1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 */
17
18 #include <MediaExtractorService.h>
19 #include <MediaPlayerService.h>
20 #include <android/gui/BnSurfaceComposerClient.h>
21 #include <camera/Camera.h>
22 #include <datasource/FileSource.h>
23 #include <fuzzbinder/random_binder.h>
24 #include <gmock/gmock.h>
25 #include <gui/Surface.h>
26 #include <gui/SurfaceComposerClient.h>
27 #include <media/IMediaCodecList.h>
28 #include <media/IMediaHTTPService.h>
29 #include <media/IMediaPlayer.h>
30 #include <media/IMediaRecorder.h>
31 #include <media/IRemoteDisplay.h>
32 #include <media/IRemoteDisplayClient.h>
33 #include <media/MediaHTTPConnection.h>
34 #include <media/MediaHTTPService.h>
35 #include <media/stagefright/RemoteDataSource.h>
36 #include <media/stagefright/foundation/base64.h>
37 #include <thread>
38 #include "android-base/stringprintf.h"
39 #include "fuzzer/FuzzedDataProvider.h"
40 using namespace std;
41 using namespace android;
42
43 constexpr int32_t kUuidSize = 16;
44 constexpr int32_t kMinSize = 0;
45 constexpr int32_t kMaxSize = 100;
46 constexpr int32_t kFourCCVal = android::FOURCC('m', 't', 'r', 'X');
47 constexpr int32_t kFlagVal =
48 ISurfaceComposerClient::eCursorWindow | ISurfaceComposerClient::eOpaque;
49
50 const char dumpFile[] = "OutputDumpFile";
51
52 enum DataSourceType { HTTP, FD, STREAM, FILETYPE, SOCKET, kMaxValue = SOCKET };
53
54 constexpr audio_flags_mask_t kAudioFlagsMasks[] = {AUDIO_FLAG_NONE,
55 AUDIO_FLAG_AUDIBILITY_ENFORCED,
56 AUDIO_FLAG_SECURE,
57 AUDIO_FLAG_SCO,
58 AUDIO_FLAG_BEACON,
59 AUDIO_FLAG_HW_AV_SYNC,
60 AUDIO_FLAG_HW_HOTWORD,
61 AUDIO_FLAG_BYPASS_INTERRUPTION_POLICY,
62 AUDIO_FLAG_BYPASS_MUTE,
63 AUDIO_FLAG_LOW_LATENCY,
64 AUDIO_FLAG_DEEP_BUFFER,
65 AUDIO_FLAG_NO_MEDIA_PROJECTION,
66 AUDIO_FLAG_MUTE_HAPTIC,
67 AUDIO_FLAG_NO_SYSTEM_CAPTURE,
68 AUDIO_FLAG_CAPTURE_PRIVATE,
69 AUDIO_FLAG_CONTENT_SPATIALIZED,
70 AUDIO_FLAG_NEVER_SPATIALIZE,
71 AUDIO_FLAG_CALL_REDIRECTION};
72
73 constexpr audio_content_type_t kAudioContentTypes[] = {
74 AUDIO_CONTENT_TYPE_UNKNOWN, AUDIO_CONTENT_TYPE_SPEECH, AUDIO_CONTENT_TYPE_MUSIC,
75 AUDIO_CONTENT_TYPE_MOVIE, AUDIO_CONTENT_TYPE_SONIFICATION, AUDIO_CONTENT_TYPE_ULTRASOUND};
76
77 constexpr audio_source_t kAudioSources[] = {AUDIO_SOURCE_INVALID,
78 AUDIO_SOURCE_DEFAULT,
79 AUDIO_SOURCE_MIC,
80 AUDIO_SOURCE_VOICE_UPLINK,
81 AUDIO_SOURCE_VOICE_DOWNLINK,
82 AUDIO_SOURCE_VOICE_CALL,
83 AUDIO_SOURCE_CAMCORDER,
84 AUDIO_SOURCE_VOICE_RECOGNITION,
85 AUDIO_SOURCE_VOICE_COMMUNICATION,
86 AUDIO_SOURCE_REMOTE_SUBMIX,
87 AUDIO_SOURCE_UNPROCESSED,
88 AUDIO_SOURCE_VOICE_PERFORMANCE,
89 AUDIO_SOURCE_ECHO_REFERENCE,
90 AUDIO_SOURCE_FM_TUNER,
91 AUDIO_SOURCE_HOTWORD,
92 AUDIO_SOURCE_ULTRASOUND};
93
94 constexpr audio_usage_t kAudioUsages[] = {AUDIO_USAGE_UNKNOWN,
95 AUDIO_USAGE_MEDIA,
96 AUDIO_USAGE_VOICE_COMMUNICATION,
97 AUDIO_USAGE_VOICE_COMMUNICATION_SIGNALLING,
98 AUDIO_USAGE_ALARM,
99 AUDIO_USAGE_NOTIFICATION,
100 AUDIO_USAGE_NOTIFICATION_TELEPHONY_RINGTONE,
101 AUDIO_USAGE_NOTIFICATION_COMMUNICATION_REQUEST,
102 AUDIO_USAGE_NOTIFICATION_COMMUNICATION_INSTANT,
103 AUDIO_USAGE_NOTIFICATION_COMMUNICATION_DELAYED,
104 AUDIO_USAGE_NOTIFICATION_EVENT,
105 AUDIO_USAGE_ASSISTANCE_ACCESSIBILITY,
106 AUDIO_USAGE_ASSISTANCE_NAVIGATION_GUIDANCE,
107 AUDIO_USAGE_ASSISTANCE_SONIFICATION,
108 AUDIO_USAGE_GAME,
109 AUDIO_USAGE_VIRTUAL_SOURCE,
110 AUDIO_USAGE_ASSISTANT,
111 AUDIO_USAGE_CALL_ASSISTANT,
112 AUDIO_USAGE_EMERGENCY,
113 AUDIO_USAGE_SAFETY,
114 AUDIO_USAGE_VEHICLE_STATUS,
115 AUDIO_USAGE_ANNOUNCEMENT};
116
117 constexpr PixelFormat kPixelFormat[] = {
118 PIXEL_FORMAT_UNKNOWN, PIXEL_FORMAT_NONE, PIXEL_FORMAT_CUSTOM,
119 PIXEL_FORMAT_TRANSLUCENT, PIXEL_FORMAT_TRANSPARENT, PIXEL_FORMAT_OPAQUE,
120 PIXEL_FORMAT_RGBA_8888, PIXEL_FORMAT_RGBX_8888, PIXEL_FORMAT_RGB_888,
121 PIXEL_FORMAT_RGB_565, PIXEL_FORMAT_BGRA_8888, PIXEL_FORMAT_RGBA_5551,
122 PIXEL_FORMAT_RGBA_4444, PIXEL_FORMAT_RGBA_FP16, PIXEL_FORMAT_RGBA_1010102,
123 PIXEL_FORMAT_R_8, PIXEL_FORMAT_R_16_UINT, PIXEL_FORMAT_RG_1616_UINT,
124 PIXEL_FORMAT_RGBA_10101010,
125 };
126
127 constexpr media_parameter_keys kMediaParamKeys[] = {
128 KEY_PARAMETER_CACHE_STAT_COLLECT_FREQ_MS, KEY_PARAMETER_AUDIO_CHANNEL_COUNT,
129 KEY_PARAMETER_PLAYBACK_RATE_PERMILLE, KEY_PARAMETER_AUDIO_ATTRIBUTES,
130 KEY_PARAMETER_RTP_ATTRIBUTES};
131
132 constexpr media_event_type kMediaEventTypes[] = {MEDIA_NOP,
133 MEDIA_PREPARED,
134 MEDIA_PLAYBACK_COMPLETE,
135 MEDIA_BUFFERING_UPDATE,
136 MEDIA_SEEK_COMPLETE,
137 MEDIA_SET_VIDEO_SIZE,
138 MEDIA_STARTED,
139 MEDIA_PAUSED,
140 MEDIA_STOPPED,
141 MEDIA_SKIPPED,
142 MEDIA_NOTIFY_TIME,
143 MEDIA_TIMED_TEXT,
144 MEDIA_ERROR,
145 MEDIA_INFO,
146 MEDIA_SUBTITLE_DATA,
147 MEDIA_META_DATA,
148 MEDIA_DRM_INFO,
149 MEDIA_TIME_DISCONTINUITY,
150 MEDIA_IMS_RX_NOTICE,
151 MEDIA_AUDIO_ROUTING_CHANGED};
152
153 constexpr media_info_type kMediaInfoTypes[] = {
154 MEDIA_INFO_UNKNOWN, MEDIA_INFO_STARTED_AS_NEXT,
155 MEDIA_INFO_RENDERING_START, MEDIA_INFO_VIDEO_TRACK_LAGGING,
156 MEDIA_INFO_BUFFERING_START, MEDIA_INFO_BUFFERING_END,
157 MEDIA_INFO_NETWORK_BANDWIDTH, MEDIA_INFO_BAD_INTERLEAVING,
158 MEDIA_INFO_NOT_SEEKABLE, MEDIA_INFO_METADATA_UPDATE,
159 MEDIA_INFO_PLAY_AUDIO_ERROR, MEDIA_INFO_PLAY_VIDEO_ERROR,
160 MEDIA_INFO_TIMED_TEXT_ERROR};
161
162 const char *kUrlPrefix[] = {"data:", "http://", "https://", "rtsp://", "content://", "test://"};
163
164 struct TestStreamSource : public IStreamSource {
setListenerTestStreamSource165 void setListener(const sp<IStreamListener> & /*listener*/) override{};
setBuffersTestStreamSource166 void setBuffers(const Vector<sp<IMemory>> & /*buffers*/) override{};
onBufferAvailableTestStreamSource167 void onBufferAvailable(size_t /*index*/) override{};
onAsBinderTestStreamSource168 IBinder *onAsBinder() { return nullptr; };
169 };
170
171 struct TestMediaHTTPConnection : public MediaHTTPConnection {
172 public:
TestMediaHTTPConnectionTestMediaHTTPConnection173 TestMediaHTTPConnection() {}
~TestMediaHTTPConnectionTestMediaHTTPConnection174 virtual ~TestMediaHTTPConnection() {}
175
connectTestMediaHTTPConnection176 virtual bool connect(const char* /*uri*/, const KeyedVector<String8, String8>* /*headers*/) {
177 return true;
178 }
179
disconnectTestMediaHTTPConnection180 virtual void disconnect() { return; }
181
readAtTestMediaHTTPConnection182 virtual ssize_t readAt(off64_t /*offset*/, void* /*data*/, size_t size) { return size; }
183
getSizeTestMediaHTTPConnection184 virtual off64_t getSize() { return 0; }
getMIMETypeTestMediaHTTPConnection185 virtual status_t getMIMEType(String8* /*mimeType*/) { return NO_ERROR; }
getUriTestMediaHTTPConnection186 virtual status_t getUri(String8* /*uri*/) { return NO_ERROR; }
187
188 private:
189 DISALLOW_EVIL_CONSTRUCTORS(TestMediaHTTPConnection);
190 };
191
192 struct TestMediaHTTPService : public BnInterface<IMediaHTTPService> {
193 public:
TestMediaHTTPServiceTestMediaHTTPService194 TestMediaHTTPService() {}
~TestMediaHTTPServiceTestMediaHTTPService195 ~TestMediaHTTPService(){};
196
makeHTTPConnectionTestMediaHTTPService197 virtual sp<MediaHTTPConnection> makeHTTPConnection() {
198 mMediaHTTPConnection = sp<TestMediaHTTPConnection>::make();
199 return mMediaHTTPConnection;
200 }
201
202 private:
203 sp<TestMediaHTTPConnection> mMediaHTTPConnection = nullptr;
204 DISALLOW_EVIL_CONSTRUCTORS(TestMediaHTTPService);
205 };
206
207 class FakeBnSurfaceComposerClient : public gui::BnSurfaceComposerClient {
208 public:
209 MOCK_METHOD(binder::Status, createSurface,
210 (const std::string& name, int32_t flags, const sp<IBinder>& parent,
211 const gui::LayerMetadata& metadata, gui::CreateSurfaceResult* outResult),
212 (override));
213
214 MOCK_METHOD(binder::Status, clearLayerFrameStats, (const sp<IBinder>& handle), (override));
215
216 MOCK_METHOD(binder::Status, getLayerFrameStats,
217 (const sp<IBinder>& handle, gui::FrameStats* outStats), (override));
218
219 MOCK_METHOD(binder::Status, mirrorSurface,
220 (const sp<IBinder>& mirrorFromHandle, gui::CreateSurfaceResult* outResult),
221 (override));
222
223 MOCK_METHOD(binder::Status, mirrorDisplay,
224 (int64_t displayId, gui::CreateSurfaceResult* outResult), (override));
225
226 MOCK_METHOD(binder::Status, getSchedulingPolicy, (gui::SchedulingPolicy*), (override));
227 };
228
229 class MediaPlayerServiceFuzzer {
230 public:
MediaPlayerServiceFuzzer(const uint8_t * data,size_t size)231 MediaPlayerServiceFuzzer(const uint8_t *data, size_t size)
232 : mFdp(data, size), mDataSourceFd(memfd_create("InputFile", MFD_ALLOW_SEALING)){};
~MediaPlayerServiceFuzzer()233 ~MediaPlayerServiceFuzzer() { close(mDataSourceFd); };
234 void process(const uint8_t *data, size_t size);
235
236 private:
237 FuzzedDataProvider mFdp;
238 const int32_t mDataSourceFd;
239 sp<IMediaPlayer> mMediaPlayer = nullptr;
240 sp<IMediaPlayerClient> mMediaPlayerClient = nullptr;
241 void invokeMediaPlayer();
242 sp<SurfaceControl> makeSurfaceControl();
243 bool setDataSource(const uint8_t* data, size_t size);
244 };
245
makeSurfaceControl()246 sp<SurfaceControl> MediaPlayerServiceFuzzer::makeSurfaceControl() {
247 sp<IBinder> handle = getRandomBinder(&mFdp);
248 const sp<FakeBnSurfaceComposerClient> testClient(new FakeBnSurfaceComposerClient());
249 sp<SurfaceComposerClient> client = new SurfaceComposerClient(testClient);
250 uint32_t width = mFdp.ConsumeIntegral<uint32_t>();
251 uint32_t height = mFdp.ConsumeIntegral<uint32_t>();
252 uint32_t transformHint = mFdp.ConsumeIntegral<uint32_t>();
253 uint32_t flags = mFdp.ConsumeBool() ? kFlagVal : mFdp.ConsumeIntegral<uint32_t>();
254 int32_t format = mFdp.ConsumeBool() ? mFdp.ConsumeIntegral<uint32_t>()
255 : mFdp.PickValueInArray(kPixelFormat);
256 int32_t layerId = mFdp.ConsumeIntegral<int32_t>();
257 std::string layerName = android::base::StringPrintf("#%d", layerId);
258 return new SurfaceControl(client, handle, layerId, layerName, width, height, format,
259 transformHint, flags);
260 }
261
setDataSource(const uint8_t * data,size_t size)262 bool MediaPlayerServiceFuzzer::setDataSource(const uint8_t* data, size_t size) {
263 status_t status = UNKNOWN_ERROR;
264 switch (mFdp.ConsumeEnum<DataSourceType>()) {
265 case HTTP: {
266 KeyedVector<String8, String8> headers;
267 headers.add(String8(mFdp.ConsumeRandomLengthString().c_str()),
268 String8(mFdp.ConsumeRandomLengthString().c_str()));
269
270 uint32_t dataBlobSize = mFdp.ConsumeIntegralInRange<uint16_t>(kMinSize, size);
271 vector<uint8_t> uriSuffix = mFdp.ConsumeBytes<uint8_t>(dataBlobSize);
272
273 string uri(mFdp.PickValueInArray(kUrlPrefix));
274 uri += ";base64,";
275 AString out;
276 encodeBase64(uriSuffix.data(), uriSuffix.size(), &out);
277 uri += out.c_str();
278 sp<TestMediaHTTPService> testService = sp<TestMediaHTTPService>::make();
279 status =
280 mMediaPlayer->setDataSource(testService /*httpService*/, uri.c_str(), &headers);
281 break;
282 }
283 case FD: {
284 write(mDataSourceFd, data, size);
285 status = mMediaPlayer->setDataSource(mDataSourceFd, 0, size);
286 break;
287 }
288 case STREAM: {
289 sp<IStreamSource> streamSource = sp<TestStreamSource>::make();
290 status = mMediaPlayer->setDataSource(streamSource);
291 break;
292 }
293 case FILETYPE: {
294 write(mDataSourceFd, data, size);
295
296 sp<DataSource> dataSource = new FileSource(dup(mDataSourceFd), 0, size);
297 sp<IDataSource> iDataSource = RemoteDataSource::wrap(dataSource);
298 if (!iDataSource) {
299 return false;
300 }
301 status = mMediaPlayer->setDataSource(iDataSource);
302 break;
303 }
304 case SOCKET: {
305 String8 rtpParams = String8(mFdp.ConsumeRandomLengthString().c_str());
306 struct sockaddr_in endpoint;
307 endpoint.sin_family = mFdp.ConsumeIntegral<unsigned short>();
308 endpoint.sin_port = mFdp.ConsumeIntegral<uint16_t>();
309 mMediaPlayer->setRetransmitEndpoint(&endpoint);
310 status = mMediaPlayer->setDataSource(rtpParams);
311 break;
312 }
313 }
314 if (status != OK) {
315 return false;
316 }
317 return true;
318 }
319
invokeMediaPlayer()320 void MediaPlayerServiceFuzzer::invokeMediaPlayer() {
321 Parcel request, reply;
322 while (mFdp.remaining_bytes()) {
323 auto invokeMediaPlayerApi = mFdp.PickValueInArray<const std::function<void()>>({
324 [&]() {
325 sp<SurfaceControl> surfaceControl = makeSurfaceControl();
326 if (surfaceControl) {
327 sp<Surface> surface = surfaceControl->getSurface();
328 mMediaPlayer->setVideoSurfaceTexture(surface->getIGraphicBufferProducer());
329 }
330 },
331 [&]() {
332 BufferingSettings buffering;
333 buffering.mInitialMarkMs = mFdp.ConsumeIntegral<int32_t>();
334 buffering.mResumePlaybackMarkMs = mFdp.ConsumeIntegral<int32_t>();
335 mMediaPlayer->setBufferingSettings(buffering);
336 },
337 [&]() {
338 BufferingSettings buffering;
339 mMediaPlayer->getBufferingSettings(&buffering);
340 },
341 [&]() {
342 mMediaPlayer->prepareAsync();
343 this_thread::sleep_for(chrono::milliseconds(100)); // Time to post message
344 },
345 [&]() {
346 mMediaPlayer->start();
347 this_thread::sleep_for(chrono::milliseconds(100)); // Time to post message
348 },
349 [&]() {
350 mMediaPlayer->pause();
351 this_thread::sleep_for(chrono::milliseconds(100)); // Time to post message
352 },
353 [&]() { mMediaPlayer->stop(); },
354 [&]() {
355 bool state;
356 mMediaPlayer->isPlaying(&state);
357 },
358 [&]() {
359 AudioPlaybackRate rate;
360 rate.mSpeed = mFdp.ConsumeFloatingPoint<float>();
361 rate.mPitch = mFdp.ConsumeFloatingPoint<float>();
362 rate.mStretchMode = mFdp.ConsumeBool() ? AUDIO_TIMESTRETCH_STRETCH_DEFAULT
363 : AUDIO_TIMESTRETCH_STRETCH_VOICE;
364 rate.mFallbackMode =
365 (audio_timestretch_fallback_mode_t)mFdp.ConsumeIntegralInRange<int32_t>(
366 AUDIO_TIMESTRETCH_FALLBACK_CUT_REPEAT,
367 AUDIO_TIMESTRETCH_FALLBACK_FAIL);
368 mMediaPlayer->setPlaybackSettings(rate);
369 mMediaPlayer->getPlaybackSettings(&rate);
370 },
371 [&]() {
372 AVSyncSettings* avSyncSettings = new AVSyncSettings();
373 float videoFpsHint = mFdp.ConsumeFloatingPoint<float>();
374 mMediaPlayer->setSyncSettings(*avSyncSettings, videoFpsHint);
375 delete avSyncSettings;
376 },
377 [&]() {
378 AVSyncSettings* avSyncSettings = new AVSyncSettings();
379 float videoFpsHint = 0;
380 mMediaPlayer->getSyncSettings(avSyncSettings, &videoFpsHint);
381 delete avSyncSettings;
382 },
383 [&]() { mMediaPlayer->seekTo(mFdp.ConsumeIntegral<int32_t>()); },
384 [&]() {
385 int32_t msec;
386 mMediaPlayer->getCurrentPosition(&msec);
387 mMediaPlayer->getDuration(&msec);
388 },
389 [&]() { mMediaPlayer->reset(); },
390 [&]() { mMediaPlayer->notifyAt(mFdp.ConsumeIntegral<uint64_t>()); },
391 [&]() {
392 mMediaPlayer->setAudioStreamType(
393 (audio_stream_type_t)mFdp.ConsumeIntegralInRange<int32_t>(
394 AUDIO_STREAM_VOICE_CALL, AUDIO_STREAM_CALL_ASSISTANT));
395 },
396 [&]() { mMediaPlayer->setLooping(mFdp.ConsumeIntegral<int32_t>()); },
397 [&]() {
398 mMediaPlayer->setVolume(mFdp.ConsumeFloatingPoint<float>() /* left */,
399 mFdp.ConsumeFloatingPoint<float>() /* right */);
400 },
401 [&]() {
402 request.writeInt32(mFdp.ConsumeIntegral<int32_t>());
403 request.setDataPosition(0);
404 mMediaPlayer->invoke(request, &reply);
405 },
406 [&]() {
407 Parcel filter;
408 filter.writeInt32(mFdp.ConsumeIntegral<int32_t>());
409 filter.setDataPosition(0);
410 mMediaPlayer->setMetadataFilter(filter);
411 },
412 [&]() {
413 mMediaPlayer->getMetadata(mFdp.ConsumeBool() /* updateOnly */,
414 mFdp.ConsumeBool() /* applyFilter */, &reply);
415 },
416 [&]() { mMediaPlayer->setAuxEffectSendLevel(mFdp.ConsumeFloatingPoint<float>()); },
417 [&]() { mMediaPlayer->attachAuxEffect(mFdp.ConsumeIntegral<int32_t>()); },
418 [&]() {
419 int32_t key = mFdp.PickValueInArray(kMediaParamKeys);
420 request.writeInt32((audio_usage_t)mFdp.ConsumeIntegralInRange<int32_t>(
421 AUDIO_USAGE_UNKNOWN, AUDIO_USAGE_ANNOUNCEMENT) /* usage */);
422 request.writeInt32((audio_content_type_t)mFdp.ConsumeIntegralInRange<int32_t>(
423 AUDIO_CONTENT_TYPE_UNKNOWN,
424 AUDIO_CONTENT_TYPE_ULTRASOUND) /* content_type */);
425 request.writeInt32((audio_source_t)mFdp.ConsumeIntegralInRange<int32_t>(
426 AUDIO_SOURCE_INVALID, AUDIO_SOURCE_ULTRASOUND) /* source */);
427 request.writeInt32((audio_flags_mask_t)mFdp.ConsumeIntegralInRange<int32_t>(
428 AUDIO_FLAG_NONE, AUDIO_FLAG_CALL_REDIRECTION) /* flags */);
429 request.writeInt32(mFdp.ConsumeBool() /* hasFlattenedTag */);
430 request.writeString16(
431 String16((mFdp.ConsumeRandomLengthString()).c_str()) /* tags */);
432 request.setDataPosition(0);
433 mMediaPlayer->setParameter(key, request);
434 key = mFdp.PickValueInArray(kMediaParamKeys);
435 mMediaPlayer->getParameter(key, &reply);
436 },
437 [&]() {
438 int32_t key =
439 mFdp.ConsumeBool() ? kFourCCVal : mFdp.ConsumeIntegral<uint32_t>();
440 mMediaPlayer->getParameter(key, &reply);
441 },
442 [&]() {
443 struct sockaddr_in endpoint;
444 mMediaPlayer->getRetransmitEndpoint(&endpoint);
445 },
446 [&]() {
447 AttributionSourceState attributionSource;
448 attributionSource.packageName = mFdp.ConsumeRandomLengthString().c_str();
449 attributionSource.token = sp<BBinder>::make();
450 const sp<IMediaPlayerService> mpService(
451 IMediaDeathNotifier::getMediaPlayerService());
452 audio_session_t audioSessionId =
453 (audio_session_t)mFdp.ConsumeIntegralInRange<int32_t>(
454 AUDIO_SESSION_DEVICE, AUDIO_SESSION_OUTPUT_MIX);
455 sp<IMediaPlayer> mNextMediaPlayer = mpService->create(
456 mMediaPlayerClient, audioSessionId, attributionSource);
457 mMediaPlayer->setNextPlayer(mNextMediaPlayer);
458 },
459 [&]() {
460 const sp<media::VolumeShaper::Configuration> configuration =
461 sp<media::VolumeShaper::Configuration>::make();
462 const sp<media::VolumeShaper::Operation> operation =
463 sp<media::VolumeShaper::Operation>::make();
464 mMediaPlayer->applyVolumeShaper(configuration, operation);
465 },
466 [&]() { mMediaPlayer->getVolumeShaperState(mFdp.ConsumeIntegral<int32_t>()); },
467 [&]() {
468 uint8_t uuid[kUuidSize];
469 for (int32_t index = 0; index < kUuidSize; ++index) {
470 uuid[index] = mFdp.ConsumeIntegral<uint8_t>();
471 }
472 Vector<uint8_t> drmSessionId;
473 int32_t length = mFdp.ConsumeIntegralInRange<uint32_t>(kMinSize, kMaxSize);
474 while (length--) {
475 drmSessionId.push_back(mFdp.ConsumeIntegral<uint8_t>());
476 }
477 mMediaPlayer->prepareDrm(uuid, drmSessionId);
478 },
479 [&]() { mMediaPlayer->releaseDrm(); },
480 [&]() {
481 audio_port_handle_t deviceId = mFdp.ConsumeIntegral<int32_t>();
482 mMediaPlayer->setOutputDevice(deviceId);
483 },
484 [&]() {
485 audio_port_handle_t deviceId;
486 mMediaPlayer->getRoutedDeviceId(&deviceId);
487 },
488 [&]() { mMediaPlayer->enableAudioDeviceCallback(mFdp.ConsumeBool()); },
489 [&]() {
490 sp<MediaPlayer> mediaPlayer = (MediaPlayer*)mMediaPlayer.get();
491 Parcel obj;
492 obj.writeInt32(mFdp.ConsumeIntegral<int32_t>());
493 obj.setDataPosition(0);
494 mediaPlayer->notify(mFdp.PickValueInArray(kMediaEventTypes) /* msg */,
495 mFdp.PickValueInArray(kMediaInfoTypes) /* ext1 */,
496 mFdp.ConsumeIntegral<int32_t>() /* ext2 */, &obj);
497 },
498 [&]() {
499 sp<MediaPlayer> mediaPlayer = (MediaPlayer*)mMediaPlayer.get();
500 int32_t mediaPlayerDumpFd = memfd_create(dumpFile, MFD_ALLOW_SEALING);
501 Vector<String16> args;
502 args.push_back(String16(mFdp.ConsumeRandomLengthString().c_str()));
503 mediaPlayer->dump(mediaPlayerDumpFd, args);
504 close(mediaPlayerDumpFd);
505 },
506 [&]() { mMediaPlayer->disconnect(); },
507 });
508 invokeMediaPlayerApi();
509 }
510 }
511
process(const uint8_t * data,size_t size)512 void MediaPlayerServiceFuzzer::process(const uint8_t* data, size_t size) {
513 const sp<IMediaPlayerService> mpService(IMediaDeathNotifier::getMediaPlayerService());
514 if (!mpService) {
515 return;
516 }
517
518 sp<IMediaCodecList> mediaCodecList = mpService->getCodecList();
519
520 sp<IRemoteDisplayClient> remoteDisplayClient;
521 sp<IRemoteDisplay> remoteDisplay = mpService->listenForRemoteDisplay(
522 String16(mFdp.ConsumeRandomLengthString().c_str()) /*opPackageName*/,
523 remoteDisplayClient, String8(mFdp.ConsumeRandomLengthString().c_str()) /*iface*/);
524
525 mpService->addBatteryData(mFdp.ConsumeIntegral<uint32_t>());
526 Parcel reply;
527 mpService->pullBatteryData(&reply);
528
529 sp<MediaPlayerService> mediaPlayerService = (MediaPlayerService*)mpService.get();
530 AttributionSourceState attributionSource;
531 attributionSource.packageName = mFdp.ConsumeRandomLengthString().c_str();
532 attributionSource.token = sp<BBinder>::make();
533 mMediaPlayer =
534 mediaPlayerService->create(mMediaPlayerClient,
535 (audio_session_t)mFdp.ConsumeIntegralInRange<int32_t>(
536 AUDIO_SESSION_DEVICE, AUDIO_SESSION_OUTPUT_MIX),
537 attributionSource);
538
539 int32_t mediaPlayerServiceDumpFd = memfd_create(dumpFile, MFD_ALLOW_SEALING);
540 Vector<String16> args;
541 args.push_back(String16(mFdp.ConsumeRandomLengthString().c_str()));
542 mediaPlayerService->dump(mediaPlayerServiceDumpFd, args);
543 close(mediaPlayerServiceDumpFd);
544
545 if (!mMediaPlayer) {
546 return;
547 }
548 if (setDataSource(data, size)) {
549 invokeMediaPlayer();
550 }
551 }
552
LLVMFuzzerInitialize(int *,char ***)553 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
554 MediaPlayerService::instantiate();
555 MediaExtractorService::instantiate();
556 return 0;
557 }
558
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)559 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
560 MediaPlayerServiceFuzzer mpsFuzzer(data, size);
561 ProcessState::self()->startThreadPool();
562 mpsFuzzer.process(data, size);
563 return 0;
564 };
565