Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_av / ada78eb726dd3efb27860d84c3efcb569f2f9d13 / . / camera / tests / fuzzer / camera_fuzzer.cpp
blob: c2a7549871dd0cfe0b8c5ce52a1873c9f120ba2c [file] [log] [blame]
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]1/*
2 * Copyright (C) 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <Camera.h>
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]18#include <CameraParameters.h>
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]19#include <binder/MemoryDealer.h>
20#include <fuzzer/FuzzedDataProvider.h>
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]21#include <gui/Surface.h>
22#include <gui/SurfaceComposerClient.h>
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]23#include "camera2common.h"
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]24
25using namespace std;
26using namespace android;
27using namespace android::hardware;
28
29constexpr int32_t kFrameRateMin = 1;
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]30constexpr int32_t kFrameRateMax = 1000;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]31constexpr int32_t kNumMin = 0;
32constexpr int32_t kNumMax = 1024;
33constexpr int32_t kMemoryDealerSize = 1000;
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]34constexpr int8_t kMinElements = 1;
35constexpr int8_t kMaxElements = 10;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]36
37constexpr int32_t kValidCMD[] = {CAMERA_CMD_START_SMOOTH_ZOOM,
38 CAMERA_CMD_STOP_SMOOTH_ZOOM,
39 CAMERA_CMD_SET_DISPLAY_ORIENTATION,
40 CAMERA_CMD_ENABLE_SHUTTER_SOUND,
41 CAMERA_CMD_PLAY_RECORDING_SOUND,
42 CAMERA_CMD_START_FACE_DETECTION,
43 CAMERA_CMD_STOP_FACE_DETECTION,
44 CAMERA_CMD_ENABLE_FOCUS_MOVE_MSG,
45 CAMERA_CMD_PING,
46 CAMERA_CMD_SET_VIDEO_BUFFER_COUNT,
47 CAMERA_CMD_SET_VIDEO_FORMAT};
48
49constexpr int32_t kValidVideoBufferMode[] = {ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_YUV,
50 ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_METADATA,
51 ICamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE};
52
53constexpr int32_t kValidPreviewCallbackFlag[] = {
54 CAMERA_FRAME_CALLBACK_FLAG_ENABLE_MASK, CAMERA_FRAME_CALLBACK_FLAG_ONE_SHOT_MASK,
55 CAMERA_FRAME_CALLBACK_FLAG_COPY_OUT_MASK, CAMERA_FRAME_CALLBACK_FLAG_NOOP,
56 CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER, CAMERA_FRAME_CALLBACK_FLAG_CAMERA,
57 CAMERA_FRAME_CALLBACK_FLAG_BARCODE_SCANNER};
58
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]59class TestCameraListener : public CameraListener {
60 public:
61 virtual ~TestCameraListener() = default;
62
63 void notify(int32_t /*msgType*/, int32_t /*ext1*/, int32_t /*ext2*/) override { return; };
64 void postData(int32_t /*msgType*/, const sp<IMemory>& /*dataPtr*/,
65 camera_frame_metadata_t* /*metadata*/) override {
66 return;
67 };
68 void postDataTimestamp(nsecs_t /*timestamp*/, int32_t /*msgType*/,
69 const sp<IMemory>& /*dataPtr*/) override {
70 return;
71 };
72 void postRecordingFrameHandleTimestamp(nsecs_t /*timestamp*/,
73 native_handle_t* /*handle*/) override {
74 return;
75 };
76 void postRecordingFrameHandleTimestampBatch(
77 const std::vector<nsecs_t>& /*timestamps*/,
78 const std::vector<native_handle_t*>& /*handles*/) override {
79 return;
80 };
81};
82
83class CameraFuzzer : public ::android::hardware::BnCameraClient {
84 public:
85 void process(const uint8_t* data, size_t size);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]86
87 private:
88 bool initCamera();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]89 void invokeCamera();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]90 void invokeSetParameters();
91 sp<Camera> mCamera = nullptr;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]92 FuzzedDataProvider* mFDP = nullptr;
93
94 // CameraClient interface
95 void notifyCallback(int32_t, int32_t, int32_t) override { return; };
96 void dataCallback(int32_t, const sp<IMemory>&, camera_frame_metadata_t*) override { return; };
97 void dataCallbackTimestamp(nsecs_t, int32_t, const sp<IMemory>&) override { return; };
98 void recordingFrameHandleCallbackTimestamp(nsecs_t, native_handle_t*) override { return; };
99 void recordingFrameHandleCallbackTimestampBatch(const std::vector<nsecs_t>&,
100 const std::vector<native_handle_t*>&) override {
101 return;
102 };
103};
104
105bool CameraFuzzer::initCamera() {
106 ProcessState::self()->startThreadPool();
107 sp<IServiceManager> sm = defaultServiceManager();
108 sp<IBinder> binder = sm->getService(String16("media.camera"));
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]109 sp<ICameraService> cameraService = nullptr;
110 cameraService = interface_cast<ICameraService>(binder);
111 sp<ICamera> cameraDevice = nullptr;
112 if (mFDP->ConsumeBool()) {
113 cameraService->connect(this, mFDP->ConsumeIntegral<int32_t>() /* cameraId */, "CAMERAFUZZ",
114 hardware::ICameraService::USE_CALLING_UID,
115 hardware::ICameraService::USE_CALLING_PID,
116 /*targetSdkVersion*/ __ANDROID_API_FUTURE__,
117 /*overrideToPortrait*/ false, /*forceSlowJpegMode*/ false,
118 &cameraDevice);
119 } else {
120 cameraService->connect(this, mFDP->ConsumeIntegral<int32_t>() /* cameraId */,
121 mFDP->ConsumeRandomLengthString(kMaxBytes).c_str(),
122 mFDP->ConsumeIntegral<int8_t>() /* clientUid */,
123 mFDP->ConsumeIntegral<int8_t>() /* clientPid */,
124 /*targetSdkVersion*/ mFDP->ConsumeIntegral<int32_t>(),
125 /*overrideToPortrait*/ mFDP->ConsumeBool(),
126 /*forceSlowJpegMode*/ mFDP->ConsumeBool(), &cameraDevice);
127 }
128
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]129 mCamera = Camera::create(cameraDevice);
130 if (!mCamera) {
131 return false;
132 }
133 return true;
134}
135
136void CameraFuzzer::invokeSetParameters() {
137 String8 s = mCamera->getParameters();
138 CameraParameters params(s);
139 int32_t width = mFDP->ConsumeIntegral<int32_t>();
140 int32_t height = mFDP->ConsumeIntegral<int32_t>();
141 params.setVideoSize(width, height);
142 int32_t frameRate = mFDP->ConsumeIntegralInRange<int32_t>(kFrameRateMin, kFrameRateMax);
143 params.setPreviewFrameRate(frameRate);
144 mCamera->setParameters(params.flatten());
145}
146
147void CameraFuzzer::invokeCamera() {
148 if (!initCamera()) {
149 return;
150 }
151
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]152 int32_t cameraId = mFDP->ConsumeIntegral<int32_t>();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]153 Camera::getNumberOfCameras();
154 CameraInfo cameraInfo;
155 cameraInfo.facing = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidFacing)
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]156 : mFDP->ConsumeIntegral<int32_t>();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]157 cameraInfo.orientation = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidOrientation)
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]158 : mFDP->ConsumeIntegral<int32_t>();
Austin Borger18b30a72022-10-27 12:20:29 -0700[diff] [blame]159 Camera::getCameraInfo(cameraId, /*overrideToPortrait*/false, &cameraInfo);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]160 mCamera->reconnect();
161
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]162 sp<SurfaceComposerClient> composerClient = new SurfaceComposerClient;
163 sp<SurfaceControl> surfaceControl = nullptr;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]164 if (mFDP->ConsumeBool()) {
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]165 surfaceControl = composerClient->createSurface(String8("FUZZSURFACE"), 1280, 800,
166 HAL_PIXEL_FORMAT_YV12);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]167 } else {
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]168 surfaceControl = composerClient->createSurface(
169 static_cast<String8>(mFDP->ConsumeRandomLengthString(kMaxBytes).c_str()) /* name */,
170 mFDP->ConsumeIntegral<uint32_t>() /* width */,
171 mFDP->ConsumeIntegral<uint32_t>() /* height */,
172 mFDP->ConsumeIntegral<int32_t>() /* format */,
173 mFDP->ConsumeIntegral<int32_t>() /* flags */);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]174 }
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]175
176 if (mFDP->ConsumeBool()) {
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]177 invokeSetParameters();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]178 }
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]179 sp<Surface> surface = nullptr;
180 if (surfaceControl) {
181 surface = surfaceControl->getSurface();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]182 }
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]183 sp<MemoryDealer> memoryDealer = nullptr;
184 sp<IMemory> iMem = nullptr;
185 sp<CameraListener> cameraListener = nullptr;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]186
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]187 while (mFDP->remaining_bytes()) {
188 auto callCameraAPIs = mFDP->PickValueInArray<const std::function<void()>>({
189 [&]() {
190 if (surfaceControl) {
191 mCamera->setPreviewTarget(surface->getIGraphicBufferProducer());
192 }
193 },
194 [&]() {
195 if (surfaceControl) {
196 mCamera->startPreview();
197 }
198 },
199 [&]() {
200 if (surfaceControl) {
201 mCamera->stopPreview();
202 }
203 },
204 [&]() {
205 if (surfaceControl) {
206 mCamera->stopPreview();
207 }
208 },
209 [&]() {
210 if (surfaceControl) {
211 mCamera->previewEnabled();
212 }
213 },
214 [&]() {
215 if (surfaceControl) {
216 mCamera->startRecording();
217 }
218 },
219 [&]() {
220 if (surfaceControl) {
221 mCamera->stopRecording();
222 }
223 },
224 [&]() { mCamera->lock(); },
225 [&]() { mCamera->unlock(); },
226 [&]() { mCamera->autoFocus(); },
227 [&]() { mCamera->cancelAutoFocus(); },
228 [&]() {
229 int32_t msgType = mFDP->ConsumeIntegral<int32_t>();
230 mCamera->takePicture(msgType);
231 },
232 [&]() {
233 int32_t cmd;
234 cmd = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidCMD)
235 : mFDP->ConsumeIntegral<int32_t>();
236 int32_t arg1 = mFDP->ConsumeIntegral<int32_t>();
237 int32_t arg2 = mFDP->ConsumeIntegral<int32_t>();
238 mCamera->sendCommand(cmd, arg1, arg2);
239 },
240 [&]() {
241 int32_t videoBufferMode =
242 mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidVideoBufferMode)
243 : mFDP->ConsumeIntegral<int32_t>();
244 mCamera->setVideoBufferMode(videoBufferMode);
245 },
246 [&]() {
247 if (surfaceControl) {
248 mCamera->setVideoTarget(surface->getIGraphicBufferProducer());
249 }
250 },
251 [&]() {
252 cameraListener = sp<TestCameraListener>::make();
253 mCamera->setListener(cameraListener);
254 },
255 [&]() {
256 int32_t previewCallbackFlag;
257 previewCallbackFlag =
258 mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidPreviewCallbackFlag)
259 : mFDP->ConsumeIntegral<int32_t>();
260 mCamera->setPreviewCallbackFlags(previewCallbackFlag);
261 },
262 [&]() {
263 if (surfaceControl) {
264 mCamera->setPreviewCallbackTarget(surface->getIGraphicBufferProducer());
265 }
266 },
267 [&]() { mCamera->getRecordingProxy(); },
268 [&]() {
269 int32_t mode = mFDP->ConsumeIntegral<int32_t>();
270 mCamera->setAudioRestriction(mode);
271 },
272 [&]() { mCamera->getGlobalAudioRestriction(); },
273 [&]() { mCamera->recordingEnabled(); },
274 [&]() {
275 memoryDealer = new MemoryDealer(kMemoryDealerSize);
276 iMem = memoryDealer->allocate(kMemoryDealerSize);
277 },
278 [&]() {
279 int32_t msgTypeNC = mFDP->ConsumeIntegral<int32_t>();
280 int32_t ext = mFDP->ConsumeIntegral<int32_t>();
281 int32_t ext2 = mFDP->ConsumeIntegral<int32_t>();
282 mCamera->notifyCallback(msgTypeNC, ext, ext2);
283 },
284 [&]() {
285 int32_t msgTypeNC = mFDP->ConsumeIntegral<int32_t>();
286 int64_t timestamp = mFDP->ConsumeIntegral<int64_t>();
287 mCamera->dataCallbackTimestamp(timestamp, msgTypeNC, iMem);
288 },
289 [&]() {
290 int64_t timestamp = mFDP->ConsumeIntegral<int64_t>();
291 int32_t numFds = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
292 int32_t numInts = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
293 native_handle_t* handle = native_handle_create(numFds, numInts);
294 mCamera->recordingFrameHandleCallbackTimestamp(timestamp, handle);
295 },
296 [&]() {
297 int32_t numFds = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
298 int32_t numInts = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
299 native_handle_t* handle = native_handle_create(numFds, numInts);
300 mCamera->releaseRecordingFrameHandle(handle);
301 },
302 [&]() { mCamera->releaseRecordingFrame(iMem); },
303 [&]() {
304 std::vector<native_handle_t*> handles;
305 for (int8_t i = 0;
306 i < mFDP->ConsumeIntegralInRange<int8_t>(kMinElements, kMaxElements);
307 ++i) {
308 int32_t numFds = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
309 int32_t numInts = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
310 native_handle_t* handle = native_handle_create(numFds, numInts);
311 handles.push_back(handle);
312 }
313 mCamera->releaseRecordingFrameHandleBatch(handles);
314 },
315 [&]() {
316 std::vector<native_handle_t*> handles;
317 for (int8_t i = 0;
318 i < mFDP->ConsumeIntegralInRange<int8_t>(kMinElements, kMaxElements);
319 ++i) {
320 int32_t numFds = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
321 int32_t numInts = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
322 native_handle_t* handle = native_handle_create(numFds, numInts);
323 handles.push_back(handle);
324 }
325 std::vector<nsecs_t> timestamps;
326 for (int8_t i = 0;
327 i < mFDP->ConsumeIntegralInRange<int8_t>(kMinElements, kMaxElements);
328 ++i) {
329 timestamps.push_back(mFDP->ConsumeIntegral<int64_t>());
330 }
331 mCamera->recordingFrameHandleCallbackTimestampBatch(timestamps, handles);
332 },
333 });
334 callCameraAPIs();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]335 }
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]336}
337
338void CameraFuzzer::process(const uint8_t* data, size_t size) {
339 mFDP = new FuzzedDataProvider(data, size);
340 invokeCamera();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]341 delete mFDP;
342}
343
344extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
345 sp<CameraFuzzer> cameraFuzzer = new CameraFuzzer();
346 cameraFuzzer->process(data, size);
347 cameraFuzzer.clear();
348 return 0;
349}