1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <iostream>
17 #include <cstddef>
18 #include <cstdint>
19
20 #include "accesstoken_kit.h"
21 #include "message_parcel.h"
22 #include "nativetoken_kit.h"
23 #include "token_setproc.h"
24 #include "access_token.h"
25 #include "securec.h"
26 #include "parameter.h"
27
28 #include "audio_info.h"
29 #include "audio_server.h"
30 #include "audio_service.h"
31 #include "audio_process_config.h"
32 #include "audio_utils.h"
33 #include "audio_stream_info.h"
34
35 namespace OHOS {
36 namespace AudioStandard {
37 const std::u16string FORMMGR_INTERFACE_TOKEN = u"IStandardAudioService";
38 const int32_t SYSTEM_ABILITY_ID = 3001;
39 const int32_t POLICY_SYSTEM_ABILITY_ID = 3009;
40 const uint32_t LIMIT_TWO = 2;
41 const bool RUN_ON_CREATE = false;
42
43 bool g_hasServerInit = false;
44
45 const uint8_t *g_baseFuzzData = nullptr;
46 size_t g_baseFuzzSize = 0;
47 size_t g_baseFuzzPos;
48
GetData()49 template <class T> T GetData()
50 {
51 T object{};
52 size_t objectSize = sizeof(object);
53 if (g_baseFuzzData == nullptr || objectSize > g_baseFuzzSize - g_baseFuzzPos) {
54 return object;
55 }
56 errno_t ret = memcpy_s(&object, objectSize, g_baseFuzzData + g_baseFuzzPos, objectSize);
57 if (ret != EOK) {
58 return {};
59 }
60 g_baseFuzzPos += objectSize;
61 return object;
62 }
63
AudioFuzzTestGetPermission()64 void AudioFuzzTestGetPermission()
65 {
66 uint64_t tokenId;
67 constexpr int perNum = 10;
68 const char *perms[perNum] = {
69 "ohos.permission.MICROPHONE",
70 "ohos.permission.RECORD_VOICE_CALL",
71 "ohos.permission.CAST_AUDIO_OUTPUT",
72 "ohos.permission.MANAGE_INTELLIGENT_VOICE",
73 "ohos.permission.MANAGE_AUDIO_CONFIG",
74 "ohos.permission.MICROPHONE_CONTROL",
75 "ohos.permission.MODIFY_AUDIO_SETTINGS",
76 };
77
78 NativeTokenInfoParams infoInstance = {
79 .dcapsNum = 0,
80 .permsNum = 10,
81 .aclsNum = 0,
82 .dcaps = nullptr,
83 .perms = perms,
84 .acls = nullptr,
85 .processName = "audiofuzztest",
86 .aplStr = "system_basic",
87 };
88 tokenId = GetAccessTokenId(&infoInstance);
89 SetSelfTokenID(tokenId);
90 OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
91 }
92
GetServerPtr()93 AudioServer* GetServerPtr()
94 {
95 static AudioServer server(SYSTEM_ABILITY_ID, RUN_ON_CREATE);
96 if (!g_hasServerInit) {
97 server.OnAddSystemAbility(POLICY_SYSTEM_ABILITY_ID, "");
98 g_hasServerInit = true;
99 }
100 return &server;
101 }
102
ModifyStreamInfoFormat(AudioProcessConfig & config)103 void ModifyStreamInfoFormat(AudioProcessConfig &config)
104 {
105 if (config.streamInfo.samplingRate > SAMPLE_RATE_48000) {
106 config.streamInfo.samplingRate = SAMPLE_RATE_96000;
107 } else {
108 config.streamInfo.samplingRate = SAMPLE_RATE_48000;
109 }
110
111 config.streamInfo.format = static_cast<AudioSampleFormat>(config.streamInfo.format % (SAMPLE_F32LE + 1));
112
113 config.streamInfo.encoding = static_cast<AudioEncodingType>(config.streamInfo.encoding % LIMIT_TWO);
114
115 config.streamInfo.channelLayout = CH_LAYOUT_STEREO;
116
117 if (config.audioMode == AUDIO_MODE_PLAYBACK) {
118 config.streamInfo.channels = static_cast<AudioChannel>(config.streamInfo.channels % (CHANNEL_16 + 1));
119 }
120
121 if (config.audioMode == AUDIO_MODE_RECORD) {
122 config.streamInfo.channels = static_cast<AudioChannel>(config.streamInfo.channels % (CHANNEL_6 + 1));
123 }
124 }
125
ModifyRendererConfig(AudioProcessConfig & config)126 void ModifyRendererConfig(AudioProcessConfig &config)
127 {
128 config.rendererInfo.streamUsage = static_cast<StreamUsage>(config.rendererInfo.streamUsage %
129 (STREAM_USAGE_MAX + 1));
130
131 config.rendererInfo.rendererFlags = config.rendererInfo.rendererFlags % (AUDIO_FLAG_VOIP_DIRECT + 1);
132
133 config.rendererInfo.pipeType = static_cast<AudioPipeType>(config.rendererInfo.pipeType %
134 (PIPE_TYPE_DIRECT_VOIP + 1));
135 }
136
ModifyRecorderConfig(AudioProcessConfig & config)137 void ModifyRecorderConfig(AudioProcessConfig &config)
138 {
139 config.capturerInfo.sourceType = static_cast<SourceType>(config.capturerInfo.sourceType % (SOURCE_TYPE_MAX + 1));
140
141 config.capturerInfo.capturerFlags = config.rendererInfo.rendererFlags % (AUDIO_FLAG_VOIP_DIRECT + 1);
142
143 config.capturerInfo.pipeType = static_cast<AudioPipeType>(config.capturerInfo.pipeType %
144 (PIPE_TYPE_DIRECT_VOIP + 1));
145 }
146
ModifyProcessConfig(AudioProcessConfig & config)147 void ModifyProcessConfig(AudioProcessConfig &config)
148 {
149 config.audioMode = static_cast<AudioMode>(config.audioMode % LIMIT_TWO);
150 ModifyStreamInfoFormat(config);
151
152 if (config.audioMode == AUDIO_MODE_PLAYBACK) {
153 ModifyRendererConfig(config);
154 }
155
156 if (config.audioMode == AUDIO_MODE_RECORD) {
157 ModifyRecorderConfig(config);
158 }
159 }
160
CallStreamFuncs(sptr<IpcStreamInServer> ipcStream)161 void CallStreamFuncs(sptr<IpcStreamInServer> ipcStream)
162 {
163 if (ipcStream == nullptr) {
164 return;
165 }
166
167 std::shared_ptr<OHAudioBuffer> buffer = nullptr;
168 ipcStream->ResolveBuffer(buffer);
169 ipcStream->UpdatePosition();
170 ipcStream->UpdatePosition();
171 uint32_t sessionId = 0;
172 ipcStream->GetAudioSessionID(sessionId);
173 ipcStream->Start();
174 ipcStream->Pause();
175 ipcStream->Stop();
176 ipcStream->Release();
177 ipcStream->Flush();
178 ipcStream->Drain();
179 AudioPlaybackCaptureConfig config = {{{STREAM_USAGE_MUSIC}, FilterMode::INCLUDE, {0}, FilterMode::INCLUDE}, false};
180 ipcStream->UpdatePlaybackCaptureConfig(config);
181 uint64_t framePos = 0;
182 uint64_t timestamp = 0;
183 uint64_t latency = 0;
184 ipcStream->GetAudioTime(framePos, timestamp);
185 ipcStream->GetAudioPosition(framePos, timestamp, latency);
186 ipcStream->GetLatency(timestamp);
187 int32_t param = 0;
188 ipcStream->SetRate(param);
189 ipcStream->GetRate(param);
190 float volume = 0.0f;
191 ipcStream->SetLowPowerVolume(volume);
192 ipcStream->GetLowPowerVolume(volume);
193 ipcStream->SetAudioEffectMode(param);
194 ipcStream->GetAudioEffectMode(param);
195 ipcStream->SetPrivacyType(param);
196 ipcStream->GetPrivacyType(param);
197 ipcStream->SetOffloadMode(param, false);
198 ipcStream->UnsetOffloadMode();
199 ipcStream->GetOffloadApproximatelyCacheTime(framePos, timestamp, timestamp, timestamp);
200 ipcStream->UpdateSpatializationState(true, false);
201 ipcStream->GetStreamManagerType();
202 ipcStream->SetSilentModeAndMixWithOthers(false);
203 ipcStream->SetClientVolume();
204 ipcStream->SetMute(false);
205 ipcStream->SetDuckFactor(volume);
206 std::string name = "fuzz_test";
207 ipcStream->RegisterThreadPriority(0, name);
208 }
209
DoStreamFuzzTest(const AudioProcessConfig & config,const uint8_t * rawData,size_t size)210 void DoStreamFuzzTest(const AudioProcessConfig &config, const uint8_t *rawData, size_t size)
211 {
212 int32_t ret = 0;
213 sptr<IpcStreamInServer> ipcStream = AudioService::GetInstance()->GetIpcStream(config, ret);
214 if (ipcStream == nullptr || rawData == nullptr || size < sizeof(uint32_t)) {
215 return;
216 }
217
218 g_baseFuzzData = rawData;
219 g_baseFuzzSize = size;
220 g_baseFuzzPos = 0;
221 uint32_t code = GetData<uint32_t>() % (IpcStream::IpcStreamMsg::IPC_STREAM_MAX_MSG);
222
223 rawData = rawData + sizeof(uint32_t);
224 size = size - sizeof(uint32_t);
225
226 MessageParcel data;
227 data.WriteInterfaceToken(FORMMGR_INTERFACE_TOKEN);
228 data.WriteBuffer(rawData, size);
229 data.RewindRead(0);
230
231 MessageParcel reply;
232 MessageOption option;
233
234 ipcStream->OnRemoteRequest(code, data, reply, option);
235
236 CallStreamFuncs(ipcStream);
237 }
238
AudioServerFuzzTest(const uint8_t * rawData,size_t size)239 void AudioServerFuzzTest(const uint8_t *rawData, size_t size)
240 {
241 g_baseFuzzData = rawData;
242 g_baseFuzzSize = size;
243 g_baseFuzzPos = 0;
244
245 if (size < sizeof(AudioProcessConfig)) {
246 return;
247 }
248
249 AudioProcessConfig config = {};
250 config.callerUid = GetData<int32_t>();
251 config.appInfo = GetData<AppInfo>();
252 config.streamInfo = GetData<AudioStreamInfo>();
253 config.audioMode = GetData<AudioMode>();
254
255 config.rendererInfo.contentType = GetData<ContentType>();
256 config.rendererInfo.streamUsage = GetData<StreamUsage>();
257 config.rendererInfo.rendererFlags = GetData<int32_t>();
258
259 config.rendererInfo.sceneType = ""; // in plan
260
261 config.rendererInfo.originalFlag = GetData<int32_t>();
262 config.rendererInfo.pipeType = GetData<AudioPipeType>();
263 config.rendererInfo.samplingRate = GetData<AudioSamplingRate>();
264 config.rendererInfo.format = GetData<AudioSampleFormat>();
265
266 config.capturerInfo.sourceType = GetData<SourceType>();
267 config.capturerInfo.capturerFlags = GetData<int32_t>();
268 config.capturerInfo.pipeType = GetData<AudioPipeType>();
269 config.capturerInfo.samplingRate = GetData<AudioSamplingRate>();
270 config.capturerInfo.encodingType = GetData<uint8_t>();
271 config.capturerInfo.channelLayout = GetData<uint64_t>();
272 config.capturerInfo.sceneType = ""; // in plan
273 config.capturerInfo.originalFlag = GetData<int32_t>();
274
275 config.streamType = GetData<AudioStreamType>();
276 config.deviceType = GetData<DeviceType>();
277 config.privacyType = GetData<AudioPrivacyType>();
278 config.innerCapMode = GetData<InnerCapMode>();
279
280 ModifyProcessConfig(config);
281
282 int32_t errorCode = 0;
283 auto remoteObj = GetServerPtr()->CreateAudioProcess(config, errorCode);
284 if (remoteObj != nullptr) {
285 DoStreamFuzzTest(config, rawData, size);
286 }
287 }
288 } // namespace AudioStandard
289 } // namesapce OHOS
290
LLVMFuzzerInitialize(const uint8_t * data,size_t size)291 extern "C" int LLVMFuzzerInitialize(const uint8_t *data, size_t size)
292 {
293 OHOS::AudioStandard::AudioFuzzTestGetPermission();
294 SetParameter("persist.multimedia.audioflag.fast.disableseparate", "1");
295 return 0;
296 }
297
298 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)299 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
300 {
301 /* Run your code on data */
302 OHOS::AudioStandard::AudioServerFuzzTest(data, size);
303 return 0;
304 }
305