Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1e04766f authored by Ayushi Khopkar's avatar Ayushi Khopkar Committed by Andy Hung
Browse files

audioflinger_fuzzer : Avoid configuration of invalid values 

This update avoids configuring of invalid values which lead to abort

Test: ./audioflinger_fuzzer -rss_limit_mb=2560 -timeout=90 -runs=100
      clusterfuzz-testcase-minimized-audioflinger_fuzzer-5701813725167616
Bug: 180357329

Change-Id: Iedc5d35e3f0c445c6e9278292462e0edf6c022f0
(cherry picked from commit 95b1327f7d6b0ff127960dd6012414ea1e8f8169)
parent b2d4b7b0

media/libaudioclient/fuzzer/audioflinger_fuzzer.cpp

+19 −24
Original line number Diff line number Diff line
@@ -35,6 +35,10 @@ 
#define MAX_STRING_LENGTH 256

#define MAX_ARRAY_LENGTH 256



constexpr int32_t kMinSampleRateHz = 4000;

constexpr int32_t kMaxSampleRateHz = 192000;

constexpr int32_t kSampleRateUnspecified = 0;



using namespace std;

using namespace android;
@@ -129,30 +133,21 @@ static const std::vector<audio_output_flags_t> kOutputFlags = 
    getFlags<audio_output_flags_t, xsd::AudioInOutFlag, decltype(audio_output_flag_from_string)>(

        xsdc_enum_range<xsd::AudioInOutFlag>{}, audio_output_flag_from_string, "_OUTPUT_");



template <typename T, size_t size>

T getValueFromArray(FuzzedDataProvider *fdp, const T (&arr)[size]) {

    return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];

}



template <typename T, size_t size>

T getValue(FuzzedDataProvider *fdp, const T (&arr)[size]) {

    if (fdp->ConsumeBool()) {

        return static_cast<T>(fdp->ConsumeIntegral<int32_t>());

    }

    return getValueFromArray(fdp, arr);

    return arr[fdp->ConsumeIntegralInRange<int32_t>(0, size - 1)];

}



template <typename T>

T getValueFromVector(FuzzedDataProvider *fdp, std::vector<T> vec) {

T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {

    return vec[fdp->ConsumeIntegralInRange<int32_t>(0, vec.size() - 1)];

}



template <typename T>

T getValue(FuzzedDataProvider *fdp, std::vector<T> vec) {

int32_t getSampleRate(FuzzedDataProvider *fdp) {

    if (fdp->ConsumeBool()) {

        return static_cast<T>(fdp->ConsumeIntegral<int32_t>());

        return fdp->ConsumeIntegralInRange<int32_t>(kMinSampleRateHz, kMaxSampleRateHz);

    }

    return getValueFromVector(fdp, vec);

    return kSampleRateUnspecified;

}



class DeathNotifier : public IBinder::DeathRecipient {
@@ -189,7 +184,7 @@ AudioFlingerFuzzer::AudioFlingerFuzzer(const uint8_t *data, size_t size) : mFdp( 
}



void AudioFlingerFuzzer::invokeAudioTrack() {

    uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();

    uint32_t sampleRate = getSampleRate(&mFdp);

    audio_format_t format = getValue(&mFdp, kFormats);

    audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);

    size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());
@@ -259,7 +254,7 @@ void AudioFlingerFuzzer::invokeAudioTrack() { 


    float auxEffectSendLevel;

    track->getAuxEffectSendLevel(&auxEffectSendLevel);

    track->setSampleRate(mFdp.ConsumeIntegral<uint32_t>());

    track->setSampleRate(getSampleRate(&mFdp));

    track->getSampleRate();

    track->getOriginalSampleRate();
@@ -292,7 +287,7 @@ void AudioFlingerFuzzer::invokeAudioTrack() { 


void AudioFlingerFuzzer::invokeAudioRecord() {

    int32_t notificationFrames = mFdp.ConsumeIntegral<int32_t>();

    uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();

    uint32_t sampleRate = getSampleRate(&mFdp);

    size_t frameCount = static_cast<size_t>(mFdp.ConsumeIntegral<uint32_t>());

    audio_format_t format = getValue(&mFdp, kFormats);

    audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);
@@ -518,7 +513,7 @@ void AudioFlingerFuzzer::invokeAudioSystem() { 
    AudioSystem::getFrameCountHAL(mFdp.ConsumeIntegral<int32_t>(), &frameCount);



    size_t buffSize;

    uint32_t sampleRate = mFdp.ConsumeIntegral<uint32_t>();

    uint32_t sampleRate = getSampleRate(&mFdp);

    audio_format_t format = getValue(&mFdp, kFormats);

    audio_channel_mask_t channelMask = getValue(&mFdp, kChannelMasks);

    AudioSystem::getInputBufferSize(sampleRate, format, channelMask, &buffSize);
@@ -572,12 +567,12 @@ status_t AudioFlingerFuzzer::invokeAudioInputDevice() { 
    config.offload_info.format = getValue(&mFdp, kFormats);

    config.offload_info.has_video = mFdp.ConsumeBool();

    config.offload_info.is_streaming = mFdp.ConsumeBool();

    config.offload_info.sample_rate = (mFdp.ConsumeIntegral<uint32_t>());

    config.offload_info.sample_rate = getSampleRate(&mFdp);

    config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();

    config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);

    config.offload_info.usage = getValue(&mFdp, kUsages);



    config.sample_rate = mFdp.ConsumeIntegral<uint32_t>();

    config.sample_rate = getSampleRate(&mFdp);



    audio_devices_t device = getValue(&mFdp, kDevices);

    audio_source_t source = getValue(&mFdp, kInputSources);
@@ -628,13 +623,13 @@ status_t AudioFlingerFuzzer::invokeAudioOutputDevice() { 
    config.offload_info.format = getValue(&mFdp, kFormats);

    config.offload_info.has_video = mFdp.ConsumeBool();

    config.offload_info.is_streaming = mFdp.ConsumeBool();

    config.offload_info.sample_rate = mFdp.ConsumeIntegral<uint32_t>();

    config.offload_info.sample_rate = getSampleRate(&mFdp);

    config.offload_info.stream_type = getValue(&mFdp, kStreamtypes);

    config.offload_info.sync_id = mFdp.ConsumeIntegral<uint32_t>();

    config.offload_info.usage = getValue(&mFdp, kUsages);



    config.format = getValue(&mFdp, kFormats);

    config.sample_rate = mFdp.ConsumeIntegral<uint32_t>();

    config.sample_rate = getSampleRate(&mFdp);



    sp<DeviceDescriptorBase> device = new DeviceDescriptorBase(getValue(&mFdp, kDevices));

    audio_output_flags_t flags = getValue(&mFdp, kOutputFlags);
@@ -683,7 +678,7 @@ void AudioFlingerFuzzer::invokeAudioPatch() { 
        patch.sources[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();

        patch.sources[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());

        patch.sources[i].role = getValue(&mFdp, kPortRoles);

        patch.sources[i].sample_rate = mFdp.ConsumeIntegral<uint32_t>();

        patch.sources[i].sample_rate = getSampleRate(&mFdp);

        patch.sources[i].type = getValue(&mFdp, kPortTypes);



        patch.sinks[i].config_mask = mFdp.ConsumeIntegral<uint32_t>();
@@ -695,7 +690,7 @@ void AudioFlingerFuzzer::invokeAudioPatch() { 
        patch.sinks[i].gain.ramp_duration_ms = mFdp.ConsumeIntegral<uint32_t>();

        patch.sinks[i].id = static_cast<audio_format_t>(mFdp.ConsumeIntegral<int32_t>());

        patch.sinks[i].role = getValue(&mFdp, kPortRoles);

        patch.sinks[i].sample_rate = mFdp.ConsumeIntegral<uint32_t>();

        patch.sinks[i].sample_rate = getSampleRate(&mFdp);

        patch.sinks[i].type = getValue(&mFdp, kPortTypes);

    }