1 /*
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <CameraMetadata.h>
18 #include <camera/StringUtils.h>
19 #include <camera2/CaptureRequest.h>
20 #include <fuzzer/FuzzedDataProvider.h>
21 #include <gui/Surface.h>
22 #include <gui/SurfaceComposerClient.h>
23 #include <gui/view/Surface.h>
24 #include "camera2common.h"
25 
26 using namespace std;
27 using namespace android;
28 
29 constexpr int32_t kNonZeroRangeMin = 0;
30 constexpr int32_t kRangeMax = 1000;
31 constexpr int32_t kSizeMin = 1;
32 constexpr int32_t kSizeMax = 1000;
33 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)34 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
35     FuzzedDataProvider fdp = FuzzedDataProvider(data, size);
36 
37     sp<CaptureRequest> captureRequest = new CaptureRequest();
38     Parcel parcelCamCaptureReq;
39 
40     size_t physicalCameraSettingsSize =
41             fdp.ConsumeIntegralInRange<size_t>(kNonZeroRangeMin, kRangeMax);
42     if (fdp.ConsumeBool()) {
43         parcelCamCaptureReq.writeInt32(physicalCameraSettingsSize);
44     }
45 
46     for (size_t idx = 0; idx < physicalCameraSettingsSize; ++idx) {
47         string id = fdp.ConsumeRandomLengthString(kMaxBytes);
48         if (fdp.ConsumeBool()) {
49             parcelCamCaptureReq.writeString16(toString16(id));
50         }
51         CameraMetadata cameraMetadata;
52         if (fdp.ConsumeBool()) {
53             cameraMetadata = CameraMetadata();
54         } else {
55             size_t entryCapacity = fdp.ConsumeIntegralInRange<size_t>(kNonZeroRangeMin, kRangeMax);
56             size_t dataCapacity = fdp.ConsumeIntegralInRange<size_t>(kNonZeroRangeMin, kRangeMax);
57             cameraMetadata = CameraMetadata(entryCapacity, dataCapacity);
58         }
59         captureRequest->mPhysicalCameraSettings.push_back({id, cameraMetadata});
60         if (fdp.ConsumeBool()) {
61             cameraMetadata.writeToParcel(&parcelCamCaptureReq);
62         }
63     }
64 
65     captureRequest->mIsReprocess = fdp.ConsumeBool();
66     if (fdp.ConsumeBool()) {
67         parcelCamCaptureReq.writeInt32(captureRequest->mIsReprocess);
68     }
69 
70     captureRequest->mSurfaceConverted = fdp.ConsumeBool();
71     if (fdp.ConsumeBool() && captureRequest->mSurfaceConverted) {
72         // 0-sized array
73         parcelCamCaptureReq.writeInt32(0);
74     }
75 
76     if (!captureRequest->mSurfaceConverted) {
77         size_t surfaceListSize = fdp.ConsumeIntegralInRange<size_t>(kSizeMin, kSizeMax);
78         if (fdp.ConsumeBool()) {
79             parcelCamCaptureReq.writeInt32(surfaceListSize);
80         }
81         for (size_t idx = 0; idx < surfaceListSize; ++idx) {
82             sp<SurfaceComposerClient> composerClient = new SurfaceComposerClient;
83             sp<SurfaceControl> surfaceControl = composerClient->createSurface(
84                     static_cast<String8>(fdp.ConsumeRandomLengthString().c_str()) /* name */,
85                     fdp.ConsumeIntegral<uint32_t>() /* width */,
86                     fdp.ConsumeIntegral<uint32_t>() /* height */,
87                     fdp.ConsumeIntegral<int32_t>() /* format */,
88                     fdp.ConsumeIntegral<int32_t>() /* flags */);
89             if (surfaceControl) {
90                 sp<Surface> surface = surfaceControl->getSurface();
91                 captureRequest->mSurfaceList.push_back(surface);
92                 if (fdp.ConsumeBool()) {
93                     view::Surface surfaceShim;
94                     surfaceShim.name = String16((fdp.ConsumeRandomLengthString()).c_str());
95                     surfaceShim.graphicBufferProducer = surface->getIGraphicBufferProducer();
96                     surfaceShim.writeToParcel(&parcelCamCaptureReq);
97                 }
98                 surface.clear();
99             }
100             composerClient.clear();
101             surfaceControl.clear();
102         }
103     }
104 
105     size_t indexListSize = fdp.ConsumeIntegralInRange<size_t>(kSizeMin, kSizeMax);
106     if (fdp.ConsumeBool()) {
107         parcelCamCaptureReq.writeInt32(indexListSize);
108     }
109 
110     for (size_t idx = 0; idx < indexListSize; ++idx) {
111         int32_t streamIdx = fdp.ConsumeIntegral<int32_t>();
112         int32_t surfaceIdx = fdp.ConsumeIntegral<int32_t>();
113         captureRequest->mStreamIdxList.push_back(streamIdx);
114         captureRequest->mSurfaceIdxList.push_back(surfaceIdx);
115         if (fdp.ConsumeBool()) {
116             parcelCamCaptureReq.writeInt32(streamIdx);
117         }
118         if (fdp.ConsumeBool()) {
119             parcelCamCaptureReq.writeInt32(surfaceIdx);
120         }
121     }
122 
123     if (fdp.ConsumeBool()) {
124         invokeReadWriteParcelsp<CaptureRequest>(captureRequest);
125     } else {
126         invokeNewReadWriteParcelsp<CaptureRequest>(captureRequest, fdp);
127     }
128     invokeReadWriteNullParcelsp<CaptureRequest>(captureRequest);
129     parcelCamCaptureReq.setDataPosition(0);
130     captureRequest->readFromParcel(&parcelCamCaptureReq);
131     captureRequest.clear();
132     return 0;
133 }
134