Snap for 9362339 from d9a6b3a69688224a4c650b4533a674319ef81ee7 to mainline-adservices-releaseaml_ads_331511020aml_ads_331418080

Change-Id: I8411d7b2610e6ae31a04b4d5bafe9e4271a7cb28

4 files changed, 117 insertions, 0 deletions

diff --git a/tests/PhotoPicker/src/android/photopicker/cts/RemoteVideoPreviewTest.java b/tests/PhotoPicker/src/android/photopicker/cts/RemoteVideoPreviewTest.java
index 7f4f7a62d9f..10142e81ed2 100644
--- a/tests/PhotoPicker/src/android/photopicker/cts/RemoteVideoPreviewTest.java
+++ b/tests/PhotoPicker/src/android/photopicker/cts/RemoteVideoPreviewTest.java
@@ -52,6 +52,7 @@ import androidx.test.uiautomator.UiSelector;
 
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InOrder;
@@ -111,6 +112,7 @@ public class RemoteVideoPreviewTest extends PhotoPickerBaseTest {
     }
 
     @Test
+    @Ignore("Re-enable once b/223224727 is fixed")
     public void testBasicVideoPreview() throws Exception {
         initCloudProviderWithVideo(Arrays.asList(Pair.create(null, CLOUD_ID1)));
 
@@ -143,6 +145,7 @@ public class RemoteVideoPreviewTest extends PhotoPickerBaseTest {
     }
 
     @Test
+    @Ignore("Re-enable once b/223224727 is fixed")
     public void testSwipeAdjacentVideoPreview() throws Exception {
         initCloudProviderWithVideo(
                 Arrays.asList(Pair.create(null, CLOUD_ID1), Pair.create(null, CLOUD_ID2)));
@@ -176,6 +179,7 @@ public class RemoteVideoPreviewTest extends PhotoPickerBaseTest {
     }
 
     @Test
+    @Ignore("Re-enable once b/223224727 is fixed")
     public void testSwipeImageVideoPreview() throws Exception {
         initCloudProviderWithImage(Arrays.asList(Pair.create(null, CLOUD_ID1)));
         initCloudProviderWithVideo(Arrays.asList(Pair.create(null, CLOUD_ID2)));
diff --git a/tests/tests/security/res/raw/cve_2022_33234.mkv b/tests/tests/security/res/raw/cve_2022_33234.mkv
new file mode 100644
index 00000000000..752e3cd749b
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2022_33234.mkv
diff --git a/tests/tests/security/src/android/security/cts/CVE_2022_20482.java b/tests/tests/security/src/android/security/cts/CVE_2022_20482.java
new file mode 100644
index 00000000000..a0df88cdffe
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/CVE_2022_20482.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.content.Context;
+import android.platform.test.annotations.AsbSecurityTest;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.ArrayList;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2022_20482 extends StsExtraBusinessLogicTestCase {
+
+    /**
+     * b/240422263
+     * Vulnerable library   : services.jar
+     * Vulnerable module    : Not applicable
+     * Is Play managed      : No
+     */
+    @AsbSecurityTest(cveBugId = 240422263)
+    @Test
+    public void testPocCVE_2022_20482() {
+        final int notificationChannelLimit = 10000; // 2 * NOTIFICATION_CHANNEL_COUNT_LIMIT
+        final String notificationChannelId = "NotificationChannelId";
+        final String notificationChannelName = "NotificationChannelName";
+        boolean isVulnerable = true;
+        int notificationChannelCount = 0;
+        NotificationManager notificationManager = null;
+        ArrayList<String> notificationChannelIds = new ArrayList<>();
+        try {
+            Context context = getApplicationContext();
+            notificationManager = context.getSystemService(NotificationManager.class);
+
+            // Store total number of notification channels present before test run
+            notificationChannelCount = notificationManager.getNotificationChannels().size();
+
+            // Create 'notificationChannelLimit' notification channels
+            for (int i = 0; i < notificationChannelLimit; ++i) {
+                String uniqueNotificationChannelId = notificationChannelId + i;
+                NotificationChannel notificationChannel =
+                        new NotificationChannel(uniqueNotificationChannelId,
+                                notificationChannelName, NotificationManager.IMPORTANCE_DEFAULT);
+
+                // Create notification channel
+                notificationManager.createNotificationChannel(notificationChannel);
+
+                // Add notification channel id in list(for deleting notification channel later)
+                notificationChannelIds.add(uniqueNotificationChannelId);
+            }
+        } catch (Exception e) {
+            isVulnerable = false;
+            if (!(e instanceof IllegalStateException)
+                    || !e.getMessage().contains("Limit exceed; cannot create more channels")) {
+                assumeNoException("Unexpected exception occurred!", e);
+            }
+        } finally {
+            try {
+                // Retrieve total number of notification channels added by test so that the
+                // test fails only if all notification channels from test were added successfully
+                notificationChannelCount = notificationManager.getNotificationChannels().size()
+                        - notificationChannelCount;
+                boolean flagAllNotificationChannelsAdded =
+                        notificationChannelCount == notificationChannelLimit;
+
+                // Delete notification channels created earlier
+                for (String id : notificationChannelIds) {
+                    notificationManager.deleteNotificationChannel(id);
+                }
+
+                // Fail if all notification channels from test were added successfully without
+                // any occurrence of IllegalStateException
+                assertFalse(
+                        "Device is vulnerable to b/240422263! Permanent denial of service"
+                                + " possible via NotificationManager#createNotificationChannel",
+                        isVulnerable && flagAllNotificationChannelsAdded);
+            } catch (Exception ignoredException) {
+            }
+        }
+    }
+}
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 9fd10146c1c..4facc062759 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -1811,6 +1811,12 @@ public class StagefrightTest extends StsExtraBusinessLogicTestCase {
      before any existing test methods
      ***********************************************************/
     @Test
+    @AsbSecurityTest(cveBugId = 240971780)
+    public void testStagefright_cve_2022_33234() throws Exception {
+         doStagefrightTest(R.raw.cve_2022_33234);
+    }
+
+    @Test
     @AsbSecurityTest(cveBugId = 235102508)
     public void testStagefright_cve_2022_25669() throws Exception {
          doStagefrightTest(R.raw.cve_2022_25669);