test if libFLAC is patched against CVE-2014-9028android-5.1.1_r28 android-5.1.1_r22 lollipop-mr1-wfc-release

Overview of CVE-2014-9028: Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. (source: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9028) heap_oob_flac has a .mp3 extension to avoid compresstion by aapt. When a resource file is compressed openRawResourceFd would fail. Please refer to kNoCompressExt in frameworks/base/tools/aapt/Package.cpp for more details. Bug: 23238405 Change-Id: I7c13b19beb83c10fced360537a84b2f053ce8a26
author: Robert Shih <robertshih@google.com> 2015-08-25 15:24:08 -0700
committer: The Android Automerger <android-build@android.com> 2015-09-02 17:40:37 -0700
commit: 7036a0c17f184ccb792e28eff616f42b55edeaf5 (patch)
tree: 101e543df31443cb29fe3990b0c12325c416c844
parent: 51ddad9dc860defc4b50d572714cccef0a18bd3e (diff)
download: cts-lollipop-mr1-wfc-release.tar.gz
2 files changed, 31 insertions, 0 deletions
diff --git a/tests/tests/media/res/raw/heap_oob_flac.mp3 b/tests/tests/media/res/raw/heap_oob_flac.mp3
new file mode 100644
index 00000000000..ae542d04f7f
--- /dev/null
+++ b/tests/tests/media/res/raw/heap_oob_flac.mp3
diff --git a/tests/tests/media/src/android/media/cts/MediaPlayerTest.java b/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
index e058981dfc1..7cdc483e7f7 100644
--- a/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
+++ b/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
@@ -89,6 +89,37 @@ public class MediaPlayerTest extends MediaPlayerTestBase {
         }
     }
 
+    public void testFlacHeapOverflow() throws Exception {
+        testIfMediaServerDied(R.raw.heap_oob_flac);
+    }
+
+    private void testIfMediaServerDied(int res) throws Exception {
+        mMediaPlayer.setOnErrorListener(new MediaPlayer.OnErrorListener() {
+            @Override
+            public boolean onError(MediaPlayer mp, int what, int extra) {
+                assertTrue(mp == mMediaPlayer);
+                assertTrue("mediaserver process died", what != MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+                return false;
+            }
+        });
+
+        mMediaPlayer.setOnCompletionListener(new MediaPlayer.OnCompletionListener() {
+            @Override
+            public void onCompletion(MediaPlayer mp) {
+                assertTrue(mp == mMediaPlayer);
+                mOnCompletionCalled.signal();
+            }
+        });
+
+        AssetFileDescriptor afd = mResources.openRawResourceFd(res);
+        mMediaPlayer.setDataSource(afd.getFileDescriptor(), afd.getStartOffset(), afd.getLength());
+        afd.close();
+        mMediaPlayer.prepare();
+        mMediaPlayer.start();
+        mOnCompletionCalled.waitForSignal();
+        mMediaPlayer.release();
+    }
+
     // Bug 13652927
     public void testVorbisCrash() throws Exception {
         MediaPlayer mp = mMediaPlayer;
author	Robert Shih <robertshih@google.com>	2015-08-25 15:24:08 -0700
committer	The Android Automerger <android-build@android.com>	2015-09-02 17:40:37 -0700
commit	7036a0c17f184ccb792e28eff616f42b55edeaf5 (patch)
tree	101e543df31443cb29fe3990b0c12325c416c844
parent	51ddad9dc860defc4b50d572714cccef0a18bd3e (diff)
download	cts-lollipop-mr1-wfc-release.tar.gz