1 /******************************************************************************
2 *
3 * Copyright (C) 2021 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18 #include <stdint.h>
19 #include <sys/wait.h>
20 #include <unistd.h>
21 #include <algorithm>
22 #include <memory>
23 #include <string>
24 #include <utility>
25 #include <vector>
26
27 #include <Serializer.h>
28 #include <android-base/file.h>
29 #include <android/content/AttributionSourceState.h>
30 #include <libxml/parser.h>
31 #include <libxml/xinclude.h>
32 #include <media/AudioPolicy.h>
33 #include <media/AudioProfile.h>
34 #include <media/PatchBuilder.h>
35 #include <media/RecordingActivityTracker.h>
36
37 #include <AudioPolicyInterface.h>
38 #include <android_audio_policy_configuration_V7_0-enums.h>
39 #include <fuzzer/FuzzedDataProvider.h>
40 #include <tests/AudioPolicyManagerTestClient.h>
41 #include <tests/AudioPolicyTestClient.h>
42 #include <tests/AudioPolicyTestManager.h>
43 #include <xsdc/XsdcSupport.h>
44
45 using namespace android;
46
47 namespace xsd {
48 using namespace ::android::audio::policy::configuration::V7_0;
49 }
50
51 using content::AttributionSourceState;
52
__anond87a0cfc0102null53 static const std::vector<audio_format_t> kAudioFormats = [] {
54 std::vector<audio_format_t> result;
55 for (const auto enumVal : xsdc_enum_range<xsd::AudioFormat>{}) {
56 audio_format_t audioFormatHal;
57 std::string audioFormat = toString(enumVal);
58 if (audio_format_from_string(audioFormat.c_str(), &audioFormatHal)) {
59 result.push_back(audioFormatHal);
60 }
61 }
62 return result;
63 }();
64
__anond87a0cfc0202null65 static const std::vector<audio_channel_mask_t> kAudioChannelOutMasks = [] {
66 std::vector<audio_channel_mask_t> result;
67 for (const auto enumVal : xsdc_enum_range<xsd::AudioChannelMask>{}) {
68 audio_channel_mask_t audioChannelMaskHal;
69 std::string audioChannelMask = toString(enumVal);
70 if (enumVal != xsd::AudioChannelMask::AUDIO_CHANNEL_NONE &&
71 audioChannelMask.find("_IN_") == std::string::npos &&
72 audio_channel_mask_from_string(audioChannelMask.c_str(), &audioChannelMaskHal)) {
73 result.push_back(audioChannelMaskHal);
74 }
75 }
76 return result;
77 }();
78
__anond87a0cfc0302null79 static const std::vector<audio_channel_mask_t> kAudioChannelInMasks = [] {
80 std::vector<audio_channel_mask_t> result;
81 for (const auto enumVal : xsdc_enum_range<xsd::AudioChannelMask>{}) {
82 audio_channel_mask_t audioChannelMaskHal;
83 std::string audioChannelMask = toString(enumVal);
84 if (enumVal != xsd::AudioChannelMask::AUDIO_CHANNEL_NONE &&
85 audioChannelMask.find("_OUT_") == std::string::npos &&
86 audio_channel_mask_from_string(audioChannelMask.c_str(), &audioChannelMaskHal)) {
87 result.push_back(audioChannelMaskHal);
88 }
89 }
90 return result;
91 }();
92
__anond87a0cfc0402null93 static const std::vector<audio_output_flags_t> kAudioOutputFlags = [] {
94 std::vector<audio_output_flags_t> result;
95 for (const auto enumVal : xsdc_enum_range<xsd::AudioInOutFlag>{}) {
96 audio_output_flags_t audioOutputFlagHal;
97 std::string audioOutputFlag = toString(enumVal);
98 if (audioOutputFlag.find("_OUTPUT_") != std::string::npos &&
99 audio_output_flag_from_string(audioOutputFlag.c_str(), &audioOutputFlagHal)) {
100 result.push_back(audioOutputFlagHal);
101 }
102 }
103 return result;
104 }();
105
__anond87a0cfc0502null106 static const std::vector<audio_devices_t> kAudioDevices = [] {
107 std::vector<audio_devices_t> result;
108 for (const auto enumVal : xsdc_enum_range<xsd::AudioDevice>{}) {
109 audio_devices_t audioDeviceHal;
110 std::string audioDevice = toString(enumVal);
111 if (audio_device_from_string(audioDevice.c_str(), &audioDeviceHal)) {
112 result.push_back(audioDeviceHal);
113 }
114 }
115 return result;
116 }();
117
__anond87a0cfc0602null118 static const std::vector<audio_usage_t> kAudioUsages = [] {
119 std::vector<audio_usage_t> result;
120 for (const auto enumVal : xsdc_enum_range<xsd::AudioUsage>{}) {
121 audio_usage_t audioUsageHal;
122 std::string audioUsage = toString(enumVal);
123 if (audio_usage_from_string(audioUsage.c_str(), &audioUsageHal)) {
124 result.push_back(audioUsageHal);
125 }
126 }
127 return result;
128 }();
129
130 /**
131 * AudioSource - AUDIO_SOURCE_VOICE_COMMUNICATION and AUDIO_SOURCE_HOTWORD
132 * are excluded from kAudioSources[] in order to avoid the abort triggered
133 * for these two types of AudioSource in Engine::getDeviceForInputSource()
134 */
__anond87a0cfc0702null135 static const std::vector<audio_source_t> kAudioSources = [] {
136 std::vector<audio_source_t> result;
137 for (const auto enumVal : xsdc_enum_range<xsd::AudioSource>{}) {
138 audio_source_t audioSourceHal;
139 std::string audioSource = toString(enumVal);
140 if (enumVal != xsd::AudioSource::AUDIO_SOURCE_VOICE_COMMUNICATION &&
141 enumVal != xsd::AudioSource::AUDIO_SOURCE_HOTWORD &&
142 audio_source_from_string(audioSource.c_str(), &audioSourceHal)) {
143 result.push_back(audioSourceHal);
144 }
145 }
146 return result;
147 }();
148
__anond87a0cfc0802null149 static const std::vector<audio_content_type_t> kAudioContentTypes = [] {
150 std::vector<audio_content_type_t> result;
151 for (const auto enumVal : xsdc_enum_range<xsd::AudioContentType>{}) {
152 audio_content_type_t audioContentTypeHal;
153 std::string audioContentType = toString(enumVal);
154 if (audio_content_type_from_string(audioContentType.c_str(), &audioContentTypeHal)) {
155 result.push_back(audioContentTypeHal);
156 }
157 }
158 return result;
159 }();
160
161 std::vector<int> kMixTypes = {MIX_TYPE_PLAYERS, MIX_TYPE_RECORDERS};
162
163 std::vector<int> kMixRouteFlags = {MIX_ROUTE_FLAG_RENDER, MIX_ROUTE_FLAG_LOOP_BACK,
164 MIX_ROUTE_FLAG_LOOP_BACK_AND_RENDER, MIX_ROUTE_FLAG_ALL};
165
166 std::vector<audio_flags_mask_t> kAudioFlagMasks = {
167 AUDIO_FLAG_NONE, AUDIO_FLAG_AUDIBILITY_ENFORCED,
168 AUDIO_FLAG_SECURE, AUDIO_FLAG_SCO,
169 AUDIO_FLAG_BEACON, AUDIO_FLAG_HW_AV_SYNC,
170 AUDIO_FLAG_HW_HOTWORD, AUDIO_FLAG_BYPASS_INTERRUPTION_POLICY,
171 AUDIO_FLAG_BYPASS_MUTE, AUDIO_FLAG_LOW_LATENCY,
172 AUDIO_FLAG_DEEP_BUFFER, AUDIO_FLAG_NO_MEDIA_PROJECTION,
173 AUDIO_FLAG_MUTE_HAPTIC, AUDIO_FLAG_NO_SYSTEM_CAPTURE,
174 AUDIO_FLAG_CAPTURE_PRIVATE, AUDIO_FLAG_CONTENT_SPATIALIZED,
175 AUDIO_FLAG_NEVER_SPATIALIZE,
176 };
177
178 std::vector<audio_policy_dev_state_t> kAudioPolicyDeviceStates = {
179 AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE,
180 AUDIO_POLICY_DEVICE_STATE_AVAILABLE,
181 AUDIO_POLICY_DEVICE_STATE_CNT,
182 };
183
184 std::vector<uint32_t> kSamplingRates = {8000, 16000, 44100, 48000, 88200, 96000};
185
186 template <typename T>
getValueFromVector(FuzzedDataProvider * fdp,std::vector<T> arr)187 T getValueFromVector(FuzzedDataProvider *fdp, std::vector<T> arr) {
188 if (fdp->ConsumeBool()) {
189 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, arr.size() - 1)];
190 } else {
191 return (T)fdp->ConsumeIntegral<uint32_t>();
192 }
193 }
194
195 class AudioPolicyManagerFuzzer {
196 public:
197 explicit AudioPolicyManagerFuzzer(FuzzedDataProvider *fdp);
198 virtual ~AudioPolicyManagerFuzzer() = default;
199 virtual bool initialize();
200 virtual void SetUpManagerConfig();
201 bool getOutputForAttr(DeviceIdVector *selectedDeviceIds, audio_format_t format,
202 audio_channel_mask_t channelMask, int sampleRate,
203 audio_output_flags_t flags = AUDIO_OUTPUT_FLAG_NONE,
204 audio_io_handle_t *output = nullptr,
205 audio_port_handle_t *portId = nullptr, audio_attributes_t attr = {});
206 bool getInputForAttr(const audio_attributes_t &attr, audio_unique_id_t riid,
207 audio_port_handle_t *selectedDeviceId, audio_format_t format,
208 audio_channel_mask_t channelMask, int sampleRate,
209 audio_input_flags_t flags = AUDIO_INPUT_FLAG_NONE,
210 audio_port_handle_t *portId = nullptr,
211 uint32_t *virtualDeviceId = nullptr);
212 bool findDevicePort(audio_port_role_t role, audio_devices_t deviceType,
213 const std::string &address, audio_port_v7 *foundPort);
214 static audio_port_handle_t getDeviceIdFromPatch(const struct audio_patch *patch);
215 audio_patch createFuzzedPatch();
216 void fuzzPatchCreation();
217 virtual void process();
218
219 protected:
220 sp<AudioPolicyConfig> mConfig{AudioPolicyConfig::createWritableForTests()};
221 std::unique_ptr<AudioPolicyManagerTestClient> mClient{new AudioPolicyManagerTestClient};
222 std::unique_ptr<AudioPolicyTestManager> mManager;
223 FuzzedDataProvider *mFdp;
224 };
225
AudioPolicyManagerFuzzer(FuzzedDataProvider * fdp)226 AudioPolicyManagerFuzzer::AudioPolicyManagerFuzzer(FuzzedDataProvider *fdp)
227 : mFdp(fdp) {}
228
initialize()229 bool AudioPolicyManagerFuzzer::initialize() {
230 if (mFdp->remaining_bytes() < 1) {
231 return false;
232 }
233 // init code
234 SetUpManagerConfig();
235 if (mConfig == nullptr) {
236 return false;
237 }
238 mManager.reset(new AudioPolicyTestManager(mConfig, mClient.get()));
239 if (mManager->initialize() != NO_ERROR) {
240 return false;
241 }
242 if (mManager->initCheck() != NO_ERROR) {
243 return false;
244 }
245 return true;
246 }
247
SetUpManagerConfig()248 void AudioPolicyManagerFuzzer::SetUpManagerConfig() { mConfig->setDefault(); }
249
getOutputForAttr(DeviceIdVector * selectedDeviceIds,audio_format_t format,audio_channel_mask_t channelMask,int sampleRate,audio_output_flags_t flags,audio_io_handle_t * output,audio_port_handle_t * portId,audio_attributes_t attr)250 bool AudioPolicyManagerFuzzer::getOutputForAttr(
251 DeviceIdVector *selectedDeviceIds, audio_format_t format, audio_channel_mask_t channelMask,
252 int sampleRate, audio_output_flags_t flags, audio_io_handle_t *output,
253 audio_port_handle_t *portId, audio_attributes_t attr) {
254 audio_io_handle_t localOutput;
255 if (!output) output = &localOutput;
256 *output = AUDIO_IO_HANDLE_NONE;
257 audio_stream_type_t stream = AUDIO_STREAM_DEFAULT;
258 audio_config_t config = AUDIO_CONFIG_INITIALIZER;
259 config.sample_rate = sampleRate;
260 config.channel_mask = channelMask;
261 config.format = format;
262 audio_port_handle_t localPortId;
263 if (!portId) portId = &localPortId;
264 *portId = AUDIO_PORT_HANDLE_NONE;
265 AudioPolicyInterface::output_type_t outputType;
266 bool isSpatialized;
267 bool isBitPerfect;
268 float volume;
269 bool muted;
270
271 // TODO b/182392769: use attribution source util
272 AttributionSourceState attributionSource;
273 attributionSource.uid = 0;
274 attributionSource.token = sp<BBinder>::make();
275 if (mManager->getOutputForAttr(&attr, output, AUDIO_SESSION_NONE, &stream, attributionSource,
276 &config, &flags, selectedDeviceIds, portId, {}, &outputType, &isSpatialized,
277 &isBitPerfect, &volume, &muted) != OK) {
278 return false;
279 }
280 if (*output == AUDIO_IO_HANDLE_NONE || *portId == AUDIO_PORT_HANDLE_NONE) {
281 return false;
282 }
283 return true;
284 }
285
getInputForAttr(const audio_attributes_t & attr,audio_unique_id_t riid,audio_port_handle_t * selectedDeviceId,audio_format_t format,audio_channel_mask_t channelMask,int sampleRate,audio_input_flags_t flags,audio_port_handle_t * portId,uint32_t *)286 bool AudioPolicyManagerFuzzer::getInputForAttr(
287 const audio_attributes_t &attr, audio_unique_id_t riid, audio_port_handle_t *selectedDeviceId,
288 audio_format_t format, audio_channel_mask_t channelMask, int sampleRate,
289 audio_input_flags_t flags, audio_port_handle_t *portId, uint32_t*) {
290 audio_io_handle_t input = AUDIO_IO_HANDLE_NONE;
291 audio_config_base_t config = AUDIO_CONFIG_BASE_INITIALIZER;
292 config.sample_rate = sampleRate;
293 config.channel_mask = channelMask;
294 config.format = format;
295 audio_port_handle_t localPortId;
296 if (!portId) portId = &localPortId;
297 *portId = AUDIO_PORT_HANDLE_NONE;
298
299 AttributionSourceState attributionSource;
300 attributionSource.uid = 0;
301 attributionSource.token = sp<BBinder>::make();
302 const auto inputRes = mManager->getInputForAttr(attr, input, *selectedDeviceId, config, flags,
303 riid, AUDIO_SESSION_NONE, attributionSource);
304 if (!inputRes.has_value()) return false;
305
306 if (inputRes->portId == AUDIO_PORT_HANDLE_NONE || inputRes->input == AUDIO_IO_HANDLE_NONE) {
307 return false;
308 }
309 return true;
310 }
311
findDevicePort(audio_port_role_t role,audio_devices_t deviceType,const std::string & address,audio_port_v7 * foundPort)312 bool AudioPolicyManagerFuzzer::findDevicePort(audio_port_role_t role, audio_devices_t deviceType,
313 const std::string &address,
314 audio_port_v7 *foundPort) {
315 uint32_t numPorts = 0;
316 uint32_t generation1;
317 status_t ret;
318
319 ret = mManager->listAudioPorts(role, AUDIO_PORT_TYPE_DEVICE, &numPorts, nullptr, &generation1);
320 if (ret != NO_ERROR) {
321 return false;
322 }
323
324 uint32_t generation2;
325 struct audio_port_v7 ports[numPorts];
326 ret = mManager->listAudioPorts(role, AUDIO_PORT_TYPE_DEVICE, &numPorts, ports, &generation2);
327 if (ret != NO_ERROR) {
328 return false;
329 }
330
331 for (const auto &port : ports) {
332 if (port.role == role && port.ext.device.type == deviceType &&
333 (strncmp(port.ext.device.address, address.c_str(), AUDIO_DEVICE_MAX_ADDRESS_LEN) ==
334 0)) {
335 if (foundPort) *foundPort = port;
336 return true;
337 }
338 }
339 return false;
340 }
341
getDeviceIdFromPatch(const struct audio_patch * patch)342 audio_port_handle_t AudioPolicyManagerFuzzer::getDeviceIdFromPatch(
343 const struct audio_patch *patch) {
344 if (patch->num_sources != 0 && patch->num_sinks != 0) {
345 if (patch->sources[0].type == AUDIO_PORT_TYPE_MIX) {
346 return patch->sinks[0].id;
347 } else {
348 return patch->sources[0].id;
349 }
350 }
351 return AUDIO_PORT_HANDLE_NONE;
352 }
353
createFuzzedPatch()354 audio_patch AudioPolicyManagerFuzzer::createFuzzedPatch() {
355 audio_patch patch{};
356 patch.id = mFdp->ConsumeIntegral<uint32_t>();
357 patch.num_sources = mFdp->ConsumeIntegralInRange(0, AUDIO_PATCH_PORTS_MAX);
358 for (int i = 0; i < patch.num_sources; ++i) {
359 audio_port_config config{};
360 std::vector<uint8_t> bytes = mFdp->ConsumeBytes<uint8_t>(sizeof(config));
361 memcpy(reinterpret_cast<uint8_t *>(&config), &bytes[0], bytes.size());
362 patch.sources[i] = config;
363 }
364 patch.num_sinks = mFdp->ConsumeIntegralInRange(0, AUDIO_PATCH_PORTS_MAX);
365 for (int i = 0; i < patch.num_sinks; ++i) {
366 audio_port_config config{};
367 std::vector<uint8_t> bytes = mFdp->ConsumeBytes<uint8_t>(sizeof(config));
368 memcpy(reinterpret_cast<uint8_t *>(&config), &bytes[0], bytes.size());
369 patch.sinks[i] = config;
370 }
371 return patch;
372 }
373
fuzzPatchCreation()374 void AudioPolicyManagerFuzzer::fuzzPatchCreation() {
375 if (mFdp->remaining_bytes()) {
376 audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE;
377 uid_t uid = mFdp->ConsumeIntegral<uint32_t>();
378
379 // create a fuzzed patch
380 handle = AUDIO_PATCH_HANDLE_NONE;
381 audio_patch patch = createFuzzedPatch();
382 uid = mFdp->ConsumeIntegral<uint32_t>();
383 if (mManager->createAudioPatch(&patch, &handle, uid) == NO_ERROR) {
384 mManager->releaseAudioPatch(handle, uid);
385 }
386 }
387 }
388
process()389 void AudioPolicyManagerFuzzer::process() {
390 if (initialize()) {
391 fuzzPatchCreation();
392 }
393 }
394
395 class AudioPolicyManagerFuzzerWithConfigurationFile : public AudioPolicyManagerFuzzer {
396 public:
AudioPolicyManagerFuzzerWithConfigurationFile(FuzzedDataProvider * fdp)397 explicit AudioPolicyManagerFuzzerWithConfigurationFile(FuzzedDataProvider *fdp)
398 : AudioPolicyManagerFuzzer(fdp){};
399
400 protected:
401 void SetUpManagerConfig() override;
402 virtual std::string getConfigFile();
403 void traverseAndFuzzXML(xmlDocPtr pDoc, xmlNodePtr curr);
404 std::string fuzzXML(std::string xmlPath);
405
406 static inline const std::string sExecutableDir = base::GetExecutableDirectory() + "/";
407 static inline const std::string sDefaultConfig =
408 sExecutableDir + "data/test_audio_policy_configuration.xml";
409 static inline const std::string sFuzzedConfig = sExecutableDir + "fuzzed.xml";;
410 };
411
getConfigFile()412 std::string AudioPolicyManagerFuzzerWithConfigurationFile::getConfigFile() {
413 return fuzzXML(sDefaultConfig);
414 }
415
SetUpManagerConfig()416 void AudioPolicyManagerFuzzerWithConfigurationFile::SetUpManagerConfig() {
417 const std::string configFilePath = getConfigFile();
418 auto result = AudioPolicyConfig::loadFromCustomXmlConfigForTests(configFilePath);
419 mConfig = result.ok() ? mConfig = result.value() : nullptr;
420 ALOGE_IF(!result.ok(), "%s: Failed to deserialize \"%s\": %d",
421 __func__, configFilePath.c_str(), result.error());
422 }
423
traverseAndFuzzXML(xmlDocPtr pDoc,xmlNodePtr curr)424 void AudioPolicyManagerFuzzerWithConfigurationFile::traverseAndFuzzXML(xmlDocPtr pDoc,
425 xmlNodePtr curr) {
426 if (curr == nullptr) {
427 return;
428 }
429
430 xmlAttr *attribute = curr->properties;
431 while (attribute) {
432 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("format"))) {
433 const char *newFormat =
434 audio_format_to_string(getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
435 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newFormat));
436 }
437 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("flags"))) {
438 std::string newFlag = "";
439 uint16_t numFlags = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
440 for (uint16_t i = 0; i < numFlags; ++i) {
441 newFlag += std::string(audio_output_flag_to_string(
442 getValueFromVector<audio_output_flags_t>(mFdp, kAudioOutputFlags)));
443 if (i != (numFlags - 1)) {
444 newFlag += std::string("|");
445 }
446 }
447 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newFlag.c_str()));
448 }
449 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("samplingRates"))) {
450 std::string newRate = "";
451 uint16_t numRates = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
452 for (uint16_t i = 0; i < numRates; ++i) {
453 newRate += std::to_string(getValueFromVector<uint32_t>(mFdp, kSamplingRates));
454 if (i != (numRates - 1)) {
455 newRate += std::string(",");
456 }
457 }
458 xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newRate.c_str()));
459 }
460 if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("channelMasks"))) {
461 int isOutMask = -1;
462 char *value =
463 reinterpret_cast<char *>(xmlNodeListGetString(pDoc, attribute->children, 1));
464 if (std::string(value).find(std::string("_OUT_")) != std::string::npos) {
465 // OUT mask
466 isOutMask = 1;
467 } else if (std::string(value).find(std::string("_IN_")) != std::string::npos) {
468 // IN mask
469 isOutMask = 0;
470 }
471 if (isOutMask != -1) {
472 std::string newMask = "";
473 uint16_t numMasks = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
474 for (uint16_t i = 0; i < numMasks; ++i) {
475 if (isOutMask) {
476 newMask += std::string(audio_channel_out_mask_to_string(
477 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks)));
478 } else {
479 newMask += std::string(audio_channel_in_mask_to_string(
480 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks)));
481 }
482 if (i != (numMasks - 1)) {
483 newMask += std::string(",");
484 }
485 }
486 xmlSetProp(curr, attribute->name,
487 reinterpret_cast<const xmlChar *>(newMask.c_str()));
488 }
489 xmlFree(value);
490 }
491 attribute = attribute->next;
492 }
493
494 curr = curr->xmlChildrenNode;
495 while (curr != nullptr) {
496 traverseAndFuzzXML(pDoc, curr);
497 curr = curr->next;
498 }
499 }
500
fuzzXML(std::string xmlPath)501 std::string AudioPolicyManagerFuzzerWithConfigurationFile::fuzzXML(std::string xmlPath) {
502 std::string outPath = sFuzzedConfig;
503
504 // Load in the xml file from disk
505 xmlDocPtr pDoc = xmlParseFile(xmlPath.c_str());
506 xmlNodePtr root = xmlDocGetRootElement(pDoc);
507
508 traverseAndFuzzXML(pDoc, root);
509
510 // Save the document back out to disk.
511 xmlSaveFileEnc(outPath.c_str(), pDoc, "UTF-8");
512 xmlFreeDoc(pDoc);
513
514 return outPath;
515 }
516
517 class AudioPolicyManagerFuzzerMsd : public AudioPolicyManagerFuzzerWithConfigurationFile {
518 public:
AudioPolicyManagerFuzzerMsd(FuzzedDataProvider * fdp)519 explicit AudioPolicyManagerFuzzerMsd(FuzzedDataProvider *fdp)
520 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp) {}
521
522 protected:
523 std::string getConfigFile() override;
524
525 static inline const std::string sMsdConfig =
526 sExecutableDir + "data/test_audio_policy_msd_configuration.xml";
527 };
528
getConfigFile()529 std::string AudioPolicyManagerFuzzerMsd::getConfigFile() { return fuzzXML(sMsdConfig); }
530
531 using PolicyMixTuple = std::tuple<audio_usage_t, audio_source_t, uint32_t>;
532
533 class AudioPolicyManagerFuzzerDynamicPolicy : public AudioPolicyManagerFuzzerWithConfigurationFile {
534 public:
AudioPolicyManagerFuzzerDynamicPolicy(FuzzedDataProvider * fdp)535 explicit AudioPolicyManagerFuzzerDynamicPolicy(FuzzedDataProvider *fdp)
536 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
537 ~AudioPolicyManagerFuzzerDynamicPolicy() override;
538 void process() override;
539
540 protected:
541 status_t addPolicyMix(int mixType, int mixFlag, audio_devices_t deviceType,
542 std::string mixAddress, const audio_config_t &audioConfig,
543 const std::vector<PolicyMixTuple> &rules);
544 void clearPolicyMix();
545 void registerPolicyMixes();
546 void unregisterPolicyMixes();
547
548 Vector<AudioMix> mAudioMixes;
549 const std::string mMixAddress = "remote_submix_media";
550 };
551
~AudioPolicyManagerFuzzerDynamicPolicy()552 AudioPolicyManagerFuzzerDynamicPolicy::~AudioPolicyManagerFuzzerDynamicPolicy() {
553 clearPolicyMix();
554 }
555
addPolicyMix(int mixType,int mixFlag,audio_devices_t deviceType,std::string mixAddress,const audio_config_t & audioConfig,const std::vector<PolicyMixTuple> & rules)556 status_t AudioPolicyManagerFuzzerDynamicPolicy::addPolicyMix(
557 int mixType, int mixFlag, audio_devices_t deviceType, std::string mixAddress,
558 const audio_config_t &audioConfig, const std::vector<PolicyMixTuple> &rules) {
559 std::vector<AudioMixMatchCriterion> myMixMatchCriteria;
560
561 myMixMatchCriteria.reserve(rules.size());
562 for (const auto &rule : rules) {
563 myMixMatchCriteria.push_back(
564 AudioMixMatchCriterion(std::get<0>(rule), std::get<1>(rule), std::get<2>(rule)));
565 }
566
567 AudioMix myAudioMix(myMixMatchCriteria, mixType, audioConfig, mixFlag,
568 String8(mixAddress.c_str()), 0);
569 myAudioMix.mDeviceType = deviceType;
570 // Clear mAudioMix before add new one to make sure we don't add already existing mixes.
571 mAudioMixes.clear();
572 mAudioMixes.add(myAudioMix);
573
574 // As the policy mixes registration may fail at some case,
575 // caller need to check the returned status.
576 status_t ret = mManager->registerPolicyMixes(mAudioMixes);
577 return ret;
578 }
579
clearPolicyMix()580 void AudioPolicyManagerFuzzerDynamicPolicy::clearPolicyMix() {
581 if (mManager != nullptr) {
582 mManager->unregisterPolicyMixes(mAudioMixes);
583 }
584 mAudioMixes.clear();
585 }
586
registerPolicyMixes()587 void AudioPolicyManagerFuzzerDynamicPolicy::registerPolicyMixes() {
588 const uint32_t numPolicies = mFdp->ConsumeIntegralInRange<uint32_t>(1, MAX_MIXES_PER_POLICY);
589
590 for (int i = 0; i < numPolicies; ++i) {
591 audio_config_t audioConfig = AUDIO_CONFIG_INITIALIZER;
592 audioConfig.channel_mask = getValueFromVector<audio_channel_mask_t>(
593 mFdp, mFdp->ConsumeBool() ? kAudioChannelInMasks : kAudioChannelOutMasks);
594 audioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
595 audioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
596 addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
597 getValueFromVector<int>(mFdp, kMixRouteFlags),
598 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), "", audioConfig,
599 std::vector<PolicyMixTuple>());
600 }
601 }
602
unregisterPolicyMixes()603 void AudioPolicyManagerFuzzerDynamicPolicy::unregisterPolicyMixes() {
604 mManager->unregisterPolicyMixes(mAudioMixes);
605 }
606
process()607 void AudioPolicyManagerFuzzerDynamicPolicy::process() {
608 if (initialize()) {
609 registerPolicyMixes();
610 fuzzPatchCreation();
611 unregisterPolicyMixes();
612 }
613 }
614
615 class AudioPolicyManagerFuzzerDPNoRemoteSubmixModule
616 : public AudioPolicyManagerFuzzerDynamicPolicy {
617 public:
AudioPolicyManagerFuzzerDPNoRemoteSubmixModule(FuzzedDataProvider * fdp)618 explicit AudioPolicyManagerFuzzerDPNoRemoteSubmixModule(FuzzedDataProvider *fdp)
619 : AudioPolicyManagerFuzzerDynamicPolicy(fdp){};
620
621 protected:
622 std::string getConfigFile() override;
623
624 static inline const std::string sPrimaryOnlyConfig =
625 sExecutableDir + "data/test_audio_policy_primary_only_configuration.xml";
626 };
627
getConfigFile()628 std::string AudioPolicyManagerFuzzerDPNoRemoteSubmixModule::getConfigFile() {
629 return fuzzXML(sPrimaryOnlyConfig);
630 }
631
632 class AudioPolicyManagerFuzzerDPPlaybackReRouting : public AudioPolicyManagerFuzzerDynamicPolicy {
633 public:
634 explicit AudioPolicyManagerFuzzerDPPlaybackReRouting(FuzzedDataProvider *fdp);
635 ~AudioPolicyManagerFuzzerDPPlaybackReRouting() override;
636 void process() override;
637
638 protected:
639 bool initialize() override;
640 void playBackReRouting();
641
642 std::unique_ptr<RecordingActivityTracker> mTracker;
643
644 std::vector<PolicyMixTuple> mUsageRules = {
645 {AUDIO_USAGE_MEDIA, AUDIO_SOURCE_DEFAULT, RULE_MATCH_ATTRIBUTE_USAGE},
646 {AUDIO_USAGE_ALARM, AUDIO_SOURCE_DEFAULT, RULE_MATCH_ATTRIBUTE_USAGE}};
647
648 struct audio_port_v7 mInjectionPort;
649 audio_port_handle_t mPortId = AUDIO_PORT_HANDLE_NONE;
650 audio_config_t mAudioConfig;
651 };
652
AudioPolicyManagerFuzzerDPPlaybackReRouting(FuzzedDataProvider * fdp)653 AudioPolicyManagerFuzzerDPPlaybackReRouting::AudioPolicyManagerFuzzerDPPlaybackReRouting(
654 FuzzedDataProvider *fdp)
655 : AudioPolicyManagerFuzzerDynamicPolicy(fdp) {
656 const uint32_t numRules = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
657 for (int i = 0; i < numRules; ++i) {
658 PolicyMixTuple rule = {getValueFromVector<audio_usage_t>(mFdp, kAudioUsages),
659 getValueFromVector<audio_source_t>(mFdp, kAudioSources),
660 RULE_MATCH_ATTRIBUTE_USAGE};
661 mUsageRules.push_back(rule);
662 }
663 }
664
~AudioPolicyManagerFuzzerDPPlaybackReRouting()665 AudioPolicyManagerFuzzerDPPlaybackReRouting::~AudioPolicyManagerFuzzerDPPlaybackReRouting() {
666 if (mManager) {
667 mManager->stopInput(mPortId);
668 }
669 }
670
initialize()671 bool AudioPolicyManagerFuzzerDPPlaybackReRouting::initialize() {
672 if (!AudioPolicyManagerFuzzerDynamicPolicy::initialize()) {
673 return false;
674 }
675 mTracker.reset(new RecordingActivityTracker());
676
677 mAudioConfig = AUDIO_CONFIG_INITIALIZER;
678 mAudioConfig.channel_mask =
679 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks);
680 mAudioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
681 mAudioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
682 status_t ret = addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
683 getValueFromVector<int>(mFdp, kMixRouteFlags),
684 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
685 mMixAddress, mAudioConfig, mUsageRules);
686 if (ret != NO_ERROR) {
687 return false;
688 }
689
690 struct audio_port_v7 extractionPort;
691 findDevicePort(AUDIO_PORT_ROLE_SOURCE, getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
692 mMixAddress, &extractionPort);
693
694 audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
695 audio_source_t source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
696 audio_attributes_t attr = {AUDIO_CONTENT_TYPE_UNKNOWN, AUDIO_USAGE_UNKNOWN, source,
697 AUDIO_FLAG_NONE, ""};
698 std::string tags = "addr=" + mMixAddress;
699 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
700 getInputForAttr(attr, mTracker->getRiid(), &selectedDeviceId, mAudioConfig.format,
701 mAudioConfig.channel_mask, mAudioConfig.sample_rate, AUDIO_INPUT_FLAG_NONE,
702 &mPortId);
703
704 ret = mManager->startInput(mPortId);
705 if (ret != NO_ERROR) {
706 return false;
707 }
708 if (!findDevicePort(AUDIO_PORT_ROLE_SINK,
709 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), mMixAddress,
710 &mInjectionPort)) {
711 return false;
712 }
713
714 return true;
715 }
716
playBackReRouting()717 void AudioPolicyManagerFuzzerDPPlaybackReRouting::playBackReRouting() {
718 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
719 for (int i = 0; i < numTestCases; ++i) {
720 audio_attributes_t attr;
721 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
722 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
723 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
724 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
725 std::string tags(mFdp->ConsumeBool() ? "" : "addr=remote_submix_media");
726 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
727
728 DeviceIdVector playbackRoutedPortIds;
729 getOutputForAttr(&playbackRoutedPortIds, mAudioConfig.format, mAudioConfig.channel_mask,
730 mAudioConfig.sample_rate, AUDIO_OUTPUT_FLAG_NONE, nullptr /*output*/,
731 nullptr /*portId*/, attr);
732 }
733 }
734
process()735 void AudioPolicyManagerFuzzerDPPlaybackReRouting::process() {
736 if (initialize()) {
737 playBackReRouting();
738 registerPolicyMixes();
739 fuzzPatchCreation();
740 unregisterPolicyMixes();
741 }
742 }
743
744 class AudioPolicyManagerFuzzerDPMixRecordInjection : public AudioPolicyManagerFuzzerDynamicPolicy {
745 public:
746 explicit AudioPolicyManagerFuzzerDPMixRecordInjection(FuzzedDataProvider *fdp);
747 ~AudioPolicyManagerFuzzerDPMixRecordInjection() override;
748 void process() override;
749
750 protected:
751 bool initialize() override;
752 void recordingInjection();
753
754 std::unique_ptr<RecordingActivityTracker> mTracker;
755
756 std::vector<PolicyMixTuple> mSourceRules = {
757 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_CAMCORDER, RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET},
758 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_MIC, RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET},
759 {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_VOICE_COMMUNICATION,
760 RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET}};
761
762 struct audio_port_v7 mExtractionPort;
763 audio_port_handle_t mPortId = AUDIO_PORT_HANDLE_NONE;
764 audio_config_t mAudioConfig;
765 };
766
AudioPolicyManagerFuzzerDPMixRecordInjection(FuzzedDataProvider * fdp)767 AudioPolicyManagerFuzzerDPMixRecordInjection::AudioPolicyManagerFuzzerDPMixRecordInjection(
768 FuzzedDataProvider *fdp)
769 : AudioPolicyManagerFuzzerDynamicPolicy(fdp) {
770 const uint32_t numRules = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
771 for (int i = 0; i < numRules; ++i) {
772 PolicyMixTuple rule = {getValueFromVector<audio_usage_t>(mFdp, kAudioUsages),
773 getValueFromVector<audio_source_t>(mFdp, kAudioSources),
774 RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET};
775 mSourceRules.push_back(rule);
776 }
777 }
778
~AudioPolicyManagerFuzzerDPMixRecordInjection()779 AudioPolicyManagerFuzzerDPMixRecordInjection::~AudioPolicyManagerFuzzerDPMixRecordInjection() {
780 if (mManager) {
781 mManager->stopOutput(mPortId);
782 }
783 }
784
initialize()785 bool AudioPolicyManagerFuzzerDPMixRecordInjection::initialize() {
786 if (!AudioPolicyManagerFuzzerDynamicPolicy::initialize()) {
787 return false;
788 }
789
790 mTracker.reset(new RecordingActivityTracker());
791
792 mAudioConfig = AUDIO_CONFIG_INITIALIZER;
793 mAudioConfig.channel_mask =
794 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks);
795 mAudioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
796 mAudioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
797 status_t ret = addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
798 getValueFromVector<int>(mFdp, kMixRouteFlags),
799 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
800 mMixAddress, mAudioConfig, mSourceRules);
801 if (ret != NO_ERROR) {
802 return false;
803 }
804
805 struct audio_port_v7 injectionPort;
806 findDevicePort(AUDIO_PORT_ROLE_SINK, getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
807 mMixAddress, &injectionPort);
808
809 DeviceIdVector selectedDeviceIds;
810 audio_usage_t usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
811 audio_attributes_t attr = {AUDIO_CONTENT_TYPE_UNKNOWN, usage, AUDIO_SOURCE_DEFAULT,
812 AUDIO_FLAG_NONE, ""};
813 std::string tags = std::string("addr=") + mMixAddress;
814 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
815 getOutputForAttr(&selectedDeviceIds, mAudioConfig.format, mAudioConfig.channel_mask,
816 mAudioConfig.sample_rate /*sampleRate*/, AUDIO_OUTPUT_FLAG_NONE,
817 nullptr /*output*/, &mPortId, attr);
818 ret = mManager->startOutput(mPortId);
819 if (ret != NO_ERROR) {
820 return false;
821 }
822 getDeviceIdFromPatch(mClient->getLastAddedPatch());
823 if (!findDevicePort(AUDIO_PORT_ROLE_SOURCE,
824 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), mMixAddress,
825 &mExtractionPort)) {
826 return false;
827 }
828
829 return true;
830 }
831
recordingInjection()832 void AudioPolicyManagerFuzzerDPMixRecordInjection::recordingInjection() {
833 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
834 for (int i = 0; i < numTestCases; ++i) {
835 audio_attributes_t attr;
836 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
837 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
838 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
839 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
840 std::string tags(mFdp->ConsumeBool() ? "" : "addr=remote_submix_media");
841 strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
842
843 audio_port_handle_t captureRoutedPortId = AUDIO_PORT_HANDLE_NONE;
844 audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE;
845 getInputForAttr(attr, mTracker->getRiid(), &captureRoutedPortId, mAudioConfig.format,
846 mAudioConfig.channel_mask, mAudioConfig.sample_rate, AUDIO_INPUT_FLAG_NONE,
847 &portId);
848 }
849 }
850
process()851 void AudioPolicyManagerFuzzerDPMixRecordInjection::process() {
852 if (initialize()) {
853 recordingInjection();
854 registerPolicyMixes();
855 fuzzPatchCreation();
856 unregisterPolicyMixes();
857 }
858 }
859
860 using DeviceConnectionTestParams =
861 std::tuple<audio_devices_t /*type*/, std::string /*name*/, std::string /*address*/>;
862
863 class AudioPolicyManagerFuzzerDeviceConnection
864 : public AudioPolicyManagerFuzzerWithConfigurationFile {
865 public:
AudioPolicyManagerFuzzerDeviceConnection(FuzzedDataProvider * fdp)866 explicit AudioPolicyManagerFuzzerDeviceConnection(FuzzedDataProvider *fdp)
867 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
868 void process() override;
869
870 void fuzzGetDirectPlaybackSupport();
871 void fuzzGetDirectProfilesForAttributes();
872
873 protected:
874 void setDeviceConnectionState();
875 void explicitlyRoutingAfterConnection();
876 };
877
setDeviceConnectionState()878 void AudioPolicyManagerFuzzerDeviceConnection::setDeviceConnectionState() {
879 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
880 for (int i = 0; i < numTestCases; ++i) {
881 const audio_devices_t type = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
882 const std::string name = mFdp->ConsumeRandomLengthString();
883 const std::string address = mFdp->ConsumeRandomLengthString();
884 mManager->setDeviceConnectionState(
885 type, getValueFromVector<audio_policy_dev_state_t>(mFdp, kAudioPolicyDeviceStates),
886 address.c_str(), name.c_str(), getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
887 }
888 }
889
explicitlyRoutingAfterConnection()890 void AudioPolicyManagerFuzzerDeviceConnection::explicitlyRoutingAfterConnection() {
891 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
892 for (int i = 0; i < numTestCases; ++i) {
893 const audio_devices_t type = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
894 const std::string name = mFdp->ConsumeRandomLengthString();
895 const std::string address = mFdp->ConsumeRandomLengthString();
896 mManager->setDeviceConnectionState(
897 type, getValueFromVector<audio_policy_dev_state_t>(mFdp, kAudioPolicyDeviceStates),
898 address.c_str(), name.c_str(), getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
899
900 audio_port_v7 devicePort;
901 const audio_port_role_t role =
902 audio_is_output_device(type) ? AUDIO_PORT_ROLE_SINK : AUDIO_PORT_ROLE_SOURCE;
903 findDevicePort(role, type, address, &devicePort);
904
905 // Try start input or output according to the device type
906 if (audio_is_output_devices(type)) {
907 DeviceIdVector routedPortIds = { devicePort.id };
908 getOutputForAttr(&routedPortIds,
909 getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
910 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks),
911 getValueFromVector<uint32_t>(mFdp, kSamplingRates),
912 AUDIO_OUTPUT_FLAG_NONE);
913 } else if (audio_is_input_device(type)) {
914 RecordingActivityTracker tracker;
915 audio_port_handle_t routedPortId = devicePort.id;
916 getInputForAttr({}, tracker.getRiid(), &routedPortId,
917 getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
918 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks),
919 getValueFromVector<uint32_t>(mFdp, kSamplingRates),
920 AUDIO_INPUT_FLAG_NONE);
921 }
922 }
923 }
924
fuzzGetDirectPlaybackSupport()925 void AudioPolicyManagerFuzzerDeviceConnection::fuzzGetDirectPlaybackSupport() {
926 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
927 for (int i = 0; i < numTestCases; ++i) {
928 audio_attributes_t attr = AUDIO_ATTRIBUTES_INITIALIZER;
929 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
930 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
931 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
932 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
933 audio_config_t config = AUDIO_CONFIG_INITIALIZER;
934 config.channel_mask = getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks);
935 config.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
936 config.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
937 mManager->getDirectPlaybackSupport(&attr, &config);
938 }
939 }
940
fuzzGetDirectProfilesForAttributes()941 void AudioPolicyManagerFuzzerDeviceConnection::fuzzGetDirectProfilesForAttributes() {
942 const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
943 for (int i = 0; i < numTestCases; ++i) {
944 AudioProfileVector audioProfiles;
945 audio_attributes_t attr = AUDIO_ATTRIBUTES_INITIALIZER;
946 attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
947 attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
948 attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
949 attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
950 mManager->getDirectProfilesForAttributes(&attr, audioProfiles);
951 }
952 }
953
process()954 void AudioPolicyManagerFuzzerDeviceConnection::process() {
955 if (initialize()) {
956 setDeviceConnectionState();
957 explicitlyRoutingAfterConnection();
958 fuzzGetDirectPlaybackSupport();
959 fuzzGetDirectProfilesForAttributes();
960 fuzzPatchCreation();
961 }
962 }
963
964 class AudioPolicyManagerTVFuzzer : public AudioPolicyManagerFuzzerWithConfigurationFile {
965 public:
AudioPolicyManagerTVFuzzer(FuzzedDataProvider * fdp)966 explicit AudioPolicyManagerTVFuzzer(FuzzedDataProvider *fdp)
967 : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
968 void process() override;
969
970 protected:
971 std::string getConfigFile();
972 void testHDMIPortSelection(audio_output_flags_t flags);
973
974 static inline const std::string sTvConfig =
975 AudioPolicyManagerTVFuzzer::sExecutableDir + "data/test_tv_apm_configuration.xml";
976 };
977
getConfigFile()978 std::string AudioPolicyManagerTVFuzzer::getConfigFile() { return fuzzXML(sTvConfig); }
979
testHDMIPortSelection(audio_output_flags_t flags)980 void AudioPolicyManagerTVFuzzer::testHDMIPortSelection(audio_output_flags_t flags) {
981 audio_devices_t audioDevice = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
982 audio_format_t audioFormat = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
983 status_t ret = mManager->setDeviceConnectionState(
984 audioDevice, AUDIO_POLICY_DEVICE_STATE_AVAILABLE, "" /*address*/, "" /*name*/, audioFormat);
985 if (ret != NO_ERROR) {
986 return;
987 }
988 DeviceIdVector selectedDeviceIds;
989 audio_io_handle_t output;
990 audio_port_handle_t portId;
991 getOutputForAttr(&selectedDeviceIds, getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
992 getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks),
993 getValueFromVector<uint32_t>(mFdp, kSamplingRates), flags, &output, &portId);
994 sp<SwAudioOutputDescriptor> outDesc = mManager->getOutputs().valueFor(output);
995 if (outDesc.get() == nullptr) {
996 return;
997 }
998 audio_port_v7 port = {};
999 outDesc->toAudioPort(&port);
1000 mManager->releaseOutput(portId);
1001 mManager->setDeviceConnectionState(audioDevice, AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE,
1002 "" /*address*/, "" /*name*/, audioFormat);
1003 }
1004
process()1005 void AudioPolicyManagerTVFuzzer::process() {
1006 if (initialize()) {
1007 testHDMIPortSelection(getValueFromVector<audio_output_flags_t>(mFdp, kAudioOutputFlags));
1008 fuzzPatchCreation();
1009 }
1010 }
1011
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)1012 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
1013 if (size < 1) {
1014 return 0;
1015 }
1016 FuzzedDataProvider fdp = FuzzedDataProvider(data, size);
1017 while (fdp.remaining_bytes() > 0) {
1018 AudioPolicyManagerFuzzer audioPolicyManagerFuzzer(&fdp);
1019 audioPolicyManagerFuzzer.process();
1020
1021 AudioPolicyManagerFuzzerMsd audioPolicyManagerFuzzerMsd(&fdp);
1022 audioPolicyManagerFuzzerMsd.process();
1023
1024 AudioPolicyManagerFuzzerWithConfigurationFile audioPolicyManagerFuzzerWithConfigurationFile(
1025 &fdp);
1026 audioPolicyManagerFuzzerWithConfigurationFile.process();
1027
1028 AudioPolicyManagerFuzzerDynamicPolicy audioPolicyManagerFuzzerDynamicPolicy(&fdp);
1029 audioPolicyManagerFuzzerDynamicPolicy.process();
1030
1031 AudioPolicyManagerFuzzerDPNoRemoteSubmixModule
1032 audioPolicyManagerFuzzerDPNoRemoteSubmixModule(&fdp);
1033 audioPolicyManagerFuzzerDPNoRemoteSubmixModule.process();
1034
1035 AudioPolicyManagerFuzzerDPPlaybackReRouting audioPolicyManagerFuzzerDPPlaybackReRouting(
1036 &fdp);
1037 audioPolicyManagerFuzzerDPPlaybackReRouting.process();
1038
1039 AudioPolicyManagerFuzzerDPMixRecordInjection audioPolicyManagerFuzzerDPMixRecordInjection(
1040 &fdp);
1041 audioPolicyManagerFuzzerDPMixRecordInjection.process();
1042
1043 AudioPolicyManagerFuzzerDeviceConnection audioPolicyManagerFuzzerDeviceConnection(&fdp);
1044 audioPolicyManagerFuzzerDeviceConnection.process();
1045
1046 AudioPolicyManagerTVFuzzer audioPolicyManagerTVFuzzer(&fdp);
1047 audioPolicyManagerTVFuzzer.process();
1048 }
1049 return 0;
1050 }
1051