1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "Common.h"
18 #include "Enumerator.h"
19 #include "HalCamera.h"
20 #include "MockHWCamera.h"
21
22 #include <fuzzer/FuzzedDataProvider.h>
23
24 #include <sys/time.h>
25
26 #include <iostream>
27
28 namespace android::automotive::evs::V1_1::implementation {
29
30 namespace {
31
32 using ::android::hardware::automotive::evs::V1_1::EvsEventDesc;
33 using ::android::hardware::automotive::evs::V1_1::EvsEventType;
34
35 enum EvsFuzzFuncs {
36 EVS_FUZZ_MAKE_VIRTUAL_CAMERA = 0, // verify makeVirtualCamera
37 EVS_FUZZ_OWN_VIRTUAL_CAMERA, // verify ownVirtualCamera
38 EVS_FUZZ_DISOWN_VIRTUAL_CAMERA, // verify disownVirtualCamera
39 EVS_FUZZ_GET_CLIENT_COUNT, // verify getClientCount
40 EVS_FUZZ_GET_ID, // verify getId
41 EVS_FUZZ_GET_STREAM_CONFIG, // verify getStreamConfig
42 EVS_FUZZ_CHANGE_FRAMES_IN_FLIGHT, // verify changeFramesInFlight
43 EVS_FUZZ_CHANGE_FRAMES_IN_FLIGHT_1, // verify overloaded changeFramesInFlight
44 EVS_FUZZ_REQUEST_NEW_FRAME, // verify requestNewFrame
45 EVS_FUZZ_CLIENT_STREAM_STARTING, // verify clientStreamStarting
46 EVS_FUZZ_CLIENT_STREAM_ENDING, // verify clientStreamEnding
47 EVS_FUZZ_GET_STATS, // verify getStats
48 EVS_FUZZ_GET_STREAM_CONFIGURATION, // verify getStreamConfiguration
49 EVS_FUZZ_DELIVER_FRAME_1_1, // verify deliverFrame_1_1
50 EVS_FUZZ_BASE_ENUM // verify common functions
51 };
52
getCurrentTimeStamp()53 int64_t getCurrentTimeStamp() {
54 struct timeval tp;
55 gettimeofday(&tp, NULL);
56 int64_t ms = tp.tv_sec * 1000 + tp.tv_usec / 1000;
57 return ms;
58 }
59
60 const int kMaxFuzzerConsumedBytes = 12;
61
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)62 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
63 FuzzedDataProvider fdp(data, size);
64 sp<IEvsCamera_1_1> mockHWCamera = new MockHWCamera();
65 sp<HalCamera> halCamera = new HalCamera(mockHWCamera);
66 std::vector<sp<VirtualCamera>> virtualCameras;
67 std::vector<BufferDesc_1_0> vBufferDesc_1_0;
68 std::vector<BufferDesc_1_1> vBufferDesc_1_1;
69
70 while (fdp.remaining_bytes() > kMaxFuzzerConsumedBytes) {
71 switch (fdp.ConsumeIntegralInRange<uint32_t>(0, EVS_FUZZ_API_SUM)) {
72 case EVS_FUZZ_MAKE_VIRTUAL_CAMERA: {
73 LOG(DEBUG) << "EVS_FUZZ_MAKE_VIRTUAL_CAMERA";
74 sp<VirtualCamera> virtualCamera = halCamera->makeVirtualCamera();
75 virtualCameras.emplace_back(virtualCamera);
76 break;
77 }
78 case EVS_FUZZ_OWN_VIRTUAL_CAMERA: {
79 LOG(DEBUG) << "EVS_FUZZ_OWN_VIRTUAL_CAMERA";
80 if (!virtualCameras.empty()) {
81 uint32_t whichCam =
82 fdp.ConsumeIntegralInRange<uint32_t>(0, virtualCameras.size() - 1);
83 halCamera->ownVirtualCamera(virtualCameras[whichCam]);
84 }
85 break;
86 }
87 case EVS_FUZZ_DISOWN_VIRTUAL_CAMERA: {
88 LOG(DEBUG) << "EVS_FUZZ_DISOWN_VIRTUAL_CAMERA";
89 if (!virtualCameras.empty()) {
90 uint32_t whichCam =
91 fdp.ConsumeIntegralInRange<uint32_t>(0, virtualCameras.size() - 1);
92 halCamera->disownVirtualCamera(virtualCameras[whichCam]);
93 }
94 break;
95 }
96 case EVS_FUZZ_GET_HW_CAMERA: {
97 LOG(DEBUG) << "EVS_FUZZ_GET_HW_CAMERA";
98 halCamera->getHwCamera();
99 break;
100 }
101 case EVS_FUZZ_GET_CLIENT_COUNT: {
102 LOG(DEBUG) << "EVS_FUZZ_GET_CLIENT_COUNT";
103 halCamera->getClientCount();
104 break;
105 }
106 case EVS_FUZZ_GET_ID: {
107 LOG(DEBUG) << "EVS_FUZZ_GET_ID";
108 halCamera->getId();
109 break;
110 }
111 case EVS_FUZZ_GET_STREAM_CONFIG: {
112 LOG(DEBUG) << "EVS_FUZZ_GET_STREAM_CONFIG";
113 halCamera->getStreamConfig();
114 break;
115 }
116 case EVS_FUZZ_CHANGE_FRAMES_IN_FLIGHT: {
117 LOG(DEBUG) << "EVS_FUZZ_CHANGE_FRAMES_IN_FLIGHT";
118 uint32_t delta = fdp.ConsumeIntegral<int32_t>();
119 halCamera->changeFramesInFlight(delta);
120 break;
121 }
122 case EVS_FUZZ_CHANGE_FRAMES_IN_FLIGHT_1: {
123 LOG(DEBUG) << "EVS_FUZZ_CHANGE_FRAMES_IN_FLIGHT_1";
124 hidl_vec<BufferDesc_1_1> buffers;
125 int32_t delta = 0;
126 halCamera->changeFramesInFlight(buffers, &delta);
127 break;
128 }
129 case EVS_FUZZ_REQUEST_NEW_FRAME: {
130 LOG(DEBUG) << "EVS_FUZZ_REQUEST_NEW_FRAME";
131 if (!virtualCameras.empty()) {
132 uint32_t whichCam =
133 fdp.ConsumeIntegralInRange<uint32_t>(0, virtualCameras.size() - 1);
134 halCamera->requestNewFrame(virtualCameras[whichCam], getCurrentTimeStamp());
135 }
136 break;
137 }
138 case EVS_FUZZ_CLIENT_STREAM_STARTING: {
139 LOG(DEBUG) << "EVS_FUZZ_CLIENT_STREAM_STARTING";
140 halCamera->clientStreamStarting();
141 break;
142 }
143 case EVS_FUZZ_CLIENT_STREAM_ENDING: {
144 LOG(DEBUG) << "EVS_FUZZ_CLIENT_STREAM_ENDING";
145 if (!virtualCameras.empty()) {
146 uint32_t whichCam =
147 fdp.ConsumeIntegralInRange<uint32_t>(0, virtualCameras.size() - 1);
148 halCamera->clientStreamEnding(virtualCameras[whichCam].get());
149 }
150 break;
151 }
152 case EVS_FUZZ_DONE_WITH_FRAME_1_0: {
153 LOG(DEBUG) << "EVS_FUZZ_DONE_WITH_FRAME_1_0";
154 if (!vBufferDesc_1_0.empty()) {
155 uint32_t whichBuffer =
156 fdp.ConsumeIntegralInRange<uint32_t>(0, vBufferDesc_1_0.size() - 1);
157 halCamera->doneWithFrame(vBufferDesc_1_0[whichBuffer]);
158 }
159 break;
160 }
161 case EVS_FUZZ_DONE_WITH_FRAME_1_1: {
162 LOG(DEBUG) << "EVS_FUZZ_DONE_WITH_FRAME_1_1";
163 if (!vBufferDesc_1_1.empty()) {
164 uint32_t whichBuffer =
165 fdp.ConsumeIntegralInRange<uint32_t>(0, vBufferDesc_1_1.size() - 1);
166 halCamera->doneWithFrame(vBufferDesc_1_1[whichBuffer]);
167 }
168 break;
169 }
170 case EVS_FUZZ_SET_PRIMARY: {
171 LOG(DEBUG) << "EVS_FUZZ_SET_PRIMARY";
172 if (!virtualCameras.empty()) {
173 uint32_t whichCam =
174 fdp.ConsumeIntegralInRange<uint32_t>(0, virtualCameras.size() - 1);
175 halCamera->setMaster(virtualCameras[whichCam]);
176 }
177 break;
178 }
179 case EVS_FUZZ_FORCE_PRIMARY: {
180 LOG(DEBUG) << "EVS_FUZZ_FORCE_PRIMARY";
181 if (!virtualCameras.empty()) {
182 uint32_t whichCam =
183 fdp.ConsumeIntegralInRange<uint32_t>(0, virtualCameras.size() - 1);
184 halCamera->forceMaster(virtualCameras[whichCam]);
185 }
186 break;
187 }
188 case EVS_FUZZ_UNSET_PRIMARY: {
189 LOG(DEBUG) << "EVS_FUZZ_UNSET_PRIMARY";
190 if (!virtualCameras.empty()) {
191 uint32_t whichCam =
192 fdp.ConsumeIntegralInRange<uint32_t>(0, virtualCameras.size() - 1);
193 halCamera->unsetMaster(virtualCameras[whichCam].get());
194 }
195 break;
196 }
197 case EVS_FUZZ_SET_PARAMETER: {
198 LOG(DEBUG) << "EVS_FUZZ_SET_PARAMETER";
199 if (!virtualCameras.empty()) {
200 uint32_t whichCam =
201 fdp.ConsumeIntegralInRange<uint32_t>(0, virtualCameras.size() - 1);
202 uint32_t whichParam = fdp.ConsumeIntegralInRange<
203 uint32_t>(0, static_cast<uint32_t>(CameraParam::ABSOLUTE_ZOOM));
204 int32_t value = fdp.ConsumeIntegral<int32_t>();
205 halCamera->setParameter(virtualCameras[whichCam],
206 static_cast<CameraParam>(whichParam), &value);
207 }
208 break;
209 }
210 case EVS_FUZZ_GET_PARAMETER: {
211 LOG(DEBUG) << "EVS_FUZZ_GET_PARAMETER";
212 uint32_t whichParam =
213 fdp.ConsumeIntegralInRange<uint32_t>(0,
214 static_cast<uint32_t>(
215 CameraParam::ABSOLUTE_ZOOM));
216 int32_t value = fdp.ConsumeIntegral<int32_t>();
217 halCamera->getParameter(static_cast<CameraParam>(whichParam), &value);
218 break;
219 }
220 case EVS_FUZZ_GET_STATS: {
221 LOG(DEBUG) << "EVS_FUZZ_GET_STATS";
222 halCamera->getStats();
223 break;
224 }
225 case EVS_FUZZ_GET_STREAM_CONFIGURATION: {
226 LOG(DEBUG) << "EVS_FUZZ_GET_STREAM_CONFIGURATION";
227 halCamera->getStreamConfiguration();
228 break;
229 }
230 case EVS_FUZZ_DELIVER_FRAME: {
231 LOG(DEBUG) << "EVS_FUZZ_DELIVER_FRAME";
232 BufferDesc_1_0 buffer;
233 buffer.bufferId = fdp.ConsumeIntegral<int32_t>();
234 halCamera->deliverFrame(buffer);
235 vBufferDesc_1_0.emplace_back(buffer);
236 break;
237 }
238 case EVS_FUZZ_DELIVER_FRAME_1_1: {
239 LOG(DEBUG) << "EVS_FUZZ_DELIVER_FRAME_1_1";
240 std::vector<BufferDesc_1_1> vec;
241 BufferDesc_1_1 buffer;
242 buffer.bufferId = fdp.ConsumeIntegral<int32_t>();
243 vec.push_back(buffer);
244 hardware::hidl_vec<BufferDesc_1_1> hidl_vec(vec);
245 halCamera->deliverFrame_1_1(hidl_vec);
246 vBufferDesc_1_1.emplace_back(buffer);
247 break;
248 }
249 case EVS_FUZZ_NOTIFY: {
250 LOG(DEBUG) << "EVS_FUZZ_NOTIFY";
251 EvsEventDesc event;
252 uint32_t type =
253 fdp.ConsumeIntegralInRange<uint32_t>(0,
254 static_cast<uint32_t>(
255 EvsEventType::STREAM_ERROR));
256 event.aType = static_cast<EvsEventType>(type);
257 // TODO(b/160824438) let's comment this for now because of the failure.
258 // If virtualCamera does not call startVideoStream, and notify(1) is called
259 // it will fail.
260 // halCamera->notify(event);
261 break;
262 }
263 default:
264 LOG(ERROR) << "Unexpected option, aborting...";
265 break;
266 }
267 }
268 return 0;
269 }
270
271 } // namespace
272 } // namespace android::automotive::evs::V1_1::implementation
273