1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "camera_device_fuzzer.h"
17 #include "camera_log.h"
18 #include "camera_xcollie.h"
19 #include "camera_dynamic_loader.h"
20 #include "input/camera_manager.h"
21 #include "metadata_utils.h"
22 #include "ipc_skeleton.h"
23 #include "accesstoken_kit.h"
24 #include "nativetoken_kit.h"
25 #include "token_setproc.h"
26 #include <fuzzer/FuzzedDataProvider.h>
27 #include "hcamera_device.h"
28 #include "test_token.h"
29
30 using namespace std;
31
32 namespace OHOS {
33 namespace CameraStandard {
34 const std::u16string FORMMGR_INTERFACE_TOKEN = u"ICameraDeviceService";
35 const int32_t MIN_SIZE_NUM = 256;
36 const int32_t NUM_10 = 10;
37 const int32_t NUM_100 = 100;
38 const int32_t MAX_BUFFER_SIZE = 16;
39 const int32_t MAX_STRING_LEN = 4;
40 sptr<HCameraDevice> fuzzCameraDevice = nullptr;
41
PrepareHCameraDevice()42 void PrepareHCameraDevice()
43 {
44 if (fuzzCameraDevice == nullptr) {
45 sptr<HCameraHostManager> cameraHostManager = new HCameraHostManager(nullptr);
46 std::vector<std::string> cameraIds;
47 cameraHostManager->GetCameras(cameraIds);
48 CHECK_RETURN_ELOG(cameraIds.empty(), "Fuzz:PrepareHCameraDevice: GetCameras returns empty");
49 string cameraID = cameraIds[0];
50 auto callingTokenId = IPCSkeleton::GetCallingTokenID();
51 MEDIA_INFO_LOG("Fuzz:PrepareHCameraDevice: callingTokenId = %{public}d", callingTokenId);
52 string permissionName = OHOS_PERMISSION_CAMERA;
53 int32_t ret = CheckPermission(permissionName, callingTokenId);
54 CHECK_RETURN_ELOG(ret != CAMERA_OK, "Fuzz:PrepareHCameraDevice: CheckPermission Failed");
55 fuzzCameraDevice = new HCameraDevice(cameraHostManager, cameraID, callingTokenId);
56 MEDIA_INFO_LOG("Fuzz:PrepareHCameraDevice: Success");
57 }
58 }
59
CameraDeviceFuzzTest(FuzzedDataProvider & fdp)60 void CameraDeviceFuzzTest(FuzzedDataProvider& fdp)
61 {
62 int32_t itemCount = NUM_10;
63 int32_t dataSize = NUM_100;
64 uint8_t streamSize = fdp.ConsumeIntegralInRange<uint8_t>(0, MAX_BUFFER_SIZE);
65 std::vector<int32_t> streamData ;
66 for (int i = 0; i < streamSize; ++i) {
67 streamData.push_back(fdp.ConsumeIntegral<int32_t>());
68 }
69 std::shared_ptr<OHOS::Camera::CameraMetadata> ability;
70 ability = std::make_shared<OHOS::Camera::CameraMetadata>(itemCount, dataSize);
71
72 ability->addEntry(OHOS_ABILITY_STREAM_AVAILABLE_EXTEND_CONFIGURATIONS,
73 streamData.data(), streamData.size());
74
75 {
76 int32_t compensationRange[2] = {fdp.ConsumeIntegral<int32_t>(), fdp.ConsumeIntegral<int32_t>()};
77 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_RANGE, compensationRange,
78 sizeof(compensationRange) / sizeof(compensationRange[0]));
79 }
80
81 {
82 float focalLength = fdp.ConsumeFloatingPoint<float>();
83 ability->addEntry(OHOS_ABILITY_FOCAL_LENGTH, &focalLength, 1);
84 }
85
86 {
87 int32_t sensorOrientation = fdp.ConsumeIntegral<int32_t>();
88 ability->addEntry(OHOS_SENSOR_ORIENTATION, &sensorOrientation, 1);
89 }
90
91 {
92 uint8_t cameraPosition = fdp.ConsumeIntegral<uint8_t>();
93 ability->addEntry(OHOS_ABILITY_CAMERA_POSITION, &cameraPosition, 1);
94 }
95
96 {
97 uint64_t aeCompensationStep = fdp.ConsumeIntegral<uint64_t>();
98 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_STEP, &aeCompensationStep, 1);
99 }
100
101 MessageParcel dataParcel;
102 dataParcel.WriteInterfaceToken(FORMMGR_INTERFACE_TOKEN);
103 CHECK_RETURN_ELOG(!(OHOS::Camera::MetadataUtils::EncodeCameraMetadata(ability, dataParcel)),
104 "CameraDeviceFuzzer: EncodeCameraMetadata Error");
105 dataParcel.RewindRead(0);
106 MessageParcel reply;
107 MessageOption option;
108 PrepareHCameraDevice();
109 if (fuzzCameraDevice) {
110 uint32_t code = 4;
111 fuzzCameraDevice->OnRemoteRequest(code, dataParcel, reply, option);
112 }
113 }
114
CameraDeviceFuzzTestUpdateSetting(FuzzedDataProvider & fdp)115 void CameraDeviceFuzzTestUpdateSetting(FuzzedDataProvider& fdp)
116 {
117 int32_t itemCount = NUM_10;
118 int32_t dataSize = NUM_100;
119 uint8_t streamSize = fdp.ConsumeIntegralInRange<uint8_t>(0, MAX_BUFFER_SIZE);
120 std::vector<uint8_t> streamData = fdp.ConsumeBytes<uint8_t>(streamSize);
121 auto ability = std::make_shared<OHOS::Camera::CameraMetadata>(itemCount, dataSize);
122
123 {
124 int32_t compensationRange[2] = {fdp.ConsumeIntegral<int32_t>(), fdp.ConsumeIntegral<int32_t>()};
125 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_RANGE, compensationRange,
126 sizeof(compensationRange) / sizeof(compensationRange[0]));
127 }
128
129 {
130 int32_t focalLength = fdp.ConsumeIntegral<int32_t>();
131 ability->addEntry(OHOS_SENSOR_ORIENTATION, &focalLength, 1);
132 }
133
134 {
135 uint8_t sensorOrientation = fdp.ConsumeIntegral<uint8_t>();
136 ability->addEntry(OHOS_ABILITY_CAMERA_POSITION, &sensorOrientation, 1);
137 }
138
139 {
140 uint64_t cameraPosition = fdp.ConsumeIntegral<uint64_t>();
141 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_STEP, &cameraPosition, 1);
142 }
143
144 if (fuzzCameraDevice) {
145 fuzzCameraDevice->UpdateSettingOnce(ability);
146 fuzzCameraDevice->UpdateSetting(ability);
147 auto out = std::make_shared<OHOS::Camera::CameraMetadata>(itemCount, dataSize);
148 fuzzCameraDevice->GetStatus(ability, out);
149 vector<uint8_t> result;
150 OHOS::Camera::MetadataUtils::ConvertMetadataToVec(ability, result);
151 fuzzCameraDevice->OnResult(fdp.ConsumeIntegral<uint64_t>(), result);
152 auto type = OHOS::HDI::Camera::V1_0::ErrorType::REQUEST_TIMEOUT;
153 fuzzCameraDevice->OnError(type, fdp.ConsumeIntegral<int32_t>());
154 }
155 }
156
CameraDeviceFuzzTest2Case1()157 void CameraDeviceFuzzTest2Case1()
158 {
159 if (fuzzCameraDevice) {
160 fuzzCameraDevice->GetStreamOperatorCallback();
161 fuzzCameraDevice->GetCallerToken();
162 fuzzCameraDevice->GetDeviceAbility();
163 fuzzCameraDevice->GetCameraType();
164 fuzzCameraDevice->GetCameraId();
165 }
166 }
167
CameraDeviceFuzzTest2Case2(FuzzedDataProvider & fdp)168 void CameraDeviceFuzzTest2Case2(FuzzedDataProvider& fdp)
169 {
170 // 运行会出错
171 sptr<ICameraDeviceServiceCallback> callback(new ICameraDeviceServiceCallbackMock());
172 fuzzCameraDevice->SetCallback(callback);
173 wptr<IStreamOperatorCallback> opCallback(new IStreamOperatorCallbackMock());
174 fuzzCameraDevice->SetStreamOperatorCallback(opCallback);
175 vector<int32_t> results{fdp.ConsumeIntegral<int32_t>()};
176 fuzzCameraDevice->EnableResult(results);
177 fuzzCameraDevice->DisableResult(results);
178 fuzzCameraDevice->CloneCachedSettings();
179 fuzzCameraDevice->DispatchDefaultSettingToHdi();
180 fuzzCameraDevice->Release();
181 fuzzCameraDevice->Close();
182 uint64_t secureSeqId;
183 fuzzCameraDevice->GetSecureCameraSeq(&secureSeqId);
184 fuzzCameraDevice->OpenSecureCamera(secureSeqId);
185 }
186
CameraDeviceFuzzTest2(FuzzedDataProvider & fdp)187 void CameraDeviceFuzzTest2(FuzzedDataProvider& fdp)
188 {
189 if (fuzzCameraDevice) {
190 fuzzCameraDevice->OperatePermissionCheck(fdp.ConsumeIntegral<uint32_t>());
191 fuzzCameraDevice->Open();
192 fuzzCameraDevice->CheckMovingPhotoSupported(fdp.ConsumeIntegral<int32_t>());
193 fuzzCameraDevice->NotifyCameraStatus(fdp.ConsumeIntegral<int32_t>());
194 fuzzCameraDevice->RemoveResourceWhenHostDied();
195 CameraDeviceFuzzTest2Case1();
196 fuzzCameraDevice->ResetDeviceSettings();
197 fuzzCameraDevice->SetDeviceMuteMode(fdp.ConsumeBool());
198 fuzzCameraDevice->IsOpenedCameraDevice();
199 fuzzCameraDevice->CloseDevice();
200 }
201 }
202
Test3(FuzzedDataProvider & fdp)203 void Test3(FuzzedDataProvider& fdp)
204 {
205 auto manager = CameraManager::GetInstance();
206 auto cameras = manager->GetSupportedCameras();
207 CHECK_RETURN_ELOG(cameras.size() < MIN_SIZE_NUM, "PhotoOutputFuzzer: GetSupportedCameras Error");
208 sptr<CameraDevice> camera = cameras[fdp.ConsumeIntegral<uint32_t>() % cameras.size()];
209 camera->GetID();
210 camera->GetMetadata();
211 camera->ResetMetadata();
212 camera->GetCameraAbility();
213 camera->GetPosition();
214 camera->GetCameraType();
215 camera->GetConnectionType();
216 camera->GetCameraFoldScreenType();
217 camera->GetHostName();
218 camera->GetDeviceType();
219 camera->GetNetWorkId();
220 camera->GetCameraOrientation();
221 camera->GetExposureBiasRange();
222 camera->GetModuleType();
223 camera->GetUsedAsPosition();
224 CameraFormat format = static_cast<CameraFormat>(fdp.ConsumeIntegral<int32_t>());
225 auto capability = manager->GetSupportedOutputCapability(camera);
226 CHECK_RETURN_ELOG(!capability, "PhotoOutputFuzzer: GetSupportedOutputCapability Error");
227 vector<Profile> profiles = capability->GetPhotoProfiles();
228 camera->GetMaxSizeProfile(profiles, fdp.ConsumeFloatingPoint<float>(), format);
229 auto profiles2 = capability->GetVideoProfiles();
230 camera->GetMaxSizeProfile(profiles2, fdp.ConsumeFloatingPoint<float>(), format);
231 camera->SetProfile(capability);
232 auto modeName = fdp.ConsumeIntegral<int32_t>();
233 camera->SetProfile(capability, modeName);
234 camera->SetCameraDeviceUsedAsPosition(CameraPosition::CAMERA_POSITION_FRONT);
235 camera->GetSupportedFoldStatus();
236 auto randomNum = fdp.ConsumeIntegral<uint32_t>();
237 std::vector<std::string> testStrings = {"cameraid1", "cameraid2"};
238 std::string cameraID(testStrings[randomNum % testStrings.size()]);
239 std::shared_ptr<OHOS::Camera::CameraMetadata> metadata =
240 std::make_shared<OHOS::Camera::CameraMetadata>(NUM_10, NUM_100);
241 std::shared_ptr<CameraDevice> cameraDevice =
242 std::make_shared<CameraDevice>(cameraID, metadata);
243 }
244
TestXCollie(FuzzedDataProvider & fdp)245 void TestXCollie(FuzzedDataProvider& fdp)
246 {
247 string tag = fdp.ConsumeRandomLengthString(MAX_STRING_LEN);
248 uint32_t flag = fdp.ConsumeIntegral<int32_t>();
249 uint32_t timeoutSeconds = fdp.ConsumeIntegral<uint32_t>();
250 auto func = [](void*) {};
251 #ifndef HICOLLIE_ENABLE
252 #define HICOLLIE_ENABLE
253 #endif
254 {
255 CameraXCollie collie(tag, flag, timeoutSeconds, func, nullptr);
256 collie.CancelCameraXCollie();
257 }
258 #undef HICOLLIE_ENABLE
259 {
260 CameraXCollie collie(tag, flag, timeoutSeconds, func, nullptr);
261 collie.CancelCameraXCollie();
262 }
263 }
264
TestDynamicLoader(FuzzedDataProvider & fdp)265 void TestDynamicLoader(FuzzedDataProvider& fdp)
266 {
267 string libName = fdp.ConsumeRandomLengthString(MAX_STRING_LEN);
268 CameraDynamicLoader::GetDynamiclib(libName);
269 CameraDynamicLoader::LoadDynamiclibAsync(libName);
270 CameraDynamicLoader::FreeDynamicLibDelayed(libName);
271 }
272
TestCameraDeviceServiceCallback(FuzzedDataProvider & fdp)273 void TestCameraDeviceServiceCallback(FuzzedDataProvider& fdp)
274 {
275 auto meta = make_shared<OHOS::Camera::CameraMetadata>(10, 100);
276 int val = 1;
277 AddOrUpdateMetadata(meta, OHOS_STATUS_CAMERA_OCCLUSION_DETECTION, &val, 1);
278
279 CameraDeviceServiceCallback callback;
280 callback.OnError(fdp.ConsumeIntegral<int32_t>(), fdp.ConsumeIntegral<int32_t>());
281 callback.OnResult(fdp.ConsumeIntegral<uint64_t>(), meta);
282
283 auto manager = CameraManager::GetInstance();
284 auto cameras = manager->GetSupportedCameras();
285 auto input = manager->CreateCameraInput(cameras[0]);
286 class ErrorCallbackMock : public ErrorCallback {
287 public:
288 void OnError(const int32_t errorType, const int32_t errorMsg) const override {}
289 };
290 input->SetErrorCallback(make_shared<ErrorCallbackMock>());
291 class ResultCallbackMock : public ResultCallback {
292 public:
293 void OnResult(const uint64_t timestamp,
294 const std::shared_ptr<OHOS::Camera::CameraMetadata> &result) const override {}
295 };
296 input->SetResultCallback(make_shared<ResultCallbackMock>());
297 class CameraOcclusionDetectCallbackMock : public CameraOcclusionDetectCallback {
298 public:
299 void OnCameraOcclusionDetected(const uint8_t isCameraOcclusion,
300 const uint8_t isCameraLensDirty) const override {}
301 };
302 input->SetOcclusionDetectCallback(make_shared<CameraOcclusionDetectCallbackMock>());
303 CameraDeviceServiceCallback callback2(input);
304 callback2.OnError(fdp.ConsumeIntegral<int32_t>(), fdp.ConsumeIntegral<int32_t>());
305 callback2.OnResult(fdp.ConsumeIntegral<uint64_t>(), meta);
306 input->GetCameraDeviceInfo().clear();
307 callback2.OnError(fdp.ConsumeIntegral<int32_t>(), fdp.ConsumeIntegral<int32_t>());
308 callback2.OnResult(fdp.ConsumeIntegral<uint64_t>(), meta);
309 input->Release();
310 }
311 } // namespace CameraStandard
312 } // namespace OHOS
313
314 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(uint8_t * data,size_t size)315 extern "C" int LLVMFuzzerTestOneInput(uint8_t* data, size_t size)
316 {
317 /* Run your code on data */
318 FuzzedDataProvider fdp(data, size);
319 if (fdp.remaining_bytes() < OHOS::CameraStandard::MIN_SIZE_NUM) {
320 return 0;
321 }
322 CHECK_RETURN_RET_ELOG(!OHOS::CameraStandard::TestToken().GetAllCameraPermission(), 0, "GetPermission error");
323 OHOS::CameraStandard::CameraDeviceFuzzTest(fdp);
324 OHOS::CameraStandard::CameraDeviceFuzzTestUpdateSetting(fdp);
325 OHOS::CameraStandard::CameraDeviceFuzzTest2(fdp);
326 OHOS::CameraStandard::Test3(fdp);
327 OHOS::CameraStandard::TestXCollie(fdp);
328 OHOS::CameraStandard::TestDynamicLoader(fdp);
329 OHOS::CameraStandard::TestCameraDeviceServiceCallback(fdp);
330 return 0;
331 }