| /* |
| * Copyright (C) 2021 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <media/IDrm.h> |
| #include "../includes/common.h" |
| |
| #define private public |
| #include <media/ICrypto.h> |
| |
| using namespace android; |
| |
| const uint16_t kDataSize = 4096; |
| const void *vulnPtr = nullptr; |
| bool isVectorCleared = false; |
| bool isTrackingEnabled = false; |
| |
| void VectorImpl::clear() { |
| if (isTrackingEnabled && (this == vulnPtr)) { |
| isVectorCleared = true; |
| } |
| } |
| |
| class PocBnCrypto : public BnCrypto { |
| public: |
| status_t initCheck() const { return OK; } |
| |
| bool isCryptoSchemeSupported(const uint8_t *) { return true; } |
| |
| status_t createPlugin(const uint8_t *, const void *, size_t) { return OK; } |
| |
| status_t destroyPlugin() { return OK; } |
| |
| bool requiresSecureDecoderComponent(const char *) const { return true; } |
| |
| void notifyResolution(uint32_t, uint32_t) {} |
| |
| status_t setMediaDrmSession(const Vector<uint8_t> &) { return OK; } |
| |
| ssize_t decrypt(const uint8_t *, const uint8_t *, CryptoPlugin::Mode, |
| const CryptoPlugin::Pattern &, const SourceBuffer &, size_t, |
| const CryptoPlugin::SubSample *, size_t, const DestinationBuffer &, AString *) { |
| return 0; |
| } |
| |
| int32_t setHeap(const sp<IMemoryHeap> &) { return 0; } |
| |
| void unsetHeap(int32_t) {} |
| }; |
| |
| int main() { |
| PocBnCrypto obj; |
| Parcel data, reply; |
| status_t status = data.writeInterfaceToken(String16("android.hardware.ICrypto")); |
| FAIL_CHECK(status == OK); |
| data.writeInt32(kDataSize); |
| Vector<uint8_t> sessionId; |
| isTrackingEnabled = true; |
| vulnPtr = &sessionId; |
| obj.readVector(data, sessionId); |
| isTrackingEnabled = false; |
| return (!isVectorCleared) ? EXIT_VULNERABLE : EXIT_SUCCESS; |
| } |