1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "avmetadata_service_proxy_fuzzer.h"
17 #include <iostream>
18 #include <fcntl.h>
19 #include <unistd.h>
20 #include <sys/stat.h>
21
22 namespace OHOS {
23 namespace Media {
AVMetadataServiceProxyFuzzer(const sptr<IRemoteObject> & impl)24 AVMetadataServiceProxyFuzzer::AVMetadataServiceProxyFuzzer(const sptr<IRemoteObject> &impl)
25 : IRemoteProxy<IStandardAVMetadataHelperService>(impl)
26 {
27 avmetaFuncs_[SET_URI_SOURCE] = &AVMetadataServiceProxyFuzzer::SetUriSource;
28 avmetaFuncs_[SET_FD_SOURCE] = &AVMetadataServiceProxyFuzzer::SetFdSource;
29 avmetaFuncs_[RESOLVE_METADATA] = &AVMetadataServiceProxyFuzzer::ResolveMetadata;
30 avmetaFuncs_[RESOLVE_METADATA_MAP] = &AVMetadataServiceProxyFuzzer::ResolveMetadataMap;
31 avmetaFuncs_[FETCH_ART_PICTURE] = &AVMetadataServiceProxyFuzzer::FetchArtPicture;
32 avmetaFuncs_[FETCH_FRAME_AT_TIME] = &AVMetadataServiceProxyFuzzer::FetchFrameAtTime;
33 avmetaFuncs_[RELEASE] = &AVMetadataServiceProxyFuzzer::Release;
34 avmetaFuncs_[DESTROY] = &AVMetadataServiceProxyFuzzer::DestroyStub;
35 }
36
Create()37 sptr<AVMetadataServiceProxyFuzzer> AVMetadataServiceProxyFuzzer::Create()
38 {
39 auto samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
40 sptr<IRemoteObject> object = samgr->GetSystemAbility(OHOS::PLAYER_DISTRIBUTED_SERVICE_ID);
41 if (object == nullptr) {
42 std::cout << "media object is nullptr." << std::endl;
43 return nullptr;
44 }
45 sptr<IStandardMediaService> mediaProxy = iface_cast<IStandardMediaService>(object);
46 if (mediaProxy == nullptr) {
47 std::cout << "mediaProxy is nullptr." << std::endl;
48 return nullptr;
49 }
50 sptr<IRemoteObject> listenerStub = new(std::nothrow) MediaListenerStubFuzzer();
51 sptr<IRemoteObject> avmetaObject = mediaProxy->GetSubSystemAbility(
52 IStandardMediaService::MediaSystemAbility::MEDIA_AVMETADATAHELPER, listenerStub);
53 if (avmetaObject == nullptr) {
54 std::cout << "avmetaObject is nullptr." << std::endl;
55 return nullptr;
56 }
57
58 sptr<AVMetadataServiceProxyFuzzer> avmetaProxy = iface_cast<AVMetadataServiceProxyFuzzer>(avmetaObject);
59 if (avmetaProxy == nullptr) {
60 std::cout << "avmetaProxy is nullptr." << std::endl;
61 return nullptr;
62 }
63 return avmetaProxy;
64 }
65
SendRequest(int32_t code,uint8_t * inputData,size_t size,bool isFuzz)66 void AVMetadataServiceProxyFuzzer::SendRequest(int32_t code, uint8_t *inputData, size_t size, bool isFuzz)
67 {
68 auto itFunc = avmetaFuncs_.find(code);
69 if (itFunc != avmetaFuncs_.end()) {
70 auto memberFunc = itFunc->second;
71 if (memberFunc != nullptr) {
72 (this->*memberFunc)(inputData, size, isFuzz);
73 }
74 }
75 }
76
SetUriSource(uint8_t * inputData,size_t size,bool isFuzz)77 int32_t AVMetadataServiceProxyFuzzer::SetUriSource(uint8_t *inputData, size_t size, bool isFuzz)
78 {
79 MessageParcel data;
80 MessageParcel reply;
81 MessageOption option;
82
83 bool token = data.WriteInterfaceToken(AVMetadataServiceProxyFuzzer::GetDescriptor());
84 if (!token) {
85 std::cout << "Failed to write descriptor!" << std::endl;
86 return false;
87 }
88 std::string url(reinterpret_cast<const char *>(inputData), size);
89 (void)data.WriteString(url);
90 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
91 return SendRequest(SET_URI_SOURCE, data, reply, option);
92 }
93
SetFdSource(uint8_t * inputData,size_t size,bool isFuzz)94 int32_t AVMetadataServiceProxyFuzzer::SetFdSource(uint8_t *inputData, size_t size, bool isFuzz)
95 {
96 MessageParcel data;
97 MessageParcel reply;
98 MessageOption option;
99
100 bool token = data.WriteInterfaceToken(AVMetadataServiceProxyFuzzer::GetDescriptor());
101 if (!token) {
102 std::cout << "Failed to write descriptor!" << std::endl;
103 return false;
104 }
105
106 int32_t fdValue;
107 int64_t offsetValue;
108 int64_t lengthValue;
109 int32_t usage;
110 if (isFuzz) {
111 fdValue = *reinterpret_cast<int32_t *>(inputData);
112 lengthValue = *reinterpret_cast<int64_t *>(inputData);
113 offsetValue = *reinterpret_cast<uint32_t *>(inputData) % *reinterpret_cast<int64_t *>(inputData);
114 usage = *reinterpret_cast<int32_t *>(inputData);
115 (void)data.WriteFileDescriptor(fdValue);
116 (void)data.WriteInt64(offsetValue);
117 (void)data.WriteInt64(lengthValue);
118 (void)data.WriteInt32(usage);
119 return SendRequest(SET_FD_SOURCE, data, reply, option);
120 } else {
121 const std::string path = "/data/test/media/H264_AAC.mp4";
122 fdValue = open(path.c_str(), O_RDONLY);
123 offsetValue = 0;
124 if (fdValue < 0) {
125 std::cout << "Open file failed" << std::endl;
126 (void)close(fdValue);
127 return -1;
128 }
129
130 struct stat64 buffer;
131 if (fstat64(fdValue, &buffer) != 0) {
132 std::cout << "Get file state failed" << std::endl;
133 (void)close(fdValue);
134 return -1;
135 }
136 lengthValue = static_cast<int64_t>(buffer.st_size);
137 usage = AVMetadataUsage::AV_META_USAGE_PIXEL_MAP;
138 (void)data.WriteFileDescriptor(fdValue);
139 (void)data.WriteInt64(offsetValue);
140 (void)data.WriteInt64(lengthValue);
141 (void)data.WriteInt32(usage);
142 int32_t ret = SendRequest(SET_FD_SOURCE, data, reply, option);
143 (void)close(fdValue);
144 return ret;
145 }
146 }
147
ResolveMetadata(uint8_t * inputData,size_t size,bool isFuzz)148 int32_t AVMetadataServiceProxyFuzzer::ResolveMetadata(uint8_t *inputData, size_t size, bool isFuzz)
149 {
150 (void)size;
151 (void)isFuzz;
152 MessageParcel data;
153 MessageParcel reply;
154 MessageOption option;
155
156 bool token = data.WriteInterfaceToken(AVMetadataServiceProxyFuzzer::GetDescriptor());
157 if (!token) {
158 std::cout << "Failed to write descriptor!" << std::endl;
159 return false;
160 }
161 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
162 return SendRequest(RESOLVE_METADATA, data, reply, option);
163 }
164
ResolveMetadataMap(uint8_t * inputData,size_t size,bool isFuzz)165 int32_t AVMetadataServiceProxyFuzzer::ResolveMetadataMap(uint8_t *inputData, size_t size, bool isFuzz)
166 {
167 (void)size;
168 (void)isFuzz;
169 MessageParcel data;
170 MessageParcel reply;
171 MessageOption option;
172
173 bool token = data.WriteInterfaceToken(AVMetadataServiceProxyFuzzer::GetDescriptor());
174 if (!token) {
175 std::cout << "Failed to write descriptor!" << std::endl;
176 return false;
177 }
178 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
179 return SendRequest(RESOLVE_METADATA_MAP, data, reply, option);
180 }
181
FetchArtPicture(uint8_t * inputData,size_t size,bool isFuzz)182 int32_t AVMetadataServiceProxyFuzzer::FetchArtPicture(uint8_t *inputData, size_t size, bool isFuzz)
183 {
184 (void)size;
185 (void)isFuzz;
186 MessageParcel data;
187 MessageParcel reply;
188 MessageOption option;
189
190 bool token = data.WriteInterfaceToken(AVMetadataServiceProxyFuzzer::GetDescriptor());
191 if (!token) {
192 std::cout << "Failed to write descriptor!" << std::endl;
193 return false;
194 }
195 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
196 return SendRequest(FETCH_ART_PICTURE, data, reply, option);
197 }
198
FetchFrameAtTime(uint8_t * inputData,size_t size,bool isFuzz)199 int32_t AVMetadataServiceProxyFuzzer::FetchFrameAtTime(uint8_t *inputData, size_t size, bool isFuzz)
200 {
201 (void)size;
202 (void)isFuzz;
203 MessageParcel data;
204 MessageParcel reply;
205 MessageOption option;
206
207 bool token = data.WriteInterfaceToken(AVMetadataServiceProxyFuzzer::GetDescriptor());
208 if (!token) {
209 std::cout << "Failed to write descriptor!" << std::endl;
210 return false;
211 }
212 (void)data.WriteInt64(*reinterpret_cast<int64_t *>(inputData));
213 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
214 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
215 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
216 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
217 return SendRequest(FETCH_FRAME_AT_TIME, data, reply, option);
218 }
219
Release(uint8_t * inputData,size_t size,bool isFuzz)220 int32_t AVMetadataServiceProxyFuzzer::Release(uint8_t *inputData, size_t size, bool isFuzz)
221 {
222 (void)size;
223 (void)isFuzz;
224 MessageParcel data;
225 MessageParcel reply;
226 MessageOption option;
227
228 bool token = data.WriteInterfaceToken(AVMetadataServiceProxyFuzzer::GetDescriptor());
229 if (!token) {
230 std::cout << "Failed to write descriptor!" << std::endl;
231 return false;
232 }
233 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
234 return SendRequest(RELEASE, data, reply, option);
235 }
236
DestroyStub(uint8_t * inputData,size_t size,bool isFuzz)237 int32_t AVMetadataServiceProxyFuzzer::DestroyStub(uint8_t *inputData, size_t size, bool isFuzz)
238 {
239 (void)size;
240 MessageParcel data;
241 MessageParcel reply;
242 MessageOption option;
243
244 bool token = data.WriteInterfaceToken(AVMetadataServiceProxyFuzzer::GetDescriptor());
245 if (!token) {
246 std::cout << "Failed to write descriptor!" << std::endl;
247 return false;
248 }
249 if (isFuzz) {
250 (void)data.WriteInt32(*reinterpret_cast<int32_t *>(inputData));
251 }
252 return SendRequest(DESTROY, data, reply, option);
253 }
254
SendRequest(uint32_t code,MessageParcel & data,MessageParcel & reply,MessageOption & option)255 int32_t AVMetadataServiceProxyFuzzer::SendRequest(uint32_t code,
256 MessageParcel &data, MessageParcel &reply, MessageOption &option)
257 {
258 return Remote()->SendRequest(code, data, reply, option);
259 }
260 }
261 }