author | Robert Shih <robertshih@google.com> | 2015-08-25 15:24:08 -0700 |
---|---|---|
committer | The Android Automerger <android-build@android.com> | 2015-09-01 19:04:59 -0700 |
commit | bf0aad424d6885493706392cc5caa72da7757412 (patch) | |
tree | 03941b8ae745c81691c3d4d62929d9bf2a2eac18 | |
parent | e4f1a594be21abe6712ceaadaeebed9a42234353 (diff) | |
test if libFLAC is patched against CVE-2014-9028android-5.1.1_r29android-5.1.1_r23lollipop-mr1-fi-release
Overview of CVE-2014-9028:
Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1
allows remote attackers to execute arbitrary code via a crafted .flac
file.
(source: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9028)
heap_oob_flac has a .mp3 extension to avoid compression by aapt. When a
resource file is compressed, openRawResourceFd would fail. Please refer
to kNoCompressExt in frameworks/base/tools/aapt/Package.cpp for more
details.
Bug: 23238405
Change-Id: I7c13b19beb83c10fced360537a84b2f053ce8a26
-rw-r--r-- | tests/tests/media/res/raw/heap_oob_flac.mp3 | bin | 0 -> 6863 bytes | |||
-rw-r--r-- | tests/tests/media/src/android/media/cts/MediaPlayerTest.java | 31 |
2 files changed, 31 insertions, 0 deletions
diff --git a/tests/tests/media/res/raw/heap_oob_flac.mp3 b/tests/tests/media/res/raw/heap_oob_flac.mp3
Binary files differ
new file mode 100644
index 00000000000..ae542d04f7f
--- /dev/null
+++ b/tests/tests/media/res/raw/heap_oob_flac.mp3
diff --git a/tests/tests/media/src/android/media/cts/MediaPlayerTest.java b/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
index e058981dfc1..7cdc483e7f7 100644
--- a/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
+++ b/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
@@ -89,6 +89,37 @@ public class MediaPlayerTest extends MediaPlayerTestBase {
 }
 }
 
+ public void testFlacHeapOverflow() throws Exception {
+ testIfMediaServerDied(R.raw.heap_oob_flac);
+ }
+
+ private void testIfMediaServerDied(int res) throws Exception {
+ mMediaPlayer.setOnErrorListener(new MediaPlayer.OnErrorListener() {
+ @Override
+ public boolean onError(MediaPlayer mp, int what, int extra) {
+ assertTrue(mp == mMediaPlayer);
+ assertTrue("mediaserver process died", what != MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ return false;
+ }
+ });
+
+ mMediaPlayer.setOnCompletionListener(new MediaPlayer.OnCompletionListener() {
+ @Override
+ public void onCompletion(MediaPlayer mp) {
+ assertTrue(mp == mMediaPlayer);
+ mOnCompletionCalled.signal();
+ }
+ });
+
+ AssetFileDescriptor afd = mResources.openRawResourceFd(res);
+ mMediaPlayer.setDataSource(afd.getFileDescriptor(), afd.getStartOffset(), afd.getLength());
+ afd.close();
+ mMediaPlayer.prepare();
+ mMediaPlayer.start();
+ mOnCompletionCalled.waitForSignal();
+ mMediaPlayer.release();
+ }
+
 // Bug 13652927
 public void testVorbisCrash() throws Exception {
 MediaPlayer mp = mMediaPlayer;  |
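Review bot: The `MEDIA_ERROR_SERVER_DIED` check in `testIfMediaServerDied` is asserted inside the `onError` callback, while the test thread only blocks on `mOnCompletionCalled.waitForSignal()`. Which thread delivers the callback is decided outside this hunk; if it is not the test thread, a failed `assertTrue` may not be reported as a failure of this test, and because the assertion throws before `return false` the wait may never be signalled. Recording the result in a flag, waking the waiter from `onError`, and asserting on the test thread after the wait keeps the CVE-2014-9028 regression signal reliable (the flag needs `java.util.concurrent.atomic.AtomicBoolean`). Separately, `afd.close()` is skipped if `setDataSource` throws, so it belongs in a `finally`.

```java
private void testIfMediaServerDied(int res) throws Exception {
    final AtomicBoolean serverDied = new AtomicBoolean(false);
    mMediaPlayer.setOnErrorListener(new MediaPlayer.OnErrorListener() {
        @Override
        public boolean onError(MediaPlayer mp, int what, int extra) {
            if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) {
                serverDied.set(true);
                // Wake the test thread directly; do not rely on a completion
                // callback arriving after the server has died.
                mOnCompletionCalled.signal();
                return true;
            }
            return false;
        }
    });
    // … unchanged: setOnCompletionListener …
    AssetFileDescriptor afd = mResources.openRawResourceFd(res);
    try {
        mMediaPlayer.setDataSource(afd.getFileDescriptor(), afd.getStartOffset(), afd.getLength());
    } finally {
        afd.close();
    }
    // … unchanged: prepare(), start(), waitForSignal() …
    assertFalse("mediaserver process died", serverDied.get());
    // … unchanged: release() …
}
```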