1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  */
17 
18 #include <fuzzer/FuzzedDataProvider.h>
19 
20 #include "audio_hal_interface/a2dp_encoding.h"
21 #include "include/btif_av.h"
22 #include "include/btif_av_co.h"
23 #include "osi/include/properties.h"
24 
25 using ::bluetooth::audio::a2dp::Status;
26 using ::bluetooth::audio::a2dp::update_codec_offloading_capabilities;
27 
28 extern "C" {
android_get_exported_namespace(const char *)29 struct android_namespace_t* android_get_exported_namespace(const char*) { return nullptr; }
30 }
31 
32 constexpr Status kStatus[] = {
33         Status::UNKNOWN, Status::SUCCESS, Status::UNSUPPORTED_CODEC_CONFIGURATION,
34         Status::FAILURE, Status::PENDING,
35 };
36 
37 constexpr int32_t kRandomStringLength = 256;
38 
source_init_delayed(void)39 static void source_init_delayed(void) {}
40 
41 constexpr btav_a2dp_codec_index_t kCodecIndices[] = {
42         BTAV_A2DP_CODEC_INDEX_SOURCE_SBC,  BTAV_A2DP_CODEC_INDEX_SOURCE_AAC,
43         BTAV_A2DP_CODEC_INDEX_SOURCE_APTX, BTAV_A2DP_CODEC_INDEX_SOURCE_APTX_HD,
44         BTAV_A2DP_CODEC_INDEX_SOURCE_LDAC, BTAV_A2DP_CODEC_INDEX_SINK_SBC,
45         BTAV_A2DP_CODEC_INDEX_SINK_AAC,    BTAV_A2DP_CODEC_INDEX_SINK_LDAC};
46 
CodecOffloadingPreferenceGenerator()47 std::vector<std::vector<btav_a2dp_codec_config_t>> CodecOffloadingPreferenceGenerator() {
48   std::vector<std::vector<btav_a2dp_codec_config_t>> offloadingPreferences = {
49           std::vector<btav_a2dp_codec_config_t>(0)};
50   btav_a2dp_codec_config_t btavCodecConfig = {};
51   for (btav_a2dp_codec_index_t i : kCodecIndices) {
52     btavCodecConfig.codec_type = i;
53     auto duplicated_preferences = offloadingPreferences;
54     for (auto iter = duplicated_preferences.begin(); iter != duplicated_preferences.end(); ++iter) {
55       iter->push_back(btavCodecConfig);
56     }
57     offloadingPreferences.insert(offloadingPreferences.end(), duplicated_preferences.begin(),
58                                  duplicated_preferences.end());
59   }
60   return offloadingPreferences;
61 }
62 
63 class A2dpEncodingFuzzer {
64 public:
~A2dpEncodingFuzzer()65   ~A2dpEncodingFuzzer() {
66     delete (mCodec);
67     mCodec = nullptr;
68   }
69   void process(const uint8_t* data, size_t size);
70   static A2dpCodecConfig* mCodec;
71 };
72 
73 class TestAudioPort : public bluetooth::audio::a2dp::StreamCallbacks {
StartStream(bool) const74   Status StartStream(bool /*low_latency*/) const override { return Status::PENDING; }
SuspendStream() const75   Status SuspendStream() const override { return Status::PENDING; }
SetLatencyMode(bool) const76   Status SetLatencyMode(bool /*low_latency*/) const override { return Status::SUCCESS; }
77 };
78 
79 A2dpCodecConfig* A2dpEncodingFuzzer::mCodec{nullptr};
80 const TestAudioPort test_audio_port;
81 
process(const uint8_t * data,size_t size)82 void A2dpEncodingFuzzer::process(const uint8_t* data, size_t size) {
83   FuzzedDataProvider fdp(data, size);
84   if (!mCodec) {
85     mCodec = A2dpCodecConfig::createCodec(fdp.PickValueInArray(kCodecIndices));
86   }
87 
88   bool offload_enabled = fdp.ConsumeBool();
89   std::string name = fdp.ConsumeRandomLengthString(kRandomStringLength);
90   uint16_t peer_mtu = fdp.ConsumeIntegral<uint16_t>();
91   int preferred_encoding_interval_us = fdp.ConsumeIntegral<int>();
92 
93   bluetooth::common::MessageLoopThread messageLoopThread(name);
94   messageLoopThread.StartUp();
95   messageLoopThread.DoInThread(FROM_HERE, base::BindOnce(&source_init_delayed));
96 
97   uint16_t delayReport = fdp.ConsumeIntegral<uint16_t>();
98   bluetooth::audio::a2dp::set_remote_delay(delayReport);
99 
100   if (!bluetooth::audio::a2dp::init(&messageLoopThread, &test_audio_port, offload_enabled)) {
101     return;
102   }
103 
104   if (!bluetooth::audio::a2dp::setup_codec(bta_av_get_a2dp_current_codec(), peer_mtu,
105                                            preferred_encoding_interval_us)) {
106     return;
107   }
108 
109   bluetooth::audio::a2dp::start_session();
110 
111   Status status = fdp.PickValueInArray(kStatus);
112   bluetooth::audio::a2dp::ack_stream_started(status);
113 
114   for (auto offloadingPreference : CodecOffloadingPreferenceGenerator()) {
115     update_codec_offloading_capabilities(offloadingPreference, false);
116   }
117   status = fdp.PickValueInArray(kStatus);
118   bluetooth::audio::a2dp::ack_stream_suspended(status);
119   bluetooth::audio::a2dp::cleanup();
120   messageLoopThread.ShutDown();
121 }
122 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)123 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
124   A2dpEncodingFuzzer a2dpEncodingFuzzer;
125   a2dpEncodingFuzzer.process(data, size);
126   return 0;
127 }
128