| /** |
| * Copyright (C) 2020 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include "../includes/common.h" |
| #include "../includes/memutils_track.h" |
| #include "hardware/sensors.h" |
| #include "sensor/Sensor.h" |
| #include "stdlib.h" |
| |
using namespace android;

// Size in bytes of the one allocation this test inspects. main() sets it from
// Sensor::getFlattenedSize() before allocating the output buffer.
size_t vulnerableSize = 0;

// Switch for the allocator checks; main() raises it to ENABLE_MALLOC_CHECK only
// around the output-buffer malloc() and lowers it again afterwards.
// NOTE(review): presumably read by the overrides in memutils_track.h - confirm.
char enable_selective_overload = ENABLE_NONE;
| |
// Allocation filter: reports true only for a request whose size equals
// vulnerableSize, i.e. the flatten() output buffer allocated in main().
// NOTE(review): presumably called back by memutils_track.h for each
// allocation - confirm against that header.
bool is_tracking_required(size_t size) {
    const bool isTargetAllocation = (vulnerableSize == size);
    return isTargetAllocation;
}
| |
// Builds the HAL sensor description that main() wraps in a Sensor object.
// All values are fixed test data; the result is returned by value.
static sensor_t getTestSensorT() {
    sensor_t desc = {};

    // Identity strings. vendor deliberately reuses the name pointer.
    // NOTE(review): the trailing space makes the name five characters long,
    // presumably so that the flattened string needs alignment padding -
    // confirm against Sensor::flatten().
    desc.name = "Test ";
    desc.vendor = desc.name;
    desc.stringType = SENSOR_STRING_TYPE_ACCELEROMETER;
    desc.requiredPermission = "";

    // Kind of sensor and how it reports.
    desc.type = SENSOR_TYPE_ACCELEROMETER;
    desc.flags = SENSOR_FLAG_CONTINUOUS_MODE;
    desc.version = 1;
    desc.handle = 2;

    // Measurement characteristics.
    desc.maxRange = 10.f;
    desc.resolution = 1.f;
    desc.power = 5.f;

    // Timing and FIFO limits.
    desc.minDelay = 1000;
    desc.maxDelay = 5000;
    desc.fifoReservedEventCount = 50;
    desc.fifoMaxEventCount = 100;

    return desc;
}
| |
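/**
 * Checks whether Sensor::flatten() writes every byte of its output buffer.
 *
 * Any byte flatten() leaves unwritten would hand stale heap contents to
 * whoever receives the serialized sensor, so the buffer is allocated with the
 * malloc check enabled and inspected after the call.
 *
 * @return the value of is_memory_uninitialized() when flatten() succeeded,
 *         EXIT_FAILURE when the buffer could not be allocated or flatten()
 *         reported an error.
 */
int main() {
    sensor_t hwSensor = getTestSensorT();
    Sensor sensor1(&hwSensor, SENSORS_DEVICE_API_VERSION_1_4);

    // is_tracking_required() matches allocations of exactly this size.
    vulnerableSize = sensor1.getFlattenedSize();

    // Enable the malloc check for this single allocation only, and switch it
    // off again on every path, including the allocation-failure one.
    enable_selective_overload = ENABLE_MALLOC_CHECK;
    void *buffer = malloc(vulnerableSize);
    enable_selective_overload = ENABLE_NONE;
    if (!buffer) {
        return EXIT_FAILURE;
    }

    // A failed flatten() may not have filled the buffer at all, so checking it
    // afterwards would produce a verdict about nothing. Report a test error
    // instead. NOTE(review): 0 is assumed to be the success status - confirm.
    if (sensor1.flatten(buffer, vulnerableSize) != 0) {
        free(buffer);
        return EXIT_FAILURE;
    }

    // Query the tracker while the buffer is still allocated, then release it.
    int status = is_memory_uninitialized();
    free(buffer);
    return status;
}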