1 /*
2 * Copyright (c) 2022-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <cstddef>
17 #include <cstdint>
18
19 #include "avsession_item.h"
20 #include "ipc_skeleton.h"
21 #include "avcontroller_callback_proxy.h"
22 #include "avsession_controller_stub.h"
23 #include "avsession_errors.h"
24 #include "system_ability_definition.h"
25 #include "avsession_service.h"
26 #include "avcontrolleritem_fuzzer.h"
27
28 using namespace std;
29 namespace OHOS {
30 namespace AVSession {
31 static const int32_t MAX_CODE_TEST = 17;
32 static const int32_t MAX_CODE_LEN = 512;
33 static const int32_t MIN_SIZE_NUM = 4;
34
35 template<typename T>
36 class ResourceAutoDestroy {
37 public:
ResourceAutoDestroy(T ptr)38 explicit ResourceAutoDestroy(T ptr) : ptr_(ptr)
39 {
40 }
41
~ResourceAutoDestroy()42 ~ResourceAutoDestroy()
43 {
44 if (ptr_) {
45 ptr_->Destroy();
46 }
47 }
48
49 private:
50 T ptr_;
51 };
52
FuzzOnRemoteRequest(const uint8_t * data,size_t size)53 void AvControllerItemFuzzer::FuzzOnRemoteRequest(const uint8_t* data, size_t size)
54 {
55 if ((data == nullptr) || (size > MAX_CODE_LEN) || (size < MIN_SIZE_NUM)) {
56 return;
57 }
58 sptr<AVControllerItem> avControllerItem;
59 std::string tag(reinterpret_cast<const char*>(data), size);
60 int32_t type = *reinterpret_cast<const int32_t*>(data);
61 std::string bundleName(reinterpret_cast<const char*>(data), size);
62 std::string abilityName(reinterpret_cast<const char*>(data), size);
63 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
64 CHECK_AND_RETURN_LOG(service != nullptr, "service is null");
65 AppExecFwk::ElementName elementName;
66 elementName.SetBundleName(bundleName);
67 elementName.SetAbilityName(abilityName);
68 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type % MIN_SIZE_NUM, elementName);
69 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
70 CHECK_AND_RETURN_LOG(avSessionItem != nullptr, "avSessionItem is null");
71 ResourceAutoDestroy<sptr<AVSessionItem>> avSessionItemRelease(avSessionItem);
72 uint32_t code = *(reinterpret_cast<const uint32_t*>(data));
73 CHECK_AND_RETURN_LOG(code < MAX_CODE_TEST, "Unsupport code");
74 sptr<IRemoteObject> avControllerItemObj;
75 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
76 CHECK_AND_RETURN_LOG(ret == AVSESSION_SUCCESS, "CreateControllerInner failed");
77 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
78 CHECK_AND_RETURN_LOG(avControllerItem != nullptr, "avControllerItem is null");
79 ResourceAutoDestroy<sptr<AVControllerItem>> avControllerItemRelease(avControllerItem);
80 MessageParcel dataMessageParcel;
81 MessageParcel reply;
82 MessageOption option;
83 if (!dataMessageParcel.WriteInterfaceToken(avControllerItem->GetDescriptor())) {
84 return;
85 }
86 size -= sizeof(uint32_t);
87 dataMessageParcel.WriteBuffer(data + sizeof(uint32_t), size);
88 dataMessageParcel.RewindRead(0);
89 avControllerItem->OnRemoteRequest(code, dataMessageParcel, reply, option);
90 }
91
AvControllerItemRemoteRequestTest(const uint8_t * data,size_t size)92 void AvControllerItemRemoteRequestTest(const uint8_t* data, size_t size)
93 {
94 auto avControllerItemFuzzer = std::make_unique<AvControllerItemFuzzer>();
95 if (avControllerItemFuzzer == nullptr) {
96 return;
97 }
98 SLOGE("checkcontroller in");
99 avControllerItemFuzzer->FuzzOnRemoteRequest(data, size);
100 }
101
AvControllerItemDataTest(const uint8_t * data,size_t size)102 void AvControllerItemDataTest(const uint8_t* data, size_t size)
103 {
104 CHECK_AND_RETURN_LOG((data != nullptr) && (size <= MAX_CODE_LEN) && (size >= MIN_SIZE_NUM), "Invalid data");
105 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
106 CHECK_AND_RETURN_LOG(service != nullptr, "service is null");
107 std::string tag(reinterpret_cast<const char*>(data), size);
108 int32_t type = *reinterpret_cast<const int32_t*>(data);
109 std::string bundleName(reinterpret_cast<const char*>(data), size);
110 std::string abilityName(reinterpret_cast<const char*>(data), size);
111 AppExecFwk::ElementName elementName;
112 elementName.SetBundleName(bundleName);
113 elementName.SetAbilityName(abilityName);
114 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type % MIN_SIZE_NUM, elementName);
115 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
116 CHECK_AND_RETURN_LOG(avSessionItem != nullptr, "avSessionItem is null");
117 sptr<AVControllerItem> avControllerItem;
118 sptr<IRemoteObject> avControllerItemObj;
119 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
120 CHECK_AND_RETURN_LOG(ret == AVSESSION_SUCCESS, "CreateControllerInner fail");
121 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
122 CHECK_AND_RETURN_LOG(avControllerItem != nullptr, "avControllerItem is null");
123 ResourceAutoDestroy<sptr<AVControllerItem>> avControllerItemRelease(avControllerItem);
124 AVPlaybackState playbackstate;
125 avControllerItem->GetAVPlaybackState(playbackstate);
126 AVMetaData metaData;
127 avControllerItem->GetAVMetaData(metaData);
128 std::vector<int32_t> cmds;
129 avControllerItem->GetValidCommands(cmds);
130 AVPlaybackState::PlaybackStateMaskType playBackFilter;
131 uint32_t playCode = *(reinterpret_cast<const uint32_t*>(data));
132 if (playCode <= AVPlaybackState::PLAYBACK_KEY_MAX) {
133 playBackFilter.set(playCode);
134 } else {
135 playBackFilter.set(AVPlaybackState::PLAYBACK_KEY_STATE);
136 }
137 avControllerItem->SetPlaybackFilter(playBackFilter);
138 AvControllerItemDataTestSecond(avControllerItem, data, size);
139 AvControllerItemDataTestThird(avControllerItem, data, size);
140 }
141
AvControllerItemDataTestSecond(sptr<AVControllerItem> avControllerItem,const uint8_t * data,size_t size)142 void AvControllerItemDataTestSecond(sptr<AVControllerItem> avControllerItem, const uint8_t* data, size_t size)
143 {
144 std::string sessionId(reinterpret_cast<const char*>(data), size);
145 avControllerItem->GetSessionId();
146 avControllerItem->GetPid();
147 avControllerItem->HasSession(sessionId);
148 auto keyEvent = MMI::KeyEvent::Create();
149 keyEvent->SetKeyCode(*(reinterpret_cast<const int32_t*>(data)));
150 MMI::KeyEvent::KeyItem item;
151 item.SetKeyCode(*(reinterpret_cast<const int32_t*>(data)));
152 keyEvent->AddKeyItem(item);
153 bool isActive = *(reinterpret_cast<const bool*>(data));
154 avControllerItem->IsSessionActive(isActive);
155 avControllerItem->SendAVKeyEvent(*(keyEvent.get()));
156 AbilityRuntime::WantAgent::WantAgent ability;
157 avControllerItem->GetLaunchAbility(ability);
158
159 uint32_t code = *(reinterpret_cast<const uint32_t*>(data));
160 AVMetaData::MetaMaskType metaFilter;
161 metaFilter.set(code % AVMetaData::META_KEY_MAX);
162 avControllerItem->SetMetaFilter(metaFilter);
163 AVControlCommand command;
164 command.SetCommand(code % AVControlCommand::SESSION_CMD_MAX);
165 avControllerItem->SendControlCommand(command);
166
167 AVCallState avCallState;
168 avControllerItem->GetAVCallState(avCallState);
169 AVCallMetaData callMetaData;
170 avControllerItem->GetAVCallMetaData(callMetaData);
171 }
172
AvControllerItemDataTestThird(sptr<AVControllerItem> avControllerItem,const uint8_t * data,size_t size)173 void AvControllerItemDataTestThird(sptr<AVControllerItem> avControllerItem, const uint8_t* data, size_t size)
174 {
175 std::vector<AVQueueItem> items;
176 avControllerItem->GetAVQueueItems(items);
177
178 std::string title;
179 avControllerItem->GetAVQueueTitle(title);
180
181 int32_t itemId = *(reinterpret_cast<const int32_t*>(data));
182 avControllerItem->SkipToQueueItem(itemId);
183
184 AAFwk::WantParams extras;
185 avControllerItem->GetExtras(extras);
186
187 std::string commonCommand(reinterpret_cast<const char*>(data), size);
188 avControllerItem->SendCommonCommand(commonCommand, extras);
189
190 uint32_t code = *(reinterpret_cast<const uint32_t*>(data));
191 AVCallMetaData::AVCallMetaMaskType avCallMetaMaskType;
192 avCallMetaMaskType.set(code % AVCallMetaData::AVCALL_META_KEY_MAX);
193 avControllerItem->SetAVCallMetaFilter(avCallMetaMaskType);
194 AVCallState::AVCallStateMaskType avCallStateMaskType;
195 avCallStateMaskType.set(code % AVCallState::AVCALL_STATE_KEY_MAX);
196 avControllerItem->SetAVCallStateFilter(avCallStateMaskType);
197 }
198
AvControllerItemTest(const uint8_t * data,size_t size)199 void AvControllerItemTest(const uint8_t* data, size_t size)
200 {
201 if ((data == nullptr) || (size > MAX_CODE_LEN) || (size < MIN_SIZE_NUM)) {
202 return;
203 }
204 sptr<AVSessionService> service = new AVSessionService(AVSESSION_SERVICE_ID);
205 if (!service) {
206 SLOGI("service is null");
207 return;
208 }
209 std::string tag(reinterpret_cast<const char*>(data), size);
210 int32_t type = *reinterpret_cast<const int32_t*>(data);
211 std::string bundleName(reinterpret_cast<const char*>(data), size);
212 std::string abilityName(reinterpret_cast<const char*>(data), size);
213 AppExecFwk::ElementName elementName;
214 elementName.SetBundleName(bundleName);
215 elementName.SetAbilityName(abilityName);
216 sptr<IRemoteObject> avSessionItemObj = service->CreateSessionInner(tag, type % MIN_SIZE_NUM, elementName);
217 sptr<AVSessionItem> avSessionItem = (sptr<AVSessionItem>&)avSessionItemObj;
218 if (!avSessionItem) {
219 SLOGI("avSessionItem is null");
220 return;
221 }
222 ResourceAutoDestroy<sptr<AVSessionItem>> avSessionItemRelease(avSessionItem);
223 sptr<AVControllerItem> avControllerItem;
224 sptr<IRemoteObject> avControllerItemObj;
225 std::string sessionId(reinterpret_cast<const char*>(data), size);
226 auto ret = service->CreateControllerInner(avSessionItem->GetSessionId(), avControllerItemObj);
227 if (ret != AVSESSION_SUCCESS) {
228 SLOGI("CreateControllerInner fail");
229 return;
230 }
231 avControllerItem = (sptr<AVControllerItem>&)avControllerItemObj;
232 if (!avControllerItem) {
233 SLOGI("avControllerItem is null");
234 return;
235 }
236 ResourceAutoDestroy<sptr<AVControllerItem>> avControllerItemRelease(avControllerItem);
237 AvControllerItemTestImpl(data, size, avControllerItem);
238 AvControllerItemTestImplSecond(data, size, avControllerItem);
239 }
240
AvControllerItemTestImpl(const uint8_t * data,size_t size,sptr<AVControllerItem> avControllerItem)241 void AvControllerItemTestImpl(const uint8_t* data, size_t size,
242 sptr<AVControllerItem> avControllerItem)
243 {
244 std::string deviceId(reinterpret_cast<const char*>(data), size);
245 AVPlaybackState controllerBackState;
246 controllerBackState.SetState(*(reinterpret_cast<const int32_t*>(data)));
247 avControllerItem->HandlePlaybackStateChange(controllerBackState);
248 AVMetaData controllerMetaData;
249 controllerMetaData.Reset();
250 controllerMetaData.SetAssetId(deviceId);
251 avControllerItem->HandleMetaDataChange(controllerMetaData);
252 avControllerItem->HandleActiveStateChange(*(reinterpret_cast<const bool*>(data)));
253 std::vector<int32_t> controlCmds;
254 controlCmds.push_back(*(reinterpret_cast<const int32_t*>(data)));
255 avControllerItem->HandleValidCommandChange(controlCmds);
256 int32_t connectionState = 0;
257 OutputDeviceInfo outputDeviceInfo;
258 DeviceInfo deviceInfo;
259 deviceInfo.castCategory_ = *(reinterpret_cast<const int32_t*>(data));
260 deviceInfo.deviceId_ = deviceId;
261 outputDeviceInfo.deviceInfos_.push_back(deviceInfo);
262 avControllerItem->HandleOutputDeviceChange(connectionState, outputDeviceInfo);
263 avControllerItem->HandleSessionDestroy();
264 }
265
AvControllerItemTestImplSecond(const uint8_t * data,size_t size,sptr<AVControllerItem> avControllerItem)266 void AvControllerItemTestImplSecond(const uint8_t* data, size_t size,
267 sptr<AVControllerItem> avControllerItem)
268 {
269 AVCallMetaData callMetaData;
270 int32_t numberDate = *(reinterpret_cast<const int32_t*>(data));
271 std::string dataToS(std::to_string(numberDate));
272 std::string strCallMetaData(dataToS);
273 callMetaData.SetName(strCallMetaData);
274 callMetaData.SetPhoneNumber(strCallMetaData);
275 avControllerItem->HandleAVCallMetaDataChange(callMetaData);
276
277 AVCallState avCallState;
278 int32_t callState = std::stoi(dataToS);
279 avCallState.SetAVCallState(callState);
280 bool mute = std::stoi(dataToS);
281 avCallState.SetAVCallMuted(mute);
282 avControllerItem->HandleAVCallStateChange(avCallState);
283
284 const std::string event(reinterpret_cast<const char*>(data), size);
285 const std::string title(reinterpret_cast<const char*>(data), size);
286 AAFwk::WantParams wantParams;
287 vector<AVQueueItem> items;
288 avControllerItem->HandleSetSessionEvent(event, wantParams);
289 avControllerItem->HandleQueueItemsChange(items);
290 avControllerItem->HandleQueueTitleChange(title);
291 avControllerItem->HandleExtrasChange(wantParams);
292
293 std::string sessionId(reinterpret_cast<const char*>(data), size);
294 auto releaseCallback = [](AVControllerItem& item) {};
295 auto avControllerCallback = std::make_shared<AVControllerObserver>(sessionId);
296 avControllerItem->SetServiceCallbackForRelease(releaseCallback);
297 avControllerItem->RegisterAVControllerCallback(avControllerCallback);
298 }
299
300 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)301 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
302 {
303 /* Run your code on data */
304 AvControllerItemRemoteRequestTest(data, size);
305 AvControllerItemDataTest(data, size);
306 AvControllerItemTest(data, size);
307 return 0;
308 }
309 } // namespace AVSession
310 } // namespace OHOS
311