1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 * 17 * This code was provided to AOSP by Zimperium Inc and was 18 * written by: 19 * 20 * Simone "evilsocket" Margaritelli 21 * Joshua "jduck" Drake 22 */ 23 package android.security.cts; 24 25 import android.app.Instrumentation; 26 import android.content.Context; 27 import android.content.res.AssetFileDescriptor; 28 import android.content.res.Resources; 29 import android.graphics.Bitmap; 30 import android.graphics.BitmapFactory; 31 import android.graphics.SurfaceTexture; 32 import android.media.MediaCodec; 33 import android.media.MediaCodecInfo; 34 import android.media.MediaCodecList; 35 import android.media.MediaExtractor; 36 import android.media.MediaFormat; 37 import android.media.MediaMetadataRetriever; 38 import android.media.MediaPlayer; 39 import android.opengl.GLES20; 40 import android.opengl.GLES11Ext; 41 import android.os.Looper; 42 import android.os.SystemClock; 43 import android.platform.test.annotations.AppModeFull; 44 import android.os.Parcel; 45 import android.platform.test.annotations.AsbSecurityTest; 46 import android.util.Log; 47 import android.view.Surface; 48 import android.webkit.cts.CtsTestServer; 49 50 import com.android.compatibility.common.util.CrashUtils; 51 import com.android.compatibility.common.util.mainline.MainlineModule; 52 import com.android.compatibility.common.util.mainline.ModuleDetector; 53 54 import java.io.BufferedInputStream; 55 import java.io.BufferedReader; 56 import java.io.FileInputStream; 57 import java.io.FileReader; 58 import java.io.IOException; 59 import java.io.InputStream; 60 import java.net.URL; 61 import java.nio.ByteBuffer; 62 import java.io.FileOutputStream; 63 import java.io.ObjectInputStream; 64 import java.io.OutputStream; 65 import java.io.InputStream; 66 import java.net.BindException; 67 import java.net.Socket; 68 import java.net.ServerSocket; 69 import java.io.File; 70 import java.util.ArrayList; 71 import java.util.HashMap; 72 import java.util.concurrent.locks.Condition; 73 import java.util.concurrent.locks.ReentrantLock; 74 import java.util.regex.Pattern; 75 76 import org.json.JSONArray; 77 import org.json.JSONException; 78 import org.json.JSONObject; 79 80 import android.security.cts.R; 81 82 import android.security.NetworkSecurityPolicy; 83 import android.media.TimedText; 84 85 import androidx.test.InstrumentationRegistry; 86 import androidx.test.runner.AndroidJUnit4; 87 88 import org.junit.Rule; 89 import org.junit.rules.TestName; 90 import org.junit.Before; 91 import org.junit.Test; 92 import org.junit.runner.RunWith; 93 94 import static org.junit.Assume.*; 95 import static org.junit.Assert.*; 96 97 /** 98 * Verify that the device is not vulnerable to any known Stagefright 99 * vulnerabilities. 100 */ 101 @AppModeFull 102 @RunWith(AndroidJUnit4.class) 103 public class StagefrightTest { 104 static final String TAG = "StagefrightTest"; 105 private Instrumentation mInstrumentation; 106 107 private final long TIMEOUT_NS = 10000000000L; // 10 seconds. 108 private final static long CHECK_INTERVAL = 50; 109 110 @Rule public TestName name = new TestName(); 111 112 @Before setup()113 public void setup() { 114 mInstrumentation = InstrumentationRegistry.getInstrumentation(); 115 } 116 117 class CodecConfig { 118 boolean isAudio; 119 /* Video Parameters - valid only when isAudio is false */ 120 int initWidth; 121 int initHeight; 122 /* Audio Parameters - valid only when isAudio is true */ 123 int sampleRate; 124 int channelCount; 125 setVideoParams(int initWidth, int initHeight)126 public CodecConfig setVideoParams(int initWidth, int initHeight) { 127 this.isAudio = false; 128 this.initWidth = initWidth; 129 this.initHeight = initHeight; 130 return this; 131 } 132 setAudioParams(int sampleRate, int channelCount)133 public CodecConfig setAudioParams(int sampleRate, int channelCount) { 134 this.isAudio = true; 135 this.sampleRate = sampleRate; 136 this.channelCount = channelCount; 137 return this; 138 } 139 } 140 141 /*********************************************************** 142 to prevent merge conflicts, add K tests below this comment, 143 before any existing test methods 144 ***********************************************************/ 145 146 @Test 147 @AsbSecurityTest(cveBugId = 122472139) testStagefright_cve_2019_2244()148 public void testStagefright_cve_2019_2244() throws Exception { 149 doStagefrightTestRawBlob(R.raw.cve_2019_2244, "video/mpeg2", 320, 420); 150 } 151 152 @Test 153 @AsbSecurityTest(cveBugId = 36725407) testStagefright_bug_36725407()154 public void testStagefright_bug_36725407() throws Exception { 155 doStagefrightTest(R.raw.bug_36725407); 156 } 157 158 @Test 159 @AsbSecurityTest(cveBugId = 29023649) testStagefright_cve_2016_3829()160 public void testStagefright_cve_2016_3829() throws Exception { 161 doStagefrightTest(R.raw.cve_2016_3829, new CrashUtils.Config().checkMinAddress(false)); 162 } 163 164 @Test 165 @AsbSecurityTest(cveBugId = 35645051) testStagefright_cve_2017_0643()166 public void testStagefright_cve_2017_0643() throws Exception { 167 doStagefrightTest(R.raw.cve_2017_0643, new CrashUtils.Config().checkMinAddress(false)); 168 } 169 170 @Test 171 @AsbSecurityTest(cveBugId = 37469795) testStagefright_cve_2017_0728()172 public void testStagefright_cve_2017_0728() throws Exception { 173 doStagefrightTest(R.raw.cve_2017_0728, new CrashUtils.Config().checkMinAddress(false)); 174 } 175 176 @Test 177 @AsbSecurityTest(cveBugId = 62187433) testStagefright_bug_62187433()178 public void testStagefright_bug_62187433() throws Exception { 179 doStagefrightTest(R.raw.bug_62187433); 180 } 181 182 @Test 183 @AsbSecurityTest(cveBugId = 62673844) testStagefrightANR_bug_62673844()184 public void testStagefrightANR_bug_62673844() throws Exception { 185 doStagefrightTestANR(R.raw.bug_62673844); 186 } 187 188 @Test 189 @AsbSecurityTest(cveBugId = 37079296) testStagefright_bug_37079296()190 public void testStagefright_bug_37079296() throws Exception { 191 doStagefrightTest(R.raw.bug_37079296); 192 } 193 194 @Test 195 @AsbSecurityTest(cveBugId = 38342499) testStagefright_bug_38342499()196 public void testStagefright_bug_38342499() throws Exception { 197 doStagefrightTest(R.raw.bug_38342499); 198 } 199 200 @Test 201 @AsbSecurityTest(cveBugId = 22771132) testStagefright_bug_22771132()202 public void testStagefright_bug_22771132() throws Exception { 203 doStagefrightTest(R.raw.bug_22771132); 204 } 205 206 @Test 207 @AsbSecurityTest(cveBugId = 21443020) testStagefright_bug_21443020()208 public void testStagefright_bug_21443020() throws Exception { 209 doStagefrightTest(R.raw.bug_21443020_webm); 210 } 211 212 @Test 213 @AsbSecurityTest(cveBugId = 34360591) testStagefright_bug_34360591()214 public void testStagefright_bug_34360591() throws Exception { 215 doStagefrightTest(R.raw.bug_34360591); 216 } 217 218 @Test 219 @AsbSecurityTest(cveBugId = 35763994) testStagefright_bug_35763994()220 public void testStagefright_bug_35763994() throws Exception { 221 doStagefrightTest(R.raw.bug_35763994, new CrashUtils.Config().checkMinAddress(false)); 222 } 223 224 @Test 225 @AsbSecurityTest(cveBugId = 33137046) testStagefright_bug_33137046()226 public void testStagefright_bug_33137046() throws Exception { 227 doStagefrightTest(R.raw.bug_33137046); 228 } 229 230 @Test 231 @AsbSecurityTest(cveBugId = 28532266) testStagefright_cve_2016_2507()232 public void testStagefright_cve_2016_2507() throws Exception { 233 doStagefrightTest(R.raw.cve_2016_2507, new CrashUtils.Config().checkMinAddress(false)); 234 } 235 236 @Test 237 @AsbSecurityTest(cveBugId = 31647370) testStagefright_bug_31647370()238 public void testStagefright_bug_31647370() throws Exception { 239 doStagefrightTest(R.raw.bug_31647370); 240 } 241 242 @Test 243 @AsbSecurityTest(cveBugId = 32577290) testStagefright_bug_32577290()244 public void testStagefright_bug_32577290() throws Exception { 245 doStagefrightTest(R.raw.bug_32577290); 246 } 247 248 @Test 249 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_1()250 public void testStagefright_cve_2015_1538_1() throws Exception { 251 doStagefrightTest(R.raw.cve_2015_1538_1); 252 } 253 254 @Test 255 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_2()256 public void testStagefright_cve_2015_1538_2() throws Exception { 257 doStagefrightTest(R.raw.cve_2015_1538_2); 258 } 259 260 @Test 261 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_3()262 public void testStagefright_cve_2015_1538_3() throws Exception { 263 doStagefrightTest(R.raw.cve_2015_1538_3); 264 } 265 266 @Test 267 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_4()268 public void testStagefright_cve_2015_1538_4() throws Exception { 269 doStagefrightTest(R.raw.cve_2015_1538_4); 270 } 271 272 @Test 273 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1539()274 public void testStagefright_cve_2015_1539() throws Exception { 275 doStagefrightTest(R.raw.cve_2015_1539); 276 } 277 278 @Test 279 @AsbSecurityTest(cveBugId = 21468251) testStagefright_cve_2015_3824()280 public void testStagefright_cve_2015_3824() throws Exception { 281 doStagefrightTest(R.raw.cve_2015_3824); 282 } 283 284 @Test 285 @AsbSecurityTest(cveBugId = 21467632) testStagefright_cve_2015_3826()286 public void testStagefright_cve_2015_3826() throws Exception { 287 doStagefrightTest(R.raw.cve_2015_3826); 288 } 289 290 @Test 291 @AsbSecurityTest(cveBugId = 21468053) testStagefright_cve_2015_3827()292 public void testStagefright_cve_2015_3827() throws Exception { 293 doStagefrightTest(R.raw.cve_2015_3827); 294 } 295 296 @Test 297 @AsbSecurityTest(cveBugId = 21467634) testStagefright_cve_2015_3828()298 public void testStagefright_cve_2015_3828() throws Exception { 299 doStagefrightTest(R.raw.cve_2015_3828); 300 } 301 302 @Test 303 @AsbSecurityTest(cveBugId = 21467767) testStagefright_cve_2015_3829()304 public void testStagefright_cve_2015_3829() throws Exception { 305 doStagefrightTest(R.raw.cve_2015_3829); 306 } 307 308 @Test 309 @AsbSecurityTest(cveBugId = 21132860) testStagefright_cve_2015_3836()310 public void testStagefright_cve_2015_3836() throws Exception { 311 doStagefrightTest(R.raw.cve_2015_3836); 312 } 313 314 @Test 315 @AsbSecurityTest(cveBugId = 23034759) testStagefright_cve_2015_3864()316 public void testStagefright_cve_2015_3864() throws Exception { 317 doStagefrightTest(R.raw.cve_2015_3864); 318 } 319 320 @Test 321 @AsbSecurityTest(cveBugId = 23034759) testStagefright_cve_2015_3864_b23034759()322 public void testStagefright_cve_2015_3864_b23034759() throws Exception { 323 doStagefrightTest(R.raw.cve_2015_3864_b23034759); 324 } 325 326 @Test 327 @AsbSecurityTest(cveBugId = 23306638) testStagefright_cve_2015_6598()328 public void testStagefright_cve_2015_6598() throws Exception { 329 doStagefrightTest(R.raw.cve_2015_6598); 330 } 331 332 @Test 333 @AsbSecurityTest(cveBugId = 31318219) testStagefright_cve_2016_6766()334 public void testStagefright_cve_2016_6766() throws Exception { 335 doStagefrightTest(R.raw.cve_2016_6766); 336 } 337 338 @Test 339 @AsbSecurityTest(cveBugId = 27211885) testStagefright_cve_2016_2429_b_27211885()340 public void testStagefright_cve_2016_2429_b_27211885() throws Exception { 341 doStagefrightTest(R.raw.cve_2016_2429_b_27211885, 342 new CrashUtils.Config().checkMinAddress(false)); 343 } 344 345 @Test 346 @AsbSecurityTest(cveBugId = 34031018) testStagefright_bug_34031018()347 public void testStagefright_bug_34031018() throws Exception { 348 doStagefrightTest(R.raw.bug_34031018_32bit, new CrashUtils.Config().checkMinAddress(false)); 349 doStagefrightTest(R.raw.bug_34031018_64bit, new CrashUtils.Config().checkMinAddress(false)); 350 } 351 352 /*********************************************************** 353 to prevent merge conflicts, add L tests below this comment, 354 before any existing test methods 355 ***********************************************************/ 356 357 @Test 358 @AsbSecurityTest(cveBugId = 65123471) testStagefright_bug_65123471()359 public void testStagefright_bug_65123471() throws Exception { 360 doStagefrightTest(R.raw.bug_65123471); 361 } 362 363 @Test 364 @AsbSecurityTest(cveBugId = 72165027) testStagefright_bug_72165027()365 public void testStagefright_bug_72165027() throws Exception { 366 doStagefrightTest(R.raw.bug_72165027); 367 } 368 369 @Test 370 @AsbSecurityTest(cveBugId = 65483665) testStagefright_bug_65483665()371 public void testStagefright_bug_65483665() throws Exception { 372 doStagefrightTest(R.raw.bug_65483665); 373 } 374 375 @Test 376 @AsbSecurityTest(cveBugId = 62815506) testStagefright_cve_2017_0852_b_62815506()377 public void testStagefright_cve_2017_0852_b_62815506() throws Exception { 378 doStagefrightTest(R.raw.cve_2017_0852_b_62815506, 379 new CrashUtils.Config().checkMinAddress(false)); 380 } 381 382 @Test 383 @AsbSecurityTest(cveBugId = 68160703) testStagefright_cve_2017_13229()384 public void testStagefright_cve_2017_13229() throws Exception { 385 doStagefrightTest(R.raw.cve_2017_13229); 386 } 387 388 @Test 389 @AsbSecurityTest(cveBugId = 62534693) testStagefright_cve_2017_0763()390 public void testStagefright_cve_2017_0763() throws Exception { 391 doStagefrightTest(R.raw.cve_2017_0763); 392 } 393 394 /*********************************************************** 395 to prevent merge conflicts, add M tests below this comment, 396 before any existing test methods 397 ***********************************************************/ 398 399 @Test 400 @AsbSecurityTest(cveBugId = 73965890) testBug_73965890()401 public void testBug_73965890() throws Exception { 402 int[] frameSizes = getFrameSizes(R.raw.bug_73965890_framelen); 403 doStagefrightTestRawBlob(R.raw.bug_73965890_hevc, "video/hevc", 320, 240, frameSizes); 404 } 405 406 @Test 407 @AsbSecurityTest(cveBugId = 30744884) testStagefright_cve_2016_3920()408 public void testStagefright_cve_2016_3920() throws Exception { 409 doStagefrightTest(R.raw.cve_2016_3920, new CrashUtils.Config().checkMinAddress(false)); 410 } 411 412 @Test 413 @AsbSecurityTest(cveBugId = 38448381) testStagefright_bug_38448381()414 public void testStagefright_bug_38448381() throws Exception { 415 doStagefrightTest(R.raw.bug_38448381); 416 } 417 418 @Test 419 @AsbSecurityTest(cveBugId = 28166152) testStagefright_cve_2016_3821()420 public void testStagefright_cve_2016_3821() throws Exception { 421 doStagefrightTest(R.raw.cve_2016_3821, new CrashUtils.Config().checkMinAddress(false)); 422 } 423 424 @Test 425 @AsbSecurityTest(cveBugId = 70897454) testStagefright_bug_70897454()426 public void testStagefright_bug_70897454() throws Exception { 427 doStagefrightTestRawBlob(R.raw.b70897454_avc, "video/avc", 320, 420); 428 } 429 430 @Test 431 @AsbSecurityTest(cveBugId = 28165659) testStagefright_cve_2016_3742_b_28165659()432 public void testStagefright_cve_2016_3742_b_28165659() throws Exception { 433 doStagefrightTest(R.raw.cve_2016_3742_b_28165659); 434 } 435 436 @Test 437 @AsbSecurityTest(cveBugId = 35039946) testStagefright_bug_35039946()438 public void testStagefright_bug_35039946() throws Exception { 439 doStagefrightTestRawBlob(R.raw.bug_35039946_hevc, "video/hevc", 320, 420); 440 } 441 442 @Test 443 @AsbSecurityTest(cveBugId = 38115076) testStagefright_bug_38115076()444 public void testStagefright_bug_38115076() throws Exception { 445 doStagefrightTest(R.raw.bug_38115076, new CrashUtils.Config().checkMinAddress(false)); 446 } 447 448 @Test 449 @AsbSecurityTest(cveBugId = 34618607) testStagefright_bug_34618607()450 public void testStagefright_bug_34618607() throws Exception { 451 doStagefrightTest(R.raw.bug_34618607, new CrashUtils.Config().checkMinAddress(false)); 452 } 453 454 @Test 455 @AsbSecurityTest(cveBugId = 69478425) testStagefright_bug_69478425()456 public void testStagefright_bug_69478425() throws Exception { 457 doStagefrightTest(R.raw.bug_69478425); 458 } 459 460 @Test 461 @AsbSecurityTest(cveBugId = 65735716) testStagefright_bug_65735716()462 public void testStagefright_bug_65735716() throws Exception { 463 doStagefrightTestRawBlob(R.raw.bug_65735716_avc, "video/avc", 320, 240); 464 } 465 466 @Test 467 @AsbSecurityTest(cveBugId = 65717533) testStagefright_bug_65717533()468 public void testStagefright_bug_65717533() throws Exception { 469 doStagefrightTest(R.raw.bug_65717533_header_corrupt); 470 } 471 472 @Test 473 @AsbSecurityTest(cveBugId = 38239864) testStagefright_bug_38239864()474 public void testStagefright_bug_38239864() throws Exception { 475 doStagefrightTest(R.raw.bug_38239864, (4 * 60 * 1000)); 476 } 477 478 @Test 479 @AsbSecurityTest(cveBugId = 35269635) testStagefright_cve_2017_0600()480 public void testStagefright_cve_2017_0600() throws Exception { 481 doStagefrightTest(R.raw.cve_2017_0600, new CrashUtils.Config().checkMinAddress(false)); 482 } 483 484 @Test 485 @AsbSecurityTest(cveBugId = 38014992) testBug_38014992()486 public void testBug_38014992() throws Exception { 487 int[] frameSizes = getFrameSizes(R.raw.bug_38014992_framelen); 488 doStagefrightTestRawBlob(R.raw.bug_38014992_avc, "video/avc", 640, 480, frameSizes, 489 new CrashUtils.Config().checkMinAddress(false)); 490 } 491 492 @Test 493 @AsbSecurityTest(cveBugId = 35584425) testBug_35584425()494 public void testBug_35584425() throws Exception { 495 int[] frameSizes = getFrameSizes(R.raw.bug_35584425_framelen); 496 doStagefrightTestRawBlob(R.raw.bug_35584425_avc, "video/avc", 352, 288, frameSizes); 497 } 498 499 @Test 500 @AsbSecurityTest(cveBugId = 31092462) testBug_31092462()501 public void testBug_31092462() throws Exception { 502 int[] frameSizes = getFrameSizes(R.raw.bug_31092462_framelen); 503 doStagefrightTestRawBlob(R.raw.bug_31092462_avc, "video/avc", 1280, 1024, frameSizes); 504 } 505 506 @Test 507 @AsbSecurityTest(cveBugId = 34097866) testBug_34097866()508 public void testBug_34097866() throws Exception { 509 int[] frameSizes = getFrameSizes(R.raw.bug_34097866_frame_len); 510 doStagefrightTestRawBlob(R.raw.bug_34097866_avc, "video/avc", 352, 288, frameSizes); 511 } 512 513 @Test 514 @AsbSecurityTest(cveBugId = 33862021) testBug_33862021()515 public void testBug_33862021() throws Exception { 516 int[] frameSizes = getFrameSizes(R.raw.bug_33862021_frame_len); 517 doStagefrightTestRawBlob(R.raw.bug_33862021_hevc, "video/hevc", 160, 96, frameSizes); 518 } 519 520 @Test 521 @AsbSecurityTest(cveBugId = 33387820) testBug_33387820()522 public void testBug_33387820() throws Exception { 523 int[] frameSizes = {45, 3202, 430, 2526}; 524 doStagefrightTestRawBlob(R.raw.bug_33387820_avc, "video/avc", 320, 240, frameSizes, 525 new CrashUtils.Config().checkMinAddress(false)); 526 } 527 528 @Test 529 @AsbSecurityTest(cveBugId = 37008096) testBug_37008096()530 public void testBug_37008096() throws Exception { 531 int[] frameSizes = {245, 12, 33, 140, 164}; 532 doStagefrightTestRawBlob(R.raw.bug_37008096_avc, "video/avc", 320, 240, frameSizes); 533 } 534 535 @Test 536 @AsbSecurityTest(cveBugId = 34231163) testStagefright_bug_34231163()537 public void testStagefright_bug_34231163() throws Exception { 538 int[] frameSizes = {22, 357, 217, 293, 175}; 539 doStagefrightTestRawBlob(R.raw.bug_34231163_mpeg2, "video/mpeg2", 320, 240, frameSizes); 540 } 541 542 @Test 543 @AsbSecurityTest(cveBugId = 33933140) testStagefright_bug_33933140()544 public void testStagefright_bug_33933140() throws Exception { 545 int[] frameSizes = getFrameSizes(R.raw.bug_33933140_framelen); 546 doStagefrightTestRawBlob(R.raw.bug_33933140_avc, "video/avc", 320, 240, frameSizes); 547 } 548 549 @Test 550 @AsbSecurityTest(cveBugId = 34097915) testStagefright_bug_34097915()551 public void testStagefright_bug_34097915() throws Exception { 552 int[] frameSizes = {4140, 593, 0, 15495}; 553 doStagefrightTestRawBlob(R.raw.bug_34097915_avc, "video/avc", 320, 240, frameSizes); 554 } 555 556 @Test 557 @AsbSecurityTest(cveBugId = 34097213) testStagefright_bug_34097213()558 public void testStagefright_bug_34097213() throws Exception { 559 int[] frameSizes = {2571, 210, 33858}; 560 doStagefrightTestRawBlob(R.raw.bug_34097213_avc, "video/avc", 320, 240, frameSizes); 561 } 562 563 @Test 564 @AsbSecurityTest(cveBugId = 28816956) testBug_28816956()565 public void testBug_28816956() throws Exception { 566 int[] frameSizes = getFrameSizes(R.raw.bug_28816956_framelen); 567 doStagefrightTestRawBlob( 568 R.raw.bug_28816956_hevc, "video/hevc", 352, 288, frameSizes, 569 new CrashUtils.Config().checkMinAddress(false)); 570 } 571 572 @Test 573 @AsbSecurityTest(cveBugId = 33818500) testBug_33818500()574 public void testBug_33818500() throws Exception { 575 int[] frameSizes = getFrameSizes(R.raw.bug_33818500_framelen); 576 doStagefrightTestRawBlob(R.raw.bug_33818500_avc, "video/avc", 64, 32, frameSizes, 577 new CrashUtils.Config().checkMinAddress(false)); 578 } 579 580 @Test 581 @AsbSecurityTest(cveBugId = 64784973) testBug_64784973()582 public void testBug_64784973() throws Exception { 583 int[] frameSizes = getFrameSizes(R.raw.bug_64784973_framelen); 584 doStagefrightTestRawBlob(R.raw.bug_64784973_hevc, "video/hevc", 1280, 720, frameSizes); 585 } 586 587 @Test 588 @AsbSecurityTest(cveBugId = 34231231) testBug_34231231()589 public void testBug_34231231() throws Exception { 590 int[] frameSizes = getFrameSizes(R.raw.bug_34231231_framelen); 591 doStagefrightTestRawBlob(R.raw.bug_34231231_mpeg2, "video/mpeg2", 352, 288, frameSizes); 592 } 593 594 @Test 595 @AsbSecurityTest(cveBugId = 63045918) testBug_63045918()596 public void testBug_63045918() throws Exception { 597 int[] frameSizes = getFrameSizes(R.raw.bug_63045918_framelen); 598 doStagefrightTestRawBlob(R.raw.bug_63045918_hevc, "video/hevc", 352, 288, frameSizes); 599 } 600 601 @Test 602 @AsbSecurityTest(cveBugId = 33298089) testBug_33298089()603 public void testBug_33298089() throws Exception { 604 int[] frameSizes = {3247, 430, 221, 2305}; 605 doStagefrightTestRawBlob(R.raw.bug_33298089_avc, "video/avc", 32, 64, frameSizes); 606 } 607 608 @Test 609 @AsbSecurityTest(cveBugId = 34672748) testStagefright_cve_2017_0599()610 public void testStagefright_cve_2017_0599() throws Exception { 611 doStagefrightTest(R.raw.cve_2017_0599, new CrashUtils.Config().checkMinAddress(false)); 612 } 613 614 @Test 615 @AsbSecurityTest(cveBugId = 36492741) testStagefright_bug_36492741()616 public void testStagefright_bug_36492741() throws Exception { 617 doStagefrightTest(R.raw.bug_36492741); 618 } 619 620 @Test 621 @AsbSecurityTest(cveBugId = 38487564) testStagefright_bug_38487564()622 public void testStagefright_bug_38487564() throws Exception { 623 doStagefrightTest(R.raw.bug_38487564, (4 * 60 * 1000)); 624 } 625 626 @Test 627 @AsbSecurityTest(cveBugId = 37237396) testStagefright_bug_37237396()628 public void testStagefright_bug_37237396() throws Exception { 629 doStagefrightTest(R.raw.bug_37237396); 630 } 631 632 @Test 633 @AsbSecurityTest(cveBugId = 25818142) testStagefright_cve_2016_0842()634 public void testStagefright_cve_2016_0842() throws Exception { 635 doStagefrightTest(R.raw.cve_2016_0842); 636 } 637 638 @Test 639 @AsbSecurityTest(cveBugId = 63121644) testStagefright_bug_63121644()640 public void testStagefright_bug_63121644() throws Exception { 641 doStagefrightTest(R.raw.bug_63121644); 642 } 643 644 @Test 645 @AsbSecurityTest(cveBugId = 30593752) testStagefright_cve_2016_6712()646 public void testStagefright_cve_2016_6712() throws Exception { 647 doStagefrightTest(R.raw.cve_2016_6712, new CrashUtils.Config().checkMinAddress(false)); 648 } 649 650 @Test 651 @AsbSecurityTest(cveBugId = 34097231) testStagefright_bug_34097231()652 public void testStagefright_bug_34097231() throws Exception { 653 doStagefrightTestRawBlob(R.raw.bug_34097231_avc, "video/avc", 320, 240); 654 } 655 656 @Test 657 @AsbSecurityTest(cveBugId = 34097672) testStagefright_bug_34097672()658 public void testStagefright_bug_34097672() throws Exception { 659 doStagefrightTest(R.raw.bug_34097672); 660 } 661 662 663 @Test 664 @AsbSecurityTest(cveBugId = 33751193) testStagefright_bug_33751193()665 public void testStagefright_bug_33751193() throws Exception { 666 doStagefrightTestRawBlob(R.raw.bug_33751193_avc, "video/avc", 320, 240); 667 } 668 669 @Test 670 @AsbSecurityTest(cveBugId = 36993291) testBug_36993291()671 public void testBug_36993291() throws Exception { 672 doStagefrightTestRawBlob(R.raw.bug_36993291_avc, "video/avc", 320, 240); 673 } 674 675 @Test 676 @AsbSecurityTest(cveBugId = 33818508) testStagefright_bug_33818508()677 public void testStagefright_bug_33818508() throws Exception { 678 doStagefrightTest(R.raw.bug_33818508, new CrashUtils.Config().checkMinAddress(false)); 679 } 680 681 @Test 682 @AsbSecurityTest(cveBugId = 32873375) testStagefright_bug_32873375()683 public void testStagefright_bug_32873375() throws Exception { 684 doStagefrightTest(R.raw.bug_32873375, new CrashUtils.Config().checkMinAddress(false)); 685 } 686 687 @Test 688 @AsbSecurityTest(cveBugId = 63522067) testStagefright_bug_63522067()689 public void testStagefright_bug_63522067() throws Exception { 690 doStagefrightTestRawBlob(R.raw.bug_63522067_1_hevc, "video/hevc", 320, 420); 691 doStagefrightTestRawBlob(R.raw.bug_63522067_2_hevc, "video/hevc", 320, 420); 692 doStagefrightTestRawBlob(R.raw.bug_63522067_3_hevc, "video/hevc", 320, 420); 693 doStagefrightTestRawBlob(R.raw.bug_63522067_4_hevc, "video/hevc", 320, 420); 694 } 695 696 @Test 697 @AsbSecurityTest(cveBugId = 25765591) testStagefright_bug_25765591()698 public void testStagefright_bug_25765591() throws Exception { 699 doStagefrightTest(R.raw.bug_25765591); 700 } 701 702 @Test 703 @AsbSecurityTest(cveBugId = 62673179) testStagefright_bug_62673179()704 public void testStagefright_bug_62673179() throws Exception { 705 doStagefrightTest(R.raw.bug_62673179_ts, (4 * 60 * 1000)); 706 } 707 708 @Test 709 @AsbSecurityTest(cveBugId = 69269702) testStagefright_bug_69269702()710 public void testStagefright_bug_69269702() throws Exception { 711 doStagefrightTest(R.raw.bug_69269702); 712 } 713 714 @Test 715 @AsbSecurityTest(cveBugId = 23213430) testStagefright_cve_2015_3867()716 public void testStagefright_cve_2015_3867() throws Exception { 717 doStagefrightTest(R.raw.cve_2015_3867); 718 } 719 720 @Test 721 @AsbSecurityTest(cveBugId = 65398821) testStagefright_bug_65398821()722 public void testStagefright_bug_65398821() throws Exception { 723 doStagefrightTest(R.raw.bug_65398821, ( 4 * 60 * 1000 ) ); 724 } 725 726 @Test 727 @AsbSecurityTest(cveBugId = 23036083) testStagefright_cve_2015_3869()728 public void testStagefright_cve_2015_3869() throws Exception { 729 doStagefrightTest(R.raw.cve_2015_3869); 730 } 731 732 @Test 733 @AsbSecurityTest(cveBugId = 23452792) testStagefright_bug_23452792()734 public void testStagefright_bug_23452792() throws Exception { 735 doStagefrightTest(R.raw.bug_23452792); 736 } 737 738 @Test 739 @AsbSecurityTest(cveBugId = 28673410) testStagefright_cve_2016_3820()740 public void testStagefright_cve_2016_3820() throws Exception { 741 doStagefrightTest(R.raw.cve_2016_3820); 742 } 743 744 @Test 745 @AsbSecurityTest(cveBugId = 28165661) testStagefright_cve_2016_3741()746 public void testStagefright_cve_2016_3741() throws Exception { 747 doStagefrightTest(R.raw.cve_2016_3741); 748 } 749 750 @Test 751 @AsbSecurityTest(cveBugId = 28175045) testStagefright_cve_2016_2506()752 public void testStagefright_cve_2016_2506() throws Exception { 753 doStagefrightTest(R.raw.cve_2016_2506); 754 } 755 756 @Test 757 @AsbSecurityTest(cveBugId = 26751339) testStagefright_cve_2016_2428()758 public void testStagefright_cve_2016_2428() throws Exception { 759 doStagefrightTest(R.raw.cve_2016_2428, new CrashUtils.Config().checkMinAddress(false)); 760 } 761 762 @Test 763 @AsbSecurityTest(cveBugId = 28556125) testStagefright_cve_2016_3756()764 public void testStagefright_cve_2016_3756() throws Exception { 765 doStagefrightTest(R.raw.cve_2016_3756); 766 } 767 768 @Test 769 @AsbSecurityTest(cveBugId = 36592202) testStagefright_bug_36592202()770 public void testStagefright_bug_36592202() throws Exception { 771 Resources resources = getInstrumentation().getContext().getResources(); 772 AssetFileDescriptor fd = resources.openRawResourceFd(R.raw.bug_36592202); 773 final int oggPageSize = 25627; 774 byte [] blob = new byte[oggPageSize]; 775 // 127 bytes read and 25500 zeros constitute one Ogg page 776 FileInputStream fis = fd.createInputStream(); 777 int numRead = fis.read(blob); 778 fis.close(); 779 // Creating temp file 780 final File tempFile = File.createTempFile("poc_tmp", ".ogg", null); 781 try { 782 final FileOutputStream tempFos = new FileOutputStream(tempFile.getAbsolutePath()); 783 int bytesWritten = 0; 784 final long oggPagesRequired = 50000; 785 long oggPagesAvailable = tempFile.getUsableSpace() / oggPageSize; 786 long numOggPages = Math.min(oggPagesRequired, oggPagesAvailable); 787 // Repeat data for specified number of pages 788 for (int i = 0; i < numOggPages; i++) { 789 tempFos.write(blob); 790 bytesWritten += oggPageSize; 791 } 792 tempFos.close(); 793 final int fileSize = bytesWritten; 794 final int timeout = (10 * 60 * 1000); 795 runWithTimeout(new Runnable() { 796 @Override 797 public void run() { 798 try { 799 doStagefrightTestMediaCodec(tempFile.getAbsolutePath(), 800 new CrashUtils.Config().checkMinAddress(false)); 801 } catch (Exception | AssertionError e) { 802 if (!tempFile.delete()) { 803 Log.e(TAG, "Failed to delete temporary PoC file"); 804 } 805 fail("Operation was not successful"); 806 } 807 } 808 }, timeout); 809 } catch (Exception e) { 810 fail("Failed to test b/36592202"); 811 } finally { 812 if (!tempFile.delete()) { 813 Log.e(TAG, "Failed to delete temporary PoC file"); 814 } 815 } 816 } 817 818 @Test 819 @AsbSecurityTest(cveBugId = 30822755) testStagefright_bug_30822755()820 public void testStagefright_bug_30822755() throws Exception { 821 doStagefrightTest(R.raw.bug_30822755); 822 } 823 824 @Test 825 @AsbSecurityTest(cveBugId = 32322258) testStagefright_bug_32322258()826 public void testStagefright_bug_32322258() throws Exception { 827 doStagefrightTest(R.raw.bug_32322258, new CrashUtils.Config().checkMinAddress(false)); 828 } 829 830 @Test 831 @AsbSecurityTest(cveBugId = 23248776) testStagefright_cve_2015_3873_b_23248776()832 public void testStagefright_cve_2015_3873_b_23248776() throws Exception { 833 doStagefrightTest(R.raw.cve_2015_3873_b_23248776); 834 } 835 836 @Test 837 @AsbSecurityTest(cveBugId = 35472997) testStagefright_bug_35472997()838 public void testStagefright_bug_35472997() throws Exception { 839 doStagefrightTest(R.raw.bug_35472997); 840 } 841 842 @Test 843 @AsbSecurityTest(cveBugId = 20718524) testStagefright_cve_2015_3873_b_20718524()844 public void testStagefright_cve_2015_3873_b_20718524() throws Exception { 845 doStagefrightTest(R.raw.cve_2015_3873_b_20718524); 846 } 847 848 @Test 849 @AsbSecurityTest(cveBugId = 34896431) testStagefright_bug_34896431()850 public void testStagefright_bug_34896431() throws Exception { 851 doStagefrightTest(R.raw.bug_34896431); 852 } 853 854 @Test 855 @AsbSecurityTest(cveBugId = 33641588) testBug_33641588()856 public void testBug_33641588() throws Exception { 857 doStagefrightTestRawBlob(R.raw.bug_33641588_avc, "video/avc", 320, 240); 858 } 859 860 @Test 861 @AsbSecurityTest(cveBugId = 22954006) testStagefright_cve_2015_3862_b_22954006()862 public void testStagefright_cve_2015_3862_b_22954006() throws Exception { 863 doStagefrightTest(R.raw.cve_2015_3862_b_22954006, 864 new CrashUtils.Config().checkMinAddress(false)); 865 } 866 867 @Test 868 @AsbSecurityTest(cveBugId = 23213430) testStagefright_cve_2015_3867_b_23213430()869 public void testStagefright_cve_2015_3867_b_23213430() throws Exception { 870 doStagefrightTest(R.raw.cve_2015_3867_b_23213430); 871 } 872 873 @Test 874 @AsbSecurityTest(cveBugId = 21814993) testStagefright_cve_2015_3873_b_21814993()875 public void testStagefright_cve_2015_3873_b_21814993() throws Exception { 876 doStagefrightTest(R.raw.cve_2015_3873_b_21814993); 877 } 878 879 @Test 880 @AsbSecurityTest(cveBugId = 25812590) testStagefright_bug_25812590()881 public void testStagefright_bug_25812590() throws Exception { 882 doStagefrightTest(R.raw.bug_25812590); 883 } 884 885 @Test 886 @AsbSecurityTest(cveBugId = 22882938) testStagefright_cve_2015_6600()887 public void testStagefright_cve_2015_6600() throws Exception { 888 doStagefrightTest(R.raw.cve_2015_6600); 889 } 890 891 @Test 892 @AsbSecurityTest(cveBugId = 23227354) testStagefright_cve_2015_6603()893 public void testStagefright_cve_2015_6603() throws Exception { 894 doStagefrightTest(R.raw.cve_2015_6603); 895 } 896 897 @Test 898 @AsbSecurityTest(cveBugId = 23129786) testStagefright_cve_2015_6604()899 public void testStagefright_cve_2015_6604() throws Exception { 900 doStagefrightTest(R.raw.cve_2015_6604); 901 } 902 903 @Test 904 @AsbSecurityTest(cveBugId = 24157524) testStagefright_bug_24157524()905 public void testStagefright_bug_24157524() throws Exception { 906 doStagefrightTestMediaCodec(R.raw.bug_24157524); 907 } 908 909 @Test 910 @AsbSecurityTest(cveBugId = 23031033) testStagefright_cve_2015_3871()911 public void testStagefright_cve_2015_3871() throws Exception { 912 doStagefrightTest(R.raw.cve_2015_3871); 913 } 914 915 @Test 916 @AsbSecurityTest(cveBugId = 26070014) testStagefright_bug_26070014()917 public void testStagefright_bug_26070014() throws Exception { 918 doStagefrightTest(R.raw.bug_26070014); 919 } 920 921 @Test 922 @AsbSecurityTest(cveBugId = 32915871) testStagefright_bug_32915871()923 public void testStagefright_bug_32915871() throws Exception { 924 doStagefrightTest(R.raw.bug_32915871); 925 } 926 927 @Test 928 @AsbSecurityTest(cveBugId = 28333006) testStagefright_bug_28333006()929 public void testStagefright_bug_28333006() throws Exception { 930 doStagefrightTest(R.raw.bug_28333006); 931 } 932 933 @Test 934 @AsbSecurityTest(cveBugId = 14388161) testStagefright_bug_14388161()935 public void testStagefright_bug_14388161() throws Exception { 936 doStagefrightTestMediaPlayer(R.raw.bug_14388161); 937 } 938 939 @Test 940 @AsbSecurityTest(cveBugId = 28470138) testStagefright_cve_2016_3755()941 public void testStagefright_cve_2016_3755() throws Exception { 942 doStagefrightTest(R.raw.cve_2016_3755, new CrashUtils.Config().checkMinAddress(false)); 943 } 944 945 @Test 946 @AsbSecurityTest(cveBugId = 29493002) testStagefright_cve_2016_3878_b_29493002()947 public void testStagefright_cve_2016_3878_b_29493002() throws Exception { 948 doStagefrightTest(R.raw.cve_2016_3878_b_29493002, 949 new CrashUtils.Config().checkMinAddress(false)); 950 } 951 952 @Test 953 @AsbSecurityTest(cveBugId = 36819262) testBug_36819262()954 public void testBug_36819262() throws Exception { 955 doStagefrightTestRawBlob(R.raw.bug_36819262_mpeg2, "video/mpeg2", 640, 480); 956 } 957 958 @Test 959 @AsbSecurityTest(cveBugId = 23680780) testStagefright_cve_2015_6608_b_23680780()960 public void testStagefright_cve_2015_6608_b_23680780() throws Exception { 961 doStagefrightTest(R.raw.cve_2015_6608_b_23680780); 962 } 963 964 @Test 965 @AsbSecurityTest(cveBugId = 36715268) testStagefright_bug_36715268()966 public void testStagefright_bug_36715268() throws Exception { 967 doStagefrightTest(R.raw.bug_36715268); 968 } 969 970 @Test 971 @AsbSecurityTest(cveBugId = 27855419) testStagefright_bug_27855419_CVE_2016_2463()972 public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception { 973 doStagefrightTest(R.raw.bug_27855419, new CrashUtils.Config().checkMinAddress(false)); 974 } 975 976 @Test 977 @AsbSecurityTest(cveBugId = 19779574) testStagefright_bug_19779574()978 public void testStagefright_bug_19779574() throws Exception { 979 doStagefrightTest(R.raw.bug_19779574, new CrashUtils.Config().checkMinAddress(false)); 980 } 981 982 /*********************************************************** 983 to prevent merge conflicts, add N tests below this comment, 984 before any existing test methods 985 ***********************************************************/ 986 987 @Test 988 @AsbSecurityTest(cveBugId = 33090864) testBug_33090864()989 public void testBug_33090864() throws Exception { 990 int[] frameSizes = getFrameSizes(R.raw.bug_33090864_framelen); 991 doStagefrightTestRawBlob(R.raw.bug_33090864_avc, "video/avc", 320, 240, frameSizes); 992 } 993 994 @Test 995 @AsbSecurityTest(cveBugId = 36279112) testStagefright_bug_36279112()996 public void testStagefright_bug_36279112() throws Exception { 997 doStagefrightTest(R.raw.bug_36279112, new CrashUtils.Config().checkMinAddress(false)); 998 } 999 1000 @Test 1001 @AsbSecurityTest(cveBugId = 33129467) testStagefright_cve_2017_0640()1002 public void testStagefright_cve_2017_0640() throws Exception { 1003 int[] frameSizes = {21, 4}; 1004 doStagefrightTestRawBlob(R.raw.cve_2017_0640_avc, "video/avc", 640, 480, 1005 frameSizes); 1006 } 1007 1008 @Test 1009 @AsbSecurityTest(cveBugId = 37203196) testBug_37203196()1010 public void testBug_37203196() throws Exception { 1011 int[] frameSizes = getFrameSizes(R.raw.bug_37203196_framelen); 1012 doStagefrightTestRawBlob(R.raw.bug_37203196_mpeg2, "video/mpeg2", 48, 48, frameSizes); 1013 } 1014 1015 @Test 1016 @AsbSecurityTest(cveBugId = 73552574) testBug_73552574()1017 public void testBug_73552574() throws Exception { 1018 int[] frameSizes = getFrameSizes(R.raw.bug_73552574_framelen); 1019 doStagefrightTestRawBlob(R.raw.bug_73552574_avc, "video/avc", 320, 240, frameSizes); 1020 } 1021 1022 @Test 1023 @AsbSecurityTest(cveBugId = 23285192) testStagefright_bug_23285192()1024 public void testStagefright_bug_23285192() throws Exception { 1025 doStagefrightTest(R.raw.bug_23285192); 1026 } 1027 1028 @Test 1029 @AsbSecurityTest(cveBugId = 25928803) testStagefright_bug_25928803()1030 public void testStagefright_bug_25928803() throws Exception { 1031 doStagefrightTest(R.raw.bug_25928803); 1032 } 1033 1034 @Test 1035 @AsbSecurityTest(cveBugId = 26399350) testBug_26399350()1036 public void testBug_26399350() throws Exception { 1037 int[] frameSizes = {657, 54930}; 1038 doStagefrightTestRawBlob(R.raw.bug_26399350_avc, "video/avc", 640, 480, 1039 frameSizes); 1040 } 1041 1042 @Test 1043 @AsbSecurityTest(cveBugId = 113260892) testBug_113260892()1044 public void testBug_113260892() throws Exception { 1045 doStagefrightTestRawBlob(R.raw.bug_113260892_hevc, "video/hevc", 320, 240); 1046 } 1047 1048 @Test 1049 @AsbSecurityTest(cveBugId = 68342866) testStagefright_bug_68342866()1050 public void testStagefright_bug_68342866() throws Exception { 1051 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1052 policy.setCleartextTrafficPermitted(true); 1053 Thread server = new Thread() { 1054 @Override 1055 public void run() { 1056 try (ServerSocket serverSocket = new ServerSocket(8080) { 1057 {setSoTimeout(10_000);} // time out after 10 seconds 1058 }; 1059 Socket conn = serverSocket.accept(); 1060 ) { 1061 OutputStream outputstream = conn.getOutputStream(); 1062 InputStream inputStream = conn.getInputStream(); 1063 byte input[] = new byte[65536]; 1064 inputStream.read(input, 0, 65536); 1065 String inputStr = new String(input); 1066 if (inputStr.contains("bug_68342866.m3u8")) { 1067 byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n") 1068 .getBytes(); 1069 byte playlist[] = new byte[] { 0x23, 0x45, 0x58, 0x54, 1070 0x4D, 0x33, 0x55, 0x0A, 0x23, 0x45, 0x58, 0x54, 1071 0x2D, 0x58, 0x2D, 0x53, 0x54, 0x52, 0x45, 0x41, 1072 0x4D, 0x2D, 0x49, 0x4E, 0x46, 0x46, 0x43, 0x23, 1073 0x45, 0x3A, 0x54, 0x42, 0x00, 0x00, 0x00, 0x0A, 1074 0x00, 0x00, 0x00, 0x00, 0x00, (byte) 0xFF, 1075 (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 1076 (byte) 0xFF, (byte) 0xFF, 0x3F, 0x2C, 0x4E, 1077 0x46, 0x00, 0x00 }; 1078 outputstream.write(http); 1079 outputstream.write(playlist); 1080 } 1081 } catch (IOException e) { 1082 } 1083 } 1084 }; 1085 server.start(); 1086 String uri = "http://127.0.0.1:8080/bug_68342866.m3u8"; 1087 final MediaPlayerCrashListener mpcl = 1088 new MediaPlayerCrashListener(new CrashUtils.Config().checkMinAddress(false)); 1089 LooperThread t = new LooperThread(new Runnable() { 1090 @Override 1091 public void run() { 1092 MediaPlayer mp = new MediaPlayer(); 1093 mp.setOnErrorListener(mpcl); 1094 mp.setOnPreparedListener(mpcl); 1095 mp.setOnCompletionListener(mpcl); 1096 RenderTarget renderTarget = RenderTarget.create(); 1097 Surface surface = renderTarget.getSurface(); 1098 mp.setSurface(surface); 1099 AssetFileDescriptor fd = null; 1100 try { 1101 mp.setDataSource(uri); 1102 mp.prepareAsync(); 1103 } catch (IOException e) { 1104 Log.e(TAG, e.toString()); 1105 } finally { 1106 closeQuietly(fd); 1107 } 1108 Looper.loop(); 1109 mp.release(); 1110 renderTarget.destroy(); 1111 } 1112 }); 1113 t.start(); 1114 assertFalse("Device *IS* vulnerable to BUG-68342866", 1115 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1116 t.stopLooper(); 1117 t.join(); 1118 policy.setCleartextTrafficPermitted(false); 1119 server.join(); 1120 } 1121 1122 @Test 1123 @AsbSecurityTest(cveBugId = 74114680) testStagefright_bug_74114680()1124 public void testStagefright_bug_74114680() throws Exception { 1125 doStagefrightTest(R.raw.bug_74114680_ts, (10 * 60 * 1000)); 1126 } 1127 1128 @Test 1129 @AsbSecurityTest(cveBugId = 70239507) testStagefright_bug_70239507()1130 public void testStagefright_bug_70239507() throws Exception { 1131 doStagefrightTestExtractorSeek(R.raw.bug_70239507,1311768465173141112L); 1132 } 1133 1134 @Test 1135 @AsbSecurityTest(cveBugId = 33250932) testBug_33250932()1136 public void testBug_33250932() throws Exception { 1137 int[] frameSizes = {65, 11, 102, 414}; 1138 doStagefrightTestRawBlob(R.raw.bug_33250932_avc, "video/avc", 640, 480, frameSizes); 1139 } 1140 1141 @Test 1142 @AsbSecurityTest(cveBugId = 37430213) testStagefright_bug_37430213()1143 public void testStagefright_bug_37430213() throws Exception { 1144 doStagefrightTest(R.raw.bug_37430213); 1145 } 1146 1147 @Test 1148 @AsbSecurityTest(cveBugId = 68664359) testStagefright_bug_68664359()1149 public void testStagefright_bug_68664359() throws Exception { 1150 doStagefrightTest(R.raw.bug_68664359, 60000); 1151 } 1152 1153 @Test 1154 @AsbSecurityTest(cveBugId = 68664359) testStagefright_bug_110435401()1155 public void testStagefright_bug_110435401() throws Exception { 1156 doStagefrightTest(R.raw.bug_110435401, 60000); 1157 } 1158 1159 @Test 1160 @AsbSecurityTest(cveBugId = 32589224) testStagefright_cve_2017_0474()1161 public void testStagefright_cve_2017_0474() throws Exception { 1162 doStagefrightTest(R.raw.cve_2017_0474, 120000); 1163 } 1164 1165 @Test 1166 @AsbSecurityTest(cveBugId = 62872863) testStagefright_cve_2017_0765()1167 public void testStagefright_cve_2017_0765() throws Exception { 1168 doStagefrightTest(R.raw.cve_2017_0765); 1169 } 1170 1171 @Test 1172 @AsbSecurityTest(cveBugId = 70637599) testStagefright_cve_2017_13276()1173 public void testStagefright_cve_2017_13276() throws Exception { 1174 doStagefrightTest(R.raw.cve_2017_13276); 1175 } 1176 1177 @Test 1178 @AsbSecurityTest(cveBugId = 31681434) testStagefright_cve_2016_6764()1179 public void testStagefright_cve_2016_6764() throws Exception { 1180 doStagefrightTest(R.raw.cve_2016_6764, new CrashUtils.Config().checkMinAddress(false)); 1181 } 1182 1183 @Test 1184 @AsbSecurityTest(cveBugId = 38495900) testStagefright_cve_2017_13214()1185 public void testStagefright_cve_2017_13214() throws Exception { 1186 doStagefrightTest(R.raw.cve_2017_13214); 1187 } 1188 1189 @Test 1190 @AsbSecurityTest(cveBugId = 35467107) testStagefright_bug_35467107()1191 public void testStagefright_bug_35467107() throws Exception { 1192 doStagefrightTest(R.raw.bug_35467107, new CrashUtils.Config().checkMinAddress(false)); 1193 } 1194 1195 /*********************************************************** 1196 to prevent merge conflicts, add O tests below this comment, 1197 before any existing test methods 1198 ***********************************************************/ 1199 @Test 1200 @AsbSecurityTest(cveBugId = 162756352) testStagefright_cve_2020_11184()1201 public void testStagefright_cve_2020_11184() throws Exception { 1202 doStagefrightTest(R.raw.cve_2020_11184); 1203 } 1204 1205 @Test 1206 @AsbSecurityTest(cveBugId = 130024844) testStagefright_cve_2019_2107()1207 public void testStagefright_cve_2019_2107() throws Exception { 1208 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1209 getInstrumentation().getContext().getPackageManager(), 1210 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1211 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2107_framelen); 1212 doStagefrightTestRawBlob(R.raw.cve_2019_2107_hevc, "video/hevc", 1920, 1213 1080, frameSizes); 1214 } 1215 1216 @Test 1217 @AsbSecurityTest(cveBugId = 122473145) testStagefright_cve_2019_2245()1218 public void testStagefright_cve_2019_2245() throws Exception { 1219 doStagefrightTest(R.raw.cve_2019_2245); 1220 } 1221 1222 @Test 1223 @AsbSecurityTest(cveBugId = 120483842) testStagefright_cve_2018_13925()1224 public void testStagefright_cve_2018_13925() throws Exception { 1225 doStagefrightTest(R.raw.cve_2018_13925); 1226 } 1227 1228 @Test 1229 @AsbSecurityTest(cveBugId = 157905659) testStagefright_cve_2020_11139()1230 public void testStagefright_cve_2020_11139() throws Exception { 1231 doStagefrightTest(R.raw.cve_2020_11139); 1232 } 1233 1234 @Test 1235 @AsbSecurityTest(cveBugId = 150697436) testStagefright_cve_2020_3663()1236 public void testStagefright_cve_2020_3663() throws Exception { 1237 doStagefrightTest(R.raw.cve_2020_3663); 1238 } 1239 1240 @Test 1241 @AsbSecurityTest(cveBugId = 155653312) testStagefright_cve_2020_11122()1242 public void testStagefright_cve_2020_11122() throws Exception { 1243 doStagefrightTest(R.raw.cve_2020_11122); 1244 } 1245 1246 @Test 1247 @AsbSecurityTest(cveBugId = 153345450) testStagefright_cve_2020_3688()1248 public void testStagefright_cve_2020_3688() throws Exception { 1249 doStagefrightTest(R.raw.cve_2020_3688); 1250 } 1251 1252 @Test 1253 @AsbSecurityTest(cveBugId = 162756122) testStagefright_cve_2020_11168()1254 public void testStagefright_cve_2020_11168() throws Exception { 1255 doStagefrightTest(R.raw.cve_2020_11168); 1256 } 1257 1258 @Test 1259 @AsbSecurityTest(cveBugId = 150697838) testStagefright_cve_2020_3658()1260 public void testStagefright_cve_2020_3658() throws Exception { 1261 doStagefrightTest(R.raw.cve_2020_3658); 1262 } 1263 1264 @Test 1265 @AsbSecurityTest(cveBugId = 148816216) testStagefright_cve_2020_3633()1266 public void testStagefright_cve_2020_3633() throws Exception { 1267 doStagefrightTest(R.raw.cve_2020_3633); 1268 } 1269 1270 @Test 1271 @AsbSecurityTest(cveBugId = 150695050) testStagefright_cve_2020_3660()1272 public void testStagefright_cve_2020_3660() throws Exception { 1273 doStagefrightTest(R.raw.cve_2020_3660); 1274 } 1275 1276 @Test 1277 @AsbSecurityTest(cveBugId = 150695169) testStagefright_cve_2020_3661()1278 public void testStagefright_cve_2020_3661() throws Exception { 1279 doStagefrightTest(R.raw.cve_2020_3661); 1280 } 1281 1282 @Test 1283 @AsbSecurityTest(cveBugId = 142271944) testStagefright_cve_2019_14013()1284 public void testStagefright_cve_2019_14013() throws Exception { 1285 doStagefrightTest(R.raw.cve_2019_14013); 1286 } 1287 1288 @Test 1289 @AsbSecurityTest(cveBugId = 150696661) testStagefright_cve_2020_3662()1290 public void testStagefright_cve_2020_3662() throws Exception { 1291 doStagefrightTest(R.raw.cve_2020_3662); 1292 } 1293 1294 @Test 1295 @AsbSecurityTest(cveBugId = 170583712) testStagefright_cve_2021_0312()1296 public void testStagefright_cve_2021_0312() throws Exception { 1297 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1298 getInstrumentation().getContext().getPackageManager(), 1299 MainlineModule.MEDIA)); 1300 doStagefrightTestExtractorSeek(R.raw.cve_2021_0312, 2, new CrashUtils.Config() 1301 .setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1302 } 1303 1304 @Test 1305 @AsbSecurityTest(cveBugId = 77600398) testStagefright_cve_2018_9474()1306 public void testStagefright_cve_2018_9474() throws Exception { 1307 MediaPlayer mp = new MediaPlayer(); 1308 RenderTarget renderTarget = RenderTarget.create(); 1309 Surface surface = renderTarget.getSurface(); 1310 mp.setSurface(surface); 1311 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1312 .openRawResourceFd(R.raw.cve_2018_9474); 1313 1314 mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 1315 mp.prepare(); 1316 1317 MediaPlayer.TrackInfo[] trackInfos = mp.getTrackInfo(); 1318 if (trackInfos == null || trackInfos.length == 0) { 1319 return; 1320 } 1321 1322 MediaPlayer.TrackInfo trackInfo = trackInfos[0]; 1323 1324 int trackType = trackInfo.getTrackType(); 1325 MediaFormat format = trackInfo.getFormat(); 1326 1327 Parcel data = Parcel.obtain(); 1328 trackInfo.writeToParcel(data, 0); 1329 1330 data.setDataPosition(0); 1331 int trackTypeFromParcel = data.readInt(); 1332 String mimeTypeFromParcel = data.readString(); 1333 data.recycle(); 1334 1335 if (trackType == trackTypeFromParcel) { 1336 assertFalse("Device *IS* vulnerable to CVE-2018-9474", 1337 mimeTypeFromParcel.equals("und")); 1338 } 1339 } 1340 1341 @Test 1342 @AsbSecurityTest(cveBugId = 130025324) testStagefright_cve_2019_2108()1343 public void testStagefright_cve_2019_2108() throws Exception { 1344 doStagefrightTestRawBlob(R.raw.cve_2019_2108_hevc, "video/hevc", 320, 240, 1345 new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, 1346 CrashUtils.SIGABRT)); 1347 } 1348 1349 @Test 1350 @AsbSecurityTest(cveBugId = 25747670) testStagefright_cve_2016_3880()1351 public void testStagefright_cve_2016_3880() throws Exception { 1352 Thread server = new Thread() { 1353 @Override 1354 public void run() { 1355 try (ServerSocket serverSocket = new ServerSocket(8080) { 1356 {setSoTimeout(10_000);} // time out after 10 seconds 1357 }; 1358 Socket conn = serverSocket.accept() 1359 ) { 1360 OutputStream outputstream = conn.getOutputStream(); 1361 InputStream inputStream = conn.getInputStream(); 1362 byte input[] = new byte[65536]; 1363 inputStream.read(input, 0, 65536); 1364 String inputStr = new String(input); 1365 if (inputStr.contains("DESCRIBE rtsp://127.0.0.1:8080/cve_2016_3880")) { 1366 byte http[] = ("RTSP/1.0 200 OK\r\n" 1367 + "Server: stagefright/1.2 (Linux;Android 9)\r\n" 1368 + "Content-Type: application/sdp\r\n" 1369 + "Content-Base: rtsp://127.0.0.1:8080/cve_2016_3880\r\n" 1370 + "Content-Length: 379\r\n" 1371 + "Cache-Control: no-cache\r\nCSeq: 1\r\n\r\n").getBytes(); 1372 1373 byte sdp[] = ("v=0\r\no=- 64 233572944 IN IP4 127.0.0.0\r\n" 1374 + "s=QuickTime\r\nt=0 0\r\na=range:npt=now-\r\n" 1375 + "m=video 5434 RTP/AVP 96123456\r\nc=IN IP4 127.0.0.1\r\n" 1376 + "b=AS:320000\r\na=rtpmap:96123456 H264/90000\r\n" 1377 + "a=fmtp:96123456 packetization-mode=1;profile-level-id=42001E;" 1378 + "sprop-parameter-sets=Z0IAHpZUBaHogA==,aM44gA==\r\n" 1379 + "a=cliprect:0,0,480,270\r\na=framesize:96123456 720-480\r\n" 1380 + "a=control:track1\r\n").getBytes(); 1381 1382 outputstream.write(http); 1383 outputstream.write(sdp); 1384 outputstream.flush(); 1385 } 1386 } catch (IOException e) { 1387 } 1388 } 1389 }; 1390 server.start(); 1391 String uri = "rtsp://127.0.0.1:8080/cve_2016_3880"; 1392 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(new CrashUtils.Config() 1393 .setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1394 LooperThread t = new LooperThread(new Runnable() { 1395 @Override 1396 public void run() { 1397 MediaPlayer mp = new MediaPlayer(); 1398 mp.setOnErrorListener(mpcl); 1399 mp.setOnPreparedListener(mpcl); 1400 mp.setOnCompletionListener(mpcl); 1401 RenderTarget renderTarget = RenderTarget.create(); 1402 Surface surface = renderTarget.getSurface(); 1403 mp.setSurface(surface); 1404 AssetFileDescriptor fd = null; 1405 try { 1406 mp.setDataSource(uri); 1407 mp.prepareAsync(); 1408 } catch (IOException e) { 1409 Log.e(TAG, e.toString()); 1410 } finally { 1411 closeQuietly(fd); 1412 } 1413 Looper.loop(); 1414 mp.release(); 1415 } 1416 }); 1417 t.start(); 1418 assertFalse("Device *IS* vulnerable to CVE-2016-3880", 1419 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1420 t.stopLooper(); 1421 t.join(); 1422 server.join(); 1423 } 1424 1425 @Test 1426 @AsbSecurityTest(cveBugId = 170240631) testStagefright_bug170240631()1427 public void testStagefright_bug170240631() throws Exception { 1428 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1429 getInstrumentation().getContext().getPackageManager(), 1430 MainlineModule.MEDIA)); 1431 doStagefrightTest(R.raw.bug170240631_ts); 1432 } 1433 1434 @Test 1435 @AsbSecurityTest(cveBugId = 148816624) testStagefright_cve_2020_3641()1436 public void testStagefright_cve_2020_3641() throws Exception { 1437 doStagefrightTest(R.raw.cve_2020_3641); 1438 } 1439 1440 @Test 1441 @AsbSecurityTest(cveBugId = 147103871) testStagefright_cve_2019_14127()1442 public void testStagefright_cve_2019_14127() throws Exception { 1443 doStagefrightTest(R.raw.cve_2019_14127); 1444 } 1445 1446 @Test 1447 @AsbSecurityTest(cveBugId = 147104052) testStagefright_cve_2019_14132()1448 public void testStagefright_cve_2019_14132() throws Exception { 1449 doStagefrightTest(R.raw.cve_2019_14132); 1450 } 1451 1452 @Test 1453 @AsbSecurityTest(cveBugId = 145545283) testStagefright_cve_2019_10591()1454 public void testStagefright_cve_2019_10591() throws Exception { 1455 doStagefrightTest(R.raw.cve_2019_10591); 1456 } 1457 1458 @Test 1459 @AsbSecurityTest(cveBugId = 143903858) testStagefright_cve_2019_10590()1460 public void testStagefright_cve_2019_10590() throws Exception { 1461 doStagefrightTest(R.raw.cve_2019_10590); 1462 } 1463 1464 @Test 1465 @AsbSecurityTest(cveBugId = 142271848) testStagefright_cve_2019_14004()1466 public void testStagefright_cve_2019_14004() throws Exception { 1467 doStagefrightTest(R.raw.cve_2019_14004); 1468 } 1469 1470 @Test 1471 @AsbSecurityTest(cveBugId = 142271498) testStagefright_cve_2019_14003()1472 public void testStagefright_cve_2019_14003() throws Exception { 1473 doStagefrightTest(R.raw.cve_2019_14003); 1474 } 1475 1476 @Test 1477 @AsbSecurityTest(cveBugId = 143903018) testStagefright_cve_2019_14057()1478 public void testStagefright_cve_2019_14057() throws Exception { 1479 doStagefrightTest(R.raw.cve_2019_14057); 1480 } 1481 1482 @Test 1483 @AsbSecurityTest(cveBugId = 142271634) testStagefright_cve_2019_10532()1484 public void testStagefright_cve_2019_10532() throws Exception { 1485 doStagefrightTest(R.raw.cve_2019_10532); 1486 } 1487 1488 @Test 1489 @AsbSecurityTest(cveBugId = 142268949) testStagefright_cve_2019_10578()1490 public void testStagefright_cve_2019_10578() throws Exception { 1491 doStagefrightTest(R.raw.cve_2019_10578); 1492 } 1493 1494 @Test 1495 @AsbSecurityTest(cveBugId = 145545758) testStagefright_cve_2019_14061()1496 public void testStagefright_cve_2019_14061() throws Exception { 1497 doStagefrightTest(R.raw.cve_2019_14061, 180000); 1498 } 1499 1500 @Test 1501 @AsbSecurityTest(cveBugId = 142271615) testStagefright_cve_2019_10611()1502 public void testStagefright_cve_2019_10611() throws Exception { 1503 doStagefrightTest(R.raw.cve_2019_10611); 1504 } 1505 1506 @Test 1507 @AsbSecurityTest(cveBugId = 132108754) testStagefright_cve_2019_10489()1508 public void testStagefright_cve_2019_10489() throws Exception { 1509 doStagefrightTest(R.raw.cve_2019_10489); 1510 } 1511 1512 @Test 1513 @AsbSecurityTest(cveBugId = 145545282) testStagefright_cve_2019_14048()1514 public void testStagefright_cve_2019_14048() throws Exception { 1515 doStagefrightTest(R.raw.cve_2019_14048); 1516 } 1517 1518 @Test 1519 @AsbSecurityTest(cveBugId = 129766432) testStagefright_cve_2019_2253()1520 public void testStagefright_cve_2019_2253() throws Exception { 1521 doStagefrightTest(R.raw.cve_2019_2253); 1522 } 1523 1524 @Test 1525 @AsbSecurityTest(cveBugId = 142271692) testStagefright_cve_2019_10579()1526 public void testStagefright_cve_2019_10579() throws Exception { 1527 doStagefrightTestANR(R.raw.cve_2019_10579); 1528 } 1529 1530 @Test 1531 @AsbSecurityTest(cveBugId = 142271965) testStagefright_cve_2019_14005()1532 public void testStagefright_cve_2019_14005() throws Exception { 1533 doStagefrightTest(R.raw.cve_2019_14005); 1534 } 1535 1536 @Test 1537 @AsbSecurityTest(cveBugId = 142271827) testStagefright_cve_2019_14006()1538 public void testStagefright_cve_2019_14006() throws Exception { 1539 doStagefrightTest(R.raw.cve_2019_14006); 1540 } 1541 1542 @Test 1543 @AsbSecurityTest(cveBugId = 142270646) testStagefright_CVE_2019_14016()1544 public void testStagefright_CVE_2019_14016() throws Exception { 1545 doStagefrightTest(R.raw.cve_2019_14016); 1546 } 1547 1548 @Test 1549 @AsbSecurityTest(cveBugId = 142271515) testStagefright_CVE_2019_14017()1550 public void testStagefright_CVE_2019_14017() throws Exception { 1551 doStagefrightTest(R.raw.cve_2019_14017); 1552 } 1553 1554 @Test 1555 @AsbSecurityTest(cveBugId = 78029004) testStagefright_cve_2018_9412()1556 public void testStagefright_cve_2018_9412() throws Exception { 1557 doStagefrightTest(R.raw.cve_2018_9412, 180000); 1558 } 1559 1560 @Test 1561 @AsbSecurityTest(cveBugId = 142641801) testStagefright_bug_142641801()1562 public void testStagefright_bug_142641801() throws Exception { 1563 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1564 getInstrumentation().getContext().getPackageManager(), 1565 MainlineModule.MEDIA)); 1566 doStagefrightTest(R.raw.bug_142641801); 1567 } 1568 1569 @Test 1570 @AsbSecurityTest(cveBugId = 134437379) testStagefright_cve_2019_10534()1571 public void testStagefright_cve_2019_10534() throws Exception { 1572 doStagefrightTest(R.raw.cve_2019_10534); 1573 } 1574 1575 @Test 1576 @AsbSecurityTest(cveBugId = 134437210) testStagefright_cve_2019_10533()1577 public void testStagefright_cve_2019_10533() throws Exception { 1578 doStagefrightTest(R.raw.cve_2019_10533); 1579 } 1580 1581 @Test 1582 @AsbSecurityTest(cveBugId = 134437115) testStagefright_cve_2019_10541()1583 public void testStagefright_cve_2019_10541() throws Exception { 1584 doStagefrightTest(R.raw.cve_2019_10541); 1585 } 1586 1587 @Test 1588 @AsbSecurityTest(cveBugId = 62851602) testStagefright_cve_2017_13233()1589 public void testStagefright_cve_2017_13233() throws Exception { 1590 doStagefrightTestRawBlob(R.raw.cve_2017_13233_hevc, "video/hevc", 640, 1591 480); 1592 } 1593 1594 @Test 1595 @AsbSecurityTest(cveBugId = 130023983) testStagefright_cve_2019_2106()1596 public void testStagefright_cve_2019_2106() throws Exception { 1597 int[] frameSizes = {943, 3153}; 1598 doStagefrightTestRawBlob(R.raw.cve_2019_2106_hevc, "video/hevc", 320, 1599 240, frameSizes); 1600 } 1601 1602 @Test 1603 @AsbSecurityTest(cveBugId = 34064500) testStagefright_cve_2017_0637()1604 public void testStagefright_cve_2017_0637() throws Exception { 1605 doStagefrightTest(R.raw.cve_2017_0637, 2 * 72000); 1606 } 1607 1608 @Test 1609 @AsbSecurityTest(cveBugId = 109678380) testStagefright_cve_2018_11287()1610 public void testStagefright_cve_2018_11287() throws Exception { 1611 doStagefrightTest(R.raw.cve_2018_11287, 180000); 1612 } 1613 1614 @Test 1615 @AsbSecurityTest(cveBugId = 129766125) testStagefright_cve_2019_2327()1616 public void testStagefright_cve_2019_2327() throws Exception { 1617 doStagefrightTest(R.raw.cve_2019_2327); 1618 } 1619 1620 @Test 1621 @AsbSecurityTest(cveBugId = 129766496) testStagefright_cve_2019_2322()1622 public void testStagefright_cve_2019_2322() throws Exception { 1623 doStagefrightTest(R.raw.cve_2019_2322); 1624 } 1625 1626 @Test 1627 @AsbSecurityTest(cveBugId = 129766099) testStagefright_cve_2019_2334()1628 public void testStagefright_cve_2019_2334() throws Exception { 1629 doStagefrightTest(R.raw.cve_2019_2334); 1630 } 1631 1632 @Test 1633 @AsbSecurityTest(cveBugId = 64380237) testStagefright_cve_2017_13204()1634 public void testStagefright_cve_2017_13204() throws Exception { 1635 int[] frameSizes = getFrameSizes(R.raw.cve_2017_13204_framelen); 1636 doStagefrightTestRawBlob(R.raw.cve_2017_13204_avc, "video/avc", 16, 16, frameSizes); 1637 } 1638 1639 @Test 1640 @AsbSecurityTest(cveBugId = 70221445) testStagefright_cve_2017_17773()1641 public void testStagefright_cve_2017_17773() throws Exception { 1642 doStagefrightTest(R.raw.cve_2017_17773); 1643 } 1644 1645 @Test 1646 @AsbSecurityTest(cveBugId = 68326816) testStagefright_cve_2017_18074()1647 public void testStagefright_cve_2017_18074() throws Exception { 1648 doStagefrightTest(R.raw.cve_2017_18074); 1649 } 1650 1651 @Test 1652 @AsbSecurityTest(cveBugId = 74236854) testStagefright_cve_2018_5894()1653 public void testStagefright_cve_2018_5894() throws Exception { 1654 doStagefrightTest(R.raw.cve_2018_5894); 1655 } 1656 1657 @Test 1658 @AsbSecurityTest(cveBugId = 77485139) testStagefright_cve_2018_5874()1659 public void testStagefright_cve_2018_5874() throws Exception { 1660 doStagefrightTest(R.raw.cve_2018_5874); 1661 } 1662 1663 @Test 1664 @AsbSecurityTest(cveBugId = 77485183) testStagefright_cve_2018_5875()1665 public void testStagefright_cve_2018_5875() throws Exception { 1666 doStagefrightTest(R.raw.cve_2018_5875); 1667 } 1668 1669 @Test 1670 @AsbSecurityTest(cveBugId = 77485022) testStagefright_cve_2018_5876()1671 public void testStagefright_cve_2018_5876() throws Exception { 1672 doStagefrightTest(R.raw.cve_2018_5876); 1673 } 1674 1675 @Test 1676 @AsbSecurityTest(cveBugId = 77483830) testStagefright_cve_2018_5882()1677 public void testStagefright_cve_2018_5882() throws Exception { 1678 doStagefrightTest(R.raw.cve_2018_5882); 1679 } 1680 1681 @Test 1682 @AsbSecurityTest(cveBugId = 65186291) testBug_65186291()1683 public void testBug_65186291() throws Exception { 1684 int[] frameSizes = getFrameSizes(R.raw.bug_65186291_framelen); 1685 doStagefrightTestRawBlob(R.raw.bug_65186291_hevc, "video/hevc", 1920, 1080, frameSizes); 1686 } 1687 1688 @Test 1689 @AsbSecurityTest(cveBugId = 67737022) testBug_67737022()1690 public void testBug_67737022() throws Exception { 1691 doStagefrightTest(R.raw.bug_67737022); 1692 } 1693 1694 @Test 1695 @AsbSecurityTest(cveBugId = 37093318) testStagefright_bug_37093318()1696 public void testStagefright_bug_37093318() throws Exception { 1697 doStagefrightTest(R.raw.bug_37093318, (4 * 60 * 1000)); 1698 } 1699 1700 @Test 1701 @AsbSecurityTest(cveBugId = 73172046) testStagefright_bug_73172046()1702 public void testStagefright_bug_73172046() throws Exception { 1703 doStagefrightTest(R.raw.bug_73172046); 1704 1705 Bitmap bitmap = BitmapFactory.decodeResource( 1706 getInstrumentation().getContext().getResources(), R.raw.bug_73172046); 1707 // OK if the decoding failed, but shouldn't cause crashes 1708 if (bitmap != null) { 1709 bitmap.recycle(); 1710 } 1711 } 1712 1713 @Test 1714 @AsbSecurityTest(cveBugId = 25765591) testStagefright_cve_2016_0824()1715 public void testStagefright_cve_2016_0824() throws Exception { 1716 doStagefrightTest(R.raw.cve_2016_0824); 1717 } 1718 1719 @Test 1720 @AsbSecurityTest(cveBugId = 26365349) testStagefright_cve_2016_0815()1721 public void testStagefright_cve_2016_0815() throws Exception { 1722 doStagefrightTest(R.raw.cve_2016_0815); 1723 } 1724 1725 @Test 1726 @AsbSecurityTest(cveBugId = 26221024) testStagefright_cve_2016_2454()1727 public void testStagefright_cve_2016_2454() throws Exception { 1728 doStagefrightTest(R.raw.cve_2016_2454); 1729 } 1730 1731 @Test 1732 @AsbSecurityTest(cveBugId = 31449945) testStagefright_cve_2016_6765()1733 public void testStagefright_cve_2016_6765() throws Exception { 1734 doStagefrightTest(R.raw.cve_2016_6765, new CrashUtils.Config().checkMinAddress(false)); 1735 } 1736 1737 @Test 1738 @AsbSecurityTest(cveBugId = 28799341) testStagefright_cve_2016_2508()1739 public void testStagefright_cve_2016_2508() throws Exception { 1740 doStagefrightTest(R.raw.cve_2016_2508, new CrashUtils.Config().checkMinAddress(false)); 1741 } 1742 1743 @Test 1744 @AsbSecurityTest(cveBugId = 31373622) testStagefright_cve_2016_6699()1745 public void testStagefright_cve_2016_6699() throws Exception { 1746 doStagefrightTest(R.raw.cve_2016_6699); 1747 } 1748 1749 @Test 1750 @AsbSecurityTest(cveBugId = 66734153) testStagefright_cve_2017_18155()1751 public void testStagefright_cve_2017_18155() throws Exception { 1752 doStagefrightTest(R.raw.cve_2017_18155); 1753 } 1754 1755 @Test 1756 @AsbSecurityTest(cveBugId = 77599438) testStagefright_cve_2018_9423()1757 public void testStagefright_cve_2018_9423() throws Exception { 1758 doStagefrightTest(R.raw.cve_2018_9423); 1759 } 1760 1761 @Test 1762 @AsbSecurityTest(cveBugId = 29770686) testStagefright_cve_2016_3879()1763 public void testStagefright_cve_2016_3879() throws Exception { 1764 doStagefrightTest(R.raw.cve_2016_3879, new CrashUtils.Config().checkMinAddress(false)); 1765 } 1766 1767 /*********************************************************** 1768 to prevent merge conflicts, add P tests below this comment, 1769 before any existing test methods 1770 ***********************************************************/ 1771 1772 @Test 1773 @AsbSecurityTest(cveBugId = 179039901) testStagefright_cve_2021_1910()1774 public void testStagefright_cve_2021_1910() throws Exception { 1775 doStagefrightTest(R.raw.cve_2021_1910); 1776 } 1777 1778 @Test 1779 @AsbSecurityTest(cveBugId = 175038625) testStagefright_cve_2020_11299()1780 public void testStagefright_cve_2020_11299() throws Exception { 1781 doStagefrightTest(R.raw.cve_2020_11299); 1782 } 1783 1784 @Test 1785 @AsbSecurityTest(cveBugId = 162756960) testStagefright_cve_2020_11196()1786 public void testStagefright_cve_2020_11196() throws Exception { 1787 doStagefrightTest(R.raw.cve_2020_11196); 1788 } 1789 1790 @Test 1791 @AsbSecurityTest(cveBugId = 112661641) testStagefright_cve_2018_9531()1792 public void testStagefright_cve_2018_9531() throws Exception { 1793 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1794 getInstrumentation().getContext().getPackageManager(), 1795 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1796 int[] frameSizes = getFrameSizes(R.raw.cve_2018_9531_framelen); 1797 CodecConfig codecConfig = new CodecConfig().setAudioParams(48000, 8); 1798 doStagefrightTestRawBlob(R.raw.cve_2018_9531_aac, "audio/mp4a-latm", codecConfig, 1799 frameSizes, new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, 1800 CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1801 } 1802 1803 @Test 1804 @AsbSecurityTest(cveBugId = 140322595) testStagefright_cve_2019_2222()1805 public void testStagefright_cve_2019_2222() throws Exception { 1806 // TODO(b/170987914): This also skips testing hw_codecs. 1807 // Update doStagefrightTestRawBlob to skip just the sw_codec test. 1808 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1809 getInstrumentation().getContext().getPackageManager(), 1810 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1811 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2222_framelen); 1812 doStagefrightTestRawBlob(R.raw.cve_2019_2222_hevc, "video/hevc", 320, 240, frameSizes); 1813 } 1814 doStagefrightTest(final int rid)1815 private void doStagefrightTest(final int rid) throws Exception { 1816 doStagefrightTest(rid, null); 1817 } 1818 1819 /*********************************************************** 1820 to prevent merge conflicts, add Q tests below this comment, 1821 before any existing test methods 1822 ***********************************************************/ 1823 @Test 1824 @AsbSecurityTest(cveBugId = 136175447) testStagefright_cve_2019_2186()1825 public void testStagefright_cve_2019_2186() throws Exception { 1826 long end = System.currentTimeMillis() + 180000; // 3 minutes from now 1827 while (System.currentTimeMillis() < end) { 1828 doStagefrightTestRawBlob(R.raw.cve_2019_2186, "video/3gpp", 128, 96, 1829 new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, 1830 CrashUtils.SIGABRT)); 1831 } 1832 } 1833 1834 @Test 1835 @AsbSecurityTest(cveBugId = 140692129) testStagefright_cve_2019_2223()1836 public void testStagefright_cve_2019_2223() throws Exception { 1837 // TODO(b/170987914): This also skips testing hw_codecs. 1838 // Update doStagefrightTestRawBlob to skip just the sw_codec test. 1839 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1840 getInstrumentation().getContext().getPackageManager(), 1841 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1842 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2223_framelen); 1843 doStagefrightTestRawBlob(R.raw.cve_2019_2223_hevc, "video/hevc", 320, 240, frameSizes); 1844 } 1845 1846 @Test 1847 @AsbSecurityTest(cveBugId = 118399205) testStagefright_cve_2019_1989()1848 public void testStagefright_cve_2019_1989() throws Exception { 1849 Object obj[] = getFrameInfo(R.raw.cve_2019_1989_info); 1850 int[] isHeader = (int[])obj [0]; 1851 int[] frameSizes = (int[])obj [1]; 1852 doStagefrightTestRawBlob(R.raw.cve_2019_1989_h264, "video/avc", 1853 1920, 1080, frameSizes, isHeader, new CrashUtils.Config()); 1854 } 1855 doStagefrightTest(final int rid, CrashUtils.Config config)1856 private void doStagefrightTest(final int rid, CrashUtils.Config config) throws Exception { 1857 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1858 policy.setCleartextTrafficPermitted(true); 1859 doStagefrightTestMediaPlayer(rid, config); 1860 doStagefrightTestMediaCodec(rid, config); 1861 doStagefrightTestMediaMetadataRetriever(rid, config); 1862 1863 Context context = getInstrumentation().getContext(); 1864 CtsTestServer server = null; 1865 try { 1866 server = new CtsTestServer(context); 1867 } catch (BindException e) { 1868 // Instant Apps security policy does not allow 1869 // listening for incoming connections. 1870 // Server based tests cannot be run. 1871 return; 1872 } 1873 Resources resources = context.getResources(); 1874 String rname = resources.getResourceEntryName(rid); 1875 String url = server.getAssetUrl("raw/" + rname); 1876 verifyServer(rid, url); 1877 doStagefrightTestMediaPlayer(url, config); 1878 doStagefrightTestMediaCodec(url, config); 1879 doStagefrightTestMediaMetadataRetriever(url, config); 1880 policy.setCleartextTrafficPermitted(false); 1881 server.shutdown(); 1882 } 1883 1884 // verify that CtsTestServer is functional by retrieving the asset 1885 // and comparing it to the resource verifyServer(final int rid, final String uri)1886 private void verifyServer(final int rid, final String uri) throws Exception { 1887 Log.i(TAG, "checking server"); 1888 URL url = new URL(uri); 1889 InputStream in1 = new BufferedInputStream(url.openStream()); 1890 1891 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1892 .openRawResourceFd(rid); 1893 InputStream in2 = new BufferedInputStream(fd.createInputStream()); 1894 1895 while (true) { 1896 int b1 = in1.read(); 1897 int b2 = in2.read(); 1898 assertEquals("CtsTestServer fail", b1, b2); 1899 if (b1 < 0) { 1900 break; 1901 } 1902 } 1903 1904 in1.close(); 1905 in2.close(); 1906 Log.i(TAG, "checked server"); 1907 } 1908 doStagefrightTest(final int rid, int timeout)1909 private void doStagefrightTest(final int rid, int timeout) throws Exception { 1910 doStagefrightTest(rid, null, timeout); 1911 } 1912 doStagefrightTest( final int rid, CrashUtils.Config config, int timeout)1913 private void doStagefrightTest( 1914 final int rid, CrashUtils.Config config, int timeout) throws Exception { 1915 runWithTimeout(new Runnable() { 1916 @Override 1917 public void run() { 1918 try { 1919 doStagefrightTest(rid, config); 1920 } catch (Exception e) { 1921 fail(e.toString()); 1922 } 1923 } 1924 }, timeout); 1925 } 1926 doStagefrightTestANR(final int rid)1927 private void doStagefrightTestANR(final int rid) throws Exception { 1928 doStagefrightTestANR(rid, null); 1929 } 1930 doStagefrightTestANR( final int rid, CrashUtils.Config config)1931 private void doStagefrightTestANR( 1932 final int rid, CrashUtils.Config config) throws Exception { 1933 doStagefrightTestMediaPlayerANR(rid, null, config); 1934 } 1935 getCrashReport(String testname, long timeout)1936 public JSONArray getCrashReport(String testname, long timeout) 1937 throws InterruptedException { 1938 Log.i(TAG, CrashUtils.UPLOAD_REQUEST); 1939 File reportFile = new File(CrashUtils.DEVICE_PATH, testname); 1940 File lockFile = new File(CrashUtils.DEVICE_PATH, CrashUtils.LOCK_FILENAME); 1941 while ((!reportFile.exists() || !lockFile.exists()) && timeout > 0) { 1942 Thread.sleep(CHECK_INTERVAL); 1943 timeout -= CHECK_INTERVAL; 1944 } 1945 1946 if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) { 1947 Log.e(TAG, "couldn't get the report or lock file"); 1948 return null; 1949 } 1950 try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) { 1951 StringBuilder json = new StringBuilder(); 1952 String line = reader.readLine(); 1953 while (line != null) { 1954 json.append(line); 1955 line = reader.readLine(); 1956 } 1957 return new JSONArray(json.toString()); 1958 } catch (IOException | JSONException e) { 1959 Log.e(TAG, "Failed to deserialize crash list with error " + e.getMessage()); 1960 return null; 1961 } 1962 } 1963 1964 class MediaPlayerCrashListener 1965 implements MediaPlayer.OnErrorListener, 1966 MediaPlayer.OnPreparedListener, 1967 MediaPlayer.OnCompletionListener { 1968 1969 CrashUtils.Config config; 1970 1971 private final Pattern[] validProcessPatterns = { 1972 Pattern.compile("adsprpcd"), 1973 Pattern.compile("android\\.hardware\\.cas@\\d+?\\.\\d+?-service"), 1974 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service"), 1975 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.clearkey"), 1976 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.widevine"), 1977 Pattern.compile("omx@\\d+?\\.\\d+?-service"), // name:omx@1.0-service 1978 Pattern.compile("android\\.process\\.media"), 1979 Pattern.compile("mediadrmserver"), 1980 Pattern.compile("mediaextractor"), 1981 Pattern.compile("media\\.extractor"), 1982 Pattern.compile("media\\.metrics"), 1983 Pattern.compile("mediaserver"), 1984 Pattern.compile("media\\.codec"), 1985 Pattern.compile("media\\.swcodec"), 1986 Pattern.compile("\\[?sdcard\\]?"), // name:/system/bin/sdcard, user:media_rw 1987 // Match any vendor processes. 1988 // It should only catch crashes that happen during the test. 1989 Pattern.compile("vendor.*"), 1990 }; 1991 MediaPlayerCrashListener()1992 MediaPlayerCrashListener() { 1993 this(null); 1994 } 1995 MediaPlayerCrashListener(CrashUtils.Config config)1996 MediaPlayerCrashListener(CrashUtils.Config config) { 1997 if (config == null) { 1998 config = new CrashUtils.Config(); 1999 } 2000 // if a different process is needed for a test, it should be added to the main list. 2001 config.setProcessPatterns(validProcessPatterns); 2002 this.config = config; 2003 } 2004 2005 @Override onError(MediaPlayer mp, int newWhat, int extra)2006 public boolean onError(MediaPlayer mp, int newWhat, int extra) { 2007 Log.i(TAG, "error: " + newWhat + "/" + extra); 2008 // don't overwrite a more severe error with a less severe one 2009 if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 2010 what = newWhat; 2011 } 2012 2013 lock.lock(); 2014 errored = true; 2015 condition.signal(); 2016 lock.unlock(); 2017 2018 return true; // don't call oncompletion 2019 } 2020 2021 @Override onPrepared(MediaPlayer mp)2022 public void onPrepared(MediaPlayer mp) { 2023 mp.start(); 2024 } 2025 2026 @Override onCompletion(MediaPlayer mp)2027 public void onCompletion(MediaPlayer mp) { 2028 // preserve error condition, if any 2029 lock.lock(); 2030 completed = true; 2031 condition.signal(); 2032 lock.unlock(); 2033 } 2034 waitForError()2035 public int waitForError() throws InterruptedException { 2036 lock.lock(); 2037 if (!errored && !completed) { 2038 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 2039 Log.d(TAG, "timed out on waiting for error. " + 2040 "errored: " + errored + ", completed: " + completed); 2041 } 2042 } 2043 lock.unlock(); 2044 if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 2045 // Sometimes mediaserver signals a decoding error first, and *then* crashes 2046 // due to additional in-flight buffers being processed, so wait a little 2047 // and see if more errors show up. 2048 Log.e(TAG, "couldn't get media crash yet, waiting 1 second"); 2049 SystemClock.sleep(1000); 2050 JSONArray crashes = getCrashReport(name.getMethodName(), 5000); 2051 if (crashes == null) { 2052 Log.e(TAG, "Crash results not found for test " + name.getMethodName()); 2053 return what; 2054 } else if (CrashUtils.securityCrashDetected(crashes, config)) { 2055 return what; 2056 } else { 2057 Log.i(TAG, "Crash ignored due to no security crash found for test " + 2058 name.getMethodName()); 2059 // 0 is the code for no error. 2060 return 0; 2061 } 2062 } 2063 Log.d(TAG, "waitForError finished with no errors."); 2064 return what; 2065 } 2066 waitForErrorOrCompletion()2067 public boolean waitForErrorOrCompletion() throws InterruptedException { 2068 lock.lock(); 2069 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 2070 Log.d(TAG, "timed out on waiting for error or completion"); 2071 } 2072 lock.unlock(); 2073 return (what != 0 && what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) || completed; 2074 } 2075 2076 ReentrantLock lock = new ReentrantLock(); 2077 Condition condition = lock.newCondition(); 2078 int what; 2079 boolean completed = false; 2080 boolean errored = false; 2081 } 2082 2083 class LooperThread extends Thread { 2084 private Looper mLooper; 2085 LooperThread(Runnable runner)2086 LooperThread(Runnable runner) { 2087 super(runner); 2088 } 2089 2090 @Override run()2091 public void run() { 2092 Looper.prepare(); 2093 mLooper = Looper.myLooper(); 2094 super.run(); 2095 } 2096 stopLooper()2097 public void stopLooper() { 2098 mLooper.quitSafely(); 2099 } 2100 } 2101 doStagefrightTestMediaPlayer(final int rid)2102 private void doStagefrightTestMediaPlayer(final int rid) throws Exception { 2103 doStagefrightTestMediaPlayer(rid, null, null); 2104 } 2105 doStagefrightTestMediaPlayer( final int rid, CrashUtils.Config config)2106 private void doStagefrightTestMediaPlayer( 2107 final int rid, CrashUtils.Config config) throws Exception { 2108 doStagefrightTestMediaPlayer(rid, null, config); 2109 } 2110 doStagefrightTestMediaPlayer(final String url)2111 private void doStagefrightTestMediaPlayer(final String url) throws Exception { 2112 doStagefrightTestMediaPlayer(url, null); 2113 } 2114 doStagefrightTestMediaPlayer( final String url, CrashUtils.Config config)2115 private void doStagefrightTestMediaPlayer( 2116 final String url, CrashUtils.Config config) throws Exception { 2117 doStagefrightTestMediaPlayer(-1, url, config); 2118 } 2119 closeQuietly(AutoCloseable closeable)2120 private void closeQuietly(AutoCloseable closeable) { 2121 if (closeable != null) { 2122 try { 2123 closeable.close(); 2124 } catch (RuntimeException rethrown) { 2125 throw rethrown; 2126 } catch (Exception ignored) { 2127 } 2128 } 2129 } 2130 doStagefrightTestMediaPlayer(final int rid, final String uri)2131 private void doStagefrightTestMediaPlayer(final int rid, final String uri) throws Exception { 2132 doStagefrightTestMediaPlayer(rid, uri, null); 2133 } 2134 doStagefrightTestMediaPlayer(final int rid, final String uri, CrashUtils.Config config)2135 private void doStagefrightTestMediaPlayer(final int rid, final String uri, 2136 CrashUtils.Config config) throws Exception { 2137 2138 String name = uri != null ? uri : 2139 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2140 Log.i(TAG, "start mediaplayer test for: " + name); 2141 2142 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2143 2144 LooperThread t = new LooperThread(new Runnable() { 2145 @Override 2146 public void run() { 2147 2148 MediaPlayer mp = new MediaPlayer(); 2149 mp.setOnErrorListener(mpcl); 2150 mp.setOnPreparedListener(mpcl); 2151 mp.setOnCompletionListener(mpcl); 2152 RenderTarget renderTarget = RenderTarget.create(); 2153 Surface surface = renderTarget.getSurface(); 2154 mp.setSurface(surface); 2155 AssetFileDescriptor fd = null; 2156 try { 2157 if (uri == null) { 2158 fd = getInstrumentation().getContext().getResources() 2159 .openRawResourceFd(rid); 2160 2161 mp.setDataSource(fd.getFileDescriptor(), 2162 fd.getStartOffset(), 2163 fd.getLength()); 2164 2165 } else { 2166 mp.setDataSource(uri); 2167 } 2168 mp.prepareAsync(); 2169 } catch (Exception e) { 2170 } finally { 2171 closeQuietly(fd); 2172 } 2173 2174 Looper.loop(); 2175 mp.release(); 2176 renderTarget.destroy(); 2177 } 2178 }); 2179 2180 t.start(); 2181 assertNotEquals("MediaPlayer encountered a security crash when testing MediaPlayer.", 2182 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2183 t.stopLooper(); 2184 t.join(); // wait for thread to exit so we're sure the player was released 2185 } 2186 2187 /* 2188 * b/135207745 2189 */ 2190 @Test 2191 @AsbSecurityTest(cveBugId = 124781927) testStagefright_cve_2019_2129()2192 public void testStagefright_cve_2019_2129() throws Exception { 2193 final int rid = R.raw.cve_2019_2129; 2194 String name = getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2195 Log.i(TAG, "start mediaplayer test for: " + name); 2196 2197 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener() { 2198 @Override 2199 public void onPrepared(MediaPlayer mp) { 2200 super.onPrepared(mp); 2201 mp.setLooping(true); 2202 } 2203 }; 2204 2205 LooperThread t = new LooperThread(new Runnable() { 2206 @Override 2207 public void run() { 2208 MediaPlayer mp = new MediaPlayer(); 2209 mp.setOnErrorListener(mpcl); 2210 mp.setOnPreparedListener(mpcl); 2211 mp.setOnCompletionListener(mpcl); 2212 RenderTarget renderTarget = RenderTarget.create(); 2213 Surface surface = renderTarget.getSurface(); 2214 mp.setSurface(surface); 2215 AssetFileDescriptor fd = null; 2216 try { 2217 fd = getInstrumentation().getContext().getResources().openRawResourceFd(rid); 2218 mp.setOnTimedTextListener(new MediaPlayer.OnTimedTextListener() { 2219 @Override 2220 public void onTimedText(MediaPlayer p, TimedText text) { 2221 if (text != null) { 2222 Log.d(TAG, "text = " + text.getText()); 2223 } 2224 } 2225 }); 2226 mp.setDataSource(fd.getFileDescriptor(), 2227 fd.getStartOffset(), 2228 fd.getLength()); 2229 // keep the original as in poc by not using prepareAsync 2230 mp.prepare(); 2231 mp.selectTrack(2); 2232 } catch (Exception e) { 2233 Log.e(TAG, "Exception is caught " + e.getMessage()); 2234 e.printStackTrace(); 2235 } finally { 2236 closeQuietly(fd); 2237 } 2238 2239 try { 2240 // here to catch & swallow the runtime crash in exception 2241 // after the place where original poc failed in 2242 // java.lang.IllegalArgumentException: parseParcel() 2243 // which is beyond test control. 2244 Looper.loop(); 2245 } catch (RuntimeException e) { 2246 Log.e(TAG, "Exception is caught on Looper.loop() " + e.getMessage()); 2247 e.printStackTrace(); 2248 } 2249 mp.release(); 2250 renderTarget.destroy(); 2251 } 2252 }); 2253 2254 t.start(); 2255 assertNotEquals("MediaPlayer encountered a security crash when testing CVE-2019-2129.", 2256 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2257 t.stopLooper(); 2258 t.join(); // wait for thread to exit so we're sure the player was released 2259 } 2260 doStagefrightTestMediaCodec(final int rid)2261 private void doStagefrightTestMediaCodec(final int rid) throws Exception { 2262 doStagefrightTestMediaCodec(rid, null, null); 2263 } 2264 doStagefrightTestMediaCodec( final int rid, CrashUtils.Config config)2265 private void doStagefrightTestMediaCodec( 2266 final int rid, CrashUtils.Config config) throws Exception { 2267 doStagefrightTestMediaCodec(rid, null, config); 2268 } 2269 doStagefrightTestMediaCodec(final String url)2270 private void doStagefrightTestMediaCodec(final String url) throws Exception { 2271 doStagefrightTestMediaCodec(url, null); 2272 } 2273 doStagefrightTestMediaCodec( final String url, CrashUtils.Config config)2274 private void doStagefrightTestMediaCodec( 2275 final String url, CrashUtils.Config config) throws Exception { 2276 doStagefrightTestMediaCodec(-1, url, config); 2277 } 2278 doStagefrightTestMediaCodec(final int rid, final String url)2279 private void doStagefrightTestMediaCodec(final int rid, final String url) throws Exception { 2280 doStagefrightTestMediaCodec(rid, url, null); 2281 } 2282 doStagefrightTestMediaCodec( final int rid, final String url, CrashUtils.Config config)2283 private void doStagefrightTestMediaCodec( 2284 final int rid, final String url, CrashUtils.Config config) throws Exception { 2285 2286 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2287 2288 LooperThread thr = new LooperThread(new Runnable() { 2289 @Override 2290 public void run() { 2291 2292 MediaPlayer mp = new MediaPlayer(); 2293 mp.setOnErrorListener(mpcl); 2294 try { 2295 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 2296 .openRawResourceFd(R.raw.good); 2297 2298 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2299 // setDataSource has been called 2300 mp.setDataSource(fd.getFileDescriptor(), 2301 fd.getStartOffset(), 2302 fd.getLength()); 2303 fd.close(); 2304 } catch (Exception e) { 2305 // this is a known-good file, so no failure should occur 2306 fail("setDataSource of known-good file failed"); 2307 } 2308 2309 synchronized(mpcl) { 2310 mpcl.notify(); 2311 } 2312 Looper.loop(); 2313 mp.release(); 2314 } 2315 }); 2316 thr.start(); 2317 // wait until the thread has initialized the MediaPlayer 2318 synchronized(mpcl) { 2319 mpcl.wait(); 2320 } 2321 2322 Resources resources = getInstrumentation().getContext().getResources(); 2323 MediaExtractor ex = new MediaExtractor(); 2324 if (url == null) { 2325 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2326 try { 2327 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2328 } catch (IOException e) { 2329 // ignore 2330 } finally { 2331 closeQuietly(fd); 2332 } 2333 } else { 2334 try { 2335 ex.setDataSource(url); 2336 } catch (Exception e) { 2337 // indicative of problems with our tame CTS test web server 2338 } 2339 } 2340 int numtracks = ex.getTrackCount(); 2341 String rname = url != null ? url: resources.getResourceEntryName(rid); 2342 Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks"); 2343 for (int t = 0; t < numtracks; t++) { 2344 // find all the available decoders for this format 2345 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2346 MediaFormat format = null; 2347 try { 2348 format = ex.getTrackFormat(t); 2349 } catch (IllegalArgumentException e) { 2350 Log.e(TAG, "could not get track format for track " + t); 2351 continue; 2352 } 2353 String mime = format.getString(MediaFormat.KEY_MIME); 2354 int numCodecs = MediaCodecList.getCodecCount(); 2355 for (int i = 0; i < numCodecs; i++) { 2356 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2357 if (info.isEncoder()) { 2358 continue; 2359 } 2360 try { 2361 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2362 if (caps != null) { 2363 matchingCodecs.add(info.getName()); 2364 Log.i(TAG, "Found matching codec " + info.getName() + " for track " + t); 2365 } 2366 } catch (IllegalArgumentException e) { 2367 // type is not supported 2368 } 2369 } 2370 2371 if (matchingCodecs.size() == 0) { 2372 Log.w(TAG, "no codecs for track " + t + ", type " + mime); 2373 } 2374 // decode this track once with each matching codec 2375 try { 2376 ex.selectTrack(t); 2377 } catch (IllegalArgumentException e) { 2378 Log.w(TAG, "couldn't select track " + t); 2379 // continue on with codec initialization anyway, since that might still crash 2380 } 2381 for (String codecName: matchingCodecs) { 2382 Log.i(TAG, "Decoding track " + t + " using codec " + codecName); 2383 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 2384 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2385 RenderTarget renderTarget = RenderTarget.create(); 2386 Surface surface = null; 2387 if (mime.startsWith("video/")) { 2388 surface = renderTarget.getSurface(); 2389 } 2390 try { 2391 codec.configure(format, surface, null, 0); 2392 codec.start(); 2393 } catch (Exception e) { 2394 Log.i(TAG, "Failed to start/configure:", e); 2395 } 2396 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2397 try { 2398 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2399 while (true) { 2400 int flags = ex.getSampleFlags(); 2401 long time = ex.getSampleTime(); 2402 ex.getCachedDuration(); 2403 int bufidx = codec.dequeueInputBuffer(5000); 2404 if (bufidx >= 0) { 2405 int n = ex.readSampleData(inputBuffers[bufidx], 0); 2406 if (n < 0) { 2407 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2408 time = 0; 2409 n = 0; 2410 } 2411 codec.queueInputBuffer(bufidx, 0, n, time, flags); 2412 ex.advance(); 2413 } 2414 int status = codec.dequeueOutputBuffer(info, 5000); 2415 if (status >= 0) { 2416 if ((info.flags & MediaCodec.BUFFER_FLAG_END_OF_STREAM) != 0) { 2417 break; 2418 } 2419 if (info.presentationTimeUs > TIMEOUT_NS / 1000) { 2420 Log.d(TAG, "stopping after 10 seconds worth of data"); 2421 break; 2422 } 2423 codec.releaseOutputBuffer(status, true); 2424 } 2425 } 2426 } catch (Exception e) { 2427 // local exceptions ignored, not security issues 2428 } finally { 2429 codec.release(); 2430 renderTarget.destroy(); 2431 } 2432 } 2433 try { 2434 ex.unselectTrack(t); 2435 } catch (IllegalArgumentException e) { 2436 // since we're just cleaning up, we don't care if it fails 2437 } 2438 } 2439 ex.release(); 2440 assertNotEquals("MediaPlayer encountered a security crash when testing media codecs.", 2441 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2442 thr.stopLooper(); 2443 thr.join(); 2444 } 2445 doStagefrightTestMediaMetadataRetriever(final int rid)2446 private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception { 2447 doStagefrightTestMediaMetadataRetriever(rid, null, null); 2448 } doStagefrightTestMediaMetadataRetriever( final int rid, CrashUtils.Config config)2449 private void doStagefrightTestMediaMetadataRetriever( 2450 final int rid, CrashUtils.Config config) throws Exception { 2451 doStagefrightTestMediaMetadataRetriever(rid, null, config); 2452 } 2453 doStagefrightTestMediaMetadataRetriever(final String url)2454 private void doStagefrightTestMediaMetadataRetriever(final String url) throws Exception { 2455 doStagefrightTestMediaMetadataRetriever(url, null); 2456 } 2457 doStagefrightTestMediaMetadataRetriever( final String url, CrashUtils.Config config)2458 private void doStagefrightTestMediaMetadataRetriever( 2459 final String url, CrashUtils.Config config) throws Exception { 2460 doStagefrightTestMediaMetadataRetriever(-1, url, config); 2461 } 2462 doStagefrightTestMediaMetadataRetriever( final int rid, final String url)2463 private void doStagefrightTestMediaMetadataRetriever( 2464 final int rid, final String url) throws Exception { 2465 doStagefrightTestMediaMetadataRetriever(rid, url, null); 2466 } 2467 doStagefrightTestMediaMetadataRetriever( final int rid, final String url, CrashUtils.Config config)2468 private void doStagefrightTestMediaMetadataRetriever( 2469 final int rid, final String url, CrashUtils.Config config) throws Exception { 2470 2471 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2472 2473 LooperThread thr = new LooperThread(new Runnable() { 2474 @Override 2475 public void run() { 2476 2477 MediaPlayer mp = new MediaPlayer(); 2478 mp.setOnErrorListener(mpcl); 2479 AssetFileDescriptor fd = null; 2480 try { 2481 fd = getInstrumentation().getContext().getResources() 2482 .openRawResourceFd(R.raw.good); 2483 2484 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2485 // setDataSource has been called 2486 mp.setDataSource(fd.getFileDescriptor(), 2487 fd.getStartOffset(), 2488 fd.getLength()); 2489 fd.close(); 2490 } catch (Exception e) { 2491 // this is a known-good file, so no failure should occur 2492 fail("setDataSource of known-good file failed"); 2493 } 2494 2495 synchronized(mpcl) { 2496 mpcl.notify(); 2497 } 2498 Looper.loop(); 2499 mp.release(); 2500 } 2501 }); 2502 thr.start(); 2503 // wait until the thread has initialized the MediaPlayer 2504 synchronized(mpcl) { 2505 mpcl.wait(); 2506 } 2507 2508 Resources resources = getInstrumentation().getContext().getResources(); 2509 MediaMetadataRetriever retriever = new MediaMetadataRetriever(); 2510 if (url == null) { 2511 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2512 try { 2513 retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2514 } catch (Exception e) { 2515 // ignore 2516 } finally { 2517 closeQuietly(fd); 2518 } 2519 } else { 2520 try { 2521 retriever.setDataSource(url, new HashMap<String, String>()); 2522 } catch (Exception e) { 2523 // indicative of problems with our tame CTS test web server 2524 } 2525 } 2526 retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION); 2527 retriever.getEmbeddedPicture(); 2528 retriever.getFrameAtTime(); 2529 2530 retriever.release(); 2531 String rname = url != null ? url : resources.getResourceEntryName(rid); 2532 assertNotEquals("MediaPlayer encountered a security crash when retrieving media metadata.", 2533 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2534 thr.stopLooper(); 2535 thr.join(); 2536 } 2537 2538 @Test 2539 @AsbSecurityTest(cveBugId = 36215950) testBug36215950()2540 public void testBug36215950() throws Exception { 2541 doStagefrightTestRawBlob(R.raw.bug_36215950, "video/hevc", 320, 240); 2542 } 2543 2544 @Test 2545 @AsbSecurityTest(cveBugId = 36816007) testBug36816007()2546 public void testBug36816007() throws Exception { 2547 doStagefrightTestRawBlob(R.raw.bug_36816007, "video/avc", 320, 240, 2548 new CrashUtils.Config().checkMinAddress(false)); 2549 } 2550 2551 @Test 2552 @AsbSecurityTest(cveBugId = 36895511) testBug36895511()2553 public void testBug36895511() throws Exception { 2554 doStagefrightTestRawBlob(R.raw.bug_36895511, "video/hevc", 320, 240, 2555 new CrashUtils.Config().checkMinAddress(false)); 2556 } 2557 2558 @Test 2559 @AsbSecurityTest(cveBugId = 64836894) testBug64836894()2560 public void testBug64836894() throws Exception { 2561 doStagefrightTestRawBlob(R.raw.bug_64836894, "video/avc", 320, 240); 2562 } 2563 2564 @Test 2565 @AsbSecurityTest(cveBugId = 35583675) testCve_2017_0687()2566 public void testCve_2017_0687() throws Exception { 2567 doStagefrightTestRawBlob(R.raw.cve_2017_0687, "video/avc", 320, 240); 2568 } 2569 2570 @Test 2571 @AsbSecurityTest(cveBugId = 37207120) testCve_2017_0696()2572 public void testCve_2017_0696() throws Exception { 2573 doStagefrightTestRawBlob(R.raw.cve_2017_0696, "video/avc", 320, 240); 2574 } 2575 2576 @Test 2577 @AsbSecurityTest(cveBugId = 37930177) testBug_37930177()2578 public void testBug_37930177() throws Exception { 2579 doStagefrightTestRawBlob(R.raw.bug_37930177_hevc, "video/hevc", 320, 240); 2580 } 2581 2582 @Test 2583 @AsbSecurityTest(cveBugId = 37712181) testBug_37712181()2584 public void testBug_37712181() throws Exception { 2585 doStagefrightTestRawBlob(R.raw.bug_37712181_hevc, "video/hevc", 320, 240); 2586 } 2587 2588 @Test 2589 @AsbSecurityTest(cveBugId = 70897394) testBug_70897394()2590 public void testBug_70897394() throws Exception { 2591 doStagefrightTestRawBlob(R.raw.bug_70897394_avc, "video/avc", 320, 240, 2592 new CrashUtils.Config().checkMinAddress(false)); 2593 } 2594 2595 @Test 2596 @AsbSecurityTest(cveBugId = 123700383) testBug_123700383()2597 public void testBug_123700383() throws Exception { 2598 assertExtractorDoesNotHang(R.raw.bug_123700383); 2599 } 2600 2601 @Test 2602 @AsbSecurityTest(cveBugId = 127310810) testBug_127310810()2603 public void testBug_127310810() throws Exception { 2604 assertExtractorDoesNotHang(R.raw.bug_127310810); 2605 } 2606 2607 @Test 2608 @AsbSecurityTest(cveBugId = 127312550) testBug_127312550()2609 public void testBug_127312550() throws Exception { 2610 assertExtractorDoesNotHang(R.raw.bug_127312550); 2611 } 2612 2613 @Test 2614 @AsbSecurityTest(cveBugId = 127313223) testBug_127313223()2615 public void testBug_127313223() throws Exception { 2616 assertExtractorDoesNotHang(R.raw.bug_127313223); 2617 } 2618 2619 @Test 2620 @AsbSecurityTest(cveBugId = 127313537) testBug_127313537()2621 public void testBug_127313537() throws Exception { 2622 assertExtractorDoesNotHang(R.raw.bug_127313537); 2623 } 2624 2625 @Test 2626 @AsbSecurityTest(cveBugId = 127313764) testBug_127313764()2627 public void testBug_127313764() throws Exception { 2628 assertExtractorDoesNotHang(R.raw.bug_127313764); 2629 } 2630 2631 @Test 2632 @AsbSecurityTest(cveBugId = 189402477) testStagefright_cve_2021_0635()2633 public void testStagefright_cve_2021_0635() throws Exception { 2634 doStagefrightTest(R.raw.cve_2021_0635_1); 2635 doStagefrightTest(R.raw.cve_2021_0635_2); 2636 } 2637 getFrameSizes(int rid)2638 private int[] getFrameSizes(int rid) throws IOException { 2639 final Context context = getInstrumentation().getContext(); 2640 final Resources resources = context.getResources(); 2641 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2642 FileInputStream fis = fd.createInputStream(); 2643 byte[] frameInfo = new byte[(int) fd.getLength()]; 2644 fis.read(frameInfo); 2645 fis.close(); 2646 String[] valueStr = new String(frameInfo).trim().split("\\s+"); 2647 int[] frameSizes = new int[valueStr.length]; 2648 for (int i = 0; i < valueStr.length; i++) 2649 frameSizes[i] = Integer.parseInt(valueStr[i]); 2650 return frameSizes; 2651 } 2652 getFrameInfo(int rid)2653 private Object[] getFrameInfo(int rid) throws IOException { 2654 final Context context = getInstrumentation().getContext(); 2655 final Resources resources = context.getResources(); 2656 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2657 FileInputStream fis = fd.createInputStream(); 2658 byte[] frameInfo = new byte[(int) fd.getLength()]; 2659 fis.read(frameInfo); 2660 fis.close(); 2661 String[] lines = new String(frameInfo).trim().split("\\r?\\n"); 2662 int isHeader[] = new int[lines.length]; 2663 int frameSizes[] = new int[lines.length]; 2664 for (int i = 0; i < lines.length; i++) { 2665 String[] values = lines[i].trim().split("\\s+"); 2666 isHeader[i] = Integer.parseInt(values[0]); 2667 frameSizes[i] = Integer.parseInt(values[1]); 2668 } 2669 return new Object[] {isHeader, frameSizes}; 2670 } 2671 runWithTimeout(Runnable runner, int timeout)2672 private void runWithTimeout(Runnable runner, int timeout) { 2673 Thread t = new Thread(runner); 2674 t.start(); 2675 try { 2676 t.join(timeout); 2677 } catch (InterruptedException e) { 2678 fail("operation was interrupted"); 2679 } 2680 if (t.isAlive()) { 2681 fail("operation not completed within timeout of " + timeout + "ms"); 2682 } 2683 } 2684 releaseCodec(final MediaCodec codec)2685 private void releaseCodec(final MediaCodec codec) { 2686 runWithTimeout(new Runnable() { 2687 @Override 2688 public void run() { 2689 codec.release(); 2690 } 2691 }, 5000); 2692 } 2693 doStagefrightTestRawBlob( int rid, String mime, int initWidth, int initHeight)2694 private void doStagefrightTestRawBlob( 2695 int rid, String mime, int initWidth, int initHeight) throws Exception { 2696 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, new CrashUtils.Config()); 2697 } 2698 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, CrashUtils.Config config)2699 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2700 CrashUtils.Config config) throws Exception { 2701 2702 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2703 final Context context = getInstrumentation().getContext(); 2704 final Resources resources = context.getResources(); 2705 2706 LooperThread thr = new LooperThread(new Runnable() { 2707 @Override 2708 public void run() { 2709 2710 MediaPlayer mp = new MediaPlayer(); 2711 mp.setOnErrorListener(mpcl); 2712 AssetFileDescriptor fd = null; 2713 try { 2714 fd = resources.openRawResourceFd(R.raw.good); 2715 2716 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2717 // setDataSource has been called 2718 mp.setDataSource(fd.getFileDescriptor(), 2719 fd.getStartOffset(), 2720 fd.getLength()); 2721 fd.close(); 2722 } catch (Exception e) { 2723 // this is a known-good file, so no failure should occur 2724 fail("setDataSource of known-good file failed"); 2725 } 2726 2727 synchronized(mpcl) { 2728 mpcl.notify(); 2729 } 2730 Looper.loop(); 2731 mp.release(); 2732 } 2733 }); 2734 thr.start(); 2735 // wait until the thread has initialized the MediaPlayer 2736 synchronized(mpcl) { 2737 mpcl.wait(); 2738 } 2739 2740 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2741 byte [] blob = new byte[(int)fd.getLength()]; 2742 FileInputStream fis = fd.createInputStream(); 2743 int numRead = fis.read(blob); 2744 fis.close(); 2745 2746 // find all the available decoders for this format 2747 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2748 int numCodecs = MediaCodecList.getCodecCount(); 2749 for (int i = 0; i < numCodecs; i++) { 2750 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2751 if (info.isEncoder()) { 2752 continue; 2753 } 2754 try { 2755 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2756 if (caps != null) { 2757 matchingCodecs.add(info.getName()); 2758 } 2759 } catch (IllegalArgumentException e) { 2760 // type is not supported 2761 } 2762 } 2763 2764 if (matchingCodecs.size() == 0) { 2765 Log.w(TAG, "no codecs for mime type " + mime); 2766 } 2767 String rname = resources.getResourceEntryName(rid); 2768 // decode this blob once with each matching codec 2769 for (String codecName: matchingCodecs) { 2770 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2771 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2772 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 2773 try { 2774 codec.configure(format, null, null, 0); 2775 codec.start(); 2776 } catch (Exception e) { 2777 Log.i(TAG, "Exception from codec " + codecName); 2778 releaseCodec(codec); 2779 continue; 2780 } 2781 2782 try { 2783 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2784 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2785 // enqueue the bad data a number of times, in case 2786 // the codec needs multiple buffers to fail. 2787 for(int i = 0; i < 64; i++) { 2788 int bufidx = codec.dequeueInputBuffer(5000); 2789 if (bufidx >= 0) { 2790 Log.i(TAG, "got input buffer of size " + inputBuffers[bufidx].capacity()); 2791 inputBuffers[bufidx].rewind(); 2792 inputBuffers[bufidx].put(blob, 0, numRead); 2793 codec.queueInputBuffer(bufidx, 0, numRead, 0, 0); 2794 } else { 2795 Log.i(TAG, "no input buffer"); 2796 } 2797 bufidx = codec.dequeueOutputBuffer(info, 5000); 2798 if (bufidx >= 0) { 2799 Log.i(TAG, "got output buffer"); 2800 codec.releaseOutputBuffer(bufidx, false); 2801 } else { 2802 Log.i(TAG, "no output buffer"); 2803 } 2804 } 2805 } catch (Exception e) { 2806 // ignore, not a security issue 2807 } finally { 2808 releaseCodec(codec); 2809 } 2810 } 2811 2812 assertNotEquals("MediaPlayer encountered a security crash when testing raw blobs.", 2813 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2814 thr.stopLooper(); 2815 thr.join(); 2816 } 2817 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[])2818 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2819 int frameSizes[]) throws Exception { 2820 // check crash address by default 2821 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, frameSizes, new CrashUtils.Config()); 2822 } 2823 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], CrashUtils.Config config)2824 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2825 int frameSizes[], CrashUtils.Config config) throws Exception { 2826 CodecConfig codecConfig = new CodecConfig().setVideoParams(initWidth, initHeight); 2827 doStagefrightTestRawBlob(rid, mime, codecConfig, frameSizes, config); 2828 } 2829 doStagefrightTestRawBlob(int rid, String mime, CodecConfig codecConfig, int frameSizes[], CrashUtils.Config config)2830 private void doStagefrightTestRawBlob(int rid, String mime, CodecConfig codecConfig, 2831 int frameSizes[], CrashUtils.Config config) throws Exception { 2832 2833 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2834 final Context context = getInstrumentation().getContext(); 2835 final Resources resources = context.getResources(); 2836 2837 LooperThread thr = new LooperThread(new Runnable() { 2838 @Override 2839 public void run() { 2840 2841 MediaPlayer mp = new MediaPlayer(); 2842 mp.setOnErrorListener(mpcl); 2843 AssetFileDescriptor fd = null; 2844 try { 2845 fd = resources.openRawResourceFd(R.raw.good); 2846 2847 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2848 // setDataSource has been called 2849 mp.setDataSource(fd.getFileDescriptor(), 2850 fd.getStartOffset(), 2851 fd.getLength()); 2852 fd.close(); 2853 } catch (Exception e) { 2854 // this is a known-good file, so no failure should occur 2855 fail("setDataSource of known-good file failed"); 2856 } 2857 2858 synchronized(mpcl) { 2859 mpcl.notify(); 2860 } 2861 Looper.loop(); 2862 mp.release(); 2863 } 2864 }); 2865 thr.start(); 2866 // wait until the thread has initialized the MediaPlayer 2867 synchronized(mpcl) { 2868 mpcl.wait(); 2869 } 2870 2871 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2872 byte [] blob = new byte[(int)fd.getLength()]; 2873 FileInputStream fis = fd.createInputStream(); 2874 int numRead = fis.read(blob); 2875 fis.close(); 2876 2877 // find all the available decoders for this format 2878 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2879 int numCodecs = MediaCodecList.getCodecCount(); 2880 for (int i = 0; i < numCodecs; i++) { 2881 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2882 if (info.isEncoder()) { 2883 continue; 2884 } 2885 try { 2886 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2887 if (caps != null) { 2888 matchingCodecs.add(info.getName()); 2889 } 2890 } catch (IllegalArgumentException e) { 2891 // type is not supported 2892 } 2893 } 2894 2895 if (matchingCodecs.size() == 0) { 2896 Log.w(TAG, "no codecs for mime type " + mime); 2897 } 2898 String rname = resources.getResourceEntryName(rid); 2899 // decode this blob once with each matching codec 2900 for (String codecName: matchingCodecs) { 2901 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2902 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2903 MediaFormat format; 2904 if (codecConfig.isAudio) { 2905 format = MediaFormat.createAudioFormat(mime, codecConfig.sampleRate, 2906 codecConfig.channelCount); 2907 } else { 2908 format = MediaFormat.createVideoFormat(mime, codecConfig.initWidth, 2909 codecConfig.initHeight); 2910 } 2911 try { 2912 codec.configure(format, null, null, 0); 2913 codec.start(); 2914 } catch (Exception e) { 2915 Log.i(TAG, "Exception from codec " + codecName); 2916 releaseCodec(codec); 2917 continue; 2918 } 2919 2920 try { 2921 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2922 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2923 int numFrames = 0; 2924 if (frameSizes != null) { 2925 numFrames = frameSizes.length; 2926 } 2927 2928 if (0 == numFrames) { 2929 fail("Improper picture length file"); 2930 } 2931 2932 int offset = 0; 2933 int bytesToFeed = 0; 2934 byte [] tempBlob = new byte[(int)inputBuffers[0].capacity()]; 2935 for (int j = 0; j < numFrames; j++) { 2936 int flags = 0; 2937 int bufidx = codec.dequeueInputBuffer(5000); 2938 if (bufidx >= 0) { 2939 inputBuffers[bufidx].rewind(); 2940 if(j == (numFrames - 1)) { 2941 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2942 } 2943 if (codecConfig.isAudio) { 2944 if (j == 0) { 2945 flags = MediaCodec.BUFFER_FLAG_CODEC_CONFIG; 2946 } 2947 inputBuffers[bufidx].put(blob, offset, frameSizes[j]); 2948 bytesToFeed = frameSizes[j]; 2949 } else { 2950 bytesToFeed = Math.min((int) (fd.getLength() - offset), 2951 inputBuffers[bufidx].capacity()); 2952 System.arraycopy(blob, offset, tempBlob, 0, bytesToFeed); 2953 inputBuffers[bufidx].put(tempBlob, 0, inputBuffers[bufidx].capacity()); 2954 } 2955 codec.queueInputBuffer(bufidx, 0, bytesToFeed, 0, flags); 2956 offset = offset + frameSizes[j]; 2957 } else { 2958 Log.i(TAG, "no input buffer"); 2959 } 2960 bufidx = codec.dequeueOutputBuffer(info, 5000); 2961 if (bufidx >= 0) { 2962 codec.releaseOutputBuffer(bufidx, false); 2963 } else { 2964 Log.i(TAG, "no output buffer"); 2965 } 2966 } 2967 } catch (Exception e) { 2968 // ignore, not a security issue 2969 } finally { 2970 releaseCodec(codec); 2971 } 2972 } 2973 2974 assertNotEquals( 2975 "MediaPlayer encountered a security crash when testing raw blobs with frame sizes.", 2976 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2977 thr.stopLooper(); 2978 thr.join(); 2979 } 2980 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], int isHeader[], CrashUtils.Config config)2981 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2982 int frameSizes[], int isHeader[], CrashUtils.Config config) throws Exception { 2983 2984 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2985 final Context context = getInstrumentation().getContext(); 2986 final Resources resources = context.getResources(); 2987 LooperThread thr = new LooperThread(new Runnable() { 2988 @Override 2989 public void run() { 2990 MediaPlayer mp = new MediaPlayer(); 2991 mp.setOnErrorListener(mpcl); 2992 AssetFileDescriptor fd = null; 2993 try { 2994 fd = resources.openRawResourceFd(R.raw.good); 2995 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2996 // setDataSource has been called 2997 mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2998 fd.close(); 2999 } catch (Exception e) { 3000 // this is a known-good file, so no failure should occur 3001 fail("setDataSource of known-good file failed"); 3002 } 3003 synchronized (mpcl) { 3004 mpcl.notify(); 3005 } 3006 Looper.loop(); 3007 mp.release(); 3008 } 3009 }); 3010 thr.start(); 3011 // wait until the thread has initialized the MediaPlayer 3012 synchronized (mpcl) { 3013 mpcl.wait(); 3014 } 3015 3016 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 3017 byte[] blob = new byte[(int) fd.getLength()]; 3018 FileInputStream fis = fd.createInputStream(); 3019 int numRead = fis.read(blob); 3020 fis.close(); 3021 3022 // find all the available decoders for this format 3023 ArrayList<String> matchingCodecs = new ArrayList<String>(); 3024 int numCodecs = MediaCodecList.getCodecCount(); 3025 for (int i = 0; i < numCodecs; i++) { 3026 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 3027 if (info.isEncoder()) { 3028 continue; 3029 } 3030 try { 3031 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 3032 if (caps != null) { 3033 matchingCodecs.add(info.getName()); 3034 } 3035 } catch (IllegalArgumentException e) { 3036 // type is not supported 3037 } 3038 } 3039 3040 if (matchingCodecs.size() == 0) { 3041 Log.w(TAG, "no codecs for mime type " + mime); 3042 } 3043 String rname = resources.getResourceEntryName(rid); 3044 // decode this blob once with each matching codec 3045 for (String codecName : matchingCodecs) { 3046 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 3047 MediaCodec codec = MediaCodec.createByCodecName(codecName); 3048 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 3049 try { 3050 codec.configure(format, null, null, 0); 3051 codec.start(); 3052 } catch (Exception e) { 3053 Log.i(TAG, "Exception from codec " + codecName); 3054 releaseCodec(codec); 3055 continue; 3056 } 3057 try { 3058 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 3059 ByteBuffer[] inputBuffers = codec.getInputBuffers(); 3060 int numFrames = 0; 3061 if (frameSizes != null) { 3062 numFrames = frameSizes.length; 3063 } 3064 if (0 == numFrames) { 3065 fail("Improper picture length file"); 3066 } 3067 int offset = 0; 3068 int j = 0; 3069 while (j < numFrames) { 3070 int flags = 0; 3071 int bufidx = codec.dequeueInputBuffer(5000); 3072 if (bufidx >= 0) { 3073 inputBuffers[bufidx].rewind(); 3074 Log.i(TAG, "Got buffer index " + bufidx + " with length " 3075 + inputBuffers[bufidx].capacity()); 3076 if (isHeader[j] == 1) { 3077 flags = MediaCodec.BUFFER_FLAG_CODEC_CONFIG; 3078 } 3079 if (j == (numFrames - 1)) { 3080 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 3081 } 3082 Log.i(TAG, "Feeding frame " + j + " with framelen " + frameSizes[j] 3083 + " offset " + offset + " and flags " + flags); 3084 inputBuffers[bufidx].put(blob, offset, frameSizes[j]); 3085 codec.queueInputBuffer(bufidx, 0, frameSizes[j], 0, flags); 3086 offset = offset + frameSizes[j]; 3087 j++; 3088 } else { 3089 Log.i(TAG, "no input buffer"); 3090 } 3091 bufidx = codec.dequeueOutputBuffer(info, 5000); 3092 if (bufidx >= 0) { 3093 codec.releaseOutputBuffer(bufidx, false); 3094 } else { 3095 Log.i(TAG, "no output buffer"); 3096 } 3097 } 3098 } catch (Exception e) { 3099 // ignore, not a security issue 3100 } finally { 3101 releaseCodec(codec); 3102 } 3103 } 3104 String cve = rname.replace("_", "-").toUpperCase(); 3105 assertFalse("Device *IS* vulnerable to " + cve, 3106 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 3107 thr.stopLooper(); 3108 thr.join(); 3109 } 3110 doStagefrightTestMediaPlayerANR(final int rid, final String uri)3111 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri) throws Exception { 3112 doStagefrightTestMediaPlayerANR(rid, uri, null); 3113 } 3114 doStagefrightTestMediaPlayerANR(final int rid, final String uri, CrashUtils.Config config)3115 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri, 3116 CrashUtils.Config config) throws Exception { 3117 String name = uri != null ? uri : 3118 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 3119 Log.i(TAG, "start mediaplayerANR test for: " + name); 3120 3121 final MediaPlayerCrashListener mpl = new MediaPlayerCrashListener(config); 3122 3123 LooperThread t = new LooperThread(new Runnable() { 3124 @Override 3125 public void run() { 3126 MediaPlayer mp = new MediaPlayer(); 3127 mp.setOnErrorListener(mpl); 3128 mp.setOnPreparedListener(mpl); 3129 mp.setOnCompletionListener(mpl); 3130 RenderTarget renderTarget = RenderTarget.create(); 3131 Surface surface = renderTarget.getSurface(); 3132 mp.setSurface(surface); 3133 AssetFileDescriptor fd = null; 3134 try { 3135 if (uri == null) { 3136 fd = getInstrumentation().getContext().getResources() 3137 .openRawResourceFd(rid); 3138 3139 mp.setDataSource(fd.getFileDescriptor(), 3140 fd.getStartOffset(), 3141 fd.getLength()); 3142 } else { 3143 mp.setDataSource(uri); 3144 } 3145 mp.prepareAsync(); 3146 } catch (Exception e) { 3147 } finally { 3148 closeQuietly(fd); 3149 } 3150 3151 Looper.loop(); 3152 mp.release(); 3153 renderTarget.destroy(); 3154 } 3155 }); 3156 3157 t.start(); 3158 assertTrue("MediaPlayer failed to complete when testing ANR.", 3159 mpl.waitForErrorOrCompletion()); 3160 t.stopLooper(); 3161 t.join(); // wait for thread to exit so we're sure the player was released 3162 } 3163 doStagefrightTestExtractorSeek(final int rid, final long offset)3164 private void doStagefrightTestExtractorSeek(final int rid, final long offset) throws Exception { 3165 doStagefrightTestExtractorSeek(rid, offset, new CrashUtils.Config()); // check crash address by default 3166 } 3167 doStagefrightTestExtractorSeek(final int rid, final long offset, CrashUtils.Config config)3168 private void doStagefrightTestExtractorSeek(final int rid, final long offset, 3169 CrashUtils.Config config) throws Exception { 3170 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 3171 LooperThread thr = new LooperThread(new Runnable() { 3172 @Override 3173 public void run() { 3174 MediaPlayer mp = new MediaPlayer(); 3175 mp.setOnErrorListener(mpcl); 3176 try { 3177 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 3178 .openRawResourceFd(R.raw.good); 3179 mp.setDataSource(fd.getFileDescriptor(), 3180 fd.getStartOffset(), 3181 fd.getLength()); 3182 fd.close(); 3183 } catch (Exception e) { 3184 fail("setDataSource of known-good file failed"); 3185 } 3186 synchronized(mpcl) { 3187 mpcl.notify(); 3188 } 3189 Looper.loop(); 3190 mp.release(); 3191 } 3192 }); 3193 thr.start(); 3194 synchronized(mpcl) { 3195 mpcl.wait(); 3196 } 3197 Resources resources = getInstrumentation().getContext().getResources(); 3198 MediaExtractor ex = new MediaExtractor(); 3199 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 3200 try { 3201 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3202 } catch (IOException e) { 3203 } finally { 3204 closeQuietly(fd); 3205 } 3206 int numtracks = ex.getTrackCount(); 3207 String rname = resources.getResourceEntryName(rid); 3208 Log.i(TAG, "start mediaextractor test for: " + rname + ", which has " + numtracks + " tracks"); 3209 for (int t = 0; t < numtracks; t++) { 3210 try { 3211 ex.selectTrack(t); 3212 } catch (IllegalArgumentException e) { 3213 Log.w(TAG, "couldn't select track " + t); 3214 } 3215 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 3216 ex.advance(); 3217 ex.seekTo(offset, MediaExtractor.SEEK_TO_NEXT_SYNC); 3218 try 3219 { 3220 ex.unselectTrack(t); 3221 } 3222 catch (Exception e) { 3223 } 3224 } 3225 ex.release(); 3226 assertNotEquals("MediaPlayer encountered a security crash when testing extractor seeking.", 3227 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 3228 thr.stopLooper(); 3229 thr.join(); 3230 } 3231 assertExtractorDoesNotHang(int rid)3232 protected void assertExtractorDoesNotHang(int rid) throws Exception { 3233 // The media extractor has a watchdog, currently set to 10 seconds. 3234 final long timeoutMs = 12 * 1000; 3235 3236 Thread thread = new Thread(() -> { 3237 MediaExtractor ex = new MediaExtractor(); 3238 AssetFileDescriptor fd = 3239 getInstrumentation().getContext().getResources().openRawResourceFd(rid); 3240 try { 3241 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3242 } catch (IOException e) { 3243 // It is OK for the call to fail, we're only making sure it doesn't hang. 3244 } finally { 3245 closeQuietly(fd); 3246 ex.release(); 3247 } 3248 }); 3249 thread.start(); 3250 3251 thread.join(timeoutMs); 3252 boolean hung = thread.isAlive(); 3253 if (hung) { 3254 // We don't have much to do at this point. Attempt to un-hang the thread, the media 3255 // extractor process is likely still spinning. At least we found a bug... 3256 // TODO: reboot the media extractor process. 3257 thread.interrupt(); 3258 } 3259 3260 assertFalse(hung); 3261 } 3262 getInstrumentation()3263 private Instrumentation getInstrumentation() { 3264 return mInstrumentation; 3265 } 3266 } 3267