commit d527765f2f23b5b931ea74e8009dce3d938c6235
author Devendra Singhi <devendra.singhi@ittiam.com> Mon May 23 12:15:35 2022 +0530
committer Ayushi Khopkar <akhopkar@google.com> Mon May 23 07:23:07 2022 +0000
tree 08d284e77d856a93fcf17395f8148e9c2c4fd102
parent 9cdf185fe6e691977aa7d10909d91bf0db8fe1f2

camera_service_fuzzer: Bug Fix

Resolved Null Pointer Dereference

Test: ./camera_service_fuzzer clusterfuzz-testcase-minimized-camera_service_fuzzer-5154728196833280
Bug: 232984975

Change-Id: Ie5a0bc1bd2cd3ffae95cc6b07b03439809350a07

services/camera/libcameraservice/libcameraservice_fuzzer/camera_service_fuzzer.cpp

diff --git a/services/camera/libcameraservice/libcameraservice_fuzzer/camera_service_fuzzer.cpp b/services/camera/libcameraservice/libcameraservice_fuzzer/camera_service_fuzzer.cpp
index 7a61f38..71c26ea 100644
--- a/services/camera/libcameraservice/libcameraservice_fuzzer/camera_service_fuzzer.cpp
+++ b/services/camera/libcameraservice/libcameraservice_fuzzer/camera_service_fuzzer.cpp
@@ -392,14 +392,16 @@
                 String8("Test Surface"), previewWidth, previewHeight,
                 CameraParameters::previewFormatToEnum(params.getPreviewFormat()), layerMetaData);
 
-        if (surfaceControl.get() != nullptr) {
+        if (surfaceControl.get()) {
             SurfaceComposerClient::Transaction{}
                     .setLayer(surfaceControl, 0x7fffffff)
                     .show(surfaceControl)
                     .apply();
 
             previewSurface = surfaceControl->getSurface();
-            cameraDevice->setPreviewTarget(previewSurface->getIGraphicBufferProducer());
+            if (previewSurface.get()) {
+                cameraDevice->setPreviewTarget(previewSurface->getIGraphicBufferProducer());
+            }
         }
         cameraDevice->setPreviewCallbackFlag(CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER);
 
@@ -442,7 +444,20 @@
             waitForPreviewStart();
             cameraDevice->setVideoBufferMode(
                     android::hardware::BnCamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE);
-            cameraDevice->setVideoTarget(previewSurface->getIGraphicBufferProducer());
+            sp<SurfaceControl> surfaceControlVideo = mComposerClient->createSurface(
+                    String8("Test Surface Video"), previewWidth, previewHeight,
+                    CameraParameters::previewFormatToEnum(params.getPreviewFormat()),
+                    layerMetaData);
+            if (surfaceControlVideo.get()) {
+                SurfaceComposerClient::Transaction{}
+                        .setLayer(surfaceControlVideo, 0x7fffffff)
+                        .show(surfaceControlVideo)
+                        .apply();
+                sp<Surface> previewSurfaceVideo = surfaceControlVideo->getSurface();
+                if (previewSurfaceVideo.get()) {
+                    cameraDevice->setVideoTarget(previewSurfaceVideo->getIGraphicBufferProducer());
+                }
+            }
             cameraDevice->stopPreview();
             cameraDevice->startRecording();
             waitForEvent(mRecordingLock, mRecordingCondition, mRecordingNotification);