1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "layer_fuzzer.h"
17
18 #include <cstddef>
19 #include <cstdint>
20 #include <securec.h>
21
22 #include "display_common_fuzzer.h"
23
24 namespace OHOS {
25 using namespace OHOS::HDI::Display::Buffer::V1_0;
26 using namespace OHOS::HDI::Display::Composer::V1_0;
27
28 static sptr<IDisplayComposerInterface> g_composerInterface = nullptr;
29 static std::shared_ptr<IDisplayBuffer> g_bufferInterface = nullptr;
30
31 static bool g_isInit = false;
32 static const uint8_t* g_data = nullptr;
33 static size_t g_dataSize = 0;
34 static size_t g_pos;
35
36 /*
37 * describe: get data from outside untrusted data(g_data) which size is according to sizeof(T)
38 * tips: only support basic type
39 */
40 template<class T>
GetData()41 T GetData()
42 {
43 T object {};
44 size_t objectSize = sizeof(object);
45 if (g_data == nullptr || objectSize > g_dataSize - g_pos) {
46 return object;
47 }
48 errno_t ret = memcpy_s(&object, objectSize, g_data + g_pos, objectSize);
49 if (ret != EOK) {
50 return {};
51 }
52 g_pos += objectSize;
53 return object;
54 }
55
GetLayerInfo(LayerInfo & layerInfo)56 static int32_t GetLayerInfo(LayerInfo& layerInfo)
57 {
58 uint32_t lenLayerType = GetArrLength(CONVERT_TABLE_LAYER_TYPE);
59 if (lenLayerType == 0) {
60 HDF_LOGE("%{public}s: CONVERT_TABLE_LAYER_TYPE length is equal to 0", __func__);
61 return DISPLAY_FAILURE;
62 }
63
64 uint32_t lenFormat = GetArrLength(CONVERT_TABLE_FORMAT);
65 if (lenFormat == 0) {
66 HDF_LOGE("%{public}s: CONVERT_TABLE_FORMAT length is equal to 0", __func__);
67 return DISPLAY_FAILURE;
68 }
69 layerInfo.width = GetData<uint32_t>() % WIDTH;
70 layerInfo.height = GetData<uint32_t>() % HEIGHT;
71 layerInfo.type = CONVERT_TABLE_LAYER_TYPE[GetData<uint32_t>() % lenLayerType];
72 layerInfo.bpp = GetData<uint32_t>();
73 layerInfo.pixFormat = CONVERT_TABLE_FORMAT[GetData<uint32_t>() % lenFormat];
74 return DISPLAY_SUCCESS;
75 }
76
GetLayerAlpha(LayerAlpha & alpha)77 static int32_t GetLayerAlpha(LayerAlpha& alpha)
78 {
79 alpha.enGlobalAlpha = GetRandBoolValue(GetData<uint32_t>());
80 alpha.enPixelAlpha = GetRandBoolValue(GetData<uint32_t>());
81 alpha.alpha0 = GetData<uint32_t>() % ALPHA_VALUE_RANGE;
82 alpha.alpha1 = GetData<uint32_t>() % ALPHA_VALUE_RANGE;
83 alpha.gAlpha = GetData<uint32_t>() % ALPHA_VALUE_RANGE;
84 return DISPLAY_SUCCESS;
85 }
86
GetAllocInfo(AllocInfo & info)87 static int32_t GetAllocInfo(AllocInfo& info)
88 {
89 uint32_t lenUsage = GetArrLength(CONVERT_TABLE_USAGE);
90 if (lenUsage == 0) {
91 HDF_LOGE("%{public}s: CONVERT_TABLE_USAGE length is equal to 0", __func__);
92 return DISPLAY_FAILURE;
93 }
94 uint32_t lenFormat = GetArrLength(CONVERT_TABLE_FORMAT);
95 if (lenFormat == 0) {
96 HDF_LOGE("%{public}s: CONVERT_TABLE_FORMAT length is equal to 0", __func__);
97 return DISPLAY_FAILURE;
98 }
99
100 info.width = GetData<uint32_t>() % WIDTH;
101 info.height = GetData<uint32_t>() % HEIGHT;
102 info.usage = CONVERT_TABLE_USAGE[GetData<uint32_t>() % lenUsage];
103 info.format = CONVERT_TABLE_FORMAT[GetData<uint32_t>() % lenFormat];
104 info.expectedSize = info.width * info.height;
105 return DISPLAY_SUCCESS;
106 }
107
GetIRect(IRect & rect)108 static int32_t GetIRect(IRect& rect)
109 {
110 rect.x = GetData<int32_t>();
111 rect.y = GetData<int32_t>();
112 rect.w = GetData<int32_t>();
113 rect.h = GetData<int32_t>();
114 return DISPLAY_SUCCESS;
115 }
116
UsingAllocmem()117 BufferHandle* UsingAllocmem()
118 {
119 AllocInfo info = { 0 };
120 int32_t ret = GetAllocInfo(info);
121 if (ret != DISPLAY_SUCCESS) {
122 HDF_LOGE("%{public}s: function GetAllocInfo failed", __func__);
123 return nullptr;
124 }
125
126 BufferHandle* handle = nullptr;
127 ret = g_bufferInterface->AllocMem(info, handle);
128 if (ret != DISPLAY_SUCCESS) {
129 HDF_LOGE("%{public}s: function AllocMem failed", __func__);
130 return nullptr;
131 }
132 return handle;
133 }
134
UsingCreateLayer(uint32_t devId,uint32_t & layerId)135 int32_t UsingCreateLayer(uint32_t devId, uint32_t& layerId)
136 {
137 LayerInfo layerInfo;
138 int32_t ret = GetLayerInfo(layerInfo);
139 if (ret != DISPLAY_SUCCESS) {
140 HDF_LOGE("%{public}s: function GetLayerInfo failed", __func__);
141 return DISPLAY_FAILURE;
142 }
143
144 uint32_t bufferCount = 3;
145 ret = g_composerInterface->CreateLayer(devId, layerInfo, bufferCount, layerId);
146 if (ret != DISPLAY_SUCCESS) {
147 HDF_LOGE("%{public}s: function CreateLayer failed", __func__);
148 }
149 return ret;
150 }
151
UsingCloseLayer(uint32_t devId,uint32_t layerId)152 int32_t UsingCloseLayer(uint32_t devId, uint32_t layerId)
153 {
154 int32_t ret = g_composerInterface->DestroyLayer(devId, layerId);
155 if (ret != DISPLAY_SUCCESS) {
156 HDF_LOGE("%{public}s: function CloseLayer failed", __func__);
157 return DISPLAY_FAILURE;
158 }
159 return ret;
160 }
161
TestSetLayerAlpha(uint32_t devId,uint32_t layerId)162 int32_t TestSetLayerAlpha(uint32_t devId, uint32_t layerId)
163 {
164 LayerAlpha alpha = {0};
165 int32_t ret = GetLayerAlpha(alpha);
166 if (ret != DISPLAY_SUCCESS) {
167 HDF_LOGE("%{public}s: function GetLayerAlpha failed", __func__);
168 return DISPLAY_FAILURE;
169 }
170 ret = g_composerInterface->SetLayerAlpha(0, 0, alpha);
171 if (ret != DISPLAY_SUCCESS) {
172 HDF_LOGE("%{public}s: function SetLyerAlpha failed", __func__);
173 return DISPLAY_FAILURE;
174 }
175 return ret;
176 }
177
TestSetLayerRegion(uint32_t devId,uint32_t layerId)178 int32_t TestSetLayerRegion(uint32_t devId, uint32_t layerId)
179 {
180 IRect rect;
181 int32_t ret = GetIRect(rect);
182 if (ret != DISPLAY_SUCCESS) {
183 HDF_LOGE("%{public}s: function GetIRect failed", __func__);
184 return DISPLAY_FAILURE;
185 }
186 ret = g_composerInterface->SetLayerRegion(devId, layerId, rect);
187 if (ret != DISPLAY_SUCCESS) {
188 HDF_LOGE("%{public}s: function SetLayerRegion failed", __func__);
189 }
190 return ret;
191 }
192
TestSetLayerCrop(uint32_t devId,uint32_t layerId)193 int32_t TestSetLayerCrop(uint32_t devId, uint32_t layerId)
194 {
195 IRect rect;
196 int32_t ret = GetIRect(rect);
197 if (ret != DISPLAY_SUCCESS) {
198 HDF_LOGE("%{public}s: function GetIRect failed", __func__);
199 return DISPLAY_FAILURE;
200 }
201 ret = g_composerInterface->SetLayerCrop(devId, layerId, rect);
202 if (ret != DISPLAY_SUCCESS) {
203 HDF_LOGE("%{public}s: function SetLayerCrop failed", __func__);
204 }
205 return ret;
206 }
207
TestSetLayerZorder(uint32_t devId,uint32_t layerId)208 int32_t TestSetLayerZorder(uint32_t devId, uint32_t layerId)
209 {
210 uint32_t zorder = GetData<uint32_t>();
211 int32_t ret = g_composerInterface->SetLayerZorder(devId, layerId, zorder);
212 if (ret != DISPLAY_SUCCESS) {
213 HDF_LOGE("%{public}s: function SetLayerZorder failed", __func__);
214 }
215 return ret;
216 }
217
TestSetLayerPreMulti(uint32_t devId,uint32_t layerId)218 int32_t TestSetLayerPreMulti(uint32_t devId, uint32_t layerId)
219 {
220 bool preMul = GetRandBoolValue(GetData<uint32_t>());
221 int32_t ret = g_composerInterface->SetLayerPreMulti(devId, layerId, preMul);
222 if (ret != DISPLAY_SUCCESS) {
223 HDF_LOGE("%{public}s: function SetLayerPreMulti failed", __func__);
224 }
225 return ret;
226 }
227
TestSetLayerTransformMode(uint32_t devId,uint32_t layerId)228 int32_t TestSetLayerTransformMode(uint32_t devId, uint32_t layerId)
229 {
230 uint32_t len = GetArrLength(CONVERT_TABLE_ROTATE);
231 if (len == 0) {
232 HDF_LOGE("%{public}s: CONVERT_TABLE_ROTATE length is equal to 0", __func__);
233 return DISPLAY_FAILURE;
234 }
235 TransformType type = CONVERT_TABLE_ROTATE[GetData<uint32_t>() % len];
236 int32_t ret = g_composerInterface->SetLayerTransformMode(devId, layerId, type);
237 if (ret != DISPLAY_SUCCESS) {
238 HDF_LOGE("%{public}s: function SetLayerTransformMode failed", __func__);
239 }
240 return ret;
241 }
242
TestSetLayerDirtyRegion(uint32_t devId,uint32_t layerId)243 int32_t TestSetLayerDirtyRegion(uint32_t devId, uint32_t layerId)
244 {
245 IRect region;
246 int32_t ret = GetIRect(region);
247 if (ret != DISPLAY_SUCCESS) {
248 HDF_LOGE("%{public}s: function GetIRect failed", __func__);
249 return DISPLAY_FAILURE;
250 }
251 std::vector<IRect> vRects;
252 vRects.push_back(region);
253 ret = g_composerInterface->SetLayerDirtyRegion(devId, layerId, vRects);
254 if (ret != DISPLAY_SUCCESS) {
255 HDF_LOGE("%{public}s: function SetLayerDirtyRegion failed", __func__);
256 }
257 return ret;
258 }
259
TestSetLayerVisibleRegion(uint32_t devId,uint32_t layerId)260 int32_t TestSetLayerVisibleRegion(uint32_t devId, uint32_t layerId)
261 {
262 IRect rect;
263 int32_t ret = GetIRect(rect);
264 if (ret != DISPLAY_SUCCESS) {
265 HDF_LOGE("%{public}s: function GetIRect failed", __func__);
266 return DISPLAY_FAILURE;
267 }
268 std::vector<IRect> vRects;
269 vRects.push_back(rect);
270 ret = g_composerInterface->SetLayerVisibleRegion(devId, layerId, vRects);
271 if (ret != DISPLAY_SUCCESS) {
272 HDF_LOGE("%{public}s: function SetLayerVisibleRegion failed", __func__);
273 }
274 return ret;
275 }
276
TestSetLayerBuffer(uint32_t devId,uint32_t layerId)277 int32_t TestSetLayerBuffer(uint32_t devId, uint32_t layerId)
278 {
279 int32_t fence = GetData<int32_t>();
280 BufferHandle* buffer = UsingAllocmem();
281 if (buffer == nullptr) {
282 HDF_LOGE("%{public}s: Failed to UsingAllocmem", __func__);
283 return DISPLAY_FAILURE;
284 }
285 uint32_t seqNo = GetData<uint32_t>();
286 std::vector<uint32_t> deletingList;
287 int32_t ret = g_composerInterface->SetLayerBuffer(devId, layerId, buffer, seqNo, fence, deletingList);
288 if (ret != DISPLAY_SUCCESS) {
289 HDF_LOGE("%{public}s: function SetLayerBuffer failed", __func__);
290 }
291 g_bufferInterface->FreeMem(*buffer);
292 return ret;
293 }
294
TestSetLayerCompositionType(uint32_t devId,uint32_t layerId)295 int32_t TestSetLayerCompositionType(uint32_t devId, uint32_t layerId)
296 {
297 uint32_t len = GetArrLength(CONVERT_TABLE_COMPOSITION);
298 if (len == 0) {
299 HDF_LOGE("%{public}s: CONVERT_TABLE_COMPOSITION length is equal to 0", __func__);
300 return DISPLAY_FAILURE;
301 }
302 CompositionType type = CONVERT_TABLE_COMPOSITION[GetData<uint32_t>() % len];
303 int32_t ret = g_composerInterface->SetLayerCompositionType(devId, layerId, type);
304 if (ret != DISPLAY_SUCCESS) {
305 HDF_LOGE("%{public}s: function SetLayerCompositionType failed", __func__);
306 }
307 return ret;
308 }
309
TestSetLayerBlendType(uint32_t devId,uint32_t layerId)310 int32_t TestSetLayerBlendType(uint32_t devId, uint32_t layerId)
311 {
312 uint32_t len = GetArrLength(CONVERT_TABLE_BLEND);
313 if (len == 0) {
314 HDF_LOGE("%{public}s: CONVERT_TABLE_BLEND length is equal to 0", __func__);
315 return DISPLAY_FAILURE;
316 }
317 BlendType type = CONVERT_TABLE_BLEND[GetData<uint32_t>() % len];
318 int32_t ret = g_composerInterface->SetLayerBlendType(devId, layerId, type);
319 if (ret != DISPLAY_SUCCESS) {
320 HDF_LOGE("%{public}s: function SetLayerBlendType failed", __func__);
321 }
322 return ret;
323 }
324
TestSetLayerMaskInfo(uint32_t devId,uint32_t layerId)325 int32_t TestSetLayerMaskInfo(uint32_t devId, uint32_t layerId)
326 {
327 uint32_t len = GetArrLength(CONVERT_TABLE_MASK);
328 if (len == 0) {
329 HDF_LOGE("%{public}s: CONVERT_TABLE_MASK length is equal to 0", __func__);
330 return DISPLAY_FAILURE;
331 }
332 MaskInfo maskInfo = CONVERT_TABLE_MASK[GetData<uint32_t>() % len];
333 int32_t ret = g_composerInterface->SetLayerMaskInfo(devId, layerId, maskInfo);
334 if (ret != DISPLAY_SUCCESS) {
335 HDF_LOGE("%{public}s: function SetLayerMaskInfo failed", __func__);
336 }
337 return ret;
338 }
339
TestSetLayerColor(uint32_t devId,uint32_t layerId)340 int32_t TestSetLayerColor(uint32_t devId, uint32_t layerId)
341 {
342 LayerColor layerColor = {
343 .r = GetData<uint32_t>() % ALPHA_VALUE_RANGE,
344 .g = GetData<uint32_t>() % ALPHA_VALUE_RANGE,
345 .b = GetData<uint32_t>() % ALPHA_VALUE_RANGE,
346 .a = GetData<uint32_t>() % ALPHA_VALUE_RANGE
347 };
348 int32_t ret = g_composerInterface->SetLayerColor(devId, layerId, layerColor);
349 if (ret != DISPLAY_SUCCESS) {
350 HDF_LOGE("%{public}s: function SetLayerColor failed", __func__);
351 }
352 return ret;
353 }
354
355 typedef int32_t (*TestFuncs[])(uint32_t, uint32_t);
356
357 TestFuncs g_testFuncs = {
358 TestSetLayerAlpha,
359 TestSetLayerRegion,
360 TestSetLayerCrop,
361 TestSetLayerZorder,
362 TestSetLayerPreMulti,
363 TestSetLayerTransformMode,
364 TestSetLayerDirtyRegion,
365 TestSetLayerVisibleRegion,
366 TestSetLayerBuffer,
367 TestSetLayerCompositionType,
368 TestSetLayerBlendType,
369 TestSetLayerColor,
370 TestSetLayerMaskInfo
371 };
372
FuzzTest(const uint8_t * rawData,size_t size)373 bool FuzzTest(const uint8_t* rawData, size_t size)
374 {
375 if (rawData == nullptr) {
376 return false;
377 }
378
379 if (!g_isInit) {
380 g_isInit = true;
381 g_composerInterface = IDisplayComposerInterface::Get();
382 if (g_composerInterface == nullptr) {
383 HDF_LOGE("%{public}s: get IDisplayComposerInterface failed", __func__);
384 return false;
385 }
386 g_bufferInterface.reset(IDisplayBuffer::Get());
387 if (g_bufferInterface == nullptr) {
388 HDF_LOGE("%{public}s: get IDisplayBuffer failed", __func__);
389 return false;
390 }
391 }
392
393 // initialize data
394 g_data = rawData;
395 g_dataSize = size;
396 g_pos = 0;
397
398 uint32_t code = GetData<uint32_t>();
399 uint32_t devId = GetData<uint32_t>();
400 uint32_t layerId = GetData<uint32_t>();
401 int32_t ret = UsingCreateLayer(devId, layerId);
402 if (ret != DISPLAY_SUCCESS) {
403 HDF_LOGE("%{public}s: function UsingCreateLayer failed", __func__);
404 return false;
405 }
406
407 uint32_t len = GetArrLength(g_testFuncs);
408 if (len == 0) {
409 HDF_LOGE("%{public}s: g_testFuncs length is equal to 0", __func__);
410 return false;
411 }
412
413 ret = g_testFuncs[code % len](devId, layerId);
414 if (ret != DISPLAY_SUCCESS) {
415 HDF_LOGE("function %{public}u failed", code % len);
416 return false;
417 }
418
419 ret = UsingCloseLayer(devId, layerId);
420 if (ret != DISPLAY_SUCCESS) {
421 HDF_LOGE("%{public}s: function UsingCloseLayer failed", __func__);
422 return false;
423 }
424
425 return true;
426 }
427 } // OHOS
428
429 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)430 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
431 {
432 if (size < OHOS::THRESHOLD) {
433 return 0;
434 }
435
436 OHOS::FuzzTest(data, size);
437 return 0;
438 }
439