• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "bufferqueue_fuzzer.h"
17 
18 #include <securec.h>
19 
20 #include "buffer_queue.h"
21 #include "surface.h"
22 #include "surface_buffer.h"
23 #include "surface_buffer_impl.h"
24 #include "buffer_extra_data.h"
25 #include "buffer_extra_data_impl.h"
26 #include "sync_fence.h"
27 
28 namespace OHOS {
29     namespace {
30         constexpr size_t STR_LEN = 10;
31         const uint8_t* g_data = nullptr;
32         size_t g_size = 0;
33         size_t g_pos;
34     }
35 
36     /*
37     * describe: get data from outside untrusted data(g_data) which size is according to sizeof(T)
38     * tips: only support basic type
39     */
40     template<class T>
GetData()41     T GetData()
42     {
43         T object {};
44         size_t objectSize = sizeof(object);
45         if (g_data == nullptr || objectSize > g_size - g_pos) {
46             return object;
47         }
48         errno_t ret = memcpy_s(&object, objectSize, g_data + g_pos, objectSize);
49         if (ret != EOK) {
50             return {};
51         }
52         g_pos += objectSize;
53         return object;
54     }
55 
56     /*
57     * get a string from g_data
58     */
GetStringFromData(int strlen)59     std::string GetStringFromData(int strlen)
60     {
61         char cstr[strlen];
62         cstr[strlen - 1] = '\0';
63         for (int i = 0; i < strlen - 1; i++) {
64             char tmp = GetData<char>();
65             if (tmp == '\0') {
66                 tmp = '1';
67             }
68             cstr[i] = tmp;
69         }
70         std::string str(cstr);
71         return str;
72     }
73 
GetBufferExtraDataFromData()74     sptr<BufferExtraData> GetBufferExtraDataFromData()
75     {
76         // get data
77         std::string keyInt32 = GetStringFromData(STR_LEN);
78         int32_t valueInt32 = GetData<int32_t>();
79         std::string keyInt64 = GetStringFromData(STR_LEN);
80         int64_t valueInt64 = GetData<int64_t>();
81         std::string keyDouble = GetStringFromData(STR_LEN);
82         double valueDouble = GetData<double>();
83         std::string keyStr = GetStringFromData(STR_LEN);
84         std::string valueStr = GetStringFromData(STR_LEN);
85 
86         // test
87         sptr<BufferExtraData> bedata = new BufferExtraDataImpl();
88         bedata->ExtraSet(keyInt32, valueInt32);
89         bedata->ExtraSet(keyInt64, valueInt64);
90         bedata->ExtraSet(keyDouble, valueDouble);
91         bedata->ExtraSet(keyStr, valueStr);
92 
93         return bedata;
94     }
95 
BufferQueueFuzzTest2()96     void BufferQueueFuzzTest2()
97     {
98         // get data
99         std::string name = GetStringFromData(STR_LEN);
100         bool isShared = GetData<bool>();
101         uint32_t queueSize = GetData<uint32_t>();
102         int32_t width = GetData<int32_t>();
103         int32_t height = GetData<int32_t>();
104         uint32_t usage = GetData<uint32_t>();
105         GraphicTransformType transform = GetData<GraphicTransformType >();
106         uint32_t sequence = GetData<uint32_t>();
107         std::vector<GraphicHDRMetaData> metaData;
108         for (int i = 0; i < 10; i++) { // add 10 elements to the vector
109             GraphicHDRMetaData hDRMetaData = GetData<GraphicHDRMetaData>();
110             metaData.push_back(hDRMetaData);
111         }
112         GraphicHDRMetadataKey key = GetData<GraphicHDRMetadataKey>();
113         std::vector<uint8_t> metaDataSet;
114         for (int i = 0; i < 10; i++) { // add 10 elements to the vector
115             uint8_t metaDataElement = GetData<uint8_t>();
116             metaDataSet.push_back(metaDataElement);
117         }
118         bool flag = GetData<bool>();
119         std::string result = GetStringFromData(STR_LEN);
120         bool status = GetData<bool>();
121         uint32_t reserveInts = GetData<uint32_t>() % 0x100000; // no more than 0x100000
122         GraphicPresentTimestamp timestamp = GetData<GraphicPresentTimestamp>();
123 
124         // test
125         sptr<BufferQueue> bufferqueue = new BufferQueue(name, isShared);
126         bufferqueue->SetQueueSize(queueSize);
127         bufferqueue->SetDefaultWidthAndHeight(width, height);
128         bufferqueue->SetDefaultUsage(usage);
129         bufferqueue->SetTransform(transform);
130         bufferqueue->SetMetaData(sequence, metaData);
131         bufferqueue->SetMetaDataSet(sequence, key, metaDataSet);
132         bufferqueue->SetProducerCacheCleanFlag(flag);
133         bufferqueue->Dump(result);
134         bufferqueue->SetStatus(status);
135         GraphicExtDataHandle *handle = AllocExtDataHandle(reserveInts);
136         sptr<SurfaceTunnelHandle> tunnelHandle = new SurfaceTunnelHandle();
137         tunnelHandle->SetHandle(handle);
138         bufferqueue->SetTunnelHandle(tunnelHandle);
139         FreeExtDataHandle(handle);
140         bufferqueue->SetPresentTimestamp(sequence, timestamp);
141     }
142 
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)143     bool DoSomethingInterestingWithMyAPI(const uint8_t* data, size_t size)
144     {
145         if (data == nullptr) {
146             return false;
147         }
148 
149         // initialize
150         g_data = data;
151         g_size = size;
152         g_pos = 0;
153 
154         // get data
155         std::string name = GetStringFromData(STR_LEN);
156         bool isShared = GetData<bool>();
157         uint32_t seqNum = GetData<uint32_t>();
158         BufferRequestConfig requestConfig = GetData<BufferRequestConfig>();
159         OHOS::Rect rect = GetData<OHOS::Rect>();
160         int64_t timestamp = GetData<int64_t>();
161         BufferFlushConfigWithDamages flushConfig = {.damages =  { rect }, .timestamp = timestamp};
162         uint32_t sequence = GetData<uint32_t>();
163         std::vector<Rect> damages;
164 
165         // test
166         sptr<BufferQueue> bufferqueue = new BufferQueue(name, isShared);
167         sptr<OHOS::SurfaceBuffer> buffer = new SurfaceBufferImpl(seqNum);
168         sptr<BufferExtraData> bedata = GetBufferExtraDataFromData();
169         IBufferProducer::RequestBufferReturnValue retval;
170         retval.buffer = buffer;
171         bufferqueue->RequestBuffer(requestConfig, bedata, retval);
172         bufferqueue->ReuseBuffer(requestConfig, bedata, retval);
173         bufferqueue->CancelBuffer(sequence, bedata);
174         sptr<SyncFence> syncFence = SyncFence::INVALID_FENCE;
175         bufferqueue->FlushBuffer(sequence, bedata, syncFence, flushConfig);
176         bufferqueue->DoFlushBuffer(sequence, bedata, syncFence, flushConfig);
177         bufferqueue->AcquireBuffer(buffer, syncFence, timestamp, damages);
178         bufferqueue->ReleaseBuffer(buffer, syncFence);
179         bufferqueue->AttachBuffer(buffer);
180         bufferqueue->DetachBuffer(buffer);
181 
182         BufferQueueFuzzTest2();
183 
184         return true;
185     }
186 }
187 
188 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)189 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
190 {
191     /* Run your code on data */
192     OHOS::DoSomethingInterestingWithMyAPI(data, size);
193     return 0;
194 }
195 
196