1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "hcapture_session_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <memory>
21 #include "camera_log.h"
22 #include "message_parcel.h"
23 #include "token_setproc.h"
24 #include "nativetoken_kit.h"
25 #include "accesstoken_kit.h"
26 #include "system_ability_definition.h"
27 #include "iservice_registry.h"
28 #include "ipc_skeleton.h"
29 #include "buffer_extra_data_impl.h"
30 #include "picture.h"
31 #include "camera_server_photo_proxy.h"
32 #include "camera_photo_proxy.h"
33
34 namespace OHOS {
35 namespace CameraStandard {
36 static constexpr int32_t WIDE_CAMERA_ZOOM_RANGE = 0;
37 static constexpr int32_t MAIN_CAMERA_ZOOM_RANGE = 1;
38 static constexpr int32_t TWO_X_EXIT_TELE_ZOOM_RANGE = 2;
39 static constexpr int32_t TELE_CAMERA_ZOOM_RANGE = 3;
40 static constexpr int32_t MAX_CODE_LEN = 512;
41 static constexpr int32_t MIN_SIZE_NUM = 4;
42 static constexpr int32_t NUM_1 = 1;
43 static const uint8_t* RAW_DATA = nullptr;
44 const size_t THRESHOLD = 10;
45 const int NUM_10 = 10;
46 const int NUM_100 = 100;
47 static size_t g_dataSize = 0;
48 static size_t g_pos;
49
50 std::shared_ptr<HCaptureSession> HCaptureSessionFuzzer::fuzz_{nullptr};
51
52 /*
53 * describe: get data from outside untrusted data(g_data) which size is according to sizeof(T)
54 * tips: only support basic type
55 */
56 template<class T>
GetData()57 T GetData()
58 {
59 T object {};
60 size_t objectSize = sizeof(object);
61 if (RAW_DATA == nullptr || objectSize > g_dataSize - g_pos) {
62 return object;
63 }
64 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_pos, objectSize);
65 if (ret != EOK) {
66 return {};
67 }
68 g_pos += objectSize;
69 return object;
70 }
71
72 template<class T>
GetArrLength(T & arr)73 uint32_t GetArrLength(T& arr)
74 {
75 if (arr == nullptr) {
76 MEDIA_INFO_LOG("%{public}s: The array length is equal to 0", __func__);
77 return 0;
78 }
79 return sizeof(arr) / sizeof(arr[0]);
80 }
81
HCaptureSessionFuzzTest1()82 void HCaptureSessionFuzzer::HCaptureSessionFuzzTest1()
83 {
84 if ((RAW_DATA == nullptr) || (g_dataSize > MAX_CODE_LEN) || (g_dataSize < MIN_SIZE_NUM)) {
85 return;
86 }
87 uint32_t callerToken = IPCSkeleton::GetCallingTokenID();
88 int32_t opMode = GetData<int32_t>();
89 sptr<HCaptureSession> session;
90 sptr<HStreamOperator> hStreamOperator;
91 fuzz_ = std::make_shared<HCaptureSession>(callerToken, opMode);
92 fuzz_->NewInstance(0, 0, session);
93 hStreamOperator = HStreamOperator::NewInstance(0, 0);
94 fuzz_->SetStreamOperator(hStreamOperator);
95 CHECK_ERROR_RETURN_LOG(!fuzz_, "Create fuzz_ Error");
96 fuzz_->BeginConfig();
97 fuzz_->CommitConfig();
98 int32_t featureMode = GetData<int32_t>();
99 fuzz_->SetFeatureMode(featureMode);
100 int outFd = GetData<int32_t>();
101 CameraInfoDumper infoDumper(outFd);
102 fuzz_->DumpSessionInfo(infoDumper);
103 fuzz_->DumpSessions(infoDumper);
104 fuzz_->DumpCameraSessionSummary(infoDumper);
105 fuzz_->OperatePermissionCheck(GetData<uint32_t>());
106 fuzz_->EnableMovingPhotoMirror(GetData<bool>(), GetData<bool>());
107 ColorSpace getColorSpace;
108 fuzz_->GetActiveColorSpace(getColorSpace);
109 constexpr int32_t executionModeCount = static_cast<int32_t>(ColorSpace::P3_PQ_LIMIT) + NUM_1;
110 ColorSpace colorSpace = static_cast<ColorSpace>(GetData<uint8_t>() % executionModeCount);
111 fuzz_->SetColorSpace(colorSpace, GetData<bool>());
112 fuzz_->GetPid();
113 fuzz_->GetopMode();
114 std::vector<StreamInfo_V1_1> streamInfos;
115 fuzz_->GetCurrentStreamInfos(streamInfos);
116 fuzz_->DynamicConfigStream();
117 fuzz_->AddInput(nullptr);
118 std::string deviceClass;
119 fuzz_->SetPreviewRotation(deviceClass);
120 }
121
HCaptureSessionFuzzTest2()122 void HCaptureSessionFuzzer::HCaptureSessionFuzzTest2()
123 {
124 if ((RAW_DATA == nullptr) || (g_dataSize > MAX_CODE_LEN) || (g_dataSize < MIN_SIZE_NUM)) {
125 return;
126 }
127 uint32_t callerToken = IPCSkeleton::GetCallingTokenID();
128 int32_t opMode = GetData<int32_t>();
129 sptr<HCaptureSession> session;
130 fuzz_ = std::make_shared<HCaptureSession>(callerToken, opMode);
131 fuzz_->NewInstance(0, 0, session);
132 CHECK_ERROR_RETURN_LOG(!fuzz_, "Create fuzz_ Error");
133 StreamType streamType = StreamType::CAPTURE;
134 fuzz_->AddOutput(streamType, nullptr);
135 fuzz_->RemoveOutput(streamType, nullptr);
136 fuzz_->RemoveInput(nullptr);
137 std::vector<StreamInfo_V1_1> streamInfos;
138 fuzz_->RemoveOutputStream(nullptr);
139 fuzz_->ValidateSession();
140 CaptureSessionState sessionState = CaptureSessionState::SESSION_STARTED;
141 fuzz_->GetSessionState(sessionState);
142 float currentFps = GetData<float>();
143 float currentZoomRatio = GetData<float>();
144 std::vector<float> crossZoomAndTime;
145 int32_t operationMode = GetData<int32_t>();
146 fuzz_->QueryFpsAndZoomRatio(currentFps, currentZoomRatio, crossZoomAndTime, operationMode);
147 fuzz_->GetSensorOritation();
148 float zoomRatio = GetData<float>();
149 std::vector<float> crossZoom;
150 fuzz_->GetRangeId(zoomRatio, crossZoom);
151 float zoomPointA = GetData<float>();
152 float zoomPointB = GetData<float>();
153 fuzz_->isEqual(zoomPointA, zoomPointB);
154 std::vector<std::vector<float>> crossTime_1;
155 fuzz_->GetCrossZoomAndTime(crossZoomAndTime, crossZoom, crossTime_1);
156 }
157
HCaptureSessionFuzzTest3()158 void HCaptureSessionFuzzer::HCaptureSessionFuzzTest3()
159 {
160 if ((RAW_DATA == nullptr) || (g_dataSize > MAX_CODE_LEN) || (g_dataSize < MIN_SIZE_NUM)) {
161 return;
162 }
163 uint32_t callerToken = IPCSkeleton::GetCallingTokenID();
164 int32_t opMode = GetData<int32_t>();
165 sptr<HCaptureSession> session;
166 fuzz_ = std::make_shared<HCaptureSession>(callerToken, opMode);
167 fuzz_->NewInstance(0, 0, session);
168 CHECK_ERROR_RETURN_LOG(!fuzz_, "Create fuzz_ Error");
169 int32_t targetRangeId = TELE_CAMERA_ZOOM_RANGE;
170 int32_t currentRangeId = WIDE_CAMERA_ZOOM_RANGE;
171 int32_t waitCount = 4;
172 int32_t zoomInOutCount = 2;
173 std::vector<std::vector<float>> crossTime_2(waitCount, std::vector<float>(zoomInOutCount, 0.0f));
174 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
175 targetRangeId = WIDE_CAMERA_ZOOM_RANGE;
176 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
177 currentRangeId = MAIN_CAMERA_ZOOM_RANGE;
178 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
179 targetRangeId = TELE_CAMERA_ZOOM_RANGE;
180 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
181 currentRangeId = TWO_X_EXIT_TELE_ZOOM_RANGE;
182 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
183 targetRangeId = WIDE_CAMERA_ZOOM_RANGE;
184 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
185 targetRangeId = MAIN_CAMERA_ZOOM_RANGE;
186 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
187 currentRangeId = TELE_CAMERA_ZOOM_RANGE;
188 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
189 targetRangeId = WIDE_CAMERA_ZOOM_RANGE;
190 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
191 targetRangeId = TWO_X_EXIT_TELE_ZOOM_RANGE;
192 fuzz_->GetCrossWaitTime(crossTime_2, targetRangeId, currentRangeId);
193 int32_t smoothZoomType = GetData<int32_t>();
194 float targetZoomRatio = GetData<float>();
195 float duration = GetData<float>();
196 int32_t operationMode = GetData<int32_t>();
197 fuzz_->SetSmoothZoom(smoothZoomType, operationMode, targetZoomRatio, duration);
198 fuzz_->Start();
199 std::shared_ptr<OHOS::Camera::CameraMetadata> captureSettings;
200 captureSettings = std::make_shared<OHOS::Camera::CameraMetadata>(NUM_10, NUM_100);
201 fuzz_->UpdateMuteSetting(true, captureSettings);
202 fuzz_->Stop();
203 }
204
HCaptureSessionFuzzTest4()205 void HCaptureSessionFuzzer::HCaptureSessionFuzzTest4()
206 {
207 if ((RAW_DATA == nullptr) || (g_dataSize > MAX_CODE_LEN) || (g_dataSize < MIN_SIZE_NUM)) {
208 return;
209 }
210 uint32_t callerToken = IPCSkeleton::GetCallingTokenID();
211 int32_t opMode = GetData<int32_t>();
212 sptr<HCaptureSession> session;
213 fuzz_ = std::make_shared<HCaptureSession>(callerToken, opMode);
214 fuzz_->NewInstance(0, 0, session);
215 CHECK_ERROR_RETURN_LOG(!fuzz_, "Create fuzz_ Error");
216 pid_t pid = 0;
217 fuzz_->DestroyStubObjectForPid(pid);
218 sptr<ICaptureSessionCallback> callback;
219 fuzz_->SetCallback(callback);
220 fuzz_->GetSessionState();
221 int32_t status = GetData<int32_t>();
222 fuzz_->GetOutputStatus(status);
223 int32_t imageSeqId = GetData<int32_t>();
224 int32_t seqId = GetData<int32_t>();
225 fuzz_->CreateBurstDisplayName(MAIN_CAMERA_ZOOM_RANGE, seqId);
226 fuzz_->CreateBurstDisplayName(imageSeqId, seqId);
227 }
228
Test()229 void Test()
230 {
231 auto hcaptureSession = std::make_unique<HCaptureSessionFuzzer>();
232 if (hcaptureSession == nullptr) {
233 MEDIA_INFO_LOG("hcaptureSession is null");
234 return;
235 }
236 hcaptureSession->HCaptureSessionFuzzTest1();
237 hcaptureSession->HCaptureSessionFuzzTest2();
238 hcaptureSession->HCaptureSessionFuzzTest3();
239 hcaptureSession->HCaptureSessionFuzzTest4();
240 }
241
242 typedef void (*TestFuncs[1])();
243
244 TestFuncs g_testFuncs = {
245 Test,
246 };
247
FuzzTest(const uint8_t * rawData,size_t size)248 bool FuzzTest(const uint8_t* rawData, size_t size)
249 {
250 // initialize data
251 RAW_DATA = rawData;
252 g_dataSize = size;
253 g_pos = 0;
254
255 uint32_t code = GetData<uint32_t>();
256 uint32_t len = GetArrLength(g_testFuncs);
257 if (len > 0) {
258 g_testFuncs[code % len]();
259 } else {
260 MEDIA_INFO_LOG("%{public}s: The len length is equal to 0", __func__);
261 }
262
263 return true;
264 }
265 } // namespace CameraStandard
266 } // namespace OHOS
267
268 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(uint8_t * data,size_t size)269 extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size)
270 {
271 if (size < OHOS::CameraStandard::THRESHOLD) {
272 return 0;
273 }
274
275 OHOS::CameraStandard::FuzzTest(data, size);
276 return 0;
277 }