• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "nativewindow_fuzzer.h"
17 
18 #include <securec.h>
19 #include <vector>
20 #include <string>
21 
22 #include "surface.h"
23 #include "surface_buffer.h"
24 #include "surface_buffer_impl.h"
25 #include "ibuffer_producer.h"
26 #include "iconsumer_surface.h"
27 #include "native_window.h"
28 
29 namespace OHOS {
30     namespace {
31         constexpr size_t STR_LEN = 10;
32         constexpr int DEFAULT_FENCE = 100;
33         const uint8_t* g_data = nullptr;
34         size_t g_size = 0;
35         size_t g_pos;
36     }
37 
38     class BufferConsumerListener : public IBufferConsumerListener {
39     public:
OnBufferAvailable()40         void OnBufferAvailable() override
41         {
42         }
43     };
44 
45     /*
46     * describe: get data from outside untrusted data(g_data) which size is according to sizeof(T)
47     * tips: only support basic type
48     */
49     template<class T>
GetData()50     T GetData()
51     {
52         T object {};
53         size_t objectSize = sizeof(object);
54         if (g_data == nullptr || objectSize > g_size - g_pos) {
55             return object;
56         }
57         errno_t ret = memcpy_s(&object, objectSize, g_data + g_pos, objectSize);
58         if (ret != EOK) {
59             return {};
60         }
61         g_pos += objectSize;
62         return object;
63     }
64 
65     /*
66     * get a string from g_data
67     */
GetStringFromData(int strlen)68     std::string GetStringFromData(int strlen)
69     {
70         char cstr[strlen];
71         cstr[strlen - 1] = '\0';
72         for (int i = 0; i < strlen - 1; i++) {
73             char tmp = GetData<char>();
74             if (tmp == '\0') {
75                 tmp = '1';
76             }
77             cstr[i] = tmp;
78         }
79         std::string str(cstr);
80         return str;
81     }
82 
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)83     bool DoSomethingInterestingWithMyAPI(const uint8_t* data, size_t size)
84     {
85         if (data == nullptr) {
86             return false;
87         }
88 
89         // initialize
90         g_data = data;
91         g_size = size;
92         g_pos = 0;
93 
94         // get data
95         uint32_t seqNum = GetData<uint32_t>();
96         int fenceFd = GetData<int>() % 32768; // maximum fd of linux is 32768
97         // fd 0,1,2 represent stdin, stdout and stderr respectively, they should not be closed.
98         if (fenceFd >= 0 && fenceFd <= 2) {
99             fenceFd = DEFAULT_FENCE;
100         }
101         Region::Rect rect = GetData<Region::Rect>();
102         Region region = {.rects = &rect, .rectNumber = 1};
103         uint32_t sequence = GetData<uint32_t>();
104         OHScalingMode scalingMode = GetData<OHScalingMode>();
105         OHHDRMetaData metaData = GetData<OHHDRMetaData>();
106         OHHDRMetadataKey key = GetData<OHHDRMetadataKey>();
107         uint8_t metaData2[STR_LEN];
108         for (uint64_t i = 0; i < STR_LEN; i++) {
109             metaData2[i] = GetData<uint8_t>();
110         }
111         uint32_t reserveInts = GetData<uint32_t>() % 0x100000; // no more than 0x100000
112 
113         // test
114         sptr<OHOS::IConsumerSurface> cSurface = IConsumerSurface::Create();
115         sptr<IBufferConsumerListener> listener = new BufferConsumerListener();
116         cSurface->RegisterConsumerListener(listener);
117         sptr<OHOS::IBufferProducer> producer = cSurface->GetProducer();
118         sptr<OHOS::Surface> pSurface = Surface::CreateSurfaceAsProducer(producer);
119         cSurface->SetDefaultWidthAndHeight(0x100, 0x100); // width and height is 0x100
120         OHNativeWindow* nativeWindow = CreateNativeWindowFromSurface(&pSurface);
121         sptr<OHOS::SurfaceBuffer> sBuffer = new SurfaceBufferImpl(seqNum);
122         OHNativeWindowBuffer* nwBuffer = CreateNativeWindowBufferFromSurfaceBuffer(&sBuffer);
123         NativeWindowRequestBuffer(nativeWindow, &nwBuffer, &fenceFd);
124         NativeObjectReference(nwBuffer);
125         NativeWindowFlushBuffer(nativeWindow, nwBuffer, fenceFd, region);
126         NativeWindowCancelBuffer(nativeWindow, nwBuffer);
127         GetBufferHandleFromNative(nwBuffer);
128         NativeWindowSetScalingMode(nativeWindow, sequence, scalingMode);
129         std::vector<OHHDRMetaData> metaDatas = {metaData};
130         NativeWindowSetMetaData(nativeWindow, sequence, metaDatas.size(), metaDatas.data());
131         NativeWindowSetMetaDataSet(nativeWindow, sequence, key, STR_LEN, metaData2);
132         OHExtDataHandle *handle = reinterpret_cast<OHExtDataHandle *>(AllocExtDataHandle(reserveInts));
133         NativeWindowSetTunnelHandle(nativeWindow, reinterpret_cast<OHExtDataHandle *>(handle));
134         FreeExtDataHandle(reinterpret_cast<GraphicExtDataHandle *>(handle));
135         DestoryNativeWindow(nativeWindow);
136         DestroyNativeWindowBuffer(nwBuffer);
137 
138         return true;
139     }
140 } // namespace OHOS
141 
142 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)143 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
144 {
145     /* Run your code on data */
146     OHOS::DoSomethingInterestingWithMyAPI(data, size);
147     return 0;
148 }
149 
150