1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 * 17 * This code was provided to AOSP by Zimperium Inc and was 18 * written by: 19 * 20 * Simone "evilsocket" Margaritelli 21 * Joshua "jduck" Drake 22 */ 23 package android.security.cts; 24 25 import android.app.Instrumentation; 26 import android.content.Context; 27 import android.content.res.AssetFileDescriptor; 28 import android.content.res.Resources; 29 import android.graphics.Bitmap; 30 import android.graphics.BitmapFactory; 31 import android.graphics.SurfaceTexture; 32 import android.media.MediaCodec; 33 import android.media.MediaCodecInfo; 34 import android.media.MediaCodecList; 35 import android.media.MediaExtractor; 36 import android.media.MediaFormat; 37 import android.media.MediaMetadataRetriever; 38 import android.media.MediaPlayer; 39 import android.opengl.GLES20; 40 import android.opengl.GLES11Ext; 41 import android.os.Looper; 42 import android.os.SystemClock; 43 import android.platform.test.annotations.AppModeFull; 44 import android.os.Parcel; 45 import android.platform.test.annotations.SecurityTest; 46 import android.util.Log; 47 import android.view.Surface; 48 import android.webkit.cts.CtsTestServer; 49 50 import com.android.compatibility.common.util.CrashUtils; 51 import com.android.compatibility.common.util.mainline.MainlineModule; 52 import com.android.compatibility.common.util.mainline.ModuleDetector; 53 54 import java.io.BufferedInputStream; 55 import java.io.BufferedReader; 56 import java.io.FileInputStream; 57 import java.io.FileReader; 58 import java.io.IOException; 59 import java.io.InputStream; 60 import java.net.URL; 61 import java.nio.ByteBuffer; 62 import java.io.FileOutputStream; 63 import java.io.ObjectInputStream; 64 import java.io.OutputStream; 65 import java.io.InputStream; 66 import java.net.BindException; 67 import java.net.Socket; 68 import java.net.ServerSocket; 69 import java.io.File; 70 import java.util.ArrayList; 71 import java.util.HashMap; 72 import java.util.concurrent.locks.Condition; 73 import java.util.concurrent.locks.ReentrantLock; 74 import java.util.regex.Pattern; 75 76 import org.json.JSONArray; 77 import org.json.JSONException; 78 import org.json.JSONObject; 79 80 import android.security.cts.R; 81 82 import android.security.NetworkSecurityPolicy; 83 import android.media.TimedText; 84 85 import androidx.test.InstrumentationRegistry; 86 import androidx.test.runner.AndroidJUnit4; 87 88 import org.junit.Rule; 89 import org.junit.rules.TestName; 90 import org.junit.Before; 91 import org.junit.Test; 92 import org.junit.runner.RunWith; 93 94 import static org.junit.Assume.*; 95 import static org.junit.Assert.*; 96 97 /** 98 * Verify that the device is not vulnerable to any known Stagefright 99 * vulnerabilities. 100 */ 101 @AppModeFull 102 @RunWith(AndroidJUnit4.class) 103 public class StagefrightTest { 104 static final String TAG = "StagefrightTest"; 105 private Instrumentation mInstrumentation; 106 107 private final long TIMEOUT_NS = 10000000000L; // 10 seconds. 108 private final static long CHECK_INTERVAL = 50; 109 110 @Rule public TestName name = new TestName(); 111 112 @Before setup()113 public void setup() { 114 mInstrumentation = InstrumentationRegistry.getInstrumentation(); 115 } 116 117 /*********************************************************** 118 to prevent merge conflicts, add K tests below this comment, 119 before any existing test methods 120 ***********************************************************/ 121 122 @Test 123 @SecurityTest(minPatchLevel = "2019-04") testStagefright_cve_2019_2244()124 public void testStagefright_cve_2019_2244() throws Exception { 125 doStagefrightTestRawBlob(R.raw.cve_2019_2244, "video/mpeg2", 320, 420); 126 } 127 128 @Test 129 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_36725407()130 public void testStagefright_bug_36725407() throws Exception { 131 doStagefrightTest(R.raw.bug_36725407); 132 } 133 134 @Test 135 @SecurityTest(minPatchLevel = "2016-08") testStagefright_cve_2016_3829()136 public void testStagefright_cve_2016_3829() throws Exception { 137 doStagefrightTest(R.raw.cve_2016_3829, new CrashUtils.Config().checkMinAddress(false)); 138 } 139 140 @Test 141 @SecurityTest(minPatchLevel = "2017-06") testStagefright_cve_2017_0643()142 public void testStagefright_cve_2017_0643() throws Exception { 143 doStagefrightTest(R.raw.cve_2017_0643, new CrashUtils.Config().checkMinAddress(false)); 144 } 145 146 @Test 147 @SecurityTest(minPatchLevel = "2017-08") testStagefright_cve_2017_0728()148 public void testStagefright_cve_2017_0728() throws Exception { 149 doStagefrightTest(R.raw.cve_2017_0728, new CrashUtils.Config().checkMinAddress(false)); 150 } 151 152 @Test 153 @SecurityTest(minPatchLevel = "2017-10") testStagefright_bug_62187433()154 public void testStagefright_bug_62187433() throws Exception { 155 doStagefrightTest(R.raw.bug_62187433); 156 } 157 158 @Test 159 @SecurityTest(minPatchLevel = "2017-09") testStagefrightANR_bug_62673844()160 public void testStagefrightANR_bug_62673844() throws Exception { 161 doStagefrightTestANR(R.raw.bug_62673844); 162 } 163 164 @Test 165 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_37079296()166 public void testStagefright_bug_37079296() throws Exception { 167 doStagefrightTest(R.raw.bug_37079296); 168 } 169 170 @Test 171 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_38342499()172 public void testStagefright_bug_38342499() throws Exception { 173 doStagefrightTest(R.raw.bug_38342499); 174 } 175 176 @Test 177 @SecurityTest(minPatchLevel = "2015-10") testStagefright_bug_22771132()178 public void testStagefright_bug_22771132() throws Exception { 179 doStagefrightTest(R.raw.bug_22771132); 180 } 181 182 @Test 183 @SecurityTest(minPatchLevel = "2015-10") testStagefright_bug_21443020()184 public void testStagefright_bug_21443020() throws Exception { 185 doStagefrightTest(R.raw.bug_21443020_webm); 186 } 187 188 @Test 189 @SecurityTest(minPatchLevel = "2018-03") testStagefright_bug_34360591()190 public void testStagefright_bug_34360591() throws Exception { 191 doStagefrightTest(R.raw.bug_34360591); 192 } 193 194 @Test 195 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_35763994()196 public void testStagefright_bug_35763994() throws Exception { 197 doStagefrightTest(R.raw.bug_35763994, new CrashUtils.Config().checkMinAddress(false)); 198 } 199 200 @Test 201 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_33137046()202 public void testStagefright_bug_33137046() throws Exception { 203 doStagefrightTest(R.raw.bug_33137046); 204 } 205 206 @Test 207 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2016_2507()208 public void testStagefright_cve_2016_2507() throws Exception { 209 doStagefrightTest(R.raw.cve_2016_2507, new CrashUtils.Config().checkMinAddress(false)); 210 } 211 212 @Test 213 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_31647370()214 public void testStagefright_bug_31647370() throws Exception { 215 doStagefrightTest(R.raw.bug_31647370); 216 } 217 218 @Test 219 @SecurityTest(minPatchLevel = "2017-01") testStagefright_bug_32577290()220 public void testStagefright_bug_32577290() throws Exception { 221 doStagefrightTest(R.raw.bug_32577290); 222 } 223 224 @Test 225 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1538_1()226 public void testStagefright_cve_2015_1538_1() throws Exception { 227 doStagefrightTest(R.raw.cve_2015_1538_1); 228 } 229 230 @Test 231 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1538_2()232 public void testStagefright_cve_2015_1538_2() throws Exception { 233 doStagefrightTest(R.raw.cve_2015_1538_2); 234 } 235 236 @Test 237 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1538_3()238 public void testStagefright_cve_2015_1538_3() throws Exception { 239 doStagefrightTest(R.raw.cve_2015_1538_3); 240 } 241 242 @Test 243 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1538_4()244 public void testStagefright_cve_2015_1538_4() throws Exception { 245 doStagefrightTest(R.raw.cve_2015_1538_4); 246 } 247 248 @Test 249 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1539()250 public void testStagefright_cve_2015_1539() throws Exception { 251 doStagefrightTest(R.raw.cve_2015_1539); 252 } 253 254 @Test 255 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3824()256 public void testStagefright_cve_2015_3824() throws Exception { 257 doStagefrightTest(R.raw.cve_2015_3824); 258 } 259 260 @Test 261 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3826()262 public void testStagefright_cve_2015_3826() throws Exception { 263 doStagefrightTest(R.raw.cve_2015_3826); 264 } 265 266 @Test 267 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3827()268 public void testStagefright_cve_2015_3827() throws Exception { 269 doStagefrightTest(R.raw.cve_2015_3827); 270 } 271 272 @Test 273 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3828()274 public void testStagefright_cve_2015_3828() throws Exception { 275 doStagefrightTest(R.raw.cve_2015_3828); 276 } 277 278 @Test 279 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3829()280 public void testStagefright_cve_2015_3829() throws Exception { 281 doStagefrightTest(R.raw.cve_2015_3829); 282 } 283 284 @Test 285 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3836()286 public void testStagefright_cve_2015_3836() throws Exception { 287 doStagefrightTest(R.raw.cve_2015_3836); 288 } 289 290 @Test 291 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3864()292 public void testStagefright_cve_2015_3864() throws Exception { 293 doStagefrightTest(R.raw.cve_2015_3864); 294 } 295 296 @Test 297 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3864_b23034759()298 public void testStagefright_cve_2015_3864_b23034759() throws Exception { 299 doStagefrightTest(R.raw.cve_2015_3864_b23034759); 300 } 301 302 @Test 303 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_6598()304 public void testStagefright_cve_2015_6598() throws Exception { 305 doStagefrightTest(R.raw.cve_2015_6598); 306 } 307 308 @Test 309 @SecurityTest(minPatchLevel = "2016-12") testStagefright_cve_2016_6766()310 public void testStagefright_cve_2016_6766() throws Exception { 311 doStagefrightTest(R.raw.cve_2016_6766); 312 } 313 314 @Test 315 @SecurityTest(minPatchLevel = "2017-02") testStagefright_cve_2016_2429_b_27211885()316 public void testStagefright_cve_2016_2429_b_27211885() throws Exception { 317 doStagefrightTest(R.raw.cve_2016_2429_b_27211885, 318 new CrashUtils.Config().checkMinAddress(false)); 319 } 320 321 @Test 322 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_34031018()323 public void testStagefright_bug_34031018() throws Exception { 324 doStagefrightTest(R.raw.bug_34031018_32bit, new CrashUtils.Config().checkMinAddress(false)); 325 doStagefrightTest(R.raw.bug_34031018_64bit, new CrashUtils.Config().checkMinAddress(false)); 326 } 327 328 /*********************************************************** 329 to prevent merge conflicts, add L tests below this comment, 330 before any existing test methods 331 ***********************************************************/ 332 333 @Test 334 @SecurityTest(minPatchLevel = "2018-01") testStagefright_bug_65123471()335 public void testStagefright_bug_65123471() throws Exception { 336 doStagefrightTest(R.raw.bug_65123471); 337 } 338 339 @Test 340 @SecurityTest(minPatchLevel = "2018-04") testStagefright_bug_72165027()341 public void testStagefright_bug_72165027() throws Exception { 342 doStagefrightTest(R.raw.bug_72165027); 343 } 344 345 @Test 346 @SecurityTest(minPatchLevel = "2018-06") testStagefright_bug_65483665()347 public void testStagefright_bug_65483665() throws Exception { 348 doStagefrightTest(R.raw.bug_65483665); 349 } 350 351 @Test 352 @SecurityTest(minPatchLevel = "2018-01") testStagefright_cve_2017_0852_b_62815506()353 public void testStagefright_cve_2017_0852_b_62815506() throws Exception { 354 doStagefrightTest(R.raw.cve_2017_0852_b_62815506, 355 new CrashUtils.Config().checkMinAddress(false)); 356 } 357 358 @Test 359 @SecurityTest(minPatchLevel = "2018-02") testStagefright_cve_2017_13229()360 public void testStagefright_cve_2017_13229() throws Exception { 361 doStagefrightTest(R.raw.cve_2017_13229); 362 } 363 364 @Test 365 @SecurityTest(minPatchLevel = "2017-09") testStagefright_cve_2017_0763()366 public void testStagefright_cve_2017_0763() throws Exception { 367 doStagefrightTest(R.raw.cve_2017_0763); 368 } 369 370 /*********************************************************** 371 to prevent merge conflicts, add M tests below this comment, 372 before any existing test methods 373 ***********************************************************/ 374 375 @Test 376 @SecurityTest(minPatchLevel = "2018-06") testBug_73965890()377 public void testBug_73965890() throws Exception { 378 int[] frameSizes = getFrameSizes(R.raw.bug_73965890_framelen); 379 doStagefrightTestRawBlob(R.raw.bug_73965890_hevc, "video/hevc", 320, 240, frameSizes); 380 } 381 382 @Test 383 @SecurityTest(minPatchLevel = "2016-10") testStagefright_cve_2016_3920()384 public void testStagefright_cve_2016_3920() throws Exception { 385 doStagefrightTest(R.raw.cve_2016_3920, new CrashUtils.Config().checkMinAddress(false)); 386 } 387 388 @Test 389 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_38448381()390 public void testStagefright_bug_38448381() throws Exception { 391 doStagefrightTest(R.raw.bug_38448381); 392 } 393 394 @Test 395 @SecurityTest(minPatchLevel = "2016-08") testStagefright_cve_2016_3821()396 public void testStagefright_cve_2016_3821() throws Exception { 397 doStagefrightTest(R.raw.cve_2016_3821, new CrashUtils.Config().checkMinAddress(false)); 398 } 399 400 @Test 401 @SecurityTest(minPatchLevel = "2018-04") testStagefright_bug_70897454()402 public void testStagefright_bug_70897454() throws Exception { 403 doStagefrightTestRawBlob(R.raw.b70897454_avc, "video/avc", 320, 420); 404 } 405 406 @Test 407 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_3742_b_28165659()408 public void testStagefright_cve_2016_3742_b_28165659() throws Exception { 409 doStagefrightTest(R.raw.cve_2016_3742_b_28165659); 410 } 411 412 @Test 413 @SecurityTest(minPatchLevel = "2017-05") testStagefright_bug_35039946()414 public void testStagefright_bug_35039946() throws Exception { 415 doStagefrightTestRawBlob(R.raw.bug_35039946_hevc, "video/hevc", 320, 420); 416 } 417 418 @Test 419 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_38115076()420 public void testStagefright_bug_38115076() throws Exception { 421 doStagefrightTest(R.raw.bug_38115076, new CrashUtils.Config().checkMinAddress(false)); 422 } 423 424 @Test 425 @SecurityTest(minPatchLevel = "2017-05") testStagefright_bug_34618607()426 public void testStagefright_bug_34618607() throws Exception { 427 doStagefrightTest(R.raw.bug_34618607, new CrashUtils.Config().checkMinAddress(false)); 428 } 429 430 @Test 431 @SecurityTest(minPatchLevel = "2018-02") testStagefright_bug_69478425()432 public void testStagefright_bug_69478425() throws Exception { 433 doStagefrightTest(R.raw.bug_69478425); 434 } 435 436 @Test 437 @SecurityTest(minPatchLevel = "2018-01") testStagefright_bug_65735716()438 public void testStagefright_bug_65735716() throws Exception { 439 doStagefrightTestRawBlob(R.raw.bug_65735716_avc, "video/avc", 320, 240); 440 } 441 442 @Test 443 @SecurityTest(minPatchLevel = "2017-12") testStagefright_bug_65717533()444 public void testStagefright_bug_65717533() throws Exception { 445 doStagefrightTest(R.raw.bug_65717533_header_corrupt); 446 } 447 448 @Test 449 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_38239864()450 public void testStagefright_bug_38239864() throws Exception { 451 doStagefrightTest(R.raw.bug_38239864, (4 * 60 * 1000)); 452 } 453 454 @Test 455 @SecurityTest(minPatchLevel = "2017-05") testStagefright_cve_2017_0600()456 public void testStagefright_cve_2017_0600() throws Exception { 457 doStagefrightTest(R.raw.cve_2017_0600, new CrashUtils.Config().checkMinAddress(false)); 458 } 459 460 @Test 461 @SecurityTest(minPatchLevel = "2017-08") testBug_38014992()462 public void testBug_38014992() throws Exception { 463 int[] frameSizes = getFrameSizes(R.raw.bug_38014992_framelen); 464 doStagefrightTestRawBlob(R.raw.bug_38014992_avc, "video/avc", 640, 480, frameSizes, 465 new CrashUtils.Config().checkMinAddress(false)); 466 } 467 468 @Test 469 @SecurityTest(minPatchLevel = "2017-07") testBug_35584425()470 public void testBug_35584425() throws Exception { 471 int[] frameSizes = getFrameSizes(R.raw.bug_35584425_framelen); 472 doStagefrightTestRawBlob(R.raw.bug_35584425_avc, "video/avc", 352, 288, frameSizes); 473 } 474 475 @Test 476 @SecurityTest(minPatchLevel = "2016-11") testBug_31092462()477 public void testBug_31092462() throws Exception { 478 int[] frameSizes = getFrameSizes(R.raw.bug_31092462_framelen); 479 doStagefrightTestRawBlob(R.raw.bug_31092462_avc, "video/avc", 1280, 1024, frameSizes); 480 } 481 482 @Test 483 @SecurityTest(minPatchLevel = "2017-04") testBug_34097866()484 public void testBug_34097866() throws Exception { 485 int[] frameSizes = getFrameSizes(R.raw.bug_34097866_frame_len); 486 doStagefrightTestRawBlob(R.raw.bug_34097866_avc, "video/avc", 352, 288, frameSizes); 487 } 488 489 @Test 490 @SecurityTest(minPatchLevel = "2017-03") testBug_33862021()491 public void testBug_33862021() throws Exception { 492 int[] frameSizes = getFrameSizes(R.raw.bug_33862021_frame_len); 493 doStagefrightTestRawBlob(R.raw.bug_33862021_hevc, "video/hevc", 160, 96, frameSizes); 494 } 495 496 @Test 497 @SecurityTest(minPatchLevel = "2017-03") testBug_33387820()498 public void testBug_33387820() throws Exception { 499 int[] frameSizes = {45, 3202, 430, 2526}; 500 doStagefrightTestRawBlob(R.raw.bug_33387820_avc, "video/avc", 320, 240, frameSizes, 501 new CrashUtils.Config().checkMinAddress(false)); 502 } 503 504 @Test 505 @SecurityTest(minPatchLevel = "2017-07") testBug_37008096()506 public void testBug_37008096() throws Exception { 507 int[] frameSizes = {245, 12, 33, 140, 164}; 508 doStagefrightTestRawBlob(R.raw.bug_37008096_avc, "video/avc", 320, 240, frameSizes); 509 } 510 511 @Test 512 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_34231163()513 public void testStagefright_bug_34231163() throws Exception { 514 int[] frameSizes = {22, 357, 217, 293, 175}; 515 doStagefrightTestRawBlob(R.raw.bug_34231163_mpeg2, "video/mpeg2", 320, 240, frameSizes); 516 } 517 518 @Test 519 @SecurityTest(minPatchLevel = "2017-04") testStagefright_bug_33933140()520 public void testStagefright_bug_33933140() throws Exception { 521 int[] frameSizes = getFrameSizes(R.raw.bug_33933140_framelen); 522 doStagefrightTestRawBlob(R.raw.bug_33933140_avc, "video/avc", 320, 240, frameSizes); 523 } 524 525 @Test 526 @SecurityTest(minPatchLevel = "2017-04") testStagefright_bug_34097915()527 public void testStagefright_bug_34097915() throws Exception { 528 int[] frameSizes = {4140, 593, 0, 15495}; 529 doStagefrightTestRawBlob(R.raw.bug_34097915_avc, "video/avc", 320, 240, frameSizes); 530 } 531 532 @Test 533 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_34097213()534 public void testStagefright_bug_34097213() throws Exception { 535 int[] frameSizes = {2571, 210, 33858}; 536 doStagefrightTestRawBlob(R.raw.bug_34097213_avc, "video/avc", 320, 240, frameSizes); 537 } 538 539 @Test 540 @SecurityTest(minPatchLevel = "2016-08") testBug_28816956()541 public void testBug_28816956() throws Exception { 542 int[] frameSizes = getFrameSizes(R.raw.bug_28816956_framelen); 543 doStagefrightTestRawBlob( 544 R.raw.bug_28816956_hevc, "video/hevc", 352, 288, frameSizes, 545 new CrashUtils.Config().checkMinAddress(false)); 546 } 547 548 @Test 549 @SecurityTest(minPatchLevel = "2017-03") testBug_33818500()550 public void testBug_33818500() throws Exception { 551 int[] frameSizes = getFrameSizes(R.raw.bug_33818500_framelen); 552 doStagefrightTestRawBlob(R.raw.bug_33818500_avc, "video/avc", 64, 32, frameSizes, 553 new CrashUtils.Config().checkMinAddress(false)); 554 } 555 556 @Test 557 @SecurityTest(minPatchLevel = "2018-01") testBug_64784973()558 public void testBug_64784973() throws Exception { 559 int[] frameSizes = getFrameSizes(R.raw.bug_64784973_framelen); 560 doStagefrightTestRawBlob(R.raw.bug_64784973_hevc, "video/hevc", 1280, 720, frameSizes); 561 } 562 563 @Test 564 @SecurityTest(minPatchLevel = "2017-07") testBug_34231231()565 public void testBug_34231231() throws Exception { 566 int[] frameSizes = getFrameSizes(R.raw.bug_34231231_framelen); 567 doStagefrightTestRawBlob(R.raw.bug_34231231_mpeg2, "video/mpeg2", 352, 288, frameSizes); 568 } 569 570 @Test 571 @SecurityTest(minPatchLevel = "2017-10") testBug_63045918()572 public void testBug_63045918() throws Exception { 573 int[] frameSizes = getFrameSizes(R.raw.bug_63045918_framelen); 574 doStagefrightTestRawBlob(R.raw.bug_63045918_hevc, "video/hevc", 352, 288, frameSizes); 575 } 576 577 @Test 578 @SecurityTest(minPatchLevel = "2017-03") testBug_33298089()579 public void testBug_33298089() throws Exception { 580 int[] frameSizes = {3247, 430, 221, 2305}; 581 doStagefrightTestRawBlob(R.raw.bug_33298089_avc, "video/avc", 32, 64, frameSizes); 582 } 583 584 @Test 585 @SecurityTest(minPatchLevel = "2017-05") testStagefright_cve_2017_0599()586 public void testStagefright_cve_2017_0599() throws Exception { 587 doStagefrightTest(R.raw.cve_2017_0599, new CrashUtils.Config().checkMinAddress(false)); 588 } 589 590 @Test 591 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_36492741()592 public void testStagefright_bug_36492741() throws Exception { 593 doStagefrightTest(R.raw.bug_36492741); 594 } 595 596 @Test 597 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_38487564()598 public void testStagefright_bug_38487564() throws Exception { 599 doStagefrightTest(R.raw.bug_38487564, (4 * 60 * 1000)); 600 } 601 602 @Test 603 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_37237396()604 public void testStagefright_bug_37237396() throws Exception { 605 doStagefrightTest(R.raw.bug_37237396); 606 } 607 608 @Test 609 @SecurityTest(minPatchLevel = "2017-09") testStagefright_cve_2016_0842()610 public void testStagefright_cve_2016_0842() throws Exception { 611 doStagefrightTest(R.raw.cve_2016_0842); 612 } 613 614 @Test 615 @SecurityTest(minPatchLevel = "2017-11") testStagefright_bug_63121644()616 public void testStagefright_bug_63121644() throws Exception { 617 doStagefrightTest(R.raw.bug_63121644); 618 } 619 620 @Test 621 @SecurityTest(minPatchLevel = "2017-09") testStagefright_cve_2016_6712()622 public void testStagefright_cve_2016_6712() throws Exception { 623 doStagefrightTest(R.raw.cve_2016_6712, new CrashUtils.Config().checkMinAddress(false)); 624 } 625 626 @Test 627 @SecurityTest(minPatchLevel = "2017-04") testStagefright_bug_34097231()628 public void testStagefright_bug_34097231() throws Exception { 629 doStagefrightTestRawBlob(R.raw.bug_34097231_avc, "video/avc", 320, 240); 630 } 631 632 @Test 633 @SecurityTest(minPatchLevel = "2017-05") testStagefright_bug_34097672()634 public void testStagefright_bug_34097672() throws Exception { 635 doStagefrightTest(R.raw.bug_34097672); 636 } 637 638 639 @Test 640 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_33751193()641 public void testStagefright_bug_33751193() throws Exception { 642 doStagefrightTestRawBlob(R.raw.bug_33751193_avc, "video/avc", 320, 240); 643 } 644 645 @Test 646 @SecurityTest(minPatchLevel = "2017-07") testBug_36993291()647 public void testBug_36993291() throws Exception { 648 doStagefrightTestRawBlob(R.raw.bug_36993291_avc, "video/avc", 320, 240); 649 } 650 651 @Test 652 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_33818508()653 public void testStagefright_bug_33818508() throws Exception { 654 doStagefrightTest(R.raw.bug_33818508, new CrashUtils.Config().checkMinAddress(false)); 655 } 656 657 @Test 658 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_32873375()659 public void testStagefright_bug_32873375() throws Exception { 660 doStagefrightTest(R.raw.bug_32873375, new CrashUtils.Config().checkMinAddress(false)); 661 } 662 663 @Test 664 @SecurityTest(minPatchLevel = "2018-02") testStagefright_bug_63522067()665 public void testStagefright_bug_63522067() throws Exception { 666 doStagefrightTestRawBlob(R.raw.bug_63522067_1_hevc, "video/hevc", 320, 420); 667 doStagefrightTestRawBlob(R.raw.bug_63522067_2_hevc, "video/hevc", 320, 420); 668 doStagefrightTestRawBlob(R.raw.bug_63522067_3_hevc, "video/hevc", 320, 420); 669 doStagefrightTestRawBlob(R.raw.bug_63522067_4_hevc, "video/hevc", 320, 420); 670 } 671 672 @Test 673 @SecurityTest(minPatchLevel = "2016-03") testStagefright_bug_25765591()674 public void testStagefright_bug_25765591() throws Exception { 675 doStagefrightTest(R.raw.bug_25765591); 676 } 677 678 @Test 679 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_62673179()680 public void testStagefright_bug_62673179() throws Exception { 681 doStagefrightTest(R.raw.bug_62673179_ts, (4 * 60 * 1000)); 682 } 683 684 @Test 685 @SecurityTest(minPatchLevel = "2018-03") testStagefright_bug_69269702()686 public void testStagefright_bug_69269702() throws Exception { 687 doStagefrightTest(R.raw.bug_69269702); 688 } 689 690 @Test 691 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3867()692 public void testStagefright_cve_2015_3867() throws Exception { 693 doStagefrightTest(R.raw.cve_2015_3867); 694 } 695 696 @Test 697 @SecurityTest(minPatchLevel = "2018-01") testStagefright_bug_65398821()698 public void testStagefright_bug_65398821() throws Exception { 699 doStagefrightTest(R.raw.bug_65398821, ( 4 * 60 * 1000 ) ); 700 } 701 702 @Test 703 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3869()704 public void testStagefright_cve_2015_3869() throws Exception { 705 doStagefrightTest(R.raw.cve_2015_3869); 706 } 707 708 @Test 709 @SecurityTest(minPatchLevel = "2016-03") testStagefright_bug_23452792()710 public void testStagefright_bug_23452792() throws Exception { 711 doStagefrightTest(R.raw.bug_23452792); 712 } 713 714 @Test 715 @SecurityTest(minPatchLevel = "2016-08") testStagefright_cve_2016_3820()716 public void testStagefright_cve_2016_3820() throws Exception { 717 doStagefrightTest(R.raw.cve_2016_3820); 718 } 719 720 @Test 721 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_3741()722 public void testStagefright_cve_2016_3741() throws Exception { 723 doStagefrightTest(R.raw.cve_2016_3741); 724 } 725 726 @Test 727 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_2506()728 public void testStagefright_cve_2016_2506() throws Exception { 729 doStagefrightTest(R.raw.cve_2016_2506); 730 } 731 732 @Test 733 @SecurityTest(minPatchLevel = "2016-06") testStagefright_cve_2016_2428()734 public void testStagefright_cve_2016_2428() throws Exception { 735 doStagefrightTest(R.raw.cve_2016_2428, new CrashUtils.Config().checkMinAddress(false)); 736 } 737 738 @Test 739 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_3756()740 public void testStagefright_cve_2016_3756() throws Exception { 741 doStagefrightTest(R.raw.cve_2016_3756); 742 } 743 744 @Test 745 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_36592202()746 public void testStagefright_bug_36592202() throws Exception { 747 Resources resources = getInstrumentation().getContext().getResources(); 748 AssetFileDescriptor fd = resources.openRawResourceFd(R.raw.bug_36592202); 749 final int oggPageSize = 25627; 750 byte [] blob = new byte[oggPageSize]; 751 // 127 bytes read and 25500 zeros constitute one Ogg page 752 FileInputStream fis = fd.createInputStream(); 753 int numRead = fis.read(blob); 754 fis.close(); 755 // Creating temp file 756 final File tempFile = File.createTempFile("poc_tmp", ".ogg", null); 757 try { 758 final FileOutputStream tempFos = new FileOutputStream(tempFile.getAbsolutePath()); 759 int bytesWritten = 0; 760 final long oggPagesRequired = 50000; 761 long oggPagesAvailable = tempFile.getUsableSpace() / oggPageSize; 762 long numOggPages = Math.min(oggPagesRequired, oggPagesAvailable); 763 // Repeat data for specified number of pages 764 for (int i = 0; i < numOggPages; i++) { 765 tempFos.write(blob); 766 bytesWritten += oggPageSize; 767 } 768 tempFos.close(); 769 final int fileSize = bytesWritten; 770 final int timeout = (10 * 60 * 1000); 771 runWithTimeout(new Runnable() { 772 @Override 773 public void run() { 774 try { 775 doStagefrightTestMediaCodec(tempFile.getAbsolutePath(), 776 new CrashUtils.Config().checkMinAddress(false)); 777 } catch (Exception | AssertionError e) { 778 if (!tempFile.delete()) { 779 Log.e(TAG, "Failed to delete temporary PoC file"); 780 } 781 fail("Operation was not successful"); 782 } 783 } 784 }, timeout); 785 } catch (Exception e) { 786 fail("Failed to test b/36592202"); 787 } finally { 788 if (!tempFile.delete()) { 789 Log.e(TAG, "Failed to delete temporary PoC file"); 790 } 791 } 792 } 793 794 @Test 795 @SecurityTest(minPatchLevel = "2016-11") testStagefright_bug_30822755()796 public void testStagefright_bug_30822755() throws Exception { 797 doStagefrightTest(R.raw.bug_30822755); 798 } 799 800 @Test 801 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_32322258()802 public void testStagefright_bug_32322258() throws Exception { 803 doStagefrightTest(R.raw.bug_32322258, new CrashUtils.Config().checkMinAddress(false)); 804 } 805 806 @Test 807 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3873_b_23248776()808 public void testStagefright_cve_2015_3873_b_23248776() throws Exception { 809 doStagefrightTest(R.raw.cve_2015_3873_b_23248776); 810 } 811 812 @Test 813 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_35472997()814 public void testStagefright_bug_35472997() throws Exception { 815 doStagefrightTest(R.raw.bug_35472997); 816 } 817 818 @Test 819 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3873_b_20718524()820 public void testStagefright_cve_2015_3873_b_20718524() throws Exception { 821 doStagefrightTest(R.raw.cve_2015_3873_b_20718524); 822 } 823 824 @Test 825 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_34896431()826 public void testStagefright_bug_34896431() throws Exception { 827 doStagefrightTest(R.raw.bug_34896431); 828 } 829 830 @Test 831 @SecurityTest(minPatchLevel = "2017-04") testBug_33641588()832 public void testBug_33641588() throws Exception { 833 doStagefrightTestRawBlob(R.raw.bug_33641588_avc, "video/avc", 320, 240); 834 } 835 836 @Test 837 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3862_b_22954006()838 public void testStagefright_cve_2015_3862_b_22954006() throws Exception { 839 doStagefrightTest(R.raw.cve_2015_3862_b_22954006, 840 new CrashUtils.Config().checkMinAddress(false)); 841 } 842 843 @Test 844 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3867_b_23213430()845 public void testStagefright_cve_2015_3867_b_23213430() throws Exception { 846 doStagefrightTest(R.raw.cve_2015_3867_b_23213430); 847 } 848 849 @Test 850 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3873_b_21814993()851 public void testStagefright_cve_2015_3873_b_21814993() throws Exception { 852 doStagefrightTest(R.raw.cve_2015_3873_b_21814993); 853 } 854 855 @Test 856 @SecurityTest(minPatchLevel = "2016-04") testStagefright_bug_25812590()857 public void testStagefright_bug_25812590() throws Exception { 858 doStagefrightTest(R.raw.bug_25812590); 859 } 860 861 @Test 862 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_6600()863 public void testStagefright_cve_2015_6600() throws Exception { 864 doStagefrightTest(R.raw.cve_2015_6600); 865 } 866 867 @Test 868 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_6603()869 public void testStagefright_cve_2015_6603() throws Exception { 870 doStagefrightTest(R.raw.cve_2015_6603); 871 } 872 873 @Test 874 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_6604()875 public void testStagefright_cve_2015_6604() throws Exception { 876 doStagefrightTest(R.raw.cve_2015_6604); 877 } 878 879 @Test 880 @SecurityTest(minPatchLevel = "2015-12") testStagefright_bug_24157524()881 public void testStagefright_bug_24157524() throws Exception { 882 doStagefrightTestMediaCodec(R.raw.bug_24157524); 883 } 884 885 @Test 886 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3871()887 public void testStagefright_cve_2015_3871() throws Exception { 888 doStagefrightTest(R.raw.cve_2015_3871); 889 } 890 891 @Test 892 @SecurityTest(minPatchLevel = "2016-04") testStagefright_bug_26070014()893 public void testStagefright_bug_26070014() throws Exception { 894 doStagefrightTest(R.raw.bug_26070014); 895 } 896 897 @Test 898 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_32915871()899 public void testStagefright_bug_32915871() throws Exception { 900 doStagefrightTest(R.raw.bug_32915871); 901 } 902 903 @Test 904 @SecurityTest(minPatchLevel = "2016-07") testStagefright_bug_28333006()905 public void testStagefright_bug_28333006() throws Exception { 906 doStagefrightTest(R.raw.bug_28333006); 907 } 908 909 @Test 910 @SecurityTest(minPatchLevel = "2015-11") testStagefright_bug_14388161()911 public void testStagefright_bug_14388161() throws Exception { 912 doStagefrightTestMediaPlayer(R.raw.bug_14388161); 913 } 914 915 @Test 916 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_3755()917 public void testStagefright_cve_2016_3755() throws Exception { 918 doStagefrightTest(R.raw.cve_2016_3755, new CrashUtils.Config().checkMinAddress(false)); 919 } 920 921 @Test 922 @SecurityTest(minPatchLevel = "2016-09") testStagefright_cve_2016_3878_b_29493002()923 public void testStagefright_cve_2016_3878_b_29493002() throws Exception { 924 doStagefrightTest(R.raw.cve_2016_3878_b_29493002, 925 new CrashUtils.Config().checkMinAddress(false)); 926 } 927 928 @Test 929 @SecurityTest(minPatchLevel = "2017-08") testBug_36819262()930 public void testBug_36819262() throws Exception { 931 doStagefrightTestRawBlob(R.raw.bug_36819262_mpeg2, "video/mpeg2", 640, 480); 932 } 933 934 @Test 935 @SecurityTest(minPatchLevel = "2015-11") testStagefright_cve_2015_6608_b_23680780()936 public void testStagefright_cve_2015_6608_b_23680780() throws Exception { 937 doStagefrightTest(R.raw.cve_2015_6608_b_23680780); 938 } 939 940 @Test 941 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_36715268()942 public void testStagefright_bug_36715268() throws Exception { 943 doStagefrightTest(R.raw.bug_36715268); 944 } 945 946 @Test 947 @SecurityTest(minPatchLevel = "2016-06") testStagefright_bug_27855419_CVE_2016_2463()948 public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception { 949 doStagefrightTest(R.raw.bug_27855419, new CrashUtils.Config().checkMinAddress(false)); 950 } 951 952 @Test 953 @SecurityTest(minPatchLevel = "2015-11") testStagefright_bug_19779574()954 public void testStagefright_bug_19779574() throws Exception { 955 doStagefrightTest(R.raw.bug_19779574, new CrashUtils.Config().checkMinAddress(false)); 956 } 957 958 /*********************************************************** 959 to prevent merge conflicts, add N tests below this comment, 960 before any existing test methods 961 ***********************************************************/ 962 963 @Test 964 @SecurityTest(minPatchLevel = "2017-03") testBug_33090864()965 public void testBug_33090864() throws Exception { 966 int[] frameSizes = getFrameSizes(R.raw.bug_33090864_framelen); 967 doStagefrightTestRawBlob(R.raw.bug_33090864_avc, "video/avc", 320, 240, frameSizes); 968 } 969 970 @Test 971 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_36279112()972 public void testStagefright_bug_36279112() throws Exception { 973 doStagefrightTest(R.raw.bug_36279112, new CrashUtils.Config().checkMinAddress(false)); 974 } 975 976 @Test 977 @SecurityTest(minPatchLevel = "2017-06") testStagefright_cve_2017_0640()978 public void testStagefright_cve_2017_0640() throws Exception { 979 int[] frameSizes = {21, 4}; 980 doStagefrightTestRawBlob(R.raw.cve_2017_0640_avc, "video/avc", 640, 480, 981 frameSizes); 982 } 983 984 @Test 985 @SecurityTest(minPatchLevel = "2017-08") testBug_37203196()986 public void testBug_37203196() throws Exception { 987 int[] frameSizes = getFrameSizes(R.raw.bug_37203196_framelen); 988 doStagefrightTestRawBlob(R.raw.bug_37203196_mpeg2, "video/mpeg2", 48, 48, frameSizes); 989 } 990 991 @Test 992 @SecurityTest(minPatchLevel = "2018-06") testBug_73552574()993 public void testBug_73552574() throws Exception { 994 int[] frameSizes = getFrameSizes(R.raw.bug_73552574_framelen); 995 doStagefrightTestRawBlob(R.raw.bug_73552574_avc, "video/avc", 320, 240, frameSizes); 996 } 997 998 @Test 999 @SecurityTest(minPatchLevel = "2015-09") testStagefright_bug_23285192()1000 public void testStagefright_bug_23285192() throws Exception { 1001 doStagefrightTest(R.raw.bug_23285192); 1002 } 1003 1004 @Test 1005 @SecurityTest(minPatchLevel = "2016-03") testStagefright_bug_25928803()1006 public void testStagefright_bug_25928803() throws Exception { 1007 doStagefrightTest(R.raw.bug_25928803); 1008 } 1009 1010 @Test 1011 @SecurityTest(minPatchLevel = "2016-04") testBug_26399350()1012 public void testBug_26399350() throws Exception { 1013 int[] frameSizes = {657, 54930}; 1014 doStagefrightTestRawBlob(R.raw.bug_26399350_avc, "video/avc", 640, 480, 1015 frameSizes); 1016 } 1017 1018 @Test 1019 @SecurityTest(minPatchLevel = "2018-12") testBug_113260892()1020 public void testBug_113260892() throws Exception { 1021 doStagefrightTestRawBlob(R.raw.bug_113260892_hevc, "video/hevc", 320, 240); 1022 } 1023 1024 @Test 1025 @SecurityTest(minPatchLevel = "2018-02") testStagefright_bug_68342866()1026 public void testStagefright_bug_68342866() throws Exception { 1027 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1028 policy.setCleartextTrafficPermitted(true); 1029 Thread server = new Thread() { 1030 @Override 1031 public void run() { 1032 try (ServerSocket serverSocket = new ServerSocket(8080) { 1033 {setSoTimeout(10_000);} // time out after 10 seconds 1034 }; 1035 Socket conn = serverSocket.accept(); 1036 ) { 1037 OutputStream outputstream = conn.getOutputStream(); 1038 InputStream inputStream = conn.getInputStream(); 1039 byte input[] = new byte[65536]; 1040 inputStream.read(input, 0, 65536); 1041 String inputStr = new String(input); 1042 if (inputStr.contains("bug_68342866.m3u8")) { 1043 byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n") 1044 .getBytes(); 1045 byte playlist[] = new byte[] { 0x23, 0x45, 0x58, 0x54, 1046 0x4D, 0x33, 0x55, 0x0A, 0x23, 0x45, 0x58, 0x54, 1047 0x2D, 0x58, 0x2D, 0x53, 0x54, 0x52, 0x45, 0x41, 1048 0x4D, 0x2D, 0x49, 0x4E, 0x46, 0x46, 0x43, 0x23, 1049 0x45, 0x3A, 0x54, 0x42, 0x00, 0x00, 0x00, 0x0A, 1050 0x00, 0x00, 0x00, 0x00, 0x00, (byte) 0xFF, 1051 (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 1052 (byte) 0xFF, (byte) 0xFF, 0x3F, 0x2C, 0x4E, 1053 0x46, 0x00, 0x00 }; 1054 outputstream.write(http); 1055 outputstream.write(playlist); 1056 } 1057 } catch (IOException e) { 1058 } 1059 } 1060 }; 1061 server.start(); 1062 String uri = "http://127.0.0.1:8080/bug_68342866.m3u8"; 1063 final MediaPlayerCrashListener mpcl = 1064 new MediaPlayerCrashListener(new CrashUtils.Config().checkMinAddress(false)); 1065 LooperThread t = new LooperThread(new Runnable() { 1066 @Override 1067 public void run() { 1068 MediaPlayer mp = new MediaPlayer(); 1069 mp.setOnErrorListener(mpcl); 1070 mp.setOnPreparedListener(mpcl); 1071 mp.setOnCompletionListener(mpcl); 1072 RenderTarget renderTarget = RenderTarget.create(); 1073 Surface surface = renderTarget.getSurface(); 1074 mp.setSurface(surface); 1075 AssetFileDescriptor fd = null; 1076 try { 1077 mp.setDataSource(uri); 1078 mp.prepareAsync(); 1079 } catch (IOException e) { 1080 Log.e(TAG, e.toString()); 1081 } finally { 1082 closeQuietly(fd); 1083 } 1084 Looper.loop(); 1085 mp.release(); 1086 renderTarget.destroy(); 1087 } 1088 }); 1089 t.start(); 1090 assertFalse("Device *IS* vulnerable to BUG-68342866", 1091 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1092 t.stopLooper(); 1093 t.join(); 1094 policy.setCleartextTrafficPermitted(false); 1095 server.join(); 1096 } 1097 1098 @Test 1099 @SecurityTest(minPatchLevel = "2018-05") testStagefright_bug_74114680()1100 public void testStagefright_bug_74114680() throws Exception { 1101 doStagefrightTest(R.raw.bug_74114680_ts, (10 * 60 * 1000)); 1102 } 1103 1104 @Test 1105 @SecurityTest(minPatchLevel = "2018-03") testStagefright_bug_70239507()1106 public void testStagefright_bug_70239507() throws Exception { 1107 doStagefrightTestExtractorSeek(R.raw.bug_70239507,1311768465173141112L); 1108 } 1109 1110 @Test 1111 @SecurityTest(minPatchLevel = "2017-03") testBug_33250932()1112 public void testBug_33250932() throws Exception { 1113 int[] frameSizes = {65, 11, 102, 414}; 1114 doStagefrightTestRawBlob(R.raw.bug_33250932_avc, "video/avc", 640, 480, frameSizes); 1115 } 1116 1117 @Test 1118 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_37430213()1119 public void testStagefright_bug_37430213() throws Exception { 1120 doStagefrightTest(R.raw.bug_37430213); 1121 } 1122 1123 @Test 1124 @SecurityTest(minPatchLevel = "2018-11") testStagefright_bug_68664359()1125 public void testStagefright_bug_68664359() throws Exception { 1126 doStagefrightTest(R.raw.bug_68664359, 60000); 1127 } 1128 1129 @Test 1130 @SecurityTest(minPatchLevel = "2018-11") testStagefright_bug_110435401()1131 public void testStagefright_bug_110435401() throws Exception { 1132 doStagefrightTest(R.raw.bug_110435401, 60000); 1133 } 1134 1135 @Test 1136 @SecurityTest(minPatchLevel = "2017-03") testStagefright_cve_2017_0474()1137 public void testStagefright_cve_2017_0474() throws Exception { 1138 doStagefrightTest(R.raw.cve_2017_0474, 120000); 1139 } 1140 1141 @Test 1142 @SecurityTest(minPatchLevel = "2017-09") testStagefright_cve_2017_0765()1143 public void testStagefright_cve_2017_0765() throws Exception { 1144 doStagefrightTest(R.raw.cve_2017_0765); 1145 } 1146 1147 @Test 1148 @SecurityTest(minPatchLevel = "2018-04") testStagefright_cve_2017_13276()1149 public void testStagefright_cve_2017_13276() throws Exception { 1150 doStagefrightTest(R.raw.cve_2017_13276); 1151 } 1152 1153 @Test 1154 @SecurityTest(minPatchLevel = "2016-12") testStagefright_cve_2016_6764()1155 public void testStagefright_cve_2016_6764() throws Exception { 1156 doStagefrightTest(R.raw.cve_2016_6764, new CrashUtils.Config().checkMinAddress(false)); 1157 } 1158 1159 @Test 1160 @SecurityTest(minPatchLevel = "2018-01") testStagefright_cve_2017_13214()1161 public void testStagefright_cve_2017_13214() throws Exception { 1162 doStagefrightTest(R.raw.cve_2017_13214); 1163 } 1164 1165 @Test 1166 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_35467107()1167 public void testStagefright_bug_35467107() throws Exception { 1168 doStagefrightTest(R.raw.bug_35467107, new CrashUtils.Config().checkMinAddress(false)); 1169 } 1170 1171 /*********************************************************** 1172 to prevent merge conflicts, add O tests below this comment, 1173 before any existing test methods 1174 ***********************************************************/ 1175 1176 @Test 1177 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2107()1178 public void testStagefright_cve_2019_2107() throws Exception { 1179 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1180 getInstrumentation().getContext().getPackageManager(), 1181 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1182 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2107_framelen); 1183 doStagefrightTestRawBlob(R.raw.cve_2019_2107_hevc, "video/hevc", 1920, 1184 1080, frameSizes); 1185 } 1186 1187 @Test 1188 @SecurityTest(minPatchLevel = "2019-04") testStagefright_cve_2019_2245()1189 public void testStagefright_cve_2019_2245() throws Exception { 1190 doStagefrightTest(R.raw.cve_2019_2245); 1191 } 1192 1193 @Test 1194 @SecurityTest(minPatchLevel = "2019-04") testStagefright_cve_2018_13925()1195 public void testStagefright_cve_2018_13925() throws Exception { 1196 doStagefrightTest(R.raw.cve_2018_13925); 1197 } 1198 1199 @Test 1200 @SecurityTest(minPatchLevel = "2020-12") testStagefright_cve_2020_11139()1201 public void testStagefright_cve_2020_11139() throws Exception { 1202 doStagefrightTest(R.raw.cve_2020_11139); 1203 } 1204 1205 @Test 1206 @SecurityTest(minPatchLevel = "2020-06") testStagefright_cve_2020_3663()1207 public void testStagefright_cve_2020_3663() throws Exception { 1208 doStagefrightTest(R.raw.cve_2020_3663); 1209 } 1210 1211 @Test 1212 @SecurityTest(minPatchLevel = "2020-08") testStagefright_cve_2020_11122()1213 public void testStagefright_cve_2020_11122() throws Exception { 1214 doStagefrightTest(R.raw.cve_2020_11122); 1215 } 1216 1217 @Test 1218 @SecurityTest(minPatchLevel = "2020-07") testStagefright_cve_2020_3688()1219 public void testStagefright_cve_2020_3688() throws Exception { 1220 doStagefrightTest(R.raw.cve_2020_3688); 1221 } 1222 1223 @Test 1224 @SecurityTest(minPatchLevel = "2020-11") testStagefright_cve_2020_11168()1225 public void testStagefright_cve_2020_11168() throws Exception { 1226 doStagefrightTest(R.raw.cve_2020_11168); 1227 } 1228 1229 @Test 1230 @SecurityTest(minPatchLevel = "2020-06") testStagefright_cve_2020_3658()1231 public void testStagefright_cve_2020_3658() throws Exception { 1232 doStagefrightTest(R.raw.cve_2020_3658); 1233 } 1234 1235 @Test 1236 @SecurityTest(minPatchLevel = "2020-05") testStagefright_cve_2020_3633()1237 public void testStagefright_cve_2020_3633() throws Exception { 1238 doStagefrightTest(R.raw.cve_2020_3633); 1239 } 1240 1241 @Test 1242 @SecurityTest(minPatchLevel = "2020-06") testStagefright_cve_2020_3660()1243 public void testStagefright_cve_2020_3660() throws Exception { 1244 doStagefrightTest(R.raw.cve_2020_3660); 1245 } 1246 1247 @Test 1248 @SecurityTest(minPatchLevel = "2020-06") testStagefright_cve_2020_3661()1249 public void testStagefright_cve_2020_3661() throws Exception { 1250 doStagefrightTest(R.raw.cve_2020_3661); 1251 } 1252 1253 @Test 1254 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_14013()1255 public void testStagefright_cve_2019_14013() throws Exception { 1256 doStagefrightTest(R.raw.cve_2019_14013); 1257 } 1258 1259 @Test 1260 @SecurityTest(minPatchLevel = "2020-06") testStagefright_cve_2020_3662()1261 public void testStagefright_cve_2020_3662() throws Exception { 1262 doStagefrightTest(R.raw.cve_2020_3662); 1263 } 1264 1265 @Test 1266 @SecurityTest(minPatchLevel = "2021-01") testStagefright_cve_2021_0312()1267 public void testStagefright_cve_2021_0312() throws Exception { 1268 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1269 getInstrumentation().getContext().getPackageManager(), 1270 MainlineModule.MEDIA)); 1271 doStagefrightTestExtractorSeek(R.raw.cve_2021_0312, 2, new CrashUtils.Config() 1272 .setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1273 } 1274 1275 @Test 1276 @SecurityTest(minPatchLevel = "2018-09") testStagefright_cve_2018_9474()1277 public void testStagefright_cve_2018_9474() throws Exception { 1278 MediaPlayer mp = new MediaPlayer(); 1279 RenderTarget renderTarget = RenderTarget.create(); 1280 Surface surface = renderTarget.getSurface(); 1281 mp.setSurface(surface); 1282 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1283 .openRawResourceFd(R.raw.cve_2018_9474); 1284 1285 mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 1286 mp.prepare(); 1287 1288 MediaPlayer.TrackInfo[] trackInfos = mp.getTrackInfo(); 1289 if (trackInfos == null || trackInfos.length == 0) { 1290 return; 1291 } 1292 1293 MediaPlayer.TrackInfo trackInfo = trackInfos[0]; 1294 1295 int trackType = trackInfo.getTrackType(); 1296 MediaFormat format = trackInfo.getFormat(); 1297 1298 Parcel data = Parcel.obtain(); 1299 trackInfo.writeToParcel(data, 0); 1300 1301 data.setDataPosition(0); 1302 int trackTypeFromParcel = data.readInt(); 1303 String mimeTypeFromParcel = data.readString(); 1304 data.recycle(); 1305 1306 if (trackType == trackTypeFromParcel) { 1307 assertFalse("Device *IS* vulnerable to CVE-2018-9474", 1308 mimeTypeFromParcel.equals("und")); 1309 } 1310 } 1311 1312 @Test 1313 @SecurityTest(minPatchLevel = "2019-09") testStagefright_cve_2019_2108()1314 public void testStagefright_cve_2019_2108() throws Exception { 1315 doStagefrightTestRawBlob(R.raw.cve_2019_2108_hevc, "video/hevc", 320, 240, 1316 new CrashUtils.Config().setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, 1317 CrashUtils.SIGABRT)); 1318 } 1319 1320 @Test 1321 @SecurityTest(minPatchLevel = "2016-09") testStagefright_cve_2016_3880()1322 public void testStagefright_cve_2016_3880() throws Exception { 1323 Thread server = new Thread() { 1324 @Override 1325 public void run() { 1326 try (ServerSocket serverSocket = new ServerSocket(8080) { 1327 {setSoTimeout(10_000);} // time out after 10 seconds 1328 }; 1329 Socket conn = serverSocket.accept() 1330 ) { 1331 OutputStream outputstream = conn.getOutputStream(); 1332 InputStream inputStream = conn.getInputStream(); 1333 byte input[] = new byte[65536]; 1334 inputStream.read(input, 0, 65536); 1335 String inputStr = new String(input); 1336 if (inputStr.contains("DESCRIBE rtsp://127.0.0.1:8080/cve_2016_3880")) { 1337 byte http[] = ("RTSP/1.0 200 OK\r\n" 1338 + "Server: stagefright/1.2 (Linux;Android 9)\r\n" 1339 + "Content-Type: application/sdp\r\n" 1340 + "Content-Base: rtsp://127.0.0.1:8080/cve_2016_3880\r\n" 1341 + "Content-Length: 379\r\n" 1342 + "Cache-Control: no-cache\r\nCSeq: 1\r\n\r\n").getBytes(); 1343 1344 byte sdp[] = ("v=0\r\no=- 64 233572944 IN IP4 127.0.0.0\r\n" 1345 + "s=QuickTime\r\nt=0 0\r\na=range:npt=now-\r\n" 1346 + "m=video 5434 RTP/AVP 96123456\r\nc=IN IP4 127.0.0.1\r\n" 1347 + "b=AS:320000\r\na=rtpmap:96123456 H264/90000\r\n" 1348 + "a=fmtp:96123456 packetization-mode=1;profile-level-id=42001E;" 1349 + "sprop-parameter-sets=Z0IAHpZUBaHogA==,aM44gA==\r\n" 1350 + "a=cliprect:0,0,480,270\r\na=framesize:96123456 720-480\r\n" 1351 + "a=control:track1\r\n").getBytes(); 1352 1353 outputstream.write(http); 1354 outputstream.write(sdp); 1355 outputstream.flush(); 1356 } 1357 } catch (IOException e) { 1358 } 1359 } 1360 }; 1361 server.start(); 1362 String uri = "rtsp://127.0.0.1:8080/cve_2016_3880"; 1363 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(new CrashUtils.Config() 1364 .setSignals(CrashUtils.SIGSEGV, CrashUtils.SIGBUS, CrashUtils.SIGABRT)); 1365 LooperThread t = new LooperThread(new Runnable() { 1366 @Override 1367 public void run() { 1368 MediaPlayer mp = new MediaPlayer(); 1369 mp.setOnErrorListener(mpcl); 1370 mp.setOnPreparedListener(mpcl); 1371 mp.setOnCompletionListener(mpcl); 1372 RenderTarget renderTarget = RenderTarget.create(); 1373 Surface surface = renderTarget.getSurface(); 1374 mp.setSurface(surface); 1375 AssetFileDescriptor fd = null; 1376 try { 1377 mp.setDataSource(uri); 1378 mp.prepareAsync(); 1379 } catch (IOException e) { 1380 Log.e(TAG, e.toString()); 1381 } finally { 1382 closeQuietly(fd); 1383 } 1384 Looper.loop(); 1385 mp.release(); 1386 } 1387 }); 1388 t.start(); 1389 assertFalse("Device *IS* vulnerable to CVE-2016-3880", 1390 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1391 t.stopLooper(); 1392 t.join(); 1393 server.join(); 1394 } 1395 1396 @Test 1397 @SecurityTest(minPatchLevel = "2021-01") testStagefright_bug170240631()1398 public void testStagefright_bug170240631() throws Exception { 1399 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1400 getInstrumentation().getContext().getPackageManager(), 1401 MainlineModule.MEDIA)); 1402 doStagefrightTest(R.raw.bug170240631_ts); 1403 } 1404 1405 @Test 1406 @SecurityTest(minPatchLevel = "2020-05") testStagefright_cve_2020_3641()1407 public void testStagefright_cve_2020_3641() throws Exception { 1408 doStagefrightTest(R.raw.cve_2020_3641); 1409 } 1410 1411 @Test 1412 @SecurityTest(minPatchLevel = "2020-04") testStagefright_cve_2019_14127()1413 public void testStagefright_cve_2019_14127() throws Exception { 1414 doStagefrightTest(R.raw.cve_2019_14127); 1415 } 1416 1417 @Test 1418 @SecurityTest(minPatchLevel = "2020-04") testStagefright_cve_2019_14132()1419 public void testStagefright_cve_2019_14132() throws Exception { 1420 doStagefrightTest(R.raw.cve_2019_14132); 1421 } 1422 1423 @Test 1424 @SecurityTest(minPatchLevel = "2020-03") testStagefright_cve_2019_10591()1425 public void testStagefright_cve_2019_10591() throws Exception { 1426 doStagefrightTest(R.raw.cve_2019_10591); 1427 } 1428 1429 @Test 1430 @SecurityTest(minPatchLevel = "2020-02") testStagefright_cve_2019_10590()1431 public void testStagefright_cve_2019_10590() throws Exception { 1432 doStagefrightTest(R.raw.cve_2019_10590); 1433 } 1434 1435 @Test 1436 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_14004()1437 public void testStagefright_cve_2019_14004() throws Exception { 1438 doStagefrightTest(R.raw.cve_2019_14004); 1439 } 1440 1441 @Test 1442 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_14003()1443 public void testStagefright_cve_2019_14003() throws Exception { 1444 doStagefrightTest(R.raw.cve_2019_14003); 1445 } 1446 1447 @Test 1448 @SecurityTest(minPatchLevel = "2020-02") testStagefright_cve_2019_14057()1449 public void testStagefright_cve_2019_14057() throws Exception { 1450 doStagefrightTest(R.raw.cve_2019_14057); 1451 } 1452 1453 @Test 1454 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_10532()1455 public void testStagefright_cve_2019_10532() throws Exception { 1456 doStagefrightTest(R.raw.cve_2019_10532); 1457 } 1458 1459 @Test 1460 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_10578()1461 public void testStagefright_cve_2019_10578() throws Exception { 1462 doStagefrightTest(R.raw.cve_2019_10578); 1463 } 1464 1465 @Test 1466 @SecurityTest(minPatchLevel = "2020-03") testStagefright_cve_2019_14061()1467 public void testStagefright_cve_2019_14061() throws Exception { 1468 doStagefrightTest(R.raw.cve_2019_14061, 180000); 1469 } 1470 1471 @Test 1472 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_10611()1473 public void testStagefright_cve_2019_10611() throws Exception { 1474 doStagefrightTest(R.raw.cve_2019_10611); 1475 } 1476 1477 @Test 1478 @SecurityTest(minPatchLevel = "2019-08") testStagefright_cve_2019_10489()1479 public void testStagefright_cve_2019_10489() throws Exception { 1480 doStagefrightTest(R.raw.cve_2019_10489); 1481 } 1482 1483 @Test 1484 @SecurityTest(minPatchLevel = "2020-03") testStagefright_cve_2019_14048()1485 public void testStagefright_cve_2019_14048() throws Exception { 1486 doStagefrightTest(R.raw.cve_2019_14048); 1487 } 1488 1489 @Test 1490 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2253()1491 public void testStagefright_cve_2019_2253() throws Exception { 1492 doStagefrightTest(R.raw.cve_2019_2253); 1493 } 1494 1495 @Test 1496 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_10579()1497 public void testStagefright_cve_2019_10579() throws Exception { 1498 doStagefrightTestANR(R.raw.cve_2019_10579); 1499 } 1500 1501 @Test 1502 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_14005()1503 public void testStagefright_cve_2019_14005() throws Exception { 1504 doStagefrightTest(R.raw.cve_2019_14005); 1505 } 1506 1507 @Test 1508 @SecurityTest(minPatchLevel = "2020-01") testStagefright_cve_2019_14006()1509 public void testStagefright_cve_2019_14006() throws Exception { 1510 doStagefrightTest(R.raw.cve_2019_14006); 1511 } 1512 1513 @Test 1514 @SecurityTest(minPatchLevel = "2020-01") testStagefright_CVE_2019_14016()1515 public void testStagefright_CVE_2019_14016() throws Exception { 1516 doStagefrightTest(R.raw.cve_2019_14016); 1517 } 1518 1519 @Test 1520 @SecurityTest(minPatchLevel = "2020-01") testStagefright_CVE_2019_14017()1521 public void testStagefright_CVE_2019_14017() throws Exception { 1522 doStagefrightTest(R.raw.cve_2019_14017); 1523 } 1524 1525 @Test 1526 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_9412()1527 public void testStagefright_cve_2018_9412() throws Exception { 1528 doStagefrightTest(R.raw.cve_2018_9412, 180000); 1529 } 1530 1531 @Test 1532 @SecurityTest(minPatchLevel = "Unknown") testStagefright_bug_142641801()1533 public void testStagefright_bug_142641801() throws Exception { 1534 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1535 getInstrumentation().getContext().getPackageManager(), 1536 MainlineModule.MEDIA)); 1537 doStagefrightTest(R.raw.bug_142641801); 1538 } 1539 1540 @Test 1541 @SecurityTest(minPatchLevel = "2019-09") testStagefright_cve_2019_10534()1542 public void testStagefright_cve_2019_10534() throws Exception { 1543 doStagefrightTest(R.raw.cve_2019_10534); 1544 } 1545 1546 @Test 1547 @SecurityTest(minPatchLevel = "2019-09") testStagefright_cve_2019_10533()1548 public void testStagefright_cve_2019_10533() throws Exception { 1549 doStagefrightTest(R.raw.cve_2019_10533); 1550 } 1551 1552 @Test 1553 @SecurityTest(minPatchLevel = "2019-09") testStagefright_cve_2019_10541()1554 public void testStagefright_cve_2019_10541() throws Exception { 1555 doStagefrightTest(R.raw.cve_2019_10541); 1556 } 1557 1558 @Test 1559 @SecurityTest(minPatchLevel = "2018-02") testStagefright_cve_2017_13233()1560 public void testStagefright_cve_2017_13233() throws Exception { 1561 doStagefrightTestRawBlob(R.raw.cve_2017_13233_hevc, "video/hevc", 640, 1562 480); 1563 } 1564 1565 @Test 1566 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2106()1567 public void testStagefright_cve_2019_2106() throws Exception { 1568 int[] frameSizes = {943, 3153}; 1569 doStagefrightTestRawBlob(R.raw.cve_2019_2106_hevc, "video/hevc", 320, 1570 240, frameSizes); 1571 } 1572 1573 @Test 1574 @SecurityTest(minPatchLevel = "2017-06") testStagefright_cve_2017_0637()1575 public void testStagefright_cve_2017_0637() throws Exception { 1576 doStagefrightTest(R.raw.cve_2017_0637, 2 * 72000); 1577 } 1578 1579 @Test 1580 @SecurityTest(minPatchLevel = "2018-09") testStagefright_cve_2018_11287()1581 public void testStagefright_cve_2018_11287() throws Exception { 1582 doStagefrightTest(R.raw.cve_2018_11287, 180000); 1583 } 1584 1585 @Test 1586 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2327()1587 public void testStagefright_cve_2019_2327() throws Exception { 1588 doStagefrightTest(R.raw.cve_2019_2327); 1589 } 1590 1591 @Test 1592 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2322()1593 public void testStagefright_cve_2019_2322() throws Exception { 1594 doStagefrightTest(R.raw.cve_2019_2322); 1595 } 1596 1597 @Test 1598 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2334()1599 public void testStagefright_cve_2019_2334() throws Exception { 1600 doStagefrightTest(R.raw.cve_2019_2334); 1601 } 1602 1603 @Test 1604 @SecurityTest(minPatchLevel = "2018-01") testStagefright_cve_2017_13204()1605 public void testStagefright_cve_2017_13204() throws Exception { 1606 int[] frameSizes = getFrameSizes(R.raw.cve_2017_13204_framelen); 1607 doStagefrightTestRawBlob(R.raw.cve_2017_13204_avc, "video/avc", 16, 16, frameSizes); 1608 } 1609 1610 @Test 1611 @SecurityTest(minPatchLevel = "2018-03") testStagefright_cve_2017_17773()1612 public void testStagefright_cve_2017_17773() throws Exception { 1613 doStagefrightTest(R.raw.cve_2017_17773); 1614 } 1615 1616 @Test 1617 @SecurityTest(minPatchLevel = "2018-04") testStagefright_cve_2017_18074()1618 public void testStagefright_cve_2017_18074() throws Exception { 1619 doStagefrightTest(R.raw.cve_2017_18074); 1620 } 1621 1622 @Test 1623 @SecurityTest(minPatchLevel = "2018-06") testStagefright_cve_2018_5894()1624 public void testStagefright_cve_2018_5894() throws Exception { 1625 doStagefrightTest(R.raw.cve_2018_5894); 1626 } 1627 1628 @Test 1629 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_5874()1630 public void testStagefright_cve_2018_5874() throws Exception { 1631 doStagefrightTest(R.raw.cve_2018_5874); 1632 } 1633 1634 @Test 1635 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_5875()1636 public void testStagefright_cve_2018_5875() throws Exception { 1637 doStagefrightTest(R.raw.cve_2018_5875); 1638 } 1639 1640 @Test 1641 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_5876()1642 public void testStagefright_cve_2018_5876() throws Exception { 1643 doStagefrightTest(R.raw.cve_2018_5876); 1644 } 1645 1646 @Test 1647 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_5882()1648 public void testStagefright_cve_2018_5882() throws Exception { 1649 doStagefrightTest(R.raw.cve_2018_5882); 1650 } 1651 1652 @Test 1653 @SecurityTest(minPatchLevel = "2017-12") testBug_65186291()1654 public void testBug_65186291() throws Exception { 1655 int[] frameSizes = getFrameSizes(R.raw.bug_65186291_framelen); 1656 doStagefrightTestRawBlob(R.raw.bug_65186291_hevc, "video/hevc", 1920, 1080, frameSizes); 1657 } 1658 1659 @Test 1660 @SecurityTest(minPatchLevel = "2018-01") testBug_67737022()1661 public void testBug_67737022() throws Exception { 1662 doStagefrightTest(R.raw.bug_67737022); 1663 } 1664 1665 @Test 1666 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_37093318()1667 public void testStagefright_bug_37093318() throws Exception { 1668 doStagefrightTest(R.raw.bug_37093318, (4 * 60 * 1000)); 1669 } 1670 1671 @Test 1672 @SecurityTest(minPatchLevel = "2018-05") testStagefright_bug_73172046()1673 public void testStagefright_bug_73172046() throws Exception { 1674 doStagefrightTest(R.raw.bug_73172046); 1675 1676 Bitmap bitmap = BitmapFactory.decodeResource( 1677 getInstrumentation().getContext().getResources(), R.raw.bug_73172046); 1678 // OK if the decoding failed, but shouldn't cause crashes 1679 if (bitmap != null) { 1680 bitmap.recycle(); 1681 } 1682 } 1683 1684 @Test 1685 @SecurityTest(minPatchLevel = "2016-03") testStagefright_cve_2016_0824()1686 public void testStagefright_cve_2016_0824() throws Exception { 1687 doStagefrightTest(R.raw.cve_2016_0824); 1688 } 1689 1690 @Test 1691 @SecurityTest(minPatchLevel = "2016-03") testStagefright_cve_2016_0815()1692 public void testStagefright_cve_2016_0815() throws Exception { 1693 doStagefrightTest(R.raw.cve_2016_0815); 1694 } 1695 1696 @Test 1697 @SecurityTest(minPatchLevel = "2016-05") testStagefright_cve_2016_2454()1698 public void testStagefright_cve_2016_2454() throws Exception { 1699 doStagefrightTest(R.raw.cve_2016_2454); 1700 } 1701 1702 @Test 1703 @SecurityTest(minPatchLevel = "2016-12") testStagefright_cve_2016_6765()1704 public void testStagefright_cve_2016_6765() throws Exception { 1705 doStagefrightTest(R.raw.cve_2016_6765, new CrashUtils.Config().checkMinAddress(false)); 1706 } 1707 1708 @Test 1709 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_2508()1710 public void testStagefright_cve_2016_2508() throws Exception { 1711 doStagefrightTest(R.raw.cve_2016_2508, new CrashUtils.Config().checkMinAddress(false)); 1712 } 1713 1714 @Test 1715 @SecurityTest(minPatchLevel = "2016-11") testStagefright_cve_2016_6699()1716 public void testStagefright_cve_2016_6699() throws Exception { 1717 doStagefrightTest(R.raw.cve_2016_6699); 1718 } 1719 1720 @Test 1721 @SecurityTest(minPatchLevel = "2018-06") testStagefright_cve_2017_18155()1722 public void testStagefright_cve_2017_18155() throws Exception { 1723 doStagefrightTest(R.raw.cve_2017_18155); 1724 } 1725 1726 @Test 1727 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_9423()1728 public void testStagefright_cve_2018_9423() throws Exception { 1729 doStagefrightTest(R.raw.cve_2018_9423); 1730 } 1731 1732 @Test 1733 @SecurityTest(minPatchLevel = "2016-09") testStagefright_cve_2016_3879()1734 public void testStagefright_cve_2016_3879() throws Exception { 1735 doStagefrightTest(R.raw.cve_2016_3879, new CrashUtils.Config().checkMinAddress(false)); 1736 } 1737 1738 /*********************************************************** 1739 to prevent merge conflicts, add P tests below this comment, 1740 before any existing test methods 1741 ***********************************************************/ 1742 1743 @Test 1744 @SecurityTest(minPatchLevel = "2019-12") testStagefright_cve_2019_2222()1745 public void testStagefright_cve_2019_2222() throws Exception { 1746 // TODO(b/170987914): This also skips testing hw_codecs. 1747 // Update doStagefrightTestRawBlob to skip just the sw_codec test. 1748 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1749 getInstrumentation().getContext().getPackageManager(), 1750 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1751 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2222_framelen); 1752 doStagefrightTestRawBlob(R.raw.cve_2019_2222_hevc, "video/hevc", 320, 240, frameSizes); 1753 } 1754 doStagefrightTest(final int rid)1755 private void doStagefrightTest(final int rid) throws Exception { 1756 doStagefrightTest(rid, null); 1757 } 1758 1759 /*********************************************************** 1760 to prevent merge conflicts, add Q tests below this comment, 1761 before any existing test methods 1762 ***********************************************************/ 1763 1764 @Test 1765 @SecurityTest(minPatchLevel = "2019-12") testStagefright_cve_2019_2223()1766 public void testStagefright_cve_2019_2223() throws Exception { 1767 // TODO(b/170987914): This also skips testing hw_codecs. 1768 // Update doStagefrightTestRawBlob to skip just the sw_codec test. 1769 assumeFalse(ModuleDetector.moduleIsPlayManaged( 1770 getInstrumentation().getContext().getPackageManager(), 1771 MainlineModule.MEDIA_SOFTWARE_CODEC)); 1772 int[] frameSizes = getFrameSizes(R.raw.cve_2019_2223_framelen); 1773 doStagefrightTestRawBlob(R.raw.cve_2019_2223_hevc, "video/hevc", 320, 240, frameSizes); 1774 } 1775 1776 @Test 1777 @SecurityTest(minPatchLevel = "2019-03") testStagefright_cve_2019_1989()1778 public void testStagefright_cve_2019_1989() throws Exception { 1779 Object obj[] = getFrameInfo(R.raw.cve_2019_1989_info); 1780 int[] isHeader = (int[])obj [0]; 1781 int[] frameSizes = (int[])obj [1]; 1782 doStagefrightTestRawBlob(R.raw.cve_2019_1989_h264, "video/avc", 1783 1920, 1080, frameSizes, isHeader, new CrashUtils.Config()); 1784 } 1785 doStagefrightTest(final int rid, CrashUtils.Config config)1786 private void doStagefrightTest(final int rid, CrashUtils.Config config) throws Exception { 1787 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1788 policy.setCleartextTrafficPermitted(true); 1789 doStagefrightTestMediaPlayer(rid, config); 1790 doStagefrightTestMediaCodec(rid, config); 1791 doStagefrightTestMediaMetadataRetriever(rid, config); 1792 1793 Context context = getInstrumentation().getContext(); 1794 CtsTestServer server = null; 1795 try { 1796 server = new CtsTestServer(context); 1797 } catch (BindException e) { 1798 // Instant Apps security policy does not allow 1799 // listening for incoming connections. 1800 // Server based tests cannot be run. 1801 return; 1802 } 1803 Resources resources = context.getResources(); 1804 String rname = resources.getResourceEntryName(rid); 1805 String url = server.getAssetUrl("raw/" + rname); 1806 verifyServer(rid, url); 1807 doStagefrightTestMediaPlayer(url, config); 1808 doStagefrightTestMediaCodec(url, config); 1809 doStagefrightTestMediaMetadataRetriever(url, config); 1810 policy.setCleartextTrafficPermitted(false); 1811 server.shutdown(); 1812 } 1813 1814 // verify that CtsTestServer is functional by retrieving the asset 1815 // and comparing it to the resource verifyServer(final int rid, final String uri)1816 private void verifyServer(final int rid, final String uri) throws Exception { 1817 Log.i(TAG, "checking server"); 1818 URL url = new URL(uri); 1819 InputStream in1 = new BufferedInputStream(url.openStream()); 1820 1821 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1822 .openRawResourceFd(rid); 1823 InputStream in2 = new BufferedInputStream(fd.createInputStream()); 1824 1825 while (true) { 1826 int b1 = in1.read(); 1827 int b2 = in2.read(); 1828 assertEquals("CtsTestServer fail", b1, b2); 1829 if (b1 < 0) { 1830 break; 1831 } 1832 } 1833 1834 in1.close(); 1835 in2.close(); 1836 Log.i(TAG, "checked server"); 1837 } 1838 doStagefrightTest(final int rid, int timeout)1839 private void doStagefrightTest(final int rid, int timeout) throws Exception { 1840 doStagefrightTest(rid, null, timeout); 1841 } 1842 doStagefrightTest( final int rid, CrashUtils.Config config, int timeout)1843 private void doStagefrightTest( 1844 final int rid, CrashUtils.Config config, int timeout) throws Exception { 1845 runWithTimeout(new Runnable() { 1846 @Override 1847 public void run() { 1848 try { 1849 doStagefrightTest(rid, config); 1850 } catch (Exception e) { 1851 fail(e.toString()); 1852 } 1853 } 1854 }, timeout); 1855 } 1856 doStagefrightTestANR(final int rid)1857 private void doStagefrightTestANR(final int rid) throws Exception { 1858 doStagefrightTestANR(rid, null); 1859 } 1860 doStagefrightTestANR( final int rid, CrashUtils.Config config)1861 private void doStagefrightTestANR( 1862 final int rid, CrashUtils.Config config) throws Exception { 1863 doStagefrightTestMediaPlayerANR(rid, null, config); 1864 } 1865 getCrashReport(String testname, long timeout)1866 public JSONArray getCrashReport(String testname, long timeout) 1867 throws InterruptedException { 1868 Log.i(TAG, CrashUtils.UPLOAD_REQUEST); 1869 File reportFile = new File(CrashUtils.DEVICE_PATH, testname); 1870 File lockFile = new File(CrashUtils.DEVICE_PATH, CrashUtils.LOCK_FILENAME); 1871 while ((!reportFile.exists() || !lockFile.exists()) && timeout > 0) { 1872 Thread.sleep(CHECK_INTERVAL); 1873 timeout -= CHECK_INTERVAL; 1874 } 1875 1876 if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) { 1877 Log.e(TAG, "couldn't get the report or lock file"); 1878 return null; 1879 } 1880 try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) { 1881 StringBuilder json = new StringBuilder(); 1882 String line = reader.readLine(); 1883 while (line != null) { 1884 json.append(line); 1885 line = reader.readLine(); 1886 } 1887 return new JSONArray(json.toString()); 1888 } catch (IOException | JSONException e) { 1889 Log.e(TAG, "Failed to deserialize crash list with error " + e.getMessage()); 1890 return null; 1891 } 1892 } 1893 1894 class MediaPlayerCrashListener 1895 implements MediaPlayer.OnErrorListener, 1896 MediaPlayer.OnPreparedListener, 1897 MediaPlayer.OnCompletionListener { 1898 1899 CrashUtils.Config config; 1900 1901 private final Pattern[] validProcessPatterns = { 1902 Pattern.compile("adsprpcd"), 1903 Pattern.compile("android\\.hardware\\.cas@\\d+?\\.\\d+?-service"), 1904 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service"), 1905 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.clearkey"), 1906 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.widevine"), 1907 Pattern.compile("omx@\\d+?\\.\\d+?-service"), // name:omx@1.0-service 1908 Pattern.compile("android\\.process\\.media"), 1909 Pattern.compile("mediadrmserver"), 1910 Pattern.compile("mediaextractor"), 1911 Pattern.compile("media\\.extractor"), 1912 Pattern.compile("media\\.metrics"), 1913 Pattern.compile("mediaserver"), 1914 Pattern.compile("media\\.codec"), 1915 Pattern.compile("media\\.swcodec"), 1916 Pattern.compile("\\[?sdcard\\]?"), // name:/system/bin/sdcard, user:media_rw 1917 // Match any vendor processes. 1918 // It should only catch crashes that happen during the test. 1919 Pattern.compile("vendor.*"), 1920 }; 1921 MediaPlayerCrashListener()1922 MediaPlayerCrashListener() { 1923 this(null); 1924 } 1925 MediaPlayerCrashListener(CrashUtils.Config config)1926 MediaPlayerCrashListener(CrashUtils.Config config) { 1927 if (config == null) { 1928 config = new CrashUtils.Config(); 1929 } 1930 // if a different process is needed for a test, it should be added to the main list. 1931 config.setProcessPatterns(validProcessPatterns); 1932 this.config = config; 1933 } 1934 1935 @Override onError(MediaPlayer mp, int newWhat, int extra)1936 public boolean onError(MediaPlayer mp, int newWhat, int extra) { 1937 Log.i(TAG, "error: " + newWhat + "/" + extra); 1938 // don't overwrite a more severe error with a less severe one 1939 if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 1940 what = newWhat; 1941 } 1942 1943 lock.lock(); 1944 errored = true; 1945 condition.signal(); 1946 lock.unlock(); 1947 1948 return true; // don't call oncompletion 1949 } 1950 1951 @Override onPrepared(MediaPlayer mp)1952 public void onPrepared(MediaPlayer mp) { 1953 mp.start(); 1954 } 1955 1956 @Override onCompletion(MediaPlayer mp)1957 public void onCompletion(MediaPlayer mp) { 1958 // preserve error condition, if any 1959 lock.lock(); 1960 completed = true; 1961 condition.signal(); 1962 lock.unlock(); 1963 } 1964 waitForError()1965 public int waitForError() throws InterruptedException { 1966 lock.lock(); 1967 if (!errored && !completed) { 1968 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 1969 Log.d(TAG, "timed out on waiting for error. " + 1970 "errored: " + errored + ", completed: " + completed); 1971 } 1972 } 1973 lock.unlock(); 1974 if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 1975 // Sometimes mediaserver signals a decoding error first, and *then* crashes 1976 // due to additional in-flight buffers being processed, so wait a little 1977 // and see if more errors show up. 1978 Log.e(TAG, "couldn't get media crash yet, waiting 1 second"); 1979 SystemClock.sleep(1000); 1980 JSONArray crashes = getCrashReport(name.getMethodName(), 5000); 1981 if (crashes == null) { 1982 Log.e(TAG, "Crash results not found for test " + name.getMethodName()); 1983 return what; 1984 } else if (CrashUtils.securityCrashDetected(crashes, config)) { 1985 return what; 1986 } else { 1987 Log.i(TAG, "Crash ignored due to no security crash found for test " + 1988 name.getMethodName()); 1989 // 0 is the code for no error. 1990 return 0; 1991 } 1992 } 1993 Log.d(TAG, "waitForError finished with no errors."); 1994 return what; 1995 } 1996 waitForErrorOrCompletion()1997 public boolean waitForErrorOrCompletion() throws InterruptedException { 1998 lock.lock(); 1999 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 2000 Log.d(TAG, "timed out on waiting for error or completion"); 2001 } 2002 lock.unlock(); 2003 return (what != 0 && what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) || completed; 2004 } 2005 2006 ReentrantLock lock = new ReentrantLock(); 2007 Condition condition = lock.newCondition(); 2008 int what; 2009 boolean completed = false; 2010 boolean errored = false; 2011 } 2012 2013 class LooperThread extends Thread { 2014 private Looper mLooper; 2015 LooperThread(Runnable runner)2016 LooperThread(Runnable runner) { 2017 super(runner); 2018 } 2019 2020 @Override run()2021 public void run() { 2022 Looper.prepare(); 2023 mLooper = Looper.myLooper(); 2024 super.run(); 2025 } 2026 stopLooper()2027 public void stopLooper() { 2028 mLooper.quitSafely(); 2029 } 2030 } 2031 doStagefrightTestMediaPlayer(final int rid)2032 private void doStagefrightTestMediaPlayer(final int rid) throws Exception { 2033 doStagefrightTestMediaPlayer(rid, null, null); 2034 } 2035 doStagefrightTestMediaPlayer( final int rid, CrashUtils.Config config)2036 private void doStagefrightTestMediaPlayer( 2037 final int rid, CrashUtils.Config config) throws Exception { 2038 doStagefrightTestMediaPlayer(rid, null, config); 2039 } 2040 doStagefrightTestMediaPlayer(final String url)2041 private void doStagefrightTestMediaPlayer(final String url) throws Exception { 2042 doStagefrightTestMediaPlayer(url, null); 2043 } 2044 doStagefrightTestMediaPlayer( final String url, CrashUtils.Config config)2045 private void doStagefrightTestMediaPlayer( 2046 final String url, CrashUtils.Config config) throws Exception { 2047 doStagefrightTestMediaPlayer(-1, url, config); 2048 } 2049 closeQuietly(AutoCloseable closeable)2050 private void closeQuietly(AutoCloseable closeable) { 2051 if (closeable != null) { 2052 try { 2053 closeable.close(); 2054 } catch (RuntimeException rethrown) { 2055 throw rethrown; 2056 } catch (Exception ignored) { 2057 } 2058 } 2059 } 2060 doStagefrightTestMediaPlayer(final int rid, final String uri)2061 private void doStagefrightTestMediaPlayer(final int rid, final String uri) throws Exception { 2062 doStagefrightTestMediaPlayer(rid, uri, null); 2063 } 2064 doStagefrightTestMediaPlayer(final int rid, final String uri, CrashUtils.Config config)2065 private void doStagefrightTestMediaPlayer(final int rid, final String uri, 2066 CrashUtils.Config config) throws Exception { 2067 2068 String name = uri != null ? uri : 2069 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2070 Log.i(TAG, "start mediaplayer test for: " + name); 2071 2072 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2073 2074 LooperThread t = new LooperThread(new Runnable() { 2075 @Override 2076 public void run() { 2077 2078 MediaPlayer mp = new MediaPlayer(); 2079 mp.setOnErrorListener(mpcl); 2080 mp.setOnPreparedListener(mpcl); 2081 mp.setOnCompletionListener(mpcl); 2082 RenderTarget renderTarget = RenderTarget.create(); 2083 Surface surface = renderTarget.getSurface(); 2084 mp.setSurface(surface); 2085 AssetFileDescriptor fd = null; 2086 try { 2087 if (uri == null) { 2088 fd = getInstrumentation().getContext().getResources() 2089 .openRawResourceFd(rid); 2090 2091 mp.setDataSource(fd.getFileDescriptor(), 2092 fd.getStartOffset(), 2093 fd.getLength()); 2094 2095 } else { 2096 mp.setDataSource(uri); 2097 } 2098 mp.prepareAsync(); 2099 } catch (Exception e) { 2100 } finally { 2101 closeQuietly(fd); 2102 } 2103 2104 Looper.loop(); 2105 mp.release(); 2106 renderTarget.destroy(); 2107 } 2108 }); 2109 2110 t.start(); 2111 String cve = name.replace("_", "-").toUpperCase(); 2112 assertFalse("Device *IS* vulnerable to " + cve, 2113 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2114 t.stopLooper(); 2115 t.join(); // wait for thread to exit so we're sure the player was released 2116 } 2117 2118 /* 2119 * b/135207745 2120 */ 2121 @Test 2122 @SecurityTest(minPatchLevel = "2019-08") testStagefright_cve_2019_2129()2123 public void testStagefright_cve_2019_2129() throws Exception { 2124 final int rid = R.raw.cve_2019_2129; 2125 String name = getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2126 Log.i(TAG, "start mediaplayer test for: " + name); 2127 2128 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener() { 2129 @Override 2130 public void onPrepared(MediaPlayer mp) { 2131 super.onPrepared(mp); 2132 mp.setLooping(true); 2133 } 2134 }; 2135 2136 LooperThread t = new LooperThread(new Runnable() { 2137 @Override 2138 public void run() { 2139 MediaPlayer mp = new MediaPlayer(); 2140 mp.setOnErrorListener(mpcl); 2141 mp.setOnPreparedListener(mpcl); 2142 mp.setOnCompletionListener(mpcl); 2143 RenderTarget renderTarget = RenderTarget.create(); 2144 Surface surface = renderTarget.getSurface(); 2145 mp.setSurface(surface); 2146 AssetFileDescriptor fd = null; 2147 try { 2148 fd = getInstrumentation().getContext().getResources().openRawResourceFd(rid); 2149 mp.setOnTimedTextListener(new MediaPlayer.OnTimedTextListener() { 2150 @Override 2151 public void onTimedText(MediaPlayer p, TimedText text) { 2152 if (text != null) { 2153 Log.d(TAG, "text = " + text.getText()); 2154 } 2155 } 2156 }); 2157 mp.setDataSource(fd.getFileDescriptor(), 2158 fd.getStartOffset(), 2159 fd.getLength()); 2160 // keep the original as in poc by not using prepareAsync 2161 mp.prepare(); 2162 mp.selectTrack(2); 2163 } catch (Exception e) { 2164 Log.e(TAG, "Exception is caught " + e.getMessage()); 2165 e.printStackTrace(); 2166 } finally { 2167 closeQuietly(fd); 2168 } 2169 2170 try { 2171 // here to catch & swallow the runtime crash in exception 2172 // after the place where original poc failed in 2173 // java.lang.IllegalArgumentException: parseParcel() 2174 // which is beyond test control. 2175 Looper.loop(); 2176 } catch (RuntimeException e) { 2177 Log.e(TAG, "Exception is caught on Looper.loop() " + e.getMessage()); 2178 e.printStackTrace(); 2179 } 2180 mp.release(); 2181 renderTarget.destroy(); 2182 } 2183 }); 2184 2185 t.start(); 2186 String cve = name.replace("_", "-").toUpperCase(); 2187 assertFalse("Device *IS* vulnerable to " + cve, 2188 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2189 t.stopLooper(); 2190 t.join(); // wait for thread to exit so we're sure the player was released 2191 } 2192 doStagefrightTestMediaCodec(final int rid)2193 private void doStagefrightTestMediaCodec(final int rid) throws Exception { 2194 doStagefrightTestMediaCodec(rid, null, null); 2195 } 2196 doStagefrightTestMediaCodec( final int rid, CrashUtils.Config config)2197 private void doStagefrightTestMediaCodec( 2198 final int rid, CrashUtils.Config config) throws Exception { 2199 doStagefrightTestMediaCodec(rid, null, config); 2200 } 2201 doStagefrightTestMediaCodec(final String url)2202 private void doStagefrightTestMediaCodec(final String url) throws Exception { 2203 doStagefrightTestMediaCodec(url, null); 2204 } 2205 doStagefrightTestMediaCodec( final String url, CrashUtils.Config config)2206 private void doStagefrightTestMediaCodec( 2207 final String url, CrashUtils.Config config) throws Exception { 2208 doStagefrightTestMediaCodec(-1, url, config); 2209 } 2210 doStagefrightTestMediaCodec(final int rid, final String url)2211 private void doStagefrightTestMediaCodec(final int rid, final String url) throws Exception { 2212 doStagefrightTestMediaCodec(rid, url, null); 2213 } 2214 doStagefrightTestMediaCodec( final int rid, final String url, CrashUtils.Config config)2215 private void doStagefrightTestMediaCodec( 2216 final int rid, final String url, CrashUtils.Config config) throws Exception { 2217 2218 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2219 2220 LooperThread thr = new LooperThread(new Runnable() { 2221 @Override 2222 public void run() { 2223 2224 MediaPlayer mp = new MediaPlayer(); 2225 mp.setOnErrorListener(mpcl); 2226 try { 2227 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 2228 .openRawResourceFd(R.raw.good); 2229 2230 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2231 // setDataSource has been called 2232 mp.setDataSource(fd.getFileDescriptor(), 2233 fd.getStartOffset(), 2234 fd.getLength()); 2235 fd.close(); 2236 } catch (Exception e) { 2237 // this is a known-good file, so no failure should occur 2238 fail("setDataSource of known-good file failed"); 2239 } 2240 2241 synchronized(mpcl) { 2242 mpcl.notify(); 2243 } 2244 Looper.loop(); 2245 mp.release(); 2246 } 2247 }); 2248 thr.start(); 2249 // wait until the thread has initialized the MediaPlayer 2250 synchronized(mpcl) { 2251 mpcl.wait(); 2252 } 2253 2254 Resources resources = getInstrumentation().getContext().getResources(); 2255 MediaExtractor ex = new MediaExtractor(); 2256 if (url == null) { 2257 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2258 try { 2259 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2260 } catch (IOException e) { 2261 // ignore 2262 } finally { 2263 closeQuietly(fd); 2264 } 2265 } else { 2266 try { 2267 ex.setDataSource(url); 2268 } catch (Exception e) { 2269 // indicative of problems with our tame CTS test web server 2270 } 2271 } 2272 int numtracks = ex.getTrackCount(); 2273 String rname = url != null ? url: resources.getResourceEntryName(rid); 2274 Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks"); 2275 for (int t = 0; t < numtracks; t++) { 2276 // find all the available decoders for this format 2277 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2278 MediaFormat format = null; 2279 try { 2280 format = ex.getTrackFormat(t); 2281 } catch (IllegalArgumentException e) { 2282 Log.e(TAG, "could not get track format for track " + t); 2283 continue; 2284 } 2285 String mime = format.getString(MediaFormat.KEY_MIME); 2286 int numCodecs = MediaCodecList.getCodecCount(); 2287 for (int i = 0; i < numCodecs; i++) { 2288 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2289 if (info.isEncoder()) { 2290 continue; 2291 } 2292 try { 2293 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2294 if (caps != null) { 2295 matchingCodecs.add(info.getName()); 2296 Log.i(TAG, "Found matching codec " + info.getName() + " for track " + t); 2297 } 2298 } catch (IllegalArgumentException e) { 2299 // type is not supported 2300 } 2301 } 2302 2303 if (matchingCodecs.size() == 0) { 2304 Log.w(TAG, "no codecs for track " + t + ", type " + mime); 2305 } 2306 // decode this track once with each matching codec 2307 try { 2308 ex.selectTrack(t); 2309 } catch (IllegalArgumentException e) { 2310 Log.w(TAG, "couldn't select track " + t); 2311 // continue on with codec initialization anyway, since that might still crash 2312 } 2313 for (String codecName: matchingCodecs) { 2314 Log.i(TAG, "Decoding track " + t + " using codec " + codecName); 2315 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 2316 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2317 RenderTarget renderTarget = RenderTarget.create(); 2318 Surface surface = null; 2319 if (mime.startsWith("video/")) { 2320 surface = renderTarget.getSurface(); 2321 } 2322 try { 2323 codec.configure(format, surface, null, 0); 2324 codec.start(); 2325 } catch (Exception e) { 2326 Log.i(TAG, "Failed to start/configure:", e); 2327 } 2328 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2329 try { 2330 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2331 while (true) { 2332 int flags = ex.getSampleFlags(); 2333 long time = ex.getSampleTime(); 2334 ex.getCachedDuration(); 2335 int bufidx = codec.dequeueInputBuffer(5000); 2336 if (bufidx >= 0) { 2337 int n = ex.readSampleData(inputBuffers[bufidx], 0); 2338 if (n < 0) { 2339 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2340 time = 0; 2341 n = 0; 2342 } 2343 codec.queueInputBuffer(bufidx, 0, n, time, flags); 2344 ex.advance(); 2345 } 2346 int status = codec.dequeueOutputBuffer(info, 5000); 2347 if (status >= 0) { 2348 if ((info.flags & MediaCodec.BUFFER_FLAG_END_OF_STREAM) != 0) { 2349 break; 2350 } 2351 if (info.presentationTimeUs > TIMEOUT_NS / 1000) { 2352 Log.d(TAG, "stopping after 10 seconds worth of data"); 2353 break; 2354 } 2355 codec.releaseOutputBuffer(status, true); 2356 } 2357 } 2358 } catch (Exception e) { 2359 // local exceptions ignored, not security issues 2360 } finally { 2361 try { 2362 codec.stop(); 2363 } catch (Exception e) { 2364 // local exceptions ignored, not security issues 2365 } 2366 codec.release(); 2367 renderTarget.destroy(); 2368 } 2369 } 2370 try { 2371 ex.unselectTrack(t); 2372 } catch (IllegalArgumentException e) { 2373 // since we're just cleaning up, we don't care if it fails 2374 } 2375 } 2376 ex.release(); 2377 String cve = rname.replace("_", "-").toUpperCase(); 2378 assertFalse("Device *IS* vulnerable to " + cve, 2379 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2380 thr.stopLooper(); 2381 thr.join(); 2382 } 2383 doStagefrightTestMediaMetadataRetriever(final int rid)2384 private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception { 2385 doStagefrightTestMediaMetadataRetriever(rid, null, null); 2386 } doStagefrightTestMediaMetadataRetriever( final int rid, CrashUtils.Config config)2387 private void doStagefrightTestMediaMetadataRetriever( 2388 final int rid, CrashUtils.Config config) throws Exception { 2389 doStagefrightTestMediaMetadataRetriever(rid, null, config); 2390 } 2391 doStagefrightTestMediaMetadataRetriever(final String url)2392 private void doStagefrightTestMediaMetadataRetriever(final String url) throws Exception { 2393 doStagefrightTestMediaMetadataRetriever(url, null); 2394 } 2395 doStagefrightTestMediaMetadataRetriever( final String url, CrashUtils.Config config)2396 private void doStagefrightTestMediaMetadataRetriever( 2397 final String url, CrashUtils.Config config) throws Exception { 2398 doStagefrightTestMediaMetadataRetriever(-1, url, config); 2399 } 2400 doStagefrightTestMediaMetadataRetriever( final int rid, final String url)2401 private void doStagefrightTestMediaMetadataRetriever( 2402 final int rid, final String url) throws Exception { 2403 doStagefrightTestMediaMetadataRetriever(rid, url, null); 2404 } 2405 doStagefrightTestMediaMetadataRetriever( final int rid, final String url, CrashUtils.Config config)2406 private void doStagefrightTestMediaMetadataRetriever( 2407 final int rid, final String url, CrashUtils.Config config) throws Exception { 2408 2409 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2410 2411 LooperThread thr = new LooperThread(new Runnable() { 2412 @Override 2413 public void run() { 2414 2415 MediaPlayer mp = new MediaPlayer(); 2416 mp.setOnErrorListener(mpcl); 2417 AssetFileDescriptor fd = null; 2418 try { 2419 fd = getInstrumentation().getContext().getResources() 2420 .openRawResourceFd(R.raw.good); 2421 2422 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2423 // setDataSource has been called 2424 mp.setDataSource(fd.getFileDescriptor(), 2425 fd.getStartOffset(), 2426 fd.getLength()); 2427 fd.close(); 2428 } catch (Exception e) { 2429 // this is a known-good file, so no failure should occur 2430 fail("setDataSource of known-good file failed"); 2431 } 2432 2433 synchronized(mpcl) { 2434 mpcl.notify(); 2435 } 2436 Looper.loop(); 2437 mp.release(); 2438 } 2439 }); 2440 thr.start(); 2441 // wait until the thread has initialized the MediaPlayer 2442 synchronized(mpcl) { 2443 mpcl.wait(); 2444 } 2445 2446 Resources resources = getInstrumentation().getContext().getResources(); 2447 MediaMetadataRetriever retriever = new MediaMetadataRetriever(); 2448 if (url == null) { 2449 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2450 try { 2451 retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2452 } catch (Exception e) { 2453 // ignore 2454 } finally { 2455 closeQuietly(fd); 2456 } 2457 } else { 2458 try { 2459 retriever.setDataSource(url, new HashMap<String, String>()); 2460 } catch (Exception e) { 2461 // indicative of problems with our tame CTS test web server 2462 } 2463 } 2464 retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION); 2465 retriever.getEmbeddedPicture(); 2466 retriever.getFrameAtTime(); 2467 2468 retriever.release(); 2469 String rname = url != null ? url : resources.getResourceEntryName(rid); 2470 String cve = rname.replace("_", "-").toUpperCase(); 2471 assertFalse("Device *IS* vulnerable to " + cve, 2472 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2473 thr.stopLooper(); 2474 thr.join(); 2475 } 2476 2477 @Test 2478 @SecurityTest(minPatchLevel = "2017-07") testBug36215950()2479 public void testBug36215950() throws Exception { 2480 doStagefrightTestRawBlob(R.raw.bug_36215950, "video/hevc", 320, 240); 2481 } 2482 2483 @Test 2484 @SecurityTest(minPatchLevel = "2017-08") testBug36816007()2485 public void testBug36816007() throws Exception { 2486 doStagefrightTestRawBlob(R.raw.bug_36816007, "video/avc", 320, 240, 2487 new CrashUtils.Config().checkMinAddress(false)); 2488 } 2489 2490 @Test 2491 @SecurityTest(minPatchLevel = "2017-05") testBug36895511()2492 public void testBug36895511() throws Exception { 2493 doStagefrightTestRawBlob(R.raw.bug_36895511, "video/hevc", 320, 240, 2494 new CrashUtils.Config().checkMinAddress(false)); 2495 } 2496 2497 @Test 2498 @SecurityTest(minPatchLevel = "2017-11") testBug64836894()2499 public void testBug64836894() throws Exception { 2500 doStagefrightTestRawBlob(R.raw.bug_64836894, "video/avc", 320, 240); 2501 } 2502 2503 @Test 2504 @SecurityTest(minPatchLevel = "2017-08") testCve_2017_0687()2505 public void testCve_2017_0687() throws Exception { 2506 doStagefrightTestRawBlob(R.raw.cve_2017_0687, "video/avc", 320, 240); 2507 } 2508 2509 @Test 2510 @SecurityTest(minPatchLevel = "2017-07") testCve_2017_0696()2511 public void testCve_2017_0696() throws Exception { 2512 doStagefrightTestRawBlob(R.raw.cve_2017_0696, "video/avc", 320, 240); 2513 } 2514 2515 @Test 2516 @SecurityTest(minPatchLevel = "2018-01") testBug_37930177()2517 public void testBug_37930177() throws Exception { 2518 doStagefrightTestRawBlob(R.raw.bug_37930177_hevc, "video/hevc", 320, 240); 2519 } 2520 2521 @Test 2522 @SecurityTest(minPatchLevel = "2017-08") testBug_37712181()2523 public void testBug_37712181() throws Exception { 2524 doStagefrightTestRawBlob(R.raw.bug_37712181_hevc, "video/hevc", 320, 240); 2525 } 2526 2527 @Test 2528 @SecurityTest(minPatchLevel = "2018-04") testBug_70897394()2529 public void testBug_70897394() throws Exception { 2530 doStagefrightTestRawBlob(R.raw.bug_70897394_avc, "video/avc", 320, 240, 2531 new CrashUtils.Config().checkMinAddress(false)); 2532 } 2533 2534 @Test 2535 @SecurityTest(minPatchLevel = "Unknown") testBug_123700383()2536 public void testBug_123700383() throws Exception { 2537 assertExtractorDoesNotHang(R.raw.bug_123700383); 2538 } 2539 2540 @Test 2541 @SecurityTest(minPatchLevel = "Unknown") testBug_127310810()2542 public void testBug_127310810() throws Exception { 2543 assertExtractorDoesNotHang(R.raw.bug_127310810); 2544 } 2545 2546 @Test 2547 @SecurityTest(minPatchLevel = "Unknown") testBug_127312550()2548 public void testBug_127312550() throws Exception { 2549 assertExtractorDoesNotHang(R.raw.bug_127312550); 2550 } 2551 2552 @Test 2553 @SecurityTest(minPatchLevel = "Unknown") testBug_127313223()2554 public void testBug_127313223() throws Exception { 2555 assertExtractorDoesNotHang(R.raw.bug_127313223); 2556 } 2557 2558 @Test 2559 @SecurityTest(minPatchLevel = "Unknown") testBug_127313537()2560 public void testBug_127313537() throws Exception { 2561 assertExtractorDoesNotHang(R.raw.bug_127313537); 2562 } 2563 2564 @Test 2565 @SecurityTest(minPatchLevel = "Unknown") testBug_127313764()2566 public void testBug_127313764() throws Exception { 2567 assertExtractorDoesNotHang(R.raw.bug_127313764); 2568 } 2569 getFrameSizes(int rid)2570 private int[] getFrameSizes(int rid) throws IOException { 2571 final Context context = getInstrumentation().getContext(); 2572 final Resources resources = context.getResources(); 2573 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2574 FileInputStream fis = fd.createInputStream(); 2575 byte[] frameInfo = new byte[(int) fd.getLength()]; 2576 fis.read(frameInfo); 2577 fis.close(); 2578 String[] valueStr = new String(frameInfo).trim().split("\\s+"); 2579 int[] frameSizes = new int[valueStr.length]; 2580 for (int i = 0; i < valueStr.length; i++) 2581 frameSizes[i] = Integer.parseInt(valueStr[i]); 2582 return frameSizes; 2583 } 2584 getFrameInfo(int rid)2585 private Object[] getFrameInfo(int rid) throws IOException { 2586 final Context context = getInstrumentation().getContext(); 2587 final Resources resources = context.getResources(); 2588 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2589 FileInputStream fis = fd.createInputStream(); 2590 byte[] frameInfo = new byte[(int) fd.getLength()]; 2591 fis.read(frameInfo); 2592 fis.close(); 2593 String[] lines = new String(frameInfo).trim().split("\\r?\\n"); 2594 int isHeader[] = new int[lines.length]; 2595 int frameSizes[] = new int[lines.length]; 2596 for (int i = 0; i < lines.length; i++) { 2597 String[] values = lines[i].trim().split("\\s+"); 2598 isHeader[i] = Integer.parseInt(values[0]); 2599 frameSizes[i] = Integer.parseInt(values[1]); 2600 } 2601 return new Object[] {isHeader, frameSizes}; 2602 } 2603 runWithTimeout(Runnable runner, int timeout)2604 private void runWithTimeout(Runnable runner, int timeout) { 2605 Thread t = new Thread(runner); 2606 t.start(); 2607 try { 2608 t.join(timeout); 2609 } catch (InterruptedException e) { 2610 fail("operation was interrupted"); 2611 } 2612 if (t.isAlive()) { 2613 fail("operation not completed within timeout of " + timeout + "ms"); 2614 } 2615 } 2616 releaseCodec(final MediaCodec codec)2617 private void releaseCodec(final MediaCodec codec) { 2618 runWithTimeout(new Runnable() { 2619 @Override 2620 public void run() { 2621 codec.release(); 2622 } 2623 }, 5000); 2624 } 2625 doStagefrightTestRawBlob( int rid, String mime, int initWidth, int initHeight)2626 private void doStagefrightTestRawBlob( 2627 int rid, String mime, int initWidth, int initHeight) throws Exception { 2628 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, new CrashUtils.Config()); 2629 } 2630 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, CrashUtils.Config config)2631 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2632 CrashUtils.Config config) throws Exception { 2633 2634 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2635 final Context context = getInstrumentation().getContext(); 2636 final Resources resources = context.getResources(); 2637 2638 LooperThread thr = new LooperThread(new Runnable() { 2639 @Override 2640 public void run() { 2641 2642 MediaPlayer mp = new MediaPlayer(); 2643 mp.setOnErrorListener(mpcl); 2644 AssetFileDescriptor fd = null; 2645 try { 2646 fd = resources.openRawResourceFd(R.raw.good); 2647 2648 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2649 // setDataSource has been called 2650 mp.setDataSource(fd.getFileDescriptor(), 2651 fd.getStartOffset(), 2652 fd.getLength()); 2653 fd.close(); 2654 } catch (Exception e) { 2655 // this is a known-good file, so no failure should occur 2656 fail("setDataSource of known-good file failed"); 2657 } 2658 2659 synchronized(mpcl) { 2660 mpcl.notify(); 2661 } 2662 Looper.loop(); 2663 mp.release(); 2664 } 2665 }); 2666 thr.start(); 2667 // wait until the thread has initialized the MediaPlayer 2668 synchronized(mpcl) { 2669 mpcl.wait(); 2670 } 2671 2672 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2673 byte [] blob = new byte[(int)fd.getLength()]; 2674 FileInputStream fis = fd.createInputStream(); 2675 int numRead = fis.read(blob); 2676 fis.close(); 2677 //Log.i("@@@@", "read " + numRead + " bytes"); 2678 2679 // find all the available decoders for this format 2680 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2681 int numCodecs = MediaCodecList.getCodecCount(); 2682 for (int i = 0; i < numCodecs; i++) { 2683 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2684 if (info.isEncoder()) { 2685 continue; 2686 } 2687 try { 2688 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2689 if (caps != null) { 2690 matchingCodecs.add(info.getName()); 2691 } 2692 } catch (IllegalArgumentException e) { 2693 // type is not supported 2694 } 2695 } 2696 2697 if (matchingCodecs.size() == 0) { 2698 Log.w(TAG, "no codecs for mime type " + mime); 2699 } 2700 String rname = resources.getResourceEntryName(rid); 2701 // decode this blob once with each matching codec 2702 for (String codecName: matchingCodecs) { 2703 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2704 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2705 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 2706 codec.configure(format, null, null, 0); 2707 codec.start(); 2708 2709 try { 2710 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2711 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2712 // enqueue the bad data a number of times, in case 2713 // the codec needs multiple buffers to fail. 2714 for(int i = 0; i < 64; i++) { 2715 int bufidx = codec.dequeueInputBuffer(5000); 2716 if (bufidx >= 0) { 2717 Log.i(TAG, "got input buffer of size " + inputBuffers[bufidx].capacity()); 2718 inputBuffers[bufidx].rewind(); 2719 inputBuffers[bufidx].put(blob, 0, numRead); 2720 codec.queueInputBuffer(bufidx, 0, numRead, 0, 0); 2721 } else { 2722 Log.i(TAG, "no input buffer"); 2723 } 2724 bufidx = codec.dequeueOutputBuffer(info, 5000); 2725 if (bufidx >= 0) { 2726 Log.i(TAG, "got output buffer"); 2727 codec.releaseOutputBuffer(bufidx, false); 2728 } else { 2729 Log.i(TAG, "no output buffer"); 2730 } 2731 } 2732 } catch (Exception e) { 2733 // ignore, not a security issue 2734 } finally { 2735 releaseCodec(codec); 2736 } 2737 } 2738 2739 String cve = rname.replace("_", "-").toUpperCase(); 2740 assertFalse("Device *IS* vulnerable to " + cve, 2741 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2742 thr.stopLooper(); 2743 thr.join(); 2744 } 2745 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[])2746 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2747 int frameSizes[]) throws Exception { 2748 // check crash address by default 2749 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, frameSizes, new CrashUtils.Config()); 2750 } 2751 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], CrashUtils.Config config)2752 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2753 int frameSizes[], CrashUtils.Config config) throws Exception { 2754 2755 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2756 final Context context = getInstrumentation().getContext(); 2757 final Resources resources = context.getResources(); 2758 2759 LooperThread thr = new LooperThread(new Runnable() { 2760 @Override 2761 public void run() { 2762 2763 MediaPlayer mp = new MediaPlayer(); 2764 mp.setOnErrorListener(mpcl); 2765 AssetFileDescriptor fd = null; 2766 try { 2767 fd = resources.openRawResourceFd(R.raw.good); 2768 2769 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2770 // setDataSource has been called 2771 mp.setDataSource(fd.getFileDescriptor(), 2772 fd.getStartOffset(), 2773 fd.getLength()); 2774 fd.close(); 2775 } catch (Exception e) { 2776 // this is a known-good file, so no failure should occur 2777 fail("setDataSource of known-good file failed"); 2778 } 2779 2780 synchronized(mpcl) { 2781 mpcl.notify(); 2782 } 2783 Looper.loop(); 2784 mp.release(); 2785 } 2786 }); 2787 thr.start(); 2788 // wait until the thread has initialized the MediaPlayer 2789 synchronized(mpcl) { 2790 mpcl.wait(); 2791 } 2792 2793 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2794 byte [] blob = new byte[(int)fd.getLength()]; 2795 FileInputStream fis = fd.createInputStream(); 2796 int numRead = fis.read(blob); 2797 fis.close(); 2798 2799 // find all the available decoders for this format 2800 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2801 int numCodecs = MediaCodecList.getCodecCount(); 2802 for (int i = 0; i < numCodecs; i++) { 2803 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2804 if (info.isEncoder()) { 2805 continue; 2806 } 2807 try { 2808 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2809 if (caps != null) { 2810 matchingCodecs.add(info.getName()); 2811 } 2812 } catch (IllegalArgumentException e) { 2813 // type is not supported 2814 } 2815 } 2816 2817 if (matchingCodecs.size() == 0) { 2818 Log.w(TAG, "no codecs for mime type " + mime); 2819 } 2820 String rname = resources.getResourceEntryName(rid); 2821 // decode this blob once with each matching codec 2822 for (String codecName: matchingCodecs) { 2823 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2824 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2825 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 2826 try { 2827 codec.configure(format, null, null, 0); 2828 codec.start(); 2829 } catch (Exception e) { 2830 Log.i(TAG, "Exception from codec " + codecName); 2831 releaseCodec(codec); 2832 continue; 2833 } 2834 2835 try { 2836 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2837 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2838 int numFrames = 0; 2839 if (frameSizes != null) { 2840 numFrames = frameSizes.length; 2841 } 2842 2843 if (0 == numFrames) { 2844 fail("Improper picture length file"); 2845 } 2846 2847 int offset = 0; 2848 int bytesToFeed = 0; 2849 int flags = 0; 2850 byte [] tempBlob = new byte[(int)inputBuffers[0].capacity()]; 2851 for (int j = 0; j < numFrames; j++) { 2852 int bufidx = codec.dequeueInputBuffer(5000); 2853 if (bufidx >= 0) { 2854 inputBuffers[bufidx].rewind(); 2855 bytesToFeed = Math.min((int)(fd.getLength() - offset), 2856 inputBuffers[bufidx].capacity()); 2857 if(j == (numFrames - 1)) { 2858 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2859 } 2860 System.arraycopy(blob, offset, tempBlob, 0, bytesToFeed); 2861 inputBuffers[bufidx].put(tempBlob, 0, inputBuffers[bufidx].capacity()); 2862 codec.queueInputBuffer(bufidx, 0, bytesToFeed, 0, flags); 2863 offset = offset + frameSizes[j]; 2864 } else { 2865 Log.i(TAG, "no input buffer"); 2866 } 2867 bufidx = codec.dequeueOutputBuffer(info, 5000); 2868 if (bufidx >= 0) { 2869 codec.releaseOutputBuffer(bufidx, false); 2870 } else { 2871 Log.i(TAG, "no output buffer"); 2872 } 2873 } 2874 } catch (Exception e) { 2875 // ignore, not a security issue 2876 } finally { 2877 releaseCodec(codec); 2878 } 2879 } 2880 2881 String cve = rname.replace("_", "-").toUpperCase(); 2882 assertFalse("Device *IS* vulnerable to " + cve, 2883 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2884 thr.stopLooper(); 2885 thr.join(); 2886 } 2887 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], int isHeader[], CrashUtils.Config config)2888 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2889 int frameSizes[], int isHeader[], CrashUtils.Config config) throws Exception { 2890 2891 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2892 final Context context = getInstrumentation().getContext(); 2893 final Resources resources = context.getResources(); 2894 LooperThread thr = new LooperThread(new Runnable() { 2895 @Override 2896 public void run() { 2897 MediaPlayer mp = new MediaPlayer(); 2898 mp.setOnErrorListener(mpcl); 2899 AssetFileDescriptor fd = null; 2900 try { 2901 fd = resources.openRawResourceFd(R.raw.good); 2902 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2903 // setDataSource has been called 2904 mp.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2905 fd.close(); 2906 } catch (Exception e) { 2907 // this is a known-good file, so no failure should occur 2908 fail("setDataSource of known-good file failed"); 2909 } 2910 synchronized (mpcl) { 2911 mpcl.notify(); 2912 } 2913 Looper.loop(); 2914 mp.release(); 2915 } 2916 }); 2917 thr.start(); 2918 // wait until the thread has initialized the MediaPlayer 2919 synchronized (mpcl) { 2920 mpcl.wait(); 2921 } 2922 2923 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2924 byte[] blob = new byte[(int) fd.getLength()]; 2925 FileInputStream fis = fd.createInputStream(); 2926 int numRead = fis.read(blob); 2927 fis.close(); 2928 2929 // find all the available decoders for this format 2930 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2931 int numCodecs = MediaCodecList.getCodecCount(); 2932 for (int i = 0; i < numCodecs; i++) { 2933 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2934 if (info.isEncoder()) { 2935 continue; 2936 } 2937 try { 2938 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2939 if (caps != null) { 2940 matchingCodecs.add(info.getName()); 2941 } 2942 } catch (IllegalArgumentException e) { 2943 // type is not supported 2944 } 2945 } 2946 2947 if (matchingCodecs.size() == 0) { 2948 Log.w(TAG, "no codecs for mime type " + mime); 2949 } 2950 String rname = resources.getResourceEntryName(rid); 2951 // decode this blob once with each matching codec 2952 for (String codecName : matchingCodecs) { 2953 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2954 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2955 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 2956 try { 2957 codec.configure(format, null, null, 0); 2958 codec.start(); 2959 } catch (Exception e) { 2960 Log.i(TAG, "Exception from codec " + codecName); 2961 releaseCodec(codec); 2962 continue; 2963 } 2964 try { 2965 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2966 ByteBuffer[] inputBuffers = codec.getInputBuffers(); 2967 int numFrames = 0; 2968 if (frameSizes != null) { 2969 numFrames = frameSizes.length; 2970 } 2971 if (0 == numFrames) { 2972 fail("Improper picture length file"); 2973 } 2974 int offset = 0; 2975 int j = 0; 2976 while (j < numFrames) { 2977 int flags = 0; 2978 int bufidx = codec.dequeueInputBuffer(5000); 2979 if (bufidx >= 0) { 2980 inputBuffers[bufidx].rewind(); 2981 Log.i(TAG, "Got buffer index " + bufidx + " with length " 2982 + inputBuffers[bufidx].capacity()); 2983 if (isHeader[j] == 1) { 2984 flags = MediaCodec.BUFFER_FLAG_CODEC_CONFIG; 2985 } 2986 if (j == (numFrames - 1)) { 2987 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2988 } 2989 Log.i(TAG, "Feeding frame " + j + " with framelen " + frameSizes[j] 2990 + " offset " + offset + " and flags " + flags); 2991 inputBuffers[bufidx].put(blob, offset, frameSizes[j]); 2992 codec.queueInputBuffer(bufidx, 0, frameSizes[j], 0, flags); 2993 offset = offset + frameSizes[j]; 2994 j++; 2995 } else { 2996 Log.i(TAG, "no input buffer"); 2997 } 2998 bufidx = codec.dequeueOutputBuffer(info, 5000); 2999 if (bufidx >= 0) { 3000 codec.releaseOutputBuffer(bufidx, false); 3001 } else { 3002 Log.i(TAG, "no output buffer"); 3003 } 3004 } 3005 } catch (Exception e) { 3006 // ignore, not a security issue 3007 } finally { 3008 releaseCodec(codec); 3009 } 3010 } 3011 String cve = rname.replace("_", "-").toUpperCase(); 3012 assertFalse("Device *IS* vulnerable to " + cve, 3013 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 3014 thr.stopLooper(); 3015 thr.join(); 3016 } 3017 doStagefrightTestMediaPlayerANR(final int rid, final String uri)3018 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri) throws Exception { 3019 doStagefrightTestMediaPlayerANR(rid, uri, null); 3020 } 3021 doStagefrightTestMediaPlayerANR(final int rid, final String uri, CrashUtils.Config config)3022 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri, 3023 CrashUtils.Config config) throws Exception { 3024 String name = uri != null ? uri : 3025 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 3026 Log.i(TAG, "start mediaplayerANR test for: " + name); 3027 3028 final MediaPlayerCrashListener mpl = new MediaPlayerCrashListener(config); 3029 3030 LooperThread t = new LooperThread(new Runnable() { 3031 @Override 3032 public void run() { 3033 MediaPlayer mp = new MediaPlayer(); 3034 mp.setOnErrorListener(mpl); 3035 mp.setOnPreparedListener(mpl); 3036 mp.setOnCompletionListener(mpl); 3037 RenderTarget renderTarget = RenderTarget.create(); 3038 Surface surface = renderTarget.getSurface(); 3039 mp.setSurface(surface); 3040 AssetFileDescriptor fd = null; 3041 try { 3042 if (uri == null) { 3043 fd = getInstrumentation().getContext().getResources() 3044 .openRawResourceFd(rid); 3045 3046 mp.setDataSource(fd.getFileDescriptor(), 3047 fd.getStartOffset(), 3048 fd.getLength()); 3049 } else { 3050 mp.setDataSource(uri); 3051 } 3052 mp.prepareAsync(); 3053 } catch (Exception e) { 3054 } finally { 3055 closeQuietly(fd); 3056 } 3057 3058 Looper.loop(); 3059 mp.release(); 3060 renderTarget.destroy(); 3061 } 3062 }); 3063 3064 t.start(); 3065 String cve = name.replace("_", "-").toUpperCase(); 3066 assertTrue("Device *IS* vulnerable to " + cve, mpl.waitForErrorOrCompletion()); 3067 t.stopLooper(); 3068 t.join(); // wait for thread to exit so we're sure the player was released 3069 } 3070 doStagefrightTestExtractorSeek(final int rid, final long offset)3071 private void doStagefrightTestExtractorSeek(final int rid, final long offset) throws Exception { 3072 doStagefrightTestExtractorSeek(rid, offset, new CrashUtils.Config()); // check crash address by default 3073 } 3074 doStagefrightTestExtractorSeek(final int rid, final long offset, CrashUtils.Config config)3075 private void doStagefrightTestExtractorSeek(final int rid, final long offset, 3076 CrashUtils.Config config) throws Exception { 3077 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 3078 LooperThread thr = new LooperThread(new Runnable() { 3079 @Override 3080 public void run() { 3081 MediaPlayer mp = new MediaPlayer(); 3082 mp.setOnErrorListener(mpcl); 3083 try { 3084 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 3085 .openRawResourceFd(R.raw.good); 3086 mp.setDataSource(fd.getFileDescriptor(), 3087 fd.getStartOffset(), 3088 fd.getLength()); 3089 fd.close(); 3090 } catch (Exception e) { 3091 fail("setDataSource of known-good file failed"); 3092 } 3093 synchronized(mpcl) { 3094 mpcl.notify(); 3095 } 3096 Looper.loop(); 3097 mp.release(); 3098 } 3099 }); 3100 thr.start(); 3101 synchronized(mpcl) { 3102 mpcl.wait(); 3103 } 3104 Resources resources = getInstrumentation().getContext().getResources(); 3105 MediaExtractor ex = new MediaExtractor(); 3106 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 3107 try { 3108 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3109 } catch (IOException e) { 3110 } finally { 3111 closeQuietly(fd); 3112 } 3113 int numtracks = ex.getTrackCount(); 3114 String rname = resources.getResourceEntryName(rid); 3115 Log.i(TAG, "start mediaextractor test for: " + rname + ", which has " + numtracks + " tracks"); 3116 for (int t = 0; t < numtracks; t++) { 3117 try { 3118 ex.selectTrack(t); 3119 } catch (IllegalArgumentException e) { 3120 Log.w(TAG, "couldn't select track " + t); 3121 } 3122 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 3123 ex.advance(); 3124 ex.seekTo(offset, MediaExtractor.SEEK_TO_NEXT_SYNC); 3125 try 3126 { 3127 ex.unselectTrack(t); 3128 } 3129 catch (Exception e) { 3130 } 3131 } 3132 ex.release(); 3133 String cve = rname.replace("_", "-").toUpperCase(); 3134 assertFalse("Device *IS* vulnerable to " + cve, 3135 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 3136 thr.stopLooper(); 3137 thr.join(); 3138 } 3139 assertExtractorDoesNotHang(int rid)3140 protected void assertExtractorDoesNotHang(int rid) throws Exception { 3141 // The media extractor has a watchdog, currently set to 10 seconds. 3142 final long timeoutMs = 12 * 1000; 3143 3144 Thread thread = new Thread(() -> { 3145 MediaExtractor ex = new MediaExtractor(); 3146 AssetFileDescriptor fd = 3147 getInstrumentation().getContext().getResources().openRawResourceFd(rid); 3148 try { 3149 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 3150 } catch (IOException e) { 3151 // It is OK for the call to fail, we're only making sure it doesn't hang. 3152 } finally { 3153 closeQuietly(fd); 3154 ex.release(); 3155 } 3156 }); 3157 thread.start(); 3158 3159 thread.join(timeoutMs); 3160 boolean hung = thread.isAlive(); 3161 if (hung) { 3162 // We don't have much to do at this point. Attempt to un-hang the thread, the media 3163 // extractor process is likely still spinning. At least we found a bug... 3164 // TODO: reboot the media extractor process. 3165 thread.interrupt(); 3166 } 3167 3168 assertFalse(hung); 3169 } 3170 getInstrumentation()3171 private Instrumentation getInstrumentation() { 3172 return mInstrumentation; 3173 } 3174 } 3175