1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
|
/*
* This is a sample for use by LibFuzzer.
*
* How to build:
* install clang
* CC="clang" CFLAGS="-fsanitize=address,fuzzer-no-link -O2 -g" ./configure --prefix=/usr --libdir=/usr/lib64 --enable-vusb
* make
* sudo make install
* rm usb1.* from port drivers
* in examples/
* clang -fsanitize=address,fuzzer -O2 -g sample-libfuzz.c autodetect.c context.c -lgphoto2 -lgphoto2_port -o fuzzer
* mkdir CORPUS
* ./fuzzer -detect_leaks=0 CORPUS/
*
* FIXME:
* - currently this seems to have memory leaks, it slows down and gets more and more memory over time.
* restarting cures it for a while
* - It crashes on start in 80% of the cases. You might need retry multiple times to start it.
* reason is i think the fuzzer creates a bitmap in an area where the loaded camlibs are mapped into after the fact.
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <gphoto2/gphoto2-camera.h>
#include <gphoto2/gphoto2-port-log.h>
#include "samples.h"
/* Sample for AFL usage.
*
*/
void errordumper(GPLogLevel level, const char *domain, const char *str,
void *data) {
/* Do not log ... but let it appear here so we discover debug paths */
//fprintf(stderr, "%s:%s\n", domain, str);
}
void contexterror (GPContext *context, const char *text, void *data) {
}
static int
recursive_directory(Camera *camera, const char *folder, GPContext *context, int *foundfile) {
int i, ret;
CameraList *list;
const char *newfile;
CameraFileInfo fileinfo;
CameraFile *file;
ret = gp_list_new (&list);
if (ret < GP_OK) {
printf ("Could not allocate list.\n");
return ret;
}
ret = gp_camera_folder_list_folders (camera, folder, list, context);
if (ret < GP_OK) {
//fprintf (stderr, "Could not list folders.\n");
gp_list_free (list);
return ret;
}
gp_list_sort (list);
for (i = 0; i < gp_list_count (list); i++) {
const char *newfolder;
char *buf;
int havefile = 0;
gp_list_get_name (list, i, &newfolder);
if (!strlen(newfolder)) continue;
buf = (char*)malloc (strlen(folder) + 1 + strlen(newfolder) + 1);
strcpy(buf, folder);
if (strcmp(folder,"/")) /* avoid double / */
strcat(buf, "/");
strcat(buf, newfolder);
//fprintf(stderr,"newfolder=%s\n", newfolder);
ret = recursive_directory (camera, buf, context, &havefile);
free (buf);
if (ret != GP_OK) {
gp_list_free (list);
//fprintf (stderr, "Failed to recursively list folders.\n");
return ret;
}
if (havefile) /* only look for the first directory with a file */
break;
}
gp_list_reset (list);
ret = gp_camera_folder_list_files (camera, folder, list, context);
if (ret < GP_OK) {
gp_list_free (list);
//fprintf (stderr, "Could not list files.\n");
return ret;
}
gp_list_sort (list);
if (gp_list_count (list) <= 0) {
gp_list_free (list);
return GP_OK;
}
gp_list_get_name (list, 0, &newfile); /* only entry 0 needed */
ret = gp_camera_file_get_info (camera, folder, newfile, &fileinfo, context);
if (ret != GP_OK) {
gp_list_free (list);
//fprintf (stderr, "Could not get file info.\n");
return ret;
}
/* get file */
gp_file_new (&file);
ret = gp_camera_file_get (camera, folder, newfile, GP_FILE_TYPE_NORMAL, file, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
gp_list_free (list);
//fprintf (stderr, "Could not get file.\n");
return ret;
}
gp_file_unref (file);
/* get preview */
gp_file_new (&file);
ret = gp_camera_file_get (camera, folder, newfile, GP_FILE_TYPE_PREVIEW, file, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
gp_list_free (list);
// fprintf (stderr, "Could not get file preview.\n");
return ret;
}
gp_file_unref (file);
/* get exif */
gp_file_new (&file);
ret = gp_camera_file_get (camera, folder, newfile, GP_FILE_TYPE_EXIF, file, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
gp_list_free (list);
printf ("Could not get file preview.\n");
return ret;
}
gp_file_unref (file);
/* Trigger the ptp things */
gp_file_new (&file);
ret = gp_camera_file_get (camera, folder, newfile, GP_FILE_TYPE_METADATA, file, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
gp_list_free (list);
printf ("Could not get file metadata.\n");
return ret;
}
gp_file_unref (file);
if (foundfile) *foundfile = 1;
gp_list_free (list);
return GP_OK;
}
static GPPortInfoList *gpinfolist = NULL;
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
static int initialized = 0;
int ret, storagecnt;
static Camera *camera = NULL;
CameraStorageInformation *storageinfo;
GPPortInfo pi;
static GPContext *context = NULL;
char buf[200];
static const char *name;
static const char *port;
char *xpath;
char tmpfn[200] = { 0 };
int fd;
CameraWidget *rootwidget;
CameraText summary;
CameraFile *file;
/*CameraFilePath path;*/
CameraList *list;
gp_log_add_func(GP_LOG_DEBUG, errordumper, NULL);
if (!gpinfolist) {
gp_port_info_list_new (&gpinfolist);
ret = gp_port_info_list_load (gpinfolist);
if (ret < GP_OK) return 0;
}
if (!context) {
context = sample_create_context (); /* see context.c */
gp_context_set_error_func (context, contexterror, NULL);
}
if (!initialized) {
/* Detect all the cameras that can be autodetected... */
ret = gp_list_new (&list);
if (ret < GP_OK) return 0;
gp_camera_autodetect (list, context);
//fprintf(stderr, "detect list has count %d\n", gp_list_count(list));
if (gp_list_count(list) < 1) goto out;
ret = gp_list_get_name(list, 0, &name);
if (ret < GP_OK) goto out;
ret = gp_list_get_value(list, 0, &port);
if (ret < GP_OK) goto out;
//fprintf(stderr,"camera %s detected at port %s.\n", name, port);
ret = sample_open_camera (&camera, name, port, context);
if (ret < GP_OK) {
fprintf(stderr,"camera %s not found.\n", name);
goto out;
}
initialized = 1;
}
/* code that runs all the time */
strcpy(tmpfn,"/dev/shm/gphotofuzz.XXXXXX");
fd = mkstemp(tmpfn);
write (fd, Data, Size);
close(fd);
strcpy(buf,"vusb:"); strcat(buf,tmpfn);
//fprintf(stderr,"setting path %s.\n", buf);
ret = gp_port_info_list_lookup_path (gpinfolist, buf);
if (ret < GP_OK) goto out;
gp_port_info_list_get_info (gpinfolist, ret, &pi);
ret = gp_camera_set_port_info (camera, pi);
if (ret < GP_OK) {
fprintf(stderr,"portinfo not set %d.\n", ret);
goto out;
}
ret = gp_camera_init (camera, context);
if (ret < GP_OK) {
//fprintf(stderr,"Camera not initialized %d.\n", ret);
goto out;
}
ret = recursive_directory(camera, "/", context, NULL);
if (ret < GP_OK) {
//fprintf (stderr, "Could not recursive list files.\n");
goto out;
}
ret = gp_camera_get_summary (camera, &summary, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
//fprintf (stderr, "Could not get summary.\n");
goto out;
}
#if 1
ret = gp_camera_get_config (camera, &rootwidget, context);
if (ret < GP_OK) {
//fprintf (stderr,"Could not get config.\n");
goto out;
}
gp_widget_free (rootwidget);
#endif
//printf ("OK, %s\n", summary.text);
ret = gp_camera_get_storageinfo (camera, &storageinfo, &storagecnt, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
//fprintf (stderr, "Could not get storage info.\n");
goto out;
}
free(storageinfo);
ret = gp_camera_trigger_capture (camera, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
//fprintf (stderr, "Could not trigger capture.\n");
goto out;
}
while (1) {
CameraEventType evttype;
void *data = NULL;
ret = gp_camera_wait_for_event(camera, 1, &evttype, &data, context);
if (ret < GP_OK) break;
if (data) free (data);
if (evttype == GP_EVENT_TIMEOUT) break;
}
gp_file_new (&file);
ret = gp_camera_capture_preview (camera, file, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
gp_file_free (file);
//fprintf (stderr, "Could not capture preview.\n");
goto out;
}
gp_file_free (file);
#if 0
/* this gives endless event check loops occasionaly ... need review how to do this best */
ret = gp_camera_capture (camera, GP_CAPTURE_IMAGE, &path, context);
if ((ret != GP_OK) && (ret != GP_ERROR_NOT_SUPPORTED)) {
printf ("Could not capture preview.\n");
goto out;
}
#endif
/* AFL PART ENDS HERE */
out:
if (camera) gp_camera_exit (camera, context);
/*gp_context_unref (context);*/
/*gp_camera_free (camera);*/
if (tmpfn[0]) unlink (tmpfn);
return 0;
}
|
