| /** |
| * Copyright (C) 2018 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| #define _GNU_SOURCE |
| #include <sys/types.h> |
| #include <sys/wait.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <unistd.h> |
| #include <sys/stat.h> |
| #include <fcntl.h> |
| #include <dlfcn.h> |
| #include <string.h> |
| #include <sys/mman.h> |
| |
| typedef struct { |
| uint32_t width; |
| uint32_t height; |
| uint32_t format; |
| const unsigned char* pixels; |
| } gdx2d_pixmap; |
| |
| gdx2d_pixmap *(*gdx2d_load)(const unsigned char *buffer, uint32_t len); |
| void (*gdx2d_free)(const gdx2d_pixmap* pixmap); |
| |
| int main() { |
| void *libgdx = dlopen("libgdx.so", RTLD_LAZY); |
| if(libgdx == NULL) { |
| return -1; |
| } |
| gdx2d_load = dlsym(libgdx, "gdx2d_load"); |
| gdx2d_free = dlsym(libgdx, "gdx2d_free"); |
| if(gdx2d_load == NULL || gdx2d_free == NULL){ |
| dlclose(libgdx); |
| return -2; |
| } |
| |
| char *fname = "/data/local/tmp/CVE-2017-0477.gif"; |
| int fd = open(fname, O_RDONLY); |
| struct stat st; |
| fstat(fd, &st); |
| void *ptr = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); |
| |
| gdx2d_pixmap *pixmap = gdx2d_load((unsigned char *) ptr, st.st_size); |
| if (pixmap) { |
| gdx2d_free(pixmap); |
| } |
| dlclose(libgdx); |
| return 0; |
| } |
| |
