1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "profession_session_fuzzer.h"
17 #include "camera_log.h"
18 #include "message_parcel.h"
19 #include "securec.h"
20 #include <cstddef>
21 #include <cstdint>
22 #include <memory>
23 #include "token_setproc.h"
24 #include "nativetoken_kit.h"
25 #include "accesstoken_kit.h"
26 #include "os_account_manager.h"
27 #include "ipc_skeleton.h"
28
29 namespace OHOS {
30 namespace CameraStandard {
31 static constexpr int32_t MAX_CODE_LEN = 512;
32 static constexpr int32_t MIN_SIZE_NUM = 4;
33 static const uint8_t* RAW_DATA = nullptr;
34 const size_t THRESHOLD = 10;
35 static size_t g_dataSize = 0;
36 static size_t g_pos;
37
38 const int32_t NUM_FOUR = 4;
39 const int32_t NUM_THREE = 3;
40 sptr<ProfessionSession> ProfessionSessionFuzzer::fuzz_{nullptr};
41 sptr<CameraManager> manager_;
42
43 /*
44 * describe: get data from outside untrusted data(g_data) which size is according to sizeof(T)
45 * tips: only support basic type
46 */
47 template<class T>
GetData()48 T GetData()
49 {
50 T object {};
51 size_t objectSize = sizeof(object);
52 if (RAW_DATA == nullptr || objectSize > g_dataSize - g_pos) {
53 return object;
54 }
55 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_pos, objectSize);
56 if (ret != EOK) {
57 return {};
58 }
59 g_pos += objectSize;
60 return object;
61 }
62
63 template<class T>
GetArrLength(T & arr)64 uint32_t GetArrLength(T& arr)
65 {
66 if (arr == nullptr) {
67 MEDIA_INFO_LOG("%{public}s: The array length is equal to 0", __func__);
68 return 0;
69 }
70 return sizeof(arr) / sizeof(arr[0]);
71 }
72
GetPermission()73 void GetPermission()
74 {
75 uint64_t tokenId;
76 const char* perms[2];
77 perms[0] = "ohos.permission.DISTRIBUTED_DATASYNC";
78 perms[1] = "ohos.permission.CAMERA";
79 NativeTokenInfoParams infoInstance = {
80 .dcapsNum = 0,
81 .permsNum = 2,
82 .aclsNum = 0,
83 .dcaps = NULL,
84 .perms = perms,
85 .acls = NULL,
86 .processName = "native_camera_tdd",
87 .aplStr = "system_basic",
88 };
89 tokenId = GetAccessTokenId(&infoInstance);
90 SetSelfTokenID(tokenId);
91 OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
92 }
93
CreatePreviewOutput(Profile & profile)94 sptr<CaptureOutput> CreatePreviewOutput(Profile& profile)
95 {
96 sptr<IConsumerSurface> previewSurface = IConsumerSurface::Create();
97 Size previewSize = profile.GetSize();
98 previewSurface->SetUserData(CameraManager::surfaceFormat, std::to_string(profile.GetCameraFormat()));
99 previewSurface->SetDefaultWidthAndHeight(previewSize.width, previewSize.height);
100
101 sptr<IBufferProducer> bp = previewSurface->GetProducer();
102 sptr<Surface> pSurface = Surface::CreateSurfaceAsProducer(bp);
103
104 sptr<CaptureOutput> previewOutput = nullptr;
105 previewOutput = manager_->CreatePreviewOutput(profile, pSurface);
106 return previewOutput;
107 }
108
CreateVideoOutput(VideoProfile & videoProfile)109 sptr<CaptureOutput> CreateVideoOutput(VideoProfile& videoProfile)
110 {
111 sptr<IConsumerSurface> surface = IConsumerSurface::Create();
112 sptr<IBufferProducer> videoProducer = surface->GetProducer();
113 sptr<Surface> videoSurface = Surface::CreateSurfaceAsProducer(videoProducer);
114 sptr<CaptureOutput> videoOutput = nullptr;
115 videoOutput = manager_->CreateVideoOutput(videoProfile, videoSurface);
116 return videoOutput;
117 }
118
ProfessionSessionFuzzTest1()119 void ProfessionSessionFuzzer::ProfessionSessionFuzzTest1()
120 {
121 if ((RAW_DATA == nullptr) || (g_dataSize > MAX_CODE_LEN) || (g_dataSize < MIN_SIZE_NUM)) {
122 return;
123 }
124 MeteringMode meteringModes = static_cast<MeteringMode>(GetData<int32_t>() % NUM_FOUR);
125 std::vector<MeteringMode> supportedMeteringModes = {};
126 supportedMeteringModes.push_back(meteringModes);
127 fuzz_->GetSupportedMeteringModes(supportedMeteringModes);
128 bool isSupported = GetData<bool>();
129 fuzz_->IsMeteringModeSupported(meteringModes, isSupported);
130 fuzz_->SetMeteringMode(meteringModes);
131 fuzz_->GetMeteringMode(meteringModes);
132 }
133
ProfessionSessionFuzzTest2()134 void ProfessionSessionFuzzer::ProfessionSessionFuzzTest2()
135 {
136 if ((RAW_DATA == nullptr) || (g_dataSize > MAX_CODE_LEN) || (g_dataSize < MIN_SIZE_NUM)) {
137 return;
138 }
139 bool isSupported = GetData<bool>();
140 fuzz_->HasFlash(isSupported);
141 ColorEffect colorEffects = static_cast<ColorEffect>(GetData<int32_t>() % NUM_FOUR);
142 vector<ColorEffect> supportedColorEffects;
143 fuzz_->GetSupportedColorEffects(supportedColorEffects);
144 fuzz_->GetColorEffect(colorEffects);
145 fuzz_->SetColorEffect(colorEffects);
146 vector<int32_t> isoRange;
147 fuzz_->GetIsoRange(isoRange);
148 int32_t range = GetData<int32_t>();
149 fuzz_->SetISO(range);
150 fuzz_->GetISO(range);
151 fuzz_->IsManualIsoSupported();
152 FocusMode focusMode = static_cast<FocusMode>(GetData<int32_t>() % NUM_FOUR);
153 vector<FocusMode> supportedFocusModes;
154 supportedFocusModes.push_back(focusMode);
155 fuzz_->GetSupportedFocusModes(supportedFocusModes);
156 fuzz_->IsFocusModeSupported(focusMode, isSupported);
157 fuzz_->SetFocusMode(focusMode);
158 fuzz_->GetFocusMode(focusMode);
159 ExposureHintMode exposureHintModes = static_cast<ExposureHintMode>(GetData<int32_t>() % NUM_THREE);
160 vector<ExposureHintMode> supportedExposureHintModes;
161 fuzz_->GetSupportedExposureHintModes(supportedExposureHintModes);
162 fuzz_->SetExposureHintMode(exposureHintModes);
163 fuzz_->GetExposureHintMode(exposureHintModes);
164 FocusAssistFlashMode focusAssistFlashModes = static_cast<FocusAssistFlashMode>(GetData<int32_t>() % NUM_FOUR);
165 vector<FocusAssistFlashMode> supportedFocusAssistFlashModes;
166 fuzz_->GetSupportedFocusAssistFlashModes(supportedFocusAssistFlashModes);
167 fuzz_->IsFocusAssistFlashModeSupported(focusAssistFlashModes, isSupported);
168 fuzz_->SetFocusAssistFlashMode(focusAssistFlashModes);
169 fuzz_->GetFocusAssistFlashMode(focusAssistFlashModes);
170 }
171
Test()172 void Test()
173 {
174 auto professionSession = std::make_unique<ProfessionSessionFuzzer>();
175 if (professionSession == nullptr) {
176 MEDIA_INFO_LOG("professionSession is null");
177 return;
178 }
179 GetPermission();
180 manager_ = CameraManager::GetInstance();
181 sptr<CaptureSession> captureSession = manager_->CreateCaptureSession(SceneMode::PROFESSIONAL_VIDEO);
182 ProfessionSessionFuzzer::fuzz_ = static_cast<ProfessionSession*>(captureSession.GetRefPtr());
183 CHECK_ERROR_RETURN_LOG(!ProfessionSessionFuzzer::fuzz_, "Create fuzz_ Error");
184 SceneMode sceneMode_ = SceneMode::PROFESSIONAL_VIDEO;
185 std::vector<sptr<CameraDevice>> cameras;
186 cameras = manager_->GetSupportedCameras();
187 CHECK_ERROR_RETURN_LOG(cameras.empty(), "GetCameraDeviceListFromServer Error");
188 sptr<CaptureInput> input = manager_->CreateCameraInput(cameras[0]);
189 CHECK_ERROR_RETURN_LOG(!input, "CreateCameraInput Error");
190 sptr<CameraOutputCapability> modeAbility =
191 manager_->GetSupportedOutputCapability(cameras[0], sceneMode_);
192 captureSession->BeginConfig();
193 captureSession->AddInput(input);
194 input->Open();
195 Profile previewProfile;
196 VideoProfile videoProfile;
197 auto previewProfiles = modeAbility->GetPreviewProfiles();
198 auto videoProfiles = modeAbility->GetVideoProfiles();
199 for (const auto &vProfile : videoProfiles) {
200 for (const auto &pProfile : previewProfiles) {
201 if (vProfile.size_.width == pProfile.size_.width) {
202 previewProfile = pProfile;
203 videoProfile = vProfile;
204 break;
205 }
206 }
207 }
208 sptr<CaptureOutput> previewOutput = CreatePreviewOutput(previewProfile);
209 captureSession->AddOutput(previewOutput);
210 sptr<CaptureOutput> videoOutput = CreateVideoOutput(videoProfile);
211 captureSession->AddOutput(videoOutput);
212 captureSession->CommitConfig();
213 professionSession->ProfessionSessionFuzzTest1();
214 professionSession->ProfessionSessionFuzzTest2();
215 }
216
217 typedef void (*TestFuncs[1])();
218 TestFuncs g_testFuncs = {
219 Test,
220 };
221
FuzzTest(const uint8_t * rawData,size_t size)222 bool FuzzTest(const uint8_t* rawData, size_t size)
223 {
224 // initialize data
225 RAW_DATA = rawData;
226 g_dataSize = size;
227 g_pos = 0;
228
229 uint32_t code = GetData<uint32_t>();
230 uint32_t len = GetArrLength(g_testFuncs);
231 if (len > 0) {
232 g_testFuncs[code % len]();
233 } else {
234 MEDIA_INFO_LOG("%{public}s: The len length is equal to 0", __func__);
235 }
236
237 return true;
238 }
239
240 } // namespace CameraStandard
241 } // namespace OHOS
242
243 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(uint8_t * data,size_t size)244 extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size)
245 {
246 if (size < OHOS::CameraStandard::THRESHOLD) {
247 return 0;
248 }
249
250 OHOS::CameraStandard::FuzzTest(data, size);
251 return 0;
252 }