1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "camera_device_fuzzer.h"
17 #include "camera_log.h"
18 #include "camera_xcollie.h"
19 #include "input/camera_manager.h"
20 #include "metadata_utils.h"
21 #include "ipc_skeleton.h"
22 #include "access_token.h"
23 #include "hap_token_info.h"
24 #include "accesstoken_kit.h"
25 #include "nativetoken_kit.h"
26 #include "token_setproc.h"
27 using namespace std;
28
29 namespace OHOS {
30 namespace CameraStandard {
31 const std::u16string FORMMGR_INTERFACE_TOKEN = u"ICameraDeviceService";
32 const size_t LIMITCOUNT = 4;
33 const int32_t NUM_2 = 2;
34 const int32_t NUM_10 = 10;
35 const int32_t NUM_100 = 100;
36 bool g_isCameraDevicePermission = false;
37 sptr<HCameraHostManager> fuzzCameraHostManager = nullptr;
38 HCameraDevice *fuzzCameraDevice = nullptr;
39
CameraDeviceFuzzTestGetPermission()40 void CameraDeviceFuzzTestGetPermission()
41 {
42 if (!g_isCameraDevicePermission) {
43 uint64_t tokenId;
44 const char *perms[0];
45 perms[0] = "ohos.permission.CAMERA";
46 NativeTokenInfoParams infoInstance = { .dcapsNum = 0, .permsNum = 1, .aclsNum = 0, .dcaps = NULL,
47 .perms = perms, .acls = NULL, .processName = "camera_capture", .aplStr = "system_basic",
48 };
49 tokenId = GetAccessTokenId(&infoInstance);
50 SetSelfTokenID(tokenId);
51 OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
52 g_isCameraDevicePermission = true;
53 }
54 }
55
CameraDeviceFuzzTest(uint8_t * rawData,size_t size)56 void CameraDeviceFuzzTest(uint8_t *rawData, size_t size)
57 {
58 if (rawData == nullptr || size < NUM_2) {
59 return;
60 }
61 CameraDeviceFuzzTestGetPermission();
62
63 int32_t itemCount = NUM_10;
64 int32_t dataSize = NUM_100;
65 int32_t *streams = reinterpret_cast<int32_t *>(rawData);
66 std::shared_ptr<OHOS::Camera::CameraMetadata> ability;
67 ability = std::make_shared<OHOS::Camera::CameraMetadata>(itemCount, dataSize);
68 ability->addEntry(OHOS_ABILITY_STREAM_AVAILABLE_EXTEND_CONFIGURATIONS, streams, size / LIMITCOUNT);
69 int32_t compensationRange[2] = {rawData[0], rawData[1]};
70 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_RANGE, compensationRange,
71 sizeof(compensationRange) / sizeof(compensationRange[0]));
72 float focalLength = rawData[0];
73 ability->addEntry(OHOS_ABILITY_FOCAL_LENGTH, &focalLength, 1);
74
75 int32_t sensorOrientation = rawData[0];
76 ability->addEntry(OHOS_SENSOR_ORIENTATION, &sensorOrientation, 1);
77
78 int32_t cameraPosition = rawData[0];
79 ability->addEntry(OHOS_ABILITY_CAMERA_POSITION, &cameraPosition, 1);
80
81 const camera_rational_t aeCompensationStep[] = {{rawData[0], rawData[1]}};
82 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_STEP, &aeCompensationStep,
83 sizeof(aeCompensationStep) / sizeof(aeCompensationStep[0]));
84
85 MessageParcel data;
86 data.WriteInterfaceToken(FORMMGR_INTERFACE_TOKEN);
87 CHECK_AND_RETURN_LOG(OHOS::Camera::MetadataUtils::EncodeCameraMetadata(ability, data),
88 "CameraDeviceFuzzer: EncodeCameraMetadata Error");
89 data.RewindRead(0);
90 MessageParcel reply;
91 MessageOption option;
92 if (fuzzCameraDevice == nullptr || fuzzCameraHostManager == nullptr) {
93 fuzzCameraHostManager = new(std::nothrow) HCameraHostManager(nullptr);
94 if (fuzzCameraHostManager == nullptr) {
95 return;
96 }
97 fuzzCameraDevice = new(std::nothrow) HCameraDevice(fuzzCameraHostManager, "", 0);
98 if (fuzzCameraDevice == nullptr) {
99 return;
100 }
101 }
102 if (fuzzCameraDevice) {
103 uint32_t code = 4;
104 fuzzCameraDevice->OnRemoteRequest(code, data, reply, option);
105 }
106 }
107
CameraDeviceFuzzTestUpdateSetting(uint8_t * rawData,size_t size)108 void CameraDeviceFuzzTestUpdateSetting(uint8_t *rawData, size_t size)
109 {
110 if (rawData == nullptr || size < NUM_2) {
111 return;
112 }
113 CameraDeviceFuzzTestGetPermission();
114
115 int32_t itemCount = NUM_10;
116 int32_t dataSize = NUM_100;
117 int32_t *streams = reinterpret_cast<int32_t *>(rawData);
118 auto ability = std::make_shared<OHOS::Camera::CameraMetadata>(itemCount, dataSize);
119 ability->addEntry(OHOS_ABILITY_STREAM_AVAILABLE_EXTEND_CONFIGURATIONS, streams, size / LIMITCOUNT);
120 int32_t compensationRange[2] = {rawData[0], rawData[1]};
121 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_RANGE, compensationRange,
122 sizeof(compensationRange) / sizeof(compensationRange[0]));
123 float focalLength = rawData[0];
124 ability->addEntry(OHOS_ABILITY_FOCAL_LENGTH, &focalLength, 1);
125
126 int32_t sensorOrientation = rawData[0];
127 ability->addEntry(OHOS_SENSOR_ORIENTATION, &sensorOrientation, 1);
128
129 int32_t cameraPosition = rawData[0];
130 ability->addEntry(OHOS_ABILITY_CAMERA_POSITION, &cameraPosition, 1);
131
132 const camera_rational_t aeCompensationStep[] = {{rawData[0], rawData[1]}};
133 ability->addEntry(OHOS_CONTROL_AE_COMPENSATION_STEP, &aeCompensationStep,
134 sizeof(aeCompensationStep) / sizeof(aeCompensationStep[0]));
135 if (fuzzCameraDevice) {
136 fuzzCameraDevice->UpdateSettingOnce(ability);
137 fuzzCameraDevice->UpdateSetting(ability);
138 auto out = std::make_shared<OHOS::Camera::CameraMetadata>(itemCount, dataSize);
139 fuzzCameraDevice->GetStatus(ability, out);
140 std::vector<HDI::Camera::V1_1::StreamInfo_V1_1> streamInfos;
141 fuzzCameraDevice->UpdateStreams(streamInfos);
142 MessageParcel data;
143 data.WriteRawData(rawData, size);
144 fuzzCameraDevice->CreateAndCommitStreams(streamInfos, ability, data.ReadInt32());
145 vector<uint8_t> result;
146 OHOS::Camera::MetadataUtils::ConvertMetadataToVec(ability, result);
147 fuzzCameraDevice->OnResult(data.ReadUint64(), result);
148 auto type = OHOS::HDI::Camera::V1_0::ErrorType::REQUEST_TIMEOUT;
149 fuzzCameraDevice->OnError(type, data.ReadInt32());
150 }
151 }
152
CameraDeviceFuzzTest2Case1(uint8_t * rawData,size_t size)153 void CameraDeviceFuzzTest2Case1(uint8_t *rawData, size_t size)
154 {
155 MessageParcel data;
156 data.WriteRawData(rawData, size);
157 if (fuzzCameraDevice) {
158 fuzzCameraDevice->GetStreamOperatorCallback();
159 fuzzCameraDevice->GetCallerToken();
160 fuzzCameraDevice->GetDeviceAbility();
161 fuzzCameraDevice->GetCameraType();
162 fuzzCameraDevice->GetCameraId();
163 fuzzCameraDevice->GetStreamOperator();
164 }
165 }
166
CameraDeviceFuzzTest2Case2(uint8_t * rawData,size_t size)167 void CameraDeviceFuzzTest2Case2(uint8_t *rawData, size_t size)
168 {
169 // 运行会出错
170 MessageParcel data;
171 data.WriteRawData(rawData, size);
172 sptr<ICameraDeviceServiceCallback> callback(new ICameraDeviceServiceCallbackMock());
173 fuzzCameraDevice->SetCallback(callback);
174 wptr<IStreamOperatorCallback> opCallback(new IStreamOperatorCallbackMock());
175 fuzzCameraDevice->SetStreamOperatorCallback(opCallback);
176 vector<int32_t> results{data.ReadInt32()};
177 fuzzCameraDevice->EnableResult(results);
178 fuzzCameraDevice->DisableResult(results);
179 fuzzCameraDevice->CloneCachedSettings();
180 fuzzCameraDevice->DispatchDefaultSettingToHdi();
181 fuzzCameraDevice->Release();
182 fuzzCameraDevice->Close();
183 uint64_t secureSeqId;
184 fuzzCameraDevice->GetSecureCameraSeq(&secureSeqId);
185 fuzzCameraDevice->OpenSecureCamera(&secureSeqId);
186 }
187
CameraDeviceFuzzTest2Case3(uint8_t * rawData,size_t size)188 void CameraDeviceFuzzTest2Case3(uint8_t *rawData, size_t size)
189 {
190 // 运行会出错
191 MessageParcel data;
192 data.WriteRawData(rawData, size);
193 if (fuzzCameraDevice) {
194 vector<int32_t> streamIds{data.ReadInt32()};
195 fuzzCameraDevice->OnFrameShutter(data.ReadInt32(), streamIds, data.ReadUint64());
196 fuzzCameraDevice->OnFrameShutterEnd(data.ReadInt32(), streamIds, data.ReadUint64());
197 fuzzCameraDevice->OnCaptureReady(data.ReadInt32(), streamIds, data.ReadUint64());
198 vector<OHOS::HDI::Camera::V1_2::CaptureStartedInfo> infos{{data.ReadInt32(), data.ReadInt32()}};
199 fuzzCameraDevice->OnCaptureStarted_V1_2(data.ReadInt32(), infos);
200 vector<CaptureEndedInfo> endedInfos{{data.ReadInt32(), data.ReadInt32()}};
201 fuzzCameraDevice->OnCaptureEnded(data.ReadInt32(), endedInfos);
202 vector<OHOS::HDI::Camera::V1_3::CaptureEndedInfoExt> endedInfosExt;
203 fuzzCameraDevice->OnCaptureEndedExt(data.ReadInt32(), endedInfosExt);
204 auto err = static_cast<OHOS::HDI::Camera::V1_0::StreamError>(data.ReadInt32());
205 vector<CaptureErrorInfo> errorInfos{{data.ReadInt32(), err}};
206 fuzzCameraDevice->OnCaptureError(data.ReadInt32(), errorInfos);
207 fuzzCameraDevice->OnCaptureStarted(data.ReadInt32(), streamIds);
208 }
209 }
210
CameraDeviceFuzzTest2(uint8_t * rawData,size_t size)211 void CameraDeviceFuzzTest2(uint8_t *rawData, size_t size)
212 {
213 if (rawData == nullptr || size < NUM_2) {
214 return;
215 }
216 MessageParcel data;
217 data.WriteRawData(rawData, size);
218 if (fuzzCameraDevice) {
219 fuzzCameraDevice->OperatePermissionCheck(data.ReadUint32());
220 fuzzCameraDevice->CheckMovingPhotoSupported(data.ReadInt32());
221 fuzzCameraDevice->NotifyCameraStatus(data.ReadInt32());
222 fuzzCameraDevice->RemoveResourceWhenHostDied();
223 fuzzCameraDevice->NotifyCameraSessionStatus(data.ReadBool());
224 std::vector<int32_t> releaseStreamIds;
225 fuzzCameraDevice->ReleaseStreams(releaseStreamIds);
226 fuzzCameraDevice->Open();
227 CameraDeviceFuzzTest2Case1(rawData, size);
228 fuzzCameraDevice->ResetDeviceSettings();
229 fuzzCameraDevice->SetDeviceMuteMode(data.ReadBool());
230 fuzzCameraDevice->IsOpenedCameraDevice();
231 fuzzCameraDevice->CloseDevice();
232 }
233 fuzzCameraDevice = nullptr;
234 }
235
GetPermission()236 void GetPermission()
237 {
238 uint64_t tokenId;
239 const char* perms[2];
240 perms[0] = "ohos.permission.DISTRIBUTED_DATASYNC";
241 perms[1] = "ohos.permission.CAMERA";
242 NativeTokenInfoParams infoInstance = {
243 .dcapsNum = 0,
244 .permsNum = 2,
245 .aclsNum = 0,
246 .dcaps = NULL,
247 .perms = perms,
248 .acls = NULL,
249 .processName = "native_camera_tdd",
250 .aplStr = "system_basic",
251 };
252 tokenId = GetAccessTokenId(&infoInstance);
253 SetSelfTokenID(tokenId);
254 OHOS::Security::AccessToken::AccessTokenKit::ReloadNativeTokenInfo();
255 }
256
Test3(uint8_t * rawData,size_t size)257 void Test3(uint8_t *rawData, size_t size)
258 {
259 if (rawData == nullptr || size < NUM_2) {
260 return;
261 }
262 GetPermission();
263 auto manager = CameraManager::GetInstance();
264 auto cameras = manager->GetSupportedCameras();
265 CHECK_AND_RETURN_LOG(cameras.size() >= NUM_2, "PhotoOutputFuzzer: GetSupportedCameras Error");
266 MessageParcel data;
267 data.WriteRawData(rawData, size);
268 sptr<CameraDevice> camera = cameras[data.ReadUint32() % cameras.size()];
269 camera->GetID();
270 camera->GetMetadata();
271 camera->ResetMetadata();
272 camera->GetCameraAbility();
273 camera->GetPosition();
274 camera->GetCameraType();
275 camera->GetConnectionType();
276 camera->GetCameraFoldScreenType();
277 camera->GetHostName();
278 camera->GetDeviceType();
279 camera->GetNetWorkId();
280 camera->GetCameraOrientation();
281 camera->GetZoomRatioRange();
282 camera->GetExposureBiasRange();
283 camera->GetModuleType();
284 CameraFormat format = static_cast<CameraFormat>(data.ReadInt32());
285 auto capability = manager->GetSupportedOutputCapability(camera);
286 CHECK_AND_RETURN_LOG(capability, "PhotoOutputFuzzer: GetSupportedOutputCapability Error");
287 vector<Profile> profiles = capability->GetPhotoProfiles();
288 camera->GetMaxSizeProfile(profiles, data.ReadFloat(), format);
289 auto profiles2 = capability->GetVideoProfiles();
290 camera->GetMaxSizeProfile(profiles2, data.ReadFloat(), format);
291 }
292
TestXCollie(uint8_t * rawData,size_t size)293 void TestXCollie(uint8_t *rawData, size_t size)
294 {
295 CHECK_ERROR_RETURN(rawData == nullptr || size < NUM_2);
296 MessageParcel data;
297 data.WriteRawData(rawData, size);
298 string tag = data.ReadString();
299 uint32_t flag = data.ReadInt32();
300 uint32_t timeoutSeconds = data.ReadUint32();
301 auto func = [](void*) {};
302 #ifndef HICOLLIE_ENABLE
303 #define HICOLLIE_ENABLE
304 #endif
305 {
306 CameraXCollie collie(tag, flag, timeoutSeconds, func, nullptr);
307 collie.CancelCameraXCollie();
308 }
309 #undef HICOLLIE_ENABLE
310 {
311 CameraXCollie collie(tag, flag, timeoutSeconds, func, nullptr);
312 collie.CancelCameraXCollie();
313 }
314 }
315 } // namespace CameraStandard
316 } // namespace OHOS
317
318 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(uint8_t * data,size_t size)319 extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size)
320 {
321 /* Run your code on data */
322 OHOS::CameraStandard::CameraDeviceFuzzTest(data, size);
323 OHOS::CameraStandard::CameraDeviceFuzzTestUpdateSetting(data, size);
324 OHOS::CameraStandard::CameraDeviceFuzzTest2(data, size);
325 OHOS::CameraStandard::Test3(data, size);
326 OHOS::CameraStandard::TestXCollie(data, size);
327 return 0;
328 }
329
330