1 /******************************************************************************
2  *
3  * Copyright (C) 2021 The Android Open Source Project
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  ******************************************************************************/
18 #include <stdint.h>
19 #include <sys/wait.h>
20 #include <unistd.h>
21 #include <algorithm>
22 #include <memory>
23 #include <string>
24 #include <utility>
25 #include <vector>
26 
27 #include <Serializer.h>
28 #include <android-base/file.h>
29 #include <android/content/AttributionSourceState.h>
30 #include <libxml/parser.h>
31 #include <libxml/xinclude.h>
32 #include <media/AudioPolicy.h>
33 #include <media/AudioProfile.h>
34 #include <media/PatchBuilder.h>
35 #include <media/RecordingActivityTracker.h>
36 
37 #include <AudioPolicyInterface.h>
38 #include <android_audio_policy_configuration_V7_0-enums.h>
39 #include <fuzzer/FuzzedDataProvider.h>
40 #include <tests/AudioPolicyManagerTestClient.h>
41 #include <tests/AudioPolicyTestClient.h>
42 #include <tests/AudioPolicyTestManager.h>
43 #include <xsdc/XsdcSupport.h>
44 
45 using namespace android;
46 
47 namespace xsd {
48 using namespace ::android::audio::policy::configuration::V7_0;
49 }
50 
51 using content::AttributionSourceState;
52 
__anon862681c60102null53 static const std::vector<audio_format_t> kAudioFormats = [] {
54     std::vector<audio_format_t> result;
55     for (const auto enumVal : xsdc_enum_range<xsd::AudioFormat>{}) {
56         audio_format_t audioFormatHal;
57         std::string audioFormat = toString(enumVal);
58         if (audio_format_from_string(audioFormat.c_str(), &audioFormatHal)) {
59             result.push_back(audioFormatHal);
60         }
61     }
62     return result;
63 }();
64 
__anon862681c60202null65 static const std::vector<audio_channel_mask_t> kAudioChannelOutMasks = [] {
66     std::vector<audio_channel_mask_t> result;
67     for (const auto enumVal : xsdc_enum_range<xsd::AudioChannelMask>{}) {
68         audio_channel_mask_t audioChannelMaskHal;
69         std::string audioChannelMask = toString(enumVal);
70         if (enumVal != xsd::AudioChannelMask::AUDIO_CHANNEL_NONE &&
71             audioChannelMask.find("_IN_") == std::string::npos &&
72             audio_channel_mask_from_string(audioChannelMask.c_str(), &audioChannelMaskHal)) {
73             result.push_back(audioChannelMaskHal);
74         }
75     }
76     return result;
77 }();
78 
__anon862681c60302null79 static const std::vector<audio_channel_mask_t> kAudioChannelInMasks = [] {
80     std::vector<audio_channel_mask_t> result;
81     for (const auto enumVal : xsdc_enum_range<xsd::AudioChannelMask>{}) {
82         audio_channel_mask_t audioChannelMaskHal;
83         std::string audioChannelMask = toString(enumVal);
84         if (enumVal != xsd::AudioChannelMask::AUDIO_CHANNEL_NONE &&
85             audioChannelMask.find("_OUT_") == std::string::npos &&
86             audio_channel_mask_from_string(audioChannelMask.c_str(), &audioChannelMaskHal)) {
87             result.push_back(audioChannelMaskHal);
88         }
89     }
90     return result;
91 }();
92 
__anon862681c60402null93 static const std::vector<audio_output_flags_t> kAudioOutputFlags = [] {
94     std::vector<audio_output_flags_t> result;
95     for (const auto enumVal : xsdc_enum_range<xsd::AudioInOutFlag>{}) {
96         audio_output_flags_t audioOutputFlagHal;
97         std::string audioOutputFlag = toString(enumVal);
98         if (audioOutputFlag.find("_OUTPUT_") != std::string::npos &&
99             audio_output_flag_from_string(audioOutputFlag.c_str(), &audioOutputFlagHal)) {
100             result.push_back(audioOutputFlagHal);
101         }
102     }
103     return result;
104 }();
105 
__anon862681c60502null106 static const std::vector<audio_devices_t> kAudioDevices = [] {
107     std::vector<audio_devices_t> result;
108     for (const auto enumVal : xsdc_enum_range<xsd::AudioDevice>{}) {
109         audio_devices_t audioDeviceHal;
110         std::string audioDevice = toString(enumVal);
111         if (audio_device_from_string(audioDevice.c_str(), &audioDeviceHal)) {
112             result.push_back(audioDeviceHal);
113         }
114     }
115     return result;
116 }();
117 
__anon862681c60602null118 static const std::vector<audio_usage_t> kAudioUsages = [] {
119     std::vector<audio_usage_t> result;
120     for (const auto enumVal : xsdc_enum_range<xsd::AudioUsage>{}) {
121         audio_usage_t audioUsageHal;
122         std::string audioUsage = toString(enumVal);
123         if (audio_usage_from_string(audioUsage.c_str(), &audioUsageHal)) {
124             result.push_back(audioUsageHal);
125         }
126     }
127     return result;
128 }();
129 
130 /**
131  * AudioSource - AUDIO_SOURCE_VOICE_COMMUNICATION and AUDIO_SOURCE_HOTWORD
132  * are excluded from kAudioSources[] in order to avoid the abort triggered
133  * for these two types of AudioSource in Engine::getDeviceForInputSource()
134  */
__anon862681c60702null135 static const std::vector<audio_source_t> kAudioSources = [] {
136     std::vector<audio_source_t> result;
137     for (const auto enumVal : xsdc_enum_range<xsd::AudioSource>{}) {
138         audio_source_t audioSourceHal;
139         std::string audioSource = toString(enumVal);
140         if (enumVal != xsd::AudioSource::AUDIO_SOURCE_VOICE_COMMUNICATION &&
141             enumVal != xsd::AudioSource::AUDIO_SOURCE_HOTWORD &&
142             audio_source_from_string(audioSource.c_str(), &audioSourceHal)) {
143           result.push_back(audioSourceHal);
144         }
145     }
146     return result;
147 }();
148 
__anon862681c60802null149 static const std::vector<audio_content_type_t> kAudioContentTypes = [] {
150     std::vector<audio_content_type_t> result;
151     for (const auto enumVal : xsdc_enum_range<xsd::AudioContentType>{}) {
152         audio_content_type_t audioContentTypeHal;
153         std::string audioContentType = toString(enumVal);
154         if (audio_content_type_from_string(audioContentType.c_str(), &audioContentTypeHal)) {
155             result.push_back(audioContentTypeHal);
156         }
157     }
158     return result;
159 }();
160 
161 std::vector<int> kMixTypes = {MIX_TYPE_PLAYERS, MIX_TYPE_RECORDERS};
162 
163 std::vector<int> kMixRouteFlags = {MIX_ROUTE_FLAG_RENDER, MIX_ROUTE_FLAG_LOOP_BACK,
164                                    MIX_ROUTE_FLAG_LOOP_BACK_AND_RENDER, MIX_ROUTE_FLAG_ALL};
165 
166 std::vector<audio_flags_mask_t> kAudioFlagMasks = {
167     AUDIO_FLAG_NONE,           AUDIO_FLAG_AUDIBILITY_ENFORCED,
168     AUDIO_FLAG_SECURE,         AUDIO_FLAG_SCO,
169     AUDIO_FLAG_BEACON,         AUDIO_FLAG_HW_AV_SYNC,
170     AUDIO_FLAG_HW_HOTWORD,     AUDIO_FLAG_BYPASS_INTERRUPTION_POLICY,
171     AUDIO_FLAG_BYPASS_MUTE,    AUDIO_FLAG_LOW_LATENCY,
172     AUDIO_FLAG_DEEP_BUFFER,    AUDIO_FLAG_NO_MEDIA_PROJECTION,
173     AUDIO_FLAG_MUTE_HAPTIC,    AUDIO_FLAG_NO_SYSTEM_CAPTURE,
174     AUDIO_FLAG_CAPTURE_PRIVATE, AUDIO_FLAG_CONTENT_SPATIALIZED,
175     AUDIO_FLAG_NEVER_SPATIALIZE,
176     };
177 
178 std::vector<audio_policy_dev_state_t> kAudioPolicyDeviceStates = {
179     AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE,
180     AUDIO_POLICY_DEVICE_STATE_AVAILABLE,
181     AUDIO_POLICY_DEVICE_STATE_CNT,
182 };
183 
184 std::vector<uint32_t> kSamplingRates = {8000, 16000, 44100, 48000, 88200, 96000};
185 
186 template <typename T>
getValueFromVector(FuzzedDataProvider * fdp,std::vector<T> arr)187 T getValueFromVector(FuzzedDataProvider *fdp, std::vector<T> arr) {
188     if (fdp->ConsumeBool()) {
189         return arr[fdp->ConsumeIntegralInRange<int32_t>(0, arr.size() - 1)];
190     } else {
191         return (T)fdp->ConsumeIntegral<uint32_t>();
192     }
193 }
194 
195 class AudioPolicyManagerFuzzer {
196    public:
197     explicit AudioPolicyManagerFuzzer(FuzzedDataProvider *fdp);
198     virtual ~AudioPolicyManagerFuzzer() = default;
199     virtual bool initialize();
200     virtual void SetUpManagerConfig();
201     bool getOutputForAttr(audio_port_handle_t *selectedDeviceId, audio_format_t format,
202                           audio_channel_mask_t channelMask, int sampleRate,
203                           audio_output_flags_t flags = AUDIO_OUTPUT_FLAG_NONE,
204                           audio_io_handle_t *output = nullptr,
205                           audio_port_handle_t *portId = nullptr, audio_attributes_t attr = {});
206     bool getInputForAttr(const audio_attributes_t &attr, audio_unique_id_t riid,
207                          audio_port_handle_t *selectedDeviceId, audio_format_t format,
208                          audio_channel_mask_t channelMask, int sampleRate,
209                          audio_input_flags_t flags = AUDIO_INPUT_FLAG_NONE,
210                          audio_port_handle_t *portId = nullptr,
211                          uint32_t *virtualDeviceId = nullptr);
212     bool findDevicePort(audio_port_role_t role, audio_devices_t deviceType,
213                         const std::string &address, audio_port_v7 *foundPort);
214     static audio_port_handle_t getDeviceIdFromPatch(const struct audio_patch *patch);
215     audio_patch createFuzzedPatch();
216     void fuzzPatchCreation();
217     virtual void process();
218 
219    protected:
220     sp<AudioPolicyConfig> mConfig{AudioPolicyConfig::createWritableForTests()};
221     std::unique_ptr<AudioPolicyManagerTestClient> mClient{new AudioPolicyManagerTestClient};
222     std::unique_ptr<AudioPolicyTestManager> mManager;
223     FuzzedDataProvider *mFdp;
224 };
225 
AudioPolicyManagerFuzzer(FuzzedDataProvider * fdp)226 AudioPolicyManagerFuzzer::AudioPolicyManagerFuzzer(FuzzedDataProvider *fdp)
227         : mFdp(fdp) {}
228 
initialize()229 bool AudioPolicyManagerFuzzer::initialize() {
230     if (mFdp->remaining_bytes() < 1) {
231         return false;
232     }
233     // init code
234     SetUpManagerConfig();
235     if (mConfig == nullptr) {
236         return false;
237     }
238     mManager.reset(new AudioPolicyTestManager(mConfig, mClient.get()));
239     if (mManager->initialize() != NO_ERROR) {
240         return false;
241     }
242     if (mManager->initCheck() != NO_ERROR) {
243         return false;
244     }
245     return true;
246 }
247 
SetUpManagerConfig()248 void AudioPolicyManagerFuzzer::SetUpManagerConfig() { mConfig->setDefault(); }
249 
getOutputForAttr(audio_port_handle_t * selectedDeviceId,audio_format_t format,audio_channel_mask_t channelMask,int sampleRate,audio_output_flags_t flags,audio_io_handle_t * output,audio_port_handle_t * portId,audio_attributes_t attr)250 bool AudioPolicyManagerFuzzer::getOutputForAttr(
251     audio_port_handle_t *selectedDeviceId, audio_format_t format, audio_channel_mask_t channelMask,
252     int sampleRate, audio_output_flags_t flags, audio_io_handle_t *output,
253     audio_port_handle_t *portId, audio_attributes_t attr) {
254     audio_io_handle_t localOutput;
255     if (!output) output = &localOutput;
256     *output = AUDIO_IO_HANDLE_NONE;
257     audio_stream_type_t stream = AUDIO_STREAM_DEFAULT;
258     audio_config_t config = AUDIO_CONFIG_INITIALIZER;
259     config.sample_rate = sampleRate;
260     config.channel_mask = channelMask;
261     config.format = format;
262     audio_port_handle_t localPortId;
263     if (!portId) portId = &localPortId;
264     *portId = AUDIO_PORT_HANDLE_NONE;
265     AudioPolicyInterface::output_type_t outputType;
266     bool isSpatialized;
267     bool isBitPerfect;
268 
269     // TODO b/182392769: use attribution source util
270     AttributionSourceState attributionSource;
271     attributionSource.uid = 0;
272     attributionSource.token = sp<BBinder>::make();
273     if (mManager->getOutputForAttr(&attr, output, AUDIO_SESSION_NONE, &stream, attributionSource,
274             &config, &flags, selectedDeviceId, portId, {}, &outputType, &isSpatialized,
275             &isBitPerfect) != OK) {
276         return false;
277     }
278     if (*output == AUDIO_IO_HANDLE_NONE || *portId == AUDIO_PORT_HANDLE_NONE) {
279         return false;
280     }
281     return true;
282 }
283 
getInputForAttr(const audio_attributes_t & attr,audio_unique_id_t riid,audio_port_handle_t * selectedDeviceId,audio_format_t format,audio_channel_mask_t channelMask,int sampleRate,audio_input_flags_t flags,audio_port_handle_t * portId,uint32_t * virtualDeviceId)284 bool AudioPolicyManagerFuzzer::getInputForAttr(
285     const audio_attributes_t &attr, audio_unique_id_t riid, audio_port_handle_t *selectedDeviceId,
286     audio_format_t format, audio_channel_mask_t channelMask, int sampleRate,
287     audio_input_flags_t flags, audio_port_handle_t *portId, uint32_t *virtualDeviceId) {
288     audio_io_handle_t input = AUDIO_IO_HANDLE_NONE;
289     audio_config_base_t config = AUDIO_CONFIG_BASE_INITIALIZER;
290     config.sample_rate = sampleRate;
291     config.channel_mask = channelMask;
292     config.format = format;
293     audio_port_handle_t localPortId;
294     if (!portId) portId = &localPortId;
295     *portId = AUDIO_PORT_HANDLE_NONE;
296     AudioPolicyInterface::input_type_t inputType;
297 
298     AttributionSourceState attributionSource;
299     attributionSource.uid = 0;
300     attributionSource.token = sp<BBinder>::make();
301     if (mManager->getInputForAttr(&attr, &input, riid, AUDIO_SESSION_NONE, attributionSource,
302             &config, flags, selectedDeviceId, &inputType, portId, virtualDeviceId) != OK) {
303         return false;
304     }
305     if (*portId == AUDIO_PORT_HANDLE_NONE || input == AUDIO_IO_HANDLE_NONE) {
306         return false;
307     }
308     return true;
309 }
310 
findDevicePort(audio_port_role_t role,audio_devices_t deviceType,const std::string & address,audio_port_v7 * foundPort)311 bool AudioPolicyManagerFuzzer::findDevicePort(audio_port_role_t role, audio_devices_t deviceType,
312                                               const std::string &address,
313                                               audio_port_v7 *foundPort) {
314     uint32_t numPorts = 0;
315     uint32_t generation1;
316     status_t ret;
317 
318     ret = mManager->listAudioPorts(role, AUDIO_PORT_TYPE_DEVICE, &numPorts, nullptr, &generation1);
319     if (ret != NO_ERROR) {
320         return false;
321     }
322 
323     uint32_t generation2;
324     struct audio_port_v7 ports[numPorts];
325     ret = mManager->listAudioPorts(role, AUDIO_PORT_TYPE_DEVICE, &numPorts, ports, &generation2);
326     if (ret != NO_ERROR) {
327         return false;
328     }
329 
330     for (const auto &port : ports) {
331         if (port.role == role && port.ext.device.type == deviceType &&
332             (strncmp(port.ext.device.address, address.c_str(), AUDIO_DEVICE_MAX_ADDRESS_LEN) ==
333              0)) {
334             if (foundPort) *foundPort = port;
335             return true;
336         }
337     }
338     return false;
339 }
340 
getDeviceIdFromPatch(const struct audio_patch * patch)341 audio_port_handle_t AudioPolicyManagerFuzzer::getDeviceIdFromPatch(
342     const struct audio_patch *patch) {
343     if (patch->num_sources != 0 && patch->num_sinks != 0) {
344         if (patch->sources[0].type == AUDIO_PORT_TYPE_MIX) {
345             return patch->sinks[0].id;
346         } else {
347             return patch->sources[0].id;
348         }
349     }
350     return AUDIO_PORT_HANDLE_NONE;
351 }
352 
createFuzzedPatch()353 audio_patch AudioPolicyManagerFuzzer::createFuzzedPatch() {
354     audio_patch patch{};
355     patch.id = mFdp->ConsumeIntegral<uint32_t>();
356     patch.num_sources = mFdp->ConsumeIntegralInRange(0, AUDIO_PATCH_PORTS_MAX);
357     for (int i = 0; i < patch.num_sources; ++i) {
358         audio_port_config config{};
359         std::vector<uint8_t> bytes = mFdp->ConsumeBytes<uint8_t>(sizeof(config));
360         memcpy(reinterpret_cast<uint8_t *>(&config), &bytes[0], bytes.size());
361         patch.sources[i] = config;
362     }
363     patch.num_sinks = mFdp->ConsumeIntegralInRange(0, AUDIO_PATCH_PORTS_MAX);
364     for (int i = 0; i < patch.num_sinks; ++i) {
365         audio_port_config config{};
366         std::vector<uint8_t> bytes = mFdp->ConsumeBytes<uint8_t>(sizeof(config));
367         memcpy(reinterpret_cast<uint8_t *>(&config), &bytes[0], bytes.size());
368         patch.sinks[i] = config;
369     }
370     return patch;
371 }
372 
fuzzPatchCreation()373 void AudioPolicyManagerFuzzer::fuzzPatchCreation() {
374     if (mFdp->remaining_bytes()) {
375         audio_patch_handle_t handle = AUDIO_PATCH_HANDLE_NONE;
376         uid_t uid = mFdp->ConsumeIntegral<uint32_t>();
377 
378         // create a fuzzed patch
379         handle = AUDIO_PATCH_HANDLE_NONE;
380         audio_patch patch = createFuzzedPatch();
381         uid = mFdp->ConsumeIntegral<uint32_t>();
382         if (mManager->createAudioPatch(&patch, &handle, uid) == NO_ERROR) {
383             mManager->releaseAudioPatch(handle, uid);
384         }
385     }
386 }
387 
process()388 void AudioPolicyManagerFuzzer::process() {
389     if (initialize()) {
390         fuzzPatchCreation();
391     }
392 }
393 
394 class AudioPolicyManagerFuzzerWithConfigurationFile : public AudioPolicyManagerFuzzer {
395    public:
AudioPolicyManagerFuzzerWithConfigurationFile(FuzzedDataProvider * fdp)396     explicit AudioPolicyManagerFuzzerWithConfigurationFile(FuzzedDataProvider *fdp)
397         : AudioPolicyManagerFuzzer(fdp){};
398 
399    protected:
400     void SetUpManagerConfig() override;
401     virtual std::string getConfigFile();
402     void traverseAndFuzzXML(xmlDocPtr pDoc, xmlNodePtr curr);
403     std::string fuzzXML(std::string xmlPath);
404 
405     static inline const std::string sExecutableDir = base::GetExecutableDirectory() + "/";
406     static inline const std::string sDefaultConfig =
407             sExecutableDir + "data/test_audio_policy_configuration.xml";
408     static inline const std::string sFuzzedConfig = sExecutableDir + "fuzzed.xml";;
409 };
410 
getConfigFile()411 std::string AudioPolicyManagerFuzzerWithConfigurationFile::getConfigFile() {
412     return fuzzXML(sDefaultConfig);
413 }
414 
SetUpManagerConfig()415 void AudioPolicyManagerFuzzerWithConfigurationFile::SetUpManagerConfig() {
416     const std::string configFilePath = getConfigFile();
417     auto result = AudioPolicyConfig::loadFromCustomXmlConfigForTests(configFilePath);
418     mConfig = result.ok() ? mConfig = result.value() : nullptr;
419     ALOGE_IF(!result.ok(), "%s: Failed to deserialize \"%s\": %d",
420             __func__, configFilePath.c_str(), result.error());
421 }
422 
traverseAndFuzzXML(xmlDocPtr pDoc,xmlNodePtr curr)423 void AudioPolicyManagerFuzzerWithConfigurationFile::traverseAndFuzzXML(xmlDocPtr pDoc,
424                                                                        xmlNodePtr curr) {
425     if (curr == nullptr) {
426         return;
427     }
428 
429     xmlAttr *attribute = curr->properties;
430     while (attribute) {
431         if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("format"))) {
432             const char *newFormat =
433                 audio_format_to_string(getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
434             xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newFormat));
435         }
436         if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("flags"))) {
437             std::string newFlag = "";
438             uint16_t numFlags = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
439             for (uint16_t i = 0; i < numFlags; ++i) {
440                 newFlag += std::string(audio_output_flag_to_string(
441                     getValueFromVector<audio_output_flags_t>(mFdp, kAudioOutputFlags)));
442                 if (i != (numFlags - 1)) {
443                     newFlag += std::string("|");
444                 }
445             }
446             xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newFlag.c_str()));
447         }
448         if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("samplingRates"))) {
449             std::string newRate = "";
450             uint16_t numRates = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
451             for (uint16_t i = 0; i < numRates; ++i) {
452                 newRate += std::to_string(getValueFromVector<uint32_t>(mFdp, kSamplingRates));
453                 if (i != (numRates - 1)) {
454                     newRate += std::string(",");
455                 }
456             }
457             xmlSetProp(curr, attribute->name, reinterpret_cast<const xmlChar *>(newRate.c_str()));
458         }
459         if (!xmlStrcmp(attribute->name, reinterpret_cast<const xmlChar *>("channelMasks"))) {
460             int isOutMask = -1;
461             char *value =
462                 reinterpret_cast<char *>(xmlNodeListGetString(pDoc, attribute->children, 1));
463             if (std::string(value).find(std::string("_OUT_")) != std::string::npos) {
464                 // OUT mask
465                 isOutMask = 1;
466             } else if (std::string(value).find(std::string("_IN_")) != std::string::npos) {
467                 // IN mask
468                 isOutMask = 0;
469             }
470             if (isOutMask != -1) {
471                 std::string newMask = "";
472                 uint16_t numMasks = std::max((uint16_t)1, mFdp->ConsumeIntegral<uint16_t>());
473                 for (uint16_t i = 0; i < numMasks; ++i) {
474                     if (isOutMask) {
475                         newMask += std::string(audio_channel_out_mask_to_string(
476                             getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks)));
477                     } else {
478                         newMask += std::string(audio_channel_in_mask_to_string(
479                             getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks)));
480                     }
481                     if (i != (numMasks - 1)) {
482                         newMask += std::string(",");
483                     }
484                 }
485                 xmlSetProp(curr, attribute->name,
486                            reinterpret_cast<const xmlChar *>(newMask.c_str()));
487             }
488             xmlFree(value);
489         }
490         attribute = attribute->next;
491     }
492 
493     curr = curr->xmlChildrenNode;
494     while (curr != nullptr) {
495         traverseAndFuzzXML(pDoc, curr);
496         curr = curr->next;
497     }
498 }
499 
fuzzXML(std::string xmlPath)500 std::string AudioPolicyManagerFuzzerWithConfigurationFile::fuzzXML(std::string xmlPath) {
501     std::string outPath = sFuzzedConfig;
502 
503     // Load in the xml file from disk
504     xmlDocPtr pDoc = xmlParseFile(xmlPath.c_str());
505     xmlNodePtr root = xmlDocGetRootElement(pDoc);
506 
507     traverseAndFuzzXML(pDoc, root);
508 
509     // Save the document back out to disk.
510     xmlSaveFileEnc(outPath.c_str(), pDoc, "UTF-8");
511     xmlFreeDoc(pDoc);
512 
513     return outPath;
514 }
515 
516 class AudioPolicyManagerFuzzerMsd : public AudioPolicyManagerFuzzerWithConfigurationFile {
517    public:
AudioPolicyManagerFuzzerMsd(FuzzedDataProvider * fdp)518     explicit AudioPolicyManagerFuzzerMsd(FuzzedDataProvider *fdp)
519         : AudioPolicyManagerFuzzerWithConfigurationFile(fdp) {}
520 
521    protected:
522     std::string getConfigFile() override;
523 
524     static inline const std::string sMsdConfig =
525             sExecutableDir + "data/test_audio_policy_msd_configuration.xml";
526 };
527 
getConfigFile()528 std::string AudioPolicyManagerFuzzerMsd::getConfigFile() { return fuzzXML(sMsdConfig); }
529 
530 using PolicyMixTuple = std::tuple<audio_usage_t, audio_source_t, uint32_t>;
531 
532 class AudioPolicyManagerFuzzerDynamicPolicy : public AudioPolicyManagerFuzzerWithConfigurationFile {
533    public:
AudioPolicyManagerFuzzerDynamicPolicy(FuzzedDataProvider * fdp)534     explicit AudioPolicyManagerFuzzerDynamicPolicy(FuzzedDataProvider *fdp)
535         : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
536     ~AudioPolicyManagerFuzzerDynamicPolicy() override;
537     void process() override;
538 
539    protected:
540     status_t addPolicyMix(int mixType, int mixFlag, audio_devices_t deviceType,
541                           std::string mixAddress, const audio_config_t &audioConfig,
542                           const std::vector<PolicyMixTuple> &rules);
543     void clearPolicyMix();
544     void registerPolicyMixes();
545     void unregisterPolicyMixes();
546 
547     Vector<AudioMix> mAudioMixes;
548     const std::string mMixAddress = "remote_submix_media";
549 };
550 
~AudioPolicyManagerFuzzerDynamicPolicy()551 AudioPolicyManagerFuzzerDynamicPolicy::~AudioPolicyManagerFuzzerDynamicPolicy() {
552     clearPolicyMix();
553 }
554 
addPolicyMix(int mixType,int mixFlag,audio_devices_t deviceType,std::string mixAddress,const audio_config_t & audioConfig,const std::vector<PolicyMixTuple> & rules)555 status_t AudioPolicyManagerFuzzerDynamicPolicy::addPolicyMix(
556     int mixType, int mixFlag, audio_devices_t deviceType, std::string mixAddress,
557     const audio_config_t &audioConfig, const std::vector<PolicyMixTuple> &rules) {
558     std::vector<AudioMixMatchCriterion> myMixMatchCriteria;
559 
560     myMixMatchCriteria.reserve(rules.size());
561     for (const auto &rule : rules) {
562         myMixMatchCriteria.push_back(
563             AudioMixMatchCriterion(std::get<0>(rule), std::get<1>(rule), std::get<2>(rule)));
564     }
565 
566     AudioMix myAudioMix(myMixMatchCriteria, mixType, audioConfig, mixFlag,
567                         String8(mixAddress.c_str()), 0);
568     myAudioMix.mDeviceType = deviceType;
569     // Clear mAudioMix before add new one to make sure we don't add already existing mixes.
570     mAudioMixes.clear();
571     mAudioMixes.add(myAudioMix);
572 
573     // As the policy mixes registration may fail at some case,
574     // caller need to check the returned status.
575     status_t ret = mManager->registerPolicyMixes(mAudioMixes);
576     return ret;
577 }
578 
clearPolicyMix()579 void AudioPolicyManagerFuzzerDynamicPolicy::clearPolicyMix() {
580     if (mManager != nullptr) {
581         mManager->unregisterPolicyMixes(mAudioMixes);
582     }
583     mAudioMixes.clear();
584 }
585 
registerPolicyMixes()586 void AudioPolicyManagerFuzzerDynamicPolicy::registerPolicyMixes() {
587     const uint32_t numPolicies = mFdp->ConsumeIntegralInRange<uint32_t>(1, MAX_MIXES_PER_POLICY);
588 
589     for (int i = 0; i < numPolicies; ++i) {
590         audio_config_t audioConfig = AUDIO_CONFIG_INITIALIZER;
591         audioConfig.channel_mask = getValueFromVector<audio_channel_mask_t>(
592             mFdp, mFdp->ConsumeBool() ? kAudioChannelInMasks : kAudioChannelOutMasks);
593         audioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
594         audioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
595         addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
596                      getValueFromVector<int>(mFdp, kMixRouteFlags),
597                      getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), "", audioConfig,
598                      std::vector<PolicyMixTuple>());
599     }
600 }
601 
unregisterPolicyMixes()602 void AudioPolicyManagerFuzzerDynamicPolicy::unregisterPolicyMixes() {
603     mManager->unregisterPolicyMixes(mAudioMixes);
604 }
605 
process()606 void AudioPolicyManagerFuzzerDynamicPolicy::process() {
607     if (initialize()) {
608         registerPolicyMixes();
609         fuzzPatchCreation();
610         unregisterPolicyMixes();
611     }
612 }
613 
614 class AudioPolicyManagerFuzzerDPNoRemoteSubmixModule
615     : public AudioPolicyManagerFuzzerDynamicPolicy {
616    public:
AudioPolicyManagerFuzzerDPNoRemoteSubmixModule(FuzzedDataProvider * fdp)617     explicit AudioPolicyManagerFuzzerDPNoRemoteSubmixModule(FuzzedDataProvider *fdp)
618         : AudioPolicyManagerFuzzerDynamicPolicy(fdp){};
619 
620    protected:
621     std::string getConfigFile() override;
622 
623     static inline const std::string sPrimaryOnlyConfig =
624             sExecutableDir + "data/test_audio_policy_primary_only_configuration.xml";
625 };
626 
getConfigFile()627 std::string AudioPolicyManagerFuzzerDPNoRemoteSubmixModule::getConfigFile() {
628     return fuzzXML(sPrimaryOnlyConfig);
629 }
630 
631 class AudioPolicyManagerFuzzerDPPlaybackReRouting : public AudioPolicyManagerFuzzerDynamicPolicy {
632    public:
633     explicit AudioPolicyManagerFuzzerDPPlaybackReRouting(FuzzedDataProvider *fdp);
634     ~AudioPolicyManagerFuzzerDPPlaybackReRouting() override;
635     void process() override;
636 
637    protected:
638     bool initialize() override;
639     void playBackReRouting();
640 
641     std::unique_ptr<RecordingActivityTracker> mTracker;
642 
643     std::vector<PolicyMixTuple> mUsageRules = {
644         {AUDIO_USAGE_MEDIA, AUDIO_SOURCE_DEFAULT, RULE_MATCH_ATTRIBUTE_USAGE},
645         {AUDIO_USAGE_ALARM, AUDIO_SOURCE_DEFAULT, RULE_MATCH_ATTRIBUTE_USAGE}};
646 
647     struct audio_port_v7 mInjectionPort;
648     audio_port_handle_t mPortId = AUDIO_PORT_HANDLE_NONE;
649     audio_config_t mAudioConfig;
650 };
651 
AudioPolicyManagerFuzzerDPPlaybackReRouting(FuzzedDataProvider * fdp)652 AudioPolicyManagerFuzzerDPPlaybackReRouting::AudioPolicyManagerFuzzerDPPlaybackReRouting(
653         FuzzedDataProvider *fdp)
654         : AudioPolicyManagerFuzzerDynamicPolicy(fdp) {
655     const uint32_t numRules = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
656     for (int i = 0; i < numRules; ++i) {
657         PolicyMixTuple rule = {getValueFromVector<audio_usage_t>(mFdp, kAudioUsages),
658                                getValueFromVector<audio_source_t>(mFdp, kAudioSources),
659                                RULE_MATCH_ATTRIBUTE_USAGE};
660         mUsageRules.push_back(rule);
661     }
662 }
663 
~AudioPolicyManagerFuzzerDPPlaybackReRouting()664 AudioPolicyManagerFuzzerDPPlaybackReRouting::~AudioPolicyManagerFuzzerDPPlaybackReRouting() {
665     if (mManager) {
666         mManager->stopInput(mPortId);
667     }
668 }
669 
initialize()670 bool AudioPolicyManagerFuzzerDPPlaybackReRouting::initialize() {
671     if (!AudioPolicyManagerFuzzerDynamicPolicy::initialize()) {
672         return false;
673     }
674     mTracker.reset(new RecordingActivityTracker());
675 
676     mAudioConfig = AUDIO_CONFIG_INITIALIZER;
677     mAudioConfig.channel_mask =
678         getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks);
679     mAudioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
680     mAudioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
681     status_t ret = addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
682                                 getValueFromVector<int>(mFdp, kMixRouteFlags),
683                                 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
684                                 mMixAddress, mAudioConfig, mUsageRules);
685     if (ret != NO_ERROR) {
686         return false;
687     }
688 
689     struct audio_port_v7 extractionPort;
690     findDevicePort(AUDIO_PORT_ROLE_SOURCE, getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
691                    mMixAddress, &extractionPort);
692 
693     audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
694     audio_source_t source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
695     audio_attributes_t attr = {AUDIO_CONTENT_TYPE_UNKNOWN, AUDIO_USAGE_UNKNOWN, source,
696                                AUDIO_FLAG_NONE, ""};
697     std::string tags = "addr=" + mMixAddress;
698     strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
699     getInputForAttr(attr, mTracker->getRiid(), &selectedDeviceId, mAudioConfig.format,
700                     mAudioConfig.channel_mask, mAudioConfig.sample_rate, AUDIO_INPUT_FLAG_NONE,
701                     &mPortId);
702 
703     ret = mManager->startInput(mPortId);
704     if (ret != NO_ERROR) {
705         return false;
706     }
707     if (!findDevicePort(AUDIO_PORT_ROLE_SINK,
708                         getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), mMixAddress,
709                         &mInjectionPort)) {
710         return false;
711     }
712 
713     return true;
714 }
715 
playBackReRouting()716 void AudioPolicyManagerFuzzerDPPlaybackReRouting::playBackReRouting() {
717     const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
718     for (int i = 0; i < numTestCases; ++i) {
719         audio_attributes_t attr;
720         attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
721         attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
722         attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
723         attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
724         std::string tags(mFdp->ConsumeBool() ? "" : "addr=remote_submix_media");
725         strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
726 
727         audio_port_handle_t playbackRoutedPortId = AUDIO_PORT_HANDLE_NONE;
728         getOutputForAttr(&playbackRoutedPortId, mAudioConfig.format, mAudioConfig.channel_mask,
729                          mAudioConfig.sample_rate, AUDIO_OUTPUT_FLAG_NONE, nullptr /*output*/,
730                          nullptr /*portId*/, attr);
731     }
732 }
733 
process()734 void AudioPolicyManagerFuzzerDPPlaybackReRouting::process() {
735     if (initialize()) {
736         playBackReRouting();
737         registerPolicyMixes();
738         fuzzPatchCreation();
739         unregisterPolicyMixes();
740     }
741 }
742 
743 class AudioPolicyManagerFuzzerDPMixRecordInjection : public AudioPolicyManagerFuzzerDynamicPolicy {
744    public:
745     explicit AudioPolicyManagerFuzzerDPMixRecordInjection(FuzzedDataProvider *fdp);
746     ~AudioPolicyManagerFuzzerDPMixRecordInjection() override;
747     void process() override;
748 
749    protected:
750     bool initialize() override;
751     void recordingInjection();
752 
753     std::unique_ptr<RecordingActivityTracker> mTracker;
754 
755     std::vector<PolicyMixTuple> mSourceRules = {
756         {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_CAMCORDER, RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET},
757         {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_MIC, RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET},
758         {AUDIO_USAGE_UNKNOWN, AUDIO_SOURCE_VOICE_COMMUNICATION,
759          RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET}};
760 
761     struct audio_port_v7 mExtractionPort;
762     audio_port_handle_t mPortId = AUDIO_PORT_HANDLE_NONE;
763     audio_config_t mAudioConfig;
764 };
765 
AudioPolicyManagerFuzzerDPMixRecordInjection(FuzzedDataProvider * fdp)766 AudioPolicyManagerFuzzerDPMixRecordInjection::AudioPolicyManagerFuzzerDPMixRecordInjection(
767         FuzzedDataProvider *fdp)
768         : AudioPolicyManagerFuzzerDynamicPolicy(fdp) {
769     const uint32_t numRules = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
770     for (int i = 0; i < numRules; ++i) {
771         PolicyMixTuple rule = {getValueFromVector<audio_usage_t>(mFdp, kAudioUsages),
772                                getValueFromVector<audio_source_t>(mFdp, kAudioSources),
773                                RULE_MATCH_ATTRIBUTE_CAPTURE_PRESET};
774         mSourceRules.push_back(rule);
775     }
776 }
777 
~AudioPolicyManagerFuzzerDPMixRecordInjection()778 AudioPolicyManagerFuzzerDPMixRecordInjection::~AudioPolicyManagerFuzzerDPMixRecordInjection() {
779     if (mManager) {
780         mManager->stopOutput(mPortId);
781     }
782 }
783 
initialize()784 bool AudioPolicyManagerFuzzerDPMixRecordInjection::initialize() {
785     if (!AudioPolicyManagerFuzzerDynamicPolicy::initialize()) {
786         return false;
787     }
788 
789     mTracker.reset(new RecordingActivityTracker());
790 
791     mAudioConfig = AUDIO_CONFIG_INITIALIZER;
792     mAudioConfig.channel_mask =
793         getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks);
794     mAudioConfig.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
795     mAudioConfig.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
796     status_t ret = addPolicyMix(getValueFromVector<int>(mFdp, kMixTypes),
797                                 getValueFromVector<int>(mFdp, kMixRouteFlags),
798                                 getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
799                                 mMixAddress, mAudioConfig, mSourceRules);
800     if (ret != NO_ERROR) {
801         return false;
802     }
803 
804     struct audio_port_v7 injectionPort;
805     findDevicePort(AUDIO_PORT_ROLE_SINK, getValueFromVector<audio_devices_t>(mFdp, kAudioDevices),
806                    mMixAddress, &injectionPort);
807 
808     audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
809     audio_usage_t usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
810     audio_attributes_t attr = {AUDIO_CONTENT_TYPE_UNKNOWN, usage, AUDIO_SOURCE_DEFAULT,
811                                AUDIO_FLAG_NONE, ""};
812     std::string tags = std::string("addr=") + mMixAddress;
813     strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
814     getOutputForAttr(&selectedDeviceId, mAudioConfig.format, mAudioConfig.channel_mask,
815                      mAudioConfig.sample_rate /*sampleRate*/, AUDIO_OUTPUT_FLAG_NONE,
816                      nullptr /*output*/, &mPortId, attr);
817     ret = mManager->startOutput(mPortId);
818     if (ret != NO_ERROR) {
819         return false;
820     }
821     getDeviceIdFromPatch(mClient->getLastAddedPatch());
822     if (!findDevicePort(AUDIO_PORT_ROLE_SOURCE,
823                         getValueFromVector<audio_devices_t>(mFdp, kAudioDevices), mMixAddress,
824                         &mExtractionPort)) {
825         return false;
826     }
827 
828     return true;
829 }
830 
recordingInjection()831 void AudioPolicyManagerFuzzerDPMixRecordInjection::recordingInjection() {
832     const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
833     for (int i = 0; i < numTestCases; ++i) {
834         audio_attributes_t attr;
835         attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
836         attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
837         attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
838         attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
839         std::string tags(mFdp->ConsumeBool() ? "" : "addr=remote_submix_media");
840         strncpy(attr.tags, tags.c_str(), AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1);
841 
842         audio_port_handle_t captureRoutedPortId = AUDIO_PORT_HANDLE_NONE;
843         audio_port_handle_t portId = AUDIO_PORT_HANDLE_NONE;
844         getInputForAttr(attr, mTracker->getRiid(), &captureRoutedPortId, mAudioConfig.format,
845                         mAudioConfig.channel_mask, mAudioConfig.sample_rate, AUDIO_INPUT_FLAG_NONE,
846                         &portId);
847     }
848 }
849 
process()850 void AudioPolicyManagerFuzzerDPMixRecordInjection::process() {
851     if (initialize()) {
852         recordingInjection();
853         registerPolicyMixes();
854         fuzzPatchCreation();
855         unregisterPolicyMixes();
856     }
857 }
858 
859 using DeviceConnectionTestParams =
860     std::tuple<audio_devices_t /*type*/, std::string /*name*/, std::string /*address*/>;
861 
862 class AudioPolicyManagerFuzzerDeviceConnection
863     : public AudioPolicyManagerFuzzerWithConfigurationFile {
864    public:
AudioPolicyManagerFuzzerDeviceConnection(FuzzedDataProvider * fdp)865     explicit AudioPolicyManagerFuzzerDeviceConnection(FuzzedDataProvider *fdp)
866         : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
867     void process() override;
868 
869     void fuzzGetDirectPlaybackSupport();
870     void fuzzGetDirectProfilesForAttributes();
871 
872    protected:
873     void setDeviceConnectionState();
874     void explicitlyRoutingAfterConnection();
875 };
876 
setDeviceConnectionState()877 void AudioPolicyManagerFuzzerDeviceConnection::setDeviceConnectionState() {
878     const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
879     for (int i = 0; i < numTestCases; ++i) {
880         const audio_devices_t type = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
881         const std::string name = mFdp->ConsumeRandomLengthString();
882         const std::string address = mFdp->ConsumeRandomLengthString();
883         mManager->setDeviceConnectionState(
884             type, getValueFromVector<audio_policy_dev_state_t>(mFdp, kAudioPolicyDeviceStates),
885             address.c_str(), name.c_str(), getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
886     }
887 }
888 
explicitlyRoutingAfterConnection()889 void AudioPolicyManagerFuzzerDeviceConnection::explicitlyRoutingAfterConnection() {
890     const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
891     for (int i = 0; i < numTestCases; ++i) {
892         const audio_devices_t type = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
893         const std::string name = mFdp->ConsumeRandomLengthString();
894         const std::string address = mFdp->ConsumeRandomLengthString();
895         mManager->setDeviceConnectionState(
896             type, getValueFromVector<audio_policy_dev_state_t>(mFdp, kAudioPolicyDeviceStates),
897             address.c_str(), name.c_str(), getValueFromVector<audio_format_t>(mFdp, kAudioFormats));
898 
899         audio_port_v7 devicePort;
900         const audio_port_role_t role =
901             audio_is_output_device(type) ? AUDIO_PORT_ROLE_SINK : AUDIO_PORT_ROLE_SOURCE;
902         findDevicePort(role, type, address, &devicePort);
903 
904         audio_port_handle_t routedPortId = devicePort.id;
905         // Try start input or output according to the device type
906         if (audio_is_output_devices(type)) {
907             getOutputForAttr(&routedPortId, getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
908                              getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks),
909                              getValueFromVector<uint32_t>(mFdp, kSamplingRates),
910                              AUDIO_OUTPUT_FLAG_NONE);
911         } else if (audio_is_input_device(type)) {
912             RecordingActivityTracker tracker;
913             getInputForAttr({}, tracker.getRiid(), &routedPortId,
914                             getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
915                             getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelInMasks),
916                             getValueFromVector<uint32_t>(mFdp, kSamplingRates),
917                             AUDIO_INPUT_FLAG_NONE);
918         }
919     }
920 }
921 
fuzzGetDirectPlaybackSupport()922 void AudioPolicyManagerFuzzerDeviceConnection::fuzzGetDirectPlaybackSupport() {
923     const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
924     for (int i = 0; i < numTestCases; ++i) {
925         audio_attributes_t attr = AUDIO_ATTRIBUTES_INITIALIZER;
926         attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
927         attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
928         attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
929         attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
930         audio_config_t config = AUDIO_CONFIG_INITIALIZER;
931         config.channel_mask = getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks);
932         config.format = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
933         config.sample_rate = getValueFromVector<uint32_t>(mFdp, kSamplingRates);
934         mManager->getDirectPlaybackSupport(&attr, &config);
935     }
936 }
937 
fuzzGetDirectProfilesForAttributes()938 void AudioPolicyManagerFuzzerDeviceConnection::fuzzGetDirectProfilesForAttributes() {
939     const uint32_t numTestCases = mFdp->ConsumeIntegralInRange<uint32_t>(1, 10);
940     for (int i = 0; i < numTestCases; ++i) {
941         AudioProfileVector audioProfiles;
942         audio_attributes_t attr = AUDIO_ATTRIBUTES_INITIALIZER;
943         attr.content_type = getValueFromVector<audio_content_type_t>(mFdp, kAudioContentTypes);
944         attr.usage = getValueFromVector<audio_usage_t>(mFdp, kAudioUsages);
945         attr.source = getValueFromVector<audio_source_t>(mFdp, kAudioSources);
946         attr.flags = getValueFromVector<audio_flags_mask_t>(mFdp, kAudioFlagMasks);
947         mManager->getDirectProfilesForAttributes(&attr, audioProfiles);
948     }
949 }
950 
process()951 void AudioPolicyManagerFuzzerDeviceConnection::process() {
952     if (initialize()) {
953         setDeviceConnectionState();
954         explicitlyRoutingAfterConnection();
955         fuzzGetDirectPlaybackSupport();
956         fuzzGetDirectProfilesForAttributes();
957         fuzzPatchCreation();
958     }
959 }
960 
961 class AudioPolicyManagerTVFuzzer : public AudioPolicyManagerFuzzerWithConfigurationFile {
962    public:
AudioPolicyManagerTVFuzzer(FuzzedDataProvider * fdp)963     explicit AudioPolicyManagerTVFuzzer(FuzzedDataProvider *fdp)
964         : AudioPolicyManagerFuzzerWithConfigurationFile(fdp){};
965     void process() override;
966 
967    protected:
968     std::string getConfigFile();
969     void testHDMIPortSelection(audio_output_flags_t flags);
970 
971     static inline const std::string sTvConfig =
972             AudioPolicyManagerTVFuzzer::sExecutableDir + "data/test_tv_apm_configuration.xml";
973 };
974 
getConfigFile()975 std::string AudioPolicyManagerTVFuzzer::getConfigFile() { return fuzzXML(sTvConfig); }
976 
testHDMIPortSelection(audio_output_flags_t flags)977 void AudioPolicyManagerTVFuzzer::testHDMIPortSelection(audio_output_flags_t flags) {
978     audio_devices_t audioDevice = getValueFromVector<audio_devices_t>(mFdp, kAudioDevices);
979     audio_format_t audioFormat = getValueFromVector<audio_format_t>(mFdp, kAudioFormats);
980     status_t ret = mManager->setDeviceConnectionState(
981         audioDevice, AUDIO_POLICY_DEVICE_STATE_AVAILABLE, "" /*address*/, "" /*name*/, audioFormat);
982     if (ret != NO_ERROR) {
983         return;
984     }
985     audio_port_handle_t selectedDeviceId = AUDIO_PORT_HANDLE_NONE;
986     audio_io_handle_t output;
987     audio_port_handle_t portId;
988     getOutputForAttr(&selectedDeviceId, getValueFromVector<audio_format_t>(mFdp, kAudioFormats),
989                      getValueFromVector<audio_channel_mask_t>(mFdp, kAudioChannelOutMasks),
990                      getValueFromVector<uint32_t>(mFdp, kSamplingRates), flags, &output, &portId);
991     sp<SwAudioOutputDescriptor> outDesc = mManager->getOutputs().valueFor(output);
992     if (outDesc.get() == nullptr) {
993         return;
994     }
995     audio_port_v7 port = {};
996     outDesc->toAudioPort(&port);
997     mManager->releaseOutput(portId);
998     mManager->setDeviceConnectionState(audioDevice, AUDIO_POLICY_DEVICE_STATE_UNAVAILABLE,
999                                        "" /*address*/, "" /*name*/, audioFormat);
1000 }
1001 
process()1002 void AudioPolicyManagerTVFuzzer::process() {
1003     if (initialize()) {
1004         testHDMIPortSelection(getValueFromVector<audio_output_flags_t>(mFdp, kAudioOutputFlags));
1005         fuzzPatchCreation();
1006     }
1007 }
1008 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)1009 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
1010     if (size < 1) {
1011         return 0;
1012     }
1013     FuzzedDataProvider fdp = FuzzedDataProvider(data, size);
1014     while (fdp.remaining_bytes() > 0) {
1015         AudioPolicyManagerFuzzer audioPolicyManagerFuzzer(&fdp);
1016         audioPolicyManagerFuzzer.process();
1017 
1018         AudioPolicyManagerFuzzerMsd audioPolicyManagerFuzzerMsd(&fdp);
1019         audioPolicyManagerFuzzerMsd.process();
1020 
1021         AudioPolicyManagerFuzzerWithConfigurationFile audioPolicyManagerFuzzerWithConfigurationFile(
1022             &fdp);
1023         audioPolicyManagerFuzzerWithConfigurationFile.process();
1024 
1025         AudioPolicyManagerFuzzerDynamicPolicy audioPolicyManagerFuzzerDynamicPolicy(&fdp);
1026         audioPolicyManagerFuzzerDynamicPolicy.process();
1027 
1028         AudioPolicyManagerFuzzerDPNoRemoteSubmixModule
1029             audioPolicyManagerFuzzerDPNoRemoteSubmixModule(&fdp);
1030         audioPolicyManagerFuzzerDPNoRemoteSubmixModule.process();
1031 
1032         AudioPolicyManagerFuzzerDPPlaybackReRouting audioPolicyManagerFuzzerDPPlaybackReRouting(
1033             &fdp);
1034         audioPolicyManagerFuzzerDPPlaybackReRouting.process();
1035 
1036         AudioPolicyManagerFuzzerDPMixRecordInjection audioPolicyManagerFuzzerDPMixRecordInjection(
1037             &fdp);
1038         audioPolicyManagerFuzzerDPMixRecordInjection.process();
1039 
1040         AudioPolicyManagerFuzzerDeviceConnection audioPolicyManagerFuzzerDeviceConnection(&fdp);
1041         audioPolicyManagerFuzzerDeviceConnection.process();
1042 
1043         AudioPolicyManagerTVFuzzer audioPolicyManagerTVFuzzer(&fdp);
1044         audioPolicyManagerTVFuzzer.process();
1045     }
1046     return 0;
1047 }
1048