1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "stream_capture_stub_fuzzer.h"
17 #include "foundation/multimedia/camera_framework/common/utils/camera_log.h"
18 #include "hstream_capture.h"
19 #include "iservice_registry.h"
20 #include "message_parcel.h"
21 #include "nativetoken_kit.h"
22 #include "token_setproc.h"
23 #include "accesstoken_kit.h"
24 #include "camera_metadata_info.h"
25 #include "metadata_utils.h"
26 #include "iconsumer_surface.h"
27 #include "camera_service_ipc_interface_code.h"
28 #include <fuzzer/FuzzedDataProvider.h>
29
30 namespace OHOS {
31 namespace CameraStandard {
32 namespace StreamCaptureStubFuzzer {
33
34 const int32_t LIMITSIZE = 2;
35 const size_t LIMITCOUNT = 4;
36 const int32_t PHOTO_WIDTH = 1280;
37 const int32_t PHOTO_HEIGHT = 960;
38 const int32_t PHOTO_FORMAT = 2000;
39 const uint32_t INVALID_CODE = 9999;
40 const std::u16string FORMMGR_INTERFACE_TOKEN = u"IStreamCapture";
41 const int32_t ITEM_CAP = 10;
42 const int32_t DATA_CAP = 100;
43
44 bool g_hasPermission = false;
45 std::shared_ptr<HStreamCaptureStub> fuzz_{nullptr};
46
MakeMetadata(uint8_t * rawData,size_t size)47 std::shared_ptr<OHOS::Camera::CameraMetadata> MakeMetadata(uint8_t *rawData, size_t size)
48 {
49 int32_t itemCount = ITEM_CAP;
50 int32_t dataSize = DATA_CAP;
51 FuzzedDataProvider fdp(rawData, size);
52
53 int32_t *streams = reinterpret_cast<int32_t *>(rawData);
54 std::shared_ptr<OHOS::Camera::CameraMetadata> ability;
55 ability = std::make_shared<OHOS::Camera::CameraMetadata>(itemCount, dataSize);
56 ability->addEntry(OHOS_ABILITY_STREAM_AVAILABLE_EXTEND_CONFIGURATIONS, streams, size / LIMITCOUNT);
57 int32_t compensationRange[2] = {rawData[0], rawData[1]};
58 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_RANGE, compensationRange,
59 sizeof(compensationRange) / sizeof(compensationRange[0]));
60 float focalLength = fdp.ConsumeFloatingPoint<float>();
61 ability->addEntry(OHOS_ABILITY_FOCAL_LENGTH, &focalLength, 1);
62
63 int32_t sensorOrientation = fdp.ConsumeIntegral<int32_t>();
64 ability->addEntry(OHOS_SENSOR_ORIENTATION, &sensorOrientation, 1);
65
66 int32_t cameraPosition = fdp.ConsumeIntegral<int32_t>();
67 ability->addEntry(OHOS_ABILITY_CAMERA_POSITION, &cameraPosition, 1);
68
69 const camera_rational_t aeCompensationStep[] = {{rawData[0], rawData[1]}};
70 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_STEP, &aeCompensationStep,
71 sizeof(aeCompensationStep) / sizeof(aeCompensationStep[0]));
72 return ability;
73 }
74
CheckPermission()75 void CheckPermission()
76 {
77 if (!g_hasPermission) {
78 uint64_t tokenId;
79 const char *perms[0];
80 perms[0] = "ohos.permission.CAMERA";
81 NativeTokenInfoParams infoInstance = { .dcapsNum = 0, .permsNum = 1, .aclsNum = 0, .dcaps = NULL,
82 .perms = perms, .acls = NULL, .processName = "camera_capture", .aplStr = "system_basic",
83 };
84 tokenId = GetAccessTokenId(&infoInstance);
85 SetSelfTokenID(tokenId);
86 OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
87 g_hasPermission = true;
88 }
89 }
90
Test(uint8_t * rawData,size_t size)91 void Test(uint8_t *rawData, size_t size)
92 {
93 if (rawData == nullptr || size < LIMITSIZE) {
94 return;
95 }
96 CheckPermission();
97
98 sptr<IConsumerSurface> photoSurface = IConsumerSurface::Create();
99 CHECK_ERROR_RETURN_LOG(!photoSurface, "StreamCaptureStubFuzzer: Create photoSurface Error");
100 sptr<IBufferProducer> producer = photoSurface->GetProducer();
101 fuzz_ = std::make_shared<HStreamCapture>(producer, PHOTO_FORMAT, PHOTO_WIDTH, PHOTO_HEIGHT);
102 CHECK_ERROR_RETURN_LOG(!fuzz_, "Create fuzz_ Error");
103
104 Test_OnRemoteRequest(rawData, size);
105 Test_HandleCapture(rawData, size);
106 Test_HandleSetThumbnail(rawData, size);
107 Test_HandleSetBufferProducerInfo(rawData, size);
108 Test_HandleEnableDeferredType(rawData, size);
109 Test_HandleSetCallback(rawData, size);
110 fuzz_->Release();
111 }
112
Request(MessageParcel & data,MessageParcel & reply,MessageOption & option,StreamCaptureInterfaceCode scic)113 void Request(MessageParcel &data, MessageParcel &reply, MessageOption &option, StreamCaptureInterfaceCode scic)
114 {
115 uint32_t code = static_cast<uint32_t>(scic);
116 data.RewindRead(0);
117 fuzz_->OnRemoteRequest(code, data, reply, option);
118 }
119
Test_OnRemoteRequest(uint8_t * rawData,size_t size)120 void Test_OnRemoteRequest(uint8_t *rawData, size_t size)
121 {
122 MessageParcel data;
123 data.RewindWrite(0);
124 data.WriteInterfaceToken(FORMMGR_INTERFACE_TOKEN);
125 auto metadata = MakeMetadata(rawData, size);
126 CHECK_ERROR_RETURN_LOG(!(OHOS::Camera::MetadataUtils::EncodeCameraMetadata(metadata, data)),
127 "StreamCaptureStubFuzzer: EncodeCameraMetadata Error");
128 MessageParcel reply;
129 MessageOption option;
130 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_STREAM_CAPTURE_START);
131 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_STREAM_CAPTURE_CANCEL);
132 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_STREAM_CAPTURE_CONFIRM);
133 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_STREAM_CAPTURE_SET_CALLBACK);
134 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_STREAM_CAPTURE_RELEASE);
135 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_SERVICE_SET_THUMBNAIL);
136 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_SERVICE_ENABLE_DEFERREDTYPE);
137 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_STREAM_GET_DEFERRED_PHOTO);
138 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_STREAM_GET_DEFERRED_VIDEO);
139 Request(data, reply, option, StreamCaptureInterfaceCode::CAMERA_STREAM_SET_BUFFER_PRODUCER_INFO);
140 uint32_t code = INVALID_CODE;
141 data.RewindRead(0);
142 fuzz_->OnRemoteRequest(code, data, reply, option);
143 }
144
Test_HandleCapture(uint8_t * rawData,size_t size)145 void Test_HandleCapture(uint8_t *rawData, size_t size)
146 {
147 MessageParcel data;
148 // tagCount
149 data.WriteUint32(1);
150 // itemCapacity
151 data.WriteUint32(ITEM_CAP);
152 // dataCapacity
153 data.WriteUint32(DATA_CAP);
154 // item.index
155 data.WriteUint32(0);
156 // item.item
157 data.WriteUint32(1);
158 // item.data_type
159 data.WriteUint32(0);
160 // item.count
161 data.WriteUint32(1);
162 data.WriteInt32(1);
163 data.WriteRawData(rawData, size);
164 data.RewindRead(0);
165 fuzz_->HandleCapture(data);
166 }
167
Test_HandleSetThumbnail(uint8_t * rawData,size_t size)168 void Test_HandleSetThumbnail(uint8_t *rawData, size_t size)
169 {
170 MessageParcel data;
171 sptr<IConsumerSurface> photoSurface = IConsumerSurface::Create();
172 CHECK_ERROR_RETURN_LOG(!photoSurface, "StreamCaptureStubFuzzer: Create photoSurface Error");
173 sptr<IRemoteObject> producer = photoSurface->GetProducer()->AsObject();
174 data.WriteRemoteObject(producer);
175 data.WriteRawData(rawData, size);
176 data.RewindRead(0);
177 fuzz_->HandleSetThumbnail(data);
178 }
179
Test_HandleSetBufferProducerInfo(uint8_t * rawData,size_t size)180 void Test_HandleSetBufferProducerInfo(uint8_t *rawData, size_t size)
181 {
182 MessageParcel data;
183 sptr<IConsumerSurface> photoSurface = IConsumerSurface::Create();
184 CHECK_ERROR_RETURN_LOG(!photoSurface, "StreamCaptureStubFuzzer: Create photoSurface Error");
185 sptr<IRemoteObject> producer = photoSurface->GetProducer()->AsObject();
186 data.WriteRemoteObject(producer);
187 data.WriteRawData(rawData, size);
188 data.RewindRead(0);
189 fuzz_->HandleSetBufferProducerInfo(data);
190 }
191
Test_HandleEnableDeferredType(uint8_t * rawData,size_t size)192 void Test_HandleEnableDeferredType(uint8_t *rawData, size_t size)
193 {
194 MessageParcel data;
195 data.WriteRawData(rawData, size);
196 data.RewindRead(0);
197 fuzz_->HandleEnableDeferredType(data);
198 }
199
Test_HandleSetCallback(uint8_t * rawData,size_t size)200 void Test_HandleSetCallback(uint8_t *rawData, size_t size)
201 {
202 MessageParcel data;
203 auto samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
204 static const int32_t AUDIO_POLICY_SERVICE_ID = 3009;
205 auto object = samgr->GetSystemAbility(AUDIO_POLICY_SERVICE_ID);
206 data.WriteRemoteObject(object);
207 data.WriteRawData(rawData, size);
208 data.RewindRead(0);
209 fuzz_->HandleSetCallback(data);
210 }
211
212 } // namespace StreamCaptureStubFuzzer
213 } // namespace CameraStandard
214 } // namespace OHOS
215
216 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(uint8_t * data,size_t size)217 extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size)
218 {
219 /* Run your code on data */
220 OHOS::CameraStandard::StreamCaptureStubFuzzer::Test(data, size);
221 return 0;
222 }