system/audio_hal_interface/fuzzer/Android.bp +6 −0
@@ -152,6 +152,12 @@ cc_fuzz { srcs: [ "libbt_audio_hal_hearing_aid_software_encoding_fuzzer.cpp", ], static_libs: [ "libbinder_random_parcel", ], shared_libs: [ "libbinder", ], } cc_fuzz {
system/audio_hal_interface/fuzzer/libbt_audio_hal_hearing_aid_software_encoding_fuzzer.cpp +45 −9
@@ -15,12 +15,19 @@ * */ #include <binder/IServiceManager.h> #include <fuzzbinder/random_binder.h> #include <fuzzer/FuzzedDataProvider.h> #include "audio_hal_interface/hearing_aid_software_encoding.h" #include "osi/include/properties.h" using namespace android; [[clang::no_destroy]] static std::once_flag gSmOnce; constexpr int32_t kRandomStringLength = 256; constexpr int32_t kPropertyValueMax = 92; constexpr int32_t kMaxBytes = 1000; extern "C" { struct android_namespace_t* android_get_exported_namespace(const char*) {
@@ -30,18 +37,47 @@ struct android_namespace_t* android_get_exported_namespace(const char*) { static void source_init_delayed(void) {} bool hearingAidOnResumeReq(bool /*start_media_task*/) { return true; } bool hearingAidOnSuspendReq() { return true; } auto streamCb = bluetooth::audio::hearing_aid::StreamCallbacks{ .on_resume_ = hearingAidOnResumeReq, .on_suspend_ = hearingAidOnSuspendReq, }; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider fdp(data, size); osi_property_set("persist.bluetooth.a2dp_offload.disabled", fdp.PickValueInArray({"true", "false"})); const std::string property = "persist.bluetooth.a2dp_offload.disabled"; char received[kPropertyValueMax]; osi_property_get(property.c_str(), received, NULL); osi_property_set(property.c_str(), fdp.PickValueInArray({"true", "false"})); std::call_once(gSmOnce, [&] { auto sm = defaultServiceManager(); auto binder = getRandomBinder(&fdp); sm->addService(String16("android.hardware.bluetooth.audio." "IBluetoothAudioProviderFactory.ProviderInfo"), binder); if (fdp.ConsumeBool()) { uint16_t delay = fdp.ConsumeIntegral<uint16_t>(); bluetooth::audio::hearing_aid::set_remote_delay(delay); } std::string name = fdp.ConsumeRandomLengthString(kRandomStringLength); bluetooth::common::MessageLoopThread messageLoopThread(name); messageLoopThread.StartUp(); messageLoopThread.DoInThread(FROM_HERE, base::BindOnce(&source_init_delayed)); bluetooth::audio::hearing_aid::init(streamCb, &messageLoopThread); }); uint16_t delay = fdp.ConsumeIntegral<uint16_t>(); bluetooth::audio::hearing_aid::set_remote_delay(delay); bluetooth::audio::hearing_aid::start_session(); std::vector<uint8_t> buffer = fdp.ConsumeBytes<uint8_t>(kMaxBytes); bluetooth::audio::hearing_aid::read(buffer.data(), buffer.size()); bluetooth::audio::hearing_aid::end_session(); osi_property_set(property.c_str(), received); messageLoopThread.ShutDown(); return 0; }
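Review bot: In `LLVMFuzzerTestOneInput`, `received` is declared without an initializer and the return value of `osi_property_get(property.c_str(), received, NULL)` is ignored, so if the getter leaves the buffer untouched when the property is unset and no default is given (its implementation is not shown here), the closing `osi_property_set(property.c_str(), received)` reads indeterminate bytes and the harness reports findings in its own code or behaves differently from run to run. Zero-initialise the buffer, `char received[kPropertyValueMax] = {};`, and pass `nullptr` instead of `NULL`. Separately, the `std::call_once(gSmOnce, ...)` block builds the registered service from the first input's provider via `getRandomBinder(&fdp)`, so process-wide state depends on whichever input ran first and a crash may not reproduce from its own test case; a comment on `gSmOnce` such as `// One-time setup consumes bytes from the first input only; later inputs reuse that binder.` would make this explicit. The rendered page has lost its +/- markers, so the exact extent of the lambda on the new side is inferred.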
system/audio_hal_interface/fuzzer/Android.bp +6 −0
@@ -152,6 +152,12 @@ cc_fuzz { srcs: [ "libbt_audio_hal_hearing_aid_software_encoding_fuzzer.cpp", ], static_libs: [ "libbinder_random_parcel", ], shared_libs: [ "libbinder", ], } cc_fuzz {
system/audio_hal_interface/fuzzer/libbt_audio_hal_hearing_aid_software_encoding_fuzzer.cpp +45 −9
@@ -15,12 +15,19 @@ * */ #include <binder/IServiceManager.h> #include <fuzzbinder/random_binder.h> #include <fuzzer/FuzzedDataProvider.h> #include "audio_hal_interface/hearing_aid_software_encoding.h" #include "osi/include/properties.h" using namespace android; [[clang::no_destroy]] static std::once_flag gSmOnce; constexpr int32_t kRandomStringLength = 256; constexpr int32_t kPropertyValueMax = 92; constexpr int32_t kMaxBytes = 1000; extern "C" { struct android_namespace_t* android_get_exported_namespace(const char*) {
@@ -30,18 +37,47 @@ struct android_namespace_t* android_get_exported_namespace(const char*) { static void source_init_delayed(void) {} bool hearingAidOnResumeReq(bool /*start_media_task*/) { return true; } bool hearingAidOnSuspendReq() { return true; } auto streamCb = bluetooth::audio::hearing_aid::StreamCallbacks{ .on_resume_ = hearingAidOnResumeReq, .on_suspend_ = hearingAidOnSuspendReq, }; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { FuzzedDataProvider fdp(data, size); osi_property_set("persist.bluetooth.a2dp_offload.disabled", fdp.PickValueInArray({"true", "false"})); const std::string property = "persist.bluetooth.a2dp_offload.disabled"; char received[kPropertyValueMax]; osi_property_get(property.c_str(), received, NULL); osi_property_set(property.c_str(), fdp.PickValueInArray({"true", "false"})); std::call_once(gSmOnce, [&] { auto sm = defaultServiceManager(); auto binder = getRandomBinder(&fdp); sm->addService(String16("android.hardware.bluetooth.audio." "IBluetoothAudioProviderFactory.ProviderInfo"), binder); if (fdp.ConsumeBool()) { uint16_t delay = fdp.ConsumeIntegral<uint16_t>(); bluetooth::audio::hearing_aid::set_remote_delay(delay); } std::string name = fdp.ConsumeRandomLengthString(kRandomStringLength); bluetooth::common::MessageLoopThread messageLoopThread(name); messageLoopThread.StartUp(); messageLoopThread.DoInThread(FROM_HERE, base::BindOnce(&source_init_delayed)); bluetooth::audio::hearing_aid::init(streamCb, &messageLoopThread); }); uint16_t delay = fdp.ConsumeIntegral<uint16_t>(); bluetooth::audio::hearing_aid::set_remote_delay(delay); bluetooth::audio::hearing_aid::start_session(); std::vector<uint8_t> buffer = fdp.ConsumeBytes<uint8_t>(kMaxBytes); bluetooth::audio::hearing_aid::read(buffer.data(), buffer.size()); bluetooth::audio::hearing_aid::end_session(); osi_property_set(property.c_str(), received); messageLoopThread.ShutDown(); return 0; }