1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
/* Copyright 2020 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include <assert.h>
#include <fuzzer/FuzzedDataProvider.h>
#include <stddef.h>
#include <stdint.h>
extern "C" {
#include "cras_bt_device.h"
#include "cras_bt_log.h"
#include "cras_hfp_slc.h"
#include "cras_iodev_list.h"
#include "cras_mix.h"
#include "cras_observer.h"
#include "cras_shm.h"
#include "cras_system_state.h"
struct cras_bt_event_log* btlog;
}
int disconnect_cb(struct hfp_slc_handle*) {
return 0;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
FuzzedDataProvider data_provider(data, size);
bool is_hsp = data_provider.ConsumeIntegralInRange(0, 1);
int ag_supported_features = data_provider.ConsumeIntegral<int>();
std::string command = data_provider.ConsumeRemainingBytesAsString();
int fd = open("/dev/null", O_RDWR);
struct cras_bt_device* bt_dev = cras_bt_device_create(NULL, "");
struct hfp_slc_handle* handle = hfp_slc_create(
fd, is_hsp, ag_supported_features, bt_dev, NULL, &disconnect_cb);
if (!handle)
return 0;
handle_at_command_for_test(handle, command.c_str());
hfp_slc_destroy(handle);
cras_bt_device_remove(bt_dev);
return 0;
}
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
char* shm_name;
if (asprintf(&shm_name, "/cras-%d", getpid()) < 0)
exit(-ENOMEM);
struct cras_server_state* exp_state =
(struct cras_server_state*)calloc(1, sizeof(*exp_state));
if (!exp_state)
exit(-1);
int rw_shm_fd = open("/dev/null", O_RDWR);
int ro_shm_fd = open("/dev/null", O_RDONLY);
cras_system_state_init("/tmp", shm_name, rw_shm_fd, ro_shm_fd, exp_state,
sizeof(*exp_state));
free(shm_name);
cras_observer_server_init();
cras_mix_init(0);
cras_iodev_list_init();
btlog = cras_bt_event_log_init();
return 0;
}
|
