1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "hstream_capture_stub_fuzzer.h"
17 #include "camera_log.h"
18 #include "hstream_capture.h"
19 #include "iservice_registry.h"
20 #include "message_parcel.h"
21 #include "nativetoken_kit.h"
22 #include "string_ex.h"
23 #include "token_setproc.h"
24 #include "accesstoken_kit.h"
25 #include "camera_metadata_info.h"
26 #include "metadata_utils.h"
27 #include "iconsumer_surface.h"
28 #include "securec.h"
29 #include "stream_capture_callback_proxy.h"
30 #include "stream_capture_photo_asset_callback_proxy.h"
31 #include "system_ability_definition.h"
32 #include "iservice_registry.h"
33
34 namespace OHOS {
35 namespace CameraStandard {
36 static const uint8_t *RAW_DATA = nullptr;
37 const size_t THRESHOLD = 10;
38 static size_t g_dataSize = 0;
39 size_t max_length = 64;
40 static const std::u16string g_interfaceToken = u"OHOS.CameraStandard.IStreamCapture";
41 static size_t g_pos;
42 const int32_t NUM_10 = 10;
43 const int32_t NUM_100 = 100;
44 std::shared_ptr<HStreamCaptureStubFuzz> HStreamCaptureStubFuzzer::fuzz_{nullptr};
45
46 /*
47 * describe: get data from outside untrusted data(g_data) which size is according to sizeof(T)
48 * tips: only support basic type
49 */
50 template <class T>
GetData()51 T GetData()
52 {
53 T object{};
54 size_t objectSize = sizeof(object);
55 if (RAW_DATA == nullptr || objectSize > g_dataSize - g_pos) {
56 return object;
57 }
58 errno_t ret = memcpy_s(&object, objectSize, RAW_DATA + g_pos, objectSize);
59 if (ret != EOK) {
60 return {};
61 }
62 g_pos += objectSize;
63 return object;
64 }
65
66 template <class T>
GetArrLength(T & arr)67 uint32_t GetArrLength(T &arr)
68 {
69 if (arr == nullptr) {
70 MEDIA_INFO_LOG("%{public}s: The array length is equal to 0", __func__);
71 return 0;
72 }
73 return sizeof(arr) / sizeof(arr[0]);
74 }
75
HStreamCaptureStubFuzzTest1(FuzzedDataProvider & fdp)76 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest1(FuzzedDataProvider &fdp)
77 {
78 MessageParcel data;
79 MessageParcel reply;
80 MessageOption option;
81 sptr<IConsumerSurface> photoSurface = IConsumerSurface::Create();
82 CHECK_RETURN(photoSurface == nullptr);
83 sptr<IBufferProducer> producer = photoSurface->GetProducer();
84 data.WriteInterfaceToken(g_interfaceToken);
85 data.WriteString16(Str8ToStr16(fdp.ConsumeRandomLengthString(max_length)));
86 data.WriteRemoteObject(producer->AsObject());
87 fuzz_->OnRemoteRequestInner(
88 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_SET_BUFFER_PRODUCER_INFO), data, reply, option);
89 }
90
HStreamCaptureStubFuzzTest2(FuzzedDataProvider & fdp)91 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest2(FuzzedDataProvider &fdp)
92 {
93 MessageParcel data;
94 MessageParcel reply;
95 MessageOption option;
96 sptr<IConsumerSurface> photoSurface = IConsumerSurface::Create();
97 CHECK_RETURN(photoSurface == nullptr);
98 sptr<IBufferProducer> producer = photoSurface->GetProducer();
99 auto value = fdp.ConsumeBool();
100 data.WriteInterfaceToken(g_interfaceToken);
101 data.WriteInt32(value);
102 data.WriteRemoteObject(producer->AsObject());
103 fuzz_->OnRemoteRequestInner(
104 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_SET_THUMBNAIL), data, reply, option);
105 }
106
HStreamCaptureStubFuzzTest3()107 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest3()
108 {
109 MessageParcel data;
110 auto value = GetData<int32_t>();
111 data.WriteInt32(value);
112 }
113
HStreamCaptureStubFuzzTest4(FuzzedDataProvider & fdp)114 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest4(FuzzedDataProvider &fdp)
115 {
116 MessageParcel data;
117 MessageParcel reply;
118 MessageOption option;
119 auto value = fdp.ConsumeIntegral<int32_t>();
120 data.WriteInterfaceToken(g_interfaceToken);
121 data.WriteInt32(value);
122 fuzz_->OnRemoteRequestInner(
123 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_DEFER_IMAGE_DELIVERY_FOR), data, reply, option);
124 }
125
HStreamCaptureStubFuzzTest5(FuzzedDataProvider & fdp)126 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest5(FuzzedDataProvider &fdp)
127 {
128 MessageParcel data;
129 MessageParcel reply;
130 MessageOption option;
131 auto value = fdp.ConsumeIntegral<int32_t>();
132 data.WriteInterfaceToken(g_interfaceToken);
133 data.WriteInt32(value);
134 fuzz_->OnRemoteRequestInner(
135 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_SET_MOVING_PHOTO_VIDEO_CODEC_TYPE), data, reply, option);
136 }
137
HStreamCaptureStubFuzzTest6(FuzzedDataProvider & fdp)138 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest6(FuzzedDataProvider &fdp)
139 {
140 MessageParcel data;
141 MessageParcel reply;
142 MessageOption option;
143 auto value = fdp.ConsumeIntegral<int32_t>();
144 data.WriteInterfaceToken(g_interfaceToken);
145 data.WriteInt32(value);
146 fuzz_->OnRemoteRequestInner(
147 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_CONFIRM_CAPTURE), data, reply, option);
148 }
149
HStreamCaptureStubFuzzTest7(FuzzedDataProvider & fdp)150 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest7(FuzzedDataProvider &fdp)
151 {
152 MessageParcel data;
153 MessageParcel reply;
154 MessageOption option;
155 auto value = fdp.ConsumeBool();
156 data.WriteInterfaceToken(g_interfaceToken);
157 data.WriteInt32(value);
158 fuzz_->OnRemoteRequestInner(
159 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_ENABLE_RAW_DELIVERY), data, reply, option);
160 }
161
HStreamCaptureStubFuzzTest8(FuzzedDataProvider & fdp)162 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest8(FuzzedDataProvider &fdp)
163 {
164 MessageParcel data;
165 MessageParcel reply;
166 MessageOption option;
167 auto value = fdp.ConsumeBool();
168 data.WriteInterfaceToken(g_interfaceToken);
169 data.WriteInt32(value);
170 fuzz_->OnRemoteRequestInner(
171 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_ENABLE_MOVING_PHOTO), data, reply, option);
172 }
173
HStreamCaptureStubFuzzTest9(FuzzedDataProvider & fdp)174 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest9(FuzzedDataProvider &fdp)
175 {
176 MessageParcel data;
177 MessageParcel reply;
178 MessageOption option;
179 auto value = fdp.ConsumeBool();
180 data.WriteInterfaceToken(g_interfaceToken);
181 data.WriteInt32(value);
182 fuzz_->OnRemoteRequestInner(
183 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_SET_CAMERA_PHOTO_ROTATION), data, reply, option);
184 }
185
HStreamCaptureStubFuzzTest10(FuzzedDataProvider & fdp)186 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest10(FuzzedDataProvider &fdp)
187 {
188 MessageParcel data;
189 MessageParcel reply;
190 MessageOption option;
191 auto value = fdp.ConsumeBool();
192 data.WriteInterfaceToken(g_interfaceToken);
193 data.WriteInt32(value);
194 fuzz_->OnRemoteRequestInner(
195 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_ENABLE_OFFLINE_PHOTO), data, reply, option);
196 }
197
HStreamCaptureStubFuzzTest11()198 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest11()
199 {
200 MessageParcel data;
201 MessageParcel reply;
202 MessageOption option;
203 std::shared_ptr<OHOS::Camera::CameraMetadata> captureSettings =
204 std::make_shared<OHOS::Camera::CameraMetadata>(NUM_10, NUM_100);
205 data.WriteInterfaceToken(g_interfaceToken);
206 data.WriteParcelable(captureSettings.get());
207 fuzz_->OnRemoteRequestInner(
208 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_CAPTURE), data, reply, option);
209 }
210
HStreamCaptureStubFuzzTest12()211 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest12()
212 {
213 MessageParcel data;
214 MessageParcel reply;
215 MessageOption option;
216 data.WriteInterfaceToken(g_interfaceToken);
217 fuzz_->OnRemoteRequestInner(
218 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_CANCEL_CAPTURE), data, reply, option);
219 }
220
HStreamCaptureStubFuzzTest13()221 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest13()
222 {
223 MessageParcel data;
224 MessageParcel reply;
225 MessageOption option;
226 auto samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
227 auto object = samgr->GetSystemAbility(CAMERA_SERVICE_ID);
228 auto proxy = std::make_shared<StreamCaptureCallbackProxy>(object);
229 data.WriteInterfaceToken(g_interfaceToken);
230 data.WriteRemoteObject(proxy->AsObject());
231 fuzz_->OnRemoteRequestInner(
232 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_SET_CALLBACK), data, reply, option);
233 }
234
HStreamCaptureStubFuzzTest14()235 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest14()
236 {
237 MessageParcel data;
238 MessageParcel reply;
239 MessageOption option;
240 data.WriteInterfaceToken(g_interfaceToken);
241 fuzz_->OnRemoteRequestInner(
242 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_RELEASE), data, reply, option);
243 }
244
HStreamCaptureStubFuzzTest15()245 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest15()
246 {
247 MessageParcel data;
248 MessageParcel reply;
249 MessageOption option;
250 data.WriteInterfaceToken(g_interfaceToken);
251 fuzz_->OnRemoteRequestInner(
252 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_IS_DEFERRED_PHOTO_ENABLED), data, reply, option);
253 }
254
HStreamCaptureStubFuzzTest16()255 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest16()
256 {
257 MessageParcel data;
258 MessageParcel reply;
259 MessageOption option;
260 data.WriteInterfaceToken(g_interfaceToken);
261 fuzz_->OnRemoteRequestInner(
262 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_IS_DEFERRED_VIDEO_ENABLED), data, reply, option);
263 }
264
HStreamCaptureStubFuzzTest17()265 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest17()
266 {
267 MessageParcel data;
268 MessageParcel reply;
269 MessageOption option;
270 data.WriteInterfaceToken(g_interfaceToken);
271 fuzz_->OnRemoteRequestInner(
272 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_UN_SET_CALLBACK), data, reply, option);
273 }
274
HStreamCaptureStubFuzzTest18()275 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest18()
276 {
277 MessageParcel data;
278 MessageParcel reply;
279 MessageOption option;
280 auto samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
281 auto object = samgr->GetSystemAbility(CAMERA_SERVICE_ID);
282 auto proxy = std::make_shared<StreamCapturePhotoAssetCallbackProxy>(object);
283 data.WriteInterfaceToken(g_interfaceToken);
284 data.WriteRemoteObject(proxy->AsObject());
285 fuzz_->OnRemoteRequestInner(
286 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_SET_PHOTO_ASSET_AVAILABLE_CALLBACK), data, reply, option);
287 }
288
HStreamCaptureStubFuzzTest19()289 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest19()
290 {
291 MessageParcel data;
292 MessageParcel reply;
293 MessageOption option;
294 data.WriteInterfaceToken(g_interfaceToken);
295 fuzz_->OnRemoteRequestInner(
296 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_UN_SET_PHOTO_AVAILABLE_CALLBACK), data, reply, option);
297 }
298
HStreamCaptureStubFuzzTest20()299 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest20()
300 {
301 MessageParcel data;
302 MessageParcel reply;
303 MessageOption option;
304 data.WriteInterfaceToken(g_interfaceToken);
305 fuzz_->OnRemoteRequestInner(
306 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_UN_SET_PHOTO_ASSET_AVAILABLE_CALLBACK),
307 data, reply, option);
308 }
309
HStreamCaptureStubFuzzTest21()310 void HStreamCaptureStubFuzzer::HStreamCaptureStubFuzzTest21()
311 {
312 MessageParcel data;
313 MessageParcel reply;
314 MessageOption option;
315 data.WriteInterfaceToken(g_interfaceToken);
316 fuzz_->OnRemoteRequestInner(
317 static_cast<uint32_t>(IStreamCaptureIpcCode::COMMAND_UN_SET_THUMBNAIL_CALLBACK), data, reply, option);
318 }
319
FuzzTest(const uint8_t * rawData,size_t size)320 void FuzzTest(const uint8_t *rawData, size_t size)
321 {
322 FuzzedDataProvider fdp(rawData, size);
323 auto hstreamCaptureStub = std::make_unique<HStreamCaptureStubFuzzer>();
324 if (hstreamCaptureStub == nullptr) {
325 MEDIA_INFO_LOG("hstreamCaptureStub is null");
326 return;
327 }
328 HStreamCaptureStubFuzzer::fuzz_ = std::make_shared<HStreamCaptureStubFuzz>();
329 hstreamCaptureStub->HStreamCaptureStubFuzzTest1(fdp);
330 hstreamCaptureStub->HStreamCaptureStubFuzzTest2(fdp);
331 hstreamCaptureStub->HStreamCaptureStubFuzzTest3();
332 hstreamCaptureStub->HStreamCaptureStubFuzzTest4(fdp);
333 hstreamCaptureStub->HStreamCaptureStubFuzzTest5(fdp);
334 hstreamCaptureStub->HStreamCaptureStubFuzzTest6(fdp);
335 hstreamCaptureStub->HStreamCaptureStubFuzzTest7(fdp);
336 hstreamCaptureStub->HStreamCaptureStubFuzzTest8(fdp);
337 hstreamCaptureStub->HStreamCaptureStubFuzzTest9(fdp);
338 hstreamCaptureStub->HStreamCaptureStubFuzzTest10(fdp);
339 hstreamCaptureStub->HStreamCaptureStubFuzzTest11();
340 hstreamCaptureStub->HStreamCaptureStubFuzzTest12();
341 hstreamCaptureStub->HStreamCaptureStubFuzzTest13();
342 hstreamCaptureStub->HStreamCaptureStubFuzzTest14();
343 hstreamCaptureStub->HStreamCaptureStubFuzzTest15();
344 hstreamCaptureStub->HStreamCaptureStubFuzzTest16();
345 hstreamCaptureStub->HStreamCaptureStubFuzzTest17();
346 hstreamCaptureStub->HStreamCaptureStubFuzzTest18();
347 hstreamCaptureStub->HStreamCaptureStubFuzzTest19();
348 hstreamCaptureStub->HStreamCaptureStubFuzzTest20();
349 hstreamCaptureStub->HStreamCaptureStubFuzzTest21();
350 }
351 } // namespace CameraStandard
352 } // namespace OHOS
353
354 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(uint8_t * data,size_t size)355 extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size)
356 {
357 if (size < OHOS::CameraStandard::THRESHOLD) {
358 return 0;
359 }
360
361 OHOS::CameraStandard::FuzzTest(data, size);
362 return 0;
363 }