tests/tests/security/src/android/security/cts/BitmapFactorySecurityTests.java

/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security.cts;

import android.graphics.BitmapFactory;
import android.os.ParcelFileDescriptor;
import android.platform.test.annotations.SecurityTest;
import android.test.AndroidTestCase;

import java.io.File;
import java.io.FileDescriptor;
import java.io.FileOutputStream;
import java.io.InputStream;

import java.lang.Exception;

import android.security.cts.R;

@SecurityTest
public class BitmapFactorySecurityTests extends AndroidTestCase {
    private FileDescriptor getResource(int resId) {
        try {
            InputStream is = mContext.getResources().openRawResource(resId);
            assertNotNull(is);
            File file = File.createTempFile("BitmapFactorySecurityFile" + resId, "img");
            file.deleteOnExit();
            FileOutputStream output = new FileOutputStream(file);
            byte[] buffer = new byte[1024];
            int readLength;
            while ((readLength = is.read(buffer)) != -1) {
                output.write(buffer, 0, readLength);
            }
            is.close();
            output.close();
            ParcelFileDescriptor pfd = ParcelFileDescriptor.open(file,
                    ParcelFileDescriptor.MODE_READ_ONLY);
            return pfd.getFileDescriptor();
        } catch (Exception e) {
            fail("Could not get resource " + resId + "! " + e);
            return null;
        }
    }

    /**
     * Verifies that decoding a corrupt ICO does crash.
     */
    @SecurityTest(minPatchLevel = "2017-09")
    public void test_android_bug_38116746() {
        FileDescriptor exploitImage = getResource(R.raw.bug_38116746);
        try {
            BitmapFactory.decodeFileDescriptor(exploitImage);
        } catch (OutOfMemoryError e) {
            fail("OOM attempting to decode ICO");
        }

        // This previously crashed in fread. No need to check the output.
        BitmapFactory.decodeFileDescriptor(getResource(R.raw.b38116746_new));
    }

    /**
     * Verifies that decoding a corrupt BMP does crash.
     */
    @SecurityTest(minPatchLevel = "2017-08")
    public void test_android_bug_37627194() {
        FileDescriptor exploitImage = getResource(R.raw.bug_37627194);
        try {
            BitmapFactory.decodeFileDescriptor(exploitImage);
        } catch (OutOfMemoryError e) {
            fail("OOM attempting to decode BMP");
        }
    }

    @SecurityTest
    public void test_android_bug_156261521() {
        // Previously decoding this would crash.
        FileDescriptor exploitImage = getResource(R.raw.bug_156261521);
        BitmapFactory.decodeFileDescriptor(exploitImage);
    }
}