From b696ecd6549e9b60679f70db1522774d754ed135 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E6=99=BA=E5=8B=87?= <zhangzhiyong43@huawei.com>
Date: Sat, 9 Aug 2025 16:41:47 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A1=A5=E5=85=85fuzz=E7=94=A8=E4=BE=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 张智勇 <zhangzhiyong43@huawei.com>
---
 .../fuzztest/imagefwkexifdng2_fuzzer/BUILD.gn |  43 +++++
 .../imagefwkexifdng2_fuzzer/project.xml       |  25 +++
 .../src/image_fwk_exif_dng_fuzzer.cpp         | 149 +++++++++++++++++
 .../fuzztest/imagefwkexifdng_fuzzer/BUILD.gn  |  43 +++++
 .../imagefwkexifdng_fuzzer/project.xml        |  25 +++
 .../src/image_fwk_exif_dng_fuzzer.cpp         | 130 +++++++++++++++
 .../imagefwkexifheif2_fuzzer/BUILD.gn         |  43 +++++
 .../imagefwkexifheif2_fuzzer/project.xml      |  25 +++
 .../src/image_fwk_exif_heif_fuzzer.cpp        | 149 +++++++++++++++++
 .../fuzztest/imagefwkexifheif_fuzzer/BUILD.gn |  43 +++++
 .../imagefwkexifheif_fuzzer/project.xml       |  25 +++
 .../src/image_fwk_exif_heif_fuzzer.cpp        | 130 +++++++++++++++
 .../imagefwkexifjpeg2_fuzzer/BUILD.gn         |  43 +++++
 .../imagefwkexifjpeg2_fuzzer/project.xml      |  25 +++
 .../src/image_fwk_exif_jpeg_fuzzer.cpp        | 154 ++++++++++++++++++
 .../fuzztest/imagefwkexifjpeg_fuzzer/BUILD.gn |  43 +++++
 .../imagefwkexifjpeg_fuzzer/project.xml       |  25 +++
 .../src/image_fwk_exif_jpeg_fuzzer.cpp        | 136 ++++++++++++++++
 .../fuzztest/imagefwkexifpng2_fuzzer/BUILD.gn |  43 +++++
 .../imagefwkexifpng2_fuzzer/project.xml       |  25 +++
 .../src/image_fwk_exif_png_fuzzer.cpp         | 152 +++++++++++++++++
 .../fuzztest/imagefwkexifpng_fuzzer/BUILD.gn  |  43 +++++
 .../imagefwkexifpng_fuzzer/project.xml        |  25 +++
 .../src/image_fwk_exif_png_fuzzer.cpp         | 133 +++++++++++++++
 24 files changed, 1677 insertions(+)
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/BUILD.gn
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/project.xml
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/src/image_fwk_exif_dng_fuzzer.cpp
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/BUILD.gn
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/project.xml
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/src/image_fwk_exif_dng_fuzzer.cpp
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/BUILD.gn
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/project.xml
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/src/image_fwk_exif_heif_fuzzer.cpp
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/BUILD.gn
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/project.xml
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/src/image_fwk_exif_heif_fuzzer.cpp
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/BUILD.gn
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/project.xml
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/src/image_fwk_exif_jpeg_fuzzer.cpp
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/BUILD.gn
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/project.xml
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/src/image_fwk_exif_jpeg_fuzzer.cpp
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/BUILD.gn
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/project.xml
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/src/image_fwk_exif_png_fuzzer.cpp
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/BUILD.gn
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/project.xml
 create mode 100644 frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/src/image_fwk_exif_png_fuzzer.cpp

diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/BUILD.gn b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/BUILD.gn
new file mode 100644
index 000000000..7a83ff433
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/BUILD.gn
@@ -0,0 +1,43 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/test.gni")
+import("//foundation/multimedia/image_framework/ide/image_decode_config.gni")
+
+ohos_fuzztest("ImageFwkExifDng2FuzzTest") {
+  module_out_path = "multimedia_image/image_framework"
+  fuzz_config_file = "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer"
+
+  include_dirs = [
+    "./include",
+    "$image_subsystem/interfaces/innerkits/include",
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/include",
+  ]
+
+  sources = [
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/src/common_fuzztest_function.cpp",
+    "src/image_fwk_exif_dng_fuzzer.cpp",
+  ]
+
+  deps = [
+    "$image_subsystem/interfaces/innerkits:image_native",
+    "$image_subsystem/plugins/common/libs/image/libextplugin:extplugin",
+  ]
+
+  external_deps = [
+    "c_utils:utils",
+    "graphic_2d:color_manager",
+    "hilog:libhilog",
+    "libexif:libexif",
+  ]
+}
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/project.xml b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/project.xml
new file mode 100644
index 000000000..138c61f16
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input 50*1024*1024 -->
+    <max_len>52428800</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/src/image_fwk_exif_dng_fuzzer.cpp b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/src/image_fwk_exif_dng_fuzzer.cpp
new file mode 100644
index 000000000..e593290bd
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng2_fuzzer/src/image_fwk_exif_dng_fuzzer.cpp
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <fuzzer/FuzzedDataProvider.h>
+#include "image_fwk_exif_dng_fuzzer.h"
+#define private public
+
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <unistd.h>
+#include <fcntl.h>
+#include "securec.h"
+
+#include "common_fuzztest_function.h"
+#include "metadata_accessor_factory.h"
+#include "dng_exif_metadata_accessor.h"
+#include "heif_exif_metadata_accessor.h"
+#include "jpeg_exif_metadata_accessor.h"
+#include "png_exif_metadata_accessor.h"
+#include "webp_exif_metadata_accessor.h"
+#include "file_metadata_stream.h"
+#include "image_log.h"
+
+#undef LOG_DOMAIN
+#define LOG_DOMAIN LOG_TAG_DOMAIN_ID_IMAGE
+
+#undef LOG_TAG
+#define LOG_TAG "IMAGE_FWK_EXIF_DNG_FUZZER"
+
+namespace OHOS {
+namespace Media {
+using namespace std;
+FuzzedDataProvider* FDP;
+
+static const std::string DNG_EXIF_PATH = "/data/local/tmp/test_exif.dng";
+constexpr uint32_t OPT_SIZE = 40;
+constexpr uint32_t MEMORYMODE_MODULO = 2;
+
+void MetadataAccessorFuncTest001(std::shared_ptr<MetadataAccessor>& metadataAccessor)
+{
+    if (metadataAccessor == nullptr) {
+        return;
+    }
+    metadataAccessor->Read();
+    auto exifMetadata = metadataAccessor->Get();
+    if (exifMetadata == nullptr) {
+        return;
+    }
+    uint32_t index = FDP->ConsumeIntegral<uint32_t>() % KEY_VALUE_MAPS.size();
+    auto key = KEY_VALUE_MAPS[index].first;
+    for (const auto &v : KEY_VALUE_MAPS[index].second) {
+        exifMetadata->SetValue(key, v);
+        std::string value;
+        exifMetadata->GetValue(key, value);
+    }
+    metadataAccessor->Write();
+    metadataAccessor->Set(exifMetadata);
+    DataBuf inputBuf;
+    metadataAccessor->ReadBlob(inputBuf);
+    metadataAccessor->WriteBlob(inputBuf);
+}
+
+void DngAccessorTest001(const uint8_t* data, size_t size)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    int fd = open(DNG_EXIF_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+    if (write(fd, data, size) != (ssize_t)size) {
+        close(fd);
+        return;
+    }
+
+    std::shared_ptr<MetadataStream> stream = std::make_shared<FileMetadataStream>(fd);
+    if (stream == nullptr || !stream->Open(OpenMode::ReadWrite)) {
+        IMAGE_LOGE("Failed to open the stream with file descriptor: %{public}d", fd);
+        close(fd);
+        return;
+    }
+    uint32_t error = 0;
+    EncodedFormat type = MetadataAccessorFactory::GetImageType(stream, error);
+    if (type != EncodedFormat::DNG) {
+        IMAGE_LOGI("%{public}s type is not DNG", __func__);
+        close(fd);
+        return;
+    }
+    std::shared_ptr<MetadataAccessor> metadataAccessor1 = MetadataAccessorFactory::Create(fd);
+    MetadataAccessorFuncTest001(metadataAccessor1);
+    close(fd);
+    
+    BufferMetadataStream::MemoryMode mode = static_cast<BufferMetadataStream::MemoryMode>(FDP->ConsumeIntegral<uint8_t>() % MEMORYMODE_MODULO);
+    std::shared_ptr<MetadataAccessor> metadataAccessor2 = MetadataAccessorFactory::Create(const_cast<uint8_t*>(data),
+        size, mode);
+    if (metadataAccessor2 == nullptr) {
+        IMAGE_LOGE("Create metadata accessor failed");
+        return;
+    }
+    MetadataAccessorFuncTest001(metadataAccessor2);
+    auto dngMetadataAccessor = reinterpret_cast<DngExifMetadataAccessor*>(metadataAccessor2.get());
+    dngMetadataAccessor->Read();
+    dngMetadataAccessor->Write();
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void DataBufTest(const uint8_t *data, size_t size)
+{
+    if (size == 0) {
+        return;
+    }
+    DataBuf dataBuf(data, size);
+    dataBuf.ReadUInt8(0);
+    dataBuf.Resize(size);
+    dataBuf.WriteUInt8(0, 0);
+    dataBuf.Reset();
+}
+} // namespace Media
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    if (size < OHOS::Media::OPT_SIZE) {
+        return -1;
+    }
+    FuzzedDataProvider fdp(data + size - OHOS::Media::OPT_SIZE, OHOS::Media::OPT_SIZE);
+    OHOS::Media::FDP = &fdp;
+    WriteDataToFile(data, size - OHOS::Media::OPT_SIZE, OHOS::Media::DNG_EXIF_PATH);
+    uint8_t action = fdp.ConsumeIntegral<uint8_t>() % 2;
+    switch(action){
+        case 0:
+            OHOS::Media::DataBufTest(data, size);
+            break;
+        case 1:
+            OHOS::Media::DngAccessorTest001(data, size);
+            break;
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/BUILD.gn b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/BUILD.gn
new file mode 100644
index 000000000..3a4adb505
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/BUILD.gn
@@ -0,0 +1,43 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/test.gni")
+import("//foundation/multimedia/image_framework/ide/image_decode_config.gni")
+
+ohos_fuzztest("ImageFwkExifDngFuzzTest") {
+  module_out_path = "multimedia_image/image_framework"
+  fuzz_config_file = "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer"
+
+  include_dirs = [
+    "./include",
+    "$image_subsystem/interfaces/innerkits/include",
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/include",
+  ]
+
+  sources = [
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/src/common_fuzztest_function.cpp",
+    "src/image_fwk_exif_dng_fuzzer.cpp",
+  ]
+
+  deps = [
+    "$image_subsystem/interfaces/innerkits:image_native",
+    "$image_subsystem/plugins/common/libs/image/libextplugin:extplugin",
+  ]
+
+  external_deps = [
+    "c_utils:utils",
+    "graphic_2d:color_manager",
+    "hilog:libhilog",
+    "libexif:libexif",
+  ]
+}
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/project.xml b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/project.xml
new file mode 100644
index 000000000..8b63c0e57
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2024 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input 50*1024*1024 -->
+    <max_len>52428800</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/src/image_fwk_exif_dng_fuzzer.cpp b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/src/image_fwk_exif_dng_fuzzer.cpp
new file mode 100644
index 000000000..ece690a1c
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifdng_fuzzer/src/image_fwk_exif_dng_fuzzer.cpp
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "image_fwk_exif_dng_fuzzer.h"
+#define private public
+
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <unistd.h>
+#include <fcntl.h>
+#include "securec.h"
+
+#include "common_fuzztest_function.h"
+#include "metadata_accessor_factory.h"
+#include "dng_exif_metadata_accessor.h"
+#include "heif_exif_metadata_accessor.h"
+#include "jpeg_exif_metadata_accessor.h"
+#include "png_exif_metadata_accessor.h"
+#include "webp_exif_metadata_accessor.h"
+#include "file_metadata_stream.h"
+#include "image_log.h"
+
+#undef LOG_DOMAIN
+#define LOG_DOMAIN LOG_TAG_DOMAIN_ID_IMAGE
+
+#undef LOG_TAG
+#define LOG_TAG "IMAGE_FWK_EXIF_DNG_FUZZER"
+
+namespace OHOS {
+namespace Media {
+using namespace std;
+
+static const std::string DNG_EXIF_PATH = "/data/local/tmp/test_exif.dng";
+
+void MetadataAccessorFuncTest001(std::shared_ptr<MetadataAccessor>& metadataAccessor)
+{
+    if (metadataAccessor == nullptr) {
+        return;
+    }
+    metadataAccessor->Read();
+    auto exifMetadata = metadataAccessor->Get();
+    if (exifMetadata == nullptr) {
+        return;
+    }
+    std::string key = "ImageWidth";
+    exifMetadata->SetValue(key, "500");
+    std::string value;
+    exifMetadata->GetValue(key, value);
+    metadataAccessor->Write();
+    metadataAccessor->Set(exifMetadata);
+    DataBuf inputBuf;
+    metadataAccessor->ReadBlob(inputBuf);
+    metadataAccessor->WriteBlob(inputBuf);
+}
+
+void DngAccessorTest001(const uint8_t* data, size_t size)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    int fd = open(DNG_EXIF_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+    if (write(fd, data, size) != (ssize_t)size) {
+        close(fd);
+        return;
+    }
+
+    std::shared_ptr<MetadataStream> stream = std::make_shared<FileMetadataStream>(fd);
+    if (stream == nullptr || !stream->Open(OpenMode::ReadWrite)) {
+        IMAGE_LOGE("Failed to open the stream with file descriptor: %{public}d", fd);
+        close(fd);
+        return;
+    }
+    uint32_t error = 0;
+    EncodedFormat type = MetadataAccessorFactory::GetImageType(stream, error);
+    if (type != EncodedFormat::DNG) {
+        IMAGE_LOGI("%{public}s type is not DNG", __func__);
+        close(fd);
+        return;
+    }
+    std::shared_ptr<MetadataAccessor> metadataAccessor1 = MetadataAccessorFactory::Create(fd);
+    MetadataAccessorFuncTest001(metadataAccessor1);
+    close(fd);
+    
+    BufferMetadataStream::MemoryMode mode = BufferMetadataStream::MemoryMode::Dynamic;
+    std::shared_ptr<MetadataAccessor> metadataAccessor2 = MetadataAccessorFactory::Create(const_cast<uint8_t*>(data),
+        size, mode);
+    if (metadataAccessor2 == nullptr) {
+        IMAGE_LOGE("Create metadata accessor failed");
+        return;
+    }
+    MetadataAccessorFuncTest001(metadataAccessor2);
+    auto dngMetadataAccessor = reinterpret_cast<DngExifMetadataAccessor*>(metadataAccessor2.get());
+    dngMetadataAccessor->Read();
+    dngMetadataAccessor->Write();
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void DataBufTest(const uint8_t *data, size_t size)
+{
+    if (size == 0) {
+        return;
+    }
+    DataBuf dataBuf(data, size);
+    dataBuf.ReadUInt8(0);
+    dataBuf.Resize(size);
+    dataBuf.WriteUInt8(0, 0);
+    dataBuf.Reset();
+}
+} // namespace Media
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    OHOS::Media::DataBufTest(data, size);
+    OHOS::Media::DngAccessorTest001(data, size);
+    return 0;
+}
\ No newline at end of file
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/BUILD.gn b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/BUILD.gn
new file mode 100644
index 000000000..eb765cf9a
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/BUILD.gn
@@ -0,0 +1,43 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/test.gni")
+import("//foundation/multimedia/image_framework/ide/image_decode_config.gni")
+
+ohos_fuzztest("ImageFwkExifHeif2FuzzTest") {
+  module_out_path = "multimedia_image/image_framework"
+  fuzz_config_file = "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer"
+
+  include_dirs = [
+    "./include",
+    "$image_subsystem/interfaces/innerkits/include",
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/include",
+  ]
+
+  sources = [
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/src/common_fuzztest_function.cpp",
+    "src/image_fwk_exif_heif_fuzzer.cpp",
+  ]
+
+  deps = [
+    "$image_subsystem/interfaces/innerkits:image_native",
+    "$image_subsystem/plugins/common/libs/image/libextplugin:extplugin",
+  ]
+
+  external_deps = [
+    "c_utils:utils",
+    "graphic_2d:color_manager",
+    "hilog:libhilog",
+    "libexif:libexif",
+  ]
+}
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/project.xml b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/project.xml
new file mode 100644
index 000000000..138c61f16
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input 50*1024*1024 -->
+    <max_len>52428800</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/src/image_fwk_exif_heif_fuzzer.cpp b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/src/image_fwk_exif_heif_fuzzer.cpp
new file mode 100644
index 000000000..776f77bd2
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif2_fuzzer/src/image_fwk_exif_heif_fuzzer.cpp
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "image_fwk_exif_heif_fuzzer.h"
+#define private public
+
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <unistd.h>
+#include <fcntl.h>
+#include "securec.h"
+
+#include "common_fuzztest_function.h"
+#include "metadata_accessor_factory.h"
+#include "dng_exif_metadata_accessor.h"
+#include "heif_exif_metadata_accessor.h"
+#include "jpeg_exif_metadata_accessor.h"
+#include "png_exif_metadata_accessor.h"
+#include "webp_exif_metadata_accessor.h"
+#include "file_metadata_stream.h"
+#include "image_log.h"
+
+#undef LOG_DOMAIN
+#define LOG_DOMAIN LOG_TAG_DOMAIN_ID_IMAGE
+
+#undef LOG_TAG
+#define LOG_TAG "IMAGE_FWK_EXIF_HEIF_FUZZER"
+
+namespace OHOS {
+namespace Media {
+using namespace std;
+FuzzedDataProvider* FDP;
+
+static const std::string HEIF_EXIF_PATH = "/data/local/tmp/test_exif.heic";
+constexpr uint32_t OPT_SIZE = 40;
+constexpr uint32_t MEMORYMODE_MODULO = 2;
+
+void MetadataAccessorFuncTest001(std::shared_ptr<MetadataAccessor>& metadataAccessor)
+{
+    if (metadataAccessor == nullptr) {
+        return;
+    }
+    metadataAccessor->Read();
+    auto exifMetadata = metadataAccessor->Get();
+    if (exifMetadata == nullptr) {
+        return;
+    }
+    uint32_t index = FDP->ConsumeIntegral<uint32_t>() % KEY_VALUE_MAPS.size();
+    auto key = KEY_VALUE_MAPS[index].first;
+    for (const auto &v : KEY_VALUE_MAPS[index].second) {
+        exifMetadata->SetValue(key, v);
+        std::string value;
+        exifMetadata->GetValue(key, value);
+    }
+    metadataAccessor->Write();
+    metadataAccessor->Set(exifMetadata);
+    DataBuf inputBuf;
+    metadataAccessor->ReadBlob(inputBuf);
+    metadataAccessor->WriteBlob(inputBuf);
+}
+
+void HeifAccessorTest001(const uint8_t* data, size_t size)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    int fd = open(HEIF_EXIF_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+    if (write(fd, data, size) != (ssize_t)size) {
+        close(fd);
+        return;
+    }
+
+    std::shared_ptr<MetadataStream> stream = std::make_shared<FileMetadataStream>(fd);
+    if (stream == nullptr || !stream->Open(OpenMode::ReadWrite)) {
+        IMAGE_LOGE("Failed to open the stream with file descriptor: %{public}d", fd);
+        close(fd);
+        return;
+    }
+    uint32_t error = 0;
+    EncodedFormat type = MetadataAccessorFactory::GetImageType(stream, error);
+    if (type != EncodedFormat::HEIF) {
+        IMAGE_LOGI("%{public}s type is not HEIF", __func__);
+        close(fd);
+        return;
+    }
+    std::shared_ptr<MetadataAccessor> metadataAccessor1 = MetadataAccessorFactory::Create(fd);
+    MetadataAccessorFuncTest001(metadataAccessor1);
+    close(fd);
+
+    BufferMetadataStream::MemoryMode mode = static_cast<BufferMetadataStream::MemoryMode>(FDP->ConsumeIntegral<uint8_t>() % MEMORYMODE_MODULO);
+    std::shared_ptr<MetadataAccessor> metadataAccessor2 = MetadataAccessorFactory::Create(const_cast<uint8_t*>(data),
+        size, mode);
+    if (metadataAccessor2 == nullptr) {
+        IMAGE_LOGE("Create metadata accessor failed");
+        return;
+    }
+    MetadataAccessorFuncTest001(metadataAccessor2);
+    auto heifMetadataAccessor = reinterpret_cast<HeifExifMetadataAccessor*>(metadataAccessor2.get());
+    heifMetadataAccessor->Read();
+    heifMetadataAccessor->Write();
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void DataBufTest(const uint8_t *data, size_t size)
+{
+    if (size == 0) {
+        return;
+    }
+    DataBuf dataBuf(data, size);
+    dataBuf.ReadUInt8(0);
+    dataBuf.Resize(size);
+    dataBuf.WriteUInt8(0, 0);
+    dataBuf.Reset();
+}
+} // namespace Media
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    if (size < OHOS::Media::OPT_SIZE) {
+        return -1;
+    }
+    FuzzedDataProvider fdp(data + size - OHOS::Media::OPT_SIZE, OHOS::Media::OPT_SIZE);
+    OHOS::Media::FDP = &fdp;
+    WriteDataToFile(data, size - OHOS::Media::OPT_SIZE, OHOS::Media::HEIF_EXIF_PATH);
+    uint8_t action = fdp.ConsumeIntegral<uint8_t>() % 2;
+    switch(action){
+        case 0:
+            OHOS::Media::DataBufTest(data, size);
+            break;
+        case 1:
+            OHOS::Media::HeifAccessorTest001(data, size);
+            break;
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/BUILD.gn b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/BUILD.gn
new file mode 100644
index 000000000..3cda3b0e5
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/BUILD.gn
@@ -0,0 +1,43 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/test.gni")
+import("//foundation/multimedia/image_framework/ide/image_decode_config.gni")
+
+ohos_fuzztest("ImageFwkExifHeifFuzzTest") {
+  module_out_path = "multimedia_image/image_framework"
+  fuzz_config_file = "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer"
+
+  include_dirs = [
+    "./include",
+    "$image_subsystem/interfaces/innerkits/include",
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/include",
+  ]
+
+  sources = [
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/src/common_fuzztest_function.cpp",
+    "src/image_fwk_exif_heif_fuzzer.cpp",
+  ]
+
+  deps = [
+    "$image_subsystem/interfaces/innerkits:image_native",
+    "$image_subsystem/plugins/common/libs/image/libextplugin:extplugin",
+  ]
+
+  external_deps = [
+    "c_utils:utils",
+    "graphic_2d:color_manager",
+    "hilog:libhilog",
+    "libexif:libexif",
+  ]
+}
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/project.xml b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/project.xml
new file mode 100644
index 000000000..8b63c0e57
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2024 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input 50*1024*1024 -->
+    <max_len>52428800</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/src/image_fwk_exif_heif_fuzzer.cpp b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/src/image_fwk_exif_heif_fuzzer.cpp
new file mode 100644
index 000000000..ebb1c3625
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifheif_fuzzer/src/image_fwk_exif_heif_fuzzer.cpp
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "image_fwk_exif_heif_fuzzer.h"
+#define private public
+
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <unistd.h>
+#include <fcntl.h>
+#include "securec.h"
+
+#include "common_fuzztest_function.h"
+#include "metadata_accessor_factory.h"
+#include "dng_exif_metadata_accessor.h"
+#include "heif_exif_metadata_accessor.h"
+#include "jpeg_exif_metadata_accessor.h"
+#include "png_exif_metadata_accessor.h"
+#include "webp_exif_metadata_accessor.h"
+#include "file_metadata_stream.h"
+#include "image_log.h"
+
+#undef LOG_DOMAIN
+#define LOG_DOMAIN LOG_TAG_DOMAIN_ID_IMAGE
+
+#undef LOG_TAG
+#define LOG_TAG "IMAGE_FWK_EXIF_HEIF_FUZZER"
+
+namespace OHOS {
+namespace Media {
+using namespace std;
+
+static const std::string HEIF_EXIF_PATH = "/data/local/tmp/test_exif.heic";
+
+void MetadataAccessorFuncTest001(std::shared_ptr<MetadataAccessor>& metadataAccessor)
+{
+    if (metadataAccessor == nullptr) {
+        return;
+    }
+    metadataAccessor->Read();
+    auto exifMetadata = metadataAccessor->Get();
+    if (exifMetadata == nullptr) {
+        return;
+    }
+    std::string key = "ImageWidth";
+    exifMetadata->SetValue(key, "500");
+    std::string value;
+    exifMetadata->GetValue(key, value);
+    metadataAccessor->Write();
+    metadataAccessor->Set(exifMetadata);
+    DataBuf inputBuf;
+    metadataAccessor->ReadBlob(inputBuf);
+    metadataAccessor->WriteBlob(inputBuf);
+}
+
+void HeifAccessorTest001(const uint8_t* data, size_t size)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    int fd = open(HEIF_EXIF_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+    if (write(fd, data, size) != (ssize_t)size) {
+        close(fd);
+        return;
+    }
+
+    std::shared_ptr<MetadataStream> stream = std::make_shared<FileMetadataStream>(fd);
+    if (stream == nullptr || !stream->Open(OpenMode::ReadWrite)) {
+        IMAGE_LOGE("Failed to open the stream with file descriptor: %{public}d", fd);
+        close(fd);
+        return;
+    }
+    uint32_t error = 0;
+    EncodedFormat type = MetadataAccessorFactory::GetImageType(stream, error);
+    if (type != EncodedFormat::HEIF) {
+        IMAGE_LOGI("%{public}s type is not HEIF", __func__);
+        close(fd);
+        return;
+    }
+    std::shared_ptr<MetadataAccessor> metadataAccessor1 = MetadataAccessorFactory::Create(fd);
+    MetadataAccessorFuncTest001(metadataAccessor1);
+    close(fd);
+
+    BufferMetadataStream::MemoryMode mode = BufferMetadataStream::MemoryMode::Dynamic;
+    std::shared_ptr<MetadataAccessor> metadataAccessor2 = MetadataAccessorFactory::Create(const_cast<uint8_t*>(data),
+        size, mode);
+    if (metadataAccessor2 == nullptr) {
+        IMAGE_LOGE("Create metadata accessor failed");
+        return;
+    }
+    MetadataAccessorFuncTest001(metadataAccessor2);
+    auto heifMetadataAccessor = reinterpret_cast<HeifExifMetadataAccessor*>(metadataAccessor2.get());
+    heifMetadataAccessor->Read();
+    heifMetadataAccessor->Write();
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void DataBufTest(const uint8_t *data, size_t size)
+{
+    if (size == 0) {
+        return;
+    }
+    DataBuf dataBuf(data, size);
+    dataBuf.ReadUInt8(0);
+    dataBuf.Resize(size);
+    dataBuf.WriteUInt8(0, 0);
+    dataBuf.Reset();
+}
+} // namespace Media
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    OHOS::Media::DataBufTest(data, size);
+    OHOS::Media::HeifAccessorTest001(data, size);
+    return 0;
+}
\ No newline at end of file
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/BUILD.gn b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/BUILD.gn
new file mode 100644
index 000000000..9aca9972b
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/BUILD.gn
@@ -0,0 +1,43 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/test.gni")
+import("//foundation/multimedia/image_framework/ide/image_decode_config.gni")
+
+ohos_fuzztest("ImageFwkExifJpeg2FuzzTest") {
+  module_out_path = "multimedia_image/image_framework"
+  fuzz_config_file = "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer"
+
+  include_dirs = [
+    "./include",
+    "$image_subsystem/interfaces/innerkits/include",
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/include",
+  ]
+
+  sources = [
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/src/common_fuzztest_function.cpp",
+    "src/image_fwk_exif_jpeg_fuzzer.cpp",
+  ]
+
+  deps = [
+    "$image_subsystem/interfaces/innerkits:image_native",
+    "$image_subsystem/plugins/common/libs/image/libextplugin:extplugin",
+  ]
+
+  external_deps = [
+    "c_utils:utils",
+    "graphic_2d:color_manager",
+    "hilog:libhilog",
+    "libexif:libexif",
+  ]
+}
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/project.xml b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/project.xml
new file mode 100644
index 000000000..f4306c35f
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input 2000 -->
+    <max_len>2000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/src/image_fwk_exif_jpeg_fuzzer.cpp b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/src/image_fwk_exif_jpeg_fuzzer.cpp
new file mode 100644
index 000000000..9b4e89f22
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg2_fuzzer/src/image_fwk_exif_jpeg_fuzzer.cpp
@@ -0,0 +1,154 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <fuzzer/FuzzedDataProvider.h>
+#include "image_fwk_exif_jpeg_fuzzer.h"
+#define private public
+
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <unistd.h>
+#include <fcntl.h>
+#include "securec.h"
+
+#include "common_fuzztest_function.h"
+#include "metadata_accessor_factory.h"
+#include "dng_exif_metadata_accessor.h"
+#include "heif_exif_metadata_accessor.h"
+#include "jpeg_exif_metadata_accessor.h"
+#include "png_exif_metadata_accessor.h"
+#include "webp_exif_metadata_accessor.h"
+#include "file_metadata_stream.h"
+#include "image_log.h"
+
+#undef LOG_DOMAIN
+#define LOG_DOMAIN LOG_TAG_DOMAIN_ID_IMAGE
+
+#undef LOG_TAG
+#define LOG_TAG "IMAGE_FKW_EXIF_JPEG_FUZZER"
+
+namespace OHOS {
+namespace Media {
+using namespace std;
+FuzzedDataProvider* FDP;
+
+static const std::string JPEG_EXIF_PATH = "/data/local/tmp/test_exif.jpg";
+constexpr uint32_t OPT_SIZE = 40;
+constexpr uint32_t MEMORYMODE_MODULO = 2;
+
+void MetadataAccessorFuncTest001(std::shared_ptr<MetadataAccessor>& metadataAccessor)
+{
+    if (metadataAccessor == nullptr) {
+        return;
+    }
+    metadataAccessor->Read();
+    auto exifMetadata = metadataAccessor->Get();
+    if (exifMetadata == nullptr) {
+        return;
+    }
+    uint32_t index = FDP->ConsumeIntegral<uint32_t>() % KEY_VALUE_MAPS.size();
+    auto key = KEY_VALUE_MAPS[index].first;
+    for (const auto &v : KEY_VALUE_MAPS[index].second) {
+        exifMetadata->SetValue(key, v);
+        std::string value;
+        exifMetadata->GetValue(key, value);
+    }
+    metadataAccessor->Write();
+    metadataAccessor->Set(exifMetadata);
+    DataBuf inputBuf;
+    metadataAccessor->ReadBlob(inputBuf);
+    metadataAccessor->WriteBlob(inputBuf);
+}
+
+void JpegAccessorTest001(const uint8_t *data, size_t size)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    int fd = open(JPEG_EXIF_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+    if (write(fd, data, size) != (ssize_t)size) {
+        close(fd);
+        return;
+    }
+
+    std::shared_ptr<MetadataStream> stream = std::make_shared<FileMetadataStream>(fd);
+    if (stream == nullptr || !stream->Open(OpenMode::ReadWrite)) {
+        IMAGE_LOGE("Failed to open the stream with file descriptor: %{public}d", fd);
+        close(fd);
+        return;
+    }
+    uint32_t error = 0;
+    EncodedFormat type = MetadataAccessorFactory::GetImageType(stream, error);
+    if (type != EncodedFormat::JPEG) {
+        IMAGE_LOGI("%{public}s type is not JPEG", __func__);
+        close(fd);
+        return;
+    }
+    std::shared_ptr<MetadataAccessor> metadataAccessor1 = MetadataAccessorFactory::Create(fd);
+    MetadataAccessorFuncTest001(metadataAccessor1);
+    close(fd);
+    BufferMetadataStream::MemoryMode mode = static_cast<BufferMetadataStream::MemoryMode>(FDP->ConsumeIntegral<uint8_t>() % MEMORYMODE_MODULO);
+    std::shared_ptr<MetadataAccessor> metadataAccessor2 = MetadataAccessorFactory::Create(const_cast<uint8_t*>(data),
+        size, mode);
+    if (metadataAccessor2 == nullptr) {
+        IMAGE_LOGE("Create metadata accessor failed");
+        return;
+    }
+    MetadataAccessorFuncTest001(metadataAccessor2);
+    auto jpegMetadataAccessor = reinterpret_cast<JpegExifMetadataAccessor*>(metadataAccessor2.get());
+    jpegMetadataAccessor->Read();
+    jpegMetadataAccessor->Write();
+    DataBuf inputBuf;
+    jpegMetadataAccessor->WriteBlob(inputBuf);
+    int marker = jpegMetadataAccessor->FindNextMarker();
+    jpegMetadataAccessor->ReadSegmentLength(static_cast<uint8_t>(marker));
+    jpegMetadataAccessor->ReadNextSegment(static_cast<byte>(marker));
+    jpegMetadataAccessor->GetInsertPosAndMarkerAPP1();
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void DataBufTest(const uint8_t *data, size_t size)
+{
+    if (size == 0) {
+        return;
+    }
+    DataBuf dataBuf(data, size);
+    dataBuf.ReadUInt8(0);
+    dataBuf.Resize(size);
+    dataBuf.WriteUInt8(0, 0);
+    dataBuf.Reset();
+}
+} // namespace Media
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    if (size < OHOS::Media::OPT_SIZE) {
+        return -1;
+    }
+    FuzzedDataProvider fdp(data + size - OHOS::Media::OPT_SIZE, OHOS::Media::OPT_SIZE);
+    OHOS::Media::FDP = &fdp;
+    WriteDataToFile(data, size - OHOS::Media::OPT_SIZE, OHOS::Media::JPEG_EXIF_PATH);
+    uint8_t action = fdp.ConsumeIntegral<uint8_t>() % 2;
+    switch(action){
+        case 0:
+            OHOS::Media::DataBufTest(data, size);
+            break;
+        case 1:
+            OHOS::Media::JpegAccessorTest001(data, size);
+            break;
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/BUILD.gn b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/BUILD.gn
new file mode 100644
index 000000000..642a9bedc
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/BUILD.gn
@@ -0,0 +1,43 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/test.gni")
+import("//foundation/multimedia/image_framework/ide/image_decode_config.gni")
+
+ohos_fuzztest("ImageFwkExifJpegFuzzTest") {
+  module_out_path = "multimedia_image/image_framework"
+  fuzz_config_file = "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer"
+
+  include_dirs = [
+    "./include",
+    "$image_subsystem/interfaces/innerkits/include",
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/include",
+  ]
+
+  sources = [
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/src/common_fuzztest_function.cpp",
+    "src/image_fwk_exif_jpeg_fuzzer.cpp",
+  ]
+
+  deps = [
+    "$image_subsystem/interfaces/innerkits:image_native",
+    "$image_subsystem/plugins/common/libs/image/libextplugin:extplugin",
+  ]
+
+  external_deps = [
+    "c_utils:utils",
+    "graphic_2d:color_manager",
+    "hilog:libhilog",
+    "libexif:libexif",
+  ]
+}
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/project.xml b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/project.xml
new file mode 100644
index 000000000..6fe7b2a8c
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2024 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input 2000 -->
+    <max_len>2000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/src/image_fwk_exif_jpeg_fuzzer.cpp b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/src/image_fwk_exif_jpeg_fuzzer.cpp
new file mode 100644
index 000000000..be99c5df0
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifjpeg_fuzzer/src/image_fwk_exif_jpeg_fuzzer.cpp
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "image_fwk_exif_jpeg_fuzzer.h"
+#define private public
+
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <unistd.h>
+#include <fcntl.h>
+#include "securec.h"
+
+#include "common_fuzztest_function.h"
+#include "metadata_accessor_factory.h"
+#include "dng_exif_metadata_accessor.h"
+#include "heif_exif_metadata_accessor.h"
+#include "jpeg_exif_metadata_accessor.h"
+#include "png_exif_metadata_accessor.h"
+#include "webp_exif_metadata_accessor.h"
+#include "file_metadata_stream.h"
+#include "image_log.h"
+
+#undef LOG_DOMAIN
+#define LOG_DOMAIN LOG_TAG_DOMAIN_ID_IMAGE
+
+#undef LOG_TAG
+#define LOG_TAG "IMAGE_FKW_EXIF_JPEG_FUZZER"
+
+namespace OHOS {
+namespace Media {
+using namespace std;
+
+static const std::string JPEG_EXIF_PATH = "/data/local/tmp/test_exif.jpg";
+
+void MetadataAccessorFuncTest001(std::shared_ptr<MetadataAccessor>& metadataAccessor)
+{
+    if (metadataAccessor == nullptr) {
+        return;
+    }
+    metadataAccessor->Read();
+    auto exifMetadata = metadataAccessor->Get();
+    if (exifMetadata == nullptr) {
+        return;
+    }
+    std::string key = "ImageWidth";
+    exifMetadata->SetValue(key, "500");
+    std::string value;
+    exifMetadata->GetValue(key, value);
+    metadataAccessor->Write();
+    metadataAccessor->Set(exifMetadata);
+    DataBuf inputBuf;
+    metadataAccessor->ReadBlob(inputBuf);
+    metadataAccessor->WriteBlob(inputBuf);
+}
+
+void JpegAccessorTest001(const uint8_t *data, size_t size)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    int fd = open(JPEG_EXIF_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+    if (write(fd, data, size) != (ssize_t)size) {
+        close(fd);
+        return;
+    }
+
+    std::shared_ptr<MetadataStream> stream = std::make_shared<FileMetadataStream>(fd);
+    if (stream == nullptr || !stream->Open(OpenMode::ReadWrite)) {
+        IMAGE_LOGE("Failed to open the stream with file descriptor: %{public}d", fd);
+        close(fd);
+        return;
+    }
+    uint32_t error = 0;
+    EncodedFormat type = MetadataAccessorFactory::GetImageType(stream, error);
+    if (type != EncodedFormat::JPEG) {
+        IMAGE_LOGI("%{public}s type is not JPEG", __func__);
+        close(fd);
+        return;
+    }
+    std::shared_ptr<MetadataAccessor> metadataAccessor1 = MetadataAccessorFactory::Create(fd);
+    MetadataAccessorFuncTest001(metadataAccessor1);
+    close(fd);
+
+    BufferMetadataStream::MemoryMode mode = BufferMetadataStream::MemoryMode::Dynamic;
+    std::shared_ptr<MetadataAccessor> metadataAccessor2 = MetadataAccessorFactory::Create(const_cast<uint8_t*>(data),
+        size, mode);
+    if (metadataAccessor2 == nullptr) {
+        IMAGE_LOGE("Create metadata accessor failed");
+        return;
+    }
+    MetadataAccessorFuncTest001(metadataAccessor2);
+    auto jpegMetadataAccessor = reinterpret_cast<JpegExifMetadataAccessor*>(metadataAccessor2.get());
+    jpegMetadataAccessor->Read();
+    jpegMetadataAccessor->Write();
+    DataBuf inputBuf;
+    jpegMetadataAccessor->WriteBlob(inputBuf);
+    int marker = jpegMetadataAccessor->FindNextMarker();
+    jpegMetadataAccessor->ReadSegmentLength(static_cast<uint8_t>(marker));
+    jpegMetadataAccessor->ReadNextSegment(static_cast<byte>(marker));
+    jpegMetadataAccessor->GetInsertPosAndMarkerAPP1();
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void DataBufTest(const uint8_t *data, size_t size)
+{
+    if (size == 0) {
+        return;
+    }
+    DataBuf dataBuf(data, size);
+    dataBuf.ReadUInt8(0);
+    dataBuf.Resize(size);
+    dataBuf.WriteUInt8(0, 0);
+    dataBuf.Reset();
+}
+} // namespace Media
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    OHOS::Media::DataBufTest(data, size);
+    OHOS::Media::JpegAccessorTest001(data, size);
+    return 0;
+}
\ No newline at end of file
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/BUILD.gn b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/BUILD.gn
new file mode 100644
index 000000000..5c5e94f6c
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/BUILD.gn
@@ -0,0 +1,43 @@
+# Copyright (c) 2025 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/test.gni")
+import("//foundation/multimedia/image_framework/ide/image_decode_config.gni")
+
+ohos_fuzztest("ImageFwkExifPng2FuzzTest") {
+  module_out_path = "multimedia_image/image_framework"
+  fuzz_config_file = "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer"
+
+  include_dirs = [
+    "./include",
+    "$image_subsystem/interfaces/innerkits/include",
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/include",
+  ]
+
+  sources = [
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/src/common_fuzztest_function.cpp",
+    "src/image_fwk_exif_png_fuzzer.cpp",
+  ]
+
+  deps = [
+    "$image_subsystem/interfaces/innerkits:image_native",
+    "$image_subsystem/plugins/common/libs/image/libextplugin:extplugin",
+  ]
+
+  external_deps = [
+    "c_utils:utils",
+    "graphic_2d:color_manager",
+    "hilog:libhilog",
+    "libexif:libexif",
+  ]
+}
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/project.xml b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/project.xml
new file mode 100644
index 000000000..f4306c35f
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2025 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input 2000 -->
+    <max_len>2000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/src/image_fwk_exif_png_fuzzer.cpp b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/src/image_fwk_exif_png_fuzzer.cpp
new file mode 100644
index 000000000..9a81a7dac
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng2_fuzzer/src/image_fwk_exif_png_fuzzer.cpp
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <fuzzer/FuzzedDataProvider.h>
+#include "image_fwk_exif_png_fuzzer.h"
+#define private public
+
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <unistd.h>
+#include <fcntl.h>
+#include "securec.h"
+
+#include "common_fuzztest_function.h"
+#include "metadata_accessor_factory.h"
+#include "dng_exif_metadata_accessor.h"
+#include "heif_exif_metadata_accessor.h"
+#include "jpeg_exif_metadata_accessor.h"
+#include "png_exif_metadata_accessor.h"
+#include "webp_exif_metadata_accessor.h"
+#include "file_metadata_stream.h"
+#include "image_log.h"
+
+#undef LOG_DOMAIN
+#define LOG_DOMAIN LOG_TAG_DOMAIN_ID_IMAGE
+
+#undef LOG_TAG
+#define LOG_TAG "IMAGE_FKW_EXIF_PNG_FUZZ"
+
+namespace OHOS {
+namespace Media {
+using namespace std;
+FuzzedDataProvider* FDP;
+
+static const std::string PNG_EXIF_PATH = "/data/local/tmp/test_exif.png";
+constexpr uint32_t OPT_SIZE = 40;
+constexpr uint32_t MEMORYMODE_MODULO = 2;
+
+void MetadataAccessorFuncTest001(std::shared_ptr<MetadataAccessor>& metadataAccessor)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    if (metadataAccessor == nullptr) {
+        return;
+    }
+    metadataAccessor->Read();
+    auto exifMetadata = metadataAccessor->Get();
+    if (exifMetadata == nullptr) {
+        return;
+    }
+    uint32_t index = FDP->ConsumeIntegral<uint32_t>() % KEY_VALUE_MAPS.size();
+    auto key = KEY_VALUE_MAPS[index].first;
+    for (const auto &v : KEY_VALUE_MAPS[index].second) {
+        exifMetadata->SetValue(key, v);
+        std::string value;
+        exifMetadata->GetValue(key, value);
+    }
+    metadataAccessor->Write();
+    metadataAccessor->Set(exifMetadata);
+    DataBuf inputBuf;
+    metadataAccessor->ReadBlob(inputBuf);
+    metadataAccessor->WriteBlob(inputBuf);
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void PngAccessorTest001(const uint8_t* data, size_t size)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    int fd = open(PNG_EXIF_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+    if (write(fd, data, size) != (ssize_t)size) {
+        close(fd);
+        return;
+    }
+
+    std::shared_ptr<MetadataStream> stream = std::make_shared<FileMetadataStream>(fd);
+    if (stream == nullptr || !stream->Open(OpenMode::ReadWrite)) {
+        IMAGE_LOGE("Failed to open the stream with file descriptor: %{public}d", fd);
+        close(fd);
+        return;
+    }
+    uint32_t error = 0;
+    EncodedFormat type = MetadataAccessorFactory::GetImageType(stream, error);
+    if (type != EncodedFormat::PNG) {
+        IMAGE_LOGI("%{public}s type is not PNG", __func__);
+        close(fd);
+        return;
+    }
+    std::shared_ptr<MetadataAccessor> metadataAccessor1 = MetadataAccessorFactory::Create(fd);
+    MetadataAccessorFuncTest001(metadataAccessor1);
+    close(fd);
+
+    BufferMetadataStream::MemoryMode mode = static_cast<BufferMetadataStream::MemoryMode>(FDP->ConsumeIntegral<uint8_t>() % MEMORYMODE_MODULO);
+    std::shared_ptr<MetadataAccessor> metadataAccessor2 = MetadataAccessorFactory::Create(const_cast<uint8_t*>(data),
+        size, mode);
+    if (metadataAccessor2 == nullptr) {
+        IMAGE_LOGE("Create metadata accessor failed");
+        return;
+    }
+    MetadataAccessorFuncTest001(metadataAccessor2);
+    auto pngMetadataAccessor = reinterpret_cast<PngExifMetadataAccessor*>(metadataAccessor2.get());
+    pngMetadataAccessor->IsPngType();
+    pngMetadataAccessor->Read();
+    pngMetadataAccessor->Write();
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void DataBufTest(const uint8_t *data, size_t size)
+{
+    if (size == 0) {
+        return;
+    }
+    DataBuf dataBuf(data, size);
+    dataBuf.ReadUInt8(0);
+    dataBuf.Resize(size);
+    dataBuf.WriteUInt8(0, 0);
+    dataBuf.Reset();
+}
+} // namespace Media
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    if (size < OHOS::Media::OPT_SIZE) {
+        return -1;
+    }
+    FuzzedDataProvider fdp(data + size - OHOS::Media::OPT_SIZE, OHOS::Media::OPT_SIZE);
+    OHOS::Media::FDP = &fdp;
+    WriteDataToFile(data, size - OHOS::Media::OPT_SIZE, OHOS::Media::PNG_EXIF_PATH);
+    uint8_t action = fdp.ConsumeIntegral<uint8_t>() % 2;
+    switch(action){
+        case 0:
+            OHOS::Media::DataBufTest(data, size);
+            break;
+        case 1:
+            OHOS::Media::PngAccessorTest001(data, size);
+            break;
+    }
+    return 0;
+}
\ No newline at end of file
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/BUILD.gn b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/BUILD.gn
new file mode 100644
index 000000000..de245f649
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/BUILD.gn
@@ -0,0 +1,43 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/test.gni")
+import("//foundation/multimedia/image_framework/ide/image_decode_config.gni")
+
+ohos_fuzztest("ImageFwkExifPngFuzzTest") {
+  module_out_path = "multimedia_image/image_framework"
+  fuzz_config_file = "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer"
+
+  include_dirs = [
+    "./include",
+    "$image_subsystem/interfaces/innerkits/include",
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/include",
+  ]
+
+  sources = [
+    "$image_subsystem/frameworks/innerkitsimpl/test/fuzztest/common/src/common_fuzztest_function.cpp",
+    "src/image_fwk_exif_png_fuzzer.cpp",
+  ]
+
+  deps = [
+    "$image_subsystem/interfaces/innerkits:image_native",
+    "$image_subsystem/plugins/common/libs/image/libextplugin:extplugin",
+  ]
+
+  external_deps = [
+    "c_utils:utils",
+    "graphic_2d:color_manager",
+    "hilog:libhilog",
+    "libexif:libexif",
+  ]
+}
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/project.xml b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/project.xml
new file mode 100644
index 000000000..6fe7b2a8c
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/project.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) 2024 Huawei Device Co., Ltd.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+-->
+<fuzz_config>
+  <fuzztest>
+    <!-- maximum length of a test input 2000 -->
+    <max_len>2000</max_len>
+    <!-- maximum total time in seconds to run the fuzzer -->
+    <max_total_time>300</max_total_time>
+    <!-- memory usage limit in Mb -->
+    <rss_limit_mb>4096</rss_limit_mb>
+  </fuzztest>
+</fuzz_config>
diff --git a/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/src/image_fwk_exif_png_fuzzer.cpp b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/src/image_fwk_exif_png_fuzzer.cpp
new file mode 100644
index 000000000..a8adf5038
--- /dev/null
+++ b/frameworks/innerkitsimpl/test/fuzztest/imagefwkexifpng_fuzzer/src/image_fwk_exif_png_fuzzer.cpp
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "image_fwk_exif_png_fuzzer.h"
+#define private public
+
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <unistd.h>
+#include <fcntl.h>
+#include "securec.h"
+
+#include "common_fuzztest_function.h"
+#include "metadata_accessor_factory.h"
+#include "dng_exif_metadata_accessor.h"
+#include "heif_exif_metadata_accessor.h"
+#include "jpeg_exif_metadata_accessor.h"
+#include "png_exif_metadata_accessor.h"
+#include "webp_exif_metadata_accessor.h"
+#include "file_metadata_stream.h"
+#include "image_log.h"
+
+#undef LOG_DOMAIN
+#define LOG_DOMAIN LOG_TAG_DOMAIN_ID_IMAGE
+
+#undef LOG_TAG
+#define LOG_TAG "IMAGE_FKW_EXIF_PNG_FUZZ"
+
+namespace OHOS {
+namespace Media {
+using namespace std;
+
+static const std::string PNG_EXIF_PATH = "/data/local/tmp/test_exif.png";
+
+void MetadataAccessorFuncTest001(std::shared_ptr<MetadataAccessor>& metadataAccessor)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    if (metadataAccessor == nullptr) {
+        return;
+    }
+    metadataAccessor->Read();
+    auto exifMetadata = metadataAccessor->Get();
+    if (exifMetadata == nullptr) {
+        return;
+    }
+    std::string key = "ImageWidth";
+    exifMetadata->SetValue(key, "500");
+    std::string value;
+    exifMetadata->GetValue(key, value);
+    metadataAccessor->Write();
+    metadataAccessor->Set(exifMetadata);
+    DataBuf inputBuf;
+    metadataAccessor->ReadBlob(inputBuf);
+    metadataAccessor->WriteBlob(inputBuf);
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void PngAccessorTest001(const uint8_t* data, size_t size)
+{
+    IMAGE_LOGI("%{public}s IN", __func__);
+    int fd = open(PNG_EXIF_PATH.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+    if (write(fd, data, size) != (ssize_t)size) {
+        close(fd);
+        return;
+    }
+
+    std::shared_ptr<MetadataStream> stream = std::make_shared<FileMetadataStream>(fd);
+    if (stream == nullptr || !stream->Open(OpenMode::ReadWrite)) {
+        IMAGE_LOGE("Failed to open the stream with file descriptor: %{public}d", fd);
+        close(fd);
+        return;
+    }
+    uint32_t error = 0;
+    EncodedFormat type = MetadataAccessorFactory::GetImageType(stream, error);
+    if (type != EncodedFormat::PNG) {
+        IMAGE_LOGI("%{public}s type is not PNG", __func__);
+        close(fd);
+        return;
+    }
+    std::shared_ptr<MetadataAccessor> metadataAccessor1 = MetadataAccessorFactory::Create(fd);
+    MetadataAccessorFuncTest001(metadataAccessor1);
+    close(fd);
+
+    BufferMetadataStream::MemoryMode mode = BufferMetadataStream::MemoryMode::Dynamic;
+    std::shared_ptr<MetadataAccessor> metadataAccessor2 = MetadataAccessorFactory::Create(const_cast<uint8_t*>(data),
+        size, mode);
+    if (metadataAccessor2 == nullptr) {
+        IMAGE_LOGE("Create metadata accessor failed");
+        return;
+    }
+    MetadataAccessorFuncTest001(metadataAccessor2);
+    auto pngMetadataAccessor = reinterpret_cast<PngExifMetadataAccessor*>(metadataAccessor2.get());
+    pngMetadataAccessor->IsPngType();
+    pngMetadataAccessor->Read();
+    pngMetadataAccessor->Write();
+    IMAGE_LOGI("%{public}s SUCCESS", __func__);
+}
+
+void DataBufTest(const uint8_t *data, size_t size)
+{
+    if (size == 0) {
+        return;
+    }
+    DataBuf dataBuf(data, size);
+    dataBuf.ReadUInt8(0);
+    dataBuf.Resize(size);
+    dataBuf.WriteUInt8(0, 0);
+    dataBuf.Reset();
+}
+} // namespace Media
+} // namespace OHOS
+
+/* Fuzzer entry point */
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    /* Run your code on data */
+    OHOS::Media::DataBufTest(data, size);
+    OHOS::Media::PngAccessorTest001(data, size);
+    return 0;
+}
\ No newline at end of file
-- 
Gitee