Gitiles
Code Review Sign In
review.evervolv.com / android_frameworks_av / 6d988df316533c7e189b266ad01e66356b6992d1 / . / media / libaudioclient / fuzzer / audioflinger_fuzzer.cpp
blob: 84309ee27676b11ea104ff04b0d2ab33dca1f08e [file] [log] [blame]
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18/**
19 * NOTE
20 * 1) The input to AudioFlinger binder calls are fuzzed in this fuzzer
21 * 2) AudioFlinger crashes due to the fuzzer are detected by the
22 Binder DeathRecipient, where the fuzzer aborts if AudioFlinger dies
23 */
24
25#include <android_audio_policy_configuration_V7_0-enums.h>
26#include <binder/IServiceManager.h>
27#include <binder/MemoryDealer.h>
28#include <media/AudioEffect.h>
29#include <media/AudioRecord.h>
30#include <media/AudioSystem.h>
31#include <media/AudioTrack.h>
32#include <media/IAudioFlinger.h>
33#include "fuzzer/FuzzedDataProvider.h"
34
35#define MAX_STRING_LENGTH 256
36#define MAX_ARRAY_LENGTH 256
37
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]38constexpr int32_t kMinSampleRateHz = 4000;
39constexpr int32_t kMaxSampleRateHz = 192000;
40constexpr int32_t kSampleRateUnspecified = 0;
41
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]42using namespace std;
43using namespace android;
44
45namespace xsd {
46using namespace ::android::audio::policy::configuration::V7_0;
47}
48
49constexpr audio_unique_id_use_t kUniqueIds[] = {
50 AUDIO_UNIQUE_ID_USE_UNSPECIFIED, AUDIO_UNIQUE_ID_USE_SESSION, AUDIO_UNIQUE_ID_USE_MODULE,
51 AUDIO_UNIQUE_ID_USE_EFFECT, AUDIO_UNIQUE_ID_USE_PATCH, AUDIO_UNIQUE_ID_USE_OUTPUT,
52 AUDIO_UNIQUE_ID_USE_INPUT, AUDIO_UNIQUE_ID_USE_CLIENT, AUDIO_UNIQUE_ID_USE_MAX,
53};
54
55constexpr audio_mode_t kModes[] = {
56 AUDIO_MODE_INVALID, AUDIO_MODE_CURRENT, AUDIO_MODE_NORMAL, AUDIO_MODE_RINGTONE,
57 AUDIO_MODE_IN_CALL, AUDIO_MODE_IN_COMMUNICATION, AUDIO_MODE_CALL_SCREEN};
58
59constexpr audio_session_t kSessionId[] = {AUDIO_SESSION_NONE, AUDIO_SESSION_OUTPUT_STAGE,
60 AUDIO_SESSION_DEVICE};
61
62constexpr audio_encapsulation_mode_t kEncapsulation[] = {
63 AUDIO_ENCAPSULATION_MODE_NONE,
64 AUDIO_ENCAPSULATION_MODE_ELEMENTARY_STREAM,
65 AUDIO_ENCAPSULATION_MODE_HANDLE,
66};
67
68constexpr audio_port_role_t kPortRoles[] = {
69 AUDIO_PORT_ROLE_NONE,
70 AUDIO_PORT_ROLE_SOURCE,
71 AUDIO_PORT_ROLE_SINK,
72};
73
74constexpr audio_port_type_t kPortTypes[] = {
75 AUDIO_PORT_TYPE_NONE,
76 AUDIO_PORT_TYPE_DEVICE,
77 AUDIO_PORT_TYPE_MIX,
78 AUDIO_PORT_TYPE_SESSION,
79};
80
81template <typename T, typename X, typename FUNC>
82std::vector<T> getFlags(const xsdc_enum_range<X> &range, const FUNC &func,
83 const std::string &findString = {}) {
84 std::vector<T> vec;
85 for (const auto &xsdEnumVal : range) {
86 T enumVal;
87 std::string enumString = toString(xsdEnumVal);
88 if (enumString.find(findString) != std::string::npos &&
89 func(enumString.c_str(), &enumVal)) {
90 vec.push_back(enumVal);
91 }
92 }
93 return vec;
94}
95
96static const std::vector<audio_stream_type_t> kStreamtypes =
97 getFlags<audio_stream_type_t, xsd::AudioStreamType, decltype(audio_stream_type_from_string)>(
98 xsdc_enum_range<xsd::AudioStreamType>{}, audio_stream_type_from_string);
99
100static const std::vector<audio_format_t> kFormats =
101 getFlags<audio_format_t, xsd::AudioFormat, decltype(audio_format_from_string)>(
102 xsdc_enum_range<xsd::AudioFormat>{}, audio_format_from_string);
103
104static const std::vector<audio_channel_mask_t> kChannelMasks =
105 getFlags<audio_channel_mask_t, xsd::AudioChannelMask, decltype(audio_channel_mask_from_string)>(
106 xsdc_enum_range<xsd::AudioChannelMask>{}, audio_channel_mask_from_string);
107
108static const std::vector<audio_usage_t> kUsages =
109 getFlags<audio_usage_t, xsd::AudioUsage, decltype(audio_usage_from_string)>(
110 xsdc_enum_range<xsd::AudioUsage>{}, audio_usage_from_string);
111
112static const std::vector<audio_content_type_t> kContentType =
113 getFlags<audio_content_type_t, xsd::AudioContentType, decltype(audio_content_type_from_string)>(
114 xsdc_enum_range<xsd::AudioContentType>{}, audio_content_type_from_string);
115
116static const std::vector<audio_source_t> kInputSources =
117 getFlags<audio_source_t, xsd::AudioSource, decltype(audio_source_from_string)>(
118 xsdc_enum_range<xsd::AudioSource>{}, audio_source_from_string);
119
120static const std::vector<audio_gain_mode_t> kGainModes =
121 getFlags<audio_gain_mode_t, xsd::AudioGainMode, decltype(audio_gain_mode_from_string)>(
122 xsdc_enum_range<xsd::AudioGainMode>{}, audio_gain_mode_from_string);
123
124static const std::vector<audio_devices_t> kDevices =
125 getFlags<audio_devices_t, xsd::AudioDevice, decltype(audio_device_from_string)>(
126 xsdc_enum_range<xsd::AudioDevice>{}, audio_device_from_string);
127
128static const std::vector<audio_input_flags_t> kInputFlags =
129 getFlags<audio_input_flags_t, xsd::AudioInOutFlag, decltype(audio_input_flag_from_string)>(
130 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_input_flag_from_string, "_INPUT_");
131
132static const std::vector<audio_output_flags_t> kOutputFlags =
133 getFlags<audio_output_flags_t, xsd::AudioInOutFlag, decltype(audio_output_flag_from_string)>(
134 xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_output_flag_from_string, "_OUTPUT_");
135
136template <typename T, size_t size>
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]137T getValue(FuzzedDataProvider *fdp, const T (&arr)[size]) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]138 return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]139}
140
141template <typename T>
142T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]143 return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];
144}
145
146int32_t getSampleRate(FuzzedDataProvider *fdp) {
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]147 if (fdp->ConsumeBool()) {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]148 return fdp->ConsumeIntegralInRange<int32_t>(kMinSampleRateHz, kMaxSampleRateHz);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]149 }
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]150 return kSampleRateUnspecified;
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]151}
152
153class DeathNotifier : public IBinder::DeathRecipient {
154 public:
155 void binderDied(const wp<IBinder> &) { abort(); }
156};
157
158class AudioFlingerFuzzer {
159 public:
160 AudioFlingerFuzzer(const uint8_t *data, size_t size);
161 void process();
162
163 private:
164 FuzzedDataProvider mFdp;
165 void invokeAudioTrack();
166 void invokeAudioRecord();
167 status_t invokeAudioEffect();
168 void invokeAudioSystem();
169 status_t invokeAudioInputDevice();
170 status_t invokeAudioOutputDevice();
171 void invokeAudioPatch();
172
173 sp<DeathNotifier> mDeathNotifier;
174};
175
176AudioFlingerFuzzer::AudioFlingerFuzzer(const uint8_t *data, size_t size) : mFdp(data, size) {
177 sp<IServiceManager> sm = defaultServiceManager();
178 sp<IBinder> binder = sm->getService(String16("media.audio_flinger"));
179 if (binder == nullptr) {
180 return;
181 }
182 mDeathNotifier = new DeathNotifier();
183 binder->linkToDeath(mDeathNotifier);
184}
185
186void AudioFlingerFuzzer::invokeAudioTrack() {
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]187 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]188 audio_format_t format = getValue(&mFdp, kFormats);
189 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
190 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
191 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
192 uint32_t useSharedBuffer = mFdp.ConsumeBool();
193 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
194 audio_session_t sessionId = getValue(&mFdp, kSessionId);
195 audio_usage_t usage = getValue(&mFdp, kUsages);
196 audio_content_type_t contentType = getValue(&mFdp, kContentType);
197 audio_attributes_t attributes = {};
198 sp<IMemory> sharedBuffer;
199 sp<MemoryDealer> heap = nullptr;
200 audio_offload_info_t offloadInfo = AUDIO_INFO_INITIALIZER;
201
202 bool offload = false;
203 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
204
205 if (useSharedBuffer != 0) {
206 size_t heapSize = audio_channel_count_from_out_mask(channelMask) *
207 audio_bytes_per_sample(format) * frameCount;
208 heap = new MemoryDealer(heapSize, "AudioTrack Heap Base");
209 sharedBuffer = heap->allocate(heapSize);
210 frameCount = 0;
211 notificationFrames = 0;
212 }
213 if ((flags & AUDIO_OUTPUT_FLAG_COMPRESS_OFFLOAD) != 0) {
214 offloadInfo.sample_rate = sampleRate;
215 offloadInfo.channel_mask = channelMask;
216 offloadInfo.format = format;
217 offload = true;
218 }
219
220 attributes.content_type = contentType;
221 attributes.usage = usage;
222 sp<AudioTrack> track = new AudioTrack();
223
224 track->set(AUDIO_STREAM_DEFAULT, sampleRate, format, channelMask, frameCount, flags, nullptr,
225 nullptr, notificationFrames, sharedBuffer, false, sessionId,
226 ((fast && sharedBuffer == 0) || offload) ? AudioTrack::TRANSFER_CALLBACK
227 : AudioTrack::TRANSFER_DEFAULT,
228 offload ? &offloadInfo : nullptr, getuid(), getpid(), &attributes, false, 1.0f,
229 AUDIO_PORT_HANDLE_NONE);
230
231 status_t status = track->initCheck();
232 if (status != NO_ERROR) {
233 track.clear();
234 return;
235 }
236 track->getSampleRate();
237 track->latency();
238 track->getUnderrunCount();
239 track->streamType();
240 track->channelCount();
241 track->getNotificationPeriodInFrames();
242 uint32_t bufferSizeInFrames = mFdp.ConsumeIntegral<uint32_t>();
243 track->setBufferSizeInFrames(bufferSizeInFrames);
244 track->getBufferSizeInFrames();
245
246 int64_t duration = mFdp.ConsumeIntegral<int64_t>();
247 track->getBufferDurationInUs(&duration);
248 sp<IMemory> sharedBuffer2 = track->sharedBuffer();
249 track->setCallerName(mFdp.ConsumeRandomLengthString(MAX_STRING_LENGTH));
250
251 track->setVolume(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>());
252 track->setVolume(mFdp.ConsumeFloatingPoint<float>());
253 track->setAuxEffectSendLevel(mFdp.ConsumeFloatingPoint<float>());
254
255 float auxEffectSendLevel;
256 track->getAuxEffectSendLevel(&auxEffectSendLevel);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]257 track->setSampleRate(getSampleRate(&mFdp));
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]258 track->getSampleRate();
259 track->getOriginalSampleRate();
260
261 AudioPlaybackRate playbackRate = {};
262 playbackRate.mSpeed = mFdp.ConsumeFloatingPoint<float>();
263 playbackRate.mPitch = mFdp.ConsumeFloatingPoint<float>();
264 track->setPlaybackRate(playbackRate);
265 track->getPlaybackRate();
266 track->setLoop(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),
267 mFdp.ConsumeIntegral<uint32_t>());
268 track->setMarkerPosition(mFdp.ConsumeIntegral<uint32_t>());
269
270 uint32_t marker = {};
271 track->getMarkerPosition(&marker);
272 track->setPositionUpdatePeriod(mFdp.ConsumeIntegral<uint32_t>());
273
274 uint32_t updatePeriod = {};
275 track->getPositionUpdatePeriod(&updatePeriod);
276 track->setPosition(mFdp.ConsumeIntegral<uint32_t>());
277 uint32_t position = {};
278 track->getPosition(&position);
279 track->getBufferPosition(&position);
280 track->reload();
281 track->start();
282 track->pause();
283 track->flush();
284 track->stop();
285 track->stopped();
286}
287
288void AudioFlingerFuzzer::invokeAudioRecord() {
289 int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]290 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]291 size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
292 audio_format_t format = getValue(&mFdp, kFormats);
293 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
294 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
295 audio_session_t sessionId = getValue(&mFdp, kSessionId);
296 audio_source_t inputSource = getValue(&mFdp, kInputSources);
297
298 audio_attributes_t attributes = {};
299 bool fast = ((flags & AUDIO_OUTPUT_FLAG_FAST) != 0);
300
301 attributes.source = inputSource;
302
303 sp<AudioRecord> record = new AudioRecord(String16(mFdp.ConsumeRandomLengthString().c_str()));
304 record->set(AUDIO_SOURCE_DEFAULT, sampleRate, format, channelMask, frameCount, nullptr, nullptr,
305 notificationFrames, false, sessionId,
306 fast ? AudioRecord::TRANSFER_CALLBACK : AudioRecord::TRANSFER_DEFAULT, flags,
307 getuid(), getpid(), &attributes, AUDIO_PORT_HANDLE_NONE);
308 status_t status = record->initCheck();
309 if (status != NO_ERROR) {
310 return;
311 }
312 record->latency();
313 record->format();
314 record->channelCount();
315 record->frameCount();
316 record->frameSize();
317 record->inputSource();
318 record->getNotificationPeriodInFrames();
319 record->start();
320 record->stop();
321 record->stopped();
322
323 uint32_t marker = mFdp.ConsumeIntegral<uint32_t>();
324 record->setMarkerPosition(marker);
325 record->getMarkerPosition(&marker);
326
327 uint32_t updatePeriod = mFdp.ConsumeIntegral<uint32_t>();
328 record->setPositionUpdatePeriod(updatePeriod);
329 record->getPositionUpdatePeriod(&updatePeriod);
330
331 uint32_t position;
332 record->getPosition(&position);
333
334 ExtendedTimestamp timestamp;
335 record->getTimestamp(&timestamp);
336 record->getSessionId();
337 record->getCallerName();
338 android::AudioRecord::Buffer audioBuffer;
339 int32_t waitCount = mFdp.ConsumeIntegral<int32_t>();
340 size_t nonContig = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
341 audioBuffer.frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
342 record->obtainBuffer(&audioBuffer, waitCount, &nonContig);
343 bool blocking = false;
344 record->read(audioBuffer.raw, audioBuffer.size, blocking);
345 record->getInputFramesLost();
346 record->getFlags();
347
348 std::vector<media::MicrophoneInfo> activeMicrophones;
349 record->getActiveMicrophones(&activeMicrophones);
350 record->releaseBuffer(&audioBuffer);
351
352 audio_port_handle_t deviceId =
353 static_cast<audio_port_handle_t>(mFdp.ConsumeIntegral<int32_t>());
354 record->setInputDevice(deviceId);
355 record->getInputDevice();
356 record->getRoutedDeviceId();
357 record->getPortId();
358}
359
360struct EffectClient : public android::media::BnEffectClient {
361 EffectClient() {}
362 binder::Status controlStatusChanged(bool controlGranted __unused) override {
363 return binder::Status::ok();
364 }
365 binder::Status enableStatusChanged(bool enabled __unused) override {
366 return binder::Status::ok();
367 }
368 binder::Status commandExecuted(int32_t cmdCode __unused,
369 const std::vector<uint8_t> &cmdData __unused,
370 const std::vector<uint8_t> &replyData __unused) override {
371 return binder::Status::ok();
372 }
373};
374
375status_t AudioFlingerFuzzer::invokeAudioEffect() {
376 effect_uuid_t type;
377 type.timeLow = mFdp.ConsumeIntegral<uint32_t>();
378 type.timeMid = mFdp.ConsumeIntegral<uint16_t>();
379 type.timeHiAndVersion = mFdp.ConsumeIntegral<uint16_t>();
380 type.clockSeq = mFdp.ConsumeIntegral<uint16_t>();
381 for (int i = 0; i < 6; ++i) {
382 type.node[i] = mFdp.ConsumeIntegral<uint8_t>();
383 }
384
385 effect_descriptor_t descriptor = {};
386 descriptor.type = type;
387 descriptor.uuid = *EFFECT_UUID_NULL;
388
389 sp<EffectClient> effectClient(new EffectClient());
390
391 const int32_t priority = mFdp.ConsumeIntegral<int32_t>();
392 audio_session_t sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
393 const audio_io_handle_t io = mFdp.ConsumeIntegral<int32_t>();
394 String16 opPackageName = static_cast<String16>(mFdp.ConsumeRandomLengthString().c_str());
395 AudioDeviceTypeAddr device;
396
397 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
398 if (!af) {
399 return NO_ERROR;
400 }
401
402 media::CreateEffectRequest request{};
403 request.desc =
404 VALUE_OR_RETURN_STATUS(legacy2aidl_effect_descriptor_t_EffectDescriptor(descriptor));
405 request.client = effectClient;
406 request.priority = priority;
407 request.output = io;
408 request.sessionId = sessionId;
409 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(device));
410 request.opPackageName = VALUE_OR_RETURN_STATUS(legacy2aidl_String16_string(opPackageName));
411 request.pid = getpid();
412 request.probe = false;
413
414 media::CreateEffectResponse response{};
415 status_t status = af->createEffect(request, &response);
416
417 if (status != OK) {
418 return NO_ERROR;
419 }
420
421 descriptor =
422 VALUE_OR_RETURN_STATUS(aidl2legacy_EffectDescriptor_effect_descriptor_t(response.desc));
423
424 uint32_t numEffects;
425 af->queryNumberEffects(&numEffects);
426
427 uint32_t queryIndex = mFdp.ConsumeIntegral<uint32_t>();
428 af->queryEffect(queryIndex, &descriptor);
429
430 effect_descriptor_t getDescriptor;
431 uint32_t preferredTypeFlag = mFdp.ConsumeIntegral<int32_t>();
432 af->getEffectDescriptor(&descriptor.uuid, &descriptor.type, preferredTypeFlag, &getDescriptor);
433
434 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
435 audio_io_handle_t srcOutput = mFdp.ConsumeIntegral<int32_t>();
436 audio_io_handle_t dstOutput = mFdp.ConsumeIntegral<int32_t>();
437 af->moveEffects(sessionId, srcOutput, dstOutput);
438
439 int effectId = mFdp.ConsumeIntegral<int32_t>();
440 sessionId = static_cast<audio_session_t>(mFdp.ConsumeIntegral<int32_t>());
441 af->setEffectSuspended(effectId, sessionId, mFdp.ConsumeBool());
442 return NO_ERROR;
443}
444
445void AudioFlingerFuzzer::invokeAudioSystem() {
446 AudioSystem::muteMicrophone(mFdp.ConsumeBool());
447 AudioSystem::setMasterMute(mFdp.ConsumeBool());
448 AudioSystem::setMasterVolume(mFdp.ConsumeFloatingPoint<float>());
449 AudioSystem::setMasterBalance(mFdp.ConsumeFloatingPoint<float>());
450 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
451
452 float volume;
453 AudioSystem::getMasterVolume(&volume);
454
455 bool state;
456 AudioSystem::getMasterMute(&state);
457 AudioSystem::isMicrophoneMuted(&state);
458
459 audio_stream_type_t stream = getValue(&mFdp, kStreamtypes);
460 AudioSystem::setStreamMute(getValue(&mFdp, kStreamtypes), mFdp.ConsumeBool());
461
462 stream = getValue(&mFdp, kStreamtypes);
463 AudioSystem::setStreamVolume(stream, mFdp.ConsumeFloatingPoint<float>(),
464 mFdp.ConsumeIntegral<int32_t>());
465
466 audio_mode_t mode = getValue(&mFdp, kModes);
467 AudioSystem::setMode(mode);
468
469 size_t frameCount;
470 stream = getValue(&mFdp, kStreamtypes);
471 AudioSystem::getOutputFrameCount(&frameCount, stream);
472
473 uint32_t latency;
474 stream = getValue(&mFdp, kStreamtypes);
475 AudioSystem::getOutputLatency(&latency, stream);
476
477 stream = getValue(&mFdp, kStreamtypes);
478 AudioSystem::getStreamVolume(stream, &volume, mFdp.ConsumeIntegral<int32_t>());
479
480 stream = getValue(&mFdp, kStreamtypes);
481 AudioSystem::getStreamMute(stream, &state);
482
483 uint32_t samplingRate;
484 AudioSystem::getSamplingRate(mFdp.ConsumeIntegral<int32_t>(), &samplingRate);
485
486 AudioSystem::getFrameCount(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
487 AudioSystem::getLatency(mFdp.ConsumeIntegral<int32_t>(), &latency);
488 AudioSystem::setVoiceVolume(mFdp.ConsumeFloatingPoint<float>());
489
490 uint32_t halFrames;
491 uint32_t dspFrames;
492 AudioSystem::getRenderPosition(mFdp.ConsumeIntegral<int32_t>(), &halFrames, &dspFrames);
493
494 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
495 AudioSystem::getInputFramesLost(mFdp.ConsumeIntegral<int32_t>());
496
497 audio_unique_id_use_t uniqueIdUse = getValue(&mFdp, kUniqueIds);
498 AudioSystem::newAudioUniqueId(uniqueIdUse);
499
500 audio_session_t sessionId = getValue(&mFdp, kSessionId);
501 pid_t pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
502 uid_t uid = mFdp.ConsumeBool() ? getuid() : mFdp.ConsumeIntegral<int32_t>();
503 AudioSystem::acquireAudioSessionId(sessionId, pid, uid);
504
505 pid = mFdp.ConsumeBool() ? getpid() : mFdp.ConsumeIntegral<int32_t>();
506 sessionId = getValue(&mFdp, kSessionId);
507 AudioSystem::releaseAudioSessionId(sessionId, pid);
508
509 sessionId = getValue(&mFdp, kSessionId);
510 AudioSystem::getAudioHwSyncForSession(sessionId);
511
512 AudioSystem::systemReady();
513 AudioSystem::getFrameCountHAL(mFdp.ConsumeIntegral<int32_t>(), &frameCount);
514
515 size_t buffSize;
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]516 uint32_t sampleRate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]517 audio_format_t format = getValue(&mFdp, kFormats);
518 audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
519 AudioSystem::getInputBufferSize(sampleRate, format, channelMask, &buffSize);
520
521 AudioSystem::getPrimaryOutputSamplingRate();
522 AudioSystem::getPrimaryOutputFrameCount();
523 AudioSystem::setLowRamDevice(mFdp.ConsumeBool(), mFdp.ConsumeIntegral<int64_t>());
524
525 std::vector<media::MicrophoneInfo> microphones;
526 AudioSystem::getMicrophones(&microphones);
527
528 std::vector<pid_t> pids;
529 pids.insert(pids.begin(), getpid());
530 for (int i = 1; i < mFdp.ConsumeIntegralInRange<int32_t>(2, MAX_ARRAY_LENGTH); ++i) {
531 pids.insert(pids.begin() + i, static_cast<pid_t>(mFdp.ConsumeIntegral<int32_t>()));
532 }
533 AudioSystem::setAudioHalPids(pids);
534 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
535 if (!af) {
536 return;
537 }
538 af->setRecordSilenced(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeBool());
539
540 float balance = mFdp.ConsumeFloatingPoint<float>();
541 af->getMasterBalance(&balance);
542 af->invalidateStream(static_cast<audio_stream_type_t>(mFdp.ConsumeIntegral<uint32_t>()));
543}
544
545status_t AudioFlingerFuzzer::invokeAudioInputDevice() {
546 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
547 if (!af) {
548 return NO_ERROR;
549 }
550
551 audio_config_t config = {};
552 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
553 audio_io_handle_t input = mFdp.ConsumeIntegral<int32_t>();
554 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
555 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
556
557 config.channel_mask = getValue(&mFdp, kChannelMasks);
558 config.format = getValue(&mFdp, kFormats);
559
560 config.offload_info = AUDIO_INFO_INITIALIZER;
561 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
562 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
563 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
564 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
565 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
566 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
567 config.offload_info.format = getValue(&mFdp, kFormats);
568 config.offload_info.has_video = mFdp.ConsumeBool();
569 config.offload_info.is_streaming = mFdp.ConsumeBool();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]570 config.offload_info.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]571 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
572 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
573 config.offload_info.usage = getValue(&mFdp, kUsages);
574
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]575 config.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]576
577 audio_devices_t device = getValue(&mFdp, kDevices);
578 audio_source_t source = getValue(&mFdp, kInputSources);
579 audio_input_flags_t flags = getValue(&mFdp, kInputFlags);
580
581 AudioDeviceTypeAddr deviceTypeAddr(device, address.c_str());
582
583 media::OpenInputRequest request{};
584 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
585 request.input = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_io_handle_t_int32_t(input));
586 request.config = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_config_t_AudioConfig(config));
587 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_AudioDeviceTypeAddress(deviceTypeAddr));
588 request.source = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_source_t_AudioSourceType(source));
589 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_input_flags_t_int32_t_mask(flags));
590
591 media::OpenInputResponse response{};
592 status_t status = af->openInput(request, &response);
593 if (status != NO_ERROR) {
594 return NO_ERROR;
595 }
596
597 input = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_module_handle_t(response.input));
598 af->closeInput(input);
599 return NO_ERROR;
600}
601
602status_t AudioFlingerFuzzer::invokeAudioOutputDevice() {
603 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
604 if (!af) {
605 return NO_ERROR;
606 }
607
608 audio_config_t config = {};
609 audio_module_handle_t module = mFdp.ConsumeIntegral<int32_t>();
610 audio_io_handle_t output = mFdp.ConsumeIntegral<int32_t>();
611 config.frame_count = mFdp.ConsumeIntegral<uint32_t>();
612 String8 address = static_cast<String8>(mFdp.ConsumeRandomLengthString().c_str());
613
614 config.channel_mask = getValue(&mFdp, kChannelMasks);
615
616 config.offload_info = AUDIO_INFO_INITIALIZER;
617 config.offload_info.bit_rate = mFdp.ConsumeIntegral<uint32_t>();
618 config.offload_info.bit_width = mFdp.ConsumeIntegral<uint32_t>();
619 config.offload_info.channel_mask = getValue(&mFdp, kChannelMasks);
620 config.offload_info.content_id = mFdp.ConsumeIntegral<uint32_t>();
621 config.offload_info.duration_us = mFdp.ConsumeIntegral<int64_t>();
622 config.offload_info.encapsulation_mode = getValue(&mFdp, kEncapsulation);
623 config.offload_info.format = getValue(&mFdp, kFormats);
624 config.offload_info.has_video = mFdp.ConsumeBool();
625 config.offload_info.is_streaming = mFdp.ConsumeBool();
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]626 config.offload_info.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]627 config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);
628 config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();
629 config.offload_info.usage = getValue(&mFdp, kUsages);
630
631 config.format = getValue(&mFdp, kFormats);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]632 config.sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]633
634 sp<DeviceDescriptorBase> device = new DeviceDescriptorBase(getValue(&mFdp, kDevices));
635 audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
636
637 media::OpenOutputRequest request{};
638 media::OpenOutputResponse response{};
639
640 request.module = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_module_handle_t_int32_t(module));
641 request.config = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_config_t_AudioConfig(config));
642 request.device = VALUE_OR_RETURN_STATUS(legacy2aidl_DeviceDescriptorBase(device));
643 request.flags = VALUE_OR_RETURN_STATUS(legacy2aidl_audio_output_flags_t_int32_t_mask(flags));
644
645 status_t status = af->openOutput(request, &response);
646 if (status != NO_ERROR) {
647 return NO_ERROR;
648 }
649 output = VALUE_OR_RETURN_STATUS(aidl2legacy_int32_t_audio_io_handle_t(response.output));
650
651 audio_io_handle_t output1 = mFdp.ConsumeIntegral<int32_t>();
652 af->openDuplicateOutput(output, output1);
653 af->suspendOutput(output);
654 af->restoreOutput(output);
655 af->closeOutput(output);
656 return NO_ERROR;
657}
658
659void AudioFlingerFuzzer::invokeAudioPatch() {
660 sp<IAudioFlinger> af = AudioSystem::get_audio_flinger();
661 if (!af) {
662 return;
663 }
664 struct audio_patch patch = {};
665 audio_patch_handle_t handle = mFdp.ConsumeIntegral<int32_t>();
666
667 patch.id = mFdp.ConsumeIntegral<int32_t>();
668 patch.num_sources = mFdp.ConsumeIntegral<uint32_t>();
669 patch.num_sinks = mFdp.ConsumeIntegral<uint32_t>();
670
671 for (int i = 0; i < AUDIO_PATCH_PORTS_MAX; ++i) {
672 patch.sources[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
673 patch.sources[i].channel_mask = getValue(&mFdp, kChannelMasks);
674 patch.sources[i].format = getValue(&mFdp, kFormats);
675 patch.sources[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
676 patch.sources[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
677 patch.sources[i].gain.mode = getValue(&mFdp, kGainModes);
678 patch.sources[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
679 patch.sources[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
680 patch.sources[i].role = getValue(&mFdp, kPortRoles);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]681 patch.sources[i].sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]682 patch.sources[i].type = getValue(&mFdp, kPortTypes);
683
684 patch.sinks[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
685 patch.sinks[i].channel_mask = getValue(&mFdp, kChannelMasks);
686 patch.sinks[i].format = getValue(&mFdp, kFormats);
687 patch.sinks[i].gain.channel_mask = getValue(&mFdp, kChannelMasks);
688 patch.sinks[i].gain.index = mFdp.ConsumeIntegral<int32_t>();
689 patch.sinks[i].gain.mode = getValue(&mFdp, kGainModes);
690 patch.sinks[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();
691 patch.sinks[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());
692 patch.sinks[i].role = getValue(&mFdp, kPortRoles);
Ayushi Khopkar1e047662021-02-24 11:53:17 +0530[diff] [blame]693 patch.sinks[i].sample_rate = getSampleRate(&mFdp);
Ayushi Khopkar0d0cba22021-01-06 15:41:22 +0530[diff] [blame]694 patch.sinks[i].type = getValue(&mFdp, kPortTypes);
695 }
696
697 status_t status = af->createAudioPatch(&patch, &handle);
698 if (status != NO_ERROR) {
699 return;
700 }
701
702 unsigned int num_patches = mFdp.ConsumeIntegral<uint32_t>();
703 struct audio_patch patches = {};
704 af->listAudioPatches(&num_patches, &patches);
705 af->releaseAudioPatch(handle);
706}
707
708void AudioFlingerFuzzer::process() {
709 invokeAudioEffect();
710 invokeAudioInputDevice();
711 invokeAudioOutputDevice();
712 invokeAudioPatch();
713 invokeAudioRecord();
714 invokeAudioSystem();
715 invokeAudioTrack();
716}
717
718extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
719 if (size < 1) {
720 return 0;
721 }
722 AudioFlingerFuzzer audioFuzzer(data, size);
723 audioFuzzer.process();
724 return 0;
725}