test if libFLAC is patched against CVE-2014-9028
Overview of CVE-2014-9028:
Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1
allows remote attackers to execute arbitrary code via a crafted .flac
file.
(source: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9028)
heap_oob_flac has a .mp3 extension to avoid compresstion by aapt. When a
resource file is compressed openRawResourceFd would fail. Please refer
to kNoCompressExt in frameworks/base/tools/aapt/Package.cpp for more
details.
Bug: 23238405
Change-Id: I7c13b19beb83c10fced360537a84b2f053ce8a26
diff --git a/tests/tests/media/res/raw/heap_oob_flac.mp3 b/tests/tests/media/res/raw/heap_oob_flac.mp3
new file mode 100644
index 0000000..ae542d0
--- /dev/null
+++ b/tests/tests/media/res/raw/heap_oob_flac.mp3
Binary files differ
diff --git a/tests/tests/media/src/android/media/cts/MediaPlayerTest.java b/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
index 8e9bc29..385295b 100644
--- a/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
+++ b/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
@@ -80,6 +80,37 @@
}
}
+ public void testFlacHeapOverflow() throws Exception {
+ testIfMediaServerDied(R.raw.heap_oob_flac);
+ }
+
+ private void testIfMediaServerDied(int res) throws Exception {
+ mMediaPlayer.setOnErrorListener(new MediaPlayer.OnErrorListener() {
+ @Override
+ public boolean onError(MediaPlayer mp, int what, int extra) {
+ assertTrue(mp == mMediaPlayer);
+ assertTrue("mediaserver process died", what != MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ return false;
+ }
+ });
+
+ mMediaPlayer.setOnCompletionListener(new MediaPlayer.OnCompletionListener() {
+ @Override
+ public void onCompletion(MediaPlayer mp) {
+ assertTrue(mp == mMediaPlayer);
+ mOnCompletionCalled.signal();
+ }
+ });
+
+ AssetFileDescriptor afd = mResources.openRawResourceFd(res);
+ mMediaPlayer.setDataSource(afd.getFileDescriptor(), afd.getStartOffset(), afd.getLength());
+ afd.close();
+ mMediaPlayer.prepare();
+ mMediaPlayer.start();
+ mOnCompletionCalled.waitForSignal();
+ mMediaPlayer.release();
+ }
+
// Bug 13652927
public void testVorbisCrash() throws Exception {
MediaPlayer mp = mMediaPlayer;