Loading system/build/Android.bp +22 −5 Original line number Diff line number Diff line Loading @@ -29,9 +29,10 @@ fluoride_defaults { }, } // Fuzzable defaults are the subset of defaults that are used in fuzzing, which // requires no shared libraries, and no explicit sanitization. fluoride_defaults { name: "fluoride_types_defaults", defaults: ["libchrome_support_defaults"], name: "fluoride_types_defaults_fuzzable", cflags: [ "-DEXPORT_SYMBOL=__attribute__((visibility(\"default\")))", "-fvisibility=hidden", Loading @@ -54,15 +55,22 @@ fluoride_defaults { } fluoride_defaults { name: "fluoride_defaults", name: "fluoride_types_defaults", defaults: [ "fluoride_types_defaults_fuzzable", "libchrome_support_defaults" ], } fluoride_defaults { name: "fluoride_defaults_fuzzable", target: { android: { test_config_template: ":BluetoothTestConfigTemplate", }, }, defaults: ["fluoride_types_defaults"], defaults: ["fluoride_types_defaults_fuzzable"], header_libs: ["libbluetooth_headers"], shared_libs: ["libstatslog"], static_libs: [ "libbluetooth-types", "libbt-platform-protos-lite", Loading @@ -73,6 +81,15 @@ fluoride_defaults { }, } fluoride_defaults { name: "fluoride_defaults", defaults: ["fluoride_defaults_fuzzable", "fluoride_types_defaults"], shared_libs: ["libstatslog"], sanitize: { misc_undefined: ["bounds"], }, } // Enables code coverage for a set of source files. Must be combined with // "clang_coverage_bin" in order to work. See //test/gen_coverage.py for more information // on generating code coverage. Loading system/profile/avrcp/Android.bp +32 −0 Original line number Diff line number Diff line Loading @@ -62,3 +62,35 @@ cc_test { cflags: ["-DBUILDCFG"], } cc_fuzz { name: "avrcp_device_fuzz", host_supported: true, defaults: [ "fluoride_defaults_fuzzable", ], srcs: [ "tests/avrcp_device_fuzz/avrcp_device_fuzz.cc", ], include_dirs: [ "packages/modules/Bluetooth/system", "packages/modules/Bluetooth/system/packet/tests", "packages/modules/Bluetooth/system/btcore/include", "packages/modules/Bluetooth/system/internal_include", "packages/modules/Bluetooth/system/stack/include", ], static_libs: [ "avrcp-target-service", "lib-bt-packets", "libbase", "libchrome", "libcutils", "libevent", "liblog", "libstatslog", ], header_libs: ["libbluetooth_headers"], corpus: [ "tests/avrcp_device_fuzz/corpus/*", ], } system/profile/avrcp/tests/avrcp_device_fuzz/avrcp_device_fuzz.cc 0 → 100644 +86 −0 Original line number Diff line number Diff line #include <cstddef> #include <cstdint> #include "avrcp_packet.h" #include "device.h" #include "packet_test_helper.h" #include "stack_config.h" namespace bluetooth { namespace avrcp { class FakeMediaInterface : public MediaInterface { public: virtual void SendKeyEvent(uint8_t key, KeyState state) {} using SongInfoCallback = base::Callback<void(SongInfo)>; virtual void GetSongInfo(SongInfoCallback info_cb) {} using PlayStatusCallback = base::Callback<void(PlayStatus)>; virtual void GetPlayStatus(PlayStatusCallback status_cb) {} using NowPlayingCallback = base::Callback<void(std::string, std::vector<SongInfo>)>; virtual void GetNowPlayingList(NowPlayingCallback now_playing_cb) {} using MediaListCallback = base::Callback<void(uint16_t curr_player, std::vector<MediaPlayerInfo>)>; virtual void GetMediaPlayerList(MediaListCallback list_cb) {} using FolderItemsCallback = base::Callback<void(std::vector<ListItem>)>; virtual void GetFolderItems(uint16_t player_id, std::string media_id, FolderItemsCallback folder_cb) {} using SetBrowsedPlayerCallback = base::Callback<void( bool success, std::string root_id, uint32_t num_items)>; virtual void SetBrowsedPlayer(uint16_t player_id, SetBrowsedPlayerCallback browse_cb) {} virtual void PlayItem(uint16_t player_id, bool now_playing, std::string media_id) {} virtual void SetActiveDevice(const RawAddress& address) {} virtual void RegisterUpdateCallback(MediaCallbacks* callback) {} virtual void UnregisterUpdateCallback(MediaCallbacks* callback) {} }; class FakeVolumeInterface : public VolumeInterface { public: virtual void DeviceConnected(const RawAddress& bdaddr) {} virtual void DeviceConnected(const RawAddress& bdaddr, VolumeChangedCb cb) {} virtual void DeviceDisconnected(const RawAddress& bdaddr) {} virtual void SetVolume(int8_t volume) {} }; class FakeA2dpInterface : public A2dpInterface { public: virtual RawAddress active_peer() { return RawAddress(); } virtual bool is_peer_in_silence_mode(const RawAddress& peer_address) { return false; } }; bool get_pts_avrcp_test(void) { return false; } const stack_config_t interface = { nullptr, get_pts_avrcp_test, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}; void Callback(uint8_t, bool, std::unique_ptr<::bluetooth::PacketBuilder>) {} extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) { FakeMediaInterface fmi; FakeVolumeInterface fvi; FakeA2dpInterface fai; std::vector<uint8_t> Packet(Data, Data + Size); Device device(RawAddress::kAny, true, base::Bind([](uint8_t, bool, std::unique_ptr<::bluetooth::PacketBuilder>) {}), 0xFFFF, 0xFFFF); device.RegisterInterfaces(&fmi, &fai, &fvi); auto browse_request = TestPacketType<BrowsePacket>::Make(Packet); device.BrowseMessageReceived(1, browse_request); auto avrcp_request = TestPacketType<avrcp::Packet>::Make(Packet); device.MessageReceived(1, avrcp_request); return 0; } } // namespace avrcp } // namespace bluetooth const stack_config_t* stack_config_get_interface(void) { return &bluetooth::avrcp::interface; } No newline at end of file system/profile/avrcp/tests/avrcp_device_fuzz/corpus/change_path_error_response 0 → 100644 +4 B File added.No diff preview for this file type. View file system/profile/avrcp/tests/avrcp_device_fuzz/corpus/change_path_request 0 → 100644 +14 B File added.No diff preview for this file type. View file Loading
system/build/Android.bp +22 −5 Original line number Diff line number Diff line Loading @@ -29,9 +29,10 @@ fluoride_defaults { }, } // Fuzzable defaults are the subset of defaults that are used in fuzzing, which // requires no shared libraries, and no explicit sanitization. fluoride_defaults { name: "fluoride_types_defaults", defaults: ["libchrome_support_defaults"], name: "fluoride_types_defaults_fuzzable", cflags: [ "-DEXPORT_SYMBOL=__attribute__((visibility(\"default\")))", "-fvisibility=hidden", Loading @@ -54,15 +55,22 @@ fluoride_defaults { } fluoride_defaults { name: "fluoride_defaults", name: "fluoride_types_defaults", defaults: [ "fluoride_types_defaults_fuzzable", "libchrome_support_defaults" ], } fluoride_defaults { name: "fluoride_defaults_fuzzable", target: { android: { test_config_template: ":BluetoothTestConfigTemplate", }, }, defaults: ["fluoride_types_defaults"], defaults: ["fluoride_types_defaults_fuzzable"], header_libs: ["libbluetooth_headers"], shared_libs: ["libstatslog"], static_libs: [ "libbluetooth-types", "libbt-platform-protos-lite", Loading @@ -73,6 +81,15 @@ fluoride_defaults { }, } fluoride_defaults { name: "fluoride_defaults", defaults: ["fluoride_defaults_fuzzable", "fluoride_types_defaults"], shared_libs: ["libstatslog"], sanitize: { misc_undefined: ["bounds"], }, } // Enables code coverage for a set of source files. Must be combined with // "clang_coverage_bin" in order to work. See //test/gen_coverage.py for more information // on generating code coverage. Loading
system/profile/avrcp/Android.bp +32 −0 Original line number Diff line number Diff line Loading @@ -62,3 +62,35 @@ cc_test { cflags: ["-DBUILDCFG"], } cc_fuzz { name: "avrcp_device_fuzz", host_supported: true, defaults: [ "fluoride_defaults_fuzzable", ], srcs: [ "tests/avrcp_device_fuzz/avrcp_device_fuzz.cc", ], include_dirs: [ "packages/modules/Bluetooth/system", "packages/modules/Bluetooth/system/packet/tests", "packages/modules/Bluetooth/system/btcore/include", "packages/modules/Bluetooth/system/internal_include", "packages/modules/Bluetooth/system/stack/include", ], static_libs: [ "avrcp-target-service", "lib-bt-packets", "libbase", "libchrome", "libcutils", "libevent", "liblog", "libstatslog", ], header_libs: ["libbluetooth_headers"], corpus: [ "tests/avrcp_device_fuzz/corpus/*", ], }
system/profile/avrcp/tests/avrcp_device_fuzz/avrcp_device_fuzz.cc 0 → 100644 +86 −0 Original line number Diff line number Diff line #include <cstddef> #include <cstdint> #include "avrcp_packet.h" #include "device.h" #include "packet_test_helper.h" #include "stack_config.h" namespace bluetooth { namespace avrcp { class FakeMediaInterface : public MediaInterface { public: virtual void SendKeyEvent(uint8_t key, KeyState state) {} using SongInfoCallback = base::Callback<void(SongInfo)>; virtual void GetSongInfo(SongInfoCallback info_cb) {} using PlayStatusCallback = base::Callback<void(PlayStatus)>; virtual void GetPlayStatus(PlayStatusCallback status_cb) {} using NowPlayingCallback = base::Callback<void(std::string, std::vector<SongInfo>)>; virtual void GetNowPlayingList(NowPlayingCallback now_playing_cb) {} using MediaListCallback = base::Callback<void(uint16_t curr_player, std::vector<MediaPlayerInfo>)>; virtual void GetMediaPlayerList(MediaListCallback list_cb) {} using FolderItemsCallback = base::Callback<void(std::vector<ListItem>)>; virtual void GetFolderItems(uint16_t player_id, std::string media_id, FolderItemsCallback folder_cb) {} using SetBrowsedPlayerCallback = base::Callback<void( bool success, std::string root_id, uint32_t num_items)>; virtual void SetBrowsedPlayer(uint16_t player_id, SetBrowsedPlayerCallback browse_cb) {} virtual void PlayItem(uint16_t player_id, bool now_playing, std::string media_id) {} virtual void SetActiveDevice(const RawAddress& address) {} virtual void RegisterUpdateCallback(MediaCallbacks* callback) {} virtual void UnregisterUpdateCallback(MediaCallbacks* callback) {} }; class FakeVolumeInterface : public VolumeInterface { public: virtual void DeviceConnected(const RawAddress& bdaddr) {} virtual void DeviceConnected(const RawAddress& bdaddr, VolumeChangedCb cb) {} virtual void DeviceDisconnected(const RawAddress& bdaddr) {} virtual void SetVolume(int8_t volume) {} }; class FakeA2dpInterface : public A2dpInterface { public: virtual RawAddress active_peer() { return RawAddress(); } virtual bool is_peer_in_silence_mode(const RawAddress& peer_address) { return false; } }; bool get_pts_avrcp_test(void) { return false; } const stack_config_t interface = { nullptr, get_pts_avrcp_test, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr}; void Callback(uint8_t, bool, std::unique_ptr<::bluetooth::PacketBuilder>) {} extern "C" int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size) { FakeMediaInterface fmi; FakeVolumeInterface fvi; FakeA2dpInterface fai; std::vector<uint8_t> Packet(Data, Data + Size); Device device(RawAddress::kAny, true, base::Bind([](uint8_t, bool, std::unique_ptr<::bluetooth::PacketBuilder>) {}), 0xFFFF, 0xFFFF); device.RegisterInterfaces(&fmi, &fai, &fvi); auto browse_request = TestPacketType<BrowsePacket>::Make(Packet); device.BrowseMessageReceived(1, browse_request); auto avrcp_request = TestPacketType<avrcp::Packet>::Make(Packet); device.MessageReceived(1, avrcp_request); return 0; } } // namespace avrcp } // namespace bluetooth const stack_config_t* stack_config_get_interface(void) { return &bluetooth::avrcp::interface; } No newline at end of file
system/profile/avrcp/tests/avrcp_device_fuzz/corpus/change_path_error_response 0 → 100644 +4 B File added.No diff preview for this file type. View file
system/profile/avrcp/tests/avrcp_device_fuzz/corpus/change_path_request 0 → 100644 +14 B File added.No diff preview for this file type. View file
