, "CreateControllerInner failed");
58 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
59 CHECK_AND_RETURN_LOG(avControllerItem != nullptr, "avControllerItem is null");
60 MessageParcel dataMessageParcel;
61 MessageParcel reply;
62 MessageOption option;
63 if (!dataMessageParcel.WriteInterfaceToken(avControllerItem->GetDescriptor())) {
64 return;
65 }
66 size -= sizeof(uint32_t);
67 dataMessageParcel.WriteBuffer(data + sizeof(uint32_t), size);
68 dataMessageParcel.RewindRead(0);
69 avControllerItem->OnRemoteRequest(code, dataMessageParcel, reply, option);
70 avControllerItem->Destroy();
71 }
72
AvControllerItemRemoteRequestTest(const uint8_t * data,size_t size)73 void AvControllerItemRemoteRequestTest(const uint8_t* data, size_t size)
74 {
75 auto avControllerItemFuzzer = std::make_unique<AvControllerItemFuzzer>();
76 if (avControllerItemFuzzer == nullptr) {
77 return;
78 }
79 avControllerItemFuzzer->FuzzOnRemoteRequest(data, size);
80 }
81
AvControllerItemDataTest(const uint8_t * data,size_t size)82 void AvControllerItemDataTest(const uint8_t* data, size_t size)
83 {
84 CHECK_AND_RETURN_LOG((data != nullptr) && (size <= MAX_CODE_LEN) && (size >= MIN_SIZE_NUM), "Invalid data");
85 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
86 CHECK_AND_RETURN_LOG(service != nullptr, "service is null");
87 std::string tag(reinterpret_cast<const char*>(data), size);
88 int32_t type = *reinterpret_cast<const int32_t*>(data);
89 std::string bundleName(reinterpret_cast<const char*>(data), size);
90 std::string abilityName(reinterpret_cast<const char*>(data), size);
91 AppExecFwk::ElementName elementName;
92 elementName.SetBundleName(bundleName);
93 elementName.SetAbilityName(abilityName);
94 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
95 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
96 CHECK_AND_RETURN_LOG(avSessionItem != nullptr, "avSessionItem is null");
97 sptr<AVControllerItem> avControllerItem;
98 sptr<IRemoteObject> avControllerItemObj;
99 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
100 CHECK_AND_RETURN_LOG(ret == AVSESSION_SUCCESS, "CreateControllerInner fail");
101 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
102 CHECK_AND_RETURN_LOG(avControllerItem != nullptr, "avControllerItem is null");
103 auto avControllerItemFuzzer = std::make_unique<AvControllerItemFuzzer>();
104 CHECK_AND_RETURN_LOG(avControllerItemFuzzer != nullptr, "avControllerItemFuzzer is null");
105 AVPlaybackState playbackstate;
106 avControllerItem->GetAVPlaybackState(playbackstate);
107 AVMetaData metaData;
108 avControllerItem->GetAVMetaData(metaData);
109 std::vector<int32_t> cmds;
110 avControllerItem->GetValidCommands(cmds);
111 AVPlaybackState::PlaybackStateMaskType playBackFilter;
112 playBackFilter.set(*(reinterpret_cast<const int32_t*>(data)));
113 avControllerItem->SetPlaybackFilter(playBackFilter);
114
115 AvControllerItemDataTestSecond(avControllerItem, data, size);
116 }
117
AvControllerItemDataTestSecond(sptr<AVControllerItem> avControllerItem,const uint8_t * data,size_t size)118 void AvControllerItemDataTestSecond(sptr<AVControllerItem> avControllerItem, const uint8_t* data, size_t size)
119 {
120 std::string sessionId(reinterpret_cast<const char*>(data), size);
121 avControllerItem->GetSessionId();
122 avControllerItem->GetPid();
123 avControllerItem->HasSession(sessionId);
124 auto keyEvent = MMI::KeyEvent::Create();
125 keyEvent->SetKeyCode(*(reinterpret_cast<const int32_t*>(data)));
126 MMI::KeyEvent::KeyItem item;
127 item.SetKeyCode(*(reinterpret_cast<const int32_t*>(data)));
128 keyEvent->AddKeyItem(item);
129 bool isActive = *(reinterpret_cast<const bool*>(data));
130 avControllerItem->IsSessionActive(isActive);
131 avControllerItem->SendAVKeyEvent(*(keyEvent.get()));
132 AbilityRuntime::WantAgent::WantAgent ability;
133 avControllerItem->GetLaunchAbility(ability);
134 uint32_t code = *(reinterpret_cast<const uint32_t*>(data));
135 if (code <= AVMetaData::META_KEY_MAX) {
136 AVMetaData::MetaMaskType metaFilter;
137 metaFilter.set(code);
138 avControllerItem->SetMetaFilter(metaFilter);
139 }
140 if (code <= AVControlCommand::SESSION_CMD_MAX) {
141 AVControlCommand command;
142 command.SetCommand(code);
143 avControllerItem->SendControlCommand(command);
144 }
145 avControllerItem->Destroy();
146 }
147
AvControllerItemTest(const uint8_t * data,size_t size)148 void AvControllerItemTest(const uint8_t* data, size_t size)
149 {
150 if ((data == nullptr) || (size > MAX_CODE_LEN) || (size < MIN_SIZE_NUM)) {
151 return;
152 }
153 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
154 if (!service) {
155 SLOGI("service is null");
156 return;
157 }
158 std::string tag(reinterpret_cast<const char*>(data), size);
159 int32_t type = *reinterpret_cast<const int32_t*>(data);
160 std::string bundleName(reinterpret_cast<const char*>(data), size);
161 std::string abilityName(reinterpret_cast<const char*>(data), size);
162 AppExecFwk::ElementName elementName;
163 elementName.SetBundleName(bundleName);
164 elementName.SetAbilityName(abilityName);
165 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type, elementName);
166 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
167 if (!avSessionItem) {
168 SLOGI("avSessionItem is null");
169 return;
170 }
171 sptr<AVControllerItem> avControllerItem;
172 sptr<IRemoteObject> avControllerItemObj;
173 std::string sessionId(reinterpret_cast<const char*>(data), size);
174 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
175 if (ret != AVSESSION_SUCCESS) {
176 SLOGI("CreateControllerInner fail");
177 return;
178 }
179 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
180 if (!avControllerItem) {
181 SLOGI("avControllerItem is null");
182 return;
183 }
184 AvControllerItemTestImpl(data, size, avControllerItem);
185 }
186
AvControllerItemTestImpl(const uint8_t * data,size_t size,sptr<AVControllerItem> avControllerItem)187 void AvControllerItemTestImpl(const uint8_t* data, size_t size,
188 sptr<AVControllerItem> avControllerItem)
189 {
190 std::string deviceId(reinterpret_cast<const char*>(data), size);
191 AVPlaybackState controllerBackState;
192 controllerBackState.SetState(*(reinterpret_cast<const int32_t*>(data)));
193 avControllerItem->HandlePlaybackStateChange(controllerBackState);
194 AVMetaData controllerMetaData;
195 controllerMetaData.Reset();
196 controllerMetaData.SetAssetId(deviceId);
197 avControllerItem->HandleMetaDataChange(controllerMetaData);
198 avControllerItem->HandleActiveStateChange(*(reinterpret_cast<const bool*>(data)));
199 std::vector<int32_t> controlCmds;
200 controlCmds.push_back(*(reinterpret_cast<const int32_t*>(data)));
201 avControllerItem->HandleValidCommandChange(controlCmds);
202 int32_t connectionState = 0;
203 OutputDeviceInfo outputDeviceInfo;
204 DeviceInfo deviceInfo;
205 deviceInfo.castCategory_ = *(reinterpret_cast<const int32_t*>(data));
206 deviceInfo.deviceId_ = deviceId;
207 outputDeviceInfo.deviceInfos_.push_back(deviceInfo);
208 avControllerItem->HandleOutputDeviceChange(connectionState, outputDeviceInfo);
209 avControllerItem->HandleSessionDestroy();
210 avControllerItem->Destroy();
211 }
212
213
214 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)215 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
216 {
217 /* Run your code on data */
218 AvControllerItemRemoteRequestTest(data, size);
219 AvControllerItemDataTest(data, size);
220 AvControllerItemTest(data, size);
221 return 0;
222 }
223 } // namespace AVSession
224 } // namespace OHOS
225