[RESTRICT AUTOMERGE] CTS test for Android security b/158762825

Bug: 158762825
Bug: 168717279
Test: Ran the new testcase on android-9.0.0_r39 with/without patch

Change-Id: I1440d17940e3cfe0f6558e3ef8d75c66cf24c3b6
diff --git a/hostsidetests/securitybulletin/res/cve_2020_0451.aac b/hostsidetests/securitybulletin/res/cve_2020_0451.aac
new file mode 100644
index 0000000..7b04e05
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2020_0451.aac
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/Android.mk
new file mode 100644
index 0000000..7e8b1c7
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/Android.mk
@@ -0,0 +1,41 @@
+#Copyright (C) 2020 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2020-0451
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+LOCAL_C_INCLUDES := external/aac/libSYS/include/
+LOCAL_C_INCLUDES += external/aac/libAACdec/include/
+LOCAL_C_INCLUDES += external/aac/libSBRdec/include/
+LOCAL_C_INCLUDES += external/aac/libFDK/include/
+LOCAL_C_INCLUDES += external/aac/libAACdec/src/
+LOCAL_C_INCLUDES += external/aac/libArithCoding/include/
+LOCAL_C_INCLUDES += external/aac/libMpegTPDec/include/
+LOCAL_C_INCLUDES += external/aac/libPCMutils/include/
+LOCAL_C_INCLUDES += external/aac/libDRCdec/include/
+LOCAL_C_INCLUDES += external/aac/libSBRdec/src/
+LOCAL_SHARED_LIBRARIES := libbluetooth
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS := -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/poc.cpp
new file mode 100644
index 0000000..30b2fb9
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0451/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <fstream>
+#include <iostream>
+#include <limits>
+#include "../includes/common.h"
+#include "aacdecoder_lib.h"
+#include "aacdecoder.h"
+#include "sbr_ram.h"
+
+constexpr uint8_t kNumberOfLayers = 1;
+constexpr uint8_t kMaxChannelCount = 8;
+bool kIsVulnerable = false;
+
+class Codec {
+ public:
+  Codec() = default;
+  ~Codec() { deInitDecoder(); }
+  bool initDecoder();
+  void decodeFrames(UCHAR *data, UINT size);
+  void deInitDecoder();
+  int validateQmfDomainBounds();
+
+ private:
+  HANDLE_AACDECODER mAacDecoderHandle = nullptr;
+  AAC_DECODER_ERROR mErrorCode = AAC_DEC_OK;
+};
+
+bool Codec::initDecoder() {
+  mAacDecoderHandle = aacDecoder_Open(TT_MP4_ADIF, kNumberOfLayers);
+  if (!mAacDecoderHandle) {
+    return false;
+  }
+  return true;
+}
+
+void Codec::deInitDecoder() {
+  aacDecoder_Close(mAacDecoderHandle);
+  mAacDecoderHandle = nullptr;
+}
+
+void Codec::decodeFrames(UCHAR *data, UINT size) {
+  while (size > 0) {
+    UINT inputSize = size;
+    UINT valid = size;
+    mErrorCode = aacDecoder_Fill(mAacDecoderHandle, &data, &inputSize, &valid);
+    if (mErrorCode != AAC_DEC_OK) {
+      ++data;
+      --size;
+    } else {
+      INT_PCM outputBuf[2048 * kMaxChannelCount];
+      aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf,
+                             2048 * kMaxChannelCount, 0);
+      if (valid >= inputSize) {
+        return;
+      }
+      UINT offset = inputSize - valid;
+      data += offset;
+      size = valid;
+    }
+  }
+}
+
+int Codec::validateQmfDomainBounds() {
+  //Check OOB for qmfDomain
+  void *qmfDomainBound = &(mAacDecoderHandle->qmfModeCurr);
+
+  HANDLE_SBRDECODER hSbrDecoder = mAacDecoderHandle->hSbrDecoder;
+  // Referring sbrDecoder_AssignQmfChannels2SbrChannels()
+  {
+    void *qmfDomainInChPtr = nullptr;
+    void *qmfDomainOutChPtr = nullptr;
+    int channel = 0;
+    int element = 0;
+    int absChOffset = 0;
+    for (element = 0; element < hSbrDecoder->numSbrElements; ++element) {
+      if (hSbrDecoder->pSbrElement[element] != NULL) {
+        for (channel = 0; channel < hSbrDecoder->pSbrElement[element]->nChannels; ++channel) {
+          qmfDomainInChPtr = &hSbrDecoder->pQmfDomain->QmfDomainIn[absChOffset + channel];
+          qmfDomainOutChPtr = &hSbrDecoder->pQmfDomain->QmfDomainOut[absChOffset + channel];
+          if (qmfDomainBound <= qmfDomainInChPtr || qmfDomainBound <= qmfDomainOutChPtr) {
+              kIsVulnerable = true;
+          }
+        }
+        absChOffset += hSbrDecoder->pSbrElement[element]->nChannels;
+      }
+    }
+  }
+  return kIsVulnerable ? EXIT_VULNERABLE : EXIT_SUCCESS;
+}
+
+int main(int argc, char *argv[]) {
+  if (argc != 2) {
+    return EXIT_FAILURE;
+  }
+
+  std::ifstream file;
+  file.open(argv[1], std::ios::in | std::ios::binary);
+  if (!file.is_open()) {
+    return EXIT_FAILURE;
+  }
+  file.ignore(std::numeric_limits<std::streamsize>::max());
+  std::streamsize length = file.gcount();
+  file.clear();
+  file.seekg(0, std::ios_base::beg);
+  UCHAR *data = new UCHAR[length];
+  file.read(reinterpret_cast<char *>(data), length);
+  file.close();
+
+  Codec codec = Codec();
+  if (codec.initDecoder()) {
+    codec.decodeFrames(data, length);
+  }
+  return codec.validateQmfDomainBounds();
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index 085442e..5a68d23 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -566,6 +566,25 @@
      * existing test methods
      ******************************************************************************/
 
+     /**
+     * b/158762825
+     * Vulnerability Behaviour: SIGABRT / EXIT_VULNERABLE (113)
+     */
+    @SecurityTest(minPatchLevel = "2020-11")
+    @Test
+    public void testPocCVE_2020_0451() throws Exception {
+        String inputFiles[] = {"cve_2020_0451.aac"};
+        String binaryName = "CVE-2020-0451";
+        String signals[] = {CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT};
+        AdbUtils.pocConfig testConfig = new AdbUtils.pocConfig(binaryName, getDevice());
+        testConfig.config = new CrashUtils.Config().setProcessPatterns(binaryName);
+        testConfig.config.setSignals(signals);
+        testConfig.arguments = AdbUtils.TMP_PATH + inputFiles[0];
+        testConfig.inputFiles = Arrays.asList(inputFiles);
+        testConfig.inputFilesDestination = AdbUtils.TMP_PATH;
+        AdbUtils.runPocAssertNoCrashesNotVulnerable(testConfig);
+    }
+
     /**
      * b/112891564
      * Vulnerability Behaviour: SIGSEGV in self (Android P),