1 /*
2 * Copyright (C) 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <Camera.h>
18 #include <CameraBase.h>
19 #include <CameraMetadata.h>
20 #include <CameraParameters.h>
21 #include <CameraUtils.h>
22 #include <VendorTagDescriptor.h>
23 #include <binder/IMemory.h>
24 #include <binder/MemoryDealer.h>
25 #include <fuzzer/FuzzedDataProvider.h>
26 #include <gui/IGraphicBufferProducer.h>
27 #include <gui/Surface.h>
28 #include <gui/SurfaceComposerClient.h>
29 #include <utils/Log.h>
30 #include "camera2common.h"
31 #include <android/hardware/ICameraService.h>
32
33 using namespace std;
34 using namespace android;
35 using namespace android::hardware;
36
37 constexpr int32_t kFrameRateMin = 1;
38 constexpr int32_t kFrameRateMax = 120;
39 constexpr int32_t kCamIdMin = 0;
40 constexpr int32_t kCamIdMax = 1;
41 constexpr int32_t kNumMin = 0;
42 constexpr int32_t kNumMax = 1024;
43 constexpr int32_t kMemoryDealerSize = 1000;
44 constexpr int32_t kRangeMin = 0;
45 constexpr int32_t kRangeMax = 1000;
46 constexpr int32_t kSizeMin = 0;
47 constexpr int32_t kSizeMax = 1000;
48
49 constexpr int32_t kValidCMD[] = {CAMERA_CMD_START_SMOOTH_ZOOM,
50 CAMERA_CMD_STOP_SMOOTH_ZOOM,
51 CAMERA_CMD_SET_DISPLAY_ORIENTATION,
52 CAMERA_CMD_ENABLE_SHUTTER_SOUND,
53 CAMERA_CMD_PLAY_RECORDING_SOUND,
54 CAMERA_CMD_START_FACE_DETECTION,
55 CAMERA_CMD_STOP_FACE_DETECTION,
56 CAMERA_CMD_ENABLE_FOCUS_MOVE_MSG,
57 CAMERA_CMD_PING,
58 CAMERA_CMD_SET_VIDEO_BUFFER_COUNT,
59 CAMERA_CMD_SET_VIDEO_FORMAT};
60
61 constexpr int32_t kValidVideoBufferMode[] = {ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_YUV,
62 ICamera::VIDEO_BUFFER_MODE_DATA_CALLBACK_METADATA,
63 ICamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE};
64
65 constexpr int32_t kValidPreviewCallbackFlag[] = {
66 CAMERA_FRAME_CALLBACK_FLAG_ENABLE_MASK, CAMERA_FRAME_CALLBACK_FLAG_ONE_SHOT_MASK,
67 CAMERA_FRAME_CALLBACK_FLAG_COPY_OUT_MASK, CAMERA_FRAME_CALLBACK_FLAG_NOOP,
68 CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER, CAMERA_FRAME_CALLBACK_FLAG_CAMERA,
69 CAMERA_FRAME_CALLBACK_FLAG_BARCODE_SCANNER};
70
71 constexpr int32_t kValidFacing[] = {android::hardware::CAMERA_FACING_BACK,
72 android::hardware::CAMERA_FACING_FRONT};
73
74 constexpr int32_t kValidOrientation[] = {0, 90, 180, 270};
75
76 class TestCameraListener : public CameraListener {
77 public:
78 virtual ~TestCameraListener() = default;
79
notify(int32_t,int32_t,int32_t)80 void notify(int32_t /*msgType*/, int32_t /*ext1*/, int32_t /*ext2*/) override { return; };
postData(int32_t,const sp<IMemory> &,camera_frame_metadata_t *)81 void postData(int32_t /*msgType*/, const sp<IMemory>& /*dataPtr*/,
82 camera_frame_metadata_t* /*metadata*/) override {
83 return;
84 };
postDataTimestamp(nsecs_t,int32_t,const sp<IMemory> &)85 void postDataTimestamp(nsecs_t /*timestamp*/, int32_t /*msgType*/,
86 const sp<IMemory>& /*dataPtr*/) override {
87 return;
88 };
postRecordingFrameHandleTimestamp(nsecs_t,native_handle_t *)89 void postRecordingFrameHandleTimestamp(nsecs_t /*timestamp*/,
90 native_handle_t* /*handle*/) override {
91 return;
92 };
postRecordingFrameHandleTimestampBatch(const std::vector<nsecs_t> &,const std::vector<native_handle_t * > &)93 void postRecordingFrameHandleTimestampBatch(
94 const std::vector<nsecs_t>& /*timestamps*/,
95 const std::vector<native_handle_t*>& /*handles*/) override {
96 return;
97 };
98 };
99
100 class CameraFuzzer : public ::android::hardware::BnCameraClient {
101 public:
102 void process(const uint8_t* data, size_t size);
~CameraFuzzer()103 ~CameraFuzzer() {
104 delete mCameraMetadata;
105 mComposerClient.clear();
106 mSurfaceControl.clear();
107 mSurface.clear();
108 mCamera.clear();
109 mMemoryDealer.clear();
110 mIMem.clear();
111 mCameraListener.clear();
112 mCameraService.clear();
113 }
114
115 private:
116 bool initCamera();
117 void initCameraMetadata();
118 void invokeCamera();
119 void invokeCameraUtils();
120 void invokeCameraBase();
121 void invokeCameraMetadata();
122 void invokeSetParameters();
123 sp<Camera> mCamera = nullptr;
124 CameraMetadata* mCameraMetadata = nullptr;
125 sp<SurfaceComposerClient> mComposerClient = nullptr;
126 sp<SurfaceControl> mSurfaceControl = nullptr;
127 sp<Surface> mSurface = nullptr;
128 sp<MemoryDealer> mMemoryDealer = nullptr;
129 sp<IMemory> mIMem = nullptr;
130 sp<TestCameraListener> mCameraListener = nullptr;
131 sp<ICameraService> mCameraService = nullptr;
132 sp<ICamera> cameraDevice = nullptr;
133 FuzzedDataProvider* mFDP = nullptr;
134
135 // CameraClient interface
notifyCallback(int32_t,int32_t,int32_t)136 void notifyCallback(int32_t, int32_t, int32_t) override { return; };
dataCallback(int32_t,const sp<IMemory> &,camera_frame_metadata_t *)137 void dataCallback(int32_t, const sp<IMemory>&, camera_frame_metadata_t*) override { return; };
dataCallbackTimestamp(nsecs_t,int32_t,const sp<IMemory> &)138 void dataCallbackTimestamp(nsecs_t, int32_t, const sp<IMemory>&) override { return; };
recordingFrameHandleCallbackTimestamp(nsecs_t,native_handle_t *)139 void recordingFrameHandleCallbackTimestamp(nsecs_t, native_handle_t*) override { return; };
recordingFrameHandleCallbackTimestampBatch(const std::vector<nsecs_t> &,const std::vector<native_handle_t * > &)140 void recordingFrameHandleCallbackTimestampBatch(const std::vector<nsecs_t>&,
141 const std::vector<native_handle_t*>&) override {
142 return;
143 };
144 };
145
initCamera()146 bool CameraFuzzer::initCamera() {
147 ProcessState::self()->startThreadPool();
148 sp<IServiceManager> sm = defaultServiceManager();
149 sp<IBinder> binder = sm->getService(String16("media.camera"));
150 mCameraService = interface_cast<ICameraService>(binder);
151 mCameraService->connect(this, mFDP->ConsumeIntegral<int32_t>() /* cameraId */,
152 String16("CAMERAFUZZ"), hardware::ICameraService::USE_CALLING_UID,
153 hardware::ICameraService::USE_CALLING_PID,
154 /*targetSdkVersion*/ __ANDROID_API_FUTURE__,
155 /*overrideToPortrait*/false, /*forceSlowJpegMode*/false, &cameraDevice);
156 mCamera = Camera::create(cameraDevice);
157 if (!mCamera) {
158 return false;
159 }
160 return true;
161 }
162
invokeSetParameters()163 void CameraFuzzer::invokeSetParameters() {
164 String8 s = mCamera->getParameters();
165 CameraParameters params(s);
166 int32_t width = mFDP->ConsumeIntegral<int32_t>();
167 int32_t height = mFDP->ConsumeIntegral<int32_t>();
168 params.setVideoSize(width, height);
169 int32_t frameRate = mFDP->ConsumeIntegralInRange<int32_t>(kFrameRateMin, kFrameRateMax);
170 params.setPreviewFrameRate(frameRate);
171 mCamera->setParameters(params.flatten());
172 }
173
invokeCamera()174 void CameraFuzzer::invokeCamera() {
175 if (!initCamera()) {
176 return;
177 }
178
179 int32_t cameraId = mFDP->ConsumeIntegralInRange<int32_t>(kCamIdMin, kCamIdMax);
180 Camera::getNumberOfCameras();
181 CameraInfo cameraInfo;
182 cameraInfo.facing = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidFacing)
183 : mFDP->ConsumeIntegral<int>();
184 cameraInfo.orientation = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidOrientation)
185 : mFDP->ConsumeIntegral<int>();
186 Camera::getCameraInfo(cameraId, /*overrideToPortrait*/false, &cameraInfo);
187 mCamera->reconnect();
188
189 mComposerClient = new SurfaceComposerClient;
190 mSurfaceControl = mComposerClient->createSurface(
191 static_cast<String8>(mFDP->ConsumeRandomLengthString().c_str()) /* name */,
192 mFDP->ConsumeIntegral<uint32_t>() /* width */,
193 mFDP->ConsumeIntegral<uint32_t>() /* height */,
194 mFDP->ConsumeIntegral<int32_t>() /* format */,
195 mFDP->ConsumeIntegral<int32_t>() /* flags */);
196 if (mSurfaceControl) {
197 mSurface = mSurfaceControl->getSurface();
198 mCamera->setPreviewTarget(mSurface->getIGraphicBufferProducer());
199 mCamera->startPreview();
200 mCamera->stopPreview();
201 mCamera->previewEnabled();
202 mCamera->startRecording();
203 mCamera->stopRecording();
204 }
205
206 mCamera->lock();
207 mCamera->unlock();
208 mCamera->autoFocus();
209 mCamera->cancelAutoFocus();
210
211 int32_t msgType = mFDP->ConsumeIntegral<int32_t>();
212 mCamera->takePicture(msgType);
213 invokeSetParameters();
214 int32_t cmd;
215 if (mFDP->ConsumeBool()) {
216 cmd = mFDP->PickValueInArray(kValidCMD);
217 } else {
218 cmd = mFDP->ConsumeIntegral<int32_t>();
219 }
220 int32_t arg1 = mFDP->ConsumeIntegral<int32_t>();
221 int32_t arg2 = mFDP->ConsumeIntegral<int32_t>();
222 mCamera->sendCommand(cmd, arg1, arg2);
223
224 int32_t videoBufferMode = mFDP->PickValueInArray(kValidVideoBufferMode);
225 mCamera->setVideoBufferMode(videoBufferMode);
226 if (mSurfaceControl) {
227 mSurface = mSurfaceControl->getSurface();
228 mCamera->setVideoTarget(mSurface->getIGraphicBufferProducer());
229 }
230 mCameraListener = sp<TestCameraListener>::make();
231 mCamera->setListener(mCameraListener);
232 int32_t previewCallbackFlag;
233 if (mFDP->ConsumeBool()) {
234 previewCallbackFlag = mFDP->PickValueInArray(kValidPreviewCallbackFlag);
235 } else {
236 previewCallbackFlag = mFDP->ConsumeIntegral<int32_t>();
237 }
238 mCamera->setPreviewCallbackFlags(previewCallbackFlag);
239 if (mSurfaceControl) {
240 mSurface = mSurfaceControl->getSurface();
241 mCamera->setPreviewCallbackTarget(mSurface->getIGraphicBufferProducer());
242 }
243
244 mCamera->getRecordingProxy();
245 int32_t mode = mFDP->ConsumeIntegral<int32_t>();
246 mCamera->setAudioRestriction(mode);
247 mCamera->getGlobalAudioRestriction();
248 mCamera->recordingEnabled();
249
250 mMemoryDealer = new MemoryDealer(kMemoryDealerSize);
251 mIMem = mMemoryDealer->allocate(kMemoryDealerSize);
252 mCamera->releaseRecordingFrame(mIMem);
253
254 int32_t numFds = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
255 int32_t numInts = mFDP->ConsumeIntegralInRange<int32_t>(kNumMin, kNumMax);
256 native_handle_t* handle = native_handle_create(numFds, numInts);
257 mCamera->releaseRecordingFrameHandle(handle);
258
259 int32_t msgTypeNC = mFDP->ConsumeIntegral<int32_t>();
260 int32_t ext = mFDP->ConsumeIntegral<int32_t>();
261 int32_t ext2 = mFDP->ConsumeIntegral<int32_t>();
262 mCamera->notifyCallback(msgTypeNC, ext, ext2);
263
264 int64_t timestamp = mFDP->ConsumeIntegral<int64_t>();
265 mCamera->dataCallbackTimestamp(timestamp, msgTypeNC, mIMem);
266 mCamera->recordingFrameHandleCallbackTimestamp(timestamp, handle);
267 }
268
invokeCameraUtils()269 void CameraFuzzer::invokeCameraUtils() {
270 CameraMetadata staticMetadata;
271 int32_t orientVal = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidOrientation)
272 : mFDP->ConsumeIntegral<int32_t>();
273 uint8_t facingVal = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidFacing)
274 : mFDP->ConsumeIntegral<uint8_t>();
275 staticMetadata.update(ANDROID_SENSOR_ORIENTATION, &orientVal, 1);
276 staticMetadata.update(ANDROID_LENS_FACING, &facingVal, 1);
277 int32_t transform = 0;
278 CameraUtils::getRotationTransform(
279 staticMetadata, mFDP->ConsumeIntegral<int32_t>() /* mirrorMode */, &transform /*out*/);
280 CameraUtils::isCameraServiceDisabled();
281 }
282
invokeCameraBase()283 void CameraFuzzer::invokeCameraBase() {
284 CameraInfo cameraInfo;
285 cameraInfo.facing = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidFacing)
286 : mFDP->ConsumeIntegral<int>();
287 cameraInfo.orientation = mFDP->ConsumeBool() ? mFDP->PickValueInArray(kValidOrientation)
288 : mFDP->ConsumeIntegral<int>();
289 invokeReadWriteParcel<CameraInfo>(&cameraInfo);
290
291 CameraStatus* cameraStatus = nullptr;
292
293 if (mFDP->ConsumeBool()) {
294 cameraStatus = new CameraStatus();
295 } else {
296 string cid = mFDP->ConsumeRandomLengthString();
297 String8 id(cid.c_str());
298 int32_t status = mFDP->ConsumeIntegral<int32_t>();
299 size_t unavailSubIdsSize = mFDP->ConsumeIntegralInRange<size_t>(kSizeMin, kSizeMax);
300 vector<String8> unavailSubIds;
301 for (size_t idx = 0; idx < unavailSubIdsSize; ++idx) {
302 string subId = mFDP->ConsumeRandomLengthString();
303 String8 unavailSubId(subId.c_str());
304 unavailSubIds.push_back(unavailSubId);
305 }
306 string clientPkg = mFDP->ConsumeRandomLengthString();
307 String8 clientPackage(clientPkg.c_str());
308 cameraStatus = new CameraStatus(id, status, unavailSubIds, clientPackage);
309 }
310
311 invokeReadWriteParcel<CameraStatus>(cameraStatus);
312 delete cameraStatus;
313 }
314
initCameraMetadata()315 void CameraFuzzer::initCameraMetadata() {
316 if (mFDP->ConsumeBool()) {
317 mCameraMetadata = new CameraMetadata();
318 } else {
319 size_t entryCapacity = mFDP->ConsumeIntegralInRange<size_t>(kSizeMin, kSizeMax);
320 size_t dataCapacity = mFDP->ConsumeIntegralInRange<size_t>(kSizeMin, kSizeMax);
321 mCameraMetadata = new CameraMetadata(entryCapacity, dataCapacity);
322 }
323 }
324
invokeCameraMetadata()325 void CameraFuzzer::invokeCameraMetadata() {
326 initCameraMetadata();
327
328 const camera_metadata_t* metadataBuffer = nullptr;
329 if (mFDP->ConsumeBool()) {
330 metadataBuffer = mCameraMetadata->getAndLock();
331 }
332
333 mCameraMetadata->entryCount();
334 mCameraMetadata->isEmpty();
335 mCameraMetadata->bufferSize();
336 mCameraMetadata->sort();
337
338 uint32_t tag = mFDP->ConsumeIntegral<uint32_t>();
339 uint8_t dataUint8 = mFDP->ConsumeIntegral<uint8_t>();
340 int32_t dataInt32 = mFDP->ConsumeIntegral<int32_t>();
341 int64_t dataInt64 = mFDP->ConsumeIntegral<int64_t>();
342 float dataFloat = mFDP->ConsumeFloatingPoint<float>();
343 double dataDouble = mFDP->ConsumeFloatingPoint<double>();
344 camera_metadata_rational dataRational;
345 dataRational.numerator = mFDP->ConsumeIntegral<int32_t>();
346 dataRational.denominator = mFDP->ConsumeIntegral<int32_t>();
347 string dataStr = mFDP->ConsumeRandomLengthString();
348 String8 dataString(dataStr.c_str());
349 size_t data_count = 1;
350 mCameraMetadata->update(tag, &dataUint8, data_count);
351 mCameraMetadata->update(tag, &dataInt32, data_count);
352 mCameraMetadata->update(tag, &dataFloat, data_count);
353 mCameraMetadata->update(tag, &dataInt64, data_count);
354 mCameraMetadata->update(tag, &dataRational, data_count);
355 mCameraMetadata->update(tag, &dataDouble, data_count);
356 mCameraMetadata->update(tag, dataString);
357
358 uint32_t tagExists = mFDP->ConsumeBool() ? tag : mFDP->ConsumeIntegral<uint32_t>();
359 mCameraMetadata->exists(tagExists);
360
361 uint32_t tagFind = mFDP->ConsumeBool() ? tag : mFDP->ConsumeIntegral<uint32_t>();
362 mCameraMetadata->find(tagFind);
363
364 uint32_t tagErase = mFDP->ConsumeBool() ? tag : mFDP->ConsumeIntegral<uint32_t>();
365 mCameraMetadata->erase(tagErase);
366
367 mCameraMetadata->unlock(metadataBuffer);
368 std::vector<int32_t> tagsRemoved;
369 uint64_t vendorId = mFDP->ConsumeIntegral<uint64_t>();
370 mCameraMetadata->removePermissionEntries(vendorId, &tagsRemoved);
371
372 string name = mFDP->ConsumeRandomLengthString();
373 VendorTagDescriptor vTags;
374 uint32_t tagName = mFDP->ConsumeIntegral<uint32_t>();
375 mCameraMetadata->getTagFromName(name.c_str(), &vTags, &tagName);
376
377 invokeReadWriteNullParcel<CameraMetadata>(mCameraMetadata);
378 invokeReadWriteParcel<CameraMetadata>(mCameraMetadata);
379
380 int32_t fd = open("/dev/null", O_CLOEXEC | O_RDWR | O_CREAT);
381 int32_t verbosity = mFDP->ConsumeIntegralInRange<int32_t>(kRangeMin, kRangeMax);
382 int32_t indentation = mFDP->ConsumeIntegralInRange<int32_t>(kRangeMin, kRangeMax);
383 mCameraMetadata->dump(fd, verbosity, indentation);
384
385 CameraMetadata metadataCopy(mCameraMetadata->release());
386 CameraMetadata otherCameraMetadata;
387 mCameraMetadata->swap(otherCameraMetadata);
388 close(fd);
389 }
390
process(const uint8_t * data,size_t size)391 void CameraFuzzer::process(const uint8_t* data, size_t size) {
392 mFDP = new FuzzedDataProvider(data, size);
393 invokeCamera();
394 invokeCameraUtils();
395 invokeCameraBase();
396 invokeCameraMetadata();
397 delete mFDP;
398 }
399
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)400 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
401 sp<CameraFuzzer> cameraFuzzer = new CameraFuzzer();
402 cameraFuzzer->process(data, size);
403 cameraFuzzer.clear();
404 return 0;
405 }
406