1 /*
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <cutils/native_handle.h>
18 #include <fuzzer/FuzzedDataProvider.h>
19 #include <gui/BufferQueue.h>
20 #include <media/NdkImageReader.h>
21 #include <functional>
22 
23 constexpr int32_t kMaxSize = INT_MAX;
24 constexpr int32_t kMinSize = 1;
25 constexpr int32_t kMinImages = 1;
26 
27 class NdkImageReaderFuzzer {
28   public:
NdkImageReaderFuzzer(const uint8_t * data,size_t size)29     NdkImageReaderFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){};
30     void process();
31 
32   private:
33     FuzzedDataProvider mFdp;
onImageAvailable(void *,AImageReader *)34     static void onImageAvailable(void*, AImageReader*){};
onBufferRemoved(void *,AImageReader *,AHardwareBuffer *)35     static void onBufferRemoved(void*, AImageReader*, AHardwareBuffer*){};
36 };
37 
process()38 void NdkImageReaderFuzzer::process() {
39     AImageReader* reader = nullptr;
40     AImage* img = nullptr;
41     native_handle_t* handle = nullptr;
42     int32_t* acquireFenceFd = nullptr;
43     int32_t imageWidth = mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize);
44     int32_t imageHeight = mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize);
45     int32_t imageFormat = mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize);
46     int32_t imageUsage = mFdp.ConsumeIntegralInRange<int32_t>(kMinSize, kMaxSize);
47     int32_t imageMaxCount = mFdp.ConsumeIntegralInRange<int32_t>(
48             kMinImages, android::BufferQueue::MAX_MAX_ACQUIRED_BUFFERS);
49     AImageReader_ImageListener readerAvailableCb{this, NdkImageReaderFuzzer::onImageAvailable};
50     AImageReader_BufferRemovedListener readerDetachedCb{this, onBufferRemoved};
51 
52     if (mFdp.ConsumeBool()) {
53         AImageReader_new(imageWidth, imageHeight, imageFormat, imageMaxCount, &reader);
54     } else {
55         AImageReader_newWithUsage(imageWidth, imageHeight, imageFormat, imageUsage, imageMaxCount,
56                                   &reader);
57     }
58     while (mFdp.remaining_bytes()) {
59         auto ndkImageFunction = mFdp.PickValueInArray<const std::function<void()>>({
60                 [&]() { AImageReader_acquireNextImage(reader, &img); },
61                 [&]() { AImageReader_acquireLatestImage(reader, &img); },
62                 [&]() { AImageReader_setImageListener(reader, &readerAvailableCb); },
63                 [&]() { AImageReader_acquireNextImageAsync(reader, &img, acquireFenceFd); },
64                 [&]() { AImageReader_acquireLatestImageAsync(reader, &img, acquireFenceFd); },
65                 [&]() { AImageReader_setBufferRemovedListener(reader, &readerDetachedCb); },
66                 [&]() { AImageReader_getWindowNativeHandle(reader, &handle); },
67         });
68         ndkImageFunction();
69     }
70     AImageReader_delete(reader);
71 }
72 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)73 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
74     NdkImageReaderFuzzer ndkImageReaderFuzzer(data, size);
75     ndkImageReaderFuzzer.process();
76     return 0;
77 }
78