1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <gmock/gmock.h>
18 #include <gtest/gtest.h>
19 #include <vndk/hardware_buffer.h>
20 
21 #include "InputFrame.h"
22 #include "PixelFormatUtils.h"
23 #include "PixelStreamManager.h"
24 #include "gmock/gmock-matchers.h"
25 #include "Fuzz.pb.h"
26 #include "src/libfuzzer/libfuzzer_macro.h"
27 
28 namespace android {
29 namespace automotive {
30 namespace computepipe {
31 namespace runner {
32 namespace stream_manager {
33 namespace {
34 
convertToInputFrame(const fuzz::proto::Frame & frame)35 InputFrame convertToInputFrame(const fuzz::proto::Frame &frame) {
36     uint32_t height = frame.height();
37     uint32_t width = frame.width();
38     uint32_t stride = frame.stride();
39     PixelFormat pixelFormat = static_cast<PixelFormat>(frame.format());
40     const uint8_t* data = reinterpret_cast<const uint8_t*>(frame.buffer().c_str());
41     return InputFrame(height, width, pixelFormat, stride, data);
42 }
43 
setFrameDataTest(const fuzz::proto::PixelMemHandleFuzzerInput & input)44 int setFrameDataTest(const fuzz::proto::PixelMemHandleFuzzerInput& input) {
45     int bufferId = 10;
46     int streamId = 1;
47     uint64_t timestamp = 100;
48 
49     PixelMemHandle memHandle(bufferId, streamId, AHARDWAREBUFFER_USAGE_CPU_READ_OFTEN);
50     InputFrame oldInputFrame = convertToInputFrame(input.frames().Get(0));
51     memHandle.setFrameData(timestamp, oldInputFrame);
52 
53     // overwrite frame data with different format and dimensions
54     InputFrame newInputFrame = convertToInputFrame(input.frames().Get(1));
55     memHandle.setFrameData(timestamp, newInputFrame);
56 
57     AHardwareBuffer_Desc desc;
58     AHardwareBuffer* buffer = memHandle.getHardwareBuffer();
59     AHardwareBuffer_describe(buffer, &desc);
60     return 0;
61 }
62 
isValid(const fuzz::proto::PixelMemHandleFuzzerInput & input)63 bool isValid(const fuzz::proto::PixelMemHandleFuzzerInput& input) {
64     for (auto& frame : input.frames()) {
65         uint64_t height = frame.height();
66         uint64_t width = frame.width();
67         uint64_t stride = frame.stride();
68         uint64_t size = frame.buffer().size();
69         if (stride > width * height) {
70             return false;
71         }
72 
73         if (height * width != size) {
74             return false;
75         }
76 
77         if (height * width == 0) {
78             return false;
79         }
80     }
81 
82     return true;
83 }
84 
85 // generate guided and mutated frame data for fuzzing
DEFINE_PROTO_FUZZER(const fuzz::proto::PixelMemHandleFuzzerInput & input)86 DEFINE_PROTO_FUZZER(const fuzz::proto::PixelMemHandleFuzzerInput& input) {
87     static PostProcessorRegistration reg = {
88             [](const fuzz::proto::PixelMemHandleFuzzerInput* input, unsigned int seed) {
89                 if (input->frames().size() < 2) {
90                     return;
91                 }
92 
93                 if (!isValid(*input)) {
94                     return;
95                 }
96 
97                 setFrameDataTest(*input);
98             }
99     };
100 }
101 
102 }  // namespace
103 }  // namespace stream_manager
104 }  // namespace runner
105 }  // namespace computepipe
106 }  // namespace automotive
107 }  // namespace android
108