Blame - camera/tests/fuzzer/camera_fuzzer.cpp - android_frameworks_av

blob: f45500e5d68d4310855e8fb48b1118e3960e9435 [file] [log] [blame]

Aditya Wazir	d16f5df	2021-07-28 17:57:32 +0530	[diff] [blame^]	1	/*
				2	* Copyright (C) 2022 The Android Open Source Project
				3	*
				4	* Licensed under the Apache License, Version 2.0 (the "License");
				5	* you may not use this file except in compliance with the License.
				6	* You may obtain a copy of the License at
				7	*
				8	* http://www.apache.org/licenses/LICENSE-2.0
				9	*
				10	* Unless required by applicable law or agreed to in writing, software
				11	* distributed under the License is distributed on an "AS IS" BASIS,
				12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	* See the License for the specific language governing permissions and
				14	* limitations under the License.
				15	*/
				16
				17	#include <Camera.h>
				18	#include <CameraBase.h>
				19	#include <CameraMetadata.h>
				20	#include <CameraParameters.h>
				21	#include <CameraUtils.h>
				22	#include <VendorTagDescriptor.h>
				23	#include <binder/IMemory.h>
				24	#include <binder/MemoryDealer.h>
				25	#include <fuzzer/FuzzedDataProvider.h>
				26	#include <gui/IGraphicBufferProducer.h>
				27	#include <gui/Surface.h>
				28	#include <gui/SurfaceComposerClient.h>
				29	#include <utils/Log.h>
				30	#include "camera2common.h"
				31	#include <android/hardware/ICameraService.h>
				32
				33	using namespace std;
				34	using namespace android;
				35	using namespace android::hardware;
				36
				37	constexpr int32_t kFrameRateMin = 1;
				38	constexpr int32_t kFrameRateMax = 120;
				39	constexpr int32_t kCamIdMin = 0;
				40	constexpr int32_t kCamIdMax = 1;
				41	constexpr int32_t kNumMin = 0;
				42	constexpr int32_t kNumMax = 1024;
				43	constexpr int32_t kMemoryDealerSize = 1000;
				44	constexpr int32_t kRangeMin = 0;
				45	constexpr int32_t kRangeMax = 1000;
				46	constexpr int32_t kSizeMin = 0;
				47	constexpr int32_t kSizeMax = 1000;
				48
				49	constexpr int32_t kValidCMD[] = {CAMERA_CMD_START_SMOOTH_ZOOM,
				50	CAMERA_CMD_STOP_SMOOTH_ZOOM,
				51	CAMERA_CMD_SET_DISPLAY_ORIENTATION,
				52	CAMERA_CMD_ENABLE_SHUTTER_SOUND,
				53	CAMERA_CMD_PLAY_RECORDING_SOUND,
				54	CAMERA_CMD_START_FACE_DETECTION,
				55	CAMERA_CMD_STOP_FACE_DETECTION,
				56	CAMERA_CMD_ENABLE_FOCUS_MOVE_MSG,
				57	CAMERA_CMD_PING,
				58	CAMERA_CMD_SET_VIDEO_BUFFER_COUNT,
				59	CAMERA_CMD_SET_VIDEO_FORMAT};
				60
				61	constexpr int32_t kValidVideoBufferMode[] = {ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_YUV,
				62	ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_METADATA,
				63	ICamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE};
				64
				65	constexpr int32_t kValidPreviewCallbackFlag[] = {
				66	CAMERA_FRAME_CALLBACK_FLAG_ENABLE_MASK, CAMERA_FRAME_CALLBACK_FLAG_ONE_SHOT_MASK,
				67	CAMERA_FRAME_CALLBACK_FLAG_COPY_OUT_MASK, CAMERA_FRAME_CALLBACK_FLAG_NOOP,
				68	CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER, CAMERA_FRAME_CALLBACK_FLAG_CAMERA,
				69	CAMERA_FRAME_CALLBACK_FLAG_BARCODE_SCANNER};
				70
				71	constexpr int32_t kValidFacing[] = {android::hardware::CAMERA_FACING_BACK,
				72	android::hardware::CAMERA_FACING_FRONT};
				73
				74	constexpr int32_t kValidOrientation[] = {0, 90, 180, 270};
				75
				76	class TestCameraListener : public CameraListener {
				77	public:
				78	virtual ~TestCameraListener() = default;
				79
				80	void notify(int32_t /msgType/, int32_t /ext1/, int32_t /ext2/) override { return; };
				81	void postData(int32_t /msgType/, const sp<IMemory>& /dataPtr/,
				82	camera_frame_metadata_t* /metadata/) override {
				83	return;
				84	};
				85	void postDataTimestamp(nsecs_t /timestamp/, int32_t /msgType/,
				86	const sp<IMemory>& /dataPtr/) override {
				87	return;
				88	};
				89	void postRecordingFrameHandleTimestamp(nsecs_t /timestamp/,
				90	native_handle_t* /handle/) override {
				91	return;
				92	};
				93	void postRecordingFrameHandleTimestampBatch(
				94	const std::vector<nsecs_t>& /timestamps/,
				95	const std::vector<native_handle_t>& /handles*/) override {
				96	return;
				97	};
				98	};
				99
				100	class CameraFuzzer : public ::android::hardware::BnCameraClient {
				101	public:
				102	void process(const uint8_t* data, size_t size);
				103	~CameraFuzzer() {
				104	delete mCameraMetadata;
				105	mComposerClient.clear();
				106	mSurfaceControl.clear();
				107	mSurface.clear();
				108	mCamera.clear();
				109	mMemoryDealer.clear();
				110	mIMem.clear();
				111	mCameraListener.clear();
				112	mCameraService.clear();
				113	}
				114
				115	private:
				116	bool initCamera();
				117	void initCameraMetadata();
				118	void invokeCamera();
				119	void invokeCameraUtils();
				120	void invokeCameraBase();
				121	void invokeCameraMetadata();
				122	void invokeSetParameters();
				123	sp<Camera> mCamera = nullptr;
				124	CameraMetadata* mCameraMetadata = nullptr;
				125	sp<SurfaceComposerClient> mComposerClient = nullptr;
				126	sp<SurfaceControl> mSurfaceControl = nullptr;
				127	sp<Surface> mSurface = nullptr;
				128	sp<MemoryDealer> mMemoryDealer = nullptr;
				129	sp<IMemory> mIMem = nullptr;
				130	sp<TestCameraListener> mCameraListener = nullptr;
				131	sp<ICameraService> mCameraService = nullptr;
				132	sp<ICamera> cameraDevice = nullptr;
				133	FuzzedDataProvider* mFDP = nullptr;
				134
				135	// CameraClient interface
				136	void notifyCallback(int32_t, int32_t, int32_t) override { return; };
				137	void dataCallback(int32_t, const sp<IMemory>&, camera_frame_metadata_t*) override { return; };
				138	void dataCallbackTimestamp(nsecs_t, int32_t, const sp<IMemory>&) override { return; };
				139	void recordingFrameHandleCallbackTimestamp(nsecs_t, native_handle_t*) override { return; };
				140	void recordingFrameHandleCallbackTimestampBatch(const std::vector<nsecs_t>&,
				141	const std::vector<native_handle_t*>&) override {
				142	return;
				143	};
				144	};
				145
				146	bool CameraFuzzer::initCamera() {
				147	ProcessState::self()->startThreadPool();
				148	sp<IServiceManager> sm = defaultServiceManager();
				149	sp<IBinder> binder = sm->getService(String16("media.camera"));
				150	mCameraService = interface_cast<ICameraService>(binder);
				151	mCameraService->connect(this, mFDP->ConsumeIntegral<int32_t>() /* cameraId */,
				152	String16("CAMERAFUZZ"), hardware::ICameraService::USE_CALLING_UID,
				153	hardware::ICameraService::USE_CALLING_PID,
				154	/targetSdkVersion/ __ANDROID_API_FUTURE__, &cameraDevice);
				155	mCamera = Camera::create(cameraDevice);
				156	if (!mCamera) {
				157	return false;
				158	}
				159	return true;
				160	}
				161
				162	void CameraFuzzer::invokeSetParameters() {
				163	String8 s = mCamera->getParameters();
				164	CameraParameters params(s);
				165	int32_t width = mFDP->ConsumeIntegral<int32_t>();
				166	int32_t height = mFDP->ConsumeIntegral<int32_t>();
				167	params.setVideoSize(width, height);
				168	int32_t frameRate = mFDP->ConsumeIntegralInRange<int32_t>(kFrameRateMin, kFrameRateMax);
				169	params.setPreviewFrameRate(frameRate);
				170	mCamera->setParameters(params.flatten());
				171	}
				172
				173	void CameraFuzzer::invokeCamera() {
				174	if (!initCamera()) {
				175	return;
				176	}
				177
				178	int32_t cameraId = mFDP->ConsumeIntegralInRange<int32_t>(kCamIdMin, kCamIdMax);
				179	Camera::getNumberOfCameras();
				180	CameraInfo cameraInfo;
				181	cameraInfo.facing = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidFacing)
				182	: mFDP->ConsumeIntegral<int>();
				183	cameraInfo.orientation = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidOrientation)
				184	: mFDP->ConsumeIntegral<int>();
				185	Camera::getCameraInfo(cameraId, &cameraInfo);
				186	mCamera->reconnect();
				187
				188	mComposerClient = new SurfaceComposerClient;
				189	mSurfaceControl = mComposerClient->createSurface(
				190	static_cast<String8>(mFDP->ConsumeRandomLengthString().c_str()) /* name */,
				191	mFDP->ConsumeIntegral<uint32_t>() /* width */,
				192	mFDP->ConsumeIntegral<uint32_t>() /* height */,
				193	mFDP->ConsumeIntegral<int32_t>() /* format */,
				194	mFDP->ConsumeIntegral<int32_t>() /* flags */);
				195	if (mSurfaceControl) {
				196	mSurface = mSurfaceControl->getSurface();
				197	mCamera->setPreviewTarget(mSurface->getIGraphicBufferProducer());
				198	mCamera->startPreview();
				199	mCamera->stopPreview();
				200	mCamera->previewEnabled();
				201	mCamera->startRecording();
				202	mCamera->stopRecording();
				203	}
				204
				205	mCamera->lock();
				206	mCamera->unlock();
				207	mCamera->autoFocus();
				208	mCamera->cancelAutoFocus();
				209
				210	int32_t msgType = mFDP->ConsumeIntegral<int32_t>();
				211	mCamera->takePicture(msgType);
				212	invokeSetParameters();
				213	int32_t cmd;
				214	if (mFDP->ConsumeBool()) {
				215	cmd = mFDP->PickValueInArray(kValidCMD);
				216	} else {
				217	cmd = mFDP->ConsumeIntegral<int32_t>();
				218	}
				219	int32_t arg1 = mFDP->ConsumeIntegral<int32_t>();
				220	int32_t arg2 = mFDP->ConsumeIntegral<int32_t>();
				221	mCamera->sendCommand(cmd, arg1, arg2);
				222
				223	int32_t videoBufferMode = mFDP->PickValueInArray(kValidVideoBufferMode);
				224	mCamera->setVideoBufferMode(videoBufferMode);
				225	if (mSurfaceControl) {
				226	mSurface = mSurfaceControl->getSurface();
				227	mCamera->setVideoTarget(mSurface->getIGraphicBufferProducer());
				228	}
				229	mCameraListener = sp<TestCameraListener>::make();
				230	mCamera->setListener(mCameraListener);
				231	int32_t previewCallbackFlag;
				232	if (mFDP->ConsumeBool()) {
				233	previewCallbackFlag = mFDP->PickValueInArray(kValidPreviewCallbackFlag);
				234	} else {
				235	previewCallbackFlag = mFDP->ConsumeIntegral<int32_t>();
				236	}
				237	mCamera->setPreviewCallbackFlags(previewCallbackFlag);
				238	if (mSurfaceControl) {
				239	mSurface = mSurfaceControl->getSurface();
				240	mCamera->setPreviewCallbackTarget(mSurface->getIGraphicBufferProducer());
				241	}
				242
				243	mCamera->getRecordingProxy();
				244	int32_t mode = mFDP->ConsumeIntegral<int32_t>();
				245	mCamera->setAudioRestriction(mode);
				246	mCamera->getGlobalAudioRestriction();
				247	mCamera->recordingEnabled();
				248
				249	mMemoryDealer = new MemoryDealer(kMemoryDealerSize);
				250	mIMem = mMemoryDealer->allocate(kMemoryDealerSize);
				251	mCamera->releaseRecordingFrame(mIMem);
				252
				253	int32_t numFds = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
				254	int32_t numInts = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
				255	native_handle_t* handle = native_handle_create(numFds, numInts);
				256	mCamera->releaseRecordingFrameHandle(handle);
				257
				258	int32_t msgTypeNC = mFDP->ConsumeIntegral<int32_t>();
				259	int32_t ext = mFDP->ConsumeIntegral<int32_t>();
				260	int32_t ext2 = mFDP->ConsumeIntegral<int32_t>();
				261	mCamera->notifyCallback(msgTypeNC, ext, ext2);
				262
				263	int64_t timestamp = mFDP->ConsumeIntegral<int64_t>();
				264	mCamera->dataCallbackTimestamp(timestamp, msgTypeNC, mIMem);
				265	mCamera->recordingFrameHandleCallbackTimestamp(timestamp, handle);
				266	}
				267
				268	void CameraFuzzer::invokeCameraUtils() {
				269	CameraMetadata staticMetadata;
				270	int32_t orientVal = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidOrientation)
				271	: mFDP->ConsumeIntegral<int32_t>();
				272	uint8_t facingVal = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidFacing)
				273	: mFDP->ConsumeIntegral<uint8_t>();
				274	staticMetadata.update(ANDROID_SENSOR_ORIENTATION, &orientVal, 1);
				275	staticMetadata.update(ANDROID_LENS_FACING, &facingVal, 1);
				276	int32_t transform = 0;
				277	CameraUtils::getRotationTransform(
				278	staticMetadata, mFDP->ConsumeIntegral<int32_t>() /* mirrorMode /, &transform /out*/);
				279	CameraUtils::isCameraServiceDisabled();
				280	}
				281
				282	void CameraFuzzer::invokeCameraBase() {
				283	CameraInfo cameraInfo;
				284	cameraInfo.facing = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidFacing)
				285	: mFDP->ConsumeIntegral<int>();
				286	cameraInfo.orientation = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidOrientation)
				287	: mFDP->ConsumeIntegral<int>();
				288	invokeReadWriteParcel<CameraInfo>(&cameraInfo);
				289
				290	CameraStatus* cameraStatus = nullptr;
				291
				292	if (mFDP->ConsumeBool()) {
				293	cameraStatus = new CameraStatus();
				294	} else {
				295	string cid = mFDP->ConsumeRandomLengthString();
				296	String8 id(cid.c_str());
				297	int32_t status = mFDP->ConsumeIntegral<int32_t>();
				298	size_t unavailSubIdsSize = mFDP->ConsumeIntegralInRange<size_t>(kSizeMin, kSizeMax);
				299	vector<String8> unavailSubIds;
				300	for (size_t idx = 0; idx < unavailSubIdsSize; ++idx) {
				301	string subId = mFDP->ConsumeRandomLengthString();
				302	String8 unavailSubId(subId.c_str());
				303	unavailSubIds.push_back(unavailSubId);
				304	}
				305	string clientPkg = mFDP->ConsumeRandomLengthString();
				306	String8 clientPackage(clientPkg.c_str());
				307	cameraStatus = new CameraStatus(id, status, unavailSubIds, clientPackage);
				308	}
				309
				310	invokeReadWriteParcel<CameraStatus>(cameraStatus);
				311	delete cameraStatus;
				312	}
				313
				314	void CameraFuzzer::initCameraMetadata() {
				315	if (mFDP->ConsumeBool()) {
				316	mCameraMetadata = new CameraMetadata();
				317	} else {
				318	size_t entryCapacity = mFDP->ConsumeIntegralInRange<size_t>(kSizeMin, kSizeMax);
				319	size_t dataCapacity = mFDP->ConsumeIntegralInRange<size_t>(kSizeMin, kSizeMax);
				320	mCameraMetadata = new CameraMetadata(entryCapacity, dataCapacity);
				321	}
				322	}
				323
				324	void CameraFuzzer::invokeCameraMetadata() {
				325	initCameraMetadata();
				326
				327	const camera_metadata_t* metadataBuffer = nullptr;
				328	if (mFDP->ConsumeBool()) {
				329	metadataBuffer = mCameraMetadata->getAndLock();
				330	}
				331
				332	mCameraMetadata->entryCount();
				333	mCameraMetadata->isEmpty();
				334	mCameraMetadata->bufferSize();
				335	mCameraMetadata->sort();
				336
				337	uint32_t tag = mFDP->ConsumeIntegral<uint32_t>();
				338	uint8_t dataUint8 = mFDP->ConsumeIntegral<uint8_t>();
				339	int32_t dataInt32 = mFDP->ConsumeIntegral<int32_t>();
				340	int64_t dataInt64 = mFDP->ConsumeIntegral<int64_t>();
				341	float dataFloat = mFDP->ConsumeFloatingPoint<float>();
				342	double dataDouble = mFDP->ConsumeFloatingPoint<double>();
				343	camera_metadata_rational dataRational;
				344	dataRational.numerator = mFDP->ConsumeIntegral<int32_t>();
				345	dataRational.denominator = mFDP->ConsumeIntegral<int32_t>();
				346	string dataStr = mFDP->ConsumeRandomLengthString();
				347	String8 dataString(dataStr.c_str());
				348	size_t data_count = 1;
				349	mCameraMetadata->update(tag, &dataUint8, data_count);
				350	mCameraMetadata->update(tag, &dataInt32, data_count);
				351	mCameraMetadata->update(tag, &dataFloat, data_count);
				352	mCameraMetadata->update(tag, &dataInt64, data_count);
				353	mCameraMetadata->update(tag, &dataRational, data_count);
				354	mCameraMetadata->update(tag, &dataDouble, data_count);
				355	mCameraMetadata->update(tag, dataString);
				356
				357	uint32_t tagExists = mFDP->ConsumeBool() ? tag : mFDP->ConsumeIntegral<uint32_t>();
				358	mCameraMetadata->exists(tagExists);
				359
				360	uint32_t tagFind = mFDP->ConsumeBool() ? tag : mFDP->ConsumeIntegral<uint32_t>();
				361	mCameraMetadata->find(tagFind);
				362
				363	uint32_t tagErase = mFDP->ConsumeBool() ? tag : mFDP->ConsumeIntegral<uint32_t>();
				364	mCameraMetadata->erase(tagErase);
				365
				366	mCameraMetadata->unlock(metadataBuffer);
				367	std::vector<int32_t> tagsRemoved;
				368	uint64_t vendorId = mFDP->ConsumeIntegral<uint64_t>();
				369	mCameraMetadata->removePermissionEntries(vendorId, &tagsRemoved);
				370
				371	string name = mFDP->ConsumeRandomLengthString();
				372	VendorTagDescriptor vTags;
				373	uint32_t tagName = mFDP->ConsumeIntegral<uint32_t>();
				374	mCameraMetadata->getTagFromName(name.c_str(), &vTags, &tagName);
				375
				376	invokeReadWriteNullParcel<CameraMetadata>(mCameraMetadata);
				377	invokeReadWriteParcel<CameraMetadata>(mCameraMetadata);
				378
				379	int32_t fd = open("/dev/null", O_CLOEXEC \| O_RDWR \| O_CREAT);
				380	int32_t verbosity = mFDP->ConsumeIntegralInRange<int32_t>(kRangeMin, kRangeMax);
				381	int32_t indentation = mFDP->ConsumeIntegralInRange<int32_t>(kRangeMin, kRangeMax);
				382	mCameraMetadata->dump(fd, verbosity, indentation);
				383
				384	CameraMetadata metadataCopy(mCameraMetadata->release());
				385	CameraMetadata otherCameraMetadata;
				386	mCameraMetadata->swap(otherCameraMetadata);
				387	close(fd);
				388	}
				389
				390	void CameraFuzzer::process(const uint8_t* data, size_t size) {
				391	mFDP = new FuzzedDataProvider(data, size);
				392	invokeCamera();
				393	invokeCameraUtils();
				394	invokeCameraBase();
				395	invokeCameraMetadata();
				396	delete mFDP;
				397	}
				398
				399	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
				400	sp<CameraFuzzer> cameraFuzzer = new CameraFuzzer();
				401	cameraFuzzer->process(data, size);
				402	cameraFuzzer.clear();
				403	return 0;
				404	}