1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *
16  */
17 
18 #include <fuzzer/FuzzedDataProvider.h>
19 
20 #include "audio_hal_interface/a2dp_encoding.h"
21 #include "include/btif_av.h"
22 #include "include/btif_av_co.h"
23 #include "osi/include/properties.h"
24 
25 using ::bluetooth::audio::a2dp::update_codec_offloading_capabilities;
26 
27 extern "C" {
android_get_exported_namespace(const char *)28 struct android_namespace_t* android_get_exported_namespace(const char*) {
29   return nullptr;
30 }
31 }
32 
33 constexpr tA2DP_CTRL_ACK kCtrlAckStatus[] = {
34     A2DP_CTRL_ACK_SUCCESS,        A2DP_CTRL_ACK_FAILURE,
35     A2DP_CTRL_ACK_INCALL_FAILURE, A2DP_CTRL_ACK_UNSUPPORTED,
36     A2DP_CTRL_ACK_PENDING,        A2DP_CTRL_ACK_DISCONNECT_IN_PROGRESS};
37 
38 constexpr int32_t kRandomStringLength = 256;
39 
source_init_delayed(void)40 static void source_init_delayed(void) {}
41 
42 constexpr btav_a2dp_codec_index_t kCodecIndices[] = {
43     BTAV_A2DP_CODEC_INDEX_SOURCE_SBC,  BTAV_A2DP_CODEC_INDEX_SOURCE_AAC,
44     BTAV_A2DP_CODEC_INDEX_SOURCE_APTX, BTAV_A2DP_CODEC_INDEX_SOURCE_APTX_HD,
45     BTAV_A2DP_CODEC_INDEX_SOURCE_LDAC, BTAV_A2DP_CODEC_INDEX_SINK_SBC,
46     BTAV_A2DP_CODEC_INDEX_SINK_AAC,    BTAV_A2DP_CODEC_INDEX_SINK_LDAC};
47 
48 std::vector<std::vector<btav_a2dp_codec_config_t>>
CodecOffloadingPreferenceGenerator()49 CodecOffloadingPreferenceGenerator() {
50   std::vector<std::vector<btav_a2dp_codec_config_t>> offloadingPreferences = {
51       std::vector<btav_a2dp_codec_config_t>(0)};
52   btav_a2dp_codec_config_t btavCodecConfig = {};
53   for (btav_a2dp_codec_index_t i : kCodecIndices) {
54     btavCodecConfig.codec_type = i;
55     auto duplicated_preferences = offloadingPreferences;
56     for (auto iter = duplicated_preferences.begin();
57          iter != duplicated_preferences.end(); ++iter) {
58       iter->push_back(btavCodecConfig);
59     }
60     offloadingPreferences.insert(offloadingPreferences.end(),
61                                  duplicated_preferences.begin(),
62                                  duplicated_preferences.end());
63   }
64   return offloadingPreferences;
65 }
66 
67 class A2dpEncodingFuzzer {
68  public:
~A2dpEncodingFuzzer()69   ~A2dpEncodingFuzzer() {
70     delete (mCodec);
71     mCodec = nullptr;
72   }
73   void process(const uint8_t* data, size_t size);
74   static A2dpCodecConfig* mCodec;
75 };
76 
77 A2dpCodecConfig* A2dpEncodingFuzzer::mCodec{nullptr};
78 
process(const uint8_t * data,size_t size)79 void A2dpEncodingFuzzer::process(const uint8_t* data, size_t size) {
80   FuzzedDataProvider fdp(data, size);
81   if (!mCodec) {
82     mCodec = A2dpCodecConfig::createCodec(fdp.PickValueInArray(kCodecIndices));
83   }
84 
85   osi_property_set("persist.bluetooth.a2dp_offload.disabled",
86                    fdp.PickValueInArray({"true", "false"}));
87 
88   std::string name = fdp.ConsumeRandomLengthString(kRandomStringLength);
89   bluetooth::common::MessageLoopThread messageLoopThread(name);
90   messageLoopThread.StartUp();
91   messageLoopThread.DoInThread(FROM_HERE, base::BindOnce(&source_init_delayed));
92 
93   uint16_t delayReport = fdp.ConsumeIntegral<uint16_t>();
94   bluetooth::audio::a2dp::set_remote_delay(delayReport);
95 
96   if (!bluetooth::audio::a2dp::init(&messageLoopThread)) {
97     return;
98   }
99 
100   if (!bluetooth::audio::a2dp::setup_codec()) {
101     return;
102   }
103 
104   bluetooth::audio::a2dp::start_session();
105 
106   tA2DP_CTRL_ACK status = fdp.PickValueInArray(kCtrlAckStatus);
107   bluetooth::audio::a2dp::ack_stream_started(status);
108 
109   for (auto offloadingPreference : CodecOffloadingPreferenceGenerator()) {
110     update_codec_offloading_capabilities(offloadingPreference, false);
111   }
112   status = fdp.PickValueInArray(kCtrlAckStatus);
113   bluetooth::audio::a2dp::ack_stream_suspended(status);
114   bluetooth::audio::a2dp::cleanup();
115   messageLoopThread.ShutDown();
116 }
117 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)118 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
119   A2dpEncodingFuzzer a2dpEncodingFuzzer;
120   a2dpEncodingFuzzer.process(data, size);
121   return 0;
122 }
123