1 /*
2 * Copyright 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include <gui/BufferQueueConsumer.h>
17 #include <gui/BufferQueueCore.h>
18 #include <gui/BufferQueueProducer.h>
19 #include <gui/LayerMetadata.h>
20 #include <gui/OccupancyTracker.h>
21 #include <gui/StreamSplitter.h>
22 #include <gui/Surface.h>
23 #include <gui/SurfaceControl.h>
24 #include <gui/view/Surface.h>
25 #include <libgui_fuzzer_utils.h>
26 #include "android/view/LayerMetadataKey.h"
27
28 using namespace android;
29
30 constexpr int32_t kMaxBytes = 256;
31 constexpr int32_t kMatrixSize = 4;
32 constexpr int32_t kLayerMetadataKeyCount = 8;
33
34 constexpr uint32_t kMetadataKey[] = {
35 (uint32_t)view::LayerMetadataKey::METADATA_OWNER_UID,
36 (uint32_t)view::LayerMetadataKey::METADATA_WINDOW_TYPE,
37 (uint32_t)view::LayerMetadataKey::METADATA_TASK_ID,
38 (uint32_t)view::LayerMetadataKey::METADATA_MOUSE_CURSOR,
39 (uint32_t)view::LayerMetadataKey::METADATA_ACCESSIBILITY_ID,
40 (uint32_t)view::LayerMetadataKey::METADATA_OWNER_PID,
41 (uint32_t)view::LayerMetadataKey::METADATA_DEQUEUE_TIME,
42 (uint32_t)view::LayerMetadataKey::METADATA_GAME_MODE,
43 };
44
45 class ParcelableFuzzer {
46 public:
ParcelableFuzzer(const uint8_t * data,size_t size)47 ParcelableFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){};
48 void process();
49
50 private:
51 void invokeStreamSplitter();
52 void invokeOccupancyTracker();
53 void invokeLayerDebugInfo();
54 void invokeLayerMetadata();
55 void invokeViewSurface();
56
57 FuzzedDataProvider mFdp;
58 };
59
invokeViewSurface()60 void ParcelableFuzzer::invokeViewSurface() {
61 view::Surface surface;
62 surface.name = String16((mFdp.ConsumeRandomLengthString(kMaxBytes)).c_str());
63 Parcel parcel;
64 surface.writeToParcel(&parcel);
65 parcel.setDataPosition(0);
66 surface.readFromParcel(&parcel);
67 bool nameAlreadyWritten = mFdp.ConsumeBool();
68 surface.writeToParcel(&parcel, nameAlreadyWritten);
69 parcel.setDataPosition(0);
70 surface.readFromParcel(&parcel, mFdp.ConsumeBool());
71 }
72
invokeLayerMetadata()73 void ParcelableFuzzer::invokeLayerMetadata() {
74 std::unordered_map<uint32_t, std::vector<uint8_t>> map;
75 for (size_t idx = 0; idx < kLayerMetadataKeyCount; ++idx) {
76 std::vector<uint8_t> data;
77 for (size_t idx1 = 0; idx1 < mFdp.ConsumeIntegral<uint32_t>(); ++idx1) {
78 data.push_back(mFdp.ConsumeIntegral<uint8_t>());
79 }
80 map[kMetadataKey[idx]] = data;
81 }
82 LayerMetadata metadata(map);
83 uint32_t key = mFdp.PickValueInArray(kMetadataKey);
84 metadata.setInt32(key, mFdp.ConsumeIntegral<int32_t>());
85 metadata.itemToString(key, (mFdp.ConsumeRandomLengthString(kMaxBytes)).c_str());
86
87 Parcel parcel;
88 metadata.writeToParcel(&parcel);
89 parcel.setDataPosition(0);
90 metadata.readFromParcel(&parcel);
91 }
92
invokeLayerDebugInfo()93 void ParcelableFuzzer::invokeLayerDebugInfo() {
94 gui::LayerDebugInfo info;
95 info.mName = mFdp.ConsumeRandomLengthString(kMaxBytes);
96 info.mParentName = mFdp.ConsumeRandomLengthString(kMaxBytes);
97 info.mType = mFdp.ConsumeRandomLengthString(kMaxBytes);
98 info.mLayerStack = mFdp.ConsumeIntegral<uint32_t>();
99 info.mX = mFdp.ConsumeFloatingPoint<float>();
100 info.mY = mFdp.ConsumeFloatingPoint<float>();
101 info.mZ = mFdp.ConsumeIntegral<uint32_t>();
102 info.mWidth = mFdp.ConsumeIntegral<int32_t>();
103 info.mHeight = mFdp.ConsumeIntegral<int32_t>();
104 info.mActiveBufferWidth = mFdp.ConsumeIntegral<int32_t>();
105 info.mActiveBufferHeight = mFdp.ConsumeIntegral<int32_t>();
106 info.mActiveBufferStride = mFdp.ConsumeIntegral<int32_t>();
107 info.mActiveBufferFormat = mFdp.ConsumeIntegral<int32_t>();
108 info.mNumQueuedFrames = mFdp.ConsumeIntegral<int32_t>();
109
110 info.mFlags = mFdp.ConsumeIntegral<uint32_t>();
111 info.mPixelFormat = mFdp.ConsumeIntegral<int32_t>();
112 info.mTransparentRegion = Region(getRect(&mFdp));
113 info.mVisibleRegion = Region(getRect(&mFdp));
114 info.mSurfaceDamageRegion = Region(getRect(&mFdp));
115 info.mCrop = getRect(&mFdp);
116 info.mDataSpace = static_cast<android_dataspace>(mFdp.PickValueInArray(kDataspaces));
117 info.mColor = half4(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
118 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>());
119 for (size_t idx = 0; idx < kMatrixSize; ++idx) {
120 info.mMatrix[idx / 2][idx % 2] = mFdp.ConsumeFloatingPoint<float>();
121 }
122 info.mIsOpaque = mFdp.ConsumeBool();
123 info.mContentDirty = mFdp.ConsumeBool();
124 info.mStretchEffect.width = mFdp.ConsumeFloatingPoint<float>();
125 info.mStretchEffect.height = mFdp.ConsumeFloatingPoint<float>();
126 info.mStretchEffect.vectorX = mFdp.ConsumeFloatingPoint<float>();
127 info.mStretchEffect.vectorY = mFdp.ConsumeFloatingPoint<float>();
128 info.mStretchEffect.maxAmountX = mFdp.ConsumeFloatingPoint<float>();
129 info.mStretchEffect.maxAmountY = mFdp.ConsumeFloatingPoint<float>();
130 info.mStretchEffect.mappedChildBounds =
131 FloatRect(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>(),
132 mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeFloatingPoint<float>());
133
134 Parcel parcel;
135 info.writeToParcel(&parcel);
136 parcel.setDataPosition(0);
137 info.readFromParcel(&parcel);
138 }
139
invokeOccupancyTracker()140 void ParcelableFuzzer::invokeOccupancyTracker() {
141 nsecs_t totalTime = mFdp.ConsumeIntegral<uint32_t>();
142 size_t numFrames = mFdp.ConsumeIntegral<size_t>();
143 float occupancyAverage = mFdp.ConsumeFloatingPoint<float>();
144 OccupancyTracker::Segment segment(totalTime, numFrames, occupancyAverage,
145 mFdp.ConsumeBool() /*usedThirdBuffer*/);
146 Parcel parcel;
147 segment.writeToParcel(&parcel);
148 parcel.setDataPosition(0);
149 segment.readFromParcel(&parcel);
150 }
151
invokeStreamSplitter()152 void ParcelableFuzzer::invokeStreamSplitter() {
153 sp<IGraphicBufferProducer> producer;
154 sp<IGraphicBufferConsumer> consumer;
155 BufferQueue::createBufferQueue(&producer, &consumer);
156 sp<StreamSplitter> splitter;
157 StreamSplitter::createSplitter(consumer, &splitter);
158 splitter->addOutput(producer);
159 std::string name = mFdp.ConsumeRandomLengthString(kMaxBytes);
160 splitter->setName(String8(name.c_str()));
161 }
162
process()163 void ParcelableFuzzer::process() {
164 invokeStreamSplitter();
165 invokeOccupancyTracker();
166 invokeLayerDebugInfo();
167 invokeLayerMetadata();
168 invokeViewSurface();
169 }
170
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)171 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
172 ParcelableFuzzer libGuiFuzzer(data, size);
173 libGuiFuzzer.process();
174 return 0;
175 }
176