1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 * 17 * This code was provided to AOSP by Zimperium Inc and was 18 * written by: 19 * 20 * Simone "evilsocket" Margaritelli 21 * Joshua "jduck" Drake 22 */ 23 package android.security.cts; 24 25 import android.app.Instrumentation; 26 import android.content.Context; 27 import android.content.res.AssetFileDescriptor; 28 import android.content.res.Resources; 29 import android.graphics.Bitmap; 30 import android.graphics.BitmapFactory; 31 import android.graphics.SurfaceTexture; 32 import android.media.MediaCodec; 33 import android.media.MediaCodecInfo; 34 import android.media.MediaCodecList; 35 import android.media.MediaExtractor; 36 import android.media.MediaFormat; 37 import android.media.MediaMetadataRetriever; 38 import android.media.MediaPlayer; 39 import android.opengl.GLES20; 40 import android.opengl.GLES11Ext; 41 import android.os.Looper; 42 import android.os.SystemClock; 43 import android.platform.test.annotations.AppModeFull; 44 import android.os.Parcel; 45 import android.platform.test.annotations.AsbSecurityTest; 46 import android.util.Log; 47 import android.view.Surface; 48 import android.webkit.cts.CtsTestServer; 49 50 import com.android.compatibility.common.util.CrashUtils; 51 import com.android.compatibility.common.util.mainline.MainlineModule; 52 import com.android.compatibility.common.util.mainline.ModuleDetector; 53 54 import java.io.BufferedInputStream; 55 import java.io.BufferedReader; 56 import java.io.FileInputStream; 57 import java.io.FileReader; 58 import java.io.IOException; 59 import java.io.InputStream; 60 import java.net.URL; 61 import java.nio.ByteBuffer; 62 import java.io.FileOutputStream; 63 import java.io.ObjectInputStream; 64 import java.io.OutputStream; 65 import java.io.InputStream; 66 import java.net.BindException; 67 import java.net.Socket; 68 import java.net.ServerSocket; 69 import java.io.File; 70 import java.util.ArrayList; 71 import java.util.HashMap; 72 import java.util.concurrent.locks.Condition; 73 import java.util.concurrent.locks.ReentrantLock; 74 import java.util.regex.Pattern; 75 76 import org.json.JSONArray; 77 import org.json.JSONException; 78 import org.json.JSONObject; 79 80 import android.security.cts.R; 81 82 import android.security.NetworkSecurityPolicy; 83 import android.media.TimedText; 84 85 import androidx.test.InstrumentationRegistry; 86 import androidx.test.runner.AndroidJUnit4; 87 88 import org.junit.Rule; 89 import org.junit.rules.TestName; 90 import org.junit.Before; 91 import org.junit.Test; 92 import org.junit.runner.RunWith; 93 94 import static org.junit.Assume.*; 95 import static org.junit.Assert.*; 96 97 /** 98 * Verify that the device is not vulnerable to any known Stagefright 99 * vulnerabilities. 100 */ 101 @AppModeFull 102 @RunWith(AndroidJUnit4.class) 103 public class StagefrightTest { 104 static final String TAG = "StagefrightTest"; 105 private Instrumentation mInstrumentation; 106 107 private final long TIMEOUT_NS = 10000000000L; // 10 seconds. 108 private final static long CHECK_INTERVAL = 50; 109 110 @Rule public TestName name = new TestName(); 111 112 @Before setup()113 public void setup() { 114 mInstrumentation = InstrumentationRegistry.getInstrumentation(); 115 } 116 117 class CodecConfig { 118 boolean isAudio; 119 /* Video Parameters - valid only when isAudio is false */ 120 int initWidth; 121 int initHeight; 122 /* Audio Parameters - valid only when isAudio is true */ 123 int sampleRate; 124 int channelCount; 125 setVideoParams(int initWidth, int initHeight)126 public CodecConfig setVideoParams(int initWidth, int initHeight) { 127 this.isAudio = false; 128 this.initWidth = initWidth; 129 this.initHeight = initHeight; 130 return this; 131 } 132 setAudioParams(int sampleRate, int channelCount)133 public CodecConfig setAudioParams(int sampleRate, int channelCount) { 134 this.isAudio = true; 135 this.sampleRate = sampleRate; 136 this.channelCount = channelCount; 137 return this; 138 } 139 } 140 141 /*********************************************************** 142 to prevent merge conflicts, add K tests below this comment, 143 before any existing test methods 144 ***********************************************************/ 145 146 @Test 147 @AsbSecurityTest(cveBugId = 122472139) testStagefright_cve_2019_2244()148 public void testStagefright_cve_2019_2244() throws Exception { 149 doStagefrightTestRawBlob(R.raw.cve_2019_2244, "video/mpeg2", 320, 420); 150 } 151 152 @Test 153 @AsbSecurityTest(cveBugId = 36725407) testStagefright_bug_36725407()154 public void testStagefright_bug_36725407() throws Exception { 155 doStagefrightTest(R.raw.bug_36725407); 156 } 157 158 @Test 159 @AsbSecurityTest(cveBugId = 29023649) testStagefright_cve_2016_3829()160 public void testStagefright_cve_2016_3829() throws Exception { 161 doStagefrightTest(R.raw.cve_2016_3829, new CrashUtils.Config().checkMinAddress(false)); 162 } 163 164 @Test 165 @AsbSecurityTest(cveBugId = 35645051) testStagefright_cve_2017_0643()166 public void testStagefright_cve_2017_0643() throws Exception { 167 doStagefrightTest(R.raw.cve_2017_0643, new CrashUtils.Config().checkMinAddress(false)); 168 } 169 170 @Test 171 @AsbSecurityTest(cveBugId = 37469795) testStagefright_cve_2017_0728()172 public void testStagefright_cve_2017_0728() throws Exception { 173 doStagefrightTest(R.raw.cve_2017_0728, new CrashUtils.Config().checkMinAddress(false)); 174 } 175 176 @Test 177 @AsbSecurityTest(cveBugId = 62187433) testStagefright_bug_62187433()178 public void testStagefright_bug_62187433() throws Exception { 179 doStagefrightTest(R.raw.bug_62187433); 180 } 181 182 @Test 183 @AsbSecurityTest(cveBugId = 62673844) testStagefrightANR_bug_62673844()184 public void testStagefrightANR_bug_62673844() throws Exception { 185 doStagefrightTestANR(R.raw.bug_62673844); 186 } 187 188 @Test 189 @AsbSecurityTest(cveBugId = 37079296) testStagefright_bug_37079296()190 public void testStagefright_bug_37079296() throws Exception { 191 doStagefrightTest(R.raw.bug_37079296); 192 } 193 194 @Test 195 @AsbSecurityTest(cveBugId = 38342499) testStagefright_bug_38342499()196 public void testStagefright_bug_38342499() throws Exception { 197 doStagefrightTest(R.raw.bug_38342499); 198 } 199 200 @Test 201 @AsbSecurityTest(cveBugId = 22771132) testStagefright_bug_22771132()202 public void testStagefright_bug_22771132() throws Exception { 203 doStagefrightTest(R.raw.bug_22771132); 204 } 205 206 @Test 207 @AsbSecurityTest(cveBugId = 21443020) testStagefright_bug_21443020()208 public void testStagefright_bug_21443020() throws Exception { 209 doStagefrightTest(R.raw.bug_21443020_webm); 210 } 211 212 @Test 213 @AsbSecurityTest(cveBugId = 34360591) testStagefright_bug_34360591()214 public void testStagefright_bug_34360591() throws Exception { 215 doStagefrightTest(R.raw.bug_34360591); 216 } 217 218 @Test 219 @AsbSecurityTest(cveBugId = 35763994) testStagefright_bug_35763994()220 public void testStagefright_bug_35763994() throws Exception { 221 doStagefrightTest(R.raw.bug_35763994, new CrashUtils.Config().checkMinAddress(false)); 222 } 223 224 @Test 225 @AsbSecurityTest(cveBugId = 33137046) testStagefright_bug_33137046()226 public void testStagefright_bug_33137046() throws Exception { 227 doStagefrightTest(R.raw.bug_33137046); 228 } 229 230 @Test 231 @AsbSecurityTest(cveBugId = 28532266) testStagefright_cve_2016_2507()232 public void testStagefright_cve_2016_2507() throws Exception { 233 doStagefrightTest(R.raw.cve_2016_2507, new CrashUtils.Config().checkMinAddress(false)); 234 } 235 236 @Test 237 @AsbSecurityTest(cveBugId = 31647370) testStagefright_bug_31647370()238 public void testStagefright_bug_31647370() throws Exception { 239 doStagefrightTest(R.raw.bug_31647370); 240 } 241 242 @Test 243 @AsbSecurityTest(cveBugId = 32577290) testStagefright_bug_32577290()244 public void testStagefright_bug_32577290() throws Exception { 245 doStagefrightTest(R.raw.bug_32577290); 246 } 247 248 @Test 249 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_1()250 public void testStagefright_cve_2015_1538_1() throws Exception { 251 doStagefrightTest(R.raw.cve_2015_1538_1); 252 } 253 254 @Test 255 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_2()256 public void testStagefright_cve_2015_1538_2() throws Exception { 257 doStagefrightTest(R.raw.cve_2015_1538_2); 258 } 259 260 @Test 261 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_3()262 public void testStagefright_cve_2015_1538_3() throws Exception { 263 doStagefrightTest(R.raw.cve_2015_1538_3); 264 } 265 266 @Test 267 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_4()268 public void testStagefright_cve_2015_1538_4() throws Exception { 269 doStagefrightTest(R.raw.cve_2015_1538_4); 270 } 271 272 @Test 273 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1539()274 public void testStagefright_cve_2015_1539() throws Exception { 275 doStagefrightTest(R.raw.cve_2015_1539); 276 } 277 278 @Test 279 @AsbSecurityTest(cveBugId = 21468251) testStagefright_cve_2015_3824()280 public void testStagefright_cve_2015_3824() throws Exception { 281 doStagefrightTest(R.raw.cve_2015_3824); 282 } 283 284 @Test 285 @AsbSecurityTest(cveBugId = 21467632) testStagefright_cve_2015_3826()286 public void testStagefright_cve_2015_3826() throws Exception { 287 doStagefrightTest(R.raw.cve_2015_3826); 288 } 289 290 @Test 291 @AsbSecurityTest(cveBugId = 21468053) testStagefright_cve_2015_3827()292 public void testStagefright_cve_2015_3827() throws Exception { 293 doStagefrightTest(R.raw.cve_2015_3827); 294 } 295 296 @Test 297 @AsbSecurityTest(cveBugId = 21467634) testStagefright_cve_2015_3828()298 public void testStagefright_cve_2015_3828() throws Exception { 299 doStagefrightTest(R.raw.cve_2015_3828); 300 } 301 302 @Test 303 @AsbSecurityTest(cveBugId = 21467767) testStagefright_cve_2015_3829()304 public void testStagefright_cve_2015_3829() throws Exception { 305 doStagefrightTest(R.raw.cve_2015_3829); 306 } 307 308 @Test 309 @AsbSecurityTest(cveBugId = 21132860) testStagefright_cve_2015_3836()310 public void testStagefright_cve_2015_3836() throws Exception { 311 doStagefrightTest(R.raw.cve_2015_3836); 312 } 313 314 @Test 315 @AsbSecurityTest(cveBugId = 23034759) testStagefright_cve_2015_3864()316 public void testStagefright_cve_2015_3864() throws Exception { 317 doStagefrightTest(R.raw.cve_2015_3864); 318 } 319 320 @Test 321 @AsbSecurityTest(cveBugId = 23034759) testStagefright_cve_2015_3864_b23034759()322 public void testStagefright_cve_2015_3864_b23034759() throws Exception { 323 doStagefrightTest(R.raw.cve_2015_3864_b23034759); 324 } 325 326 @Test 327 @AsbSecurityTest(cveBugId = 23306638) testStagefright_cve_2015_6598()328 public void testStagefright_cve_2015_6598() throws Exception { 329 doStagefrightTest(R.raw.cve_2015_6598); 330 } 331 332 @Test 333 @AsbSecurityTest(cveBugId = 31318219) testStagefright_cve_2016_6766()334 public void testStagefright_cve_2016_6766() throws Exception { 335 doStagefrightTest(R.raw.cve_2016_6766); 336 } 337 338 @Test 339 @AsbSecurityTest(cveBugId = 27211885) testStagefright_cve_2016_2429_b_27211885()340 public void testStagefright_cve_2016_2429_b_27211885() throws Exception { 341 doStagefrightTest(R.raw.cve_2016_2429_b_27211885, 342 new CrashUtils.Config().checkMinAddress(false)); 343 } 344 345 @Test 346 @AsbSecurityTest(cveBugId = 34031018) testStagefright_bug_34031018()347 public void testStagefright_bug_34031018() throws Exception { 348 doStagefrightTest(R.raw.bug_34031018_32bit, new CrashUtils.Config().checkMinAddress(false)); 349 doStagefrightTest(R.raw.bug_34031018_64bit, new CrashUtils.Config().checkMinAddress(false)); 350 } 351 352 /*********************************************************** 353 to prevent merge conflicts, add L tests below this comment, 354 before any existing test methods 355 ***********************************************************/ 356 357 @Test 358 @AsbSecurityTest(cveBugId = 65123471) testStagefright_bug_65123471()359 public void testStagefright_bug_65123471() throws Exception { 360 doStagefrightTest(R.raw.bug_65123471); 361 } 362 363 @Test 364 @AsbSecurityTest(cveBugId = 72165027) testStagefright_bug_72165027()365 public void testStagefright_bug_72165027() throws Exception { 366 doStagefrightTest(R.raw.bug_72165027); 367 } 368 369 @Test 370 @AsbSecurityTest(cveBugId = 65483665) testStagefright_bug_65483665()371 public void testStagefright_bug_65483665() throws Exception { 372 doStagefrightTest(R.raw.bug_65483665); 373 } 374 375 @Test 376 @AsbSecurityTest(cveBugId = 62815506) testStagefright_cve_2017_0852_b_62815506()377 public void testStagefright_cve_2017_0852_b_62815506() throws Exception { 378 doStagefrightTest(R.raw.cve_2017_0852_b_62815506, 379 new CrashUtils.Config().checkMinAddress(false)); 380 } 381 382 @Test 383 @AsbSecurityTest(cveBugId = 68160703) testStagefright_cve_2017_13229()384 public void testStagefright_cve_2017_13229() throws Exception { 385 doStagefrightTest(R.raw.cve_2017_13229); 386 } 387 388 @Test 389 @AsbSecurityTest(cveBugId = 62534693) testStagefright_cve_2017_0763()390 public void testStagefright_cve_2017_0763() throws Exception { 391 doStagefrightTest(R.raw.cve_2017_0763); 392 } 393 394 /*********************************************************** 395 to prevent merge conflicts, add M tests below this comment, 396 before any existing test methods 397 ***********************************************************/ 398 399 @Test 400 @AsbSecurityTest(cveBugId = 73965890) testBug_73965890()401 public void testBug_73965890() throws Exception { 402 int[] frameSizes = getFrameSizes(R.raw.bug_73965890_framelen); 403 doStagefrightTestRawBlob(R.raw.bug_73965890_hevc, "video/hevc", 320, 240, frameSizes); 404 } 405 406 @Test 407 @AsbSecurityTest(cveBugId = 30744884) testStagefright_cve_2016_3920()408 public void testStagefright_cve_2016_3920() throws Exception { 409 doStagefrightTest(R.raw.cve_2016_3920, new CrashUtils.Config().checkMinAddress(false)); 410 } 411 412 @Test 413 @AsbSecurityTest(cveBugId = 38448381) testStagefright_bug_38448381()414 public void testStagefright_bug_38448381() throws Exception { 415 doStagefrightTest(R.raw.bug_38448381); 416 } 417 418 @Test 419 @AsbSecurityTest(cveBugId = 28166152) testStagefright_cve_2016_3821()420 public void testStagefright_cve_2016_3821() throws Exception { 421 doStagefrightTest(R.raw.cve_2016_3821, new CrashUtils.Config().checkMinAddress(false)); 422 } 423 424 @Test 425 @AsbSecurityTest(cveBugId = 70897454) testStagefright_bug_70897454()426 public void testStagefright_bug_70897454() throws Exception { 427 doStagefrightTestRawBlob(R.raw.b70897454_avc, "video/avc", 320, 420); 428 } 429 430 @Test 431 @AsbSecurityTest(cveBugId = 28165659) testStagefright_cve_2016_3742_b_28165659()432 public void testStagefright_cve_2016_3742_b_28165659() throws Exception { 433 doStagefrightTest(R.raw.cve_2016_3742_b_28165659); 434 } 435 436 @Test 437 @AsbSecurityTest(cveBugId = 35039946) testStagefright_bug_35039946()438 public void testStagefright_bug_35039946() throws Exception { 439 doStagefrightTestRawBlob(R.raw.bug_35039946_hevc, "video/hevc", 320, 420); 440 } 441 442 @Test 443 @AsbSecurityTest(cveBugId = 38115076) testStagefright_bug_38115076()444 public void testStagefright_bug_38115076() throws Exception { 445 doStagefrightTest(R.raw.bug_38115076, new CrashUtils.Config().checkMinAddress(false)); 446 } 447 448 @Test 449 @AsbSecurityTest(cveBugId = 34618607) testStagefright_bug_34618607()450 public void testStagefright_bug_34618607() throws Exception { 451 doStagefrightTest(R.raw.bug_34618607, new CrashUtils.Config().checkMinAddress(false)); 452 } 453 454 @Test 455 @AsbSecurityTest(cveBugId = 69478425) testStagefright_bug_69478425()456 public void testStagefright_bug_69478425() throws Exception { 457 doStagefrightTest(R.raw.bug_69478425); 458 } 459 460 @Test 461 @AsbSecurityTest(cveBugId = 65735716) testStagefright_bug_65735716()462 public void testStagefright_bug_65735716() throws Exception { 463 doStagefrightTestRawBlob(R.raw.bug_65735716_avc, "video/avc", 320, 240); 464 } 465 466 @Test 467 @AsbSecurityTest(cveBugId = 65717533) testStagefright_bug_65717533()468 public void testStagefright_bug_65717533() throws Exception { 469 doStagefrightTest(R.raw.bug_65717533_header_corrupt); 470 } 471 472 @Test 473 @AsbSecurityTest(cveBugId = 38239864) testStagefright_bug_38239864()474 public void testStagefright_bug_38239864() throws Exception { 475 doStagefrightTest(R.raw.bug_38239864, (4 * 60 * 1000)); 476 } 477 478 @Test 479 @AsbSecurityTest(cveBugId = 35269635) testStagefright_cve_2017_0600()480 public void testStagefright_cve_2017_0600() throws Exception { 481 doStagefrightTest(R.raw.cve_2017_0600, new CrashUtils.Config().checkMinAddress(false)); 482 } 483 484 @Test 485 @AsbSecurityTest(cveBugId = 38014992) testBug_38014992()486 public void testBug_38014992() throws Exception { 487 int[] frameSizes = getFrameSizes(R.raw.bug_38014992_framelen); 488 doStagefrightTestRawBlob(R.raw.bug_38014992_avc, "video/avc", 640, 480, frameSizes, 489 new CrashUtils.Config().checkMinAddress(false)); 490 } 491 492 @Test 493 @AsbSecurityTest(cveBugId = 35584425) testBug_35584425()494 public void testBug_35584425() throws Exception { 495 int[] frameSizes = getFrameSizes(R.raw.bug_35584425_framelen); 496 doStagefrightTestRawBlob(R.raw.bug_35584425_avc, "video/avc", 352, 288, frameSizes); 497 } 498 499 @Test 500 @AsbSecurityTest(cveBugId = 31092462) testBug_31092462()501 public void testBug_31092462() throws Exception { 502 int[] frameSizes = getFrameSizes(R.raw.bug_31092462_framelen); 503 doStagefrightTestRawBlob(R.raw.bug_31092462_avc, "video/avc", 1280, 1024, frameSizes); 504 } 505 506 @Test 507 @AsbSecurityTest(cveBugId = 34097866) testBug_34097866()508 public void testBug_34097866() throws Exception { 509 int[] frameSizes = getFrameSizes(R.raw.bug_34097866_frame_len); 510 doStagefrightTestRawBlob(R.raw.bug_34097866_avc, "video/avc", 352, 288, frameSizes); 511 } 512 513 @Test 514 @AsbSecurityTest(cveBugId = 33862021) testBug_33862021()515 public void testBug_33862021() throws Exception { 516 int[] frameSizes = getFrameSizes(R.raw.bug_33862021_frame_len); 517 doStagefrightTestRawBlob(R.raw.bug_33862021_hevc, "video/hevc", 160, 96, frameSizes); 518 } 519 520 @Test 521 @AsbSecurityTest(cveBugId = 33387820) testBug_33387820()522 public void testBug_33387820() throws Exception { 523 int[] frameSizes = {45, 3202, 430, 2526}; 524 doStagefrightTestRawBlob(R.raw.bug_33387820_avc, "video/avc", 320, 240, frameSizes, 525 new CrashUtils.Config().checkMinAddress(false)); 526 } 527 528 @Test 529 @AsbSecurityTest(cveBugId = 37008096) testBug_37008096()530 public void testBug_37008096() throws Exception { 531 int[] frameSizes = {245, 12, 33, 140, 164}; 532 doStagefrightTestRawBlob(R.raw.bug_37008096_avc, "video/avc", 320, 240, frameSizes); 533 } 534 535 @Test 536 @AsbSecurityTest(cveBugId = 34231163) testStagefright_bug_34231163()537 public void testStagefright_bug_34231163() throws Exception { 538 int[] frameSizes = {22, 357, 217, 293, 175}; 539 doStagefrightTestRawBlob(R.raw.bug_34231163_mpeg2, "video/mpeg2", 320, 240, frameSizes); 540 } 541 542 @Test 543 @AsbSecurityTest(cveBugId = 33933140) testStagefright_bug_33933140()544 public void testStagefright_bug_33933140() throws Exception { 545 int[] frameSizes = getFrameSizes(R.raw.bug_33933140_framelen); 546 doStagefrightTestRawBlob(R.raw.bug_33933140_avc, "video/avc", 320, 240, frameSizes); 547 } 548 549 @Test 550 @AsbSecurityTest(cveBugId = 34097915) testStagefright_bug_34097915()551 public void testStagefright_bug_34097915() throws Exception { 552 int[] frameSizes = {4140, 593, 0, 15495}; 553 doStagefrightTestRawBlob(R.raw.bug_34097915_avc, "video/avc", 320, 240, frameSizes); 554 } 555 556 @Test 557 @AsbSecurityTest(cveBugId = 34097213) testStagefright_bug_34097213()558 public void testStagefright_bug_34097213() throws Exception { 559 int[] frameSizes = {2571, 210, 33858}; 560 doStagefrightTestRawBlob(R.raw.bug_34097213_avc, "video/avc", 320, 240, frameSizes); 561 } 562 563 @Test 564 @AsbSecurityTest(cveBugId = 28816956) testBug_28816956()565 public void testBug_28816956() throws Exception { 566 int[] frameSizes = getFrameSizes(R.raw.bug_28816956_framelen); 567 doStagefrightTestRawBlob( 568 R.raw.bug_28816956_hevc, "video/hevc", 352, 288, frameSizes, 569 new CrashUtils.Config().checkMinAddress(false)); 570 } 571 572 @Test 573 @AsbSecurityTest(cveBugId = 33818500) testBug_33818500()574 public void testBug_33818500() throws Exception { 575 int[] frameSizes = getFrameSizes(R.raw.bug_33818500_framelen); 576 doStagefrightTestRawBlob(R.raw.bug_33818500_avc, "video/avc", 64, 32, frameSizes, 577 new CrashUtils.Config().checkMinAddress(false)); 578 } 579 580 @Test 581 @AsbSecurityTest(cveBugId = 64784973) testBug_64784973()582 public void testBug_64784973() throws Exception { 583 int[] frameSizes = getFrameSizes(R.raw.bug_64784973_framelen); 584 doStagefrightTestRawBlob(R.raw.bug_64784973_hevc, "video/hevc", 1280, 720, frameSizes); 585 } 586 587 @Test 588 @AsbSecurityTest(cveBugId = 34231231) testBug_34231231()589 public void testBug_34231231() throws Exception { 590 int[] frameSizes = getFrameSizes(R.raw.bug_34231231_framelen); 591 doStagefrightTestRawBlob(R.raw.bug_34231231_mpeg2, "video/mpeg2", 352, 288, frameSizes); 592 } 593 594 @Test 595 @AsbSecurityTest(cveBugId = 63045918) testBug_63045918()596 public void testBug_63045918() throws Exception { 597 int[] frameSizes = getFrameSizes(R.raw.bug_63045918_framelen); 598 doStagefrightTestRawBlob(R.raw.bug_63045918_hevc, "video/hevc", 352, 288, frameSizes); 599 } 600 601 @Test 602 @AsbSecurityTest(cveBugId = 33298089) testBug_33298089()603 public void testBug_33298089() throws Exception { 604 int[] frameSizes = {3247, 430, 221, 2305}; 605 doStagefrightTestRawBlob(R.raw.bug_33298089_avc, "video/avc", 32, 64, frameSizes); 606 } 607 608 @Test 609 @AsbSecurityTest(cveBugId = 34672748) testStagefright_cve_2017_0599()610 public void testStagefright_cve_2017_0599() throws Exception { 611 doStagefrightTest(R.raw.cve_2017_0599, new CrashUtils.Config().checkMinAddress(false)); 612 } 613 614 @Test 615 @AsbSecurityTest(cveBugId = 36492741) testStagefright_bug_36492741()616 public void testStagefright_bug_36492741() throws Exception { 617 doStagefrightTest(R.raw.bug_36492741); 618 } 619 620 @Test 621 @AsbSecurityTest(cveBugId = 38487564) testStagefright_bug_38487564()622 public void testStagefright_bug_38487564() throws Exception { 623 doStagefrightTest(R.raw.bug_38487564, (4 * 60 * 1000)); 624 } 625 626 @Test 627 @AsbSecurityTest(cveBugId = 37237396) testStagefright_bug_37237396()628 public void testStagefright_bug_37237396() throws Exception { 629 doStagefrightTest(R.raw.bug_37237396); 630 } 631 632 @Test 633 @AsbSecurityTest(cveBugId = 25818142) testStagefright_cve_2016_0842()634 public void testStagefright_cve_2016_0842() throws Exception { 635 doStagefrightTest(R.raw.cve_2016_0842); 636 } 637 638 @Test 639 @AsbSecurityTest(cveBugId = 63121644) testStagefright_bug_63121644()640 public void testStagefright_bug_63121644() throws Exception { 641 doStagefrightTest(R.raw.bug_63121644); 642 } 643 644 @Test 645 @AsbSecurityTest(cveBugId = 30593752) testStagefright_cve_2016_6712()646 public void testStagefright_cve_2016_6712() throws Exception { 647 doStagefrightTest(R.raw.cve_2016_6712, new CrashUtils.Config().checkMinAddress(false)); 648 } 649 650 @Test 651 @AsbSecurityTest(cveBugId = 34097231) testStagefright_bug_34097231()652 public void testStagefright_bug_34097231() throws Exception { 653 doStagefrightTestRawBlob(R.raw.bug_34097231_avc, "video/avc", 320, 240); 654 } 655 656 @Test 657 @AsbSecurityTest(cveBugId = 34097672) testStagefright_bug_34097672()658 public void testStagefright_bug_34097672() throws Exception { 659 doStagefrightTest(R.raw.bug_34097672); 660 } 661 662 663 @Test 664 @AsbSecurityTest(cveBugId = 33751193) testStagefright_bug_33751193()665 public void testStagefright_bug_33751193() throws Exception { 666 doStagefrightTestRawBlob(R.raw.bug_33751193_avc, "video/avc", 320, 240); 667 } 668 669 @Test 670 @AsbSecurityTest(cveBugId = 36993291) testBug_36993291()671 public void testBug_36993291() throws Exception { 672 doStagefrightTestRawBlob(R.raw.bug_36993291_avc, "video/avc", 320, 240); 673 } 674 675 @Test 676 @AsbSecurityTest(cveBugId = 33818508) testStagefright_bug_33818508()677 public void testStagefright_bug_33818508() throws Exception { 678 doStagefrightTest(R.raw.bug_33818508, new CrashUtils.Config().checkMinAddress(false)); 679 } 680 681 @Test 682 @AsbSecurityTest(cveBugId = 32873375) testStagefright_bug_32873375()683 public void testStagefright_bug_32873375() throws Exception { 684 doStagefrightTest(R.raw.bug_32873375, new CrashUtils.Config().checkMinAddress(false)); 685 } 686 687 @Test 688 @AsbSecurityTest(cveBugId = 63522067) testStagefright_bug_63522067()689 public void testStagefright_bug_63522067() throws Exception { 690 doStagefrightTestRawBlob(R.raw.bug_63522067_1_hevc, "video/hevc", 320, 420); 691 doStagefrightTestRawBlob(R.raw.bug_63522067_2_hevc, "video/hevc", 320, 420); 692 doStagefrightTestRawBlob(R.raw.bug_63522067_3_hevc, "video/hevc", 320, 420); 693 doStagefrightTestRawBlob(R.raw.bug_63522067_4_hevc, "video/hevc", 320, 420); 694 } 695 696 @Test 697 @AsbSecurityTest(cveBugId = 25765591) testStagefright_bug_25765591()698 public void testStagefright_bug_25765591() throws Exception { 699 doStagefrightTest(R.raw.bug_25765591); 700 } 701 702 @Test 703 @AsbSecurityTest(cveBugId = 62673179) testStagefright_bug_62673179()704 public void testStagefright_bug_62673179() throws Exception { 705 doStagefrightTest(R.raw.bug_62673179_ts, (4 * 60 * 1000)); 706 } 707 708 @Test 709 @AsbSecurityTest(cveBugId = 69269702) testStagefright_bug_69269702()710 public void testStagefright_bug_69269702() throws Exception { 711 doStagefrightTest(R.raw.bug_69269702); 712 } 713 714 @Test 715 @AsbSecurityTest(cveBugId = 23213430) testStagefright_cve_2015_3867()716 public void testStagefright_cve_2015_3867() throws Exception { 717 doStagefrightTest(R.raw.cve_2015_3867); 718 } 719 720 @Test 721 @AsbSecurityTest(cveBugId = 65398821) testStagefright_bug_65398821()722 public void testStagefright_bug_65398821() throws Exception { 723 doStagefrightTest(R.raw.bug_65398821, ( 4 * 60 * 1000 ) ); 724 } 725 726 @Test 727 @AsbSecurityTest(cveBugId = 23036083) testStagefright_cve_2015_3869()728 public void testStagefright_cve_2015_3869() throws Exception { 729 doStagefrightTest(R.raw.cve_2015_3869); 730 } 731 732 @Test 733 @AsbSecurityTest(cveBugId = 23452792) testStagefright_bug_23452792()734 public void testStagefright_bug_23452792() throws Exception { 735 doStagefrightTest(R.raw.bug_23452792); 736 } 737 738 @Test 739 @AsbSecurityTest(cveBugId = 28673410) testStagefright_cve_2016_3820()740 public void testStagefright_cve_2016_3820() throws Exception { 741 doStagefrightTest(R.raw.cve_2016_3820); 742 } 743 744 @Test 745 @AsbSecurityTest(cveBugId = 28165661) testStagefright_cve_2016_3741()746 public void testStagefright_cve_2016_3741() throws Exception { 747 doStagefrightTest(R.raw.cve_2016_3741); 748 } 749 750 @Test 751 @AsbSecurityTest(cveBugId = 28175045) testStagefright_cve_2016_2506()752 public void testStagefright_cve_2016_2506() throws Exception { 753 doStagefrightTest(R.raw.cve_2016_2506); 754 } 755 756 @Test 757 @AsbSecurityTest(cveBugId = 26751339) testStagefright_cve_2016_2428()758 public void testStagefright_cve_2016_2428() throws Exception { 759 doStagefrightTest(R.raw.cve_2016_2428, new CrashUtils.Config().checkMinAddress(false)); 760 } 761 762 @Test 763 @AsbSecurityTest(cveBugId = 28556125) testStagefright_cve_2016_3756()764 public void testStagefright_cve_2016_3756() throws Exception { 765 doStagefrightTest(R.raw.cve_2016_3756); 766 } 767 768 @Test 769 @AsbSecurityTest(cveBugId = 36592202) testStagefright_bug_36592202()770 public void testStagefright_bug_36592202() throws Exception { 771 Resources resources = getInstrumentation().getContext().getResources(); 772 AssetFileDescriptor fd = resources.openRawResourceFd(R.raw.bug_36592202); 773 final int oggPageSize = 25627; 774 byte [] blob = new byte[oggPageSize]; 775 // 127 bytes read and 25500 zeros constitute one Ogg page 776 FileInputStream fis = fd.createInputStream(); 777 int numRead = fis.read(blob); 778 fis.close(); 779 // Creating temp file 780 final File tempFile = File.createTempFile("poc_tmp", ".ogg", null); 781 try { 782 final FileOutputStream tempFos = new FileOutputStream(tempFile.getAbsolutePath()); 783 int bytesWritten = 0; 784 final long oggPagesRequired = 50000; 785 long oggPagesAvailable = tempFile.getUsableSpace() / oggPageSize; 786 long numOggPages = Math.min(oggPagesRequired, oggPagesAvailable); 787 // Repeat data for specified number of pages 788 for (int i = 0; i < numOggPages; i++) { 789 tempFos.write(blob); 790 bytesWritten += oggPageSize; 791 } 792 tempFos.close(); 793 final int fileSize = bytesWritten; 794 final int timeout = (10 * 60 * 1000); 795 runWithTimeout(new Runnable() { 796 @Override 797 public void run() { 798 try { 799 doStagefrightTestMediaCodec(tempFile.getAbsolutePath(), 800 new CrashUtils.Config().checkMinAddress(false)); 801 } catch (Exception | AssertionError e) { 802 if (!tempFile.delete()) { 803 Log.e(TAG, "Failed to delete temporary PoC file"); 804 } 805 fail("Operation was not successful"); 806 } 807 } 808 }, timeout); 809 } catch (Exception e) { 810 fail("Failed to test b/36592202"); 811 } finally { 812 if (!tempFile.delete()) { 813 Log.e(TAG, "Failed to delete temporary PoC file"); 814 } 815 } 816 } 817 818 @Test 819 @AsbSecurityTest(cveBugId = 30822755) testStagefright_bug_30822755()820 public void testStagefright_bug_30822755() throws Exception { 821 doStagefrightTest(R.raw.bug_30822755); 822 } 823 824 @Test 825 @AsbSecurityTest(cveBugId = 32322258) testStagefright_bug_32322258()826 public void testStagefright_bug_32322258() throws Exception { 827 doStagefrightTest(R.raw.bug_32322258, new CrashUtils.Config().checkMinAddress(false)); 828 } 829 830 @Test 831 @AsbSecurityTest(cveBugId = 23248776) testStagefright_cve_2015_3873_b_23248776()832 public void testStagefright_cve_2015_3873_b_23248776() throws Exception { 833 doStagefrightTest(R.raw.cve_2015_3873_b_23248776); 834 } 835 836 @Test 837 @AsbSecurityTest(cveBugId = 35472997) testStagefright_bug_35472997()838 public void testStagefright_bug_35472997() throws Exception { 839 doStagefrightTest(R.raw.bug_35472997); 840 } 841 842 @Test 843 @AsbSecurityTest(cveBugId = 20718524) testStagefright_cve_2015_3873_b_20718524()844 public void testStagefright_cve_2015_3873_b_20718524() throws Exception { 845 doStagefrightTest(R.raw.cve_2015_3873_b_20718524); 846 } 847 848 @Test 849 @AsbSecurityTest(cveBugId = 34896431) testStagefright_bug_34896431()850 public void testStagefright_bug_34896431() throws Exception { 851 doStagefrightTest(R.raw.bug_34896431); 852 } 853 854 @Test 855 @AsbSecurityTest(cveBugId = 33641588) testBug_33641588()856 public void testBug_33641588() throws Exception { 857 doStagefrightTestRawBlob(R.raw.bug_33641588_avc, "video/avc", 320, 240); 858 } 859 860 @Test 861 @AsbSecurityTest(cveBugId = 22954006) testStagefright_cve_2015_3862_b_22954006()862 public void testStagefright_cve_2015_3862_b_22954006() throws Exception { 863 doStagefrightTest(R.raw.cve_2015_3862_b_22954006, 864 new CrashUtils.Config().checkMinAddress(false)); 865 } 866 867 @Test 868 @AsbSecurityTest(cveBugId = 23213430) testStagefright_cve_2015_3867_b_23213430()869 public void testStagefright_cve_2015_3867_b_23213430() throws Exception { 870 doStagefrightTest(R.raw.cve_2015_3867_b_23213430); 871 } 872 873 @Test 874 @AsbSecurityTest(cveBugId = 21814993) testStagefright_cve_2015_3873_b_21814993()875 public void testStagefright_cve_2015_3873_b_21814993() throws Exception { 876 doStagefrightTest(R.raw.cve_2015_3873_b_21814993); 877 } 878 879 @Test 880 @AsbSecurityTest(cveBugId = 25812590) testStagefright_bug_25812590()881 public void testStagefright_bug_25812590() throws Exception { 882 doStagefrightTest(R.raw.bug_25812590); 883 } 884 885 @Test 886 @AsbSecurityTest(cveBugId = 22882938) testStagefright_cve_2015_6600()887 public void testStagefright_cve_2015_6600() throws Exception { 888 doStagefrightTest(R.raw.cve_2015_6600); 889 } 890 891 @Test 892 @AsbSecurityTest(cveBugId = 23227354) testStagefright_cve_2015_6603()893 public void testStagefright_cve_2015_6603() throws Exception { 894 doStagefrightTest(R.raw.cve_2015_6603); 895 } 896 897 @Test 898 @AsbSecurityTest(cveBugId = 23129786) testStagefright_cve_2015_6604()899 public void testStagefright_cve_2015_6604() throws Exception { 900 doStagefrightTest(R.raw.cve_2015_6604); 901 } 902 903 @Test 904 @AsbSecurityTest(cveBugId = 24157524) testStagefright_bug_24157524()905 public void testStagefright_bug_24157524() throws Exception { 906 doStagefrightTestMediaCodec(R.raw.bug_24157524); 907 } 908 909 @Test 910 @AsbSecurityTest(cveBugId = 23031033) testStagefright_cve_2015_3871()911 public void testStagefright_cve_2015_3871() throws Exception { 912 doStagefrightTest(R.raw.cve_2015_3871); 913 } 914 915 @Test 916 @AsbSecurityTest(cveBugId = 26070014) testStagefright_bug_26070014()917 public void testStagefright_bug_26070014() throws Exception { 918 doStagefrightTest(R.raw.bug_26070014); 919 } 920 921 @Test 922 @AsbSecurityTest(cveBugId = 32915871) testStagefright_bug_32915871()923 public void testStagefright_bug_32915871() throws Exception { 924 doStagefrightTest(R.raw.bug_32915871); 925 } 926 927 @Test 928 @AsbSecurityTest(cveBugId = 28333006) testStagefright_bug_28333006()929 public void testStagefright_bug_28333006() throws Exception { 930 doStagefrightTest(R.raw.bug_28333006); 931 } 932 933 @Test 934 @AsbSecurityTest(cveBugId = 14388161) testStagefright_bug_14388161()935 public void testStagefright_bug_14388161() throws Exception { 936 doStagefrightTestMediaPlayer(R.raw.bug_14388161); 937 } 938 939 @Test 940 @AsbSecurityTest(cveBugId = 28470138) testStagefright_cve_2016_3755()941 public void testStagefright_cve_2016_3755() throws Exception { 942 doStagefrightTest(R.raw.cve_2016_3755, new CrashUtils.Config().checkMinAddress(false)); 943 } 944 945 @Test 946 @AsbSecurityTest(cveBugId = 29493002) testStagefright_cve_2016_3878_b_29493002()947 public void testStagefright_cve_2016_3878_b_29493002() throws Exception { 948 doStagefrightTest(R.raw.cve_2016_3878_b_29493002, 949 new CrashUtils.Config().checkMinAddress(false)); 950 } 951 952 @Test 953 @AsbSecurityTest(cveBugId = 36819262) testBug_36819262()954 public void testBug_36819262() throws Exception { 955 doStagefrightTestRawBlob(R.raw.bug_36819262_mpeg2, "video/mpeg2", 640, 480); 956 } 957 958 @Test 959 @AsbSecurityTest(cveBugId = 23680780) testStagefright_cve_2015_6608_b_23680780()960 public void testStagefright_cve_2015_6608_b_23680780() throws Exception { 961 doStagefrightTest(R.raw.cve_2015_6608_b_23680780); 962 } 963 964 @Test 965 @AsbSecurityTest(cveBugId = 36715268) testStagefright_bug_36715268()966 public void testStagefright_bug_36715268() throws Exception { 967 doStagefrightTest(R.raw.bug_36715268); 968 } 969 970 @Test 971 @AsbSecurityTest(cveBugId = 27855419) testStagefright_bug_27855419_CVE_2016_2463()972 public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception { 973 doStagefrightTest(R.raw.bug_27855419, new CrashUtils.Config().checkMinAddress(false)); 974 } 975 976 @Test 977 @AsbSecurityTest(cveBugId = 19779574) testStagefright_bug_19779574()978 public void testStagefright_bug_19779574() throws Exception { 979 doStagefrightTest(R.raw.bug_19779574, new CrashUtils.Config().checkMinAddress(false)); 980 } 981 982 /*********************************************************** 983 to prevent merge conflicts, add N tests below this comment, 984 before any existing test methods 985 ***********************************************************/ 986 987 @Test 988 @AsbSecurityTest(cveBugId = 33090864) testBug_33090864()989 public void testBug_33090864() throws Exception { 990 int[] frameSizes = getFrameSizes(R.raw.bug_33090864_framelen); 991 doStagefrightTestRawBlob(R.raw.bug_33090864_avc, "video/avc", 320, 240, frameSizes); 992 } 993 994 @Test 995 @AsbSecurityTest(cveBugId = 36279112) testStagefright_bug_36279112()996 public void testStagefright_bug_36279112() throws Exception { 997 doStagefrightTest(R.raw.bug_36279112, new CrashUtils.Config().checkMinAddress(false)); 998 } 999 1000 @Test 1001 @AsbSecurityTest(cveBugId = 33129467) testStagefright_cve_2017_0640()1002 public void testStagefright_cve_2017_0640() throws Exception { 1003 int[] frameSizes = {21, 4}; 1004 doStagefrightTestRawBlob(R.raw.cve_2017_0640_avc, "video/avc", 640, 480, 1005 frameSizes); 1006 } 1007 1008 @Test 1009 @AsbSecurityTest(cveBugId = 37203196) testBug_37203196()1010 public void testBug_37203196() throws Exception { 1011 int[] frameSizes = getFrameSizes(R.raw.bug_37203196_framelen); 1012 doStagefrightTestRawBlob(R.raw.bug_37203196_mpeg2, "video/mpeg2", 48, 48, frameSizes); 1013 } 1014 1015 @Test 1016 @AsbSecurityTest(cveBugId = 73552574) testBug_73552574()1017 public void testBug_73552574() throws Exception { 1018 int[] frameSizes = getFrameSizes(R.raw.bug_73552574_framelen); 1019 doStagefrightTestRawBlob(R.raw.bug_73552574_avc, "video/avc", 320, 240, frameSizes); 1020 } 1021 1022 @Test 1023 @AsbSecurityTest(cveBugId = 23285192) testStagefright_bug_23285192()1024 public void testStagefright_bug_23285192() throws Exception { 1025 doStagefrightTest(R.raw.bug_23285192); 1026 } 1027 1028 @Test 1029 @AsbSecurityTest(cveBugId = 25928803) testStagefright_bug_25928803()1030 public void testStagefright_bug_25928803() throws Exception { 1031 doStagefrightTest(R.raw.bug_25928803); 1032 } 1033 1034 @Test 1035 @AsbSecurityTest(cveBugId = 26399350) testBug_26399350()1036 public void testBug_26399350() throws Exception { 1037 int[] frameSizes = {657, 54930}; 1038 doStagefrightTestRawBlob(R.raw.bug_26399350_avc, "video/avc", 640, 480, 1039 frameSizes); 1040 } 1041 1042 @Test 1043 @AsbSecurityTest(cveBugId = 113260892) testBug_113260892()1044 public void testBug_113260892() throws Exception { 1045 doStagefrightTestRawBlob(R.raw.bug_113260892_hevc, "video/hevc", 320, 240); 1046 } 1047 1048 @Test 1049 @AsbSecurityTest(cveBugId = 68342866) testStagefright_bug_68342866()1050 public void testStagefright_bug_68342866() throws Exception { 1051 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1052 policy.setCleartextTrafficPermitted(true); 1053 Thread server = new Thread() { 1054 @Override 1055 public void run() { 1056 try (ServerSocket serverSocket = new ServerSocket(8080) { 1057 {setSoTimeout(10_000);} // time out after 10 seconds 1058 }; 1059 Socket conn = serverSocket.accept(); 1060 ) { 1061 OutputStream outputstream = conn.getOutputStream(); 1062 InputStream inputStream = conn.getInputStream(); 1063 byte input[] = new byte[65536]; 1064 inputStream.read(input, 0, 65536); 1065 String inputStr = new String(input); 1066 if (inputStr.contains("bug_68342866.m3u8")) { 1067 byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n") 1068 .getBytes(); 1069 byte playlist[] = new byte[] { 0x23, 0x45, 0x58, 0x54, 1070 0x4D, 0x33, 0x55, 0x0A, 0x23, 0x45, 0x58, 0x54, 1071 0x2D, 0x58, 0x2D, 0x53, 0x54, 0x52, 0x45, 0x41, 1072 0x4D, 0x2D, 0x49, 0x4E, 0x46, 0x46, 0x43, 0x23, 1073 0x45, 0x3A, 0x54, 0x42, 0x00, 0x00, 0x00, 0x0A, 1074 0x00, 0x00, 0x00, 0x00, 0x00, (byte) 0xFF, 1075 (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 1076 (byte) 0xFF, (byte) 0xFF, 0x3F, 0x2C, 0x4E, 1077 0x46, 0x00, 0x00 }; 1078 outputstream.write(http); 1079 outputstream.write(playlist); 1080 } 1081 } catch (IOException e) { 1082 } 1083 } 1084 }; 1085 server.start(); 1086 String uri = "http://127.0.0.1:8080/bug_68342866.m3u8"; 1087 final MediaPlayerCrashListener mpcl = 1088 new MediaPlayerCrashListener(new CrashUtils.Config().checkMinAddress(false)); 1089 LooperThread t = new LooperThread(new Runnable() { 1090 @Override 1091 public void run() { 1092 MediaPlayer mp = new MediaPlayer(); 1093 mp.setOnErrorListener(mpcl); 1094 mp.setOnPreparedListener(mpcl); 1095 mp.setOnCompletionListener(mpcl); 1096 RenderTarget renderTarget = RenderTarget.create(); 1097 Surface surface = renderTarget.getSurface(); 1098 mp.setSurface(surface); 1099 AssetFileDescriptor fd = null; 1100 try { 1101 mp.setDataSource(uri); 1102 mp.prepareAsync(); 1103 } catch (IOException e) { 1104 Log.e(TAG, e.toString()); 1105 } finally { 1106 closeQuietly(fd); 1107 } 1108 Looper.loop(); 1109 mp.release(); 1110 renderTarget.destroy(); 1111 } 1112 }); 1113 t.start(); 1114 assertFalse("Device *IS* vulnerable to BUG-68342866", 1115 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1116 t.stopLooper(); 1117 t.join(); 1118 policy.setCleartextTrafficPermitted(false); 1119 server.join(); 1120 } 1121 1122 @Test 1123 @AsbSecurityTest(cveBugId = 74114680) testStagefright_bug_74114680()1124 public void testStagefright_bug_74114680() throws Exception { 1125 doStagefrightTest(R.raw.bug_74114680_ts, (10 * 60 * 1000)); 1126 } 1127 1128 @Test 1129 @AsbSecurityTest(cveBugId = 70239507) testStagefright_bug_70239507()1130 public void testStagefright_bug_70239507() throws Exception { 1131 doStagefrightTestExtractorSeek(R.raw.bug_70239507,1311768465173141112L); 1132 } 1133 1134 @Test 1135 @AsbSecurityTest(cveBugId = 33250932) testBug_33250932()1136 public void testBug_33250932() throws Exception { 1137 int[] frameSizes = {65, 11, 102, 414}; 1138 doStagefrightTestRawBlob(R.raw.bug_33250932_avc, "video/avc", 640, 480, frameSizes); 1139 } 1140 1141 @Test 1142 @AsbSecurityTest(cveBugId = 37430213) testStagefright_bug_37430213()1143 public void testStagefright_bug_37430213() throws Exception { 1144 doStagefrightTest(R.raw.bug_37430213); 1145 } 1146 1147 @Test 1148 @AsbSecurityTest(cveBugId = 68664359) testStagefright_bug_68664359()1149 public void testStagefright_bug_68664359() throws Exception { 1150 doStagefrightTest(R.raw.bug_68664359, 60000); 1151 } 1152 1153 @Test 1154 @AsbSecurityTest(cveBugId = 110435401) testStagefright_bug_110435401()1155 public void testStagefright_bug_110435401() throws Exception { 1156 doStagefrightTest(R.raw.bug_110435401, 60000); 1157 } 1158 1159 @Test 1160 @AsbSecurityTest(cveBugId = 32589224) testStagefright_cve_2017_0474()1161 public void testStagefright_cve_2017_0474() throws Exception { 1162 doStagefrightTest(R.raw.cve_2017_0474, 120000); 1163 } 1164 1165 @Test 1166 @AsbSecurityTest(cveBugId = 62872863) testStagefright_cve_2017_0765()1167 public void testStagefright_cve_2017_0765() throws Exception { 1168 doStagefrightTest(R.raw.cve_2017_0765); 1169 } 1170 1171 @Test 1172 @AsbSecurityTest(cveBugId = 70637599) testStagefright_cve_2017_13276()1173 public void testStagefright_cve_2017_13276() throws Exception { 1174 doStagefrightTest(R.raw.cve_2017_13276); 1175 } 1176 1177 @Test 1178 @AsbSecurityTest(cveBugId = 31681434) testStagefright_cve_2016_6764()1179 public void testStagefright_cve_2016_6764() throws Exception { 1180 doStagefrightTest(R.raw.cve_2016_6764, new CrashUtils.Config().checkMinAddress(false)); 1181 } 1182 1183 @Test 1184 @AsbSecurityTest(cveBugId = 38495900) testStagefright_cve_2017_13214()1185 public void testStagefright_cve_2017_13214() throws Exception { 1186 doStagefrightTest(R.raw.cve_2017_13214); 1187 } 1188 1189 @Test 1190 @AsbSecurityTest(cveBugId = 35467107) testStagefright_bug_35467107()1191 public void testStagefright_bug_35467107() throws Exception { 1192 doStagefrightTest(R.raw.bug_35467107, new CrashUtils.Config().checkMinAddress(false)); 1193 } 1194 1195 /*********************************************************** 1196 to prevent merge conflicts, add O tests below this comment, 1197 before any existing test methods 1198 ***********************************************************/ 1199 @Test 1200 @AsbSecurityTest(cveBugId = 162756352) testStagefright_cve_2020_11184()1201 public void testStagefright_cve_2020_11184() throws Exception { 1202 doStagefrightTest(R.raw.cve_2020_11184); 1203 } 1204 1205 @Test 1206 @AsbSecurityTest(cveBugId = 130024844) testStagefright_cve_2019_2107()1207 public void testStagefright_cve_2019_2107() throws Exception { 1208 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1209 getInstrumentation().getContext().getPackageManager(), 1210 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1211 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2107_framelen); 1212 doStagefrightTestRawBlob(R.raw.cve_2019_2107_hevc, "video/hevc", 1920, 1213 1080, frameSizes); 1214 } 1215 1216 @Test 1217 @AsbSecurityTest(cveBugId = 122473145) testStagefright_cve_2019_2245()1218 public void testStagefright_cve_2019_2245() throws Exception { 1219 doStagefrightTest(R.raw.cve_2019_2245); 1220 } 1221 1222 @Test 1223 @AsbSecurityTest(cveBugId = 120483842) testStagefright_cve_2018_13925()1224 public void testStagefright_cve_2018_13925() throws Exception { 1225 doStagefrightTest(R.raw.cve_2018_13925); 1226 } 1227 1228 @Test 1229 @AsbSecurityTest(cveBugId = 157905659) testStagefright_cve_2020_11139()1230 public void testStagefright_cve_2020_11139() throws Exception { 1231 doStagefrightTest(R.raw.cve_2020_11139); 1232 } 1233 1234 @Test 1235 @AsbSecurityTest(cveBugId = 150697436) testStagefright_cve_2020_3663()1236 public void testStagefright_cve_2020_3663() throws Exception { 1237 doStagefrightTest(R.raw.cve_2020_3663); 1238 } 1239 1240 @Test 1241 @AsbSecurityTest(cveBugId = 155653312) testStagefright_cve_2020_11122()1242 public void testStagefright_cve_2020_11122() throws Exception { 1243 doStagefrightTest(R.raw.cve_2020_11122); 1244 } 1245 1246 @Test 1247 @AsbSecurityTest(cveBugId = 153345450) testStagefright_cve_2020_3688()1248 public void testStagefright_cve_2020_3688() throws Exception { 1249 doStagefrightTest(R.raw.cve_2020_3688); 1250 } 1251 1252 @Test 1253 @AsbSecurityTest(cveBugId = 162756122) testStagefright_cve_2020_11168()1254 public void testStagefright_cve_2020_11168() throws Exception { 1255 doStagefrightTest(R.raw.cve_2020_11168); 1256 } 1257 1258 @Test 1259 @AsbSecurityTest(cveBugId = 150697838) testStagefright_cve_2020_3658()1260 public void testStagefright_cve_2020_3658() throws Exception { 1261 doStagefrightTest(R.raw.cve_2020_3658); 1262 } 1263 1264 @Test 1265 @AsbSecurityTest(cveBugId = 148816216) testStagefright_cve_2020_3633()1266 public void testStagefright_cve_2020_3633() throws Exception { 1267 doStagefrightTest(R.raw.cve_2020_3633); 1268 } 1269 1270 @Test 1271 @AsbSecurityTest(cveBugId = 150695050) testStagefright_cve_2020_3660()1272 public void testStagefright_cve_2020_3660() throws Exception { 1273 doStagefrightTest(R.raw.cve_2020_3660); 1274 } 1275 1276 @Test 1277 @AsbSecurityTest(cveBugId = 150695169) testStagefright_cve_2020_3661()1278 public void testStagefright_cve_2020_3661() throws Exception { 1279 doStagefrightTest(R.raw.cve_2020_3661); 1280 } 1281 1282 @Test 1283 @AsbSecurityTest(cveBugId = 142271944) testStagefright_cve_2019_14013()1284 public void testStagefright_cve_2019_14013() throws Exception { 1285 doStagefrightTest(R.raw.cve_2019_14013); 1286 } 1287 1288 @Test 1289 @AsbSecurityTest(cveBugId = 150696661) testStagefright_cve_2020_3662()1290 public void testStagefright_cve_2020_3662() throws Exception { 1291 doStagefrightTest(R.raw.cve_2020_3662); 1292 } 1293 1294 @Test 1295 @AsbSecurityTest(cveBugId = 170583712) testStagefright_cve_2021_0312()1296 public void testStagefright_cve_2021_0312() throws Exception { 1297 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1298 getInstrumentation().getContext().getPackageManager(), 1299 MainlineModule.MEDIA)); 1300 doStagefrightTestExtractorSeek(R.raw.cve_2021_0312, 2, new CrashUtils.Config() 1301 .setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1302 } 1303 1304 @Test 1305 @AsbSecurityTest(cveBugId = 77600398) testStagefright_cve_2018_9474()1306 public void testStagefright_cve_2018_9474() throws Exception { 1307 MediaPlayer mp = new MediaPlayer(); 1308 RenderTarget renderTarget = RenderTarget.create(); 1309 Surface surface = renderTarget.getSurface(); 1310 mp.setSurface(surface); 1311 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1312 .openRawResourceFd(R.raw.cve_2018_9474); 1313 1314 mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 1315 mp.prepare(); 1316 1317 MediaPlayer.TrackInfo[] trackInfos = mp.getTrackInfo(); 1318 if (trackInfos == null || trackInfos.length == 0) { 1319 return; 1320 } 1321 1322 MediaPlayer.TrackInfo trackInfo = trackInfos[0]; 1323 1324 int trackType = trackInfo.getTrackType(); 1325 MediaFormat format = trackInfo.getFormat(); 1326 1327 Parcel data = Parcel.obtain(); 1328 trackInfo.writeToParcel(data, 0); 1329 1330 data.setDataPosition(0); 1331 int trackTypeFromParcel = data.readInt(); 1332 String mimeTypeFromParcel = data.readString(); 1333 data.recycle(); 1334 1335 if (trackType == trackTypeFromParcel) { 1336 assertFalse("Device *IS* vulnerable to CVE-2018-9474", 1337 mimeTypeFromParcel.equals("und")); 1338 } 1339 } 1340 1341 @Test 1342 @AsbSecurityTest(cveBugId = 130025324) testStagefright_cve_2019_2108()1343 public void testStagefright_cve_2019_2108() throws Exception { 1344 doStagefrightTestRawBlob(R.raw.cve_2019_2108_hevc, "video/hevc", 320, 240, 1345 new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, 1346 CrashUtils.SIGABRT)); 1347 } 1348 1349 @Test 1350 @AsbSecurityTest(cveBugId = 25747670) testStagefright_cve_2016_3880()1351 public void testStagefright_cve_2016_3880() throws Exception { 1352 Thread server = new Thread() { 1353 @Override 1354 public void run() { 1355 try (ServerSocket serverSocket = new ServerSocket(8080) { 1356 {setSoTimeout(10_000);} // time out after 10 seconds 1357 }; 1358 Socket conn = serverSocket.accept() 1359 ) { 1360 OutputStream outputstream = conn.getOutputStream(); 1361 InputStream inputStream = conn.getInputStream(); 1362 byte input[] = new byte[65536]; 1363 inputStream.read(input, 0, 65536); 1364 String inputStr = new String(input); 1365 if (inputStr.contains("DESCRIBE rtsp://127.0.0.1:8080/cve_2016_3880")) { 1366 byte http[] = ("RTSP/1.0 200 OK\r\n" 1367 + "Server: stagefright/1.2 (Linux;Android 9)\r\n" 1368 + "Content-Type: application/sdp\r\n" 1369 + "Content-Base: rtsp://127.0.0.1:8080/cve_2016_3880\r\n" 1370 + "Content-Length: 379\r\n" 1371 + "Cache-Control: no-cache\r\nCSeq: 1\r\n\r\n").getBytes(); 1372 1373 byte sdp[] = ("v=0\r\no=- 64 233572944 IN IP4 127.0.0.0\r\n" 1374 + "s=QuickTime\r\nt=0 0\r\na=range:npt=now-\r\n" 1375 + "m=video 5434 RTP/AVP 96123456\r\nc=IN IP4 127.0.0.1\r\n" 1376 + "b=AS:320000\r\na=rtpmap:96123456 H264/90000\r\n" 1377 + "a=fmtp:96123456 packetization-mode=1;profile-level-id=42001E;" 1378 + "sprop-parameter-sets=Z0IAHpZUBaHogA==,aM44gA==\r\n" 1379 + "a=cliprect:0,0,480,270\r\na=framesize:96123456 720-480\r\n" 1380 + "a=control:track1\r\n").getBytes(); 1381 1382 outputstream.write(http); 1383 outputstream.write(sdp); 1384 outputstream.flush(); 1385 } 1386 } catch (IOException e) { 1387 } 1388 } 1389 }; 1390 server.start(); 1391 String uri = "rtsp://127.0.0.1:8080/cve_2016_3880"; 1392 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(new CrashUtils.Config() 1393 .setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1394 LooperThread t = new LooperThread(new Runnable() { 1395 @Override 1396 public void run() { 1397 MediaPlayer mp = new MediaPlayer(); 1398 mp.setOnErrorListener(mpcl); 1399 mp.setOnPreparedListener(mpcl); 1400 mp.setOnCompletionListener(mpcl); 1401 RenderTarget renderTarget = RenderTarget.create(); 1402 Surface surface = renderTarget.getSurface(); 1403 mp.setSurface(surface); 1404 AssetFileDescriptor fd = null; 1405 try { 1406 mp.setDataSource(uri); 1407 mp.prepareAsync(); 1408 } catch (IOException e) { 1409 Log.e(TAG, e.toString()); 1410 } finally { 1411 closeQuietly(fd); 1412 } 1413 Looper.loop(); 1414 mp.release(); 1415 } 1416 }); 1417 t.start(); 1418 assertFalse("Device *IS* vulnerable to CVE-2016-3880", 1419 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1420 t.stopLooper(); 1421 t.join(); 1422 server.join(); 1423 } 1424 1425 @Test 1426 @AsbSecurityTest(cveBugId = 170240631) testStagefright_bug170240631()1427 public void testStagefright_bug170240631() throws Exception { 1428 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1429 getInstrumentation().getContext().getPackageManager(), 1430 MainlineModule.MEDIA)); 1431 doStagefrightTest(R.raw.bug170240631_ts); 1432 } 1433 1434 @Test 1435 @AsbSecurityTest(cveBugId = 148816624) testStagefright_cve_2020_3641()1436 public void testStagefright_cve_2020_3641() throws Exception { 1437 doStagefrightTest(R.raw.cve_2020_3641); 1438 } 1439 1440 @Test 1441 @AsbSecurityTest(cveBugId = 147103871) testStagefright_cve_2019_14127()1442 public void testStagefright_cve_2019_14127() throws Exception { 1443 doStagefrightTest(R.raw.cve_2019_14127); 1444 } 1445 1446 @Test 1447 @AsbSecurityTest(cveBugId = 147104052) testStagefright_cve_2019_14132()1448 public void testStagefright_cve_2019_14132() throws Exception { 1449 doStagefrightTest(R.raw.cve_2019_14132); 1450 } 1451 1452 @Test 1453 @AsbSecurityTest(cveBugId = 145545283) testStagefright_cve_2019_10591()1454 public void testStagefright_cve_2019_10591() throws Exception { 1455 doStagefrightTest(R.raw.cve_2019_10591); 1456 } 1457 1458 @Test 1459 @AsbSecurityTest(cveBugId = 143903858) testStagefright_cve_2019_10590()1460 public void testStagefright_cve_2019_10590() throws Exception { 1461 doStagefrightTest(R.raw.cve_2019_10590); 1462 } 1463 1464 @Test 1465 @AsbSecurityTest(cveBugId = 142271848) testStagefright_cve_2019_14004()1466 public void testStagefright_cve_2019_14004() throws Exception { 1467 doStagefrightTest(R.raw.cve_2019_14004); 1468 } 1469 1470 @Test 1471 @AsbSecurityTest(cveBugId = 142271498) testStagefright_cve_2019_14003()1472 public void testStagefright_cve_2019_14003() throws Exception { 1473 doStagefrightTest(R.raw.cve_2019_14003); 1474 } 1475 1476 @Test 1477 @AsbSecurityTest(cveBugId = 143903018) testStagefright_cve_2019_14057()1478 public void testStagefright_cve_2019_14057() throws Exception { 1479 doStagefrightTest(R.raw.cve_2019_14057); 1480 } 1481 1482 @Test 1483 @AsbSecurityTest(cveBugId = 142271634) testStagefright_cve_2019_10532()1484 public void testStagefright_cve_2019_10532() throws Exception { 1485 doStagefrightTest(R.raw.cve_2019_10532); 1486 } 1487 1488 @Test 1489 @AsbSecurityTest(cveBugId = 142268949) testStagefright_cve_2019_10578()1490 public void testStagefright_cve_2019_10578() throws Exception { 1491 doStagefrightTest(R.raw.cve_2019_10578); 1492 } 1493 1494 @Test 1495 @AsbSecurityTest(cveBugId = 145545758) testStagefright_cve_2019_14061()1496 public void testStagefright_cve_2019_14061() throws Exception { 1497 doStagefrightTest(R.raw.cve_2019_14061, 180000); 1498 } 1499 1500 @Test 1501 @AsbSecurityTest(cveBugId = 142271615) testStagefright_cve_2019_10611()1502 public void testStagefright_cve_2019_10611() throws Exception { 1503 doStagefrightTest(R.raw.cve_2019_10611); 1504 } 1505 1506 @Test 1507 @AsbSecurityTest(cveBugId = 132108754) testStagefright_cve_2019_10489()1508 public void testStagefright_cve_2019_10489() throws Exception { 1509 doStagefrightTest(R.raw.cve_2019_10489); 1510 } 1511 1512 @Test 1513 @AsbSecurityTest(cveBugId = 145545282) testStagefright_cve_2019_14048()1514 public void testStagefright_cve_2019_14048() throws Exception { 1515 doStagefrightTest(R.raw.cve_2019_14048); 1516 } 1517 1518 @Test 1519 @AsbSecurityTest(cveBugId = 129766432) testStagefright_cve_2019_2253()1520 public void testStagefright_cve_2019_2253() throws Exception { 1521 doStagefrightTest(R.raw.cve_2019_2253); 1522 } 1523 1524 @Test 1525 @AsbSecurityTest(cveBugId = 142271692) testStagefright_cve_2019_10579()1526 public void testStagefright_cve_2019_10579() throws Exception { 1527 doStagefrightTestANR(R.raw.cve_2019_10579); 1528 } 1529 1530 @Test 1531 @AsbSecurityTest(cveBugId = 142271965) testStagefright_cve_2019_14005()1532 public void testStagefright_cve_2019_14005() throws Exception { 1533 doStagefrightTest(R.raw.cve_2019_14005); 1534 } 1535 1536 @Test 1537 @AsbSecurityTest(cveBugId = 142271827) testStagefright_cve_2019_14006()1538 public void testStagefright_cve_2019_14006() throws Exception { 1539 doStagefrightTest(R.raw.cve_2019_14006); 1540 } 1541 1542 @Test 1543 @AsbSecurityTest(cveBugId = 142270646) testStagefright_CVE_2019_14016()1544 public void testStagefright_CVE_2019_14016() throws Exception { 1545 doStagefrightTest(R.raw.cve_2019_14016); 1546 } 1547 1548 @Test 1549 @AsbSecurityTest(cveBugId = 142271515) testStagefright_CVE_2019_14017()1550 public void testStagefright_CVE_2019_14017() throws Exception { 1551 doStagefrightTest(R.raw.cve_2019_14017); 1552 } 1553 1554 @Test 1555 @AsbSecurityTest(cveBugId = 78029004) testStagefright_cve_2018_9412()1556 public void testStagefright_cve_2018_9412() throws Exception { 1557 doStagefrightTest(R.raw.cve_2018_9412, 180000); 1558 } 1559 1560 @Test 1561 @AsbSecurityTest(cveBugId = 142641801) testStagefright_bug_142641801()1562 public void testStagefright_bug_142641801() throws Exception { 1563 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1564 getInstrumentation().getContext().getPackageManager(), 1565 MainlineModule.MEDIA)); 1566 doStagefrightTest(R.raw.bug_142641801); 1567 } 1568 1569 @Test 1570 @AsbSecurityTest(cveBugId = 134437379) testStagefright_cve_2019_10534()1571 public void testStagefright_cve_2019_10534() throws Exception { 1572 doStagefrightTest(R.raw.cve_2019_10534); 1573 } 1574 1575 @Test 1576 @AsbSecurityTest(cveBugId = 134437210) testStagefright_cve_2019_10533()1577 public void testStagefright_cve_2019_10533() throws Exception { 1578 doStagefrightTest(R.raw.cve_2019_10533); 1579 } 1580 1581 @Test 1582 @AsbSecurityTest(cveBugId = 134437115) testStagefright_cve_2019_10541()1583 public void testStagefright_cve_2019_10541() throws Exception { 1584 doStagefrightTest(R.raw.cve_2019_10541); 1585 } 1586 1587 @Test 1588 @AsbSecurityTest(cveBugId = 62851602) testStagefright_cve_2017_13233()1589 public void testStagefright_cve_2017_13233() throws Exception { 1590 doStagefrightTestRawBlob(R.raw.cve_2017_13233_hevc, "video/hevc", 640, 1591 480); 1592 } 1593 1594 @Test 1595 @AsbSecurityTest(cveBugId = 130023983) testStagefright_cve_2019_2106()1596 public void testStagefright_cve_2019_2106() throws Exception { 1597 int[] frameSizes = {943, 3153}; 1598 doStagefrightTestRawBlob(R.raw.cve_2019_2106_hevc, "video/hevc", 320, 1599 240, frameSizes); 1600 } 1601 1602 @Test 1603 @AsbSecurityTest(cveBugId = 34064500) testStagefright_cve_2017_0637()1604 public void testStagefright_cve_2017_0637() throws Exception { 1605 doStagefrightTest(R.raw.cve_2017_0637, 2 * 72000); 1606 } 1607 1608 @Test 1609 @AsbSecurityTest(cveBugId = 109678380) testStagefright_cve_2018_11287()1610 public void testStagefright_cve_2018_11287() throws Exception { 1611 doStagefrightTest(R.raw.cve_2018_11287, 180000); 1612 } 1613 1614 @Test 1615 @AsbSecurityTest(cveBugId = 129766125) testStagefright_cve_2019_2327()1616 public void testStagefright_cve_2019_2327() throws Exception { 1617 doStagefrightTest(R.raw.cve_2019_2327); 1618 } 1619 1620 @Test 1621 @AsbSecurityTest(cveBugId = 129766496) testStagefright_cve_2019_2322()1622 public void testStagefright_cve_2019_2322() throws Exception { 1623 doStagefrightTest(R.raw.cve_2019_2322); 1624 } 1625 1626 @Test 1627 @AsbSecurityTest(cveBugId = 129766099) testStagefright_cve_2019_2334()1628 public void testStagefright_cve_2019_2334() throws Exception { 1629 doStagefrightTest(R.raw.cve_2019_2334); 1630 } 1631 1632 @Test 1633 @AsbSecurityTest(cveBugId = 64380237) testStagefright_cve_2017_13204()1634 public void testStagefright_cve_2017_13204() throws Exception { 1635 int[] frameSizes = getFrameSizes(R.raw.cve_2017_13204_framelen); 1636 doStagefrightTestRawBlob(R.raw.cve_2017_13204_avc, "video/avc", 16, 16, frameSizes); 1637 } 1638 1639 @Test 1640 @AsbSecurityTest(cveBugId = 70221445) testStagefright_cve_2017_17773()1641 public void testStagefright_cve_2017_17773() throws Exception { 1642 doStagefrightTest(R.raw.cve_2017_17773); 1643 } 1644 1645 @Test 1646 @AsbSecurityTest(cveBugId = 68326816) testStagefright_cve_2017_18074()1647 public void testStagefright_cve_2017_18074() throws Exception { 1648 doStagefrightTest(R.raw.cve_2017_18074); 1649 } 1650 1651 @Test 1652 @AsbSecurityTest(cveBugId = 74236854) testStagefright_cve_2018_5894()1653 public void testStagefright_cve_2018_5894() throws Exception { 1654 doStagefrightTest(R.raw.cve_2018_5894); 1655 } 1656 1657 @Test 1658 @AsbSecurityTest(cveBugId = 77485139) testStagefright_cve_2018_5874()1659 public void testStagefright_cve_2018_5874() throws Exception { 1660 doStagefrightTest(R.raw.cve_2018_5874); 1661 } 1662 1663 @Test 1664 @AsbSecurityTest(cveBugId = 77485183) testStagefright_cve_2018_5875()1665 public void testStagefright_cve_2018_5875() throws Exception { 1666 doStagefrightTest(R.raw.cve_2018_5875); 1667 } 1668 1669 @Test 1670 @AsbSecurityTest(cveBugId = 77485022) testStagefright_cve_2018_5876()1671 public void testStagefright_cve_2018_5876() throws Exception { 1672 doStagefrightTest(R.raw.cve_2018_5876); 1673 } 1674 1675 @Test 1676 @AsbSecurityTest(cveBugId = 77483830) testStagefright_cve_2018_5882()1677 public void testStagefright_cve_2018_5882() throws Exception { 1678 doStagefrightTest(R.raw.cve_2018_5882); 1679 } 1680 1681 @Test 1682 @AsbSecurityTest(cveBugId = 65186291) testBug_65186291()1683 public void testBug_65186291() throws Exception { 1684 int[] frameSizes = getFrameSizes(R.raw.bug_65186291_framelen); 1685 doStagefrightTestRawBlob(R.raw.bug_65186291_hevc, "video/hevc", 1920, 1080, frameSizes); 1686 } 1687 1688 @Test 1689 @AsbSecurityTest(cveBugId = 67737022) testBug_67737022()1690 public void testBug_67737022() throws Exception { 1691 doStagefrightTest(R.raw.bug_67737022); 1692 } 1693 1694 @Test 1695 @AsbSecurityTest(cveBugId = 37093318) testStagefright_bug_37093318()1696 public void testStagefright_bug_37093318() throws Exception { 1697 doStagefrightTest(R.raw.bug_37093318, (4 * 60 * 1000)); 1698 } 1699 1700 @Test 1701 @AsbSecurityTest(cveBugId = 73172046) testStagefright_bug_73172046()1702 public void testStagefright_bug_73172046() throws Exception { 1703 doStagefrightTest(R.raw.bug_73172046); 1704 1705 Bitmap bitmap = BitmapFactory.decodeResource( 1706 getInstrumentation().getContext().getResources(), R.raw.bug_73172046); 1707 // OK if the decoding failed, but shouldn't cause crashes 1708 if (bitmap != null) { 1709 bitmap.recycle(); 1710 } 1711 } 1712 1713 @Test 1714 @AsbSecurityTest(cveBugId = 25765591) testStagefright_cve_2016_0824()1715 public void testStagefright_cve_2016_0824() throws Exception { 1716 doStagefrightTest(R.raw.cve_2016_0824); 1717 } 1718 1719 @Test 1720 @AsbSecurityTest(cveBugId = 26365349) testStagefright_cve_2016_0815()1721 public void testStagefright_cve_2016_0815() throws Exception { 1722 doStagefrightTest(R.raw.cve_2016_0815); 1723 } 1724 1725 @Test 1726 @AsbSecurityTest(cveBugId = 26221024) testStagefright_cve_2016_2454()1727 public void testStagefright_cve_2016_2454() throws Exception { 1728 doStagefrightTest(R.raw.cve_2016_2454); 1729 } 1730 1731 @Test 1732 @AsbSecurityTest(cveBugId = 31449945) testStagefright_cve_2016_6765()1733 public void testStagefright_cve_2016_6765() throws Exception { 1734 doStagefrightTest(R.raw.cve_2016_6765, new CrashUtils.Config().checkMinAddress(false)); 1735 } 1736 1737 @Test 1738 @AsbSecurityTest(cveBugId = 28799341) testStagefright_cve_2016_2508()1739 public void testStagefright_cve_2016_2508() throws Exception { 1740 doStagefrightTest(R.raw.cve_2016_2508, new CrashUtils.Config().checkMinAddress(false)); 1741 } 1742 1743 @Test 1744 @AsbSecurityTest(cveBugId = 31373622) testStagefright_cve_2016_6699()1745 public void testStagefright_cve_2016_6699() throws Exception { 1746 doStagefrightTest(R.raw.cve_2016_6699); 1747 } 1748 1749 @Test 1750 @AsbSecurityTest(cveBugId = 66734153) testStagefright_cve_2017_18155()1751 public void testStagefright_cve_2017_18155() throws Exception { 1752 doStagefrightTest(R.raw.cve_2017_18155); 1753 } 1754 1755 @Test 1756 @AsbSecurityTest(cveBugId = 77599438) testStagefright_cve_2018_9423()1757 public void testStagefright_cve_2018_9423() throws Exception { 1758 doStagefrightTest(R.raw.cve_2018_9423); 1759 } 1760 1761 @Test 1762 @AsbSecurityTest(cveBugId = 29770686) testStagefright_cve_2016_3879()1763 public void testStagefright_cve_2016_3879() throws Exception { 1764 doStagefrightTest(R.raw.cve_2016_3879, new CrashUtils.Config().checkMinAddress(false)); 1765 } 1766 1767 /*********************************************************** 1768 to prevent merge conflicts, add P tests below this comment, 1769 before any existing test methods 1770 ***********************************************************/ 1771 1772 @Test 1773 @AsbSecurityTest(cveBugId = 162756960) testStagefright_cve_2020_11196()1774 public void testStagefright_cve_2020_11196() throws Exception { 1775 doStagefrightTest(R.raw.cve_2020_11196); 1776 } 1777 1778 @Test 1779 @AsbSecurityTest(cveBugId = 112661641) testStagefright_cve_2018_9531()1780 public void testStagefright_cve_2018_9531() throws Exception { 1781 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1782 getInstrumentation().getContext().getPackageManager(), 1783 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1784 int[] frameSizes = getFrameSizes(R.raw.cve_2018_9531_framelen); 1785 CodecConfig codecConfig = new CodecConfig().setAudioParams(48000, 8); 1786 doStagefrightTestRawBlob(R.raw.cve_2018_9531_aac, "audio/mp4a-latm", codecConfig, 1787 frameSizes, new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, 1788 CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1789 } 1790 1791 @Test 1792 @AsbSecurityTest(cveBugId = 140322595) testStagefright_cve_2019_2222()1793 public void testStagefright_cve_2019_2222() throws Exception { 1794 // TODO(b/170987914): This also skips testing hw_codecs. 1795 // Update doStagefrightTestRawBlob to skip just the sw_codec test. 1796 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1797 getInstrumentation().getContext().getPackageManager(), 1798 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1799 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2222_framelen); 1800 doStagefrightTestRawBlob(R.raw.cve_2019_2222_hevc, "video/hevc", 320, 240, frameSizes); 1801 } 1802 doStagefrightTest(final int rid)1803 private void doStagefrightTest(final int rid) throws Exception { 1804 doStagefrightTest(rid, null); 1805 } 1806 1807 /*********************************************************** 1808 to prevent merge conflicts, add Q tests below this comment, 1809 before any existing test methods 1810 ***********************************************************/ 1811 1812 @Test 1813 @AsbSecurityTest(cveBugId = 140692129) testStagefright_cve_2019_2223()1814 public void testStagefright_cve_2019_2223() throws Exception { 1815 // TODO(b/170987914): This also skips testing hw_codecs. 1816 // Update doStagefrightTestRawBlob to skip just the sw_codec test. 1817 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1818 getInstrumentation().getContext().getPackageManager(), 1819 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1820 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2223_framelen); 1821 doStagefrightTestRawBlob(R.raw.cve_2019_2223_hevc, "video/hevc", 320, 240, frameSizes); 1822 } 1823 1824 @Test 1825 @AsbSecurityTest(cveBugId = 118399205) testStagefright_cve_2019_1989()1826 public void testStagefright_cve_2019_1989() throws Exception { 1827 Object obj[] = getFrameInfo(R.raw.cve_2019_1989_info); 1828 int[] isHeader = (int[])obj [0]; 1829 int[] frameSizes = (int[])obj [1]; 1830 doStagefrightTestRawBlob(R.raw.cve_2019_1989_h264, "video/avc", 1831 1920, 1080, frameSizes, isHeader, new CrashUtils.Config()); 1832 } 1833 doStagefrightTest(final int rid, CrashUtils.Config config)1834 private void doStagefrightTest(final int rid, CrashUtils.Config config) throws Exception { 1835 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1836 policy.setCleartextTrafficPermitted(true); 1837 doStagefrightTestMediaPlayer(rid, config); 1838 doStagefrightTestMediaCodec(rid, config); 1839 doStagefrightTestMediaMetadataRetriever(rid, config); 1840 1841 Context context = getInstrumentation().getContext(); 1842 CtsTestServer server = null; 1843 try { 1844 server = new CtsTestServer(context); 1845 } catch (BindException e) { 1846 // Instant Apps security policy does not allow 1847 // listening for incoming connections. 1848 // Server based tests cannot be run. 1849 return; 1850 } 1851 Resources resources = context.getResources(); 1852 String rname = resources.getResourceEntryName(rid); 1853 String url = server.getAssetUrl("raw/" + rname); 1854 verifyServer(rid, url); 1855 doStagefrightTestMediaPlayer(url, config); 1856 doStagefrightTestMediaCodec(url, config); 1857 doStagefrightTestMediaMetadataRetriever(url, config); 1858 policy.setCleartextTrafficPermitted(false); 1859 server.shutdown(); 1860 } 1861 1862 // verify that CtsTestServer is functional by retrieving the asset 1863 // and comparing it to the resource verifyServer(final int rid, final String uri)1864 private void verifyServer(final int rid, final String uri) throws Exception { 1865 Log.i(TAG, "checking server"); 1866 URL url = new URL(uri); 1867 InputStream in1 = new BufferedInputStream(url.openStream()); 1868 1869 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1870 .openRawResourceFd(rid); 1871 InputStream in2 = new BufferedInputStream(fd.createInputStream()); 1872 1873 while (true) { 1874 int b1 = in1.read(); 1875 int b2 = in2.read(); 1876 assertEquals("CtsTestServer fail", b1, b2); 1877 if (b1 < 0) { 1878 break; 1879 } 1880 } 1881 1882 in1.close(); 1883 in2.close(); 1884 Log.i(TAG, "checked server"); 1885 } 1886 doStagefrightTest(final int rid, int timeout)1887 private void doStagefrightTest(final int rid, int timeout) throws Exception { 1888 doStagefrightTest(rid, null, timeout); 1889 } 1890 doStagefrightTest( final int rid, CrashUtils.Config config, int timeout)1891 private void doStagefrightTest( 1892 final int rid, CrashUtils.Config config, int timeout) throws Exception { 1893 runWithTimeout(new Runnable() { 1894 @Override 1895 public void run() { 1896 try { 1897 doStagefrightTest(rid, config); 1898 } catch (Exception e) { 1899 fail(e.toString()); 1900 } 1901 } 1902 }, timeout); 1903 } 1904 doStagefrightTestANR(final int rid)1905 private void doStagefrightTestANR(final int rid) throws Exception { 1906 doStagefrightTestANR(rid, null); 1907 } 1908 doStagefrightTestANR( final int rid, CrashUtils.Config config)1909 private void doStagefrightTestANR( 1910 final int rid, CrashUtils.Config config) throws Exception { 1911 doStagefrightTestMediaPlayerANR(rid, null, config); 1912 } 1913 getCrashReport(String testname, long timeout)1914 public JSONArray getCrashReport(String testname, long timeout) 1915 throws InterruptedException { 1916 Log.i(TAG, CrashUtils.UPLOAD_REQUEST); 1917 File reportFile = new File(CrashUtils.DEVICE_PATH, testname); 1918 File lockFile = new File(CrashUtils.DEVICE_PATH, CrashUtils.LOCK_FILENAME); 1919 while ((!reportFile.exists() || !lockFile.exists()) && timeout > 0) { 1920 Thread.sleep(CHECK_INTERVAL); 1921 timeout -= CHECK_INTERVAL; 1922 } 1923 1924 if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) { 1925 Log.e(TAG, "couldn't get the report or lock file"); 1926 return null; 1927 } 1928 try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) { 1929 StringBuilder json = new StringBuilder(); 1930 String line = reader.readLine(); 1931 while (line != null) { 1932 json.append(line); 1933 line = reader.readLine(); 1934 } 1935 return new JSONArray(json.toString()); 1936 } catch (IOException | JSONException e) { 1937 Log.e(TAG, "Failed to deserialize crash list with error " + e.getMessage()); 1938 return null; 1939 } 1940 } 1941 1942 class MediaPlayerCrashListener 1943 implements MediaPlayer.OnErrorListener, 1944 MediaPlayer.OnPreparedListener, 1945 MediaPlayer.OnCompletionListener { 1946 1947 CrashUtils.Config config; 1948 1949 private final Pattern[] validProcessPatterns = { 1950 Pattern.compile("adsprpcd"), 1951 Pattern.compile("android\\.hardware\\.cas@\\d+?\\.\\d+?-service"), 1952 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service"), 1953 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.clearkey"), 1954 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.widevine"), 1955 Pattern.compile("omx@\\d+?\\.\\d+?-service"), // name:omx@1.0-service 1956 Pattern.compile("android\\.process\\.media"), 1957 Pattern.compile("mediadrmserver"), 1958 Pattern.compile("mediaextractor"), 1959 Pattern.compile("media\\.extractor"), 1960 Pattern.compile("media\\.metrics"), 1961 Pattern.compile("mediaserver"), 1962 Pattern.compile("media\\.codec"), 1963 Pattern.compile("media\\.swcodec"), 1964 Pattern.compile("\\[?sdcard\\]?"), // name:/system/bin/sdcard, user:media_rw 1965 // Match any vendor processes. 1966 // It should only catch crashes that happen during the test. 1967 Pattern.compile("vendor.*"), 1968 }; 1969 MediaPlayerCrashListener()1970 MediaPlayerCrashListener() { 1971 this(null); 1972 } 1973 MediaPlayerCrashListener(CrashUtils.Config config)1974 MediaPlayerCrashListener(CrashUtils.Config config) { 1975 if (config == null) { 1976 config = new CrashUtils.Config(); 1977 } 1978 // if a different process is needed for a test, it should be added to the main list. 1979 config.setProcessPatterns(validProcessPatterns); 1980 this.config = config; 1981 } 1982 1983 @Override onError(MediaPlayer mp, int newWhat, int extra)1984 public boolean onError(MediaPlayer mp, int newWhat, int extra) { 1985 Log.i(TAG, "error: " + newWhat + "/" + extra); 1986 // don't overwrite a more severe error with a less severe one 1987 if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 1988 what = newWhat; 1989 } 1990 1991 lock.lock(); 1992 errored = true; 1993 condition.signal(); 1994 lock.unlock(); 1995 1996 return true; // don't call oncompletion 1997 } 1998 1999 @Override onPrepared(MediaPlayer mp)2000 public void onPrepared(MediaPlayer mp) { 2001 mp.start(); 2002 } 2003 2004 @Override onCompletion(MediaPlayer mp)2005 public void onCompletion(MediaPlayer mp) { 2006 // preserve error condition, if any 2007 lock.lock(); 2008 completed = true; 2009 condition.signal(); 2010 lock.unlock(); 2011 } 2012 waitForError()2013 public int waitForError() throws InterruptedException { 2014 lock.lock(); 2015 if (!errored && !completed) { 2016 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 2017 Log.d(TAG, "timed out on waiting for error. " + 2018 "errored: " + errored + ", completed: " + completed); 2019 } 2020 } 2021 lock.unlock(); 2022 if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 2023 // Sometimes mediaserver signals a decoding error first, and *then* crashes 2024 // due to additional in-flight buffers being processed, so wait a little 2025 // and see if more errors show up. 2026 Log.e(TAG, "couldn't get media crash yet, waiting 1 second"); 2027 SystemClock.sleep(1000); 2028 JSONArray crashes = getCrashReport(name.getMethodName(), 5000); 2029 if (crashes == null) { 2030 Log.e(TAG, "Crash results not found for test " + name.getMethodName()); 2031 return what; 2032 } else if (CrashUtils.securityCrashDetected(crashes, config)) { 2033 return what; 2034 } else { 2035 Log.i(TAG, "Crash ignored due to no security crash found for test " + 2036 name.getMethodName()); 2037 // 0 is the code for no error. 2038 return 0; 2039 } 2040 } 2041 Log.d(TAG, "waitForError finished with no errors."); 2042 return what; 2043 } 2044 waitForErrorOrCompletion()2045 public boolean waitForErrorOrCompletion() throws InterruptedException { 2046 lock.lock(); 2047 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 2048 Log.d(TAG, "timed out on waiting for error or completion"); 2049 } 2050 lock.unlock(); 2051 return (what != 0 && what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) || completed; 2052 } 2053 2054 ReentrantLock lock = new ReentrantLock(); 2055 Condition condition = lock.newCondition(); 2056 int what; 2057 boolean completed = false; 2058 boolean errored = false; 2059 } 2060 2061 class LooperThread extends Thread { 2062 private Looper mLooper; 2063 LooperThread(Runnable runner)2064 LooperThread(Runnable runner) { 2065 super(runner); 2066 } 2067 2068 @Override run()2069 public void run() { 2070 Looper.prepare(); 2071 mLooper = Looper.myLooper(); 2072 super.run(); 2073 } 2074 stopLooper()2075 public void stopLooper() { 2076 mLooper.quitSafely(); 2077 } 2078 } 2079 doStagefrightTestMediaPlayer(final int rid)2080 private void doStagefrightTestMediaPlayer(final int rid) throws Exception { 2081 doStagefrightTestMediaPlayer(rid, null, null); 2082 } 2083 doStagefrightTestMediaPlayer( final int rid, CrashUtils.Config config)2084 private void doStagefrightTestMediaPlayer( 2085 final int rid, CrashUtils.Config config) throws Exception { 2086 doStagefrightTestMediaPlayer(rid, null, config); 2087 } 2088 doStagefrightTestMediaPlayer(final String url)2089 private void doStagefrightTestMediaPlayer(final String url) throws Exception { 2090 doStagefrightTestMediaPlayer(url, null); 2091 } 2092 doStagefrightTestMediaPlayer( final String url, CrashUtils.Config config)2093 private void doStagefrightTestMediaPlayer( 2094 final String url, CrashUtils.Config config) throws Exception { 2095 doStagefrightTestMediaPlayer(-1, url, config); 2096 } 2097 closeQuietly(AutoCloseable closeable)2098 private void closeQuietly(AutoCloseable closeable) { 2099 if (closeable != null) { 2100 try { 2101 closeable.close(); 2102 } catch (RuntimeException rethrown) { 2103 throw rethrown; 2104 } catch (Exception ignored) { 2105 } 2106 } 2107 } 2108 doStagefrightTestMediaPlayer(final int rid, final String uri)2109 private void doStagefrightTestMediaPlayer(final int rid, final String uri) throws Exception { 2110 doStagefrightTestMediaPlayer(rid, uri, null); 2111 } 2112 doStagefrightTestMediaPlayer(final int rid, final String uri, CrashUtils.Config config)2113 private void doStagefrightTestMediaPlayer(final int rid, final String uri, 2114 CrashUtils.Config config) throws Exception { 2115 2116 String name = uri != null ? uri : 2117 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2118 Log.i(TAG, "start mediaplayer test for: " + name); 2119 2120 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2121 2122 LooperThread t = new LooperThread(new Runnable() { 2123 @Override 2124 public void run() { 2125 2126 MediaPlayer mp = new MediaPlayer(); 2127 mp.setOnErrorListener(mpcl); 2128 mp.setOnPreparedListener(mpcl); 2129 mp.setOnCompletionListener(mpcl); 2130 RenderTarget renderTarget = RenderTarget.create(); 2131 Surface surface = renderTarget.getSurface(); 2132 mp.setSurface(surface); 2133 AssetFileDescriptor fd = null; 2134 try { 2135 if (uri == null) { 2136 fd = getInstrumentation().getContext().getResources() 2137 .openRawResourceFd(rid); 2138 2139 mp.setDataSource(fd.getFileDescriptor(), 2140 fd.getStartOffset(), 2141 fd.getLength()); 2142 2143 } else { 2144 mp.setDataSource(uri); 2145 } 2146 mp.prepareAsync(); 2147 } catch (Exception e) { 2148 } finally { 2149 closeQuietly(fd); 2150 } 2151 2152 Looper.loop(); 2153 mp.release(); 2154 renderTarget.destroy(); 2155 } 2156 }); 2157 2158 t.start(); 2159 assertNotEquals("MediaPlayer encountered a security crash when testing MediaPlayer.", 2160 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2161 t.stopLooper(); 2162 t.join(); // wait for thread to exit so we're sure the player was released 2163 } 2164 2165 /* 2166 * b/135207745 2167 */ 2168 @Test 2169 @AsbSecurityTest(cveBugId = 124781927) testStagefright_cve_2019_2129()2170 public void testStagefright_cve_2019_2129() throws Exception { 2171 final int rid = R.raw.cve_2019_2129; 2172 String name = getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2173 Log.i(TAG, "start mediaplayer test for: " + name); 2174 2175 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener() { 2176 @Override 2177 public void onPrepared(MediaPlayer mp) { 2178 super.onPrepared(mp); 2179 mp.setLooping(true); 2180 } 2181 }; 2182 2183 LooperThread t = new LooperThread(new Runnable() { 2184 @Override 2185 public void run() { 2186 MediaPlayer mp = new MediaPlayer(); 2187 mp.setOnErrorListener(mpcl); 2188 mp.setOnPreparedListener(mpcl); 2189 mp.setOnCompletionListener(mpcl); 2190 RenderTarget renderTarget = RenderTarget.create(); 2191 Surface surface = renderTarget.getSurface(); 2192 mp.setSurface(surface); 2193 AssetFileDescriptor fd = null; 2194 try { 2195 fd = getInstrumentation().getContext().getResources().openRawResourceFd(rid); 2196 mp.setOnTimedTextListener(new MediaPlayer.OnTimedTextListener() { 2197 @Override 2198 public void onTimedText(MediaPlayer p, TimedText text) { 2199 if (text != null) { 2200 Log.d(TAG, "text = " + text.getText()); 2201 } 2202 } 2203 }); 2204 mp.setDataSource(fd.getFileDescriptor(), 2205 fd.getStartOffset(), 2206 fd.getLength()); 2207 // keep the original as in poc by not using prepareAsync 2208 mp.prepare(); 2209 mp.selectTrack(2); 2210 } catch (Exception e) { 2211 Log.e(TAG, "Exception is caught " + e.getMessage()); 2212 e.printStackTrace(); 2213 } finally { 2214 closeQuietly(fd); 2215 } 2216 2217 try { 2218 // here to catch & swallow the runtime crash in exception 2219 // after the place where original poc failed in 2220 // java.lang.IllegalArgumentException: parseParcel() 2221 // which is beyond test control. 2222 Looper.loop(); 2223 } catch (RuntimeException e) { 2224 Log.e(TAG, "Exception is caught on Looper.loop() " + e.getMessage()); 2225 e.printStackTrace(); 2226 } 2227 mp.release(); 2228 renderTarget.destroy(); 2229 } 2230 }); 2231 2232 t.start(); 2233 assertNotEquals("MediaPlayer encountered a security crash when testing CVE-2019-2129.", 2234 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2235 t.stopLooper(); 2236 t.join(); // wait for thread to exit so we're sure the player was released 2237 } 2238 doStagefrightTestMediaCodec(final int rid)2239 private void doStagefrightTestMediaCodec(final int rid) throws Exception { 2240 doStagefrightTestMediaCodec(rid, null, null); 2241 } 2242 doStagefrightTestMediaCodec( final int rid, CrashUtils.Config config)2243 private void doStagefrightTestMediaCodec( 2244 final int rid, CrashUtils.Config config) throws Exception { 2245 doStagefrightTestMediaCodec(rid, null, config); 2246 } 2247 doStagefrightTestMediaCodec(final String url)2248 private void doStagefrightTestMediaCodec(final String url) throws Exception { 2249 doStagefrightTestMediaCodec(url, null); 2250 } 2251 doStagefrightTestMediaCodec( final String url, CrashUtils.Config config)2252 private void doStagefrightTestMediaCodec( 2253 final String url, CrashUtils.Config config) throws Exception { 2254 doStagefrightTestMediaCodec(-1, url, config); 2255 } 2256 doStagefrightTestMediaCodec(final int rid, final String url)2257 private void doStagefrightTestMediaCodec(final int rid, final String url) throws Exception { 2258 doStagefrightTestMediaCodec(rid, url, null); 2259 } 2260 doStagefrightTestMediaCodec( final int rid, final String url, CrashUtils.Config config)2261 private void doStagefrightTestMediaCodec( 2262 final int rid, final String url, CrashUtils.Config config) throws Exception { 2263 2264 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2265 2266 LooperThread thr = new LooperThread(new Runnable() { 2267 @Override 2268 public void run() { 2269 2270 MediaPlayer mp = new MediaPlayer(); 2271 mp.setOnErrorListener(mpcl); 2272 try { 2273 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 2274 .openRawResourceFd(R.raw.good); 2275 2276 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2277 // setDataSource has been called 2278 mp.setDataSource(fd.getFileDescriptor(), 2279 fd.getStartOffset(), 2280 fd.getLength()); 2281 fd.close(); 2282 } catch (Exception e) { 2283 // this is a known-good file, so no failure should occur 2284 fail("setDataSource of known-good file failed"); 2285 } 2286 2287 synchronized(mpcl) { 2288 mpcl.notify(); 2289 } 2290 Looper.loop(); 2291 mp.release(); 2292 } 2293 }); 2294 thr.start(); 2295 // wait until the thread has initialized the MediaPlayer 2296 synchronized(mpcl) { 2297 mpcl.wait(); 2298 } 2299 2300 Resources resources = getInstrumentation().getContext().getResources(); 2301 MediaExtractor ex = new MediaExtractor(); 2302 if (url == null) { 2303 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2304 try { 2305 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2306 } catch (IOException e) { 2307 // ignore 2308 } finally { 2309 closeQuietly(fd); 2310 } 2311 } else { 2312 try { 2313 ex.setDataSource(url); 2314 } catch (Exception e) { 2315 // indicative of problems with our tame CTS test web server 2316 } 2317 } 2318 int numtracks = ex.getTrackCount(); 2319 String rname = url != null ? url: resources.getResourceEntryName(rid); 2320 Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks"); 2321 for (int t = 0; t < numtracks; t++) { 2322 // find all the available decoders for this format 2323 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2324 MediaFormat format = null; 2325 try { 2326 format = ex.getTrackFormat(t); 2327 } catch (IllegalArgumentException e) { 2328 Log.e(TAG, "could not get track format for track " + t); 2329 continue; 2330 } 2331 String mime = format.getString(MediaFormat.KEY_MIME); 2332 int numCodecs = MediaCodecList.getCodecCount(); 2333 for (int i = 0; i < numCodecs; i++) { 2334 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2335 if (info.isEncoder()) { 2336 continue; 2337 } 2338 try { 2339 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2340 if (caps != null) { 2341 matchingCodecs.add(info.getName()); 2342 Log.i(TAG, "Found matching codec " + info.getName() + " for track " + t); 2343 } 2344 } catch (IllegalArgumentException e) { 2345 // type is not supported 2346 } 2347 } 2348 2349 if (matchingCodecs.size() == 0) { 2350 Log.w(TAG, "no codecs for track " + t + ", type " + mime); 2351 } 2352 // decode this track once with each matching codec 2353 try { 2354 ex.selectTrack(t); 2355 } catch (IllegalArgumentException e) { 2356 Log.w(TAG, "couldn't select track " + t); 2357 // continue on with codec initialization anyway, since that might still crash 2358 } 2359 for (String codecName: matchingCodecs) { 2360 Log.i(TAG, "Decoding track " + t + " using codec " + codecName); 2361 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 2362 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2363 RenderTarget renderTarget = RenderTarget.create(); 2364 Surface surface = null; 2365 if (mime.startsWith("video/")) { 2366 surface = renderTarget.getSurface(); 2367 } 2368 try { 2369 codec.configure(format, surface, null, 0); 2370 codec.start(); 2371 } catch (Exception e) { 2372 Log.i(TAG, "Failed to start/configure:", e); 2373 } 2374 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2375 try { 2376 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2377 while (true) { 2378 int flags = ex.getSampleFlags(); 2379 long time = ex.getSampleTime(); 2380 ex.getCachedDuration(); 2381 int bufidx = codec.dequeueInputBuffer(5000); 2382 if (bufidx >= 0) { 2383 int n = ex.readSampleData(inputBuffers[bufidx], 0); 2384 if (n < 0) { 2385 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2386 time = 0; 2387 n = 0; 2388 } 2389 codec.queueInputBuffer(bufidx, 0, n, time, flags); 2390 ex.advance(); 2391 } 2392 int status = codec.dequeueOutputBuffer(info, 5000); 2393 if (status >= 0) { 2394 if ((info.flags & MediaCodec.BUFFER_FLAG_END_OF_STREAM) != 0) { 2395 break; 2396 } 2397 if (info.presentationTimeUs > TIMEOUT_NS / 1000) { 2398 Log.d(TAG, "stopping after 10 seconds worth of data"); 2399 break; 2400 } 2401 codec.releaseOutputBuffer(status, true); 2402 } 2403 } 2404 } catch (Exception e) { 2405 // local exceptions ignored, not security issues 2406 } finally { 2407 codec.release(); 2408 renderTarget.destroy(); 2409 } 2410 } 2411 try { 2412 ex.unselectTrack(t); 2413 } catch (IllegalArgumentException e) { 2414 // since we're just cleaning up, we don't care if it fails 2415 } 2416 } 2417 ex.release(); 2418 assertNotEquals("MediaPlayer encountered a security crash when testing media codecs.", 2419 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2420 thr.stopLooper(); 2421 thr.join(); 2422 } 2423 doStagefrightTestMediaMetadataRetriever(final int rid)2424 private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception { 2425 doStagefrightTestMediaMetadataRetriever(rid, null, null); 2426 } doStagefrightTestMediaMetadataRetriever( final int rid, CrashUtils.Config config)2427 private void doStagefrightTestMediaMetadataRetriever( 2428 final int rid, CrashUtils.Config config) throws Exception { 2429 doStagefrightTestMediaMetadataRetriever(rid, null, config); 2430 } 2431 doStagefrightTestMediaMetadataRetriever(final String url)2432 private void doStagefrightTestMediaMetadataRetriever(final String url) throws Exception { 2433 doStagefrightTestMediaMetadataRetriever(url, null); 2434 } 2435 doStagefrightTestMediaMetadataRetriever( final String url, CrashUtils.Config config)2436 private void doStagefrightTestMediaMetadataRetriever( 2437 final String url, CrashUtils.Config config) throws Exception { 2438 doStagefrightTestMediaMetadataRetriever(-1, url, config); 2439 } 2440 doStagefrightTestMediaMetadataRetriever( final int rid, final String url)2441 private void doStagefrightTestMediaMetadataRetriever( 2442 final int rid, final String url) throws Exception { 2443 doStagefrightTestMediaMetadataRetriever(rid, url, null); 2444 } 2445 doStagefrightTestMediaMetadataRetriever( final int rid, final String url, CrashUtils.Config config)2446 private void doStagefrightTestMediaMetadataRetriever( 2447 final int rid, final String url, CrashUtils.Config config) throws Exception { 2448 2449 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2450 2451 LooperThread thr = new LooperThread(new Runnable() { 2452 @Override 2453 public void run() { 2454 2455 MediaPlayer mp = new MediaPlayer(); 2456 mp.setOnErrorListener(mpcl); 2457 AssetFileDescriptor fd = null; 2458 try { 2459 fd = getInstrumentation().getContext().getResources() 2460 .openRawResourceFd(R.raw.good); 2461 2462 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2463 // setDataSource has been called 2464 mp.setDataSource(fd.getFileDescriptor(), 2465 fd.getStartOffset(), 2466 fd.getLength()); 2467 fd.close(); 2468 } catch (Exception e) { 2469 // this is a known-good file, so no failure should occur 2470 fail("setDataSource of known-good file failed"); 2471 } 2472 2473 synchronized(mpcl) { 2474 mpcl.notify(); 2475 } 2476 Looper.loop(); 2477 mp.release(); 2478 } 2479 }); 2480 thr.start(); 2481 // wait until the thread has initialized the MediaPlayer 2482 synchronized(mpcl) { 2483 mpcl.wait(); 2484 } 2485 2486 Resources resources = getInstrumentation().getContext().getResources(); 2487 MediaMetadataRetriever retriever = new MediaMetadataRetriever(); 2488 if (url == null) { 2489 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2490 try { 2491 retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2492 } catch (Exception e) { 2493 // ignore 2494 } finally { 2495 closeQuietly(fd); 2496 } 2497 } else { 2498 try { 2499 retriever.setDataSource(url, new HashMap<String, String>()); 2500 } catch (Exception e) { 2501 // indicative of problems with our tame CTS test web server 2502 } 2503 } 2504 retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION); 2505 retriever.getEmbeddedPicture(); 2506 retriever.getFrameAtTime(); 2507 2508 retriever.release(); 2509 String rname = url != null ? url : resources.getResourceEntryName(rid); 2510 assertNotEquals("MediaPlayer encountered a security crash when retrieving media metadata.", 2511 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2512 thr.stopLooper(); 2513 thr.join(); 2514 } 2515 2516 @Test 2517 @AsbSecurityTest(cveBugId = 36215950) testBug36215950()2518 public void testBug36215950() throws Exception { 2519 doStagefrightTestRawBlob(R.raw.bug_36215950, "video/hevc", 320, 240); 2520 } 2521 2522 @Test 2523 @AsbSecurityTest(cveBugId = 36816007) testBug36816007()2524 public void testBug36816007() throws Exception { 2525 doStagefrightTestRawBlob(R.raw.bug_36816007, "video/avc", 320, 240, 2526 new CrashUtils.Config().checkMinAddress(false)); 2527 } 2528 2529 @Test 2530 @AsbSecurityTest(cveBugId = 36895511) testBug36895511()2531 public void testBug36895511() throws Exception { 2532 doStagefrightTestRawBlob(R.raw.bug_36895511, "video/hevc", 320, 240, 2533 new CrashUtils.Config().checkMinAddress(false)); 2534 } 2535 2536 @Test 2537 @AsbSecurityTest(cveBugId = 64836894) testBug64836894()2538 public void testBug64836894() throws Exception { 2539 doStagefrightTestRawBlob(R.raw.bug_64836894, "video/avc", 320, 240); 2540 } 2541 2542 @Test 2543 @AsbSecurityTest(cveBugId = 35583675) testCve_2017_0687()2544 public void testCve_2017_0687() throws Exception { 2545 doStagefrightTestRawBlob(R.raw.cve_2017_0687, "video/avc", 320, 240); 2546 } 2547 2548 @Test 2549 @AsbSecurityTest(cveBugId = 37207120) testCve_2017_0696()2550 public void testCve_2017_0696() throws Exception { 2551 doStagefrightTestRawBlob(R.raw.cve_2017_0696, "video/avc", 320, 240); 2552 } 2553 2554 @Test 2555 @AsbSecurityTest(cveBugId = 37930177) testBug_37930177()2556 public void testBug_37930177() throws Exception { 2557 doStagefrightTestRawBlob(R.raw.bug_37930177_hevc, "video/hevc", 320, 240); 2558 } 2559 2560 @Test 2561 @AsbSecurityTest(cveBugId = 37712181) testBug_37712181()2562 public void testBug_37712181() throws Exception { 2563 doStagefrightTestRawBlob(R.raw.bug_37712181_hevc, "video/hevc", 320, 240); 2564 } 2565 2566 @Test 2567 @AsbSecurityTest(cveBugId = 70897394) testBug_70897394()2568 public void testBug_70897394() throws Exception { 2569 doStagefrightTestRawBlob(R.raw.bug_70897394_avc, "video/avc", 320, 240, 2570 new CrashUtils.Config().checkMinAddress(false)); 2571 } 2572 2573 @Test 2574 @AsbSecurityTest(cveBugId = 123700383) testBug_123700383()2575 public void testBug_123700383() throws Exception { 2576 assertExtractorDoesNotHang(R.raw.bug_123700383); 2577 } 2578 2579 @Test 2580 @AsbSecurityTest(cveBugId = 127310810) testBug_127310810()2581 public void testBug_127310810() throws Exception { 2582 assertExtractorDoesNotHang(R.raw.bug_127310810); 2583 } 2584 2585 @Test 2586 @AsbSecurityTest(cveBugId = 127312550) testBug_127312550()2587 public void testBug_127312550() throws Exception { 2588 assertExtractorDoesNotHang(R.raw.bug_127312550); 2589 } 2590 2591 @Test 2592 @AsbSecurityTest(cveBugId = 127313223) testBug_127313223()2593 public void testBug_127313223() throws Exception { 2594 assertExtractorDoesNotHang(R.raw.bug_127313223); 2595 } 2596 2597 @Test 2598 @AsbSecurityTest(cveBugId = 127313537) testBug_127313537()2599 public void testBug_127313537() throws Exception { 2600 assertExtractorDoesNotHang(R.raw.bug_127313537); 2601 } 2602 2603 @Test 2604 @AsbSecurityTest(cveBugId = 127313764) testBug_127313764()2605 public void testBug_127313764() throws Exception { 2606 assertExtractorDoesNotHang(R.raw.bug_127313764); 2607 } 2608 getFrameSizes(int rid)2609 private int[] getFrameSizes(int rid) throws IOException { 2610 final Context context = getInstrumentation().getContext(); 2611 final Resources resources = context.getResources(); 2612 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2613 FileInputStream fis = fd.createInputStream(); 2614 byte[] frameInfo = new byte[(int) fd.getLength()]; 2615 fis.read(frameInfo); 2616 fis.close(); 2617 String[] valueStr = new String(frameInfo).trim().split("\\s+"); 2618 int[] frameSizes = new int[valueStr.length]; 2619 for (int i = 0; i < valueStr.length; i++) 2620 frameSizes[i] = Integer.parseInt(valueStr[i]); 2621 return frameSizes; 2622 } 2623 getFrameInfo(int rid)2624 private Object[] getFrameInfo(int rid) throws IOException { 2625 final Context context = getInstrumentation().getContext(); 2626 final Resources resources = context.getResources(); 2627 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2628 FileInputStream fis = fd.createInputStream(); 2629 byte[] frameInfo = new byte[(int) fd.getLength()]; 2630 fis.read(frameInfo); 2631 fis.close(); 2632 String[] lines = new String(frameInfo).trim().split("\\r?\\n"); 2633 int isHeader[] = new int[lines.length]; 2634 int frameSizes[] = new int[lines.length]; 2635 for (int i = 0; i < lines.length; i++) { 2636 String[] values = lines[i].trim().split("\\s+"); 2637 isHeader[i] = Integer.parseInt(values[0]); 2638 frameSizes[i] = Integer.parseInt(values[1]); 2639 } 2640 return new Object[] {isHeader, frameSizes}; 2641 } 2642 runWithTimeout(Runnable runner, int timeout)2643 private void runWithTimeout(Runnable runner, int timeout) { 2644 Thread t = new Thread(runner); 2645 t.start(); 2646 try { 2647 t.join(timeout); 2648 } catch (InterruptedException e) { 2649 fail("operation was interrupted"); 2650 } 2651 if (t.isAlive()) { 2652 fail("operation not completed within timeout of " + timeout + "ms"); 2653 } 2654 } 2655 releaseCodec(final MediaCodec codec)2656 private void releaseCodec(final MediaCodec codec) { 2657 runWithTimeout(new Runnable() { 2658 @Override 2659 public void run() { 2660 codec.release(); 2661 } 2662 }, 5000); 2663 } 2664 doStagefrightTestRawBlob( int rid, String mime, int initWidth, int initHeight)2665 private void doStagefrightTestRawBlob( 2666 int rid, String mime, int initWidth, int initHeight) throws Exception { 2667 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, new CrashUtils.Config()); 2668 } 2669 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, CrashUtils.Config config)2670 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2671 CrashUtils.Config config) throws Exception { 2672 2673 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2674 final Context context = getInstrumentation().getContext(); 2675 final Resources resources = context.getResources(); 2676 2677 LooperThread thr = new LooperThread(new Runnable() { 2678 @Override 2679 public void run() { 2680 2681 MediaPlayer mp = new MediaPlayer(); 2682 mp.setOnErrorListener(mpcl); 2683 AssetFileDescriptor fd = null; 2684 try { 2685 fd = resources.openRawResourceFd(R.raw.good); 2686 2687 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2688 // setDataSource has been called 2689 mp.setDataSource(fd.getFileDescriptor(), 2690 fd.getStartOffset(), 2691 fd.getLength()); 2692 fd.close(); 2693 } catch (Exception e) { 2694 // this is a known-good file, so no failure should occur 2695 fail("setDataSource of known-good file failed"); 2696 } 2697 2698 synchronized(mpcl) { 2699 mpcl.notify(); 2700 } 2701 Looper.loop(); 2702 mp.release(); 2703 } 2704 }); 2705 thr.start(); 2706 // wait until the thread has initialized the MediaPlayer 2707 synchronized(mpcl) { 2708 mpcl.wait(); 2709 } 2710 2711 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2712 byte [] blob = new byte[(int)fd.getLength()]; 2713 FileInputStream fis = fd.createInputStream(); 2714 int numRead = fis.read(blob); 2715 fis.close(); 2716 2717 // find all the available decoders for this format 2718 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2719 int numCodecs = MediaCodecList.getCodecCount(); 2720 for (int i = 0; i < numCodecs; i++) { 2721 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2722 if (info.isEncoder()) { 2723 continue; 2724 } 2725 try { 2726 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2727 if (caps != null) { 2728 matchingCodecs.add(info.getName()); 2729 } 2730 } catch (IllegalArgumentException e) { 2731 // type is not supported 2732 } 2733 } 2734 2735 if (matchingCodecs.size() == 0) { 2736 Log.w(TAG, "no codecs for mime type " + mime); 2737 } 2738 String rname = resources.getResourceEntryName(rid); 2739 // decode this blob once with each matching codec 2740 for (String codecName: matchingCodecs) { 2741 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2742 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2743 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 2744 try { 2745 codec.configure(format, null, null, 0); 2746 codec.start(); 2747 } catch (Exception e) { 2748 Log.i(TAG, "Exception from codec " + codecName); 2749 releaseCodec(codec); 2750 continue; 2751 } 2752 2753 try { 2754 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2755 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2756 // enqueue the bad data a number of times, in case 2757 // the codec needs multiple buffers to fail. 2758 for(int i = 0; i < 64; i++) { 2759 int bufidx = codec.dequeueInputBuffer(5000); 2760 if (bufidx >= 0) { 2761 Log.i(TAG, "got input buffer of size " + inputBuffers[bufidx].capacity()); 2762 inputBuffers[bufidx].rewind(); 2763 inputBuffers[bufidx].put(blob, 0, numRead); 2764 codec.queueInputBuffer(bufidx, 0, numRead, 0, 0); 2765 } else { 2766 Log.i(TAG, "no input buffer"); 2767 } 2768 bufidx = codec.dequeueOutputBuffer(info, 5000); 2769 if (bufidx >= 0) { 2770 Log.i(TAG, "got output buffer"); 2771 codec.releaseOutputBuffer(bufidx, false); 2772 } else { 2773 Log.i(TAG, "no output buffer"); 2774 } 2775 } 2776 } catch (Exception e) { 2777 // ignore, not a security issue 2778 } finally { 2779 releaseCodec(codec); 2780 } 2781 } 2782 2783 assertNotEquals("MediaPlayer encountered a security crash when testing raw blobs.", 2784 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2785 thr.stopLooper(); 2786 thr.join(); 2787 } 2788 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[])2789 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2790 int frameSizes[]) throws Exception { 2791 // check crash address by default 2792 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, frameSizes, new CrashUtils.Config()); 2793 } 2794 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], CrashUtils.Config config)2795 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2796 int frameSizes[], CrashUtils.Config config) throws Exception { 2797 CodecConfig codecConfig = new CodecConfig().setVideoParams(initWidth, initHeight); 2798 doStagefrightTestRawBlob(rid, mime, codecConfig, frameSizes, config); 2799 } 2800 doStagefrightTestRawBlob(int rid, String mime, CodecConfig codecConfig, int frameSizes[], CrashUtils.Config config)2801 private void doStagefrightTestRawBlob(int rid, String mime, CodecConfig codecConfig, 2802 int frameSizes[], CrashUtils.Config config) throws Exception { 2803 2804 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2805 final Context context = getInstrumentation().getContext(); 2806 final Resources resources = context.getResources(); 2807 2808 LooperThread thr = new LooperThread(new Runnable() { 2809 @Override 2810 public void run() { 2811 2812 MediaPlayer mp = new MediaPlayer(); 2813 mp.setOnErrorListener(mpcl); 2814 AssetFileDescriptor fd = null; 2815 try { 2816 fd = resources.openRawResourceFd(R.raw.good); 2817 2818 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2819 // setDataSource has been called 2820 mp.setDataSource(fd.getFileDescriptor(), 2821 fd.getStartOffset(), 2822 fd.getLength()); 2823 fd.close(); 2824 } catch (Exception e) { 2825 // this is a known-good file, so no failure should occur 2826 fail("setDataSource of known-good file failed"); 2827 } 2828 2829 synchronized(mpcl) { 2830 mpcl.notify(); 2831 } 2832 Looper.loop(); 2833 mp.release(); 2834 } 2835 }); 2836 thr.start(); 2837 // wait until the thread has initialized the MediaPlayer 2838 synchronized(mpcl) { 2839 mpcl.wait(); 2840 } 2841 2842 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2843 byte [] blob = new byte[(int)fd.getLength()]; 2844 FileInputStream fis = fd.createInputStream(); 2845 int numRead = fis.read(blob); 2846 fis.close(); 2847 2848 // find all the available decoders for this format 2849 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2850 int numCodecs = MediaCodecList.getCodecCount(); 2851 for (int i = 0; i < numCodecs; i++) { 2852 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2853 if (info.isEncoder()) { 2854 continue; 2855 } 2856 try { 2857 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2858 if (caps != null) { 2859 matchingCodecs.add(info.getName()); 2860 } 2861 } catch (IllegalArgumentException e) { 2862 // type is not supported 2863 } 2864 } 2865 2866 if (matchingCodecs.size() == 0) { 2867 Log.w(TAG, "no codecs for mime type " + mime); 2868 } 2869 String rname = resources.getResourceEntryName(rid); 2870 // decode this blob once with each matching codec 2871 for (String codecName: matchingCodecs) { 2872 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2873 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2874 MediaFormat format; 2875 if (codecConfig.isAudio) { 2876 format = MediaFormat.createAudioFormat(mime, codecConfig.sampleRate, 2877 codecConfig.channelCount); 2878 } else { 2879 format = MediaFormat.createVideoFormat(mime, codecConfig.initWidth, 2880 codecConfig.initHeight); 2881 } 2882 try { 2883 codec.configure(format, null, null, 0); 2884 codec.start(); 2885 } catch (Exception e) { 2886 Log.i(TAG, "Exception from codec " + codecName); 2887 releaseCodec(codec); 2888 continue; 2889 } 2890 2891 try { 2892 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2893 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2894 int numFrames = 0; 2895 if (frameSizes != null) { 2896 numFrames = frameSizes.length; 2897 } 2898 2899 if (0 == numFrames) { 2900 fail("Improper picture length file"); 2901 } 2902 2903 int offset = 0; 2904 int bytesToFeed = 0; 2905 byte [] tempBlob = new byte[(int)inputBuffers[0].capacity()]; 2906 for (int j = 0; j < numFrames; j++) { 2907 int flags = 0; 2908 int bufidx = codec.dequeueInputBuffer(5000); 2909 if (bufidx >= 0) { 2910 inputBuffers[bufidx].rewind(); 2911 if(j == (numFrames - 1)) { 2912 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2913 } 2914 if (codecConfig.isAudio) { 2915 if (j == 0) { 2916 flags = MediaCodec.BUFFER_FLAG_CODEC_CONFIG; 2917 } 2918 inputBuffers[bufidx].put(blob, offset, frameSizes[j]); 2919 bytesToFeed = frameSizes[j]; 2920 } else { 2921 bytesToFeed = Math.min((int) (fd.getLength() - offset), 2922 inputBuffers[bufidx].capacity()); 2923 System.arraycopy(blob, offset, tempBlob, 0, bytesToFeed); 2924 inputBuffers[bufidx].put(tempBlob, 0, inputBuffers[bufidx].capacity()); 2925 } 2926 codec.queueInputBuffer(bufidx, 0, bytesToFeed, 0, flags); 2927 offset = offset + frameSizes[j]; 2928 } else { 2929 Log.i(TAG, "no input buffer"); 2930 } 2931 bufidx = codec.dequeueOutputBuffer(info, 5000); 2932 if (bufidx >= 0) { 2933 codec.releaseOutputBuffer(bufidx, false); 2934 } else { 2935 Log.i(TAG, "no output buffer"); 2936 } 2937 } 2938 } catch (Exception e) { 2939 // ignore, not a security issue 2940 } finally { 2941 releaseCodec(codec); 2942 } 2943 } 2944 2945 assertNotEquals( 2946 "MediaPlayer encountered a security crash when testing raw blobs with frame sizes.", 2947 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2948 thr.stopLooper(); 2949 thr.join(); 2950 } 2951 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], int isHeader[], CrashUtils.Config config)2952 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2953 int frameSizes[], int isHeader[], CrashUtils.Config config) throws Exception { 2954 2955 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2956 final Context context = getInstrumentation().getContext(); 2957 final Resources resources = context.getResources(); 2958 LooperThread thr = new LooperThread(new Runnable() { 2959 @Override 2960 public void run() { 2961 MediaPlayer mp = new MediaPlayer(); 2962 mp.setOnErrorListener(mpcl); 2963 AssetFileDescriptor fd = null; 2964 try { 2965 fd = resources.openRawResourceFd(R.raw.good); 2966 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2967 // setDataSource has been called 2968 mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2969 fd.close(); 2970 } catch (Exception e) { 2971 // this is a known-good file, so no failure should occur 2972 fail("setDataSource of known-good file failed"); 2973 } 2974 synchronized (mpcl) { 2975 mpcl.notify(); 2976 } 2977 Looper.loop(); 2978 mp.release(); 2979 } 2980 }); 2981 thr.start(); 2982 // wait until the thread has initialized the MediaPlayer 2983 synchronized (mpcl) { 2984 mpcl.wait(); 2985 } 2986 2987 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2988 byte[] blob = new byte[(int) fd.getLength()]; 2989 FileInputStream fis = fd.createInputStream(); 2990 int numRead = fis.read(blob); 2991 fis.close(); 2992 2993 // find all the available decoders for this format 2994 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2995 int numCodecs = MediaCodecList.getCodecCount(); 2996 for (int i = 0; i < numCodecs; i++) { 2997 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2998 if (info.isEncoder()) { 2999 continue; 3000 } 3001 try { 3002 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 3003 if (caps != null) { 3004 matchingCodecs.add(info.getName()); 3005 } 3006 } catch (IllegalArgumentException e) { 3007 // type is not supported 3008 } 3009 } 3010 3011 if (matchingCodecs.size() == 0) { 3012 Log.w(TAG, "no codecs for mime type " + mime); 3013 } 3014 String rname = resources.getResourceEntryName(rid); 3015 // decode this blob once with each matching codec 3016 for (String codecName : matchingCodecs) { 3017 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 3018 MediaCodec codec = MediaCodec.createByCodecName(codecName); 3019 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 3020 try { 3021 codec.configure(format, null, null, 0); 3022 codec.start(); 3023 } catch (Exception e) { 3024 Log.i(TAG, "Exception from codec " + codecName); 3025 releaseCodec(codec); 3026 continue; 3027 } 3028 try { 3029 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 3030 ByteBuffer[] inputBuffers = codec.getInputBuffers(); 3031 int numFrames = 0; 3032 if (frameSizes != null) { 3033 numFrames = frameSizes.length; 3034 } 3035 if (0 == numFrames) { 3036 fail("Improper picture length file"); 3037 } 3038 int offset = 0; 3039 int j = 0; 3040 while (j < numFrames) { 3041 int flags = 0; 3042 int bufidx = codec.dequeueInputBuffer(5000); 3043 if (bufidx >= 0) { 3044 inputBuffers[bufidx].rewind(); 3045 Log.i(TAG, "Got buffer index " + bufidx + " with length " 3046 + inputBuffers[bufidx].capacity()); 3047 if (isHeader[j] == 1) { 3048 flags = MediaCodec.BUFFER_FLAG_CODEC_CONFIG; 3049 } 3050 if (j == (numFrames - 1)) { 3051 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 3052 } 3053 Log.i(TAG, "Feeding frame " + j + " with framelen " + frameSizes[j] 3054 + " offset " + offset + " and flags " + flags); 3055 inputBuffers[bufidx].put(blob, offset, frameSizes[j]); 3056 codec.queueInputBuffer(bufidx, 0, frameSizes[j], 0, flags); 3057 offset = offset + frameSizes[j]; 3058 j++; 3059 } else { 3060 Log.i(TAG, "no input buffer"); 3061 } 3062 bufidx = codec.dequeueOutputBuffer(info, 5000); 3063 if (bufidx >= 0) { 3064 codec.releaseOutputBuffer(bufidx, false); 3065 } else { 3066 Log.i(TAG, "no output buffer"); 3067 } 3068 } 3069 } catch (Exception e) { 3070 // ignore, not a security issue 3071 } finally { 3072 releaseCodec(codec); 3073 } 3074 } 3075 String cve = rname.replace("_", "-").toUpperCase(); 3076 assertFalse("Device *IS* vulnerable to " + cve, 3077 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 3078 thr.stopLooper(); 3079 thr.join(); 3080 } 3081 doStagefrightTestMediaPlayerANR(final int rid, final String uri)3082 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri) throws Exception { 3083 doStagefrightTestMediaPlayerANR(rid, uri, null); 3084 } 3085 doStagefrightTestMediaPlayerANR(final int rid, final String uri, CrashUtils.Config config)3086 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri, 3087 CrashUtils.Config config) throws Exception { 3088 String name = uri != null ? uri : 3089 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 3090 Log.i(TAG, "start mediaplayerANR test for: " + name); 3091 3092 final MediaPlayerCrashListener mpl = new MediaPlayerCrashListener(config); 3093 3094 LooperThread t = new LooperThread(new Runnable() { 3095 @Override 3096 public void run() { 3097 MediaPlayer mp = new MediaPlayer(); 3098 mp.setOnErrorListener(mpl); 3099 mp.setOnPreparedListener(mpl); 3100 mp.setOnCompletionListener(mpl); 3101 RenderTarget renderTarget = RenderTarget.create(); 3102 Surface surface = renderTarget.getSurface(); 3103 mp.setSurface(surface); 3104 AssetFileDescriptor fd = null; 3105 try { 3106 if (uri == null) { 3107 fd = getInstrumentation().getContext().getResources() 3108 .openRawResourceFd(rid); 3109 3110 mp.setDataSource(fd.getFileDescriptor(), 3111 fd.getStartOffset(), 3112 fd.getLength()); 3113 } else { 3114 mp.setDataSource(uri); 3115 } 3116 mp.prepareAsync(); 3117 } catch (Exception e) { 3118 } finally { 3119 closeQuietly(fd); 3120 } 3121 3122 Looper.loop(); 3123 mp.release(); 3124 renderTarget.destroy(); 3125 } 3126 }); 3127 3128 t.start(); 3129 assertTrue("MediaPlayer failed to complete when testing ANR.", 3130 mpl.waitForErrorOrCompletion()); 3131 t.stopLooper(); 3132 t.join(); // wait for thread to exit so we're sure the player was released 3133 } 3134 doStagefrightTestExtractorSeek(final int rid, final long offset)3135 private void doStagefrightTestExtractorSeek(final int rid, final long offset) throws Exception { 3136 doStagefrightTestExtractorSeek(rid, offset, new CrashUtils.Config()); // check crash address by default 3137 } 3138 doStagefrightTestExtractorSeek(final int rid, final long offset, CrashUtils.Config config)3139 private void doStagefrightTestExtractorSeek(final int rid, final long offset, 3140 CrashUtils.Config config) throws Exception { 3141 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 3142 LooperThread thr = new LooperThread(new Runnable() { 3143 @Override 3144 public void run() { 3145 MediaPlayer mp = new MediaPlayer(); 3146 mp.setOnErrorListener(mpcl); 3147 try { 3148 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 3149 .openRawResourceFd(R.raw.good); 3150 mp.setDataSource(fd.getFileDescriptor(), 3151 fd.getStartOffset(), 3152 fd.getLength()); 3153 fd.close(); 3154 } catch (Exception e) { 3155 fail("setDataSource of known-good file failed"); 3156 } 3157 synchronized(mpcl) { 3158 mpcl.notify(); 3159 } 3160 Looper.loop(); 3161 mp.release(); 3162 } 3163 }); 3164 thr.start(); 3165 synchronized(mpcl) { 3166 mpcl.wait(); 3167 } 3168 Resources resources = getInstrumentation().getContext().getResources(); 3169 MediaExtractor ex = new MediaExtractor(); 3170 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 3171 try { 3172 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3173 } catch (IOException e) { 3174 } finally { 3175 closeQuietly(fd); 3176 } 3177 int numtracks = ex.getTrackCount(); 3178 String rname = resources.getResourceEntryName(rid); 3179 Log.i(TAG, "start mediaextractor test for: " + rname + ", which has " + numtracks + " tracks"); 3180 for (int t = 0; t < numtracks; t++) { 3181 try { 3182 ex.selectTrack(t); 3183 } catch (IllegalArgumentException e) { 3184 Log.w(TAG, "couldn't select track " + t); 3185 } 3186 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 3187 ex.advance(); 3188 ex.seekTo(offset, MediaExtractor.SEEK_TO_NEXT_SYNC); 3189 try 3190 { 3191 ex.unselectTrack(t); 3192 } 3193 catch (Exception e) { 3194 } 3195 } 3196 ex.release(); 3197 assertNotEquals("MediaPlayer encountered a security crash when testing extractor seeking.", 3198 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 3199 thr.stopLooper(); 3200 thr.join(); 3201 } 3202 assertExtractorDoesNotHang(int rid)3203 protected void assertExtractorDoesNotHang(int rid) throws Exception { 3204 // The media extractor has a watchdog, currently set to 10 seconds. 3205 final long timeoutMs = 12 * 1000; 3206 3207 Thread thread = new Thread(() -> { 3208 MediaExtractor ex = new MediaExtractor(); 3209 AssetFileDescriptor fd = 3210 getInstrumentation().getContext().getResources().openRawResourceFd(rid); 3211 try { 3212 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3213 } catch (IOException e) { 3214 // It is OK for the call to fail, we're only making sure it doesn't hang. 3215 } finally { 3216 closeQuietly(fd); 3217 ex.release(); 3218 } 3219 }); 3220 thread.start(); 3221 3222 thread.join(timeoutMs); 3223 boolean hung = thread.isAlive(); 3224 if (hung) { 3225 // We don't have much to do at this point. Attempt to un-hang the thread, the media 3226 // extractor process is likely still spinning. At least we found a bug... 3227 // TODO: reboot the media extractor process. 3228 thread.interrupt(); 3229 } 3230 3231 assertFalse(hung); 3232 } 3233 getInstrumentation()3234 private Instrumentation getInstrumentation() { 3235 return mInstrumentation; 3236 } 3237 } 3238