Delete the libgui fuzzers

/*

 * Copyright 2021 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at:

 *

 * http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package {

    // See: http://go/android-license-faq

    // A large-scale-change added 'default_applicable_licenses' to import

    // all of the 'license_kinds' from "frameworks_native_license"

    // to get the below license kinds:

    //   SPDX-license-identifier-Apache-2.0

    default_applicable_licenses: ["frameworks_native_license"],

    default_team: "trendy_team_android_core_graphics_stack",

}

cc_defaults {

    name: "libgui_fuzzer_defaults",

    defaults: ["android.hardware.power-ndk_shared"],

    static_libs: [

        "android.hidl.token@1.0-utils",

        "libbinder_random_parcel",

        "libgui_aidl_static",

        "libgui_window_info_static",

        "libpdx",

        "libgmock",

        "libgui_mocks",

        "libgmock_ndk",

        "libgmock_main",

        "libgtest_ndk_c++",

        "libgmock_main_ndk",

        "librenderengine_mocks",

        "perfetto_trace_protos",

        "libcompositionengine_mocks",

        "perfetto_trace_protos",

    ],

    shared_libs: [

        "android.hardware.configstore@1.0",

        "android.hardware.configstore-utils",

        "android.hardware.graphics.bufferqueue@1.0",

        "android.hardware.graphics.bufferqueue@2.0",

        "android.hidl.token@1.0",

        "libSurfaceFlingerProp",

        "libgui",

        "libbase",

        "liblog",

        "libEGL",

        "libGLESv2",

        "libbinder",

        "libcutils",

        "libhidlbase",

        "libinput",

        "libui",

        "libutils",

        "libnativewindow",

        "libvndksupport",

    ],

    header_libs: [

        "libdvr_headers",

        "libui_fuzzableDataspaces_headers",

    ],

    fuzz_config: {

        cc: [

            "android-media-fuzzing-reports@google.com",

        ],

        componentid: 155276,

        hotlists: [

            "4593311",

        ],

        description: "The fuzzer targets the APIs of libgui library",

        vector: "local_no_privileges_required",

        service_privilege: "privileged",

        users: "multi_user",

        fuzzed_code_usage: "shipped",

    },

}

cc_fuzz {

    name: "libgui_surfaceComposer_fuzzer",

    srcs: [

        "libgui_surfaceComposer_fuzzer.cpp",

    ],

    defaults: [

        "libgui_fuzzer_defaults",

        "service_fuzzer_defaults",

    ],

}

cc_fuzz {

    name: "libgui_surfaceComposerClient_fuzzer",

    srcs: [

        "libgui_surfaceComposerClient_fuzzer.cpp",

    ],

    defaults: [

        "libgui_fuzzer_defaults",

        "service_fuzzer_defaults",

    ],

}

cc_fuzz {

    name: "libgui_parcelable_fuzzer",

    srcs: [

        "libgui_parcelable_fuzzer.cpp",

    ],

    defaults: [

        "libgui_fuzzer_defaults",

    ],

}

cc_fuzz {

    name: "libgui_bufferQueue_fuzzer",

    srcs: [

        "libgui_bufferQueue_fuzzer.cpp",

    ],

    defaults: [

        "libgui_fuzzer_defaults",

    ],

}

cc_fuzz {

    name: "libgui_consumer_fuzzer",

    srcs: [

        "libgui_consumer_fuzzer.cpp",

    ],

    defaults: [

        "libgui_fuzzer_defaults",

    ],

}

cc_fuzz {

    name: "libgui_displayEvent_fuzzer",

    srcs: [

        "libgui_displayEvent_fuzzer.cpp",

    ],

    defaults: [

        "libgui_fuzzer_defaults",

    ],

}

/*

 * Copyright 2022 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include <android-base/stringprintf.h>

#include <gui/BufferQueueConsumer.h>

#include <gui/BufferQueueCore.h>

#include <gui/BufferQueueProducer.h>

#include <gui/bufferqueue/2.0/types.h>

#include <system/window.h>

#include <libgui_fuzzer_utils.h>

using namespace android;

using namespace hardware::graphics::bufferqueue;

using namespace V1_0::utils;

using namespace V2_0::utils;

constexpr int32_t kMaxBytes = 256;

constexpr int32_t kError[] = {

        OK,        NO_MEMORY,   NO_INIT,       BAD_VALUE,      DEAD_OBJECT, INVALID_OPERATION,

        TIMED_OUT, WOULD_BLOCK, UNKNOWN_ERROR, ALREADY_EXISTS,

};

constexpr int32_t kAPIConnection[] = {

        BufferQueueCore::CURRENTLY_CONNECTED_API,

        BufferQueueCore::NO_CONNECTED_API,

        NATIVE_WINDOW_API_EGL,

        NATIVE_WINDOW_API_CPU,

        NATIVE_WINDOW_API_MEDIA,

        NATIVE_WINDOW_API_CAMERA,

};

class BufferQueueFuzzer {

public:

    BufferQueueFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){};

    void process();

private:

    void invokeTypes();

    void invokeH2BGraphicBufferV1();

    void invokeH2BGraphicBufferV2();

    void invokeBufferQueueConsumer();

    void invokeBufferQueueProducer();

    void invokeBlastBufferQueue();

    void invokeQuery(sp<BufferQueueProducer>);

    void invokeQuery(sp<V1_0::utils::H2BGraphicBufferProducer>);

    void invokeQuery(sp<V2_0::utils::H2BGraphicBufferProducer>);

    void invokeAcquireBuffer(sp<BufferQueueConsumer>);

    void invokeOccupancyTracker(sp<BufferQueueConsumer>);

    sp<SurfaceControl> makeSurfaceControl();

    sp<BLASTBufferQueue> makeBLASTBufferQueue(sp<SurfaceControl>);

    FuzzedDataProvider mFdp;

};

class ManageResourceHandle {

public:

    ManageResourceHandle(FuzzedDataProvider* fdp) {

        mNativeHandle = native_handle_create(0 /*numFds*/, 1 /*numInts*/);

        mShouldOwn = fdp->ConsumeBool();

        mStream = NativeHandle::create(mNativeHandle, mShouldOwn);

    }

    ~ManageResourceHandle() {

        if (!mShouldOwn) {

            native_handle_close(mNativeHandle);

            native_handle_delete(mNativeHandle);

        }

    }

    sp<NativeHandle> getStream() { return mStream; }

private:

    bool mShouldOwn;

    sp<NativeHandle> mStream;

    native_handle_t* mNativeHandle;

};

sp<SurfaceControl> BufferQueueFuzzer::makeSurfaceControl() {

    sp<IBinder> handle;

    const sp<FakeBnSurfaceComposerClient> testClient(new FakeBnSurfaceComposerClient());

    sp<SurfaceComposerClient> client = new SurfaceComposerClient(testClient);

    sp<BnGraphicBufferProducer> producer;

    uint32_t layerId = mFdp.ConsumeIntegral<uint32_t>();

    std::string layerName = base::StringPrintf("#%d", layerId);

    return sp<SurfaceControl>::make(client, handle, layerId, layerName,

                                    mFdp.ConsumeIntegral<int32_t>(),

                                    mFdp.ConsumeIntegral<uint32_t>(),

                                    mFdp.ConsumeIntegral<int32_t>(),

                                    mFdp.ConsumeIntegral<uint32_t>(),

                                    mFdp.ConsumeIntegral<uint32_t>());

}

sp<BLASTBufferQueue> BufferQueueFuzzer::makeBLASTBufferQueue(sp<SurfaceControl> surface) {

    return sp<BLASTBufferQueue>::make(mFdp.ConsumeRandomLengthString(kMaxBytes), surface,

                                      mFdp.ConsumeIntegral<uint32_t>(),

                                      mFdp.ConsumeIntegral<uint32_t>(),

                                      mFdp.ConsumeIntegral<int32_t>());

}

void BufferQueueFuzzer::invokeBlastBufferQueue() {

    sp<SurfaceControl> surface = makeSurfaceControl();

    sp<BLASTBufferQueue> queue = makeBLASTBufferQueue(surface);

    BufferItem item;

    queue->onFrameAvailable(item);

    queue->onFrameReplaced(item);

    uint64_t bufferId = mFdp.ConsumeIntegral<uint64_t>();

    queue->onFrameDequeued(bufferId);

    queue->onFrameCancelled(bufferId);

    SurfaceComposerClient::Transaction next;

    uint64_t frameNumber = mFdp.ConsumeIntegral<uint64_t>();

    queue->mergeWithNextTransaction(&next, frameNumber);

    queue->applyPendingTransactions(frameNumber);

    queue->update(surface, mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),

                  mFdp.ConsumeIntegral<int32_t>());

    queue->setFrameRate(mFdp.ConsumeFloatingPoint<float>(), mFdp.ConsumeIntegral<int8_t>(),

                        mFdp.ConsumeBool() /*shouldBeSeamless*/);

    FrameTimelineInfo info;

    queue->setFrameTimelineInfo(mFdp.ConsumeIntegral<uint64_t>(), info);

    ManageResourceHandle handle(&mFdp);

    queue->setSidebandStream(handle.getStream());

    queue->getLastTransformHint();

    queue->getLastAcquiredFrameNum();

    CompositorTiming compTiming;

    sp<Fence> previousFence = new Fence(memfd_create("pfd", MFD_ALLOW_SEALING));

    sp<Fence> gpuFence = new Fence(memfd_create("gfd", MFD_ALLOW_SEALING));

    FrameEventHistoryStats frameStats(frameNumber, mFdp.ConsumeIntegral<uint64_t>(), gpuFence,

                                      compTiming, mFdp.ConsumeIntegral<int64_t>(),

                                      mFdp.ConsumeIntegral<int64_t>());

    std::vector<SurfaceControlStats> stats;

    sp<Fence> presentFence = new Fence(memfd_create("fd", MFD_ALLOW_SEALING));

    SurfaceControlStats controlStats(surface, mFdp.ConsumeIntegral<int64_t>(),

                                     mFdp.ConsumeIntegral<int64_t>(), presentFence, previousFence,

                                     mFdp.ConsumeIntegral<uint32_t>(), frameStats,

                                     mFdp.ConsumeIntegral<uint32_t>());

    stats.push_back(controlStats);

}

void BufferQueueFuzzer::invokeQuery(sp<BufferQueueProducer> producer) {

    int32_t value;

    producer->query(mFdp.ConsumeIntegral<int32_t>(), &value);

}

void BufferQueueFuzzer::invokeQuery(sp<V1_0::utils::H2BGraphicBufferProducer> producer) {

    int32_t value;

    producer->query(mFdp.ConsumeIntegral<int32_t>(), &value);

}

void BufferQueueFuzzer::invokeQuery(sp<V2_0::utils::H2BGraphicBufferProducer> producer) {

    int32_t value;

    producer->query(mFdp.ConsumeIntegral<int32_t>(), &value);

}

void BufferQueueFuzzer::invokeBufferQueueProducer() {

    sp<BufferQueueCore> core(new BufferQueueCore());

    sp<BufferQueueProducer> producer(new BufferQueueProducer(core));

    const sp<android::IProducerListener> listener;

    android::IGraphicBufferProducer::QueueBufferOutput output;

    uint32_t api = mFdp.ConsumeIntegral<uint32_t>();

    producer->connect(listener, api, mFdp.ConsumeBool() /*producerControlledByApp*/, &output);

    sp<GraphicBuffer> buffer;

    int32_t slot = mFdp.ConsumeIntegral<int32_t>();

    uint32_t maxBuffers = mFdp.ConsumeIntegral<uint32_t>();

    producer->requestBuffer(slot, &buffer);

    producer->setMaxDequeuedBufferCount(maxBuffers);

    producer->setAsyncMode(mFdp.ConsumeBool() /*async*/);

    android::IGraphicBufferProducer::QueueBufferInput input;

    producer->attachBuffer(&slot, buffer);

    producer->queueBuffer(slot, input, &output);

    int32_t format = mFdp.ConsumeIntegral<int32_t>();

    uint32_t width = mFdp.ConsumeIntegral<uint32_t>();

    uint32_t height = mFdp.ConsumeIntegral<uint32_t>();

    uint64_t usage = mFdp.ConsumeIntegral<uint64_t>();

    uint64_t outBufferAge;

    FrameEventHistoryDelta outTimestamps;

    sp<android::Fence> fence;

    producer->dequeueBuffer(&slot, &fence, width, height, format, usage, &outBufferAge,

                            &outTimestamps);

    producer->detachBuffer(slot);

    producer->detachNextBuffer(&buffer, &fence);

    producer->cancelBuffer(slot, fence);

    invokeQuery(producer);

    ManageResourceHandle handle(&mFdp);

    producer->setSidebandStream(handle.getStream());

    producer->allocateBuffers(width, height, format, usage);

    producer->allowAllocation(mFdp.ConsumeBool() /*allow*/);

    producer->setSharedBufferMode(mFdp.ConsumeBool() /*sharedBufferMode*/);

    producer->setAutoRefresh(mFdp.ConsumeBool() /*autoRefresh*/);

    producer->setLegacyBufferDrop(mFdp.ConsumeBool() /*drop*/);

    producer->setAutoPrerotation(mFdp.ConsumeBool() /*autoPrerotation*/);

    producer->setGenerationNumber(mFdp.ConsumeIntegral<uint32_t>());

    producer->setDequeueTimeout(mFdp.ConsumeIntegral<uint32_t>());

    producer->disconnect(api);

}

void BufferQueueFuzzer::invokeAcquireBuffer(sp<BufferQueueConsumer> consumer) {

    BufferItem item;

    consumer->acquireBuffer(&item, mFdp.ConsumeIntegral<uint32_t>(),

                            mFdp.ConsumeIntegral<uint64_t>());

}

void BufferQueueFuzzer::invokeOccupancyTracker(sp<BufferQueueConsumer> consumer) {

    String8 outResult;

    String8 prefix((mFdp.ConsumeRandomLengthString(kMaxBytes)).c_str());

    consumer->dumpState(prefix, &outResult);

    std::vector<OccupancyTracker::Segment> outHistory;

    consumer->getOccupancyHistory(mFdp.ConsumeBool() /*forceFlush*/, &outHistory);

}

void BufferQueueFuzzer::invokeBufferQueueConsumer() {

    sp<BufferQueueCore> core(new BufferQueueCore());

    sp<BufferQueueConsumer> consumer(new BufferQueueConsumer(core));

    sp<android::IConsumerListener> listener;

    consumer->consumerConnect(listener, mFdp.ConsumeBool() /*controlledByApp*/);

    invokeAcquireBuffer(consumer);

    int32_t slot = mFdp.ConsumeIntegral<int32_t>();

    sp<GraphicBuffer> buffer =

            new GraphicBuffer(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),

                              mFdp.ConsumeIntegral<int32_t>(), mFdp.ConsumeIntegral<uint32_t>(),

                              mFdp.ConsumeIntegral<uint64_t>());

    consumer->attachBuffer(&slot, buffer);

    consumer->detachBuffer(slot);

    consumer->setDefaultBufferSize(mFdp.ConsumeIntegral<uint32_t>(),

                                   mFdp.ConsumeIntegral<uint32_t>());

    consumer->setMaxBufferCount(mFdp.ConsumeIntegral<int32_t>());

    consumer->setMaxAcquiredBufferCount(mFdp.ConsumeIntegral<int32_t>());

    String8 name((mFdp.ConsumeRandomLengthString(kMaxBytes)).c_str());

    consumer->setConsumerName(name);

    consumer->setDefaultBufferFormat(mFdp.ConsumeIntegral<int32_t>());

    android_dataspace dataspace =

            static_cast<android_dataspace>(mFdp.PickValueInArray(kDataspaces));

    consumer->setDefaultBufferDataSpace(dataspace);

    consumer->setTransformHint(mFdp.ConsumeIntegral<uint32_t>());

    consumer->setConsumerUsageBits(mFdp.ConsumeIntegral<uint64_t>());

    consumer->setConsumerIsProtected(mFdp.ConsumeBool() /*isProtected*/);

    invokeOccupancyTracker(consumer);

    sp<Fence> releaseFence = new Fence(memfd_create("fd", MFD_ALLOW_SEALING));

    consumer->releaseBuffer(mFdp.ConsumeIntegral<int32_t>(), mFdp.ConsumeIntegral<uint64_t>(),

                            EGL_NO_DISPLAY, EGL_NO_SYNC_KHR, releaseFence);

    consumer->consumerDisconnect();

}

void BufferQueueFuzzer::invokeTypes() {

    HStatus hStatus;

    int32_t status = mFdp.PickValueInArray(kError);

    bool bufferNeedsReallocation = mFdp.ConsumeBool();

    bool releaseAllBuffers = mFdp.ConsumeBool();

    b2h(status, &hStatus, &bufferNeedsReallocation, &releaseAllBuffers);

    h2b(hStatus, &status);

    HConnectionType type;

    int32_t apiConnection = mFdp.PickValueInArray(kAPIConnection);

    b2h(apiConnection, &type);

    h2b(type, &apiConnection);

}

void BufferQueueFuzzer::invokeH2BGraphicBufferV1() {

    sp<V1_0::utils::H2BGraphicBufferProducer> producer(

            new V1_0::utils::H2BGraphicBufferProducer(new FakeGraphicBufferProducerV1()));

    const sp<android::IProducerListener> listener;

    android::IGraphicBufferProducer::QueueBufferOutput output;

    uint32_t api = mFdp.ConsumeIntegral<uint32_t>();

    producer->connect(listener, api, mFdp.ConsumeBool() /*producerControlledByApp*/, &output);

    sp<GraphicBuffer> buffer;

    int32_t slot = mFdp.ConsumeIntegral<int32_t>();

    producer->requestBuffer(slot, &buffer);

    producer->setMaxDequeuedBufferCount(mFdp.ConsumeIntegral<int32_t>());

    producer->setAsyncMode(mFdp.ConsumeBool());

    android::IGraphicBufferProducer::QueueBufferInput input;

    input.fence = new Fence(memfd_create("ffd", MFD_ALLOW_SEALING));

    producer->attachBuffer(&slot, buffer);

    producer->queueBuffer(slot, input, &output);

    int32_t format = mFdp.ConsumeIntegral<int32_t>();

    uint32_t width = mFdp.ConsumeIntegral<uint32_t>();

    uint32_t height = mFdp.ConsumeIntegral<uint32_t>();

    uint64_t usage = mFdp.ConsumeIntegral<uint64_t>();

    uint64_t outBufferAge;

    FrameEventHistoryDelta outTimestamps;

    sp<android::Fence> fence;

    producer->dequeueBuffer(&slot, &fence, width, height, format, usage, &outBufferAge,

                            &outTimestamps);

    producer->detachBuffer(slot);

    producer->cancelBuffer(slot, fence);

    invokeQuery(producer);

    ManageResourceHandle handle(&mFdp);

    producer->setSidebandStream(handle.getStream());

    producer->allocateBuffers(width, height, format, usage);

    producer->allowAllocation(mFdp.ConsumeBool() /*allow*/);

    producer->setSharedBufferMode(mFdp.ConsumeBool() /*sharedBufferMode*/);

    producer->setAutoRefresh(mFdp.ConsumeBool() /*autoRefresh*/);

    producer->setGenerationNumber(mFdp.ConsumeIntegral<uint32_t>());

    producer->setDequeueTimeout(mFdp.ConsumeIntegral<uint32_t>());

    producer->disconnect(api);

}

void BufferQueueFuzzer::invokeH2BGraphicBufferV2() {

    sp<V2_0::utils::H2BGraphicBufferProducer> producer(

            new V2_0::utils::H2BGraphicBufferProducer(new FakeGraphicBufferProducerV2()));

    const sp<android::IProducerListener> listener;

    android::IGraphicBufferProducer::QueueBufferOutput output;

    uint32_t api = mFdp.ConsumeIntegral<uint32_t>();

    producer->connect(listener, api, mFdp.ConsumeBool() /*producerControlledByApp*/, &output);

    sp<GraphicBuffer> buffer;

    int32_t slot = mFdp.ConsumeIntegral<int32_t>();

    producer->requestBuffer(slot, &buffer);

    producer->setMaxDequeuedBufferCount(mFdp.ConsumeIntegral<uint32_t>());

    producer->setAsyncMode(mFdp.ConsumeBool());

    android::IGraphicBufferProducer::QueueBufferInput input;

    input.fence = new Fence(memfd_create("ffd", MFD_ALLOW_SEALING));

    producer->attachBuffer(&slot, buffer);

    producer->queueBuffer(slot, input, &output);

    int32_t format = mFdp.ConsumeIntegral<int32_t>();

    uint32_t width = mFdp.ConsumeIntegral<uint32_t>();

    uint32_t height = mFdp.ConsumeIntegral<uint32_t>();

    uint64_t usage = mFdp.ConsumeIntegral<uint64_t>();

    uint64_t outBufferAge;

    FrameEventHistoryDelta outTimestamps;

    sp<android::Fence> fence;

    producer->dequeueBuffer(&slot, &fence, width, height, format, usage, &outBufferAge,

                            &outTimestamps);

    producer->detachBuffer(slot);

    producer->cancelBuffer(slot, fence);

    invokeQuery(producer);

    ManageResourceHandle handle(&mFdp);

    producer->setSidebandStream(handle.getStream());

    producer->allocateBuffers(width, height, format, usage);

    producer->allowAllocation(mFdp.ConsumeBool() /*allow*/);

    producer->setSharedBufferMode(mFdp.ConsumeBool() /*sharedBufferMode*/);

    producer->setAutoRefresh(mFdp.ConsumeBool() /*autoRefresh*/);

    producer->setGenerationNumber(mFdp.ConsumeIntegral<uint32_t>());

    producer->setDequeueTimeout(mFdp.ConsumeIntegral<uint32_t>());

    producer->disconnect(api);

}

void BufferQueueFuzzer::process() {

    invokeBlastBufferQueue();

    invokeH2BGraphicBufferV1();

    invokeH2BGraphicBufferV2();

    invokeTypes();

    invokeBufferQueueConsumer();

    invokeBufferQueueProducer();

}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    BufferQueueFuzzer bufferQueueFuzzer(data, size);

    bufferQueueFuzzer.process();

    return 0;

}

/*

 * Copyright 2022 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include <gui/BufferQueueConsumer.h>

#include <gui/BufferQueueCore.h>

#include <gui/BufferQueueProducer.h>

#include <gui/GLConsumer.h>

#include <libgui_fuzzer_utils.h>

using namespace android;

constexpr int32_t kMinBuffer = 0;

constexpr int32_t kMaxBuffer = 100000;

class ConsumerFuzzer {

public:

    ConsumerFuzzer(const uint8_t* data, size_t size) : mFdp(data, size){};

    void process();

private:

    FuzzedDataProvider mFdp;

};

void ConsumerFuzzer::process() {

    sp<BufferQueueCore> core(new BufferQueueCore());

    sp<IGraphicBufferConsumer> consumer(new BufferQueueConsumer(core));

    uint64_t maxBuffers = mFdp.ConsumeIntegralInRange<uint64_t>(kMinBuffer, kMaxBuffer);

    sp<CpuConsumer> cpu(

            new CpuConsumer(consumer, maxBuffers, mFdp.ConsumeBool() /*controlledByApp*/));

    CpuConsumer::LockedBuffer lockBuffer;

    cpu->lockNextBuffer(&lockBuffer);

    cpu->unlockBuffer(lockBuffer);

    cpu->abandon();

    uint32_t tex = mFdp.ConsumeIntegral<uint32_t>();

    sp<GLConsumer> glComsumer(new GLConsumer(consumer, tex, GLConsumer::TEXTURE_EXTERNAL,

                                             mFdp.ConsumeBool() /*useFenceSync*/,

                                             mFdp.ConsumeBool() /*isControlledByApp*/));

    sp<Fence> releaseFence = new Fence(memfd_create("rfd", MFD_ALLOW_SEALING));

    glComsumer->setReleaseFence(releaseFence);

    glComsumer->updateTexImage();

    glComsumer->releaseTexImage();

    sp<GraphicBuffer> buffer =

            new GraphicBuffer(mFdp.ConsumeIntegral<uint32_t>(), mFdp.ConsumeIntegral<uint32_t>(),

                              mFdp.ConsumeIntegral<int32_t>(), mFdp.ConsumeIntegral<uint32_t>(),

                              mFdp.ConsumeIntegral<uint64_t>());

    float mtx[16];

    glComsumer->getTransformMatrix(mtx);

    glComsumer->computeTransformMatrix(mtx, buffer, getRect(&mFdp),

                                       mFdp.ConsumeIntegral<uint32_t>(),

                                       mFdp.ConsumeBool() /*filtering*/);

    glComsumer->scaleDownCrop(getRect(&mFdp), mFdp.ConsumeIntegral<uint32_t>(),

                              mFdp.ConsumeIntegral<uint32_t>());

    glComsumer->setDefaultBufferSize(mFdp.ConsumeIntegral<uint32_t>(),

                                     mFdp.ConsumeIntegral<uint32_t>());

    glComsumer->setFilteringEnabled(mFdp.ConsumeBool() /*enabled*/);

    glComsumer->setConsumerUsageBits(mFdp.ConsumeIntegral<uint64_t>());

    glComsumer->attachToContext(tex);

    glComsumer->abandon();

}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    ConsumerFuzzer consumerFuzzer(data, size);

    consumerFuzzer.process();

    return 0;

}