Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_av / d1ad6c6b70f775169ab5b211ff08926f1ed0f36b / . / camera / tests / fuzzer / camera_fuzzer.cpp
blob: f46d24657aae980d8f4bd4938bfce7d6e8db4b90 [file] [log] [blame]
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]1/*
2 * Copyright (C) 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <Camera.h>
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]18#include <CameraParameters.h>
Biswarup Pal37a75182024-01-16 15:53:35 +0000[diff] [blame]19#include <CameraUtils.h>
Austin Borger65e64642024-06-11 15:58:23 -0700[diff] [blame]20#include <android/content/AttributionSourceState.h>
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]21#include <binder/MemoryDealer.h>
22#include <fuzzer/FuzzedDataProvider.h>
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]23#include <gui/Surface.h>
24#include <gui/SurfaceComposerClient.h>
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]25#include "camera2common.h"
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]26
27using namespace std;
28using namespace android;
29using namespace android::hardware;
30
31constexpr int32_t kFrameRateMin = 1;
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]32constexpr int32_t kFrameRateMax = 1000;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]33constexpr int32_t kNumMin = 0;
34constexpr int32_t kNumMax = 1024;
35constexpr int32_t kMemoryDealerSize = 1000;
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]36constexpr int8_t kMinElements = 1;
37constexpr int8_t kMaxElements = 10;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]38
39constexpr int32_t kValidCMD[] = {CAMERA_CMD_START_SMOOTH_ZOOM,
40 CAMERA_CMD_STOP_SMOOTH_ZOOM,
41 CAMERA_CMD_SET_DISPLAY_ORIENTATION,
42 CAMERA_CMD_ENABLE_SHUTTER_SOUND,
43 CAMERA_CMD_PLAY_RECORDING_SOUND,
44 CAMERA_CMD_START_FACE_DETECTION,
45 CAMERA_CMD_STOP_FACE_DETECTION,
46 CAMERA_CMD_ENABLE_FOCUS_MOVE_MSG,
47 CAMERA_CMD_PING,
48 CAMERA_CMD_SET_VIDEO_BUFFER_COUNT,
49 CAMERA_CMD_SET_VIDEO_FORMAT};
50
51constexpr int32_t kValidVideoBufferMode[] = {ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_YUV,
52 ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_METADATA,
53 ICamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE};
54
55constexpr int32_t kValidPreviewCallbackFlag[] = {
56 CAMERA_FRAME_CALLBACK_FLAG_ENABLE_MASK, CAMERA_FRAME_CALLBACK_FLAG_ONE_SHOT_MASK,
57 CAMERA_FRAME_CALLBACK_FLAG_COPY_OUT_MASK, CAMERA_FRAME_CALLBACK_FLAG_NOOP,
58 CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER, CAMERA_FRAME_CALLBACK_FLAG_CAMERA,
59 CAMERA_FRAME_CALLBACK_FLAG_BARCODE_SCANNER};
60
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]61class TestCameraListener : public CameraListener {
62 public:
63 virtual ~TestCameraListener() = default;
64
65 void notify(int32_t /*msgType*/, int32_t /*ext1*/, int32_t /*ext2*/) override { return; };
66 void postData(int32_t /*msgType*/, const sp<IMemory>& /*dataPtr*/,
67 camera_frame_metadata_t* /*metadata*/) override {
68 return;
69 };
70 void postDataTimestamp(nsecs_t /*timestamp*/, int32_t /*msgType*/,
71 const sp<IMemory>& /*dataPtr*/) override {
72 return;
73 };
74 void postRecordingFrameHandleTimestamp(nsecs_t /*timestamp*/,
75 native_handle_t* /*handle*/) override {
76 return;
77 };
78 void postRecordingFrameHandleTimestampBatch(
79 const std::vector<nsecs_t>& /*timestamps*/,
80 const std::vector<native_handle_t*>& /*handles*/) override {
81 return;
82 };
83};
84
85class CameraFuzzer : public ::android::hardware::BnCameraClient {
86 public:
87 void process(const uint8_t* data, size_t size);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]88
89 private:
90 bool initCamera();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]91 void invokeCamera();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]92 void invokeSetParameters();
Aditya Wazir40966bd2024-05-17 15:33:50 +0530[diff] [blame]93 native_handle_t* createNativeHandle();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]94 sp<Camera> mCamera = nullptr;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]95 FuzzedDataProvider* mFDP = nullptr;
96
97 // CameraClient interface
98 void notifyCallback(int32_t, int32_t, int32_t) override { return; };
99 void dataCallback(int32_t, const sp<IMemory>&, camera_frame_metadata_t*) override { return; };
100 void dataCallbackTimestamp(nsecs_t, int32_t, const sp<IMemory>&) override { return; };
101 void recordingFrameHandleCallbackTimestamp(nsecs_t, native_handle_t*) override { return; };
102 void recordingFrameHandleCallbackTimestampBatch(const std::vector<nsecs_t>&,
103 const std::vector<native_handle_t*>&) override {
104 return;
105 };
106};
107
Aditya Wazir40966bd2024-05-17 15:33:50 +0530[diff] [blame]108native_handle_t* CameraFuzzer::createNativeHandle() {
109 int32_t numFds = mFDP->ConsumeIntegralInRange<int32_t>(kMinElements, kMaxElements);
110 int32_t numInts = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
111 native_handle_t* handle = native_handle_create(numFds, numInts);
112 for (int32_t i = 0; i < numFds; ++i) {
113 std::string filename = mFDP->ConsumeRandomLengthString(kMaxBytes);
114 int32_t fd = open(filename.c_str(), O_RDWR | O_CREAT | O_TRUNC);
115 handle->data[i] = fd;
116 }
117 return handle;
118}
119
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]120bool CameraFuzzer::initCamera() {
121 ProcessState::self()->startThreadPool();
122 sp<IServiceManager> sm = defaultServiceManager();
123 sp<IBinder> binder = sm->getService(String16("media.camera"));
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]124 sp<ICameraService> cameraService = nullptr;
125 cameraService = interface_cast<ICameraService>(binder);
126 sp<ICamera> cameraDevice = nullptr;
Austin Borger65e64642024-06-11 15:58:23 -0700[diff] [blame]127 AttributionSourceState clientAttribution;
128 clientAttribution.deviceId = kDefaultDeviceId;
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]129 if (mFDP->ConsumeBool()) {
Austin Borger65e64642024-06-11 15:58:23 -0700[diff] [blame]130 clientAttribution.uid = hardware::ICameraService::USE_CALLING_UID;
131 clientAttribution.pid = hardware::ICameraService::USE_CALLING_PID;
Austin Borgerd1ad6c62024-07-01 11:28:31 -0700[diff] [blame^]132 clientAttribution.packageName = "CAMERAFUZZ";
133 cameraService->connect(this, mFDP->ConsumeIntegral<int32_t>() /* cameraId */,
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]134 /*targetSdkVersion*/ __ANDROID_API_FUTURE__,
135 /*overrideToPortrait*/ false, /*forceSlowJpegMode*/ false,
Austin Borger65e64642024-06-11 15:58:23 -0700[diff] [blame]136 clientAttribution, /*devicePolicy*/0, &cameraDevice);
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]137 } else {
Austin Borger65e64642024-06-11 15:58:23 -0700[diff] [blame]138 clientAttribution.uid = mFDP->ConsumeIntegral<int8_t>();
139 clientAttribution.pid = mFDP->ConsumeIntegral<int8_t>();
Austin Borgerd1ad6c62024-07-01 11:28:31 -0700[diff] [blame^]140 clientAttribution.packageName = mFDP->ConsumeRandomLengthString(kMaxBytes).c_str();
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]141 cameraService->connect(this, mFDP->ConsumeIntegral<int32_t>() /* cameraId */,
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]142 /*targetSdkVersion*/ mFDP->ConsumeIntegral<int32_t>(),
143 /*overrideToPortrait*/ mFDP->ConsumeBool(),
Austin Borger65e64642024-06-11 15:58:23 -0700[diff] [blame]144 /*forceSlowJpegMode*/ mFDP->ConsumeBool(), clientAttribution,
Biswarup Pal37a75182024-01-16 15:53:35 +0000[diff] [blame]145 /*devicePolicy*/0, &cameraDevice);
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]146 }
147
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]148 mCamera = Camera::create(cameraDevice);
149 if (!mCamera) {
150 return false;
151 }
152 return true;
153}
154
155void CameraFuzzer::invokeSetParameters() {
156 String8 s = mCamera->getParameters();
157 CameraParameters params(s);
158 int32_t width = mFDP->ConsumeIntegral<int32_t>();
159 int32_t height = mFDP->ConsumeIntegral<int32_t>();
160 params.setVideoSize(width, height);
161 int32_t frameRate = mFDP->ConsumeIntegralInRange<int32_t>(kFrameRateMin, kFrameRateMax);
162 params.setPreviewFrameRate(frameRate);
163 mCamera->setParameters(params.flatten());
164}
165
166void CameraFuzzer::invokeCamera() {
167 if (!initCamera()) {
168 return;
169 }
170
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]171 int32_t cameraId = mFDP->ConsumeIntegral<int32_t>();
Austin Borger65e64642024-06-11 15:58:23 -0700[diff] [blame]172 AttributionSourceState clientAttribution;
173 clientAttribution.deviceId = kDefaultDeviceId;
174 Camera::getNumberOfCameras(clientAttribution, /*devicePolicy*/0);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]175 CameraInfo cameraInfo;
176 cameraInfo.facing = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidFacing)
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]177 : mFDP->ConsumeIntegral<int32_t>();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]178 cameraInfo.orientation = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidOrientation)
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]179 : mFDP->ConsumeIntegral<int32_t>();
Austin Borger65e64642024-06-11 15:58:23 -0700[diff] [blame]180 Camera::getCameraInfo(cameraId, /*overrideToPortrait*/false, clientAttribution,
Biswarup Pal37a75182024-01-16 15:53:35 +0000[diff] [blame]181 /*devicePolicy*/0, &cameraInfo);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]182 mCamera->reconnect();
183
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]184 sp<SurfaceComposerClient> composerClient = new SurfaceComposerClient;
185 sp<SurfaceControl> surfaceControl = nullptr;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]186 if (mFDP->ConsumeBool()) {
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]187 surfaceControl = composerClient->createSurface(String8("FUZZSURFACE"), 1280, 800,
188 HAL_PIXEL_FORMAT_YV12);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]189 } else {
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]190 surfaceControl = composerClient->createSurface(
191 static_cast<String8>(mFDP->ConsumeRandomLengthString(kMaxBytes).c_str()) /* name */,
192 mFDP->ConsumeIntegral<uint32_t>() /* width */,
193 mFDP->ConsumeIntegral<uint32_t>() /* height */,
194 mFDP->ConsumeIntegral<int32_t>() /* format */,
195 mFDP->ConsumeIntegral<int32_t>() /* flags */);
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]196 }
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]197
198 if (mFDP->ConsumeBool()) {
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]199 invokeSetParameters();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]200 }
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]201 sp<Surface> surface = nullptr;
202 if (surfaceControl) {
203 surface = surfaceControl->getSurface();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]204 }
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]205 sp<MemoryDealer> memoryDealer = nullptr;
206 sp<IMemory> iMem = nullptr;
207 sp<CameraListener> cameraListener = nullptr;
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]208
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]209 while (mFDP->remaining_bytes()) {
210 auto callCameraAPIs = mFDP->PickValueInArray<const std::function<void()>>({
211 [&]() {
212 if (surfaceControl) {
213 mCamera->setPreviewTarget(surface->getIGraphicBufferProducer());
214 }
215 },
216 [&]() {
217 if (surfaceControl) {
218 mCamera->startPreview();
219 }
220 },
221 [&]() {
222 if (surfaceControl) {
223 mCamera->stopPreview();
224 }
225 },
226 [&]() {
227 if (surfaceControl) {
228 mCamera->stopPreview();
229 }
230 },
231 [&]() {
232 if (surfaceControl) {
233 mCamera->previewEnabled();
234 }
235 },
236 [&]() {
237 if (surfaceControl) {
238 mCamera->startRecording();
239 }
240 },
241 [&]() {
242 if (surfaceControl) {
243 mCamera->stopRecording();
244 }
245 },
246 [&]() { mCamera->lock(); },
247 [&]() { mCamera->unlock(); },
248 [&]() { mCamera->autoFocus(); },
249 [&]() { mCamera->cancelAutoFocus(); },
250 [&]() {
251 int32_t msgType = mFDP->ConsumeIntegral<int32_t>();
252 mCamera->takePicture(msgType);
253 },
254 [&]() {
255 int32_t cmd;
256 cmd = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidCMD)
257 : mFDP->ConsumeIntegral<int32_t>();
258 int32_t arg1 = mFDP->ConsumeIntegral<int32_t>();
259 int32_t arg2 = mFDP->ConsumeIntegral<int32_t>();
260 mCamera->sendCommand(cmd, arg1, arg2);
261 },
262 [&]() {
263 int32_t videoBufferMode =
264 mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidVideoBufferMode)
265 : mFDP->ConsumeIntegral<int32_t>();
266 mCamera->setVideoBufferMode(videoBufferMode);
267 },
268 [&]() {
269 if (surfaceControl) {
270 mCamera->setVideoTarget(surface->getIGraphicBufferProducer());
271 }
272 },
273 [&]() {
274 cameraListener = sp<TestCameraListener>::make();
275 mCamera->setListener(cameraListener);
276 },
277 [&]() {
278 int32_t previewCallbackFlag;
279 previewCallbackFlag =
280 mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidPreviewCallbackFlag)
281 : mFDP->ConsumeIntegral<int32_t>();
282 mCamera->setPreviewCallbackFlags(previewCallbackFlag);
283 },
284 [&]() {
285 if (surfaceControl) {
286 mCamera->setPreviewCallbackTarget(surface->getIGraphicBufferProducer());
287 }
288 },
289 [&]() { mCamera->getRecordingProxy(); },
290 [&]() {
291 int32_t mode = mFDP->ConsumeIntegral<int32_t>();
292 mCamera->setAudioRestriction(mode);
293 },
294 [&]() { mCamera->getGlobalAudioRestriction(); },
295 [&]() { mCamera->recordingEnabled(); },
296 [&]() {
297 memoryDealer = new MemoryDealer(kMemoryDealerSize);
298 iMem = memoryDealer->allocate(kMemoryDealerSize);
299 },
300 [&]() {
301 int32_t msgTypeNC = mFDP->ConsumeIntegral<int32_t>();
302 int32_t ext = mFDP->ConsumeIntegral<int32_t>();
303 int32_t ext2 = mFDP->ConsumeIntegral<int32_t>();
304 mCamera->notifyCallback(msgTypeNC, ext, ext2);
305 },
306 [&]() {
307 int32_t msgTypeNC = mFDP->ConsumeIntegral<int32_t>();
308 int64_t timestamp = mFDP->ConsumeIntegral<int64_t>();
309 mCamera->dataCallbackTimestamp(timestamp, msgTypeNC, iMem);
310 },
311 [&]() {
312 int64_t timestamp = mFDP->ConsumeIntegral<int64_t>();
Aditya Wazir40966bd2024-05-17 15:33:50 +0530[diff] [blame]313 native_handle_t* handle = createNativeHandle();
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]314 mCamera->recordingFrameHandleCallbackTimestamp(timestamp, handle);
315 },
316 [&]() {
Aditya Wazir40966bd2024-05-17 15:33:50 +0530[diff] [blame]317 native_handle_t* handle = createNativeHandle();
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]318 mCamera->releaseRecordingFrameHandle(handle);
319 },
320 [&]() { mCamera->releaseRecordingFrame(iMem); },
321 [&]() {
322 std::vector<native_handle_t*> handles;
323 for (int8_t i = 0;
324 i < mFDP->ConsumeIntegralInRange<int8_t>(kMinElements, kMaxElements);
325 ++i) {
Aditya Wazir40966bd2024-05-17 15:33:50 +0530[diff] [blame]326 native_handle_t* handle = createNativeHandle();
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]327 handles.push_back(handle);
328 }
329 mCamera->releaseRecordingFrameHandleBatch(handles);
330 },
331 [&]() {
332 std::vector<native_handle_t*> handles;
333 for (int8_t i = 0;
334 i < mFDP->ConsumeIntegralInRange<int8_t>(kMinElements, kMaxElements);
335 ++i) {
Aditya Wazir40966bd2024-05-17 15:33:50 +0530[diff] [blame]336 native_handle_t* handle = createNativeHandle();
Kunal Raif57234d2023-11-07 10:19:41 +0000[diff] [blame]337 handles.push_back(handle);
338 }
339 std::vector<nsecs_t> timestamps;
340 for (int8_t i = 0;
341 i < mFDP->ConsumeIntegralInRange<int8_t>(kMinElements, kMaxElements);
342 ++i) {
343 timestamps.push_back(mFDP->ConsumeIntegral<int64_t>());
344 }
345 mCamera->recordingFrameHandleCallbackTimestampBatch(timestamps, handles);
346 },
347 });
348 callCameraAPIs();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]349 }
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]350}
351
352void CameraFuzzer::process(const uint8_t* data, size_t size) {
353 mFDP = new FuzzedDataProvider(data, size);
354 invokeCamera();
Aditya Wazird16f5df2021-07-28 17:57:32 +0530[diff] [blame]355 delete mFDP;
356}
357
358extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
359 sp<CameraFuzzer> cameraFuzzer = new CameraFuzzer();
360 cameraFuzzer->process(data, size);
361 cameraFuzzer.clear();
362 return 0;
363}