audioflinger_fuzzer : Avoid configuration of invalid values
This update avoids configuring of invalid values which lead to abort
Test: ./audioflinger_fuzzer -rss_limit_mb=2560 -timeout=90 -runs=100
clusterfuzz-testcase-minimized-audioflinger_fuzzer-5701813725167616
Bug: 180357329
Change-Id: Iedc5d35e3f0c445c6e9278292462e0edf6c022f0
(cherry picked from commit 95b1327f7d6b0ff127960dd6012414ea1e8f8169)
diff --git a/media/libaudioclient/fuzzer/audioflinger_fuzzer.cpp b/media/libaudioclient/fuzzer/audioflinger_fuzzer.cpp
index db2b0b8..84309ee 100644
--- a/media/libaudioclient/fuzzer/audioflinger_fuzzer.cpp
+++ b/media/libaudioclient/fuzzer/audioflinger_fuzzer.cpp
@@ -35,6 +35,10 @@
#define MAX_STRING_LENGTH 256
#define MAX_ARRAY_LENGTH 256
+constexpr int32_t kMinSampleRateHz = 4000;
+constexpr int32_t kMaxSampleRateHz = 192000;
+constexpr int32_t kSampleRateUnspecified = 0;
+
using namespace std;
using namespace android;
@@ -130,29 +134,20 @@
xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_output_flag_from_string, "_OUTPUT_");
template <typename T, size_t size>
-T getValueFromArray(FuzzedDataProvider *fdp, const T (&arr)[size]) {
- return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];
-}
-
-template <typename T, size_t size>
T getValue(FuzzedDataProvider *fdp, const T (&arr)[size]) {
- if (fdp->ConsumeBool()) {
- return static_cast<T>(fdp->ConsumeIntegral<int32_t>());
- }
- return getValueFromArray(fdp, arr);
-}
-
-template <typename T>
-T getValueFromVector(FuzzedDataProvider *fdp, std::vector<T> vec) {
- return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];
+ return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];
}
template <typename T>
T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {
+ return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];
+}
+
+int32_t getSampleRate(FuzzedDataProvider *fdp) {
if (fdp->ConsumeBool()) {
- return static_cast<T>(fdp->ConsumeIntegral<int32_t>());
+ return fdp->ConsumeIntegralInRange<int32_t>(kMinSampleRateHz, kMaxSampleRateHz);
}
- return getValueFromVector(fdp, vec);
+ return kSampleRateUnspecified;
}
class DeathNotifier : public IBinder::DeathRecipient {
@@ -189,7 +184,7 @@
}
void AudioFlingerFuzzer::invokeAudioTrack() {
- uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();
+ uint32_t sampleRate = getSampleRate(&mFdp);
audio_format_t format = getValue(&mFdp, kFormats);
audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
@@ -259,7 +254,7 @@
float auxEffectSendLevel;
track->getAuxEffectSendLevel(&auxEffectSendLevel);
- track->setSampleRate(mFdp.ConsumeIntegral<uint32_t>());
+ track->setSampleRate(getSampleRate(&mFdp));
track->getSampleRate();
track->getOriginalSampleRate();
@@ -292,7 +287,7 @@
void AudioFlingerFuzzer::invokeAudioRecord() {
int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
- uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();
+ uint32_t sampleRate = getSampleRate(&mFdp);
size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
audio_format_t format = getValue(&mFdp, kFormats);
audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
@@ -518,7 +513,7 @@
AudioSystem::getFrameCountHAL(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
size_t buffSize;
- uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();
+ uint32_t sampleRate = getSampleRate(&mFdp);
audio_format_t format = getValue(&mFdp, kFormats);
audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
AudioSystem::getInputBufferSize(sampleRate, format, channelMask, &buffSize);
@@ -572,12 +567,12 @@
config.offload_info.format = getValue(&mFdp, kFormats);
config.offload_info.has_video = mFdp.ConsumeBool();
config.offload_info.is_streaming = mFdp.ConsumeBool();
- config.offload_info.sample_rate = (mFdp.ConsumeIntegral<uint32_t>());
+ config.offload_info.sample_rate = getSampleRate(&mFdp);
config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
config.offload_info.usage = getValue(&mFdp, kUsages);
- config.sample_rate = mFdp.ConsumeIntegral<uint32_t>();
+ config.sample_rate = getSampleRate(&mFdp);
audio_devices_t device = getValue(&mFdp, kDevices);
audio_source_t source = getValue(&mFdp, kInputSources);
@@ -628,13 +623,13 @@
config.offload_info.format = getValue(&mFdp, kFormats);
config.offload_info.has_video = mFdp.ConsumeBool();
config.offload_info.is_streaming = mFdp.ConsumeBool();
- config.offload_info.sample_rate = mFdp.ConsumeIntegral<uint32_t>();
+ config.offload_info.sample_rate = getSampleRate(&mFdp);
config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
config.offload_info.usage = getValue(&mFdp, kUsages);
config.format = getValue(&mFdp, kFormats);
- config.sample_rate = mFdp.ConsumeIntegral<uint32_t>();
+ config.sample_rate = getSampleRate(&mFdp);
sp<DeviceDescriptorBase> device = new DeviceDescriptorBase(getValue(&mFdp, kDevices));
audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
@@ -683,7 +678,7 @@
patch.sources[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
patch.sources[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
patch.sources[i].role = getValue(&mFdp, kPortRoles);
- patch.sources[i].sample_rate = mFdp.ConsumeIntegral<uint32_t>();
+ patch.sources[i].sample_rate = getSampleRate(&mFdp);
patch.sources[i].type = getValue(&mFdp, kPortTypes);
patch.sinks[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
@@ -695,7 +690,7 @@
patch.sinks[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
patch.sinks[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
patch.sinks[i].role = getValue(&mFdp, kPortRoles);
- patch.sinks[i].sample_rate = mFdp.ConsumeIntegral<uint32_t>();
+ patch.sinks[i].sample_rate = getSampleRate(&mFdp);
patch.sinks[i].type = getValue(&mFdp, kPortTypes);
}