1 /******************************************************************************
2 *
3 * Copyright (C) 2021 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************
18 * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
19 */
20
21 #define LOG_TAG "CameraServiceFuzzer"
22 //#define LOG_NDEBUG 0
23
24 #include <CameraService.h>
25 #include <device3/Camera3StreamInterface.h>
26 #include <android/hardware/BnCameraServiceListener.h>
27 #include <android/hardware/camera2/BnCameraDeviceCallbacks.h>
28 #include <android/hardware/ICameraServiceListener.h>
29 #include <android/hardware/camera2/ICameraDeviceUser.h>
30 #include <camera/camera2/OutputConfiguration.h>
31 #include <gui/BufferItemConsumer.h>
32 #include <gui/IGraphicBufferProducer.h>
33 #include <gui/Surface.h>
34 #include <gui/SurfaceComposerClient.h>
35 #include <private/android_filesystem_config.h>
36 #include "fuzzer/FuzzedDataProvider.h"
37
38 using namespace android;
39 using namespace hardware;
40 using namespace std;
41
42 const int32_t kPreviewThreshold = 8;
43 const int32_t kNumRequestsTested = 8;
44 const nsecs_t kPreviewTimeout = 5000000000; // .5 [s.]
45 const nsecs_t kEventTimeout = 10000000000; // 1 [s.]
46 const size_t kMaxNumLines = USHRT_MAX;
47 const size_t kMinArgs = 1;
48 const size_t kMaxArgs = 5;
49 const int32_t kCamType[] = {hardware::ICameraService::CAMERA_TYPE_BACKWARD_COMPATIBLE,
50 hardware::ICameraService::CAMERA_TYPE_ALL};
51 const int kCameraApiVersion[] = {android::CameraService::API_VERSION_1,
52 android::CameraService::API_VERSION_2};
53 const uint8_t kSensorPixelModes[] = {ANDROID_SENSOR_PIXEL_MODE_DEFAULT,
54 ANDROID_SENSOR_PIXEL_MODE_MAXIMUM_RESOLUTION};
55 const int32_t kRequestTemplates[] = {
56 hardware::camera2::ICameraDeviceUser::TEMPLATE_PREVIEW,
57 hardware::camera2::ICameraDeviceUser::TEMPLATE_STILL_CAPTURE,
58 hardware::camera2::ICameraDeviceUser::TEMPLATE_RECORD,
59 hardware::camera2::ICameraDeviceUser::TEMPLATE_VIDEO_SNAPSHOT,
60 hardware::camera2::ICameraDeviceUser::TEMPLATE_MANUAL,
61 hardware::camera2::ICameraDeviceUser::TEMPLATE_ZERO_SHUTTER_LAG
62 };
63
64 const int32_t kRotations[] = {
65 camera3::CAMERA_STREAM_ROTATION_0,
66 camera3::CAMERA_STREAM_ROTATION_90,
67 camera3::CAMERA_STREAM_ROTATION_270
68 };
69
70 const int kLayerMetadata[] = {
71 0x00100000 /*GRALLOC_USAGE_RENDERSCRIPT*/, 0x00000003 /*GRALLOC_USAGE_SW_READ_OFTEN*/,
72 0x00000100 /*GRALLOC_USAGE_HW_TEXTURE*/, 0x00000800 /*GRALLOC_USAGE_HW_COMPOSER*/,
73 0x00000200 /*GRALLOC_USAGE_HW_RENDER*/, 0x00010000 /*GRALLOC_USAGE_HW_VIDEO_ENCODER*/};
74 const int kCameraMsg[] = {0x001 /*CAMERA_MSG_ERROR*/,
75 0x002 /*CAMERA_MSG_SHUTTER*/,
76 0x004 /*CAMERA_MSG_FOCUS*/,
77 0x008 /*CAMERA_MSG_ZOOM*/,
78 0x010 /*CAMERA_MSG_PREVIEW_FRAME*/,
79 0x020 /*CAMERA_MSG_VIDEO_FRAME */,
80 0x040 /*CAMERA_MSG_POSTVIEW_FRAME*/,
81 0x080 /*CAMERA_MSG_RAW_IMAGE */,
82 0x100 /*CAMERA_MSG_COMPRESSED_IMAGE*/,
83 0x200 /*CAMERA_MSG_RAW_IMAGE_NOTIFY*/,
84 0x400 /*CAMERA_MSG_PREVIEW_METADATA*/,
85 0x800 /*CAMERA_MSG_FOCUS_MOVE*/};
86 const int32_t kEventId[] = {ICameraService::EVENT_USER_SWITCHED, ICameraService::EVENT_NONE};
87 const android::CameraService::sound_kind kSoundKind[] = {
88 android::CameraService::SOUND_SHUTTER, android::CameraService::SOUND_RECORDING_START,
89 android::CameraService::SOUND_RECORDING_STOP};
90 const String16 kShellCmd[] = {String16("set-uid-state"), String16("reset-uid-state"),
91 String16("get-uid-state"), String16("set-rotate-and-crop"),
92 String16("get-rotate-and-crop"), String16("help")};
93 const size_t kNumLayerMetaData = size(kLayerMetadata);
94 const size_t kNumCameraMsg = size(kCameraMsg);
95 const size_t kNumSoundKind = size(kSoundKind);
96 const size_t kNumShellCmd = size(kShellCmd);
97
98 class CameraFuzzer : public ::android::hardware::BnCameraClient {
99 public:
CameraFuzzer(sp<CameraService> cs,std::shared_ptr<FuzzedDataProvider> fp)100 CameraFuzzer(sp<CameraService> cs, std::shared_ptr<FuzzedDataProvider> fp) :
101 mCameraService(cs), mFuzzedDataProvider(fp) {};
~CameraFuzzer()102 ~CameraFuzzer() { deInit(); }
103 void process();
104 void deInit();
105
106 private:
107 sp<CameraService> mCameraService = nullptr;
108 std::shared_ptr<FuzzedDataProvider> mFuzzedDataProvider = nullptr;
109 sp<SurfaceComposerClient> mComposerClient = nullptr;
110 int32_t mNumCameras = 0;
111 size_t mPreviewBufferCount = 0;
112 bool mAutoFocusMessage = false;
113 bool mSnapshotNotification = false;
114 mutable Mutex mPreviewLock;
115 mutable Condition mPreviewCondition;
116 mutable Mutex mAutoFocusLock;
117 mutable Condition mAutoFocusCondition;
118 mutable Mutex mSnapshotLock;
119 mutable Condition mSnapshotCondition;
120
121 void getNumCameras();
122 void getCameraInformation(int32_t cameraId);
123 void invokeCameraAPIs();
124 void invokeCameraSound();
125 void invokeDump();
126 void invokeShellCommand();
127 void invokeNotifyCalls();
128
129 // CameraClient interface
130 void notifyCallback(int32_t msgType, int32_t, int32_t) override;
131 void dataCallback(int32_t msgType, const sp<IMemory> &, camera_frame_metadata_t *) override;
dataCallbackTimestamp(nsecs_t,int32_t,const sp<IMemory> &)132 void dataCallbackTimestamp(nsecs_t, int32_t, const sp<IMemory> &) override{};
recordingFrameHandleCallbackTimestamp(nsecs_t,native_handle_t *)133 void recordingFrameHandleCallbackTimestamp(nsecs_t, native_handle_t *) override{};
recordingFrameHandleCallbackTimestampBatch(const std::vector<nsecs_t> &,const std::vector<native_handle_t * > &)134 void recordingFrameHandleCallbackTimestampBatch(
135 const std::vector<nsecs_t> &, const std::vector<native_handle_t *> &) override{};
136 status_t waitForPreviewStart();
137 status_t waitForEvent(Mutex &mutex, Condition &condition, bool &flag);
138 };
139
notifyCallback(int32_t msgType,int32_t,int32_t)140 void CameraFuzzer::notifyCallback(int32_t msgType, int32_t, int32_t) {
141 if (CAMERA_MSG_FOCUS == msgType) {
142 Mutex::Autolock l(mAutoFocusLock);
143 mAutoFocusMessage = true;
144 mAutoFocusCondition.broadcast();
145 }
146 };
147
dataCallback(int32_t msgType,const sp<IMemory> &,camera_frame_metadata_t *)148 void CameraFuzzer::dataCallback(int32_t msgType, const sp<IMemory> & /*data*/,
149 camera_frame_metadata_t *) {
150 switch (msgType) {
151 case CAMERA_MSG_PREVIEW_FRAME: {
152 Mutex::Autolock l(mPreviewLock);
153 ++mPreviewBufferCount;
154 mPreviewCondition.broadcast();
155 break;
156 }
157 case CAMERA_MSG_COMPRESSED_IMAGE: {
158 Mutex::Autolock l(mSnapshotLock);
159 mSnapshotNotification = true;
160 mSnapshotCondition.broadcast();
161 break;
162 }
163 default:
164 break;
165 }
166 };
167
waitForPreviewStart()168 status_t CameraFuzzer::waitForPreviewStart() {
169 status_t rc = NO_ERROR;
170 Mutex::Autolock l(mPreviewLock);
171 mPreviewBufferCount = 0;
172
173 while (mPreviewBufferCount < kPreviewThreshold) {
174 rc = mPreviewCondition.waitRelative(mPreviewLock, kPreviewTimeout);
175 if (NO_ERROR != rc) {
176 break;
177 }
178 }
179
180 return rc;
181 }
182
waitForEvent(Mutex & mutex,Condition & condition,bool & flag)183 status_t CameraFuzzer::waitForEvent(Mutex &mutex, Condition &condition, bool &flag) {
184 status_t rc = NO_ERROR;
185 Mutex::Autolock l(mutex);
186 flag = false;
187
188 while (!flag) {
189 rc = condition.waitRelative(mutex, kEventTimeout);
190 if (NO_ERROR != rc) {
191 break;
192 }
193 }
194
195 return rc;
196 }
197
deInit()198 void CameraFuzzer::deInit() {
199 if (mComposerClient) {
200 mComposerClient->dispose();
201 }
202 }
203
getNumCameras()204 void CameraFuzzer::getNumCameras() {
205 bool shouldPassInvalidCamType = mFuzzedDataProvider->ConsumeBool();
206 int32_t camType;
207 if (shouldPassInvalidCamType) {
208 camType = mFuzzedDataProvider->ConsumeIntegral<int32_t>();
209 } else {
210 camType = kCamType[mFuzzedDataProvider->ConsumeBool()];
211 }
212 mCameraService->getNumberOfCameras(camType, &mNumCameras);
213 }
214
getCameraInformation(int32_t cameraId)215 void CameraFuzzer::getCameraInformation(int32_t cameraId) {
216 String16 cameraIdStr = String16(String8::format("%d", cameraId));
217 bool isSupported = false;
218 mCameraService->supportsCameraApi(
219 cameraIdStr, kCameraApiVersion[mFuzzedDataProvider->ConsumeBool()], &isSupported);
220 mCameraService->isHiddenPhysicalCamera(cameraIdStr, &isSupported);
221
222 String16 parameters;
223 mCameraService->getLegacyParameters(cameraId, ¶meters);
224
225 std::vector<hardware::camera2::utils::ConcurrentCameraIdCombination> concurrentCameraIds;
226 mCameraService->getConcurrentCameraIds(&concurrentCameraIds);
227
228 hardware::camera2::params::VendorTagDescriptorCache cache;
229 mCameraService->getCameraVendorTagCache(&cache);
230
231 CameraInfo cameraInfo;
232 mCameraService->getCameraInfo(cameraId, &cameraInfo);
233
234 CameraMetadata metadata;
235 mCameraService->getCameraCharacteristics(cameraIdStr,
236 /*targetSdkVersion*/__ANDROID_API_FUTURE__, &metadata);
237 }
238
invokeCameraSound()239 void CameraFuzzer::invokeCameraSound() {
240 mCameraService->increaseSoundRef();
241 mCameraService->decreaseSoundRef();
242 bool shouldPassInvalidPlaySound = mFuzzedDataProvider->ConsumeBool();
243 bool shouldPassInvalidLockSound = mFuzzedDataProvider->ConsumeBool();
244 android::CameraService::sound_kind playSound, lockSound;
245 if (shouldPassInvalidPlaySound) {
246 playSound = static_cast<android::CameraService::sound_kind>(
247 mFuzzedDataProvider->ConsumeIntegral<size_t>());
248 } else {
249 playSound =
250 kSoundKind[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kNumSoundKind - 1)];
251 }
252
253 if (shouldPassInvalidLockSound) {
254 lockSound = static_cast<android::CameraService::sound_kind>(
255 mFuzzedDataProvider->ConsumeIntegral<size_t>());
256 } else {
257 lockSound =
258 kSoundKind[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kNumSoundKind - 1)];
259 }
260 mCameraService->playSound(playSound);
261 mCameraService->loadSoundLocked(lockSound);
262 }
263
invokeDump()264 void CameraFuzzer::invokeDump() {
265 Vector<String16> args;
266 size_t numberOfLines = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kMaxNumLines);
267 for (size_t lineIdx = 0; lineIdx < numberOfLines; ++lineIdx) {
268 args.add(static_cast<String16>(mFuzzedDataProvider->ConsumeRandomLengthString().c_str()));
269 }
270 const char *fileName = "logDumpFile";
271 int fd = memfd_create(fileName, MFD_ALLOW_SEALING);
272 mCameraService->dump(fd, args);
273 close(fd);
274 }
275
invokeShellCommand()276 void CameraFuzzer::invokeShellCommand() {
277 int in = mFuzzedDataProvider->ConsumeIntegral<int>();
278 int out = mFuzzedDataProvider->ConsumeIntegral<int>();
279 int err = mFuzzedDataProvider->ConsumeIntegral<int>();
280 Vector<String16> args;
281 size_t numArgs = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(kMinArgs, kMaxArgs);
282 for (size_t argsIdx = 0; argsIdx < numArgs; ++argsIdx) {
283 bool shouldPassInvalidCommand = mFuzzedDataProvider->ConsumeBool();
284 if (shouldPassInvalidCommand) {
285 args.add(
286 static_cast<String16>(mFuzzedDataProvider->ConsumeRandomLengthString().c_str()));
287 } else {
288 args.add(kShellCmd[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
289 0, kNumShellCmd - 1)]);
290 }
291 }
292 mCameraService->shellCommand(in, out, err, args);
293 }
294
invokeNotifyCalls()295 void CameraFuzzer::invokeNotifyCalls() {
296 mCameraService->notifyMonitoredUids();
297 int64_t newState = mFuzzedDataProvider->ConsumeIntegral<int64_t>();
298 mCameraService->notifyDeviceStateChange(newState);
299 std::vector<int32_t> args;
300 size_t numArgs = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(kMinArgs, kMaxArgs);
301 for (size_t argsIdx = 0; argsIdx < numArgs; ++argsIdx) {
302 args.push_back(mFuzzedDataProvider->ConsumeIntegral<int32_t>());
303 }
304 bool shouldPassInvalidEvent = mFuzzedDataProvider->ConsumeBool();
305 int32_t eventId;
306 if (shouldPassInvalidEvent) {
307 eventId = mFuzzedDataProvider->ConsumeIntegral<int32_t>();
308 } else {
309 eventId = kEventId[mFuzzedDataProvider->ConsumeBool()];
310 }
311 mCameraService->notifySystemEvent(eventId, args);
312 }
313
invokeCameraAPIs()314 void CameraFuzzer::invokeCameraAPIs() {
315 for (int32_t cameraId = 0; cameraId < mNumCameras; ++cameraId) {
316 getCameraInformation(cameraId);
317
318 ::android::binder::Status rc;
319 sp<ICamera> cameraDevice;
320
321 rc = mCameraService->connect(this, cameraId, String16(),
322 android::CameraService::USE_CALLING_UID, android::CameraService::USE_CALLING_PID,
323 /*targetSdkVersion*/__ANDROID_API_FUTURE__, &cameraDevice);
324 if (!rc.isOk()) {
325 // camera not connected
326 return;
327 }
328 if (cameraDevice) {
329 sp<Surface> previewSurface;
330 sp<SurfaceControl> surfaceControl;
331 CameraParameters params(cameraDevice->getParameters());
332 String8 focusModes(params.get(CameraParameters::KEY_SUPPORTED_FOCUS_MODES));
333 bool isAFSupported = false;
334 const char *focusMode = nullptr;
335
336 if (focusModes.contains(CameraParameters::FOCUS_MODE_AUTO)) {
337 isAFSupported = true;
338 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_CONTINUOUS_PICTURE)) {
339 isAFSupported = true;
340 focusMode = CameraParameters::FOCUS_MODE_CONTINUOUS_PICTURE;
341 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_CONTINUOUS_VIDEO)) {
342 isAFSupported = true;
343 focusMode = CameraParameters::FOCUS_MODE_CONTINUOUS_VIDEO;
344 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_MACRO)) {
345 isAFSupported = true;
346 focusMode = CameraParameters::FOCUS_MODE_MACRO;
347 }
348 if (nullptr != focusMode) {
349 params.set(CameraParameters::KEY_FOCUS_MODE, focusMode);
350 cameraDevice->setParameters(params.flatten());
351 }
352 int previewWidth, previewHeight;
353 params.getPreviewSize(&previewWidth, &previewHeight);
354
355 mComposerClient = new SurfaceComposerClient;
356 mComposerClient->initCheck();
357
358 bool shouldPassInvalidLayerMetaData = mFuzzedDataProvider->ConsumeBool();
359 int layerMetaData;
360 if (shouldPassInvalidLayerMetaData) {
361 layerMetaData = mFuzzedDataProvider->ConsumeIntegral<int>();
362 } else {
363 layerMetaData = kLayerMetadata[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
364 0, kNumLayerMetaData - 1)];
365 }
366 surfaceControl = mComposerClient->createSurface(
367 String8("Test Surface"), previewWidth, previewHeight,
368 CameraParameters::previewFormatToEnum(params.getPreviewFormat()), layerMetaData);
369
370 if (surfaceControl.get() != nullptr) {
371 SurfaceComposerClient::Transaction{}
372 .setLayer(surfaceControl, 0x7fffffff)
373 .show(surfaceControl)
374 .apply();
375
376 previewSurface = surfaceControl->getSurface();
377 cameraDevice->setPreviewTarget(previewSurface->getIGraphicBufferProducer());
378 }
379 cameraDevice->setPreviewCallbackFlag(CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER);
380
381 Vector<Size> pictureSizes;
382 params.getSupportedPictureSizes(pictureSizes);
383
384 for (size_t i = 0; i < pictureSizes.size(); ++i) {
385 params.setPictureSize(pictureSizes[i].width, pictureSizes[i].height);
386 cameraDevice->setParameters(params.flatten());
387 cameraDevice->startPreview();
388 waitForPreviewStart();
389 cameraDevice->autoFocus();
390 waitForEvent(mAutoFocusLock, mAutoFocusCondition, mAutoFocusMessage);
391 bool shouldPassInvalidCameraMsg = mFuzzedDataProvider->ConsumeBool();
392 int msgType;
393 if (shouldPassInvalidCameraMsg) {
394 msgType = mFuzzedDataProvider->ConsumeIntegral<int>();
395 } else {
396 msgType = kCameraMsg[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
397 0, kNumCameraMsg - 1)];
398 }
399 cameraDevice->takePicture(msgType);
400
401 waitForEvent(mSnapshotLock, mSnapshotCondition, mSnapshotNotification);
402 }
403
404 Vector<Size> videoSizes;
405 params.getSupportedVideoSizes(videoSizes);
406
407 for (size_t i = 0; i < videoSizes.size(); ++i) {
408 params.setVideoSize(videoSizes[i].width, videoSizes[i].height);
409
410 cameraDevice->setParameters(params.flatten());
411 cameraDevice->startPreview();
412 waitForPreviewStart();
413 cameraDevice->setVideoBufferMode(
414 android::hardware::BnCamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE);
415 cameraDevice->setVideoTarget(previewSurface->getIGraphicBufferProducer());
416 cameraDevice->startRecording();
417 cameraDevice->stopRecording();
418 }
419 cameraDevice->stopPreview();
420 cameraDevice->disconnect();
421 }
422 }
423 }
424
process()425 void CameraFuzzer::process() {
426 getNumCameras();
427 invokeCameraSound();
428 if (mNumCameras > 0) {
429 invokeCameraAPIs();
430 }
431 invokeDump();
432 invokeShellCommand();
433 invokeNotifyCalls();
434 }
435
436 class TestCameraServiceListener : public hardware::BnCameraServiceListener {
437 public:
~TestCameraServiceListener()438 virtual ~TestCameraServiceListener() {};
439
onStatusChanged(int32_t,const String16 &)440 virtual binder::Status onStatusChanged(int32_t , const String16&) {
441 return binder::Status::ok();
442 };
443
onPhysicalCameraStatusChanged(int32_t,const String16 &,const String16 &)444 virtual binder::Status onPhysicalCameraStatusChanged(int32_t /*status*/,
445 const String16& /*cameraId*/, const String16& /*physicalCameraId*/) {
446 // No op
447 return binder::Status::ok();
448 };
449
onTorchStatusChanged(int32_t,const String16 &)450 virtual binder::Status onTorchStatusChanged(int32_t /*status*/, const String16& /*cameraId*/) {
451 return binder::Status::ok();
452 };
453
onCameraAccessPrioritiesChanged()454 virtual binder::Status onCameraAccessPrioritiesChanged() {
455 // No op
456 return binder::Status::ok();
457 }
458
onCameraOpened(const String16 &,const String16 &)459 virtual binder::Status onCameraOpened(const String16& /*cameraId*/,
460 const String16& /*clientPackageName*/) {
461 // No op
462 return binder::Status::ok();
463 }
464
onCameraClosed(const String16 &)465 virtual binder::Status onCameraClosed(const String16& /*cameraId*/) {
466 // No op
467 return binder::Status::ok();
468 }
469 };
470
471 class TestCameraDeviceCallbacks : public hardware::camera2::BnCameraDeviceCallbacks {
472 public:
TestCameraDeviceCallbacks()473 TestCameraDeviceCallbacks() {}
474
~TestCameraDeviceCallbacks()475 virtual ~TestCameraDeviceCallbacks() {}
476
onDeviceError(int,const CaptureResultExtras &)477 virtual binder::Status onDeviceError(int /*errorCode*/,
478 const CaptureResultExtras& /*resultExtras*/) {
479 return binder::Status::ok();
480 }
481
onDeviceIdle()482 virtual binder::Status onDeviceIdle() {
483 return binder::Status::ok();
484 }
485
onCaptureStarted(const CaptureResultExtras &,int64_t)486 virtual binder::Status onCaptureStarted(const CaptureResultExtras& /*resultExtras*/,
487 int64_t /*timestamp*/) {
488 return binder::Status::ok();
489 }
490
onResultReceived(const CameraMetadata &,const CaptureResultExtras &,const std::vector<PhysicalCaptureResultInfo> &)491 virtual binder::Status onResultReceived(const CameraMetadata& /*metadata*/,
492 const CaptureResultExtras& /*resultExtras*/,
493 const std::vector<PhysicalCaptureResultInfo>& /*physicalResultInfos*/) {
494 return binder::Status::ok();
495 }
496
onPrepared(int)497 virtual binder::Status onPrepared(int /*streamId*/) {
498 return binder::Status::ok();
499 }
500
onRepeatingRequestError(int64_t,int32_t)501 virtual binder::Status onRepeatingRequestError(
502 int64_t /*lastFrameNumber*/, int32_t /*stoppedSequenceId*/) {
503 return binder::Status::ok();
504 }
505
onRequestQueueEmpty()506 virtual binder::Status onRequestQueueEmpty() {
507 return binder::Status::ok();
508 }
509 };
510
511 class Camera2Fuzzer {
512 public:
Camera2Fuzzer(sp<CameraService> cs,std::shared_ptr<FuzzedDataProvider> fp)513 Camera2Fuzzer(sp<CameraService> cs, std::shared_ptr<FuzzedDataProvider> fp) :
514 mCameraService(cs), mFuzzedDataProvider(fp) { };
~Camera2Fuzzer()515 ~Camera2Fuzzer() {}
516 void process();
517 private:
518 sp<CameraService> mCameraService = nullptr;
519 std::shared_ptr<FuzzedDataProvider> mFuzzedDataProvider = nullptr;
520 };
521
process()522 void Camera2Fuzzer::process() {
523 sp<TestCameraServiceListener> listener = new TestCameraServiceListener();
524 std::vector<hardware::CameraStatus> statuses;
525 mCameraService->addListenerTest(listener, &statuses);
526 for (auto s : statuses) {
527 sp<TestCameraDeviceCallbacks> callbacks(new TestCameraDeviceCallbacks());
528 sp<hardware::camera2::ICameraDeviceUser> device;
529 mCameraService->connectDevice(callbacks, String16(s.cameraId), String16(), {},
530 android::CameraService::USE_CALLING_UID, 0/*oomScoreDiff*/,
531 /*targetSdkVersion*/__ANDROID_API_FUTURE__, &device);
532 if (device == nullptr) {
533 continue;
534 }
535 device->beginConfigure();
536 sp<IGraphicBufferProducer> gbProducer;
537 sp<IGraphicBufferConsumer> gbConsumer;
538 BufferQueue::createBufferQueue(&gbProducer, &gbConsumer);
539 sp<BufferItemConsumer> opaqueConsumer = new BufferItemConsumer(gbConsumer,
540 GRALLOC_USAGE_SW_READ_NEVER, /*maxImages*/8, /*controlledByApp*/true);
541 opaqueConsumer->setName(String8("Roger"));
542
543 // Set to VGA dimension for default, as that is guaranteed to be present
544 gbConsumer->setDefaultBufferSize(640, 480);
545 gbConsumer->setDefaultBufferFormat(HAL_PIXEL_FORMAT_IMPLEMENTATION_DEFINED);
546
547 sp<Surface> surface(new Surface(gbProducer, /*controlledByApp*/false));
548
549 String16 noPhysicalId;
550 size_t rotations = sizeof(kRotations) / sizeof(int32_t) - 1;
551 OutputConfiguration output(gbProducer,
552 kRotations[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, rotations)],
553 noPhysicalId);
554 int streamId;
555 device->createStream(output, &streamId);
556 CameraMetadata sessionParams;
557 std::vector<int> offlineStreamIds;
558 device->endConfigure(/*isConstrainedHighSpeed*/ mFuzzedDataProvider->ConsumeBool(),
559 sessionParams, ns2ms(systemTime()), &offlineStreamIds);
560
561 CameraMetadata requestTemplate;
562 size_t requestTemplatesSize = sizeof(kRequestTemplates) /sizeof(int32_t) - 1;
563 device->createDefaultRequest(kRequestTemplates[
564 mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, requestTemplatesSize)],
565 /*out*/&requestTemplate);
566 hardware::camera2::CaptureRequest request;
567 request.mSurfaceList.add(surface);
568 request.mIsReprocess = false;
569 hardware::camera2::utils::SubmitInfo info;
570 for (int i = 0; i < kNumRequestsTested; i++) {
571 uint8_t sensorPixelMode =
572 kSensorPixelModes[mFuzzedDataProvider->ConsumeBool() ? 1 : 0];
573 requestTemplate.update(ANDROID_SENSOR_PIXEL_MODE, &sensorPixelMode, 1);
574 request.mPhysicalCameraSettings.clear();
575 request.mPhysicalCameraSettings.push_back({s.cameraId.string(), requestTemplate});
576 device->submitRequest(request, /*streaming*/false, /*out*/&info);
577 ALOGV("%s : camera id %s submit request id %d",__FUNCTION__, s.cameraId.string(),
578 info.mRequestId);
579 }
580 device->disconnect();
581 }
582 }
583
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)584 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
585 if (size < 1) {
586 return 0;
587 }
588 setuid(AID_CAMERASERVER);
589 std::shared_ptr<FuzzedDataProvider> fp = std::make_shared<FuzzedDataProvider>(data, size);
590 sp<CameraService> cs = new CameraService();
591 cs->clearCachedVariables();
592 sp<CameraFuzzer> camerafuzzer = new CameraFuzzer(cs, fp);
593 if (!camerafuzzer) {
594 return 0;
595 }
596 camerafuzzer->process();
597 Camera2Fuzzer camera2fuzzer(cs, fp);
598 camera2fuzzer.process();
599 return 0;
600 }
601