1 /******************************************************************************
2 *
3 * Copyright (C) 2021 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************
18 * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
19 */
20
21 #define LOG_TAG "CameraServiceFuzzer"
22 //#define LOG_NDEBUG 0
23
24 #include <CameraService.h>
25 #include <device3/Camera3StreamInterface.h>
26 #include <android/hardware/BnCameraServiceListener.h>
27 #include <android/hardware/camera2/BnCameraDeviceCallbacks.h>
28 #include <android/hardware/ICameraServiceListener.h>
29 #include <android/hardware/camera2/ICameraDeviceUser.h>
30 #include <camera/camera2/OutputConfiguration.h>
31 #include <gui/BufferItemConsumer.h>
32 #include <gui/IGraphicBufferProducer.h>
33 #include <gui/Surface.h>
34 #include <gui/SurfaceComposerClient.h>
35 #include <private/android_filesystem_config.h>
36 #include "fuzzer/FuzzedDataProvider.h"
37
38 using namespace android;
39 using namespace hardware;
40 using namespace std;
41
42 const int32_t kPreviewThreshold = 8;
43 const int32_t kNumRequestsTested = 8;
44 const nsecs_t kPreviewTimeout = 5000000000; // .5 [s.]
45 const nsecs_t kEventTimeout = 10000000000; // 1 [s.]
46 const size_t kMaxNumLines = USHRT_MAX;
47 const size_t kMinArgs = 1;
48 const size_t kMaxArgs = 5;
49 const int32_t kCamType[] = {hardware::ICameraService::CAMERA_TYPE_BACKWARD_COMPATIBLE,
50 hardware::ICameraService::CAMERA_TYPE_ALL};
51 const int kCameraApiVersion[] = {android::CameraService::API_VERSION_1,
52 android::CameraService::API_VERSION_2};
53 const uint8_t kSensorPixelModes[] = {ANDROID_SENSOR_PIXEL_MODE_DEFAULT,
54 ANDROID_SENSOR_PIXEL_MODE_MAXIMUM_RESOLUTION};
55 const int32_t kRequestTemplates[] = {
56 hardware::camera2::ICameraDeviceUser::TEMPLATE_PREVIEW,
57 hardware::camera2::ICameraDeviceUser::TEMPLATE_STILL_CAPTURE,
58 hardware::camera2::ICameraDeviceUser::TEMPLATE_RECORD,
59 hardware::camera2::ICameraDeviceUser::TEMPLATE_VIDEO_SNAPSHOT,
60 hardware::camera2::ICameraDeviceUser::TEMPLATE_MANUAL,
61 hardware::camera2::ICameraDeviceUser::TEMPLATE_ZERO_SHUTTER_LAG
62 };
63
64 const int32_t kRotations[] = {
65 camera3::CAMERA_STREAM_ROTATION_0,
66 camera3::CAMERA_STREAM_ROTATION_90,
67 camera3::CAMERA_STREAM_ROTATION_270
68 };
69
70 const int kLayerMetadata[] = {
71 0x00100000 /*GRALLOC_USAGE_RENDERSCRIPT*/, 0x00000003 /*GRALLOC_USAGE_SW_READ_OFTEN*/,
72 0x00000100 /*GRALLOC_USAGE_HW_TEXTURE*/, 0x00000800 /*GRALLOC_USAGE_HW_COMPOSER*/,
73 0x00000200 /*GRALLOC_USAGE_HW_RENDER*/, 0x00010000 /*GRALLOC_USAGE_HW_VIDEO_ENCODER*/};
74 const int kCameraMsg[] = {0x001 /*CAMERA_MSG_ERROR*/,
75 0x002 /*CAMERA_MSG_SHUTTER*/,
76 0x004 /*CAMERA_MSG_FOCUS*/,
77 0x008 /*CAMERA_MSG_ZOOM*/,
78 0x010 /*CAMERA_MSG_PREVIEW_FRAME*/,
79 0x020 /*CAMERA_MSG_VIDEO_FRAME */,
80 0x040 /*CAMERA_MSG_POSTVIEW_FRAME*/,
81 0x080 /*CAMERA_MSG_RAW_IMAGE */,
82 0x100 /*CAMERA_MSG_COMPRESSED_IMAGE*/,
83 0x200 /*CAMERA_MSG_RAW_IMAGE_NOTIFY*/,
84 0x400 /*CAMERA_MSG_PREVIEW_METADATA*/,
85 0x800 /*CAMERA_MSG_FOCUS_MOVE*/};
86 const int32_t kEventId[] = {ICameraService::EVENT_USER_SWITCHED, ICameraService::EVENT_NONE};
87 const android::CameraService::sound_kind kSoundKind[] = {
88 android::CameraService::SOUND_SHUTTER, android::CameraService::SOUND_RECORDING_START,
89 android::CameraService::SOUND_RECORDING_STOP};
90 const String16 kShellCmd[] = {String16("set-uid-state"), String16("reset-uid-state"),
91 String16("get-uid-state"), String16("set-rotate-and-crop"),
92 String16("get-rotate-and-crop"), String16("help")};
93 const size_t kNumLayerMetaData = size(kLayerMetadata);
94 const size_t kNumCameraMsg = size(kCameraMsg);
95 const size_t kNumSoundKind = size(kSoundKind);
96 const size_t kNumShellCmd = size(kShellCmd);
97
98 class CameraFuzzer : public ::android::hardware::BnCameraClient {
99 public:
CameraFuzzer(sp<CameraService> cs,std::shared_ptr<FuzzedDataProvider> fp)100 CameraFuzzer(sp<CameraService> cs, std::shared_ptr<FuzzedDataProvider> fp) :
101 mCameraService(cs), mFuzzedDataProvider(fp) {};
~CameraFuzzer()102 ~CameraFuzzer() { deInit(); }
103 void process();
104 void deInit();
105
106 private:
107 sp<CameraService> mCameraService = nullptr;
108 std::shared_ptr<FuzzedDataProvider> mFuzzedDataProvider = nullptr;
109 sp<SurfaceComposerClient> mComposerClient = nullptr;
110 int32_t mNumCameras = 0;
111 size_t mPreviewBufferCount = 0;
112 bool mAutoFocusMessage = false;
113 bool mSnapshotNotification = false;
114 mutable Mutex mPreviewLock;
115 mutable Condition mPreviewCondition;
116 mutable Mutex mAutoFocusLock;
117 mutable Condition mAutoFocusCondition;
118 mutable Mutex mSnapshotLock;
119 mutable Condition mSnapshotCondition;
120
121 void getNumCameras();
122 void getCameraInformation(int32_t cameraId);
123 void invokeCameraAPIs();
124 void invokeCameraSound();
125 void invokeDump();
126 void invokeShellCommand();
127 void invokeNotifyCalls();
128
129 // CameraClient interface
130 void notifyCallback(int32_t msgType, int32_t, int32_t) override;
131 void dataCallback(int32_t msgType, const sp<IMemory> &, camera_frame_metadata_t *) override;
dataCallbackTimestamp(nsecs_t,int32_t,const sp<IMemory> &)132 void dataCallbackTimestamp(nsecs_t, int32_t, const sp<IMemory> &) override{};
recordingFrameHandleCallbackTimestamp(nsecs_t,native_handle_t *)133 void recordingFrameHandleCallbackTimestamp(nsecs_t, native_handle_t *) override{};
recordingFrameHandleCallbackTimestampBatch(const std::vector<nsecs_t> &,const std::vector<native_handle_t * > &)134 void recordingFrameHandleCallbackTimestampBatch(
135 const std::vector<nsecs_t> &, const std::vector<native_handle_t *> &) override{};
136 status_t waitForPreviewStart();
137 status_t waitForEvent(Mutex &mutex, Condition &condition, bool &flag);
138 };
139
notifyCallback(int32_t msgType,int32_t,int32_t)140 void CameraFuzzer::notifyCallback(int32_t msgType, int32_t, int32_t) {
141 if (CAMERA_MSG_FOCUS == msgType) {
142 Mutex::Autolock l(mAutoFocusLock);
143 mAutoFocusMessage = true;
144 mAutoFocusCondition.broadcast();
145 }
146 };
147
dataCallback(int32_t msgType,const sp<IMemory> &,camera_frame_metadata_t *)148 void CameraFuzzer::dataCallback(int32_t msgType, const sp<IMemory> & /*data*/,
149 camera_frame_metadata_t *) {
150 switch (msgType) {
151 case CAMERA_MSG_PREVIEW_FRAME: {
152 Mutex::Autolock l(mPreviewLock);
153 ++mPreviewBufferCount;
154 mPreviewCondition.broadcast();
155 break;
156 }
157 case CAMERA_MSG_COMPRESSED_IMAGE: {
158 Mutex::Autolock l(mSnapshotLock);
159 mSnapshotNotification = true;
160 mSnapshotCondition.broadcast();
161 break;
162 }
163 default:
164 break;
165 }
166 };
167
waitForPreviewStart()168 status_t CameraFuzzer::waitForPreviewStart() {
169 status_t rc = NO_ERROR;
170 Mutex::Autolock l(mPreviewLock);
171 mPreviewBufferCount = 0;
172
173 while (mPreviewBufferCount < kPreviewThreshold) {
174 rc = mPreviewCondition.waitRelative(mPreviewLock, kPreviewTimeout);
175 if (NO_ERROR != rc) {
176 break;
177 }
178 }
179
180 return rc;
181 }
182
waitForEvent(Mutex & mutex,Condition & condition,bool & flag)183 status_t CameraFuzzer::waitForEvent(Mutex &mutex, Condition &condition, bool &flag) {
184 status_t rc = NO_ERROR;
185 Mutex::Autolock l(mutex);
186 flag = false;
187
188 while (!flag) {
189 rc = condition.waitRelative(mutex, kEventTimeout);
190 if (NO_ERROR != rc) {
191 break;
192 }
193 }
194
195 return rc;
196 }
197
deInit()198 void CameraFuzzer::deInit() {
199 if (mComposerClient) {
200 mComposerClient->dispose();
201 }
202 }
203
getNumCameras()204 void CameraFuzzer::getNumCameras() {
205 bool shouldPassInvalidCamType = mFuzzedDataProvider->ConsumeBool();
206 int32_t camType;
207 if (shouldPassInvalidCamType) {
208 camType = mFuzzedDataProvider->ConsumeIntegral<int32_t>();
209 } else {
210 camType = kCamType[mFuzzedDataProvider->ConsumeBool()];
211 }
212 mCameraService->getNumberOfCameras(camType, &mNumCameras);
213 }
214
getCameraInformation(int32_t cameraId)215 void CameraFuzzer::getCameraInformation(int32_t cameraId) {
216 String16 cameraIdStr = String16(String8::format("%d", cameraId));
217 bool isSupported = false;
218 mCameraService->supportsCameraApi(
219 cameraIdStr, kCameraApiVersion[mFuzzedDataProvider->ConsumeBool()], &isSupported);
220 mCameraService->isHiddenPhysicalCamera(cameraIdStr, &isSupported);
221
222 String16 parameters;
223 mCameraService->getLegacyParameters(cameraId, ¶meters);
224
225 std::vector<hardware::camera2::utils::ConcurrentCameraIdCombination> concurrentCameraIds;
226 mCameraService->getConcurrentCameraIds(&concurrentCameraIds);
227
228 hardware::camera2::params::VendorTagDescriptorCache cache;
229 mCameraService->getCameraVendorTagCache(&cache);
230
231 CameraInfo cameraInfo;
232 mCameraService->getCameraInfo(cameraId, /*overrideToPortrait*/false, &cameraInfo);
233
234 CameraMetadata metadata;
235 mCameraService->getCameraCharacteristics(cameraIdStr,
236 /*targetSdkVersion*/__ANDROID_API_FUTURE__, /*overrideToPortrait*/false, &metadata);
237 }
238
invokeCameraSound()239 void CameraFuzzer::invokeCameraSound() {
240 mCameraService->increaseSoundRef();
241 mCameraService->decreaseSoundRef();
242 bool shouldPassInvalidPlaySound = mFuzzedDataProvider->ConsumeBool();
243 bool shouldPassInvalidLockSound = mFuzzedDataProvider->ConsumeBool();
244 android::CameraService::sound_kind playSound, lockSound;
245 if (shouldPassInvalidPlaySound) {
246 playSound = static_cast<android::CameraService::sound_kind>(
247 mFuzzedDataProvider->ConsumeIntegral<size_t>());
248 } else {
249 playSound =
250 kSoundKind[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kNumSoundKind - 1)];
251 }
252
253 if (shouldPassInvalidLockSound) {
254 lockSound = static_cast<android::CameraService::sound_kind>(
255 mFuzzedDataProvider->ConsumeIntegral<size_t>());
256 } else {
257 lockSound =
258 kSoundKind[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kNumSoundKind - 1)];
259 }
260 mCameraService->playSound(playSound);
261 mCameraService->loadSoundLocked(lockSound);
262 }
263
invokeDump()264 void CameraFuzzer::invokeDump() {
265 Vector<String16> args;
266 size_t numberOfLines = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kMaxNumLines);
267 for (size_t lineIdx = 0; lineIdx < numberOfLines; ++lineIdx) {
268 args.add(static_cast<String16>(mFuzzedDataProvider->ConsumeRandomLengthString().c_str()));
269 }
270 const char *fileName = "logDumpFile";
271 int fd = memfd_create(fileName, MFD_ALLOW_SEALING);
272 mCameraService->dump(fd, args);
273 close(fd);
274 }
275
invokeShellCommand()276 void CameraFuzzer::invokeShellCommand() {
277 int in = mFuzzedDataProvider->ConsumeIntegral<int>();
278 int out = mFuzzedDataProvider->ConsumeIntegral<int>();
279 int err = mFuzzedDataProvider->ConsumeIntegral<int>();
280 Vector<String16> args;
281 size_t numArgs = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(kMinArgs, kMaxArgs);
282 for (size_t argsIdx = 0; argsIdx < numArgs; ++argsIdx) {
283 bool shouldPassInvalidCommand = mFuzzedDataProvider->ConsumeBool();
284 if (shouldPassInvalidCommand) {
285 args.add(
286 static_cast<String16>(mFuzzedDataProvider->ConsumeRandomLengthString().c_str()));
287 } else {
288 args.add(kShellCmd[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
289 0, kNumShellCmd - 1)]);
290 }
291 }
292 mCameraService->shellCommand(in, out, err, args);
293 }
294
invokeNotifyCalls()295 void CameraFuzzer::invokeNotifyCalls() {
296 mCameraService->notifyMonitoredUids();
297 int64_t newState = mFuzzedDataProvider->ConsumeIntegral<int64_t>();
298 mCameraService->notifyDeviceStateChange(newState);
299 std::vector<int32_t> args;
300 size_t numArgs = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(kMinArgs, kMaxArgs);
301 for (size_t argsIdx = 0; argsIdx < numArgs; ++argsIdx) {
302 args.push_back(mFuzzedDataProvider->ConsumeIntegral<int32_t>());
303 }
304 bool shouldPassInvalidEvent = mFuzzedDataProvider->ConsumeBool();
305 int32_t eventId;
306 if (shouldPassInvalidEvent) {
307 eventId = mFuzzedDataProvider->ConsumeIntegral<int32_t>();
308 } else {
309 eventId = kEventId[mFuzzedDataProvider->ConsumeBool()];
310 }
311 mCameraService->notifySystemEvent(eventId, args);
312 }
313
invokeCameraAPIs()314 void CameraFuzzer::invokeCameraAPIs() {
315 for (int32_t cameraId = 0; cameraId < mNumCameras; ++cameraId) {
316 getCameraInformation(cameraId);
317
318 ::android::binder::Status rc;
319 sp<ICamera> cameraDevice;
320
321 rc = mCameraService->connect(this, cameraId, String16(),
322 android::CameraService::USE_CALLING_UID, android::CameraService::USE_CALLING_PID,
323 /*targetSdkVersion*/__ANDROID_API_FUTURE__, /*overrideToPortrait*/true,
324 /*forceSlowJpegMode*/false,
325 &cameraDevice);
326 if (!rc.isOk()) {
327 // camera not connected
328 return;
329 }
330 if (cameraDevice) {
331 sp<Surface> previewSurface;
332 sp<SurfaceControl> surfaceControl;
333 CameraParameters params(cameraDevice->getParameters());
334 String8 focusModes(params.get(CameraParameters::KEY_SUPPORTED_FOCUS_MODES));
335 bool isAFSupported = false;
336 const char *focusMode = nullptr;
337
338 if (focusModes.contains(CameraParameters::FOCUS_MODE_AUTO)) {
339 isAFSupported = true;
340 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_CONTINUOUS_PICTURE)) {
341 isAFSupported = true;
342 focusMode = CameraParameters::FOCUS_MODE_CONTINUOUS_PICTURE;
343 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_CONTINUOUS_VIDEO)) {
344 isAFSupported = true;
345 focusMode = CameraParameters::FOCUS_MODE_CONTINUOUS_VIDEO;
346 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_MACRO)) {
347 isAFSupported = true;
348 focusMode = CameraParameters::FOCUS_MODE_MACRO;
349 }
350 if (nullptr != focusMode) {
351 params.set(CameraParameters::KEY_FOCUS_MODE, focusMode);
352 cameraDevice->setParameters(params.flatten());
353 }
354 int previewWidth, previewHeight;
355 params.getPreviewSize(&previewWidth, &previewHeight);
356
357 mComposerClient = new SurfaceComposerClient;
358 mComposerClient->initCheck();
359
360 bool shouldPassInvalidLayerMetaData = mFuzzedDataProvider->ConsumeBool();
361 int layerMetaData;
362 if (shouldPassInvalidLayerMetaData) {
363 layerMetaData = mFuzzedDataProvider->ConsumeIntegral<int>();
364 } else {
365 layerMetaData = kLayerMetadata[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
366 0, kNumLayerMetaData - 1)];
367 }
368 surfaceControl = mComposerClient->createSurface(
369 String8("Test Surface"), previewWidth, previewHeight,
370 CameraParameters::previewFormatToEnum(params.getPreviewFormat()), layerMetaData);
371
372 if (surfaceControl.get() != nullptr) {
373 SurfaceComposerClient::Transaction{}
374 .setLayer(surfaceControl, 0x7fffffff)
375 .show(surfaceControl)
376 .apply();
377
378 previewSurface = surfaceControl->getSurface();
379 cameraDevice->setPreviewTarget(previewSurface->getIGraphicBufferProducer());
380 }
381 cameraDevice->setPreviewCallbackFlag(CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER);
382
383 Vector<Size> pictureSizes;
384 params.getSupportedPictureSizes(pictureSizes);
385
386 for (size_t i = 0; i < pictureSizes.size(); ++i) {
387 params.setPictureSize(pictureSizes[i].width, pictureSizes[i].height);
388 cameraDevice->setParameters(params.flatten());
389 cameraDevice->startPreview();
390 waitForPreviewStart();
391 cameraDevice->autoFocus();
392 waitForEvent(mAutoFocusLock, mAutoFocusCondition, mAutoFocusMessage);
393 bool shouldPassInvalidCameraMsg = mFuzzedDataProvider->ConsumeBool();
394 int msgType;
395 if (shouldPassInvalidCameraMsg) {
396 msgType = mFuzzedDataProvider->ConsumeIntegral<int>();
397 } else {
398 msgType = kCameraMsg[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
399 0, kNumCameraMsg - 1)];
400 }
401 cameraDevice->takePicture(msgType);
402
403 waitForEvent(mSnapshotLock, mSnapshotCondition, mSnapshotNotification);
404 }
405
406 Vector<Size> videoSizes;
407 params.getSupportedVideoSizes(videoSizes);
408
409 for (size_t i = 0; i < videoSizes.size(); ++i) {
410 params.setVideoSize(videoSizes[i].width, videoSizes[i].height);
411
412 cameraDevice->setParameters(params.flatten());
413 cameraDevice->startPreview();
414 waitForPreviewStart();
415 cameraDevice->setVideoBufferMode(
416 android::hardware::BnCamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE);
417 cameraDevice->setVideoTarget(previewSurface->getIGraphicBufferProducer());
418 cameraDevice->startRecording();
419 cameraDevice->stopRecording();
420 }
421 cameraDevice->stopPreview();
422 cameraDevice->disconnect();
423 }
424 }
425 }
426
process()427 void CameraFuzzer::process() {
428 getNumCameras();
429 invokeCameraSound();
430 if (mNumCameras > 0) {
431 invokeCameraAPIs();
432 }
433 invokeDump();
434 invokeShellCommand();
435 invokeNotifyCalls();
436 }
437
438 class TestCameraServiceListener : public hardware::BnCameraServiceListener {
439 public:
~TestCameraServiceListener()440 virtual ~TestCameraServiceListener() {};
441
onStatusChanged(int32_t,const String16 &)442 virtual binder::Status onStatusChanged(int32_t , const String16&) {
443 return binder::Status::ok();
444 };
445
onPhysicalCameraStatusChanged(int32_t,const String16 &,const String16 &)446 virtual binder::Status onPhysicalCameraStatusChanged(int32_t /*status*/,
447 const String16& /*cameraId*/, const String16& /*physicalCameraId*/) {
448 // No op
449 return binder::Status::ok();
450 };
451
onTorchStatusChanged(int32_t,const String16 &)452 virtual binder::Status onTorchStatusChanged(int32_t /*status*/, const String16& /*cameraId*/) {
453 return binder::Status::ok();
454 };
455
onCameraAccessPrioritiesChanged()456 virtual binder::Status onCameraAccessPrioritiesChanged() {
457 // No op
458 return binder::Status::ok();
459 }
460
onCameraOpened(const String16 &,const String16 &)461 virtual binder::Status onCameraOpened(const String16& /*cameraId*/,
462 const String16& /*clientPackageName*/) {
463 // No op
464 return binder::Status::ok();
465 }
466
onCameraClosed(const String16 &)467 virtual binder::Status onCameraClosed(const String16& /*cameraId*/) {
468 // No op
469 return binder::Status::ok();
470 }
471
onTorchStrengthLevelChanged(const String16 &,int32_t)472 virtual binder::Status onTorchStrengthLevelChanged(const String16& /*cameraId*/,
473 int32_t /*torchStrength*/) {
474 // No op
475 return binder::Status::ok();
476 }
477 };
478
479 class TestCameraDeviceCallbacks : public hardware::camera2::BnCameraDeviceCallbacks {
480 public:
TestCameraDeviceCallbacks()481 TestCameraDeviceCallbacks() {}
482
~TestCameraDeviceCallbacks()483 virtual ~TestCameraDeviceCallbacks() {}
484
onDeviceError(int,const CaptureResultExtras &)485 virtual binder::Status onDeviceError(int /*errorCode*/,
486 const CaptureResultExtras& /*resultExtras*/) {
487 return binder::Status::ok();
488 }
489
onDeviceIdle()490 virtual binder::Status onDeviceIdle() {
491 return binder::Status::ok();
492 }
493
onCaptureStarted(const CaptureResultExtras &,int64_t)494 virtual binder::Status onCaptureStarted(const CaptureResultExtras& /*resultExtras*/,
495 int64_t /*timestamp*/) {
496 return binder::Status::ok();
497 }
498
onResultReceived(const CameraMetadata &,const CaptureResultExtras &,const std::vector<PhysicalCaptureResultInfo> &)499 virtual binder::Status onResultReceived(const CameraMetadata& /*metadata*/,
500 const CaptureResultExtras& /*resultExtras*/,
501 const std::vector<PhysicalCaptureResultInfo>& /*physicalResultInfos*/) {
502 return binder::Status::ok();
503 }
504
onPrepared(int)505 virtual binder::Status onPrepared(int /*streamId*/) {
506 return binder::Status::ok();
507 }
508
onRepeatingRequestError(int64_t,int32_t)509 virtual binder::Status onRepeatingRequestError(
510 int64_t /*lastFrameNumber*/, int32_t /*stoppedSequenceId*/) {
511 return binder::Status::ok();
512 }
513
onRequestQueueEmpty()514 virtual binder::Status onRequestQueueEmpty() {
515 return binder::Status::ok();
516 }
517 };
518
519 class Camera2Fuzzer {
520 public:
Camera2Fuzzer(sp<CameraService> cs,std::shared_ptr<FuzzedDataProvider> fp)521 Camera2Fuzzer(sp<CameraService> cs, std::shared_ptr<FuzzedDataProvider> fp) :
522 mCameraService(cs), mFuzzedDataProvider(fp) { };
~Camera2Fuzzer()523 ~Camera2Fuzzer() {}
524 void process();
525 private:
526 sp<CameraService> mCameraService = nullptr;
527 std::shared_ptr<FuzzedDataProvider> mFuzzedDataProvider = nullptr;
528 };
529
process()530 void Camera2Fuzzer::process() {
531 sp<TestCameraServiceListener> listener = new TestCameraServiceListener();
532 std::vector<hardware::CameraStatus> statuses;
533 mCameraService->addListenerTest(listener, &statuses);
534 for (auto s : statuses) {
535 sp<TestCameraDeviceCallbacks> callbacks(new TestCameraDeviceCallbacks());
536 sp<hardware::camera2::ICameraDeviceUser> device;
537 mCameraService->connectDevice(callbacks, String16(s.cameraId), String16(), {},
538 android::CameraService::USE_CALLING_UID, 0/*oomScoreDiff*/,
539 /*targetSdkVersion*/__ANDROID_API_FUTURE__, /*overrideToPortrait*/true,
540 &device);
541 if (device == nullptr) {
542 continue;
543 }
544 device->beginConfigure();
545 sp<IGraphicBufferProducer> gbProducer;
546 sp<IGraphicBufferConsumer> gbConsumer;
547 BufferQueue::createBufferQueue(&gbProducer, &gbConsumer);
548 sp<BufferItemConsumer> opaqueConsumer = new BufferItemConsumer(gbConsumer,
549 GRALLOC_USAGE_SW_READ_NEVER, /*maxImages*/8, /*controlledByApp*/true);
550 opaqueConsumer->setName(String8("Roger"));
551
552 // Set to VGA dimension for default, as that is guaranteed to be present
553 gbConsumer->setDefaultBufferSize(640, 480);
554 gbConsumer->setDefaultBufferFormat(HAL_PIXEL_FORMAT_IMPLEMENTATION_DEFINED);
555
556 sp<Surface> surface(new Surface(gbProducer, /*controlledByApp*/false));
557
558 String16 noPhysicalId;
559 size_t rotations = sizeof(kRotations) / sizeof(int32_t) - 1;
560 OutputConfiguration output(gbProducer,
561 kRotations[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, rotations)],
562 noPhysicalId);
563 int streamId;
564 device->createStream(output, &streamId);
565 CameraMetadata sessionParams;
566 std::vector<int> offlineStreamIds;
567 device->endConfigure(/*isConstrainedHighSpeed*/ mFuzzedDataProvider->ConsumeBool(),
568 sessionParams, ns2ms(systemTime()), &offlineStreamIds);
569
570 CameraMetadata requestTemplate;
571 size_t requestTemplatesSize = sizeof(kRequestTemplates) /sizeof(int32_t) - 1;
572 device->createDefaultRequest(kRequestTemplates[
573 mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, requestTemplatesSize)],
574 /*out*/&requestTemplate);
575 hardware::camera2::CaptureRequest request;
576 request.mSurfaceList.add(surface);
577 request.mIsReprocess = false;
578 hardware::camera2::utils::SubmitInfo info;
579 for (int i = 0; i < kNumRequestsTested; i++) {
580 uint8_t sensorPixelMode =
581 kSensorPixelModes[mFuzzedDataProvider->ConsumeBool() ? 1 : 0];
582 requestTemplate.update(ANDROID_SENSOR_PIXEL_MODE, &sensorPixelMode, 1);
583 request.mPhysicalCameraSettings.clear();
584 request.mPhysicalCameraSettings.push_back({s.cameraId.string(), requestTemplate});
585 device->submitRequest(request, /*streaming*/false, /*out*/&info);
586 ALOGV("%s : camera id %s submit request id %d",__FUNCTION__, s.cameraId.string(),
587 info.mRequestId);
588 }
589 device->disconnect();
590 }
591 }
592
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)593 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
594 if (size < 1) {
595 return 0;
596 }
597 setuid(AID_CAMERASERVER);
598 std::shared_ptr<FuzzedDataProvider> fp = std::make_shared<FuzzedDataProvider>(data, size);
599 sp<CameraService> cs = new CameraService();
600 cs->clearCachedVariables();
601 sp<CameraFuzzer> camerafuzzer = new CameraFuzzer(cs, fp);
602 if (!camerafuzzer) {
603 return 0;
604 }
605 camerafuzzer->process();
606 Camera2Fuzzer camera2fuzzer(cs, fp);
607 camera2fuzzer.process();
608 return 0;
609 }
610