/src/adhd/cras/fuzz/rclient_message.cc

Source (jump to first uncovered line)
/* Copyright 2017 The ChromiumOS Authors
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */

#include <fuzzer/FuzzedDataProvider.h>
#include <stddef.h>
#include <stdint.h>

#include "cras/common/check.h"
#include "cras/src/server/cras_bt_log.h"
#include "cras/src/server/cras_dsp.h"
#include "cras/src/server/cras_iodev_list.h"
#include "cras/src/server/cras_mix.h"
#include "cras/src/server/cras_observer.h"
#include "cras/src/server/cras_rclient.h"
#include "cras/src/server/cras_stream_apm.h"
#include "cras/src/server/cras_system_state.h"
#include "cras_shm.h"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  cras_rclient* client = cras_rclient_create(0, 0, CRAS_CONTROL);
  if (size < 300) {
    // Feeds input data directly if the given bytes is too short.
    cras_rclient_buffer_from_client(client, data, size, NULL, 0);
  } else {
    FuzzedDataProvider data_provider(data, size);
    int fds[1] = {0};
    int num_fds = data_provider.ConsumeIntegralInRange(0, 1);
    std::vector<uint8_t> msg = data_provider.ConsumeRemainingBytes<uint8_t>();
    cras_rclient_buffer_from_client(client, msg.data(), msg.size(), fds,
                                    num_fds);
  }
  cras_rclient_destroy(client);

  return 0;
}

extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
  char* shm_name;
  if (asprintf(&shm_name, "/cras-%d", getpid()) < 0) {
    exit(-ENOMEM);
  }
  struct cras_server_state* exp_state =
      (struct cras_server_state*)calloc(1, sizeof(*exp_state));
  if (!exp_state) {
    exit(-1);
  }
  int rw_shm_fd = open("/dev/null", O_RDWR);
  int ro_shm_fd = open("/dev/null", O_RDONLY);
  cras_system_state_init("/tmp", shm_name, rw_shm_fd, ro_shm_fd, exp_state,
                         sizeof(*exp_state));
  free(shm_name);

  cras_observer_server_init();
  cras_mix_init();
  cras_stream_apm_init("/etc/cras");
  cras_iodev_list_init();
  /* For cros fuzz, emerge adhd with USE=fuzzer will copy dsp.ini.sample to
   * etc/cras. For OSS-Fuzz the Dockerfile will be responsible for copying the
   * file. This shouldn't crash CRAS even if the dsp file does not exist. */
  cras_dsp_init("/etc/cras/dsp.ini.sample");
  // Initializes btlog for CRAS_SERVER_DUMP_BT path with CRAS_DBUS defined.
  btlog = cras_bt_event_log_init();
  return 0;
}

Line	Count	Source (jump to first uncovered line)
1		/* Copyright 2017 The ChromiumOS Authors
2		* Use of this source code is governed by a BSD-style license that can be
3		* found in the LICENSE file.
4		*/
5
6		#include <fuzzer/FuzzedDataProvider.h>
7		#include <stddef.h>
8		#include <stdint.h>
9
10		#include "cras/common/check.h"
11		#include "cras/src/server/cras_bt_log.h"
12		#include "cras/src/server/cras_dsp.h"
13		#include "cras/src/server/cras_iodev_list.h"
14		#include "cras/src/server/cras_mix.h"
15		#include "cras/src/server/cras_observer.h"
16		#include "cras/src/server/cras_rclient.h"
17		#include "cras/src/server/cras_stream_apm.h"
18		#include "cras/src/server/cras_system_state.h"
19		#include "cras_shm.h"
20
21	5.61k	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
22	5.61k	cras_rclient* client = cras_rclient_create(0, 0, CRAS_CONTROL);
23	5.61k	if (size < 300) {
24		// Feeds input data directly if the given bytes is too short.
25	3.61k	cras_rclient_buffer_from_client(client, data, size, NULL, 0);
26	3.61k	} else {
27	1.99k	FuzzedDataProvider data_provider(data, size);
28	1.99k	int fds[1] = {0};
29	1.99k	int num_fds = data_provider.ConsumeIntegralInRange(0, 1);
30	1.99k	std::vector<uint8_t> msg = data_provider.ConsumeRemainingBytes<uint8_t>();
31	1.99k	cras_rclient_buffer_from_client(client, msg.data(), msg.size(), fds,
32	1.99k	num_fds);
33	1.99k	}
34	5.61k	cras_rclient_destroy(client);
35
36	5.61k	return 0;
37	5.61k	}
38
39	4	extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
40	4	char* shm_name;
41	4	if (asprintf(&shm_name, "/cras-%d", getpid()) < 0) {
42	0	exit(-ENOMEM);
43	0	}
44	4	struct cras_server_state* exp_state =
45	4	(struct cras_server_state)calloc(1, sizeof(exp_state));
46	4	if (!exp_state) {
47	0	exit(-1);
48	0	}
49	4	int rw_shm_fd = open("/dev/null", O_RDWR);
50	4	int ro_shm_fd = open("/dev/null", O_RDONLY);
51	4	cras_system_state_init("/tmp", shm_name, rw_shm_fd, ro_shm_fd, exp_state,
52	4	sizeof(*exp_state));
53	4	free(shm_name);
54
55	4	cras_observer_server_init();
56	4	cras_mix_init();
57	4	cras_stream_apm_init("/etc/cras");
58	4	cras_iodev_list_init();
59		/* For cros fuzz, emerge adhd with USE=fuzzer will copy dsp.ini.sample to
60		* etc/cras. For OSS-Fuzz the Dockerfile will be responsible for copying the
61		* file. This shouldn't crash CRAS even if the dsp file does not exist. */
62	4	cras_dsp_init("/etc/cras/dsp.ini.sample");
63		// Initializes btlog for CRAS_SERVER_DUMP_BT path with CRAS_DBUS defined.
64	4	btlog = cras_bt_event_log_init();
65	4	return 0;
66	4	}

Coverage Report

Created: 2025-06-24 06:17