1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <iostream>
17 #include <cstddef>
18 #include <cstdint>
19
20 #include "accesstoken_kit.h"
21 #include "message_parcel.h"
22 #include "nativetoken_kit.h"
23 #include "token_setproc.h"
24 #include "access_token.h"
25 #include "securec.h"
26 #include "parameter.h"
27
28 #include "audio_info.h"
29 #include "audio_server.h"
30 #include "audio_service.h"
31 #include "audio_process_config.h"
32 #include "audio_utils.h"
33 #include "audio_stream_info.h"
34
35 namespace OHOS {
36 namespace AudioStandard {
// Interface token written at the head of every fuzzed MessageParcel.
// NOTE(review): the constant is named after FORMMGR but carries the audio service descriptor — confirm the name.
const std::u16string FORMMGR_INTERFACE_TOKEN = u"IStandardAudioService";
// System ability id used to construct the AudioServer under test.
constexpr int32_t SYSTEM_ABILITY_ID = 3001;
// System ability id reported to AudioServer::OnAddSystemAbility during one-time setup.
constexpr int32_t POLICY_SYSTEM_ABILITY_ID = 3009;
// Modulus used to fold fuzz values into a two-valued range (0 or 1).
constexpr uint32_t LIMIT_TWO = 2;
// Second constructor argument of the AudioServer under test.
constexpr bool RUN_ON_CREATE = false;

// Set once GetServerPtr() has performed its one-time server setup.
bool g_hasServerInit = false;

// Cursor state shared by GetData(): current input buffer, its length, and the read offset into it.
const uint8_t *g_baseFuzzData = nullptr;
size_t g_baseFuzzSize = 0;
size_t g_baseFuzzPos = 0;
48
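/**
 * @brief Copy the next sizeof(T) bytes of the shared fuzz buffer into a value of type T.
 *
 * Reads from g_baseFuzzData at offset g_baseFuzzPos and advances the cursor on success.
 * A value-initialized T is returned, and the cursor is left where it was, when no buffer is set,
 * fewer than sizeof(T) bytes remain, or memcpy_s reports an error.
 *
 * The value is produced by a raw byte copy, so T should be a trivially copyable type.
 *
 * @tparam T type to materialize from the input bytes.
 * @return the decoded value, or T{} when the read cannot be satisfied.
 */
template <class T> T GetData()
{
    T object{};
    const size_t objectSize = sizeof(object);
    // Check the cursor before subtracting: g_baseFuzzSize - g_baseFuzzPos is unsigned, so a cursor past the end
    // would wrap to a huge "remaining" count and the length check would pass, letting the copy read out of bounds.
    if (g_baseFuzzData == nullptr || g_baseFuzzPos > g_baseFuzzSize ||
        objectSize > g_baseFuzzSize - g_baseFuzzPos) {
        return object;
    }
    const errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
    if (ret != EOK) {
        return {};
    }
    g_baseFuzzPos += objectSize;
    return object;
}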
63
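/**
 * @brief Install a native access token for the fuzz process.
 *
 * Builds a NativeTokenInfoParams for the process name "audiofuzztest" at APL "system_basic" with the
 * audio-related permissions listed below, makes the resulting token the process's own token, and asks
 * AccessTokenKit to reload native token info.
 *
 * The token is requested by the harness itself, so it belongs in test builds only.
 */
void AudioFuzzTestGetPermission()
{
    const char *perms[] = {
        "ohos.permission.MICROPHONE",
        "ohos.permission.RECORD_VOICE_CALL",
        "ohos.permission.CAST_AUDIO_OUTPUT",
        "ohos.permission.MANAGE_INTELLIGENT_VOICE",
        "ohos.permission.MANAGE_AUDIO_CONFIG",
        "ohos.permission.MICROPHONE_CONTROL",
        "ohos.permission.MODIFY_AUDIO_SETTINGS",
    };
    // Derive the count from the array. The previous hard-coded 10 exceeded the seven initialized entries,
    // so the token API was told to read three trailing null pointers as permission names.
    constexpr int32_t permCount = static_cast<int32_t>(sizeof(perms) / sizeof(perms[0]));

    NativeTokenInfoParams infoInstance = {
        .dcapsNum = 0,
        .permsNum = permCount,
        .aclsNum = 0,
        .dcaps = nullptr,
        .perms = perms,
        .acls = nullptr,
        .processName = "audiofuzztest",
        .aplStr = "system_basic",
    };
    const uint64_t tokenId = GetAccessTokenId(&infoInstance);
    SetSelfTokenID(tokenId);
    OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
}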
92
/**
 * @brief Return the process-wide AudioServer used by every fuzz iteration.
 *
 * The server is a function-local static built from SYSTEM_ABILITY_ID and RUN_ON_CREATE. On the first
 * call only, OnAddSystemAbility is invoked for POLICY_SYSTEM_ABILITY_ID and g_hasServerInit is set.
 *
 * @return pointer to the static server instance; never null.
 */
AudioServer *GetServerPtr()
{
    static AudioServer server(SYSTEM_ABILITY_ID, RUN_ON_CREATE);
    if (g_hasServerInit) {
        return &server;
    }

    // One-time setup, guarded by the global flag rather than by the static's own initialization.
    server.OnAddSystemAbility(POLICY_SYSTEM_ABILITY_ID, "");
    g_hasServerInit = true;
    return &server;
}
102
/**
 * @brief Fold the fuzz-supplied stream description into bounded values.
 *
 * Sampling rate becomes SAMPLE_RATE_96000 when the input is above SAMPLE_RATE_48000, else
 * SAMPLE_RATE_48000. Format, encoding and channel count are reduced with a modulus, and the channel
 * layout is forced to CH_LAYOUT_STEREO.
 *
 * NOTE(review): the format and channel moduli use signed arithmetic if the enums have a signed
 * underlying type, in which case a negative fuzz value stays negative — confirm whether that is intended.
 *
 * @param config process configuration whose streamInfo is rewritten in place; audioMode is only read.
 */
void ModifyStreamInfoFormat(AudioProcessConfig &config)
{
    auto &stream = config.streamInfo;

    stream.samplingRate = (stream.samplingRate > SAMPLE_RATE_48000) ? SAMPLE_RATE_96000 : SAMPLE_RATE_48000;
    stream.format = static_cast<AudioSampleFormat>(stream.format % (SAMPLE_F32LE + 1));
    stream.encoding = static_cast<AudioEncodingType>(stream.encoding % LIMIT_TWO);
    stream.channelLayout = CH_LAYOUT_STEREO;

    // The channel bound depends on direction: up to CHANNEL_16 for playback, up to CHANNEL_6 for record.
    if (config.audioMode == AUDIO_MODE_PLAYBACK) {
        stream.channels = static_cast<AudioChannel>(stream.channels % (CHANNEL_16 + 1));
    }
    if (config.audioMode == AUDIO_MODE_RECORD) {
        stream.channels = static_cast<AudioChannel>(stream.channels % (CHANNEL_6 + 1));
    }
}
125
/**
 * @brief Reduce the fuzz-supplied renderer fields with a modulus so they fall near the declared ranges.
 *
 * streamUsage is taken modulo STREAM_USAGE_MAX + 1, rendererFlags modulo AUDIO_FLAG_VOIP_DIRECT + 1,
 * and pipeType modulo PIPE_TYPE_DIRECT_VOIP + 1.
 *
 * @param config process configuration whose rendererInfo is rewritten in place.
 */
void ModifyRendererConfig(AudioProcessConfig &config)
{
    auto &renderer = config.rendererInfo;

    const auto usage = renderer.streamUsage % (STREAM_USAGE_MAX + 1);
    renderer.streamUsage = static_cast<StreamUsage>(usage);

    renderer.rendererFlags = renderer.rendererFlags % (AUDIO_FLAG_VOIP_DIRECT + 1);

    const auto pipe = renderer.pipeType % (PIPE_TYPE_DIRECT_VOIP + 1);
    renderer.pipeType = static_cast<AudioPipeType>(pipe);
}
136
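/**
 * @brief Reduce the fuzz-supplied capturer fields with a modulus so they fall near the declared ranges.
 *
 * sourceType is taken modulo SOURCE_TYPE_MAX + 1, capturerFlags modulo AUDIO_FLAG_VOIP_DIRECT + 1,
 * and pipeType modulo PIPE_TYPE_DIRECT_VOIP + 1.
 *
 * @param config process configuration whose capturerInfo is rewritten in place.
 */
void ModifyRecorderConfig(AudioProcessConfig &config)
{
    config.capturerInfo.sourceType = static_cast<SourceType>(config.capturerInfo.sourceType % (SOURCE_TYPE_MAX + 1));

    // Normalize the capturer's own flags. The earlier code read rendererInfo.rendererFlags here, which
    // discarded the fuzzed capturerFlags and tied the record path to an unrelated renderer field.
    config.capturerInfo.capturerFlags = config.capturerInfo.capturerFlags % (AUDIO_FLAG_VOIP_DIRECT + 1);

    config.capturerInfo.pipeType = static_cast<AudioPipeType>(config.capturerInfo.pipeType %
        (PIPE_TYPE_DIRECT_VOIP + 1));
}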
146
/**
 * @brief Normalize a fuzz-built AudioProcessConfig before it is handed to the server.
 *
 * audioMode is folded to one of two values with LIMIT_TWO, the stream description is normalized, and
 * then only the renderer or the capturer half is normalized, depending on the resulting mode.
 *
 * @param config configuration rewritten in place.
 */
void ModifyProcessConfig(AudioProcessConfig &config)
{
    config.audioMode = static_cast<AudioMode>(config.audioMode % LIMIT_TWO);
    ModifyStreamInfoFormat(config);

    // Neither helper below changes audioMode, so the direction can be decided once up front.
    const bool isPlayback = (config.audioMode == AUDIO_MODE_PLAYBACK);
    const bool isRecord = (config.audioMode == AUDIO_MODE_RECORD);

    if (isPlayback) {
        ModifyRendererConfig(config);
    }
    if (isRecord) {
        ModifyRecorderConfig(config);
    }
}
160
/**
 * @brief Drive the IpcStreamInServer API directly with fixed arguments.
 *
 * Every call uses constant or zero-initialized inputs; return values are ignored. The call order is
 * part of the test: Flush, Drain and all later calls are issued after Release, so the stream is also
 * exercised once it has been released.
 *
 * @param ipcStream stream to exercise; the function returns immediately when it is null.
 */
void CallStreamFuncs(sptr<IpcStreamInServer> ipcStream)
{
    if (ipcStream == nullptr) {
        return;
    }

    // Buffer resolution, position updates and session id.
    std::shared_ptr<OHAudioBuffer> sharedBuffer;
    ipcStream->ResolveBuffer(sharedBuffer);
    ipcStream->UpdatePosition();
    ipcStream->UpdatePosition();
    uint32_t session = 0;
    ipcStream->GetAudioSessionID(session);

    // Lifecycle transitions, deliberately continuing past Release.
    ipcStream->Start();
    ipcStream->Pause();
    ipcStream->Stop();
    ipcStream->Release();
    ipcStream->Flush();
    ipcStream->Drain();

    AudioPlaybackCaptureConfig captureConfig = {
        {{STREAM_USAGE_MUSIC}, FilterMode::INCLUDE, {0}, FilterMode::INCLUDE}, false};
    ipcStream->UpdatePlaybackCaptureConfig(captureConfig);

    // Timing queries; the same variables are reused as in/out arguments across the calls.
    uint64_t frames = 0;
    uint64_t stamp = 0;
    uint64_t delay = 0;
    ipcStream->GetAudioTime(frames, stamp);
    ipcStream->GetAudioPosition(frames, stamp, delay);
    ipcStream->GetLatency(stamp);

    // Setter/getter pairs sharing one integer and one float scratch value.
    int32_t value = 0;
    ipcStream->SetRate(value);
    ipcStream->GetRate(value);
    float level = 0.0f;
    ipcStream->SetLowPowerVolume(level);
    ipcStream->GetLowPowerVolume(level);
    ipcStream->SetAudioEffectMode(value);
    ipcStream->GetAudioEffectMode(value);
    ipcStream->SetPrivacyType(value);
    ipcStream->GetPrivacyType(value);

    // Offload, spatialization and volume controls.
    ipcStream->SetOffloadMode(value, false);
    ipcStream->UnsetOffloadMode();
    ipcStream->GetOffloadApproximatelyCacheTime(frames, stamp, stamp, stamp);
    ipcStream->OffloadSetVolume(level);
    ipcStream->UpdateSpatializationState(true, false);
    ipcStream->GetStreamManagerType();
    ipcStream->SetSilentModeAndMixWithOthers(false);
    ipcStream->SetClientVolume();

    std::string threadName = "fuzz_test";
    ipcStream->RegisterThreadPriority(0, threadName);
}
208
/**
 * @brief Send one fuzzed IPC request to the stream created for config, then call its API directly.
 *
 * The first four input bytes select the request code (modulo IPC_STREAM_MAX_MSG); the remaining bytes
 * become the parcel payload after the interface token. The shared GetData() cursor is re-pointed at
 * rawData, so any state left by the caller is overwritten.
 *
 * NOTE(review): the token written is u"IStandardAudioService". If the IpcStream stub validates a
 * different interface descriptor, every request is rejected before dispatch and the payload never
 * reaches a handler — confirm against the stub's descriptor check.
 *
 * @param config  configuration used to look up the stream via AudioService::GetIpcStream.
 * @param rawData fuzz input; nothing is sent when it is null.
 * @param size    length of rawData; nothing is sent when it is below sizeof(uint32_t).
 */
void DoStreamFuzzTest(const AudioProcessConfig &config, const uint8_t *rawData, size_t size)
{
    constexpr size_t codeSize = sizeof(uint32_t);

    int32_t ret = 0;
    sptr<IpcStreamInServer> ipcStream = AudioService::GetInstance()->GetIpcStream(config, ret);
    const bool inputUsable = (rawData != nullptr) && (size >= codeSize);
    if (ipcStream == nullptr || !inputUsable) {
        return;
    }

    g_baseFuzzData = rawData;
    g_baseFuzzSize = size;
    g_baseFuzzPos = 0;
    const uint32_t code = GetData<uint32_t>() % (IpcStream::IpcStreamMsg::IPC_STREAM_MAX_MSG);

    // Everything after the request code is forwarded as the parcel body; the size check above keeps
    // the subtraction from wrapping.
    const uint8_t *payload = rawData + codeSize;
    const size_t payloadSize = size - codeSize;

    MessageParcel data;
    data.WriteInterfaceToken(FORMMGR_INTERFACE_TOKEN);
    data.WriteBuffer(payload, payloadSize);
    data.RewindRead(0);

    MessageParcel reply;
    MessageOption option;
    ipcStream->OnRemoteRequest(code, data, reply, option);

    CallStreamFuncs(ipcStream);
}
237
/**
 * @brief Build an AudioProcessConfig from fuzz bytes, create an audio process, and fuzz its stream.
 *
 * Fields are filled in a fixed order through GetData(), so the byte layout of the input maps directly
 * onto the configuration. Inputs shorter than sizeof(AudioProcessConfig) are skipped. When
 * CreateAudioProcess returns a non-null object, the same full input buffer is passed to
 * DoStreamFuzzTest.
 *
 * @param rawData fuzz input.
 * @param size    length of rawData in bytes.
 */
void AudioServerFuzzTest(const uint8_t *rawData, size_t size)
{
    // The cursor is reset before the length check, matching the order the harness has always used.
    g_baseFuzzData = rawData;
    g_baseFuzzSize = size;
    g_baseFuzzPos = 0;

    if (size < sizeof(AudioProcessConfig)) {
        return;
    }

    AudioProcessConfig config = {};
    auto &renderer = config.rendererInfo;
    auto &capturer = config.capturerInfo;

    // Caller identity and stream description.
    config.callerUid = GetData<int32_t>();
    config.appInfo = GetData<AppInfo>();
    config.streamInfo = GetData<AudioStreamInfo>();
    config.audioMode = GetData<AudioMode>();

    // Renderer half.
    renderer.contentType = GetData<ContentType>();
    renderer.streamUsage = GetData<StreamUsage>();
    renderer.rendererFlags = GetData<int32_t>();
    renderer.sceneType = ""; // in plan
    renderer.originalFlag = GetData<int32_t>();
    renderer.pipeType = GetData<AudioPipeType>();
    renderer.samplingRate = GetData<AudioSamplingRate>();
    renderer.format = GetData<AudioSampleFormat>();

    // Capturer half.
    capturer.sourceType = GetData<SourceType>();
    capturer.capturerFlags = GetData<int32_t>();
    capturer.pipeType = GetData<AudioPipeType>();
    capturer.samplingRate = GetData<AudioSamplingRate>();
    capturer.encodingType = GetData<uint8_t>();
    capturer.channelLayout = GetData<uint64_t>();
    capturer.sceneType = ""; // in plan
    capturer.originalFlag = GetData<int32_t>();

    // Remaining top-level fields.
    config.streamType = GetData<AudioStreamType>();
    config.deviceType = GetData<DeviceType>();
    config.privacyType = GetData<AudioPrivacyType>();
    config.innerCapMode = GetData<InnerCapMode>();

    ModifyProcessConfig(config);

    int32_t errorCode = 0;
    auto remoteObj = GetServerPtr()->CreateAudioProcess(config, errorCode);
    if (remoteObj == nullptr) {
        return;
    }
    DoStreamFuzzTest(config, rawData, size);
}
287 } // namespace AudioStandard
288 } // namespace OHOS
289
/*
 * One-time fuzzer setup: install the harness's native access token and set the
 * "persist.multimedia.audioflag.fast.disableseparate" system parameter to "1".
 *
 * NOTE(review): libFuzzer declares this hook as int LLVMFuzzerInitialize(int *argc, char ***argv).
 * The parameter list here differs; that is harmless only because neither argument is read —
 * confirm and align the signature.
 */
extern "C" int LLVMFuzzerInitialize(const uint8_t *data, size_t size)
{
    // Neither argument is used by the setup.
    (void)data;
    (void)size;

    OHOS::AudioStandard::AudioFuzzTestGetPermission();
    SetParameter("persist.multimedia.audioflag.fast.disableseparate", "1");
    return 0;
}
296
297 /* Fuzzer entry point */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    // Hand the raw input to the audio server harness; libFuzzer expects 0 for every processed input.
    using OHOS::AudioStandard::AudioServerFuzzTest;
    AudioServerFuzzTest(data, size);
    return 0;
}
304