path: root/hostsidetests/securitybulletin/securityPatch/CVE-2020-0034/poc.cpp
/**
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include <stdlib.h>

#ifdef TEST_ARM32
#include <unistd.h>
#include "../includes/common.h"

#include <string.h>
#include <algorithm>
#include <vector>
#include "vpx/vp8dx.h"
#include "vpx/vpx_decoder.h"
#include "vpx_ports/mem_ops.h"

#define IVF_FILE_HDR_SZ 32
#define IVF_FRAME_HDR_SZ (4 + 8) /* 4 byte size + 8 byte timestamp */

// Handle of the input file; opened in main() and released by exitHandler().
FILE *fp = nullptr;

/**
 * Process-exit cleanup hook (main() registers it through atexit()).
 *
 * Closes the input file when one is open and does nothing otherwise.
 */
void exitHandler(void) {
    if (fp == nullptr) {
        return;
    }
    fclose(fp);
}

// Set by main() only for the duration of a vpx_codec_decode() call; read by
// sigabrt_handler() to tell a decoder abort from any other abort.
bool testInProgress = false;
// Disposition that main() installs for SIGABRT.
struct sigaction new_action;
// Disposition that was in place before main() replaced it.
struct sigaction old_action;

/**
 * SIGABRT handler installed by main().
 *
 * An abort that arrives while a decode call is in flight is handed on to the
 * previously registered handler. In every other case the process leaves
 * immediately with EXIT_FAILURE.
 *
 * NOTE(review): old_action.sa_sigaction is called without checking that the
 * earlier disposition was an SA_SIGINFO-style handler -- presumably the test
 * environment always provides one; confirm.
 *
 * @param signum  signal number, forwarded unchanged to the previous handler
 * @param info    signal details; si_signo must be SIGABRT for forwarding
 * @param context opaque context, forwarded unchanged to the previous handler
 */
void sigabrt_handler(int32_t signum, siginfo_t *info, void* context) {
    const bool abortDuringDecode = testInProgress && info->si_signo == SIGABRT;
    if (!abortDuringDecode) {
        _exit(EXIT_FAILURE);
    }
    (*old_action.sa_sigaction)(signum, info, context);
}
#endif

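/**
 * Harness for the CVE-2020-0034 security-patch test.
 *
 * Without TEST_ARM32 this is a no-op that returns EXIT_SUCCESS. With
 * TEST_ARM32 it loads the IVF file named by argv[1], passes each frame to the
 * libvpx VP8 decoder and inspects the geometry of every decoded image.
 *
 * @param argc argument count; at least 2 is required under TEST_ARM32
 * @param argv argv[1] is the path of the IVF input file
 * @return EXIT_VULNERABLE when a decoded image reports a display size larger
 *         than its stored size, EXIT_SUCCESS otherwise. Failed setup steps
 *         leave through FAIL_CHECK (defined in common.h, not shown here).
 */
int32_t main(int32_t argc, char **argv) {
    // Only the TEST_ARM32 branch reads these; the casts keep other builds
    // free of unused-parameter warnings.
    (void)argc;
    (void)argv;

#ifdef TEST_ARM32
    atexit(exitHandler);

    // Route SIGABRT through sigabrt_handler and remember the previous
    // disposition so that the handler can forward to it.
    sigemptyset(&new_action.sa_mask);
    new_action.sa_flags = SA_SIGINFO;
    new_action.sa_sigaction = sigabrt_handler;
    sigaction(SIGABRT, &new_action, &old_action);

    FAIL_CHECK(argc >= 2);
    fp = fopen(argv[1], "rb");
    FAIL_CHECK(fp);

    // ftell() reports failure as -1. Keep the result signed until it has been
    // validated, otherwise the error value would wrap to a huge size_t and
    // slip past the minimum-length check.
    FAIL_CHECK(fseek(fp, 0, SEEK_END) == 0);
    const long fileLength = ftell(fp);
    FAIL_CHECK(fileLength > IVF_FILE_HDR_SZ);
    FAIL_CHECK(fseek(fp, 0, SEEK_SET) == 0);
    size_t size = static_cast<size_t>(fileLength);

    std::vector<uint8_t> buffer(size);
    FAIL_CHECK(fread(buffer.data(), sizeof(uint8_t), size, fp) == size);

    vpx_codec_ctx_t codec;
    vpx_codec_dec_cfg_t cfg;
    memset(&cfg, 0, sizeof(cfg));
    cfg.threads = 1;
    FAIL_CHECK(vpx_codec_dec_init(&codec, &vpx_codec_vp8_dx_algo, &cfg, 0) == VPX_CODEC_OK);

    // Step over the 32-byte IVF file header; what follows is a sequence of
    // (frame header, frame payload) records.
    uint8_t *data = buffer.data();
    data += IVF_FILE_HDR_SZ;
    size -= IVF_FILE_HDR_SZ;

    while (size > IVF_FRAME_HDR_SZ) {
        // The frame header starts with the payload length as a 32-bit
        // little-endian value.
        size_t frame_size = mem_get_le32(data);
        size -= IVF_FRAME_HDR_SZ;
        data += IVF_FRAME_HDR_SZ;
        // The length comes from the file itself: clamp it to the bytes that
        // are really left so the decoder is never handed a range that
        // extends past the buffer.
        frame_size = std::min(size, frame_size);

        // Mark the decode window so that sigabrt_handler forwards an abort
        // raised inside the decoder instead of exiting with EXIT_FAILURE.
        // The decoder's return code is not checked; only the geometry of the
        // frames it produces is inspected.
        testInProgress = true;
        vpx_codec_decode(&codec, data, frame_size, nullptr, 0);
        testInProgress = false;

        vpx_codec_iter_t iter = nullptr;
        vpx_image_t *img = nullptr;
        while ((img = vpx_codec_get_frame(&codec, &iter)) != nullptr) {
            // Detection condition: the display size (d_w/d_h) must never
            // exceed the stored size (w/h). A consumer that walks d_w x d_h
            // pixels would presumably run past the image buffer otherwise.
            // The decoder context is not destroyed on this path; the process
            // is about to end.
            if (img->d_w > img->w || img->d_h > img->h) {
                return EXIT_VULNERABLE;
            }
        }
        data += frame_size;
        size -= frame_size;
    }
    vpx_codec_destroy(&codec);
#endif

    return EXIT_SUCCESS;
}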