Snap for 7547121 from ae98dded0afe43f2a4ddd0cc01b5d878cc416920 to mainline-permission-release

Change-Id: I905c8d992c7ec36bbbc46402eb10da0a3cf8c872
diff --git a/Android.bp b/Android.bp
index c7215e1..0681e93 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1,3 +1,46 @@
+// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS.  PLEASE
+//     CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+//     DEPENDING ON IT IN YOUR PROJECT. ***
+package {
+    default_applicable_licenses: ["external_dng_sdk_license"],
+}
+
+// Added automatically by a large-scale-change that took the approach of
+// 'apply every license found to every target'. While this makes sure we respect
+// every license restriction, it may not be entirely correct.
+//
+// e.g. GPL in an MIT project might only apply to the contrib/ directory.
+//
+// Please consider splitting the single license below into multiple licenses,
+// taking care not to lose any license_kind information, and overriding the
+// default license using the 'licenses: [...]' property on targets as needed.
+//
+// For unused files, consider creating a 'fileGroup' with "//visibility:private"
+// to attach the license to, and including a comment whether the files may be
+// used in the current project.
+//
+// large-scale-change included anything that looked like it might be a license
+// text as a license_text. e.g. LICENSE, NOTICE, COPYING etc.
+//
+// Please consider removing redundant or irrelevant files from 'license_text:'.
+// See: http://go/android-license-faq
+license {
+    name: "external_dng_sdk_license",
+    visibility: [":__subpackages__"],
+    license_kinds: [
+        "SPDX-license-identifier-Apache-2.0",
+        "SPDX-license-identifier-MIT",
+        "legacy_by_exception_only", // by exception only
+    ],
+    license_text: [
+        "LICENSE",
+        "LICENSE.source_code",
+        "LICENSE.technology",
+        "NOTICE",
+        "PATENTS",
+    ],
+}
+
 cc_defaults {
     name: "libdng_sdk-defaults",
     srcs: [
diff --git a/METADATA b/METADATA
new file mode 100644
index 0000000..3814b8d
--- /dev/null
+++ b/METADATA
@@ -0,0 +1,6 @@
+# *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS.  PLEASE
+#     CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+#     DEPENDING ON IT IN YOUR PROJECT. ***
+third_party {
+  license_type: BY_EXCEPTION_ONLY
+}
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..26e2fa6
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,39 @@
+// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS.  PLEASE
+//     CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+//     DEPENDING ON IT IN YOUR PROJECT. ***
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "external_dng_sdk_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-MIT
+    //   legacy_by_exception_only (by exception only)
+    default_applicable_licenses: ["external_dng_sdk_license"],
+}
+
+cc_fuzz {
+    name: "dng_parser_fuzzer",
+    host_supported: true,
+    srcs: [
+        "dng_parser_fuzzer.cpp",
+    ],
+    cflags: [
+        "-Wno-unused-parameter",
+        "-fexceptions",
+    ],
+    static_libs: [
+        "libdng_sdk",
+        "libjpeg",
+        "liblog",
+        "libz",
+    ],
+    target: {
+        darwin: {
+            enabled: false,
+        },
+    },
+    corpus: [
+        "seeds/CVE_2020_9589/original.dng",
+        "seeds/CVE_2020_9589/poc.dng",
+    ],
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..edc7ef2
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,47 @@
+# Fuzzing DNG SDK
+
+This fuzzer is intented to do a varian analysis of the issue reported
+in b/156261521.
+
+Here is a list of some CVEs previously discovered in DNG SDK:
+
+* CVE-2020-9589
+* CVE-2020-9590
+* CVE-2020-9620
+* CVE-2020-9621
+* CVE-2020-9622
+* CVE-2020-9623
+* CVE-2020-9624
+* CVE-2020-9625
+* CVE-2020-9626
+* CVE-2020-9627
+* CVE-2020-9628
+* CVE-2020-9629
+
+## Building & running the fuzz target: Android device
+
+It is recommended to set rss limit to higher values (such as 4096) when running
+the fuzzer to avoid frequent OOM libFuzzer crashes.
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_arm64-eng
+$ SANITIZE_TARGET=hwaddress make dng_parser_fuzzer
+$ adb sync data
+$ adb shell /data/fuzz/arm64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit=4096 \
+$ /data/fuzz/arm64/dng_parser_fuzzer/corpus
+```
+
+## Building & running the fuzz target: Host
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_x86_64-eng
+$ SANITIZE_HOST=address make dng_parser_fuzzer
+$ LD_LIBRARY_PATH=$ANDROID_HOST_OUT/fuzz/x86_64/lib/ \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit_mb=4096 \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/corpus/
+```
+
diff --git a/fuzzer/dng_parser_fuzzer.cpp b/fuzzer/dng_parser_fuzzer.cpp
new file mode 100644
index 0000000..84db0f3
--- /dev/null
+++ b/fuzzer/dng_parser_fuzzer.cpp
@@ -0,0 +1,36 @@
+#include <stddef.h>
+#include <stdint.h>
+
+#include "dng_exceptions.h"
+#include "dng_host.h"
+#include "dng_info.h"
+#include "dng_memory_stream.h"
+#include "dng_negative.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  dng_host host;
+  dng_memory_stream stream(host.Allocator());
+
+  stream.Put(data, size);
+  stream.SetReadPosition(0);
+
+  std::unique_ptr<dng_negative> negative(host.Make_dng_negative());
+
+  try {
+    dng_info info;
+    info.Parse(host, stream);
+    info.PostParse(host);
+
+    if (info.IsValidDNG()) {
+      negative->Parse(host, stream, info);
+      negative->PostParse(host, stream, info);
+      negative->ReadStage1Image(host, stream, info);
+    }
+  } catch (dng_exception &e) {
+    // dng_sdk throws C++ exceptions on errors
+    // catch them here to prevent libFuzzer from crashing.
+  }
+
+  return 0;
+}
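Review bot: `std::unique_ptr` is used for `negative` but the file never includes `<memory>`, so it compiles only if one of the dng_sdk headers happens to pull it in; add `#include <memory>` next to the other standard headers. Separately, `stream.Put(data, size)` and `host.Make_dng_negative()` sit outside the `try` block. The catch comment says dng_sdk reports errors by throwing, so if either of those calls can throw a `dng_exception` (for example on allocation failure, not confirmed from this hunk), libFuzzer would record it as a crash that is not a parser bug. Moving both calls inside the `try` and catching by const reference, `} catch (const dng_exception &e) {`, keeps the findings limited to real memory-safety faults.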
diff --git a/fuzzer/seeds/CVE_2020_9589/original.dng b/fuzzer/seeds/CVE_2020_9589/original.dng
new file mode 100755
index 0000000..a30ac76
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/original.dng
Binary files differ
diff --git a/fuzzer/seeds/CVE_2020_9589/poc.dng b/fuzzer/seeds/CVE_2020_9589/poc.dng
new file mode 100755
index 0000000..b838844
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/poc.dng
Binary files differ
diff --git a/source/dng_date_time.cpp b/source/dng_date_time.cpp
index bede131..b143181 100644
--- a/source/dng_date_time.cpp
+++ b/source/dng_date_time.cpp
@@ -806,32 +806,44 @@
 		#if qMacOS
 		
 		CFTimeZoneRef zoneRef = CFTimeZoneCopyDefault ();
-		
+
+		CFReleaseHelper<CFTimeZoneRef> zoneRefDeleter (zoneRef);
+
 		if (zoneRef)
 			{
-			
-			CFGregorianDate gregDate;
 
-			gregDate.year   = dt.fYear;
-			gregDate.month  = (SInt8) dt.fMonth;
-			gregDate.day    = (SInt8) dt.fDay;
-			gregDate.hour   = (SInt8) dt.fHour;
-			gregDate.minute = (SInt8) dt.fMinute;
-			gregDate.second = (SInt8) dt.fSecond;
-			
-			CFAbsoluteTime absTime = CFGregorianDateGetAbsoluteTime (gregDate, zoneRef);
-			
-			CFTimeInterval secondsDelta = CFTimeZoneGetSecondsFromGMT (zoneRef, absTime);
-		
-			CFRelease (zoneRef);
-			
-			result.SetOffsetSeconds (Round_int32 (secondsDelta));
-			
-			if (result.IsValid ())
+			// New path that doesn't use deprecated CFGregorian-based APIs.
+
+			CFCalendarRef calendar =
+				CFCalendarCreateWithIdentifier (kCFAllocatorDefault,
+												kCFGregorianCalendar);
+
+			CFReleaseHelper<CFCalendarRef> calendarDeleter (calendar);
+
+			CFAbsoluteTime absTime;
+
+			if (CFCalendarComposeAbsoluteTime (calendar,
+											   &absTime,
+											   "yMdHms",
+											   dt.fYear,
+											   dt.fMonth,
+											   dt.fDay,
+											   dt.fHour,
+											   dt.fMinute,
+											   dt.fSecond))
 				{
-				return result;
+
+				CFTimeInterval secondsDelta = CFTimeZoneGetSecondsFromGMT (zoneRef, absTime);
+
+				result.SetOffsetSeconds (Round_int32 (secondsDelta));
+
+				if (result.IsValid ())
+					{
+					return result;
+					}
+
 				}
-			
+
 			}
 		
 		#endif
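Review bot: `calendar` is handed to `CFCalendarComposeAbsoluteTime` without a null check, even though `zoneRef` just above is tested before use and `CFCalendarCreateWithIdentifier` is a Create call that can return NULL. Guarding the call as `if (calendar && CFCalendarComposeAbsoluteTime (calendar, ...))` would fall through to the code after `#endif` instead of passing a null reference into CoreFoundation. The `"yMdHms"` components are read through varargs as `int`, so it is worth confirming that `dt.fYear` through `dt.fSecond` promote to `int`-sized values, or casting them explicitly; their declared types are not visible here. A short comment that the calendar relies on the default time zone matching `zoneRef` would also help, since the two are never tied together explicitly. The enclosing function starts and ends outside this hunk.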
diff --git a/source/dng_utils.h b/source/dng_utils.h
index 691f0b9..db38599 100644
--- a/source/dng_utils.h
+++ b/source/dng_utils.h
@@ -1259,6 +1259,46 @@
 
 /*****************************************************************************/
 
+#if qMacOS
+
+/*****************************************************************************/
+
+template<typename T>
+class CFReleaseHelper
+	{
+
+	private:
+
+		T fRef;
+
+	public:
+
+		CFReleaseHelper (T ref)
+			:	fRef (ref)
+			{
+			}
+
+		~CFReleaseHelper ()
+			{
+			if (fRef)
+				{
+				CFRelease (fRef);
+				}
+			}
+
+		T Get () const
+			{
+			return fRef;
+			}
+
+	};
+
+/*****************************************************************************/
+
+#endif	// qMacOS
+
+/*****************************************************************************/
+
 #endif
 	
 /*****************************************************************************/
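Review bot: `CFReleaseHelper` owns a reference it releases in its destructor, but it keeps the implicitly generated copy constructor and copy assignment, so any accidental copy (pass by value, return by value) would call `CFRelease` twice on the same object. That is an over-release and a potential use-after-free in CoreFoundation. Deleting both copy operations closes this off: `CFReleaseHelper (const CFReleaseHelper &) = delete;` and `CFReleaseHelper &operator= (const CFReleaseHelper &) = delete;`, or private undefined declarations if this header must build pre-C++11. Marking the constructor `explicit` would also prevent a raw CF reference from converting silently into an owning helper. A one-line class comment stating that the helper takes ownership of an already-retained (Create/Copy rule) reference would document the contract for callers.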