1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 * 17 * This code was provided to AOSP by Zimperium Inc and was 18 * written by: 19 * 20 * Simone "evilsocket" Margaritelli 21 * Joshua "jduck" Drake 22 */ 23 package android.security.cts; 24 25 import static org.hamcrest.Matchers.is; 26 import static org.junit.Assert.assertEquals; 27 import static org.junit.Assert.assertFalse; 28 import static org.junit.Assert.assertNotEquals; 29 import static org.junit.Assert.assertTrue; 30 import static org.junit.Assert.fail; 31 import static org.junit.Assume.assumeFalse; 32 import static org.junit.Assume.assumeThat; 33 34 import android.content.Context; 35 import android.content.res.AssetFileDescriptor; 36 import android.content.res.Resources; 37 import android.graphics.Bitmap; 38 import android.graphics.BitmapFactory; 39 import android.media.MediaCodec; 40 import android.media.MediaCodecInfo; 41 import android.media.MediaCodecList; 42 import android.media.MediaExtractor; 43 import android.media.MediaFormat; 44 import android.media.MediaMetadataRetriever; 45 import android.media.MediaPlayer; 46 import android.media.TimedText; 47 import android.os.Looper; 48 import android.os.Parcel; 49 import android.os.SystemClock; 50 import android.platform.test.annotations.AppModeFull; 51 import android.platform.test.annotations.AsbSecurityTest; 52 import android.security.NetworkSecurityPolicy; 53 import android.util.Log; 54 import android.view.Surface; 55 import android.webkit.cts.CtsTestServer; 56 57 import androidx.test.runner.AndroidJUnit4; 58 59 import com.android.compatibility.common.util.CrashUtils; 60 import com.android.compatibility.common.util.mainline.MainlineModule; 61 import com.android.compatibility.common.util.mainline.ModuleDetector; 62 import com.android.sts.common.util.StsExtraBusinessLogicTestCase; 63 64 import org.json.JSONArray; 65 import org.json.JSONException; 66 import org.junit.Rule; 67 import org.junit.Test; 68 import org.junit.rules.TestName; 69 import org.junit.runner.RunWith; 70 71 import java.io.BufferedInputStream; 72 import java.io.BufferedReader; 73 import java.io.File; 74 import java.io.FileInputStream; 75 import java.io.FileOutputStream; 76 import java.io.FileReader; 77 import java.io.IOException; 78 import java.io.InputStream; 79 import java.io.OutputStream; 80 import java.net.BindException; 81 import java.net.ServerSocket; 82 import java.net.Socket; 83 import java.net.URL; 84 import java.nio.ByteBuffer; 85 import java.util.ArrayList; 86 import java.util.HashMap; 87 import java.util.concurrent.locks.Condition; 88 import java.util.concurrent.locks.ReentrantLock; 89 import java.util.regex.Pattern; 90 91 /** 92 * Verify that the device is not vulnerable to any known Stagefright 93 * vulnerabilities. 94 */ 95 @AppModeFull 96 @RunWith(AndroidJUnit4.class) 97 public class StagefrightTest extends StsExtraBusinessLogicTestCase { 98 static final String TAG = "StagefrightTest"; 99 100 private final long TIMEOUT_NS = 10000000000L; // 10 seconds. 101 private final static long CHECK_INTERVAL = 50; 102 103 @Rule public TestName name = new TestName(); 104 105 class CodecConfig { 106 boolean isAudio; 107 /* Video Parameters - valid only when isAudio is false */ 108 int initWidth; 109 int initHeight; 110 /* Audio Parameters - valid only when isAudio is true */ 111 int sampleRate; 112 int channelCount; 113 setVideoParams(int initWidth, int initHeight)114 public CodecConfig setVideoParams(int initWidth, int initHeight) { 115 this.isAudio = false; 116 this.initWidth = initWidth; 117 this.initHeight = initHeight; 118 return this; 119 } 120 setAudioParams(int sampleRate, int channelCount)121 public CodecConfig setAudioParams(int sampleRate, int channelCount) { 122 this.isAudio = true; 123 this.sampleRate = sampleRate; 124 this.channelCount = channelCount; 125 return this; 126 } 127 } 128 129 /*********************************************************** 130 to prevent merge conflicts, add K tests below this comment, 131 before any existing test methods 132 ***********************************************************/ 133 134 @Test 135 @AsbSecurityTest(cveBugId = 122472139) testStagefright_cve_2019_2244()136 public void testStagefright_cve_2019_2244() throws Exception { 137 doStagefrightTestRawBlob(R.raw.cve_2019_2244, "video/mpeg2", 320, 420); 138 } 139 140 @Test 141 @AsbSecurityTest(cveBugId = 36725407) testStagefright_bug_36725407()142 public void testStagefright_bug_36725407() throws Exception { 143 doStagefrightTest(R.raw.bug_36725407); 144 } 145 146 @Test 147 @AsbSecurityTest(cveBugId = 29023649) testStagefright_cve_2016_3829()148 public void testStagefright_cve_2016_3829() throws Exception { 149 doStagefrightTest(R.raw.cve_2016_3829, new CrashUtils.Config().checkMinAddress(false)); 150 } 151 152 @Test 153 @AsbSecurityTest(cveBugId = 35645051) testStagefright_cve_2017_0643()154 public void testStagefright_cve_2017_0643() throws Exception { 155 doStagefrightTest(R.raw.cve_2017_0643, new CrashUtils.Config().checkMinAddress(false)); 156 } 157 158 @Test 159 @AsbSecurityTest(cveBugId = 37469795) testStagefright_cve_2017_0728()160 public void testStagefright_cve_2017_0728() throws Exception { 161 doStagefrightTest(R.raw.cve_2017_0728, new CrashUtils.Config().checkMinAddress(false)); 162 } 163 164 @Test 165 @AsbSecurityTest(cveBugId = 62187433) testStagefright_bug_62187433()166 public void testStagefright_bug_62187433() throws Exception { 167 doStagefrightTest(R.raw.bug_62187433); 168 } 169 170 @Test 171 @AsbSecurityTest(cveBugId = 62673844) testStagefrightANR_bug_62673844()172 public void testStagefrightANR_bug_62673844() throws Exception { 173 doStagefrightTestANR(R.raw.bug_62673844); 174 } 175 176 @Test 177 @AsbSecurityTest(cveBugId = 37079296) testStagefright_bug_37079296()178 public void testStagefright_bug_37079296() throws Exception { 179 doStagefrightTest(R.raw.bug_37079296); 180 } 181 182 @Test 183 @AsbSecurityTest(cveBugId = 38342499) testStagefright_bug_38342499()184 public void testStagefright_bug_38342499() throws Exception { 185 doStagefrightTest(R.raw.bug_38342499); 186 } 187 188 @Test 189 @AsbSecurityTest(cveBugId = 22771132) testStagefright_bug_22771132()190 public void testStagefright_bug_22771132() throws Exception { 191 doStagefrightTest(R.raw.bug_22771132); 192 } 193 194 @Test 195 @AsbSecurityTest(cveBugId = 21443020) testStagefright_bug_21443020()196 public void testStagefright_bug_21443020() throws Exception { 197 doStagefrightTest(R.raw.bug_21443020_webm); 198 } 199 200 @Test 201 @AsbSecurityTest(cveBugId = 34360591) testStagefright_bug_34360591()202 public void testStagefright_bug_34360591() throws Exception { 203 doStagefrightTest(R.raw.bug_34360591); 204 } 205 206 @Test 207 @AsbSecurityTest(cveBugId = 35763994) testStagefright_bug_35763994()208 public void testStagefright_bug_35763994() throws Exception { 209 doStagefrightTest(R.raw.bug_35763994, new CrashUtils.Config().checkMinAddress(false)); 210 } 211 212 @Test 213 @AsbSecurityTest(cveBugId = 33137046) testStagefright_bug_33137046()214 public void testStagefright_bug_33137046() throws Exception { 215 doStagefrightTest(R.raw.bug_33137046); 216 } 217 218 @Test 219 @AsbSecurityTest(cveBugId = 28532266) testStagefright_cve_2016_2507()220 public void testStagefright_cve_2016_2507() throws Exception { 221 doStagefrightTest(R.raw.cve_2016_2507, new CrashUtils.Config().checkMinAddress(false)); 222 } 223 224 @Test 225 @AsbSecurityTest(cveBugId = 31647370) testStagefright_bug_31647370()226 public void testStagefright_bug_31647370() throws Exception { 227 doStagefrightTest(R.raw.bug_31647370); 228 } 229 230 @Test 231 @AsbSecurityTest(cveBugId = 32577290) testStagefright_bug_32577290()232 public void testStagefright_bug_32577290() throws Exception { 233 doStagefrightTest(R.raw.bug_32577290); 234 } 235 236 @Test 237 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_1()238 public void testStagefright_cve_2015_1538_1() throws Exception { 239 doStagefrightTest(R.raw.cve_2015_1538_1); 240 } 241 242 @Test 243 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_2()244 public void testStagefright_cve_2015_1538_2() throws Exception { 245 doStagefrightTest(R.raw.cve_2015_1538_2); 246 } 247 248 @Test 249 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_3()250 public void testStagefright_cve_2015_1538_3() throws Exception { 251 doStagefrightTest(R.raw.cve_2015_1538_3); 252 } 253 254 @Test 255 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1538_4()256 public void testStagefright_cve_2015_1538_4() throws Exception { 257 doStagefrightTest(R.raw.cve_2015_1538_4); 258 } 259 260 @Test 261 @AsbSecurityTest(cveBugId = 20139950) testStagefright_cve_2015_1539()262 public void testStagefright_cve_2015_1539() throws Exception { 263 doStagefrightTest(R.raw.cve_2015_1539); 264 } 265 266 @Test 267 @AsbSecurityTest(cveBugId = 21468251) testStagefright_cve_2015_3824()268 public void testStagefright_cve_2015_3824() throws Exception { 269 doStagefrightTest(R.raw.cve_2015_3824); 270 } 271 272 @Test 273 @AsbSecurityTest(cveBugId = 21467632) testStagefright_cve_2015_3826()274 public void testStagefright_cve_2015_3826() throws Exception { 275 doStagefrightTest(R.raw.cve_2015_3826); 276 } 277 278 @Test 279 @AsbSecurityTest(cveBugId = 21468053) testStagefright_cve_2015_3827()280 public void testStagefright_cve_2015_3827() throws Exception { 281 doStagefrightTest(R.raw.cve_2015_3827); 282 } 283 284 @Test 285 @AsbSecurityTest(cveBugId = 21467634) testStagefright_cve_2015_3828()286 public void testStagefright_cve_2015_3828() throws Exception { 287 doStagefrightTest(R.raw.cve_2015_3828); 288 } 289 290 @Test 291 @AsbSecurityTest(cveBugId = 21467767) testStagefright_cve_2015_3829()292 public void testStagefright_cve_2015_3829() throws Exception { 293 doStagefrightTest(R.raw.cve_2015_3829); 294 } 295 296 @Test 297 @AsbSecurityTest(cveBugId = 21132860) testStagefright_cve_2015_3836()298 public void testStagefright_cve_2015_3836() throws Exception { 299 doStagefrightTest(R.raw.cve_2015_3836); 300 } 301 302 @Test 303 @AsbSecurityTest(cveBugId = 23034759) testStagefright_cve_2015_3864()304 public void testStagefright_cve_2015_3864() throws Exception { 305 doStagefrightTest(R.raw.cve_2015_3864); 306 } 307 308 @Test 309 @AsbSecurityTest(cveBugId = 23034759) testStagefright_cve_2015_3864_b23034759()310 public void testStagefright_cve_2015_3864_b23034759() throws Exception { 311 doStagefrightTest(R.raw.cve_2015_3864_b23034759); 312 } 313 314 @Test 315 @AsbSecurityTest(cveBugId = 23306638) testStagefright_cve_2015_6598()316 public void testStagefright_cve_2015_6598() throws Exception { 317 doStagefrightTest(R.raw.cve_2015_6598); 318 } 319 320 @Test 321 @AsbSecurityTest(cveBugId = 31318219) testStagefright_cve_2016_6766()322 public void testStagefright_cve_2016_6766() throws Exception { 323 doStagefrightTest(R.raw.cve_2016_6766); 324 } 325 326 @Test 327 @AsbSecurityTest(cveBugId = 27211885) testStagefright_cve_2016_2429_b_27211885()328 public void testStagefright_cve_2016_2429_b_27211885() throws Exception { 329 doStagefrightTest(R.raw.cve_2016_2429_b_27211885, 330 new CrashUtils.Config().checkMinAddress(false)); 331 } 332 333 @Test 334 @AsbSecurityTest(cveBugId = 34031018) testStagefright_bug_34031018()335 public void testStagefright_bug_34031018() throws Exception { 336 doStagefrightTest(R.raw.bug_34031018_32bit, new CrashUtils.Config().checkMinAddress(false)); 337 doStagefrightTest(R.raw.bug_34031018_64bit, new CrashUtils.Config().checkMinAddress(false)); 338 } 339 340 /*********************************************************** 341 to prevent merge conflicts, add L tests below this comment, 342 before any existing test methods 343 ***********************************************************/ 344 345 @Test 346 @AsbSecurityTest(cveBugId = 65123471) testStagefright_bug_65123471()347 public void testStagefright_bug_65123471() throws Exception { 348 doStagefrightTest(R.raw.bug_65123471); 349 } 350 351 @Test 352 @AsbSecurityTest(cveBugId = 72165027) testStagefright_bug_72165027()353 public void testStagefright_bug_72165027() throws Exception { 354 doStagefrightTest(R.raw.bug_72165027); 355 } 356 357 @Test 358 @AsbSecurityTest(cveBugId = 65483665) testStagefright_bug_65483665()359 public void testStagefright_bug_65483665() throws Exception { 360 doStagefrightTest(R.raw.bug_65483665); 361 } 362 363 @Test 364 @AsbSecurityTest(cveBugId = 62815506) testStagefright_cve_2017_0852_b_62815506()365 public void testStagefright_cve_2017_0852_b_62815506() throws Exception { 366 doStagefrightTest(R.raw.cve_2017_0852_b_62815506, 367 new CrashUtils.Config().checkMinAddress(false)); 368 } 369 370 @Test 371 @AsbSecurityTest(cveBugId = 68160703) testStagefright_cve_2017_13229()372 public void testStagefright_cve_2017_13229() throws Exception { 373 doStagefrightTest(R.raw.cve_2017_13229); 374 } 375 376 @Test 377 @AsbSecurityTest(cveBugId = 62534693) testStagefright_cve_2017_0763()378 public void testStagefright_cve_2017_0763() throws Exception { 379 doStagefrightTest(R.raw.cve_2017_0763); 380 } 381 382 /*********************************************************** 383 to prevent merge conflicts, add M tests below this comment, 384 before any existing test methods 385 ***********************************************************/ 386 387 @Test 388 @AsbSecurityTest(cveBugId = 73965890) testBug_73965890()389 public void testBug_73965890() throws Exception { 390 int[] frameSizes = getFrameSizes(R.raw.bug_73965890_framelen); 391 doStagefrightTestRawBlob(R.raw.bug_73965890_hevc, "video/hevc", 320, 240, frameSizes); 392 } 393 394 @Test 395 @AsbSecurityTest(cveBugId = 30744884) testStagefright_cve_2016_3920()396 public void testStagefright_cve_2016_3920() throws Exception { 397 doStagefrightTest(R.raw.cve_2016_3920, new CrashUtils.Config().checkMinAddress(false)); 398 } 399 400 @Test 401 @AsbSecurityTest(cveBugId = 38448381) testStagefright_bug_38448381()402 public void testStagefright_bug_38448381() throws Exception { 403 doStagefrightTest(R.raw.bug_38448381); 404 } 405 406 @Test 407 @AsbSecurityTest(cveBugId = 28166152) testStagefright_cve_2016_3821()408 public void testStagefright_cve_2016_3821() throws Exception { 409 doStagefrightTest(R.raw.cve_2016_3821, new CrashUtils.Config().checkMinAddress(false)); 410 } 411 412 @Test 413 @AsbSecurityTest(cveBugId = 70897454) testStagefright_bug_70897454()414 public void testStagefright_bug_70897454() throws Exception { 415 doStagefrightTestRawBlob(R.raw.b70897454_avc, "video/avc", 320, 420); 416 } 417 418 @Test 419 @AsbSecurityTest(cveBugId = 28165659) testStagefright_cve_2016_3742_b_28165659()420 public void testStagefright_cve_2016_3742_b_28165659() throws Exception { 421 doStagefrightTest(R.raw.cve_2016_3742_b_28165659); 422 } 423 424 @Test 425 @AsbSecurityTest(cveBugId = 35039946) testStagefright_bug_35039946()426 public void testStagefright_bug_35039946() throws Exception { 427 doStagefrightTestRawBlob(R.raw.bug_35039946_hevc, "video/hevc", 320, 420); 428 } 429 430 @Test 431 @AsbSecurityTest(cveBugId = 38115076) testStagefright_bug_38115076()432 public void testStagefright_bug_38115076() throws Exception { 433 doStagefrightTest(R.raw.bug_38115076, new CrashUtils.Config().checkMinAddress(false)); 434 } 435 436 @Test 437 @AsbSecurityTest(cveBugId = 34618607) testStagefright_bug_34618607()438 public void testStagefright_bug_34618607() throws Exception { 439 doStagefrightTest(R.raw.bug_34618607, new CrashUtils.Config().checkMinAddress(false)); 440 } 441 442 @Test 443 @AsbSecurityTest(cveBugId = 69478425) testStagefright_bug_69478425()444 public void testStagefright_bug_69478425() throws Exception { 445 doStagefrightTest(R.raw.bug_69478425); 446 } 447 448 @Test 449 @AsbSecurityTest(cveBugId = 65735716) testStagefright_bug_65735716()450 public void testStagefright_bug_65735716() throws Exception { 451 doStagefrightTestRawBlob(R.raw.bug_65735716_avc, "video/avc", 320, 240); 452 } 453 454 @Test 455 @AsbSecurityTest(cveBugId = 65717533) testStagefright_bug_65717533()456 public void testStagefright_bug_65717533() throws Exception { 457 doStagefrightTest(R.raw.bug_65717533_header_corrupt); 458 } 459 460 @Test 461 @AsbSecurityTest(cveBugId = 38239864) testStagefright_bug_38239864()462 public void testStagefright_bug_38239864() throws Exception { 463 doStagefrightTest(R.raw.bug_38239864, (4 * 60 * 1000)); 464 } 465 466 @Test 467 @AsbSecurityTest(cveBugId = 35269635) testStagefright_cve_2017_0600()468 public void testStagefright_cve_2017_0600() throws Exception { 469 doStagefrightTest(R.raw.cve_2017_0600, new CrashUtils.Config().checkMinAddress(false)); 470 } 471 472 @Test 473 @AsbSecurityTest(cveBugId = 38014992) testBug_38014992()474 public void testBug_38014992() throws Exception { 475 int[] frameSizes = getFrameSizes(R.raw.bug_38014992_framelen); 476 doStagefrightTestRawBlob(R.raw.bug_38014992_avc, "video/avc", 640, 480, frameSizes, 477 new CrashUtils.Config().checkMinAddress(false)); 478 } 479 480 @Test 481 @AsbSecurityTest(cveBugId = 35584425) testBug_35584425()482 public void testBug_35584425() throws Exception { 483 int[] frameSizes = getFrameSizes(R.raw.bug_35584425_framelen); 484 doStagefrightTestRawBlob(R.raw.bug_35584425_avc, "video/avc", 352, 288, frameSizes); 485 } 486 487 @Test 488 @AsbSecurityTest(cveBugId = 31092462) testBug_31092462()489 public void testBug_31092462() throws Exception { 490 int[] frameSizes = getFrameSizes(R.raw.bug_31092462_framelen); 491 doStagefrightTestRawBlob(R.raw.bug_31092462_avc, "video/avc", 1280, 1024, frameSizes); 492 } 493 494 @Test 495 @AsbSecurityTest(cveBugId = 34097866) testBug_34097866()496 public void testBug_34097866() throws Exception { 497 int[] frameSizes = getFrameSizes(R.raw.bug_34097866_frame_len); 498 doStagefrightTestRawBlob(R.raw.bug_34097866_avc, "video/avc", 352, 288, frameSizes); 499 } 500 501 @Test 502 @AsbSecurityTest(cveBugId = 33862021) testBug_33862021()503 public void testBug_33862021() throws Exception { 504 int[] frameSizes = getFrameSizes(R.raw.bug_33862021_frame_len); 505 doStagefrightTestRawBlob(R.raw.bug_33862021_hevc, "video/hevc", 160, 96, frameSizes); 506 } 507 508 @Test 509 @AsbSecurityTest(cveBugId = 33387820) testBug_33387820()510 public void testBug_33387820() throws Exception { 511 int[] frameSizes = {45, 3202, 430, 2526}; 512 doStagefrightTestRawBlob(R.raw.bug_33387820_avc, "video/avc", 320, 240, frameSizes, 513 new CrashUtils.Config().checkMinAddress(false)); 514 } 515 516 @Test 517 @AsbSecurityTest(cveBugId = 37008096) testBug_37008096()518 public void testBug_37008096() throws Exception { 519 int[] frameSizes = {245, 12, 33, 140, 164}; 520 doStagefrightTestRawBlob(R.raw.bug_37008096_avc, "video/avc", 320, 240, frameSizes); 521 } 522 523 @Test 524 @AsbSecurityTest(cveBugId = 34231163) testStagefright_bug_34231163()525 public void testStagefright_bug_34231163() throws Exception { 526 int[] frameSizes = {22, 357, 217, 293, 175}; 527 doStagefrightTestRawBlob(R.raw.bug_34231163_mpeg2, "video/mpeg2", 320, 240, frameSizes); 528 } 529 530 @Test 531 @AsbSecurityTest(cveBugId = 33933140) testStagefright_bug_33933140()532 public void testStagefright_bug_33933140() throws Exception { 533 int[] frameSizes = getFrameSizes(R.raw.bug_33933140_framelen); 534 doStagefrightTestRawBlob(R.raw.bug_33933140_avc, "video/avc", 320, 240, frameSizes); 535 } 536 537 @Test 538 @AsbSecurityTest(cveBugId = 34097915) testStagefright_bug_34097915()539 public void testStagefright_bug_34097915() throws Exception { 540 int[] frameSizes = {4140, 593, 0, 15495}; 541 doStagefrightTestRawBlob(R.raw.bug_34097915_avc, "video/avc", 320, 240, frameSizes); 542 } 543 544 @Test 545 @AsbSecurityTest(cveBugId = 34097213) testStagefright_bug_34097213()546 public void testStagefright_bug_34097213() throws Exception { 547 int[] frameSizes = {2571, 210, 33858}; 548 doStagefrightTestRawBlob(R.raw.bug_34097213_avc, "video/avc", 320, 240, frameSizes); 549 } 550 551 @Test 552 @AsbSecurityTest(cveBugId = 28816956) testBug_28816956()553 public void testBug_28816956() throws Exception { 554 int[] frameSizes = getFrameSizes(R.raw.bug_28816956_framelen); 555 doStagefrightTestRawBlob( 556 R.raw.bug_28816956_hevc, "video/hevc", 352, 288, frameSizes, 557 new CrashUtils.Config().checkMinAddress(false)); 558 } 559 560 @Test 561 @AsbSecurityTest(cveBugId = 33818500) testBug_33818500()562 public void testBug_33818500() throws Exception { 563 int[] frameSizes = getFrameSizes(R.raw.bug_33818500_framelen); 564 doStagefrightTestRawBlob(R.raw.bug_33818500_avc, "video/avc", 64, 32, frameSizes, 565 new CrashUtils.Config().checkMinAddress(false)); 566 } 567 568 @Test 569 @AsbSecurityTest(cveBugId = 64784973) testBug_64784973()570 public void testBug_64784973() throws Exception { 571 int[] frameSizes = getFrameSizes(R.raw.bug_64784973_framelen); 572 doStagefrightTestRawBlob(R.raw.bug_64784973_hevc, "video/hevc", 1280, 720, frameSizes); 573 } 574 575 @Test 576 @AsbSecurityTest(cveBugId = 34231231) testBug_34231231()577 public void testBug_34231231() throws Exception { 578 int[] frameSizes = getFrameSizes(R.raw.bug_34231231_framelen); 579 doStagefrightTestRawBlob(R.raw.bug_34231231_mpeg2, "video/mpeg2", 352, 288, frameSizes); 580 } 581 582 @Test 583 @AsbSecurityTest(cveBugId = 63045918) testBug_63045918()584 public void testBug_63045918() throws Exception { 585 int[] frameSizes = getFrameSizes(R.raw.bug_63045918_framelen); 586 doStagefrightTestRawBlob(R.raw.bug_63045918_hevc, "video/hevc", 352, 288, frameSizes); 587 } 588 589 @Test 590 @AsbSecurityTest(cveBugId = 33298089) testBug_33298089()591 public void testBug_33298089() throws Exception { 592 int[] frameSizes = {3247, 430, 221, 2305}; 593 doStagefrightTestRawBlob(R.raw.bug_33298089_avc, "video/avc", 32, 64, frameSizes); 594 } 595 596 @Test 597 @AsbSecurityTest(cveBugId = 34672748) testStagefright_cve_2017_0599()598 public void testStagefright_cve_2017_0599() throws Exception { 599 doStagefrightTest(R.raw.cve_2017_0599, new CrashUtils.Config().checkMinAddress(false)); 600 } 601 602 @Test 603 @AsbSecurityTest(cveBugId = 36492741) testStagefright_bug_36492741()604 public void testStagefright_bug_36492741() throws Exception { 605 doStagefrightTest(R.raw.bug_36492741); 606 } 607 608 @Test 609 @AsbSecurityTest(cveBugId = 38487564) testStagefright_bug_38487564()610 public void testStagefright_bug_38487564() throws Exception { 611 doStagefrightTest(R.raw.bug_38487564, (4 * 60 * 1000)); 612 } 613 614 @Test 615 @AsbSecurityTest(cveBugId = 37237396) testStagefright_bug_37237396()616 public void testStagefright_bug_37237396() throws Exception { 617 doStagefrightTest(R.raw.bug_37237396); 618 } 619 620 @Test 621 @AsbSecurityTest(cveBugId = 25818142) testStagefright_cve_2016_0842()622 public void testStagefright_cve_2016_0842() throws Exception { 623 doStagefrightTest(R.raw.cve_2016_0842); 624 } 625 626 @Test 627 @AsbSecurityTest(cveBugId = 63121644) testStagefright_bug_63121644()628 public void testStagefright_bug_63121644() throws Exception { 629 doStagefrightTest(R.raw.bug_63121644); 630 } 631 632 @Test 633 @AsbSecurityTest(cveBugId = 30593752) testStagefright_cve_2016_6712()634 public void testStagefright_cve_2016_6712() throws Exception { 635 doStagefrightTest(R.raw.cve_2016_6712, new CrashUtils.Config().checkMinAddress(false)); 636 } 637 638 @Test 639 @AsbSecurityTest(cveBugId = 34097231) testStagefright_bug_34097231()640 public void testStagefright_bug_34097231() throws Exception { 641 doStagefrightTestRawBlob(R.raw.bug_34097231_avc, "video/avc", 320, 240); 642 } 643 644 @Test 645 @AsbSecurityTest(cveBugId = 34097672) testStagefright_bug_34097672()646 public void testStagefright_bug_34097672() throws Exception { 647 doStagefrightTest(R.raw.bug_34097672); 648 } 649 650 651 @Test 652 @AsbSecurityTest(cveBugId = 33751193) testStagefright_bug_33751193()653 public void testStagefright_bug_33751193() throws Exception { 654 doStagefrightTestRawBlob(R.raw.bug_33751193_avc, "video/avc", 320, 240); 655 } 656 657 @Test 658 @AsbSecurityTest(cveBugId = 36993291) testBug_36993291()659 public void testBug_36993291() throws Exception { 660 doStagefrightTestRawBlob(R.raw.bug_36993291_avc, "video/avc", 320, 240); 661 } 662 663 @Test 664 @AsbSecurityTest(cveBugId = 33818508) testStagefright_bug_33818508()665 public void testStagefright_bug_33818508() throws Exception { 666 doStagefrightTest(R.raw.bug_33818508, new CrashUtils.Config().checkMinAddress(false)); 667 } 668 669 @Test 670 @AsbSecurityTest(cveBugId = 32873375) testStagefright_bug_32873375()671 public void testStagefright_bug_32873375() throws Exception { 672 doStagefrightTest(R.raw.bug_32873375, new CrashUtils.Config().checkMinAddress(false)); 673 } 674 675 @Test 676 @AsbSecurityTest(cveBugId = 63522067) testStagefright_bug_63522067()677 public void testStagefright_bug_63522067() throws Exception { 678 doStagefrightTestRawBlob(R.raw.bug_63522067_1_hevc, "video/hevc", 320, 420); 679 doStagefrightTestRawBlob(R.raw.bug_63522067_2_hevc, "video/hevc", 320, 420); 680 doStagefrightTestRawBlob(R.raw.bug_63522067_3_hevc, "video/hevc", 320, 420); 681 doStagefrightTestRawBlob(R.raw.bug_63522067_4_hevc, "video/hevc", 320, 420); 682 } 683 684 @Test 685 @AsbSecurityTest(cveBugId = 25765591) testStagefright_bug_25765591()686 public void testStagefright_bug_25765591() throws Exception { 687 doStagefrightTest(R.raw.bug_25765591); 688 } 689 690 @Test 691 @AsbSecurityTest(cveBugId = 62673179) testStagefright_bug_62673179()692 public void testStagefright_bug_62673179() throws Exception { 693 doStagefrightTest(R.raw.bug_62673179_ts, (4 * 60 * 1000)); 694 } 695 696 @Test 697 @AsbSecurityTest(cveBugId = 69269702) testStagefright_bug_69269702()698 public void testStagefright_bug_69269702() throws Exception { 699 doStagefrightTest(R.raw.bug_69269702); 700 } 701 702 @Test 703 @AsbSecurityTest(cveBugId = 23213430) testStagefright_cve_2015_3867()704 public void testStagefright_cve_2015_3867() throws Exception { 705 doStagefrightTest(R.raw.cve_2015_3867); 706 } 707 708 @Test 709 @AsbSecurityTest(cveBugId = 65398821) testStagefright_bug_65398821()710 public void testStagefright_bug_65398821() throws Exception { 711 doStagefrightTest(R.raw.bug_65398821, ( 4 * 60 * 1000 ) ); 712 } 713 714 @Test 715 @AsbSecurityTest(cveBugId = 23036083) testStagefright_cve_2015_3869()716 public void testStagefright_cve_2015_3869() throws Exception { 717 doStagefrightTest(R.raw.cve_2015_3869); 718 } 719 720 @Test 721 @AsbSecurityTest(cveBugId = 23452792) testStagefright_bug_23452792()722 public void testStagefright_bug_23452792() throws Exception { 723 doStagefrightTest(R.raw.bug_23452792); 724 } 725 726 @Test 727 @AsbSecurityTest(cveBugId = 28673410) testStagefright_cve_2016_3820()728 public void testStagefright_cve_2016_3820() throws Exception { 729 doStagefrightTest(R.raw.cve_2016_3820); 730 } 731 732 @Test 733 @AsbSecurityTest(cveBugId = 28165661) testStagefright_cve_2016_3741()734 public void testStagefright_cve_2016_3741() throws Exception { 735 doStagefrightTest(R.raw.cve_2016_3741); 736 } 737 738 @Test 739 @AsbSecurityTest(cveBugId = 28175045) testStagefright_cve_2016_2506()740 public void testStagefright_cve_2016_2506() throws Exception { 741 doStagefrightTest(R.raw.cve_2016_2506); 742 } 743 744 @Test 745 @AsbSecurityTest(cveBugId = 26751339) testStagefright_cve_2016_2428()746 public void testStagefright_cve_2016_2428() throws Exception { 747 doStagefrightTest(R.raw.cve_2016_2428, new CrashUtils.Config().checkMinAddress(false)); 748 } 749 750 @Test 751 @AsbSecurityTest(cveBugId = 28556125) testStagefright_cve_2016_3756()752 public void testStagefright_cve_2016_3756() throws Exception { 753 doStagefrightTest(R.raw.cve_2016_3756); 754 } 755 756 @Test 757 @AsbSecurityTest(cveBugId = 36592202) testStagefright_bug_36592202()758 public void testStagefright_bug_36592202() throws Exception { 759 Resources resources = getInstrumentation().getContext().getResources(); 760 AssetFileDescriptor fd = resources.openRawResourceFd(R.raw.bug_36592202); 761 final int oggPageSize = 25627; 762 byte [] blob = new byte[oggPageSize]; 763 // 127 bytes read and 25500 zeros constitute one Ogg page 764 FileInputStream fis = fd.createInputStream(); 765 int numRead = fis.read(blob); 766 fis.close(); 767 // Creating temp file 768 final File tempFile = File.createTempFile("poc_tmp", ".ogg", null); 769 try { 770 final FileOutputStream tempFos = new FileOutputStream(tempFile.getAbsolutePath()); 771 int bytesWritten = 0; 772 final long oggPagesRequired = 50000; 773 long oggPagesAvailable = tempFile.getUsableSpace() / oggPageSize; 774 long numOggPages = Math.min(oggPagesRequired, oggPagesAvailable); 775 // Repeat data for specified number of pages 776 for (int i = 0; i < numOggPages; i++) { 777 tempFos.write(blob); 778 bytesWritten += oggPageSize; 779 } 780 tempFos.close(); 781 final int fileSize = bytesWritten; 782 final int timeout = (10 * 60 * 1000); 783 runWithTimeout(new Runnable() { 784 @Override 785 public void run() { 786 try { 787 doStagefrightTestMediaCodec(tempFile.getAbsolutePath(), 788 new CrashUtils.Config().checkMinAddress(false)); 789 } catch (Exception | AssertionError e) { 790 if (!tempFile.delete()) { 791 Log.e(TAG, "Failed to delete temporary PoC file"); 792 } 793 fail("Operation was not successful"); 794 } 795 } 796 }, timeout); 797 } catch (Exception e) { 798 fail("Failed to test b/36592202"); 799 } finally { 800 if (!tempFile.delete()) { 801 Log.e(TAG, "Failed to delete temporary PoC file"); 802 } 803 } 804 } 805 806 @Test 807 @AsbSecurityTest(cveBugId = 30822755) testStagefright_bug_30822755()808 public void testStagefright_bug_30822755() throws Exception { 809 doStagefrightTest(R.raw.bug_30822755); 810 } 811 812 @Test 813 @AsbSecurityTest(cveBugId = 32322258) testStagefright_bug_32322258()814 public void testStagefright_bug_32322258() throws Exception { 815 doStagefrightTest(R.raw.bug_32322258, new CrashUtils.Config().checkMinAddress(false)); 816 } 817 818 @Test 819 @AsbSecurityTest(cveBugId = 23248776) testStagefright_cve_2015_3873_b_23248776()820 public void testStagefright_cve_2015_3873_b_23248776() throws Exception { 821 doStagefrightTest(R.raw.cve_2015_3873_b_23248776); 822 } 823 824 @Test 825 @AsbSecurityTest(cveBugId = 35472997) testStagefright_bug_35472997()826 public void testStagefright_bug_35472997() throws Exception { 827 doStagefrightTest(R.raw.bug_35472997); 828 } 829 830 @Test 831 @AsbSecurityTest(cveBugId = 20718524) testStagefright_cve_2015_3873_b_20718524()832 public void testStagefright_cve_2015_3873_b_20718524() throws Exception { 833 doStagefrightTest(R.raw.cve_2015_3873_b_20718524); 834 } 835 836 @Test 837 @AsbSecurityTest(cveBugId = 34896431) testStagefright_bug_34896431()838 public void testStagefright_bug_34896431() throws Exception { 839 doStagefrightTest(R.raw.bug_34896431); 840 } 841 842 @Test 843 @AsbSecurityTest(cveBugId = 33641588) testBug_33641588()844 public void testBug_33641588() throws Exception { 845 doStagefrightTestRawBlob(R.raw.bug_33641588_avc, "video/avc", 320, 240); 846 } 847 848 @Test 849 @AsbSecurityTest(cveBugId = 22954006) testStagefright_cve_2015_3862_b_22954006()850 public void testStagefright_cve_2015_3862_b_22954006() throws Exception { 851 doStagefrightTest(R.raw.cve_2015_3862_b_22954006, 852 new CrashUtils.Config().checkMinAddress(false)); 853 } 854 855 @Test 856 @AsbSecurityTest(cveBugId = 23213430) testStagefright_cve_2015_3867_b_23213430()857 public void testStagefright_cve_2015_3867_b_23213430() throws Exception { 858 doStagefrightTest(R.raw.cve_2015_3867_b_23213430); 859 } 860 861 @Test 862 @AsbSecurityTest(cveBugId = 21814993) testStagefright_cve_2015_3873_b_21814993()863 public void testStagefright_cve_2015_3873_b_21814993() throws Exception { 864 doStagefrightTest(R.raw.cve_2015_3873_b_21814993); 865 } 866 867 @Test 868 @AsbSecurityTest(cveBugId = 25812590) testStagefright_bug_25812590()869 public void testStagefright_bug_25812590() throws Exception { 870 doStagefrightTest(R.raw.bug_25812590); 871 } 872 873 @Test 874 @AsbSecurityTest(cveBugId = 22882938) testStagefright_cve_2015_6600()875 public void testStagefright_cve_2015_6600() throws Exception { 876 doStagefrightTest(R.raw.cve_2015_6600); 877 } 878 879 @Test 880 @AsbSecurityTest(cveBugId = 23227354) testStagefright_cve_2015_6603()881 public void testStagefright_cve_2015_6603() throws Exception { 882 doStagefrightTest(R.raw.cve_2015_6603); 883 } 884 885 @Test 886 @AsbSecurityTest(cveBugId = 23129786) testStagefright_cve_2015_6604()887 public void testStagefright_cve_2015_6604() throws Exception { 888 doStagefrightTest(R.raw.cve_2015_6604); 889 } 890 891 @Test 892 @AsbSecurityTest(cveBugId = 24157524) testStagefright_bug_24157524()893 public void testStagefright_bug_24157524() throws Exception { 894 doStagefrightTestMediaCodec(R.raw.bug_24157524); 895 } 896 897 @Test 898 @AsbSecurityTest(cveBugId = 23031033) testStagefright_cve_2015_3871()899 public void testStagefright_cve_2015_3871() throws Exception { 900 doStagefrightTest(R.raw.cve_2015_3871); 901 } 902 903 @Test 904 @AsbSecurityTest(cveBugId = 26070014) testStagefright_bug_26070014()905 public void testStagefright_bug_26070014() throws Exception { 906 doStagefrightTest(R.raw.bug_26070014); 907 } 908 909 @Test 910 @AsbSecurityTest(cveBugId = 32915871) testStagefright_bug_32915871()911 public void testStagefright_bug_32915871() throws Exception { 912 doStagefrightTest(R.raw.bug_32915871); 913 } 914 915 @Test 916 @AsbSecurityTest(cveBugId = 28333006) testStagefright_bug_28333006()917 public void testStagefright_bug_28333006() throws Exception { 918 doStagefrightTest(R.raw.bug_28333006); 919 } 920 921 @Test 922 @AsbSecurityTest(cveBugId = 14388161) testStagefright_bug_14388161()923 public void testStagefright_bug_14388161() throws Exception { 924 doStagefrightTestMediaPlayer(R.raw.bug_14388161); 925 } 926 927 @Test 928 @AsbSecurityTest(cveBugId = 28470138) testStagefright_cve_2016_3755()929 public void testStagefright_cve_2016_3755() throws Exception { 930 doStagefrightTest(R.raw.cve_2016_3755, new CrashUtils.Config().checkMinAddress(false)); 931 } 932 933 @Test 934 @AsbSecurityTest(cveBugId = 29493002) testStagefright_cve_2016_3878_b_29493002()935 public void testStagefright_cve_2016_3878_b_29493002() throws Exception { 936 doStagefrightTest(R.raw.cve_2016_3878_b_29493002, 937 new CrashUtils.Config().checkMinAddress(false)); 938 } 939 940 @Test 941 @AsbSecurityTest(cveBugId = 36819262) testBug_36819262()942 public void testBug_36819262() throws Exception { 943 doStagefrightTestRawBlob(R.raw.bug_36819262_mpeg2, "video/mpeg2", 640, 480); 944 } 945 946 @Test 947 @AsbSecurityTest(cveBugId = 23680780) testStagefright_cve_2015_6608_b_23680780()948 public void testStagefright_cve_2015_6608_b_23680780() throws Exception { 949 doStagefrightTest(R.raw.cve_2015_6608_b_23680780); 950 } 951 952 @Test 953 @AsbSecurityTest(cveBugId = 36715268) testStagefright_bug_36715268()954 public void testStagefright_bug_36715268() throws Exception { 955 doStagefrightTest(R.raw.bug_36715268); 956 } 957 958 @Test 959 @AsbSecurityTest(cveBugId = 27855419) testStagefright_bug_27855419_CVE_2016_2463()960 public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception { 961 doStagefrightTest(R.raw.bug_27855419, new CrashUtils.Config().checkMinAddress(false)); 962 } 963 964 @Test 965 @AsbSecurityTest(cveBugId = 19779574) testStagefright_bug_19779574()966 public void testStagefright_bug_19779574() throws Exception { 967 doStagefrightTest(R.raw.bug_19779574, new CrashUtils.Config().checkMinAddress(false)); 968 } 969 970 /*********************************************************** 971 to prevent merge conflicts, add N tests below this comment, 972 before any existing test methods 973 ***********************************************************/ 974 975 @Test 976 @AsbSecurityTest(cveBugId = 33090864) testBug_33090864()977 public void testBug_33090864() throws Exception { 978 int[] frameSizes = getFrameSizes(R.raw.bug_33090864_framelen); 979 doStagefrightTestRawBlob(R.raw.bug_33090864_avc, "video/avc", 320, 240, frameSizes); 980 } 981 982 @Test 983 @AsbSecurityTest(cveBugId = 36279112) testStagefright_bug_36279112()984 public void testStagefright_bug_36279112() throws Exception { 985 doStagefrightTest(R.raw.bug_36279112, new CrashUtils.Config().checkMinAddress(false)); 986 } 987 988 @Test 989 @AsbSecurityTest(cveBugId = 33129467) testStagefright_cve_2017_0640()990 public void testStagefright_cve_2017_0640() throws Exception { 991 int[] frameSizes = {21, 4}; 992 doStagefrightTestRawBlob(R.raw.cve_2017_0640_avc, "video/avc", 640, 480, 993 frameSizes); 994 } 995 996 @Test 997 @AsbSecurityTest(cveBugId = 37203196) testBug_37203196()998 public void testBug_37203196() throws Exception { 999 int[] frameSizes = getFrameSizes(R.raw.bug_37203196_framelen); 1000 doStagefrightTestRawBlob(R.raw.bug_37203196_mpeg2, "video/mpeg2", 48, 48, frameSizes); 1001 } 1002 1003 @Test 1004 @AsbSecurityTest(cveBugId = 73552574) testBug_73552574()1005 public void testBug_73552574() throws Exception { 1006 int[] frameSizes = getFrameSizes(R.raw.bug_73552574_framelen); 1007 doStagefrightTestRawBlob(R.raw.bug_73552574_avc, "video/avc", 320, 240, frameSizes); 1008 } 1009 1010 @Test 1011 @AsbSecurityTest(cveBugId = 23285192) testStagefright_bug_23285192()1012 public void testStagefright_bug_23285192() throws Exception { 1013 doStagefrightTest(R.raw.bug_23285192); 1014 } 1015 1016 @Test 1017 @AsbSecurityTest(cveBugId = 25928803) testStagefright_bug_25928803()1018 public void testStagefright_bug_25928803() throws Exception { 1019 doStagefrightTest(R.raw.bug_25928803); 1020 } 1021 1022 @Test 1023 @AsbSecurityTest(cveBugId = 26399350) testBug_26399350()1024 public void testBug_26399350() throws Exception { 1025 int[] frameSizes = {657, 54930}; 1026 doStagefrightTestRawBlob(R.raw.bug_26399350_avc, "video/avc", 640, 480, 1027 frameSizes); 1028 } 1029 1030 @Test 1031 @AsbSecurityTest(cveBugId = 113260892) testBug_113260892()1032 public void testBug_113260892() throws Exception { 1033 doStagefrightTestRawBlob(R.raw.bug_113260892_hevc, "video/hevc", 320, 240); 1034 } 1035 1036 @Test 1037 @AsbSecurityTest(cveBugId = 68342866) testStagefright_bug_68342866()1038 public void testStagefright_bug_68342866() throws Exception { 1039 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1040 policy.setCleartextTrafficPermitted(true); 1041 Thread server = new Thread() { 1042 @Override 1043 public void run() { 1044 try (ServerSocket serverSocket = new ServerSocket(8080) { 1045 {setSoTimeout(10_000);} // time out after 10 seconds 1046 }; 1047 Socket conn = serverSocket.accept(); 1048 ) { 1049 OutputStream outputstream = conn.getOutputStream(); 1050 InputStream inputStream = conn.getInputStream(); 1051 byte input[] = new byte[65536]; 1052 inputStream.read(input, 0, 65536); 1053 String inputStr = new String(input); 1054 if (inputStr.contains("bug_68342866.m3u8")) { 1055 byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n") 1056 .getBytes(); 1057 byte playlist[] = new byte[] { 0x23, 0x45, 0x58, 0x54, 1058 0x4D, 0x33, 0x55, 0x0A, 0x23, 0x45, 0x58, 0x54, 1059 0x2D, 0x58, 0x2D, 0x53, 0x54, 0x52, 0x45, 0x41, 1060 0x4D, 0x2D, 0x49, 0x4E, 0x46, 0x46, 0x43, 0x23, 1061 0x45, 0x3A, 0x54, 0x42, 0x00, 0x00, 0x00, 0x0A, 1062 0x00, 0x00, 0x00, 0x00, 0x00, (byte) 0xFF, 1063 (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 1064 (byte) 0xFF, (byte) 0xFF, 0x3F, 0x2C, 0x4E, 1065 0x46, 0x00, 0x00 }; 1066 outputstream.write(http); 1067 outputstream.write(playlist); 1068 } 1069 } catch (IOException e) { 1070 } 1071 } 1072 }; 1073 server.start(); 1074 String uri = "http://127.0.0.1:8080/bug_68342866.m3u8"; 1075 final MediaPlayerCrashListener mpcl = 1076 new MediaPlayerCrashListener(new CrashUtils.Config().checkMinAddress(false)); 1077 LooperThread t = new LooperThread(new Runnable() { 1078 @Override 1079 public void run() { 1080 MediaPlayer mp = new MediaPlayer(); 1081 mp.setOnErrorListener(mpcl); 1082 mp.setOnPreparedListener(mpcl); 1083 mp.setOnCompletionListener(mpcl); 1084 RenderTarget renderTarget = RenderTarget.create(); 1085 Surface surface = renderTarget.getSurface(); 1086 mp.setSurface(surface); 1087 AssetFileDescriptor fd = null; 1088 try { 1089 mp.setDataSource(uri); 1090 mp.prepareAsync(); 1091 } catch (IOException e) { 1092 Log.e(TAG, e.toString()); 1093 } finally { 1094 closeQuietly(fd); 1095 } 1096 Looper.loop(); 1097 mp.release(); 1098 renderTarget.destroy(); 1099 } 1100 }); 1101 t.start(); 1102 assertFalse("Device *IS* vulnerable to BUG-68342866", 1103 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1104 t.stopLooper(); 1105 t.join(); 1106 policy.setCleartextTrafficPermitted(false); 1107 server.join(); 1108 } 1109 1110 @Test 1111 @AsbSecurityTest(cveBugId = 74114680) testStagefright_bug_74114680()1112 public void testStagefright_bug_74114680() throws Exception { 1113 doStagefrightTest(R.raw.bug_74114680_ts, (10 * 60 * 1000)); 1114 } 1115 1116 @Test 1117 @AsbSecurityTest(cveBugId = 70239507) testStagefright_bug_70239507()1118 public void testStagefright_bug_70239507() throws Exception { 1119 doStagefrightTestExtractorSeek(R.raw.bug_70239507,1311768465173141112L); 1120 } 1121 1122 @Test 1123 @AsbSecurityTest(cveBugId = 33250932) testBug_33250932()1124 public void testBug_33250932() throws Exception { 1125 int[] frameSizes = {65, 11, 102, 414}; 1126 doStagefrightTestRawBlob(R.raw.bug_33250932_avc, "video/avc", 640, 480, frameSizes); 1127 } 1128 1129 @Test 1130 @AsbSecurityTest(cveBugId = 37430213) testStagefright_bug_37430213()1131 public void testStagefright_bug_37430213() throws Exception { 1132 doStagefrightTest(R.raw.bug_37430213); 1133 } 1134 1135 @Test 1136 @AsbSecurityTest(cveBugId = 68664359) testStagefright_bug_68664359()1137 public void testStagefright_bug_68664359() throws Exception { 1138 doStagefrightTest(R.raw.bug_68664359, 60000); 1139 } 1140 1141 @Test 1142 @AsbSecurityTest(cveBugId = 68664359) testStagefright_bug_110435401()1143 public void testStagefright_bug_110435401() throws Exception { 1144 doStagefrightTest(R.raw.bug_110435401, 60000); 1145 } 1146 1147 @Test 1148 @AsbSecurityTest(cveBugId = 32589224) testStagefright_cve_2017_0474()1149 public void testStagefright_cve_2017_0474() throws Exception { 1150 doStagefrightTest(R.raw.cve_2017_0474, 120000); 1151 } 1152 1153 @Test 1154 @AsbSecurityTest(cveBugId = 62872863) testStagefright_cve_2017_0765()1155 public void testStagefright_cve_2017_0765() throws Exception { 1156 doStagefrightTest(R.raw.cve_2017_0765); 1157 } 1158 1159 @Test 1160 @AsbSecurityTest(cveBugId = 70637599) testStagefright_cve_2017_13276()1161 public void testStagefright_cve_2017_13276() throws Exception { 1162 doStagefrightTest(R.raw.cve_2017_13276); 1163 } 1164 1165 @Test 1166 @AsbSecurityTest(cveBugId = 31681434) testStagefright_cve_2016_6764()1167 public void testStagefright_cve_2016_6764() throws Exception { 1168 doStagefrightTest(R.raw.cve_2016_6764, new CrashUtils.Config().checkMinAddress(false)); 1169 } 1170 1171 @Test 1172 @AsbSecurityTest(cveBugId = 38495900) testStagefright_cve_2017_13214()1173 public void testStagefright_cve_2017_13214() throws Exception { 1174 doStagefrightTest(R.raw.cve_2017_13214); 1175 } 1176 1177 @Test 1178 @AsbSecurityTest(cveBugId = 35467107) testStagefright_bug_35467107()1179 public void testStagefright_bug_35467107() throws Exception { 1180 doStagefrightTest(R.raw.bug_35467107, new CrashUtils.Config().checkMinAddress(false)); 1181 } 1182 1183 /*********************************************************** 1184 to prevent merge conflicts, add O tests below this comment, 1185 before any existing test methods 1186 ***********************************************************/ 1187 @Test 1188 @AsbSecurityTest(cveBugId = 162756352) testStagefright_cve_2020_11184()1189 public void testStagefright_cve_2020_11184() throws Exception { 1190 doStagefrightTest(R.raw.cve_2020_11184); 1191 } 1192 1193 @Test 1194 @AsbSecurityTest(cveBugId = 130024844) testStagefright_cve_2019_2107()1195 public void testStagefright_cve_2019_2107() throws Exception { 1196 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1197 getInstrumentation().getContext().getPackageManager(), 1198 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1199 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2107_framelen); 1200 doStagefrightTestRawBlob(R.raw.cve_2019_2107_hevc, "video/hevc", 1920, 1201 1080, frameSizes); 1202 } 1203 1204 @Test 1205 @AsbSecurityTest(cveBugId = 122473145) testStagefright_cve_2019_2245()1206 public void testStagefright_cve_2019_2245() throws Exception { 1207 doStagefrightTest(R.raw.cve_2019_2245); 1208 } 1209 1210 @Test 1211 @AsbSecurityTest(cveBugId = 120483842) testStagefright_cve_2018_13925()1212 public void testStagefright_cve_2018_13925() throws Exception { 1213 doStagefrightTest(R.raw.cve_2018_13925); 1214 } 1215 1216 @Test 1217 @AsbSecurityTest(cveBugId = 157905659) testStagefright_cve_2020_11139()1218 public void testStagefright_cve_2020_11139() throws Exception { 1219 doStagefrightTest(R.raw.cve_2020_11139); 1220 } 1221 1222 @Test 1223 @AsbSecurityTest(cveBugId = 150697436) testStagefright_cve_2020_3663()1224 public void testStagefright_cve_2020_3663() throws Exception { 1225 doStagefrightTest(R.raw.cve_2020_3663); 1226 } 1227 1228 @Test 1229 @AsbSecurityTest(cveBugId = 155653312) testStagefright_cve_2020_11122()1230 public void testStagefright_cve_2020_11122() throws Exception { 1231 doStagefrightTest(R.raw.cve_2020_11122); 1232 } 1233 1234 @Test 1235 @AsbSecurityTest(cveBugId = 153345450) testStagefright_cve_2020_3688()1236 public void testStagefright_cve_2020_3688() throws Exception { 1237 doStagefrightTest(R.raw.cve_2020_3688); 1238 } 1239 1240 @Test 1241 @AsbSecurityTest(cveBugId = 162756122) testStagefright_cve_2020_11168()1242 public void testStagefright_cve_2020_11168() throws Exception { 1243 doStagefrightTest(R.raw.cve_2020_11168); 1244 } 1245 1246 @Test 1247 @AsbSecurityTest(cveBugId = 150697838) testStagefright_cve_2020_3658()1248 public void testStagefright_cve_2020_3658() throws Exception { 1249 doStagefrightTest(R.raw.cve_2020_3658); 1250 } 1251 1252 @Test 1253 @AsbSecurityTest(cveBugId = 148816216) testStagefright_cve_2020_3633()1254 public void testStagefright_cve_2020_3633() throws Exception { 1255 doStagefrightTest(R.raw.cve_2020_3633); 1256 } 1257 1258 @Test 1259 @AsbSecurityTest(cveBugId = 150695050) testStagefright_cve_2020_3660()1260 public void testStagefright_cve_2020_3660() throws Exception { 1261 doStagefrightTest(R.raw.cve_2020_3660); 1262 } 1263 1264 @Test 1265 @AsbSecurityTest(cveBugId = 150695169) testStagefright_cve_2020_3661()1266 public void testStagefright_cve_2020_3661() throws Exception { 1267 doStagefrightTest(R.raw.cve_2020_3661); 1268 } 1269 1270 @Test 1271 @AsbSecurityTest(cveBugId = 142271944) testStagefright_cve_2019_14013()1272 public void testStagefright_cve_2019_14013() throws Exception { 1273 doStagefrightTest(R.raw.cve_2019_14013); 1274 } 1275 1276 @Test 1277 @AsbSecurityTest(cveBugId = 150696661) testStagefright_cve_2020_3662()1278 public void testStagefright_cve_2020_3662() throws Exception { 1279 doStagefrightTest(R.raw.cve_2020_3662); 1280 } 1281 1282 @Test 1283 @AsbSecurityTest(cveBugId = 170583712) testStagefright_cve_2021_0312()1284 public void testStagefright_cve_2021_0312() throws Exception { 1285 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1286 getInstrumentation().getContext().getPackageManager(), 1287 MainlineModule.MEDIA)); 1288 doStagefrightTestExtractorSeek(R.raw.cve_2021_0312, 2, new CrashUtils.Config() 1289 .setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1290 } 1291 1292 @Test 1293 @AsbSecurityTest(cveBugId = 77600398) testStagefright_cve_2018_9474()1294 public void testStagefright_cve_2018_9474() throws Exception { 1295 MediaPlayer mp = new MediaPlayer(); 1296 RenderTarget renderTarget = RenderTarget.create(); 1297 Surface surface = renderTarget.getSurface(); 1298 mp.setSurface(surface); 1299 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1300 .openRawResourceFd(R.raw.cve_2018_9474); 1301 1302 mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 1303 mp.prepare(); 1304 1305 MediaPlayer.TrackInfo[] trackInfos = mp.getTrackInfo(); 1306 if (trackInfos == null || trackInfos.length == 0) { 1307 return; 1308 } 1309 1310 MediaPlayer.TrackInfo trackInfo = trackInfos[0]; 1311 1312 int trackType = trackInfo.getTrackType(); 1313 MediaFormat format = trackInfo.getFormat(); 1314 1315 Parcel data = Parcel.obtain(); 1316 trackInfo.writeToParcel(data, 0); 1317 1318 data.setDataPosition(0); 1319 int trackTypeFromParcel = data.readInt(); 1320 String mimeTypeFromParcel = data.readString(); 1321 data.recycle(); 1322 1323 if (trackType == trackTypeFromParcel) { 1324 assertFalse("Device *IS* vulnerable to CVE-2018-9474", 1325 mimeTypeFromParcel.equals("und")); 1326 } 1327 } 1328 1329 @Test 1330 @AsbSecurityTest(cveBugId = 130025324) testStagefright_cve_2019_2108()1331 public void testStagefright_cve_2019_2108() throws Exception { 1332 doStagefrightTestRawBlob(R.raw.cve_2019_2108_hevc, "video/hevc", 320, 240, 1333 new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, 1334 CrashUtils.SIGABRT)); 1335 } 1336 1337 @Test 1338 @AsbSecurityTest(cveBugId = 25747670) testStagefright_cve_2016_3880()1339 public void testStagefright_cve_2016_3880() throws Exception { 1340 Thread server = new Thread() { 1341 @Override 1342 public void run() { 1343 try (ServerSocket serverSocket = new ServerSocket(8080) { 1344 {setSoTimeout(10_000);} // time out after 10 seconds 1345 }; 1346 Socket conn = serverSocket.accept() 1347 ) { 1348 OutputStream outputstream = conn.getOutputStream(); 1349 InputStream inputStream = conn.getInputStream(); 1350 byte input[] = new byte[65536]; 1351 inputStream.read(input, 0, 65536); 1352 String inputStr = new String(input); 1353 if (inputStr.contains("DESCRIBE rtsp://127.0.0.1:8080/cve_2016_3880")) { 1354 byte http[] = ("RTSP/1.0 200 OK\r\n" 1355 + "Server: stagefright/1.2 (Linux;Android 9)\r\n" 1356 + "Content-Type: application/sdp\r\n" 1357 + "Content-Base: rtsp://127.0.0.1:8080/cve_2016_3880\r\n" 1358 + "Content-Length: 379\r\n" 1359 + "Cache-Control: no-cache\r\nCSeq: 1\r\n\r\n").getBytes(); 1360 1361 byte sdp[] = ("v=0\r\no=- 64 233572944 IN IP4 127.0.0.0\r\n" 1362 + "s=QuickTime\r\nt=0 0\r\na=range:npt=now-\r\n" 1363 + "m=video 5434 RTP/AVP 96123456\r\nc=IN IP4 127.0.0.1\r\n" 1364 + "b=AS:320000\r\na=rtpmap:96123456 H264/90000\r\n" 1365 + "a=fmtp:96123456 packetization-mode=1;profile-level-id=42001E;" 1366 + "sprop-parameter-sets=Z0IAHpZUBaHogA==,aM44gA==\r\n" 1367 + "a=cliprect:0,0,480,270\r\na=framesize:96123456 720-480\r\n" 1368 + "a=control:track1\r\n").getBytes(); 1369 1370 outputstream.write(http); 1371 outputstream.write(sdp); 1372 outputstream.flush(); 1373 } 1374 } catch (IOException e) { 1375 } 1376 } 1377 }; 1378 server.start(); 1379 String uri = "rtsp://127.0.0.1:8080/cve_2016_3880"; 1380 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener( 1381 new CrashUtils.Config() 1382 .setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT) 1383 .appendAbortMessageExcludes("CHECK\\(IsRTSPVersion")); 1384 LooperThread t = new LooperThread(new Runnable() { 1385 @Override 1386 public void run() { 1387 MediaPlayer mp = new MediaPlayer(); 1388 mp.setOnErrorListener(mpcl); 1389 mp.setOnPreparedListener(mpcl); 1390 mp.setOnCompletionListener(mpcl); 1391 RenderTarget renderTarget = RenderTarget.create(); 1392 Surface surface = renderTarget.getSurface(); 1393 mp.setSurface(surface); 1394 AssetFileDescriptor fd = null; 1395 try { 1396 mp.setDataSource(uri); 1397 mp.prepareAsync(); 1398 } catch (IOException e) { 1399 Log.e(TAG, e.toString()); 1400 } finally { 1401 closeQuietly(fd); 1402 } 1403 Looper.loop(); 1404 mp.release(); 1405 } 1406 }); 1407 t.start(); 1408 assertFalse("Device *IS* vulnerable to CVE-2016-3880", 1409 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1410 t.stopLooper(); 1411 t.join(); 1412 server.join(); 1413 } 1414 1415 @Test 1416 @AsbSecurityTest(cveBugId = 170240631) testStagefright_bug170240631()1417 public void testStagefright_bug170240631() throws Exception { 1418 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1419 getInstrumentation().getContext().getPackageManager(), 1420 MainlineModule.MEDIA)); 1421 doStagefrightTest(R.raw.bug170240631_ts); 1422 } 1423 1424 @Test 1425 @AsbSecurityTest(cveBugId = 148816624) testStagefright_cve_2020_3641()1426 public void testStagefright_cve_2020_3641() throws Exception { 1427 doStagefrightTest(R.raw.cve_2020_3641); 1428 } 1429 1430 @Test 1431 @AsbSecurityTest(cveBugId = 147103871) testStagefright_cve_2019_14127()1432 public void testStagefright_cve_2019_14127() throws Exception { 1433 doStagefrightTest(R.raw.cve_2019_14127); 1434 } 1435 1436 @Test 1437 @AsbSecurityTest(cveBugId = 147104052) testStagefright_cve_2019_14132()1438 public void testStagefright_cve_2019_14132() throws Exception { 1439 doStagefrightTest(R.raw.cve_2019_14132); 1440 } 1441 1442 @Test 1443 @AsbSecurityTest(cveBugId = 145545283) testStagefright_cve_2019_10591()1444 public void testStagefright_cve_2019_10591() throws Exception { 1445 doStagefrightTest(R.raw.cve_2019_10591); 1446 } 1447 1448 @Test 1449 @AsbSecurityTest(cveBugId = 143903858) testStagefright_cve_2019_10590()1450 public void testStagefright_cve_2019_10590() throws Exception { 1451 doStagefrightTest(R.raw.cve_2019_10590); 1452 } 1453 1454 @Test 1455 @AsbSecurityTest(cveBugId = 142271848) testStagefright_cve_2019_14004()1456 public void testStagefright_cve_2019_14004() throws Exception { 1457 doStagefrightTest(R.raw.cve_2019_14004); 1458 } 1459 1460 @Test 1461 @AsbSecurityTest(cveBugId = 142271498) testStagefright_cve_2019_14003()1462 public void testStagefright_cve_2019_14003() throws Exception { 1463 doStagefrightTest(R.raw.cve_2019_14003); 1464 } 1465 1466 @Test 1467 @AsbSecurityTest(cveBugId = 143903018) testStagefright_cve_2019_14057()1468 public void testStagefright_cve_2019_14057() throws Exception { 1469 doStagefrightTest(R.raw.cve_2019_14057); 1470 } 1471 1472 @Test 1473 @AsbSecurityTest(cveBugId = 142271634) testStagefright_cve_2019_10532()1474 public void testStagefright_cve_2019_10532() throws Exception { 1475 doStagefrightTest(R.raw.cve_2019_10532); 1476 } 1477 1478 @Test 1479 @AsbSecurityTest(cveBugId = 142268949) testStagefright_cve_2019_10578()1480 public void testStagefright_cve_2019_10578() throws Exception { 1481 doStagefrightTest(R.raw.cve_2019_10578); 1482 } 1483 1484 @Test 1485 @AsbSecurityTest(cveBugId = 145545758) testStagefright_cve_2019_14061()1486 public void testStagefright_cve_2019_14061() throws Exception { 1487 doStagefrightTest(R.raw.cve_2019_14061, 180000); 1488 } 1489 1490 @Test 1491 @AsbSecurityTest(cveBugId = 142271615) testStagefright_cve_2019_10611()1492 public void testStagefright_cve_2019_10611() throws Exception { 1493 doStagefrightTest(R.raw.cve_2019_10611); 1494 } 1495 1496 @Test 1497 @AsbSecurityTest(cveBugId = 132108754) testStagefright_cve_2019_10489()1498 public void testStagefright_cve_2019_10489() throws Exception { 1499 doStagefrightTest(R.raw.cve_2019_10489); 1500 } 1501 1502 @Test 1503 @AsbSecurityTest(cveBugId = 145545282) testStagefright_cve_2019_14048()1504 public void testStagefright_cve_2019_14048() throws Exception { 1505 doStagefrightTest(R.raw.cve_2019_14048); 1506 } 1507 1508 @Test 1509 @AsbSecurityTest(cveBugId = 129766432) testStagefright_cve_2019_2253()1510 public void testStagefright_cve_2019_2253() throws Exception { 1511 doStagefrightTest(R.raw.cve_2019_2253); 1512 } 1513 1514 @Test 1515 @AsbSecurityTest(cveBugId = 142271692) testStagefright_cve_2019_10579()1516 public void testStagefright_cve_2019_10579() throws Exception { 1517 doStagefrightTestANR(R.raw.cve_2019_10579); 1518 } 1519 1520 @Test 1521 @AsbSecurityTest(cveBugId = 142271965) testStagefright_cve_2019_14005()1522 public void testStagefright_cve_2019_14005() throws Exception { 1523 doStagefrightTest(R.raw.cve_2019_14005); 1524 } 1525 1526 @Test 1527 @AsbSecurityTest(cveBugId = 142271827) testStagefright_cve_2019_14006()1528 public void testStagefright_cve_2019_14006() throws Exception { 1529 doStagefrightTest(R.raw.cve_2019_14006); 1530 } 1531 1532 @Test 1533 @AsbSecurityTest(cveBugId = 142270646) testStagefright_CVE_2019_14016()1534 public void testStagefright_CVE_2019_14016() throws Exception { 1535 doStagefrightTest(R.raw.cve_2019_14016); 1536 } 1537 1538 @Test 1539 @AsbSecurityTest(cveBugId = 142271515) testStagefright_CVE_2019_14017()1540 public void testStagefright_CVE_2019_14017() throws Exception { 1541 doStagefrightTest(R.raw.cve_2019_14017); 1542 } 1543 1544 @Test 1545 @AsbSecurityTest(cveBugId = 78029004) testStagefright_cve_2018_9412()1546 public void testStagefright_cve_2018_9412() throws Exception { 1547 doStagefrightTest(R.raw.cve_2018_9412, 180000); 1548 } 1549 1550 @Test 1551 @AsbSecurityTest(cveBugId = 142641801) testStagefright_bug_142641801()1552 public void testStagefright_bug_142641801() throws Exception { 1553 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1554 getInstrumentation().getContext().getPackageManager(), 1555 MainlineModule.MEDIA)); 1556 doStagefrightTest(R.raw.bug_142641801); 1557 } 1558 1559 @Test 1560 @AsbSecurityTest(cveBugId = 134437379) testStagefright_cve_2019_10534()1561 public void testStagefright_cve_2019_10534() throws Exception { 1562 doStagefrightTest(R.raw.cve_2019_10534); 1563 } 1564 1565 @Test 1566 @AsbSecurityTest(cveBugId = 134437210) testStagefright_cve_2019_10533()1567 public void testStagefright_cve_2019_10533() throws Exception { 1568 doStagefrightTest(R.raw.cve_2019_10533); 1569 } 1570 1571 @Test 1572 @AsbSecurityTest(cveBugId = 134437115) testStagefright_cve_2019_10541()1573 public void testStagefright_cve_2019_10541() throws Exception { 1574 doStagefrightTest(R.raw.cve_2019_10541); 1575 } 1576 1577 @Test 1578 @AsbSecurityTest(cveBugId = 62851602) testStagefright_cve_2017_13233()1579 public void testStagefright_cve_2017_13233() throws Exception { 1580 doStagefrightTestRawBlob(R.raw.cve_2017_13233_hevc, "video/hevc", 640, 1581 480); 1582 } 1583 1584 @Test 1585 @AsbSecurityTest(cveBugId = 130023983) testStagefright_cve_2019_2106()1586 public void testStagefright_cve_2019_2106() throws Exception { 1587 int[] frameSizes = {943, 3153}; 1588 doStagefrightTestRawBlob(R.raw.cve_2019_2106_hevc, "video/hevc", 320, 1589 240, frameSizes); 1590 } 1591 1592 @Test 1593 @AsbSecurityTest(cveBugId = 34064500) testStagefright_cve_2017_0637()1594 public void testStagefright_cve_2017_0637() throws Exception { 1595 doStagefrightTest(R.raw.cve_2017_0637, 2 * 72000); 1596 } 1597 1598 @Test 1599 @AsbSecurityTest(cveBugId = 109678380) testStagefright_cve_2018_11287()1600 public void testStagefright_cve_2018_11287() throws Exception { 1601 doStagefrightTest(R.raw.cve_2018_11287, 180000); 1602 } 1603 1604 @Test 1605 @AsbSecurityTest(cveBugId = 129766125) testStagefright_cve_2019_2327()1606 public void testStagefright_cve_2019_2327() throws Exception { 1607 doStagefrightTest(R.raw.cve_2019_2327); 1608 } 1609 1610 @Test 1611 @AsbSecurityTest(cveBugId = 129766496) testStagefright_cve_2019_2322()1612 public void testStagefright_cve_2019_2322() throws Exception { 1613 doStagefrightTest(R.raw.cve_2019_2322); 1614 } 1615 1616 @Test 1617 @AsbSecurityTest(cveBugId = 129766099) testStagefright_cve_2019_2334()1618 public void testStagefright_cve_2019_2334() throws Exception { 1619 doStagefrightTest(R.raw.cve_2019_2334); 1620 } 1621 1622 @Test 1623 @AsbSecurityTest(cveBugId = 64380237) testStagefright_cve_2017_13204()1624 public void testStagefright_cve_2017_13204() throws Exception { 1625 int[] frameSizes = getFrameSizes(R.raw.cve_2017_13204_framelen); 1626 doStagefrightTestRawBlob(R.raw.cve_2017_13204_avc, "video/avc", 16, 16, frameSizes); 1627 } 1628 1629 @Test 1630 @AsbSecurityTest(cveBugId = 70221445) testStagefright_cve_2017_17773()1631 public void testStagefright_cve_2017_17773() throws Exception { 1632 doStagefrightTest(R.raw.cve_2017_17773); 1633 } 1634 1635 @Test 1636 @AsbSecurityTest(cveBugId = 68326816) testStagefright_cve_2017_18074()1637 public void testStagefright_cve_2017_18074() throws Exception { 1638 doStagefrightTest(R.raw.cve_2017_18074); 1639 } 1640 1641 @Test 1642 @AsbSecurityTest(cveBugId = 74236854) testStagefright_cve_2018_5894()1643 public void testStagefright_cve_2018_5894() throws Exception { 1644 doStagefrightTest(R.raw.cve_2018_5894); 1645 } 1646 1647 @Test 1648 @AsbSecurityTest(cveBugId = 77485139) testStagefright_cve_2018_5874()1649 public void testStagefright_cve_2018_5874() throws Exception { 1650 doStagefrightTest(R.raw.cve_2018_5874); 1651 } 1652 1653 @Test 1654 @AsbSecurityTest(cveBugId = 77485183) testStagefright_cve_2018_5875()1655 public void testStagefright_cve_2018_5875() throws Exception { 1656 doStagefrightTest(R.raw.cve_2018_5875); 1657 } 1658 1659 @Test 1660 @AsbSecurityTest(cveBugId = 77485022) testStagefright_cve_2018_5876()1661 public void testStagefright_cve_2018_5876() throws Exception { 1662 doStagefrightTest(R.raw.cve_2018_5876); 1663 } 1664 1665 @Test 1666 @AsbSecurityTest(cveBugId = 77483830) testStagefright_cve_2018_5882()1667 public void testStagefright_cve_2018_5882() throws Exception { 1668 doStagefrightTest(R.raw.cve_2018_5882); 1669 } 1670 1671 @Test 1672 @AsbSecurityTest(cveBugId = 65186291) testBug_65186291()1673 public void testBug_65186291() throws Exception { 1674 int[] frameSizes = getFrameSizes(R.raw.bug_65186291_framelen); 1675 doStagefrightTestRawBlob(R.raw.bug_65186291_hevc, "video/hevc", 1920, 1080, frameSizes); 1676 } 1677 1678 @Test 1679 @AsbSecurityTest(cveBugId = 67737022) testBug_67737022()1680 public void testBug_67737022() throws Exception { 1681 doStagefrightTest(R.raw.bug_67737022); 1682 } 1683 1684 @Test 1685 @AsbSecurityTest(cveBugId = 37093318) testStagefright_bug_37093318()1686 public void testStagefright_bug_37093318() throws Exception { 1687 doStagefrightTest(R.raw.bug_37093318, (4 * 60 * 1000)); 1688 } 1689 1690 @Test 1691 @AsbSecurityTest(cveBugId = 73172046) testStagefright_bug_73172046()1692 public void testStagefright_bug_73172046() throws Exception { 1693 doStagefrightTest(R.raw.bug_73172046); 1694 1695 Bitmap bitmap = BitmapFactory.decodeResource( 1696 getInstrumentation().getContext().getResources(), R.raw.bug_73172046); 1697 // OK if the decoding failed, but shouldn't cause crashes 1698 if (bitmap != null) { 1699 bitmap.recycle(); 1700 } 1701 } 1702 1703 @Test 1704 @AsbSecurityTest(cveBugId = 25765591) testStagefright_cve_2016_0824()1705 public void testStagefright_cve_2016_0824() throws Exception { 1706 doStagefrightTest(R.raw.cve_2016_0824); 1707 } 1708 1709 @Test 1710 @AsbSecurityTest(cveBugId = 26365349) testStagefright_cve_2016_0815()1711 public void testStagefright_cve_2016_0815() throws Exception { 1712 doStagefrightTest(R.raw.cve_2016_0815); 1713 } 1714 1715 @Test 1716 @AsbSecurityTest(cveBugId = 26221024) testStagefright_cve_2016_2454()1717 public void testStagefright_cve_2016_2454() throws Exception { 1718 doStagefrightTest(R.raw.cve_2016_2454); 1719 } 1720 1721 @Test 1722 @AsbSecurityTest(cveBugId = 31449945) testStagefright_cve_2016_6765()1723 public void testStagefright_cve_2016_6765() throws Exception { 1724 doStagefrightTest(R.raw.cve_2016_6765, new CrashUtils.Config().checkMinAddress(false)); 1725 } 1726 1727 @Test 1728 @AsbSecurityTest(cveBugId = 28799341) testStagefright_cve_2016_2508()1729 public void testStagefright_cve_2016_2508() throws Exception { 1730 doStagefrightTest(R.raw.cve_2016_2508, new CrashUtils.Config().checkMinAddress(false)); 1731 } 1732 1733 @Test 1734 @AsbSecurityTest(cveBugId = 31373622) testStagefright_cve_2016_6699()1735 public void testStagefright_cve_2016_6699() throws Exception { 1736 doStagefrightTest(R.raw.cve_2016_6699); 1737 } 1738 1739 @Test 1740 @AsbSecurityTest(cveBugId = 66734153) testStagefright_cve_2017_18155()1741 public void testStagefright_cve_2017_18155() throws Exception { 1742 doStagefrightTest(R.raw.cve_2017_18155); 1743 } 1744 1745 @Test 1746 @AsbSecurityTest(cveBugId = 77599438) testStagefright_cve_2018_9423()1747 public void testStagefright_cve_2018_9423() throws Exception { 1748 doStagefrightTest(R.raw.cve_2018_9423); 1749 } 1750 1751 @Test 1752 @AsbSecurityTest(cveBugId = 29770686) testStagefright_cve_2016_3879()1753 public void testStagefright_cve_2016_3879() throws Exception { 1754 doStagefrightTest(R.raw.cve_2016_3879, new CrashUtils.Config().checkMinAddress(false)); 1755 } 1756 1757 /*********************************************************** 1758 to prevent merge conflicts, add P tests below this comment, 1759 before any existing test methods 1760 ***********************************************************/ 1761 1762 @Test 1763 @AsbSecurityTest(cveBugId = 179039901) testStagefright_cve_2021_1910()1764 public void testStagefright_cve_2021_1910() throws Exception { 1765 doStagefrightTest(R.raw.cve_2021_1910); 1766 } 1767 1768 @Test 1769 @AsbSecurityTest(cveBugId = 175038625) testStagefright_cve_2020_11299()1770 public void testStagefright_cve_2020_11299() throws Exception { 1771 doStagefrightTest(R.raw.cve_2020_11299); 1772 } 1773 1774 @Test 1775 @AsbSecurityTest(cveBugId = 162756960) testStagefright_cve_2020_11196()1776 public void testStagefright_cve_2020_11196() throws Exception { 1777 doStagefrightTest(R.raw.cve_2020_11196); 1778 } 1779 1780 @Test 1781 @AsbSecurityTest(cveBugId = 112661641) testStagefright_cve_2018_9531()1782 public void testStagefright_cve_2018_9531() throws Exception { 1783 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1784 getInstrumentation().getContext().getPackageManager(), 1785 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1786 int[] frameSizes = getFrameSizes(R.raw.cve_2018_9531_framelen); 1787 CodecConfig codecConfig = new CodecConfig().setAudioParams(48000, 8); 1788 doStagefrightTestRawBlob(R.raw.cve_2018_9531_aac, "audio/mp4a-latm", codecConfig, 1789 frameSizes, new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, 1790 CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1791 } 1792 1793 @Test 1794 @AsbSecurityTest(cveBugId = 140322595) testStagefright_cve_2019_2222()1795 public void testStagefright_cve_2019_2222() throws Exception { 1796 // TODO(b/170987914): This also skips testing hw_codecs. 1797 // Update doStagefrightTestRawBlob to skip just the sw_codec test. 1798 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1799 getInstrumentation().getContext().getPackageManager(), 1800 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1801 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2222_framelen); 1802 doStagefrightTestRawBlob(R.raw.cve_2019_2222_hevc, "video/hevc", 320, 240, frameSizes); 1803 } 1804 doStagefrightTest(final int rid)1805 private void doStagefrightTest(final int rid) throws Exception { 1806 doStagefrightTest(rid, null); 1807 } 1808 1809 /*********************************************************** 1810 to prevent merge conflicts, add Q tests below this comment, 1811 before any existing test methods 1812 ***********************************************************/ 1813 @Test 1814 @AsbSecurityTest(cveBugId = 240971780) testStagefright_cve_2022_33234()1815 public void testStagefright_cve_2022_33234() throws Exception { 1816 doStagefrightTest(R.raw.cve_2022_33234); 1817 } 1818 1819 @Test 1820 @AsbSecurityTest(cveBugId = 235102508) testStagefright_cve_2022_25669()1821 public void testStagefright_cve_2022_25669() throws Exception { 1822 doStagefrightTest(R.raw.cve_2022_25669); 1823 } 1824 1825 @Test 1826 @AsbSecurityTest(cveBugId = 223209306) testStagefright_cve_2022_22085()1827 public void testStagefright_cve_2022_22085() throws Exception { 1828 doStagefrightTest(R.raw.cve_2022_22085); 1829 } 1830 1831 @Test 1832 @AsbSecurityTest(cveBugId = 223209816) testStagefright_cve_2022_22084()1833 public void testStagefright_cve_2022_22084() throws Exception { 1834 doStagefrightTest(R.raw.cve_2022_22084); 1835 } 1836 1837 @Test 1838 @AsbSecurityTest(cveBugId = 223211218) testStagefright_cve_2022_22086()1839 public void testStagefright_cve_2022_22086() throws Exception { 1840 doStagefrightTest(R.raw.cve_2022_22086); 1841 } 1842 1843 @Test 1844 @AsbSecurityTest(cveBugId = 228101819) testStagefright_cve_2022_25659()1845 public void testStagefright_cve_2022_25659() throws Exception { 1846 doStagefrightTest(R.raw.cve_2022_25659); 1847 } 1848 1849 @Test 1850 @AsbSecurityTest(cveBugId = 223210917) testStagefright_cve_2022_22083()1851 public void testStagefright_cve_2022_22083() throws Exception { 1852 doStagefrightTest(R.raw.cve_2022_22083); 1853 } 1854 1855 @Test 1856 @AsbSecurityTest(cveBugId = 223209610) testStagefright_cve_2022_22087()1857 public void testStagefright_cve_2022_22087() throws Exception { 1858 doStagefrightTest(R.raw.cve_2022_22087); 1859 } 1860 1861 @Test 1862 @AsbSecurityTest(cveBugId = 228101835) testStagefright_cve_2022_25657()1863 public void testStagefright_cve_2022_25657() throws Exception { 1864 doStagefrightTest(R.raw.cve_2022_25657); 1865 } 1866 1867 @Test 1868 @AsbSecurityTest(cveBugId = 231156126) testStagefright_cve_2022_22059()1869 public void testStagefright_cve_2022_22059() throws Exception { 1870 doStagefrightTest(R.raw.cve_2022_22059); 1871 } 1872 1873 @Test 1874 @AsbSecurityTest(cveBugId = 157906313) testStagefright_cve_2020_11135()1875 public void testStagefright_cve_2020_11135() throws Exception { 1876 doStagefrightTest(R.raw.cve_2020_11135); 1877 } 1878 1879 @Test 1880 @AsbSecurityTest(cveBugId = 136175447) testStagefright_cve_2019_2186()1881 public void testStagefright_cve_2019_2186() throws Exception { 1882 long end = System.currentTimeMillis() + 180000; // 3 minutes from now 1883 while (System.currentTimeMillis() < end) { 1884 doStagefrightTestRawBlob(R.raw.cve_2019_2186, "video/3gpp", 128, 96, 1885 new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, 1886 CrashUtils.SIGABRT)); 1887 } 1888 } 1889 1890 @Test 1891 @AsbSecurityTest(cveBugId = 140692129) testStagefright_cve_2019_2223()1892 public void testStagefright_cve_2019_2223() throws Exception { 1893 // TODO(b/170987914): This also skips testing hw_codecs. 1894 // Update doStagefrightTestRawBlob to skip just the sw_codec test. 1895 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1896 getInstrumentation().getContext().getPackageManager(), 1897 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1898 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2223_framelen); 1899 doStagefrightTestRawBlob(R.raw.cve_2019_2223_hevc, "video/hevc", 320, 240, frameSizes); 1900 } 1901 1902 @Test 1903 @AsbSecurityTest(cveBugId = 118399205) testStagefright_cve_2019_1989()1904 public void testStagefright_cve_2019_1989() throws Exception { 1905 Object obj[] = getFrameInfo(R.raw.cve_2019_1989_info); 1906 int[] isHeader = (int[])obj [0]; 1907 int[] frameSizes = (int[])obj [1]; 1908 doStagefrightTestRawBlob(R.raw.cve_2019_1989_h264, "video/avc", 1909 1920, 1080, frameSizes, isHeader, new CrashUtils.Config()); 1910 } 1911 doStagefrightTest(final int rid, CrashUtils.Config config)1912 private void doStagefrightTest(final int rid, CrashUtils.Config config) throws Exception { 1913 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1914 policy.setCleartextTrafficPermitted(true); 1915 doStagefrightTestMediaPlayer(rid, config); 1916 doStagefrightTestMediaCodec(rid, config); 1917 doStagefrightTestMediaMetadataRetriever(rid, config); 1918 1919 Context context = getInstrumentation().getContext(); 1920 CtsTestServer server = null; 1921 try { 1922 server = new CtsTestServer(context); 1923 } catch (BindException e) { 1924 // Instant Apps security policy does not allow 1925 // listening for incoming connections. 1926 // Server based tests cannot be run. 1927 return; 1928 } 1929 Resources resources = context.getResources(); 1930 String rname = resources.getResourceEntryName(rid); 1931 String url = server.getAssetUrl("raw/" + rname); 1932 verifyServer(rid, url); 1933 doStagefrightTestMediaPlayer(url, config); 1934 doStagefrightTestMediaCodec(url, config); 1935 doStagefrightTestMediaMetadataRetriever(url, config); 1936 policy.setCleartextTrafficPermitted(false); 1937 server.shutdown(); 1938 } 1939 1940 // verify that CtsTestServer is functional by retrieving the asset 1941 // and comparing it to the resource verifyServer(final int rid, final String uri)1942 private void verifyServer(final int rid, final String uri) throws Exception { 1943 Log.i(TAG, "checking server"); 1944 URL url = new URL(uri); 1945 InputStream in1 = new BufferedInputStream(url.openStream()); 1946 1947 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1948 .openRawResourceFd(rid); 1949 InputStream in2 = new BufferedInputStream(fd.createInputStream()); 1950 1951 while (true) { 1952 int b1 = in1.read(); 1953 int b2 = in2.read(); 1954 assertEquals("CtsTestServer fail", b1, b2); 1955 if (b1 < 0) { 1956 break; 1957 } 1958 } 1959 1960 in1.close(); 1961 in2.close(); 1962 Log.i(TAG, "checked server"); 1963 } 1964 doStagefrightTest(final int rid, int timeout)1965 private void doStagefrightTest(final int rid, int timeout) throws Exception { 1966 doStagefrightTest(rid, null, timeout); 1967 } 1968 doStagefrightTest( final int rid, CrashUtils.Config config, int timeout)1969 private void doStagefrightTest( 1970 final int rid, CrashUtils.Config config, int timeout) throws Exception { 1971 runWithTimeout(new Runnable() { 1972 @Override 1973 public void run() { 1974 try { 1975 doStagefrightTest(rid, config); 1976 } catch (Exception e) { 1977 fail(e.toString()); 1978 } 1979 } 1980 }, timeout); 1981 } 1982 doStagefrightTestANR(final int rid)1983 private void doStagefrightTestANR(final int rid) throws Exception { 1984 doStagefrightTestANR(rid, null); 1985 } 1986 doStagefrightTestANR( final int rid, CrashUtils.Config config)1987 private void doStagefrightTestANR( 1988 final int rid, CrashUtils.Config config) throws Exception { 1989 doStagefrightTestMediaPlayerANR(rid, null, config); 1990 } 1991 getCrashReport(String testname, long timeout)1992 public JSONArray getCrashReport(String testname, long timeout) 1993 throws InterruptedException { 1994 Log.i(TAG, CrashUtils.UPLOAD_REQUEST); 1995 File reportFile = new File(CrashUtils.DEVICE_PATH, testname); 1996 File lockFile = new File(CrashUtils.DEVICE_PATH, CrashUtils.LOCK_FILENAME); 1997 while ((!reportFile.exists() || !lockFile.exists()) && timeout > 0) { 1998 Thread.sleep(CHECK_INTERVAL); 1999 timeout -= CHECK_INTERVAL; 2000 } 2001 2002 if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) { 2003 Log.e(TAG, "couldn't get the report or lock file"); 2004 return null; 2005 } 2006 try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) { 2007 StringBuilder json = new StringBuilder(); 2008 String line = reader.readLine(); 2009 while (line != null) { 2010 json.append(line); 2011 line = reader.readLine(); 2012 } 2013 return new JSONArray(json.toString()); 2014 } catch (IOException | JSONException e) { 2015 Log.e(TAG, "Failed to deserialize crash list with error " + e.getMessage()); 2016 return null; 2017 } 2018 } 2019 2020 class MediaPlayerCrashListener 2021 implements MediaPlayer.OnErrorListener, 2022 MediaPlayer.OnPreparedListener, 2023 MediaPlayer.OnCompletionListener { 2024 2025 CrashUtils.Config config; 2026 2027 private final Pattern[] validProcessPatterns = { 2028 Pattern.compile("adsprpcd"), 2029 Pattern.compile("android\\.hardware\\.cas@\\d+?\\.\\d+?-service"), 2030 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service"), 2031 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.clearkey"), 2032 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.widevine"), 2033 Pattern.compile("omx@\\d+?\\.\\d+?-service"), // name:omx@1.0-service 2034 Pattern.compile("android\\.process\\.media"), 2035 Pattern.compile("mediadrmserver"), 2036 Pattern.compile("mediaextractor"), 2037 Pattern.compile("media\\.extractor"), 2038 Pattern.compile("media\\.metrics"), 2039 Pattern.compile("mediaserver"), 2040 Pattern.compile("media\\.codec"), 2041 Pattern.compile("media\\.swcodec"), 2042 Pattern.compile("\\[?sdcard\\]?"), // name:/system/bin/sdcard, user:media_rw 2043 // Match any vendor processes. 2044 // It should only catch crashes that happen during the test. 2045 Pattern.compile("vendor.*"), 2046 }; 2047 MediaPlayerCrashListener()2048 MediaPlayerCrashListener() { 2049 this(null); 2050 } 2051 MediaPlayerCrashListener(CrashUtils.Config config)2052 MediaPlayerCrashListener(CrashUtils.Config config) { 2053 if (config == null) { 2054 config = new CrashUtils.Config(); 2055 } 2056 // if a different process is needed for a test, it should be added to the main list. 2057 config.setProcessPatterns(validProcessPatterns); 2058 this.config = config; 2059 } 2060 2061 @Override onError(MediaPlayer mp, int newWhat, int extra)2062 public boolean onError(MediaPlayer mp, int newWhat, int extra) { 2063 Log.i(TAG, "error: " + newWhat + "/" + extra); 2064 // don't overwrite a more severe error with a less severe one 2065 if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 2066 what = newWhat; 2067 } 2068 2069 lock.lock(); 2070 errored = true; 2071 condition.signal(); 2072 lock.unlock(); 2073 2074 return true; // don't call oncompletion 2075 } 2076 2077 @Override onPrepared(MediaPlayer mp)2078 public void onPrepared(MediaPlayer mp) { 2079 mp.start(); 2080 } 2081 2082 @Override onCompletion(MediaPlayer mp)2083 public void onCompletion(MediaPlayer mp) { 2084 // preserve error condition, if any 2085 lock.lock(); 2086 completed = true; 2087 condition.signal(); 2088 lock.unlock(); 2089 } 2090 waitForError()2091 public int waitForError() throws InterruptedException { 2092 lock.lock(); 2093 if (!errored && !completed) { 2094 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 2095 Log.d(TAG, "timed out on waiting for error. " + 2096 "errored: " + errored + ", completed: " + completed); 2097 } 2098 } 2099 lock.unlock(); 2100 if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 2101 // Sometimes mediaserver signals a decoding error first, and *then* crashes 2102 // due to additional in-flight buffers being processed, so wait a little 2103 // and see if more errors show up. 2104 Log.e(TAG, "couldn't get media crash yet, waiting 1 second"); 2105 SystemClock.sleep(1000); 2106 JSONArray crashes = getCrashReport(name.getMethodName(), 5000); 2107 if (crashes == null) { 2108 Log.e(TAG, "Crash results not found for test " + name.getMethodName()); 2109 return what; 2110 } else if (CrashUtils.securityCrashDetected(crashes, config)) { 2111 return what; 2112 } else { 2113 Log.i(TAG, "Crash ignored due to no security crash found for test " + 2114 name.getMethodName()); 2115 // 0 is the code for no error. 2116 return 0; 2117 } 2118 } 2119 Log.d(TAG, "waitForError finished with no errors."); 2120 return what; 2121 } 2122 waitForErrorOrCompletion()2123 public boolean waitForErrorOrCompletion() throws InterruptedException { 2124 lock.lock(); 2125 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 2126 Log.d(TAG, "timed out on waiting for error or completion"); 2127 } 2128 lock.unlock(); 2129 return (what != 0 && what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) || completed; 2130 } 2131 2132 ReentrantLock lock = new ReentrantLock(); 2133 Condition condition = lock.newCondition(); 2134 int what; 2135 boolean completed = false; 2136 boolean errored = false; 2137 } 2138 2139 class LooperThread extends Thread { 2140 private Looper mLooper; 2141 LooperThread(Runnable runner)2142 LooperThread(Runnable runner) { 2143 super(runner); 2144 } 2145 2146 @Override run()2147 public void run() { 2148 Looper.prepare(); 2149 mLooper = Looper.myLooper(); 2150 super.run(); 2151 } 2152 stopLooper()2153 public void stopLooper() { 2154 mLooper.quitSafely(); 2155 } 2156 } 2157 doStagefrightTestMediaPlayer(final int rid)2158 private void doStagefrightTestMediaPlayer(final int rid) throws Exception { 2159 doStagefrightTestMediaPlayer(rid, null, null); 2160 } 2161 doStagefrightTestMediaPlayer( final int rid, CrashUtils.Config config)2162 private void doStagefrightTestMediaPlayer( 2163 final int rid, CrashUtils.Config config) throws Exception { 2164 doStagefrightTestMediaPlayer(rid, null, config); 2165 } 2166 doStagefrightTestMediaPlayer(final String url)2167 private void doStagefrightTestMediaPlayer(final String url) throws Exception { 2168 doStagefrightTestMediaPlayer(url, null); 2169 } 2170 doStagefrightTestMediaPlayer( final String url, CrashUtils.Config config)2171 private void doStagefrightTestMediaPlayer( 2172 final String url, CrashUtils.Config config) throws Exception { 2173 doStagefrightTestMediaPlayer(-1, url, config); 2174 } 2175 closeQuietly(AutoCloseable closeable)2176 private void closeQuietly(AutoCloseable closeable) { 2177 if (closeable != null) { 2178 try { 2179 closeable.close(); 2180 } catch (RuntimeException rethrown) { 2181 throw rethrown; 2182 } catch (Exception ignored) { 2183 } 2184 } 2185 } 2186 doStagefrightTestMediaPlayer(final int rid, final String uri)2187 private void doStagefrightTestMediaPlayer(final int rid, final String uri) throws Exception { 2188 doStagefrightTestMediaPlayer(rid, uri, null); 2189 } 2190 doStagefrightTestMediaPlayer(final int rid, final String uri, CrashUtils.Config config)2191 private void doStagefrightTestMediaPlayer(final int rid, final String uri, 2192 CrashUtils.Config config) throws Exception { 2193 2194 String name = uri != null ? uri : 2195 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2196 Log.i(TAG, "start mediaplayer test for: " + name); 2197 2198 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2199 2200 LooperThread t = new LooperThread(new Runnable() { 2201 @Override 2202 public void run() { 2203 2204 MediaPlayer mp = new MediaPlayer(); 2205 mp.setOnErrorListener(mpcl); 2206 mp.setOnPreparedListener(mpcl); 2207 mp.setOnCompletionListener(mpcl); 2208 RenderTarget renderTarget = RenderTarget.create(); 2209 Surface surface = renderTarget.getSurface(); 2210 mp.setSurface(surface); 2211 AssetFileDescriptor fd = null; 2212 try { 2213 if (uri == null) { 2214 fd = getInstrumentation().getContext().getResources() 2215 .openRawResourceFd(rid); 2216 2217 mp.setDataSource(fd.getFileDescriptor(), 2218 fd.getStartOffset(), 2219 fd.getLength()); 2220 2221 } else { 2222 mp.setDataSource(uri); 2223 } 2224 mp.prepareAsync(); 2225 } catch (Exception e) { 2226 } finally { 2227 closeQuietly(fd); 2228 } 2229 2230 Looper.loop(); 2231 mp.release(); 2232 renderTarget.destroy(); 2233 } 2234 }); 2235 2236 t.start(); 2237 assertNotEquals("MediaPlayer encountered a security crash when testing MediaPlayer.", 2238 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2239 t.stopLooper(); 2240 t.join(); // wait for thread to exit so we're sure the player was released 2241 } 2242 2243 /* 2244 * b/135207745 2245 */ 2246 @Test 2247 @AsbSecurityTest(cveBugId = 124781927) testStagefright_cve_2019_2129()2248 public void testStagefright_cve_2019_2129() throws Exception { 2249 final int rid = R.raw.cve_2019_2129; 2250 String name = getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2251 Log.i(TAG, "start mediaplayer test for: " + name); 2252 2253 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener() { 2254 @Override 2255 public void onPrepared(MediaPlayer mp) { 2256 super.onPrepared(mp); 2257 mp.setLooping(true); 2258 } 2259 }; 2260 2261 LooperThread t = new LooperThread(new Runnable() { 2262 @Override 2263 public void run() { 2264 MediaPlayer mp = new MediaPlayer(); 2265 mp.setOnErrorListener(mpcl); 2266 mp.setOnPreparedListener(mpcl); 2267 mp.setOnCompletionListener(mpcl); 2268 RenderTarget renderTarget = RenderTarget.create(); 2269 Surface surface = renderTarget.getSurface(); 2270 mp.setSurface(surface); 2271 AssetFileDescriptor fd = null; 2272 try { 2273 fd = getInstrumentation().getContext().getResources().openRawResourceFd(rid); 2274 mp.setOnTimedTextListener(new MediaPlayer.OnTimedTextListener() { 2275 @Override 2276 public void onTimedText(MediaPlayer p, TimedText text) { 2277 if (text != null) { 2278 Log.d(TAG, "text = " + text.getText()); 2279 } 2280 } 2281 }); 2282 mp.setDataSource(fd.getFileDescriptor(), 2283 fd.getStartOffset(), 2284 fd.getLength()); 2285 // keep the original as in poc by not using prepareAsync 2286 mp.prepare(); 2287 mp.selectTrack(2); 2288 } catch (Exception e) { 2289 Log.e(TAG, "Exception is caught " + e.getMessage()); 2290 e.printStackTrace(); 2291 } finally { 2292 closeQuietly(fd); 2293 } 2294 2295 try { 2296 // here to catch & swallow the runtime crash in exception 2297 // after the place where original poc failed in 2298 // java.lang.IllegalArgumentException: parseParcel() 2299 // which is beyond test control. 2300 Looper.loop(); 2301 } catch (RuntimeException e) { 2302 Log.e(TAG, "Exception is caught on Looper.loop() " + e.getMessage()); 2303 e.printStackTrace(); 2304 } 2305 mp.release(); 2306 renderTarget.destroy(); 2307 } 2308 }); 2309 2310 t.start(); 2311 assertNotEquals("MediaPlayer encountered a security crash when testing CVE-2019-2129.", 2312 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2313 t.stopLooper(); 2314 t.join(); // wait for thread to exit so we're sure the player was released 2315 } 2316 doStagefrightTestMediaCodec(final int rid)2317 private void doStagefrightTestMediaCodec(final int rid) throws Exception { 2318 doStagefrightTestMediaCodec(rid, null, null); 2319 } 2320 doStagefrightTestMediaCodec( final int rid, CrashUtils.Config config)2321 private void doStagefrightTestMediaCodec( 2322 final int rid, CrashUtils.Config config) throws Exception { 2323 doStagefrightTestMediaCodec(rid, null, config); 2324 } 2325 doStagefrightTestMediaCodec(final String url)2326 private void doStagefrightTestMediaCodec(final String url) throws Exception { 2327 doStagefrightTestMediaCodec(url, null); 2328 } 2329 doStagefrightTestMediaCodec( final String url, CrashUtils.Config config)2330 private void doStagefrightTestMediaCodec( 2331 final String url, CrashUtils.Config config) throws Exception { 2332 doStagefrightTestMediaCodec(-1, url, config); 2333 } 2334 doStagefrightTestMediaCodec(final int rid, final String url)2335 private void doStagefrightTestMediaCodec(final int rid, final String url) throws Exception { 2336 doStagefrightTestMediaCodec(rid, url, null); 2337 } 2338 doStagefrightTestMediaCodec( final int rid, final String url, CrashUtils.Config config)2339 private void doStagefrightTestMediaCodec( 2340 final int rid, final String url, CrashUtils.Config config) throws Exception { 2341 2342 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2343 2344 LooperThread thr = new LooperThread(new Runnable() { 2345 @Override 2346 public void run() { 2347 2348 MediaPlayer mp = new MediaPlayer(); 2349 mp.setOnErrorListener(mpcl); 2350 try { 2351 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 2352 .openRawResourceFd(R.raw.good); 2353 2354 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2355 // setDataSource has been called 2356 mp.setDataSource(fd.getFileDescriptor(), 2357 fd.getStartOffset(), 2358 fd.getLength()); 2359 fd.close(); 2360 } catch (Exception e) { 2361 // this is a known-good file, so no failure should occur 2362 fail("setDataSource of known-good file failed"); 2363 } 2364 2365 synchronized(mpcl) { 2366 mpcl.notify(); 2367 } 2368 Looper.loop(); 2369 mp.release(); 2370 } 2371 }); 2372 thr.start(); 2373 // wait until the thread has initialized the MediaPlayer 2374 synchronized(mpcl) { 2375 mpcl.wait(); 2376 } 2377 2378 Resources resources = getInstrumentation().getContext().getResources(); 2379 MediaExtractor ex = new MediaExtractor(); 2380 if (url == null) { 2381 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2382 try { 2383 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2384 } catch (IOException e) { 2385 // ignore 2386 } finally { 2387 closeQuietly(fd); 2388 } 2389 } else { 2390 try { 2391 ex.setDataSource(url); 2392 } catch (Exception e) { 2393 // indicative of problems with our tame CTS test web server 2394 } 2395 } 2396 int numtracks = ex.getTrackCount(); 2397 String rname = url != null ? url: resources.getResourceEntryName(rid); 2398 Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks"); 2399 for (int t = 0; t < numtracks; t++) { 2400 // find all the available decoders for this format 2401 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2402 MediaFormat format = null; 2403 try { 2404 format = ex.getTrackFormat(t); 2405 } catch (IllegalArgumentException e) { 2406 Log.e(TAG, "could not get track format for track " + t); 2407 continue; 2408 } 2409 String mime = format.getString(MediaFormat.KEY_MIME); 2410 int numCodecs = MediaCodecList.getCodecCount(); 2411 for (int i = 0; i < numCodecs; i++) { 2412 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2413 if (info.isEncoder()) { 2414 continue; 2415 } 2416 try { 2417 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2418 if (caps != null) { 2419 /* Add mainline skip to decoders in mainline module */ 2420 if (isCodecInMainlineModule(info.getName())) { 2421 Log.i(TAG, "Skipping codec " + info.getName() + 2422 " as it is part of mainline"); 2423 continue; 2424 } 2425 if (info.isAlias()) { 2426 Log.i(TAG, "Skipping codec " + info.getName() + " as it is an alias"); 2427 continue; 2428 } 2429 matchingCodecs.add(info.getName()); 2430 Log.i(TAG, "Found matching codec " + info.getName() + " for track " + t); 2431 } 2432 } catch (IllegalArgumentException e) { 2433 // type is not supported 2434 } 2435 } 2436 2437 if (matchingCodecs.size() == 0) { 2438 Log.w(TAG, "no codecs for track " + t + ", type " + mime); 2439 } 2440 // decode this track once with each matching codec 2441 try { 2442 ex.selectTrack(t); 2443 } catch (IllegalArgumentException e) { 2444 Log.w(TAG, "couldn't select track " + t); 2445 // continue on with codec initialization anyway, since that might still crash 2446 } 2447 for (String codecName: matchingCodecs) { 2448 Log.i(TAG, "Decoding track " + t + " using codec " + codecName); 2449 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 2450 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2451 RenderTarget renderTarget = RenderTarget.create(); 2452 Surface surface = null; 2453 if (mime.startsWith("video/")) { 2454 surface = renderTarget.getSurface(); 2455 } 2456 try { 2457 codec.configure(format, surface, null, 0); 2458 codec.start(); 2459 } catch (Exception e) { 2460 Log.i(TAG, "Failed to start/configure:", e); 2461 } 2462 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2463 try { 2464 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2465 long startTime = System.nanoTime(); 2466 while (System.nanoTime() - startTime < TIMEOUT_NS) { 2467 int flags = ex.getSampleFlags(); 2468 long time = ex.getSampleTime(); 2469 ex.getCachedDuration(); 2470 int bufidx = codec.dequeueInputBuffer(5000); 2471 if (bufidx >= 0) { 2472 int n = ex.readSampleData(inputBuffers[bufidx], 0); 2473 if (n < 0) { 2474 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2475 time = 0; 2476 n = 0; 2477 } 2478 codec.queueInputBuffer(bufidx, 0, n, time, flags); 2479 ex.advance(); 2480 } 2481 int status = codec.dequeueOutputBuffer(info, 5000); 2482 if (status >= 0) { 2483 if ((info.flags & MediaCodec.BUFFER_FLAG_END_OF_STREAM) != 0) { 2484 break; 2485 } 2486 if (info.presentationTimeUs > TIMEOUT_NS / 1000) { 2487 Log.d(TAG, "stopping after 10 seconds worth of data"); 2488 break; 2489 } 2490 codec.releaseOutputBuffer(status, true); 2491 } 2492 } 2493 } catch (Exception e) { 2494 // local exceptions ignored, not security issues 2495 } finally { 2496 try { 2497 codec.stop(); 2498 } catch (Exception e) { 2499 // local exceptions ignored, not security issues 2500 } 2501 codec.release(); 2502 renderTarget.destroy(); 2503 } 2504 } 2505 try { 2506 ex.unselectTrack(t); 2507 } catch (IllegalArgumentException e) { 2508 // since we're just cleaning up, we don't care if it fails 2509 } 2510 } 2511 ex.release(); 2512 assertNotEquals("MediaPlayer encountered a security crash when testing media codecs.", 2513 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2514 thr.stopLooper(); 2515 thr.join(); 2516 } 2517 doStagefrightTestMediaMetadataRetriever(final int rid)2518 private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception { 2519 doStagefrightTestMediaMetadataRetriever(rid, null, null); 2520 } doStagefrightTestMediaMetadataRetriever( final int rid, CrashUtils.Config config)2521 private void doStagefrightTestMediaMetadataRetriever( 2522 final int rid, CrashUtils.Config config) throws Exception { 2523 doStagefrightTestMediaMetadataRetriever(rid, null, config); 2524 } 2525 doStagefrightTestMediaMetadataRetriever(final String url)2526 private void doStagefrightTestMediaMetadataRetriever(final String url) throws Exception { 2527 doStagefrightTestMediaMetadataRetriever(url, null); 2528 } 2529 doStagefrightTestMediaMetadataRetriever( final String url, CrashUtils.Config config)2530 private void doStagefrightTestMediaMetadataRetriever( 2531 final String url, CrashUtils.Config config) throws Exception { 2532 doStagefrightTestMediaMetadataRetriever(-1, url, config); 2533 } 2534 doStagefrightTestMediaMetadataRetriever( final int rid, final String url)2535 private void doStagefrightTestMediaMetadataRetriever( 2536 final int rid, final String url) throws Exception { 2537 doStagefrightTestMediaMetadataRetriever(rid, url, null); 2538 } 2539 doStagefrightTestMediaMetadataRetriever( final int rid, final String url, CrashUtils.Config config)2540 private void doStagefrightTestMediaMetadataRetriever( 2541 final int rid, final String url, CrashUtils.Config config) throws Exception { 2542 2543 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2544 2545 LooperThread thr = new LooperThread(new Runnable() { 2546 @Override 2547 public void run() { 2548 2549 MediaPlayer mp = new MediaPlayer(); 2550 mp.setOnErrorListener(mpcl); 2551 AssetFileDescriptor fd = null; 2552 try { 2553 fd = getInstrumentation().getContext().getResources() 2554 .openRawResourceFd(R.raw.good); 2555 2556 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2557 // setDataSource has been called 2558 mp.setDataSource(fd.getFileDescriptor(), 2559 fd.getStartOffset(), 2560 fd.getLength()); 2561 fd.close(); 2562 } catch (Exception e) { 2563 // this is a known-good file, so no failure should occur 2564 fail("setDataSource of known-good file failed"); 2565 } 2566 2567 synchronized(mpcl) { 2568 mpcl.notify(); 2569 } 2570 Looper.loop(); 2571 mp.release(); 2572 } 2573 }); 2574 thr.start(); 2575 // wait until the thread has initialized the MediaPlayer 2576 synchronized(mpcl) { 2577 mpcl.wait(); 2578 } 2579 2580 Resources resources = getInstrumentation().getContext().getResources(); 2581 MediaMetadataRetriever retriever = new MediaMetadataRetriever(); 2582 if (url == null) { 2583 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2584 try { 2585 retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2586 } catch (Exception e) { 2587 // ignore 2588 } finally { 2589 closeQuietly(fd); 2590 } 2591 } else { 2592 try { 2593 retriever.setDataSource(url, new HashMap<String, String>()); 2594 } catch (Exception e) { 2595 // indicative of problems with our tame CTS test web server 2596 } 2597 } 2598 retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION); 2599 retriever.getEmbeddedPicture(); 2600 retriever.getFrameAtTime(); 2601 2602 retriever.release(); 2603 String rname = url != null ? url : resources.getResourceEntryName(rid); 2604 assertNotEquals("MediaPlayer encountered a security crash when retrieving media metadata.", 2605 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2606 thr.stopLooper(); 2607 thr.join(); 2608 } 2609 2610 @Test 2611 @AsbSecurityTest(cveBugId = 36215950) testBug36215950()2612 public void testBug36215950() throws Exception { 2613 doStagefrightTestRawBlob(R.raw.bug_36215950, "video/hevc", 320, 240); 2614 } 2615 2616 @Test 2617 @AsbSecurityTest(cveBugId = 36816007) testBug36816007()2618 public void testBug36816007() throws Exception { 2619 doStagefrightTestRawBlob(R.raw.bug_36816007, "video/avc", 320, 240, 2620 new CrashUtils.Config().checkMinAddress(false)); 2621 } 2622 2623 @Test 2624 @AsbSecurityTest(cveBugId = 36895511) testBug36895511()2625 public void testBug36895511() throws Exception { 2626 doStagefrightTestRawBlob(R.raw.bug_36895511, "video/hevc", 320, 240, 2627 new CrashUtils.Config().checkMinAddress(false)); 2628 } 2629 2630 @Test 2631 @AsbSecurityTest(cveBugId = 64836894) testBug64836894()2632 public void testBug64836894() throws Exception { 2633 doStagefrightTestRawBlob(R.raw.bug_64836894, "video/avc", 320, 240); 2634 } 2635 2636 @Test 2637 @AsbSecurityTest(cveBugId = 35583675) testCve_2017_0687()2638 public void testCve_2017_0687() throws Exception { 2639 doStagefrightTestRawBlob(R.raw.cve_2017_0687, "video/avc", 320, 240); 2640 } 2641 2642 @Test 2643 @AsbSecurityTest(cveBugId = 37207120) testCve_2017_0696()2644 public void testCve_2017_0696() throws Exception { 2645 doStagefrightTestRawBlob(R.raw.cve_2017_0696, "video/avc", 320, 240); 2646 } 2647 2648 @Test 2649 @AsbSecurityTest(cveBugId = 37930177) testBug_37930177()2650 public void testBug_37930177() throws Exception { 2651 doStagefrightTestRawBlob(R.raw.bug_37930177_hevc, "video/hevc", 320, 240); 2652 } 2653 2654 @Test 2655 @AsbSecurityTest(cveBugId = 37712181) testBug_37712181()2656 public void testBug_37712181() throws Exception { 2657 doStagefrightTestRawBlob(R.raw.bug_37712181_hevc, "video/hevc", 320, 240); 2658 } 2659 2660 @Test 2661 @AsbSecurityTest(cveBugId = 70897394) testBug_70897394()2662 public void testBug_70897394() throws Exception { 2663 doStagefrightTestRawBlob(R.raw.bug_70897394_avc, "video/avc", 320, 240, 2664 new CrashUtils.Config().checkMinAddress(false)); 2665 } 2666 2667 @Test 2668 @AsbSecurityTest(cveBugId = 123700383) testBug_123700383()2669 public void testBug_123700383() throws Exception { 2670 assertExtractorDoesNotHang(R.raw.bug_123700383); 2671 } 2672 2673 @Test 2674 @AsbSecurityTest(cveBugId = 127310810) testBug_127310810()2675 public void testBug_127310810() throws Exception { 2676 assertExtractorDoesNotHang(R.raw.bug_127310810); 2677 } 2678 2679 @Test 2680 @AsbSecurityTest(cveBugId = 127312550) testBug_127312550()2681 public void testBug_127312550() throws Exception { 2682 assertExtractorDoesNotHang(R.raw.bug_127312550); 2683 } 2684 2685 @Test 2686 @AsbSecurityTest(cveBugId = 127313223) testBug_127313223()2687 public void testBug_127313223() throws Exception { 2688 assertExtractorDoesNotHang(R.raw.bug_127313223); 2689 } 2690 2691 @Test 2692 @AsbSecurityTest(cveBugId = 127313537) testBug_127313537()2693 public void testBug_127313537() throws Exception { 2694 assertExtractorDoesNotHang(R.raw.bug_127313537); 2695 } 2696 2697 @Test 2698 @AsbSecurityTest(cveBugId = 127313764) testBug_127313764()2699 public void testBug_127313764() throws Exception { 2700 assertExtractorDoesNotHang(R.raw.bug_127313764); 2701 } 2702 2703 @Test 2704 @AsbSecurityTest(cveBugId = 189402477) testStagefright_cve_2021_0635()2705 public void testStagefright_cve_2021_0635() throws Exception { 2706 doStagefrightTest(R.raw.cve_2021_0635_1); 2707 doStagefrightTest(R.raw.cve_2021_0635_2); 2708 } 2709 getFrameSizes(int rid)2710 private int[] getFrameSizes(int rid) throws IOException { 2711 final Context context = getInstrumentation().getContext(); 2712 final Resources resources = context.getResources(); 2713 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2714 FileInputStream fis = fd.createInputStream(); 2715 byte[] frameInfo = new byte[(int) fd.getLength()]; 2716 fis.read(frameInfo); 2717 fis.close(); 2718 String[] valueStr = new String(frameInfo).trim().split("\\s+"); 2719 int[] frameSizes = new int[valueStr.length]; 2720 for (int i = 0; i < valueStr.length; i++) 2721 frameSizes[i] = Integer.parseInt(valueStr[i]); 2722 return frameSizes; 2723 } 2724 getFrameInfo(int rid)2725 private Object[] getFrameInfo(int rid) throws IOException { 2726 final Context context = getInstrumentation().getContext(); 2727 final Resources resources = context.getResources(); 2728 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2729 FileInputStream fis = fd.createInputStream(); 2730 byte[] frameInfo = new byte[(int) fd.getLength()]; 2731 fis.read(frameInfo); 2732 fis.close(); 2733 String[] lines = new String(frameInfo).trim().split("\\r?\\n"); 2734 int isHeader[] = new int[lines.length]; 2735 int frameSizes[] = new int[lines.length]; 2736 for (int i = 0; i < lines.length; i++) { 2737 String[] values = lines[i].trim().split("\\s+"); 2738 isHeader[i] = Integer.parseInt(values[0]); 2739 frameSizes[i] = Integer.parseInt(values[1]); 2740 } 2741 return new Object[] {isHeader, frameSizes}; 2742 } 2743 runWithTimeout(Runnable runner, int timeout)2744 private void runWithTimeout(Runnable runner, int timeout) { 2745 Thread t = new Thread(runner); 2746 t.start(); 2747 try { 2748 t.join(timeout); 2749 } catch (InterruptedException e) { 2750 fail("operation was interrupted"); 2751 } 2752 assumeThat("operation not completed within timeout of " + timeout + "ms", t.isAlive(), 2753 is(false)); 2754 } 2755 releaseCodec(final MediaCodec codec)2756 private void releaseCodec(final MediaCodec codec) { 2757 runWithTimeout(new Runnable() { 2758 @Override 2759 public void run() { 2760 codec.release(); 2761 } 2762 }, 5000); 2763 } 2764 isCodecInMainlineModule(String codecName)2765 private boolean isCodecInMainlineModule(String codecName) { 2766 boolean value = false; 2767 if (codecName.startsWith("c2.android.")) { 2768 try { 2769 value = ModuleDetector.moduleIsPlayManaged( 2770 getInstrumentation().getContext().getPackageManager(), 2771 MainlineModule.MEDIA_SOFTWARE_CODEC); 2772 } catch (Exception e) { 2773 Log.e(TAG, "Exception caught " + e.toString()); 2774 } 2775 } 2776 return value; 2777 } 2778 doStagefrightTestRawBlob( int rid, String mime, int initWidth, int initHeight)2779 private void doStagefrightTestRawBlob( 2780 int rid, String mime, int initWidth, int initHeight) throws Exception { 2781 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, new CrashUtils.Config()); 2782 } 2783 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, CrashUtils.Config config)2784 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2785 CrashUtils.Config config) throws Exception { 2786 2787 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2788 final Context context = getInstrumentation().getContext(); 2789 final Resources resources = context.getResources(); 2790 2791 LooperThread thr = new LooperThread(new Runnable() { 2792 @Override 2793 public void run() { 2794 2795 MediaPlayer mp = new MediaPlayer(); 2796 mp.setOnErrorListener(mpcl); 2797 AssetFileDescriptor fd = null; 2798 try { 2799 fd = resources.openRawResourceFd(R.raw.good); 2800 2801 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2802 // setDataSource has been called 2803 mp.setDataSource(fd.getFileDescriptor(), 2804 fd.getStartOffset(), 2805 fd.getLength()); 2806 fd.close(); 2807 } catch (Exception e) { 2808 // this is a known-good file, so no failure should occur 2809 fail("setDataSource of known-good file failed"); 2810 } 2811 2812 synchronized(mpcl) { 2813 mpcl.notify(); 2814 } 2815 Looper.loop(); 2816 mp.release(); 2817 } 2818 }); 2819 thr.start(); 2820 // wait until the thread has initialized the MediaPlayer 2821 synchronized(mpcl) { 2822 mpcl.wait(); 2823 } 2824 2825 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2826 byte [] blob = new byte[(int)fd.getLength()]; 2827 FileInputStream fis = fd.createInputStream(); 2828 int numRead = fis.read(blob); 2829 fis.close(); 2830 2831 // find all the available decoders for this format 2832 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2833 int numCodecs = MediaCodecList.getCodecCount(); 2834 for (int i = 0; i < numCodecs; i++) { 2835 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2836 if (info.isEncoder()) { 2837 continue; 2838 } 2839 try { 2840 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2841 if (caps != null) { 2842 /* Add mainline skip to decoders in mainline module */ 2843 if (isCodecInMainlineModule(info.getName())) { 2844 Log.i(TAG, "Skipping codec " + info.getName() + 2845 " as it is part of mainline"); 2846 continue; 2847 } 2848 if (info.isAlias()) { 2849 Log.i(TAG, "Skipping codec " + info.getName() + " as it is an alias"); 2850 continue; 2851 } 2852 matchingCodecs.add(info.getName()); 2853 } 2854 } catch (IllegalArgumentException e) { 2855 // type is not supported 2856 } 2857 } 2858 2859 if (matchingCodecs.size() == 0) { 2860 Log.w(TAG, "no codecs for mime type " + mime); 2861 } 2862 String rname = resources.getResourceEntryName(rid); 2863 // decode this blob once with each matching codec 2864 for (String codecName: matchingCodecs) { 2865 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2866 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2867 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 2868 try { 2869 codec.configure(format, null, null, 0); 2870 codec.start(); 2871 } catch (Exception e) { 2872 Log.i(TAG, "Exception from codec " + codecName); 2873 releaseCodec(codec); 2874 continue; 2875 } 2876 2877 try { 2878 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2879 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2880 // enqueue the bad data a number of times, in case 2881 // the codec needs multiple buffers to fail. 2882 for(int i = 0; i < 64; i++) { 2883 int bufidx = codec.dequeueInputBuffer(5000); 2884 if (bufidx >= 0) { 2885 Log.i(TAG, "got input buffer of size " + inputBuffers[bufidx].capacity()); 2886 inputBuffers[bufidx].rewind(); 2887 inputBuffers[bufidx].put(blob, 0, numRead); 2888 codec.queueInputBuffer(bufidx, 0, numRead, 0, 0); 2889 } else { 2890 Log.i(TAG, "no input buffer"); 2891 } 2892 bufidx = codec.dequeueOutputBuffer(info, 5000); 2893 if (bufidx >= 0) { 2894 Log.i(TAG, "got output buffer"); 2895 codec.releaseOutputBuffer(bufidx, false); 2896 } else { 2897 Log.i(TAG, "no output buffer"); 2898 } 2899 } 2900 } catch (Exception e) { 2901 // ignore, not a security issue 2902 } finally { 2903 releaseCodec(codec); 2904 } 2905 } 2906 2907 assertNotEquals("MediaPlayer encountered a security crash when testing raw blobs.", 2908 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 2909 thr.stopLooper(); 2910 thr.join(); 2911 } 2912 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[])2913 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2914 int frameSizes[]) throws Exception { 2915 // check crash address by default 2916 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, frameSizes, new CrashUtils.Config()); 2917 } 2918 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], CrashUtils.Config config)2919 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2920 int frameSizes[], CrashUtils.Config config) throws Exception { 2921 CodecConfig codecConfig = new CodecConfig().setVideoParams(initWidth, initHeight); 2922 doStagefrightTestRawBlob(rid, mime, codecConfig, frameSizes, config); 2923 } 2924 doStagefrightTestRawBlob(int rid, String mime, CodecConfig codecConfig, int frameSizes[], CrashUtils.Config config)2925 private void doStagefrightTestRawBlob(int rid, String mime, CodecConfig codecConfig, 2926 int frameSizes[], CrashUtils.Config config) throws Exception { 2927 2928 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2929 final Context context = getInstrumentation().getContext(); 2930 final Resources resources = context.getResources(); 2931 2932 LooperThread thr = new LooperThread(new Runnable() { 2933 @Override 2934 public void run() { 2935 2936 MediaPlayer mp = new MediaPlayer(); 2937 mp.setOnErrorListener(mpcl); 2938 AssetFileDescriptor fd = null; 2939 try { 2940 fd = resources.openRawResourceFd(R.raw.good); 2941 2942 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2943 // setDataSource has been called 2944 mp.setDataSource(fd.getFileDescriptor(), 2945 fd.getStartOffset(), 2946 fd.getLength()); 2947 fd.close(); 2948 } catch (Exception e) { 2949 // this is a known-good file, so no failure should occur 2950 fail("setDataSource of known-good file failed"); 2951 } 2952 2953 synchronized(mpcl) { 2954 mpcl.notify(); 2955 } 2956 Looper.loop(); 2957 mp.release(); 2958 } 2959 }); 2960 thr.start(); 2961 // wait until the thread has initialized the MediaPlayer 2962 synchronized(mpcl) { 2963 mpcl.wait(); 2964 } 2965 2966 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2967 byte [] blob = new byte[(int)fd.getLength()]; 2968 FileInputStream fis = fd.createInputStream(); 2969 int numRead = fis.read(blob); 2970 fis.close(); 2971 2972 // find all the available decoders for this format 2973 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2974 int numCodecs = MediaCodecList.getCodecCount(); 2975 for (int i = 0; i < numCodecs; i++) { 2976 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2977 if (info.isEncoder()) { 2978 continue; 2979 } 2980 try { 2981 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2982 if (caps != null) { 2983 /* Add mainline skip to decoders in mainline module */ 2984 if (isCodecInMainlineModule(info.getName())) { 2985 Log.i(TAG, "Skipping codec " + info.getName() + 2986 " as it is part of mainline"); 2987 continue; 2988 } 2989 if (info.isAlias()) { 2990 Log.i(TAG, "Skipping codec " + info.getName() + " as it is an alias"); 2991 continue; 2992 } 2993 matchingCodecs.add(info.getName()); 2994 } 2995 } catch (IllegalArgumentException e) { 2996 // type is not supported 2997 } 2998 } 2999 3000 if (matchingCodecs.size() == 0) { 3001 Log.w(TAG, "no codecs for mime type " + mime); 3002 } 3003 String rname = resources.getResourceEntryName(rid); 3004 // decode this blob once with each matching codec 3005 for (String codecName: matchingCodecs) { 3006 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 3007 MediaCodec codec = MediaCodec.createByCodecName(codecName); 3008 MediaFormat format; 3009 if (codecConfig.isAudio) { 3010 format = MediaFormat.createAudioFormat(mime, codecConfig.sampleRate, 3011 codecConfig.channelCount); 3012 } else { 3013 format = MediaFormat.createVideoFormat(mime, codecConfig.initWidth, 3014 codecConfig.initHeight); 3015 } 3016 try { 3017 codec.configure(format, null, null, 0); 3018 codec.start(); 3019 } catch (Exception e) { 3020 Log.i(TAG, "Exception from codec " + codecName); 3021 releaseCodec(codec); 3022 continue; 3023 } 3024 3025 try { 3026 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 3027 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 3028 int numFrames = 0; 3029 if (frameSizes != null) { 3030 numFrames = frameSizes.length; 3031 } 3032 3033 if (0 == numFrames) { 3034 fail("Improper picture length file"); 3035 } 3036 3037 int offset = 0; 3038 int bytesToFeed = 0; 3039 byte [] tempBlob = new byte[(int)inputBuffers[0].capacity()]; 3040 for (int j = 0; j < numFrames; j++) { 3041 int flags = 0; 3042 int bufidx = codec.dequeueInputBuffer(5000); 3043 if (bufidx >= 0) { 3044 inputBuffers[bufidx].rewind(); 3045 if(j == (numFrames - 1)) { 3046 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 3047 } 3048 if (codecConfig.isAudio) { 3049 if (j == 0) { 3050 flags = MediaCodec.BUFFER_FLAG_CODEC_CONFIG; 3051 } 3052 inputBuffers[bufidx].put(blob, offset, frameSizes[j]); 3053 bytesToFeed = frameSizes[j]; 3054 } else { 3055 bytesToFeed = Math.min((int) (fd.getLength() - offset), 3056 inputBuffers[bufidx].capacity()); 3057 System.arraycopy(blob, offset, tempBlob, 0, bytesToFeed); 3058 inputBuffers[bufidx].put(tempBlob, 0, inputBuffers[bufidx].capacity()); 3059 } 3060 codec.queueInputBuffer(bufidx, 0, bytesToFeed, 0, flags); 3061 offset = offset + frameSizes[j]; 3062 } else { 3063 Log.i(TAG, "no input buffer"); 3064 } 3065 bufidx = codec.dequeueOutputBuffer(info, 5000); 3066 if (bufidx >= 0) { 3067 codec.releaseOutputBuffer(bufidx, false); 3068 } else { 3069 Log.i(TAG, "no output buffer"); 3070 } 3071 } 3072 } catch (Exception e) { 3073 // ignore, not a security issue 3074 } finally { 3075 releaseCodec(codec); 3076 } 3077 } 3078 3079 assertNotEquals( 3080 "MediaPlayer encountered a security crash when testing raw blobs with frame sizes.", 3081 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 3082 thr.stopLooper(); 3083 thr.join(); 3084 } 3085 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], int isHeader[], CrashUtils.Config config)3086 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 3087 int frameSizes[], int isHeader[], CrashUtils.Config config) throws Exception { 3088 3089 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 3090 final Context context = getInstrumentation().getContext(); 3091 final Resources resources = context.getResources(); 3092 LooperThread thr = new LooperThread(new Runnable() { 3093 @Override 3094 public void run() { 3095 MediaPlayer mp = new MediaPlayer(); 3096 mp.setOnErrorListener(mpcl); 3097 AssetFileDescriptor fd = null; 3098 try { 3099 fd = resources.openRawResourceFd(R.raw.good); 3100 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 3101 // setDataSource has been called 3102 mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3103 fd.close(); 3104 } catch (Exception e) { 3105 // this is a known-good file, so no failure should occur 3106 fail("setDataSource of known-good file failed"); 3107 } 3108 synchronized (mpcl) { 3109 mpcl.notify(); 3110 } 3111 Looper.loop(); 3112 mp.release(); 3113 } 3114 }); 3115 thr.start(); 3116 // wait until the thread has initialized the MediaPlayer 3117 synchronized (mpcl) { 3118 mpcl.wait(); 3119 } 3120 3121 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 3122 byte[] blob = new byte[(int) fd.getLength()]; 3123 FileInputStream fis = fd.createInputStream(); 3124 int numRead = fis.read(blob); 3125 fis.close(); 3126 3127 // find all the available decoders for this format 3128 ArrayList<String> matchingCodecs = new ArrayList<String>(); 3129 int numCodecs = MediaCodecList.getCodecCount(); 3130 for (int i = 0; i < numCodecs; i++) { 3131 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 3132 if (info.isEncoder()) { 3133 continue; 3134 } 3135 try { 3136 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 3137 if (caps != null) { 3138 /* Add mainline skip to decoders in mainline module */ 3139 if (isCodecInMainlineModule(info.getName())) { 3140 Log.i(TAG, "Skipping codec " + info.getName() + 3141 " as it is part of mainline"); 3142 continue; 3143 } 3144 if (info.isAlias()) { 3145 Log.i(TAG, "Skipping codec " + info.getName() + " as it is an alias"); 3146 continue; 3147 } 3148 matchingCodecs.add(info.getName()); 3149 } 3150 } catch (IllegalArgumentException e) { 3151 // type is not supported 3152 } 3153 } 3154 3155 if (matchingCodecs.size() == 0) { 3156 Log.w(TAG, "no codecs for mime type " + mime); 3157 } 3158 String rname = resources.getResourceEntryName(rid); 3159 // decode this blob once with each matching codec 3160 for (String codecName : matchingCodecs) { 3161 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 3162 MediaCodec codec = MediaCodec.createByCodecName(codecName); 3163 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 3164 try { 3165 codec.configure(format, null, null, 0); 3166 codec.start(); 3167 } catch (Exception e) { 3168 Log.i(TAG, "Exception from codec " + codecName); 3169 releaseCodec(codec); 3170 continue; 3171 } 3172 try { 3173 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 3174 ByteBuffer[] inputBuffers = codec.getInputBuffers(); 3175 int numFrames = 0; 3176 if (frameSizes != null) { 3177 numFrames = frameSizes.length; 3178 } 3179 if (0 == numFrames) { 3180 fail("Improper picture length file"); 3181 } 3182 int offset = 0; 3183 int j = 0; 3184 while (j < numFrames) { 3185 int flags = 0; 3186 int bufidx = codec.dequeueInputBuffer(5000); 3187 if (bufidx >= 0) { 3188 inputBuffers[bufidx].rewind(); 3189 Log.i(TAG, "Got buffer index " + bufidx + " with length " 3190 + inputBuffers[bufidx].capacity()); 3191 if (isHeader[j] == 1) { 3192 flags = MediaCodec.BUFFER_FLAG_CODEC_CONFIG; 3193 } 3194 if (j == (numFrames - 1)) { 3195 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 3196 } 3197 Log.i(TAG, "Feeding frame " + j + " with framelen " + frameSizes[j] 3198 + " offset " + offset + " and flags " + flags); 3199 inputBuffers[bufidx].put(blob, offset, frameSizes[j]); 3200 codec.queueInputBuffer(bufidx, 0, frameSizes[j], 0, flags); 3201 offset = offset + frameSizes[j]; 3202 j++; 3203 } else { 3204 Log.i(TAG, "no input buffer"); 3205 } 3206 bufidx = codec.dequeueOutputBuffer(info, 5000); 3207 if (bufidx >= 0) { 3208 codec.releaseOutputBuffer(bufidx, false); 3209 } else { 3210 Log.i(TAG, "no output buffer"); 3211 } 3212 } 3213 } catch (Exception e) { 3214 // ignore, not a security issue 3215 } finally { 3216 releaseCodec(codec); 3217 } 3218 } 3219 String cve = rname.replace("_", "-").toUpperCase(); 3220 assertFalse("Device *IS* vulnerable to " + cve, 3221 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 3222 thr.stopLooper(); 3223 thr.join(); 3224 } 3225 doStagefrightTestMediaPlayerANR(final int rid, final String uri)3226 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri) throws Exception { 3227 doStagefrightTestMediaPlayerANR(rid, uri, null); 3228 } 3229 doStagefrightTestMediaPlayerANR(final int rid, final String uri, CrashUtils.Config config)3230 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri, 3231 CrashUtils.Config config) throws Exception { 3232 String name = uri != null ? uri : 3233 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 3234 Log.i(TAG, "start mediaplayerANR test for: " + name); 3235 3236 final MediaPlayerCrashListener mpl = new MediaPlayerCrashListener(config); 3237 3238 LooperThread t = new LooperThread(new Runnable() { 3239 @Override 3240 public void run() { 3241 MediaPlayer mp = new MediaPlayer(); 3242 mp.setOnErrorListener(mpl); 3243 mp.setOnPreparedListener(mpl); 3244 mp.setOnCompletionListener(mpl); 3245 RenderTarget renderTarget = RenderTarget.create(); 3246 Surface surface = renderTarget.getSurface(); 3247 mp.setSurface(surface); 3248 AssetFileDescriptor fd = null; 3249 try { 3250 if (uri == null) { 3251 fd = getInstrumentation().getContext().getResources() 3252 .openRawResourceFd(rid); 3253 3254 mp.setDataSource(fd.getFileDescriptor(), 3255 fd.getStartOffset(), 3256 fd.getLength()); 3257 } else { 3258 mp.setDataSource(uri); 3259 } 3260 mp.prepareAsync(); 3261 } catch (Exception e) { 3262 } finally { 3263 closeQuietly(fd); 3264 } 3265 3266 Looper.loop(); 3267 mp.release(); 3268 renderTarget.destroy(); 3269 } 3270 }); 3271 3272 t.start(); 3273 assertTrue("MediaPlayer failed to complete when testing ANR.", 3274 mpl.waitForErrorOrCompletion()); 3275 t.stopLooper(); 3276 t.join(); // wait for thread to exit so we're sure the player was released 3277 } 3278 doStagefrightTestExtractorSeek(final int rid, final long offset)3279 private void doStagefrightTestExtractorSeek(final int rid, final long offset) throws Exception { 3280 doStagefrightTestExtractorSeek(rid, offset, new CrashUtils.Config()); // check crash address by default 3281 } 3282 doStagefrightTestExtractorSeek(final int rid, final long offset, CrashUtils.Config config)3283 private void doStagefrightTestExtractorSeek(final int rid, final long offset, 3284 CrashUtils.Config config) throws Exception { 3285 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 3286 LooperThread thr = new LooperThread(new Runnable() { 3287 @Override 3288 public void run() { 3289 MediaPlayer mp = new MediaPlayer(); 3290 mp.setOnErrorListener(mpcl); 3291 try { 3292 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 3293 .openRawResourceFd(R.raw.good); 3294 mp.setDataSource(fd.getFileDescriptor(), 3295 fd.getStartOffset(), 3296 fd.getLength()); 3297 fd.close(); 3298 } catch (Exception e) { 3299 fail("setDataSource of known-good file failed"); 3300 } 3301 synchronized(mpcl) { 3302 mpcl.notify(); 3303 } 3304 Looper.loop(); 3305 mp.release(); 3306 } 3307 }); 3308 thr.start(); 3309 synchronized(mpcl) { 3310 mpcl.wait(); 3311 } 3312 Resources resources = getInstrumentation().getContext().getResources(); 3313 MediaExtractor ex = new MediaExtractor(); 3314 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 3315 try { 3316 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3317 } catch (IOException e) { 3318 } finally { 3319 closeQuietly(fd); 3320 } 3321 int numtracks = ex.getTrackCount(); 3322 String rname = resources.getResourceEntryName(rid); 3323 Log.i(TAG, "start mediaextractor test for: " + rname + ", which has " + numtracks + " tracks"); 3324 for (int t = 0; t < numtracks; t++) { 3325 try { 3326 ex.selectTrack(t); 3327 } catch (IllegalArgumentException e) { 3328 Log.w(TAG, "couldn't select track " + t); 3329 } 3330 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 3331 ex.advance(); 3332 ex.seekTo(offset, MediaExtractor.SEEK_TO_NEXT_SYNC); 3333 try 3334 { 3335 ex.unselectTrack(t); 3336 } 3337 catch (Exception e) { 3338 } 3339 } 3340 ex.release(); 3341 assertNotEquals("MediaPlayer encountered a security crash when testing extractor seeking.", 3342 MediaPlayer.MEDIA_ERROR_SERVER_DIED, mpcl.waitForError()); 3343 thr.stopLooper(); 3344 thr.join(); 3345 } 3346 assertExtractorDoesNotHang(int rid)3347 protected void assertExtractorDoesNotHang(int rid) throws Exception { 3348 // The media extractor has a watchdog, currently set to 10 seconds. 3349 final long timeoutMs = 12 * 1000; 3350 3351 Thread thread = new Thread(() -> { 3352 MediaExtractor ex = new MediaExtractor(); 3353 AssetFileDescriptor fd = 3354 getInstrumentation().getContext().getResources().openRawResourceFd(rid); 3355 try { 3356 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3357 } catch (IOException e) { 3358 // It is OK for the call to fail, we're only making sure it doesn't hang. 3359 } finally { 3360 closeQuietly(fd); 3361 ex.release(); 3362 } 3363 }); 3364 thread.start(); 3365 3366 thread.join(timeoutMs); 3367 boolean hung = thread.isAlive(); 3368 if (hung) { 3369 // We don't have much to do at this point. Attempt to un-hang the thread, the media 3370 // extractor process is likely still spinning. At least we found a bug... 3371 // TODO: reboot the media extractor process. 3372 thread.interrupt(); 3373 } 3374 3375 assertFalse(hung); 3376 } 3377 } 3378