1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 * 16 * 17 * This code was provided to AOSP by Zimperium Inc and was 18 * written by: 19 * 20 * Simone "evilsocket" Margaritelli 21 * Joshua "jduck" Drake 22 */ 23 package android.security.cts; 24 25 import android.app.Instrumentation; 26 import android.content.Context; 27 import android.content.res.AssetFileDescriptor; 28 import android.content.res.Resources; 29 import android.graphics.Bitmap; 30 import android.graphics.BitmapFactory; 31 import android.graphics.SurfaceTexture; 32 import android.media.MediaCodec; 33 import android.media.MediaCodecInfo; 34 import android.media.MediaCodecList; 35 import android.media.MediaExtractor; 36 import android.media.MediaFormat; 37 import android.media.MediaMetadataRetriever; 38 import android.media.MediaPlayer; 39 import android.opengl.GLES20; 40 import android.opengl.GLES11Ext; 41 import android.os.Looper; 42 import android.os.SystemClock; 43 import android.platform.test.annotations.SecurityTest; 44 import android.util.Log; 45 import android.view.Surface; 46 import android.webkit.cts.CtsTestServer; 47 48 import com.android.compatibility.common.util.CrashUtils; 49 50 import java.io.BufferedInputStream; 51 import java.io.BufferedReader; 52 import java.io.FileInputStream; 53 import java.io.FileReader; 54 import java.io.IOException; 55 import java.io.InputStream; 56 import java.net.URL; 57 import java.nio.ByteBuffer; 58 import java.io.FileOutputStream; 59 import java.io.ObjectInputStream; 60 import java.io.OutputStream; 61 import java.io.InputStream; 62 import java.net.BindException; 63 import java.net.Socket; 64 import java.net.ServerSocket; 65 import java.io.File; 66 import java.util.ArrayList; 67 import java.util.HashMap; 68 import java.util.concurrent.locks.Condition; 69 import java.util.concurrent.locks.ReentrantLock; 70 import java.util.regex.Pattern; 71 72 import org.json.JSONArray; 73 import org.json.JSONException; 74 import org.json.JSONObject; 75 76 import android.security.cts.R; 77 78 import android.security.NetworkSecurityPolicy; 79 import android.media.TimedText; 80 81 import androidx.test.InstrumentationRegistry; 82 import androidx.test.runner.AndroidJUnit4; 83 84 import org.junit.Rule; 85 import org.junit.rules.TestName; 86 import org.junit.Before; 87 import org.junit.Test; 88 import org.junit.runner.RunWith; 89 90 import static org.junit.Assume.*; 91 import static org.junit.Assert.*; 92 93 /** 94 * Verify that the device is not vulnerable to any known Stagefright 95 * vulnerabilities. 96 */ 97 @RunWith(AndroidJUnit4.class) 98 public class StagefrightTest { 99 static final String TAG = "StagefrightTest"; 100 private Instrumentation mInstrumentation; 101 102 private final long TIMEOUT_NS = 10000000000L; // 10 seconds. 103 private final static long CHECK_INTERVAL = 50; 104 105 @Rule public TestName name = new TestName(); 106 107 @Before setup()108 public void setup() { 109 mInstrumentation = InstrumentationRegistry.getInstrumentation(); 110 } 111 112 /*********************************************************** 113 to prevent merge conflicts, add K tests below this comment, 114 before any existing test methods 115 ***********************************************************/ 116 117 @Test 118 @SecurityTest(minPatchLevel = "2019-04") testStagefright_cve_2019_2244()119 public void testStagefright_cve_2019_2244() throws Exception { 120 doStagefrightTestRawBlob(R.raw.cve_2019_2244, "video/mpeg2", 320, 420); 121 } 122 123 @Test 124 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_36725407()125 public void testStagefright_bug_36725407() throws Exception { 126 doStagefrightTest(R.raw.bug_36725407); 127 } 128 129 @Test 130 @SecurityTest(minPatchLevel = "2016-08") testStagefright_cve_2016_3829()131 public void testStagefright_cve_2016_3829() throws Exception { 132 doStagefrightTest(R.raw.cve_2016_3829, new CrashUtils.Config().checkMinAddress(false)); 133 } 134 135 @Test 136 @SecurityTest(minPatchLevel = "2017-06") testStagefright_cve_2017_0643()137 public void testStagefright_cve_2017_0643() throws Exception { 138 doStagefrightTest(R.raw.cve_2017_0643, new CrashUtils.Config().checkMinAddress(false)); 139 } 140 141 @Test 142 @SecurityTest(minPatchLevel = "2017-08") testStagefright_cve_2017_0728()143 public void testStagefright_cve_2017_0728() throws Exception { 144 doStagefrightTest(R.raw.cve_2017_0728, new CrashUtils.Config().checkMinAddress(false)); 145 } 146 147 @Test 148 @SecurityTest(minPatchLevel = "2017-10") testStagefright_bug_62187433()149 public void testStagefright_bug_62187433() throws Exception { 150 doStagefrightTest(R.raw.bug_62187433); 151 } 152 153 @Test 154 @SecurityTest(minPatchLevel = "2017-09") testStagefrightANR_bug_62673844()155 public void testStagefrightANR_bug_62673844() throws Exception { 156 doStagefrightTestANR(R.raw.bug_62673844); 157 } 158 159 @Test 160 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_37079296()161 public void testStagefright_bug_37079296() throws Exception { 162 doStagefrightTest(R.raw.bug_37079296); 163 } 164 165 @Test 166 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_38342499()167 public void testStagefright_bug_38342499() throws Exception { 168 doStagefrightTest(R.raw.bug_38342499); 169 } 170 171 @Test 172 @SecurityTest(minPatchLevel = "2015-10") testStagefright_bug_22771132()173 public void testStagefright_bug_22771132() throws Exception { 174 doStagefrightTest(R.raw.bug_22771132); 175 } 176 177 @Test 178 @SecurityTest(minPatchLevel = "2015-10") testStagefright_bug_21443020()179 public void testStagefright_bug_21443020() throws Exception { 180 doStagefrightTest(R.raw.bug_21443020_webm); 181 } 182 183 @Test 184 @SecurityTest(minPatchLevel = "2018-03") testStagefright_bug_34360591()185 public void testStagefright_bug_34360591() throws Exception { 186 doStagefrightTest(R.raw.bug_34360591); 187 } 188 189 @Test 190 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_35763994()191 public void testStagefright_bug_35763994() throws Exception { 192 doStagefrightTest(R.raw.bug_35763994, new CrashUtils.Config().checkMinAddress(false)); 193 } 194 195 @Test 196 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_33137046()197 public void testStagefright_bug_33137046() throws Exception { 198 doStagefrightTest(R.raw.bug_33137046); 199 } 200 201 @Test 202 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2016_2507()203 public void testStagefright_cve_2016_2507() throws Exception { 204 doStagefrightTest(R.raw.cve_2016_2507, new CrashUtils.Config().checkMinAddress(false)); 205 } 206 207 @Test 208 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_31647370()209 public void testStagefright_bug_31647370() throws Exception { 210 doStagefrightTest(R.raw.bug_31647370); 211 } 212 213 @Test 214 @SecurityTest(minPatchLevel = "2017-01") testStagefright_bug_32577290()215 public void testStagefright_bug_32577290() throws Exception { 216 doStagefrightTest(R.raw.bug_32577290); 217 } 218 219 @Test 220 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1538_1()221 public void testStagefright_cve_2015_1538_1() throws Exception { 222 doStagefrightTest(R.raw.cve_2015_1538_1); 223 } 224 225 @Test 226 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1538_2()227 public void testStagefright_cve_2015_1538_2() throws Exception { 228 doStagefrightTest(R.raw.cve_2015_1538_2); 229 } 230 231 @Test 232 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1538_3()233 public void testStagefright_cve_2015_1538_3() throws Exception { 234 doStagefrightTest(R.raw.cve_2015_1538_3); 235 } 236 237 @Test 238 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1538_4()239 public void testStagefright_cve_2015_1538_4() throws Exception { 240 doStagefrightTest(R.raw.cve_2015_1538_4); 241 } 242 243 @Test 244 @SecurityTest(minPatchLevel = "2017-07") testStagefright_cve_2015_1539()245 public void testStagefright_cve_2015_1539() throws Exception { 246 doStagefrightTest(R.raw.cve_2015_1539); 247 } 248 249 @Test 250 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3824()251 public void testStagefright_cve_2015_3824() throws Exception { 252 doStagefrightTest(R.raw.cve_2015_3824); 253 } 254 255 @Test 256 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3826()257 public void testStagefright_cve_2015_3826() throws Exception { 258 doStagefrightTest(R.raw.cve_2015_3826); 259 } 260 261 @Test 262 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3827()263 public void testStagefright_cve_2015_3827() throws Exception { 264 doStagefrightTest(R.raw.cve_2015_3827); 265 } 266 267 @Test 268 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3828()269 public void testStagefright_cve_2015_3828() throws Exception { 270 doStagefrightTest(R.raw.cve_2015_3828); 271 } 272 273 @Test 274 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3829()275 public void testStagefright_cve_2015_3829() throws Exception { 276 doStagefrightTest(R.raw.cve_2015_3829); 277 } 278 279 @Test 280 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3836()281 public void testStagefright_cve_2015_3836() throws Exception { 282 doStagefrightTest(R.raw.cve_2015_3836); 283 } 284 285 @Test 286 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3864()287 public void testStagefright_cve_2015_3864() throws Exception { 288 doStagefrightTest(R.raw.cve_2015_3864); 289 } 290 291 @Test 292 @SecurityTest(minPatchLevel = "2015-01") testStagefright_cve_2015_3864_b23034759()293 public void testStagefright_cve_2015_3864_b23034759() throws Exception { 294 doStagefrightTest(R.raw.cve_2015_3864_b23034759); 295 } 296 297 @Test 298 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_6598()299 public void testStagefright_cve_2015_6598() throws Exception { 300 doStagefrightTest(R.raw.cve_2015_6598); 301 } 302 303 @Test 304 @SecurityTest(minPatchLevel = "2016-12") testStagefright_cve_2016_6766()305 public void testStagefright_cve_2016_6766() throws Exception { 306 doStagefrightTest(R.raw.cve_2016_6766); 307 } 308 309 @Test 310 @SecurityTest(minPatchLevel = "2017-02") testStagefright_cve_2016_2429_b_27211885()311 public void testStagefright_cve_2016_2429_b_27211885() throws Exception { 312 doStagefrightTest(R.raw.cve_2016_2429_b_27211885, 313 new CrashUtils.Config().checkMinAddress(false)); 314 } 315 316 @Test 317 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_34031018()318 public void testStagefright_bug_34031018() throws Exception { 319 doStagefrightTest(R.raw.bug_34031018_32bit, new CrashUtils.Config().checkMinAddress(false)); 320 doStagefrightTest(R.raw.bug_34031018_64bit, new CrashUtils.Config().checkMinAddress(false)); 321 } 322 323 /*********************************************************** 324 to prevent merge conflicts, add L tests below this comment, 325 before any existing test methods 326 ***********************************************************/ 327 328 @Test 329 @SecurityTest(minPatchLevel = "2018-01") testStagefright_bug_65123471()330 public void testStagefright_bug_65123471() throws Exception { 331 doStagefrightTest(R.raw.bug_65123471); 332 } 333 334 @Test 335 @SecurityTest(minPatchLevel = "2018-04") testStagefright_bug_72165027()336 public void testStagefright_bug_72165027() throws Exception { 337 doStagefrightTest(R.raw.bug_72165027); 338 } 339 340 @Test 341 @SecurityTest(minPatchLevel = "2018-06") testStagefright_bug_65483665()342 public void testStagefright_bug_65483665() throws Exception { 343 doStagefrightTest(R.raw.bug_65483665); 344 } 345 346 @Test 347 @SecurityTest(minPatchLevel = "2018-01") testStagefright_cve_2017_0852_b_62815506()348 public void testStagefright_cve_2017_0852_b_62815506() throws Exception { 349 doStagefrightTest(R.raw.cve_2017_0852_b_62815506, 350 new CrashUtils.Config().checkMinAddress(false)); 351 } 352 353 @Test 354 @SecurityTest(minPatchLevel = "2018-02") testStagefright_cve_2017_13229()355 public void testStagefright_cve_2017_13229() throws Exception { 356 doStagefrightTest(R.raw.cve_2017_13229); 357 } 358 359 @Test 360 @SecurityTest(minPatchLevel = "2017-09") testStagefright_cve_2017_0763()361 public void testStagefright_cve_2017_0763() throws Exception { 362 doStagefrightTest(R.raw.cve_2017_0763); 363 } 364 365 /*********************************************************** 366 to prevent merge conflicts, add M tests below this comment, 367 before any existing test methods 368 ***********************************************************/ 369 370 @Test 371 @SecurityTest(minPatchLevel = "2018-06") testBug_73965890()372 public void testBug_73965890() throws Exception { 373 int[] frameSizes = getFrameSizes(R.raw.bug_73965890_framelen); 374 doStagefrightTestRawBlob(R.raw.bug_73965890_hevc, "video/hevc", 320, 240, frameSizes); 375 } 376 377 @Test 378 @SecurityTest(minPatchLevel = "2016-10") testStagefright_cve_2016_3920()379 public void testStagefright_cve_2016_3920() throws Exception { 380 doStagefrightTest(R.raw.cve_2016_3920, new CrashUtils.Config().checkMinAddress(false)); 381 } 382 383 @Test 384 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_38448381()385 public void testStagefright_bug_38448381() throws Exception { 386 doStagefrightTest(R.raw.bug_38448381); 387 } 388 389 @Test 390 @SecurityTest(minPatchLevel = "2016-08") testStagefright_cve_2016_3821()391 public void testStagefright_cve_2016_3821() throws Exception { 392 doStagefrightTest(R.raw.cve_2016_3821, new CrashUtils.Config().checkMinAddress(false)); 393 } 394 395 @Test 396 @SecurityTest(minPatchLevel = "2018-04") testStagefright_bug_70897454()397 public void testStagefright_bug_70897454() throws Exception { 398 doStagefrightTestRawBlob(R.raw.b70897454_avc, "video/avc", 320, 420); 399 } 400 401 @Test 402 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_3742_b_28165659()403 public void testStagefright_cve_2016_3742_b_28165659() throws Exception { 404 doStagefrightTest(R.raw.cve_2016_3742_b_28165659); 405 } 406 407 @Test 408 @SecurityTest(minPatchLevel = "2017-05") testStagefright_bug_35039946()409 public void testStagefright_bug_35039946() throws Exception { 410 doStagefrightTestRawBlob(R.raw.bug_35039946_hevc, "video/hevc", 320, 420); 411 } 412 413 @Test 414 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_38115076()415 public void testStagefright_bug_38115076() throws Exception { 416 doStagefrightTest(R.raw.bug_38115076, new CrashUtils.Config().checkMinAddress(false)); 417 } 418 419 @Test 420 @SecurityTest(minPatchLevel = "2017-05") testStagefright_bug_34618607()421 public void testStagefright_bug_34618607() throws Exception { 422 doStagefrightTest(R.raw.bug_34618607, new CrashUtils.Config().checkMinAddress(false)); 423 } 424 425 @Test 426 @SecurityTest(minPatchLevel = "2018-02") testStagefright_bug_69478425()427 public void testStagefright_bug_69478425() throws Exception { 428 doStagefrightTest(R.raw.bug_69478425); 429 } 430 431 @Test 432 @SecurityTest(minPatchLevel = "2018-01") testStagefright_bug_65735716()433 public void testStagefright_bug_65735716() throws Exception { 434 doStagefrightTestRawBlob(R.raw.bug_65735716_avc, "video/avc", 320, 240); 435 } 436 437 @Test 438 @SecurityTest(minPatchLevel = "2017-12") testStagefright_bug_65717533()439 public void testStagefright_bug_65717533() throws Exception { 440 doStagefrightTest(R.raw.bug_65717533_header_corrupt); 441 } 442 443 @Test 444 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_38239864()445 public void testStagefright_bug_38239864() throws Exception { 446 doStagefrightTest(R.raw.bug_38239864, (4 * 60 * 1000)); 447 } 448 449 @Test 450 @SecurityTest(minPatchLevel = "2017-05") testStagefright_cve_2017_0600()451 public void testStagefright_cve_2017_0600() throws Exception { 452 doStagefrightTest(R.raw.cve_2017_0600, new CrashUtils.Config().checkMinAddress(false)); 453 } 454 455 @Test 456 @SecurityTest(minPatchLevel = "2017-08") testBug_38014992()457 public void testBug_38014992() throws Exception { 458 int[] frameSizes = getFrameSizes(R.raw.bug_38014992_framelen); 459 doStagefrightTestRawBlob(R.raw.bug_38014992_avc, "video/avc", 640, 480, frameSizes, 460 new CrashUtils.Config().checkMinAddress(false)); 461 } 462 463 @Test 464 @SecurityTest(minPatchLevel = "2017-07") testBug_35584425()465 public void testBug_35584425() throws Exception { 466 int[] frameSizes = getFrameSizes(R.raw.bug_35584425_framelen); 467 doStagefrightTestRawBlob(R.raw.bug_35584425_avc, "video/avc", 352, 288, frameSizes); 468 } 469 470 @Test 471 @SecurityTest(minPatchLevel = "2016-11") testBug_31092462()472 public void testBug_31092462() throws Exception { 473 int[] frameSizes = getFrameSizes(R.raw.bug_31092462_framelen); 474 doStagefrightTestRawBlob(R.raw.bug_31092462_avc, "video/avc", 1280, 1024, frameSizes); 475 } 476 477 @Test 478 @SecurityTest(minPatchLevel = "2017-04") testBug_34097866()479 public void testBug_34097866() throws Exception { 480 int[] frameSizes = getFrameSizes(R.raw.bug_34097866_frame_len); 481 doStagefrightTestRawBlob(R.raw.bug_34097866_avc, "video/avc", 352, 288, frameSizes); 482 } 483 484 @Test 485 @SecurityTest(minPatchLevel = "2017-03") testBug_33862021()486 public void testBug_33862021() throws Exception { 487 int[] frameSizes = getFrameSizes(R.raw.bug_33862021_frame_len); 488 doStagefrightTestRawBlob(R.raw.bug_33862021_hevc, "video/hevc", 160, 96, frameSizes); 489 } 490 491 @Test 492 @SecurityTest(minPatchLevel = "2017-03") testBug_33387820()493 public void testBug_33387820() throws Exception { 494 int[] frameSizes = {45, 3202, 430, 2526}; 495 doStagefrightTestRawBlob(R.raw.bug_33387820_avc, "video/avc", 320, 240, frameSizes, 496 new CrashUtils.Config().checkMinAddress(false)); 497 } 498 499 @Test 500 @SecurityTest(minPatchLevel = "2017-07") testBug_37008096()501 public void testBug_37008096() throws Exception { 502 int[] frameSizes = {245, 12, 33, 140, 164}; 503 doStagefrightTestRawBlob(R.raw.bug_37008096_avc, "video/avc", 320, 240, frameSizes); 504 } 505 506 @Test 507 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_34231163()508 public void testStagefright_bug_34231163() throws Exception { 509 int[] frameSizes = {22, 357, 217, 293, 175}; 510 doStagefrightTestRawBlob(R.raw.bug_34231163_mpeg2, "video/mpeg2", 320, 240, frameSizes); 511 } 512 513 @Test 514 @SecurityTest(minPatchLevel = "2017-04") testStagefright_bug_33933140()515 public void testStagefright_bug_33933140() throws Exception { 516 int[] frameSizes = getFrameSizes(R.raw.bug_33933140_framelen); 517 doStagefrightTestRawBlob(R.raw.bug_33933140_avc, "video/avc", 320, 240, frameSizes); 518 } 519 520 @Test 521 @SecurityTest(minPatchLevel = "2017-04") testStagefright_bug_34097915()522 public void testStagefright_bug_34097915() throws Exception { 523 int[] frameSizes = {4140, 593, 0, 15495}; 524 doStagefrightTestRawBlob(R.raw.bug_34097915_avc, "video/avc", 320, 240, frameSizes); 525 } 526 527 @Test 528 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_34097213()529 public void testStagefright_bug_34097213() throws Exception { 530 int[] frameSizes = {2571, 210, 33858}; 531 doStagefrightTestRawBlob(R.raw.bug_34097213_avc, "video/avc", 320, 240, frameSizes); 532 } 533 534 @Test 535 @SecurityTest(minPatchLevel = "2016-08") testBug_28816956()536 public void testBug_28816956() throws Exception { 537 int[] frameSizes = getFrameSizes(R.raw.bug_28816956_framelen); 538 doStagefrightTestRawBlob( 539 R.raw.bug_28816956_hevc, "video/hevc", 352, 288, frameSizes, 540 new CrashUtils.Config().checkMinAddress(false)); 541 } 542 543 @Test 544 @SecurityTest(minPatchLevel = "2017-03") testBug_33818500()545 public void testBug_33818500() throws Exception { 546 int[] frameSizes = getFrameSizes(R.raw.bug_33818500_framelen); 547 doStagefrightTestRawBlob(R.raw.bug_33818500_avc, "video/avc", 64, 32, frameSizes, 548 new CrashUtils.Config().checkMinAddress(false)); 549 } 550 551 @Test 552 @SecurityTest(minPatchLevel = "2018-01") testBug_64784973()553 public void testBug_64784973() throws Exception { 554 int[] frameSizes = getFrameSizes(R.raw.bug_64784973_framelen); 555 doStagefrightTestRawBlob(R.raw.bug_64784973_hevc, "video/hevc", 1280, 720, frameSizes); 556 } 557 558 @Test 559 @SecurityTest(minPatchLevel = "2017-07") testBug_34231231()560 public void testBug_34231231() throws Exception { 561 int[] frameSizes = getFrameSizes(R.raw.bug_34231231_framelen); 562 doStagefrightTestRawBlob(R.raw.bug_34231231_mpeg2, "video/mpeg2", 352, 288, frameSizes); 563 } 564 565 @Test 566 @SecurityTest(minPatchLevel = "2017-10") testBug_63045918()567 public void testBug_63045918() throws Exception { 568 int[] frameSizes = getFrameSizes(R.raw.bug_63045918_framelen); 569 doStagefrightTestRawBlob(R.raw.bug_63045918_hevc, "video/hevc", 352, 288, frameSizes); 570 } 571 572 @Test 573 @SecurityTest(minPatchLevel = "2017-03") testBug_33298089()574 public void testBug_33298089() throws Exception { 575 int[] frameSizes = {3247, 430, 221, 2305}; 576 doStagefrightTestRawBlob(R.raw.bug_33298089_avc, "video/avc", 32, 64, frameSizes); 577 } 578 579 @Test 580 @SecurityTest(minPatchLevel = "2017-05") testStagefright_cve_2017_0599()581 public void testStagefright_cve_2017_0599() throws Exception { 582 doStagefrightTest(R.raw.cve_2017_0599, new CrashUtils.Config().checkMinAddress(false)); 583 } 584 585 @Test 586 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_36492741()587 public void testStagefright_bug_36492741() throws Exception { 588 doStagefrightTest(R.raw.bug_36492741); 589 } 590 591 @Test 592 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_38487564()593 public void testStagefright_bug_38487564() throws Exception { 594 doStagefrightTest(R.raw.bug_38487564, (4 * 60 * 1000)); 595 } 596 597 @Test 598 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_37237396()599 public void testStagefright_bug_37237396() throws Exception { 600 doStagefrightTest(R.raw.bug_37237396); 601 } 602 603 @Test 604 @SecurityTest(minPatchLevel = "2017-09") testStagefright_cve_2016_0842()605 public void testStagefright_cve_2016_0842() throws Exception { 606 doStagefrightTest(R.raw.cve_2016_0842); 607 } 608 609 @Test 610 @SecurityTest(minPatchLevel = "2017-11") testStagefright_bug_63121644()611 public void testStagefright_bug_63121644() throws Exception { 612 doStagefrightTest(R.raw.bug_63121644); 613 } 614 615 @Test 616 @SecurityTest(minPatchLevel = "2017-09") testStagefright_cve_2016_6712()617 public void testStagefright_cve_2016_6712() throws Exception { 618 doStagefrightTest(R.raw.cve_2016_6712, new CrashUtils.Config().checkMinAddress(false)); 619 } 620 621 @Test 622 @SecurityTest(minPatchLevel = "2017-04") testStagefright_bug_34097231()623 public void testStagefright_bug_34097231() throws Exception { 624 doStagefrightTestRawBlob(R.raw.bug_34097231_avc, "video/avc", 320, 240); 625 } 626 627 @Test 628 @SecurityTest(minPatchLevel = "2017-05") testStagefright_bug_34097672()629 public void testStagefright_bug_34097672() throws Exception { 630 doStagefrightTest(R.raw.bug_34097672); 631 } 632 633 634 @Test 635 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_33751193()636 public void testStagefright_bug_33751193() throws Exception { 637 doStagefrightTestRawBlob(R.raw.bug_33751193_avc, "video/avc", 320, 240); 638 } 639 640 @Test 641 @SecurityTest(minPatchLevel = "2017-07") testBug_36993291()642 public void testBug_36993291() throws Exception { 643 doStagefrightTestRawBlob(R.raw.bug_36993291_avc, "video/avc", 320, 240); 644 } 645 646 @Test 647 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_33818508()648 public void testStagefright_bug_33818508() throws Exception { 649 doStagefrightTest(R.raw.bug_33818508, new CrashUtils.Config().checkMinAddress(false)); 650 } 651 652 @Test 653 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_32873375()654 public void testStagefright_bug_32873375() throws Exception { 655 doStagefrightTest(R.raw.bug_32873375, new CrashUtils.Config().checkMinAddress(false)); 656 } 657 658 @Test 659 @SecurityTest(minPatchLevel = "2018-02") testStagefright_bug_63522067()660 public void testStagefright_bug_63522067() throws Exception { 661 doStagefrightTestRawBlob(R.raw.bug_63522067_1_hevc, "video/hevc", 320, 420); 662 doStagefrightTestRawBlob(R.raw.bug_63522067_2_hevc, "video/hevc", 320, 420); 663 doStagefrightTestRawBlob(R.raw.bug_63522067_3_hevc, "video/hevc", 320, 420); 664 doStagefrightTestRawBlob(R.raw.bug_63522067_4_hevc, "video/hevc", 320, 420); 665 } 666 667 @Test 668 @SecurityTest(minPatchLevel = "2016-03") testStagefright_bug_25765591()669 public void testStagefright_bug_25765591() throws Exception { 670 doStagefrightTest(R.raw.bug_25765591); 671 } 672 673 @Test 674 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_62673179()675 public void testStagefright_bug_62673179() throws Exception { 676 doStagefrightTest(R.raw.bug_62673179_ts, (4 * 60 * 1000)); 677 } 678 679 @Test 680 @SecurityTest(minPatchLevel = "2018-03") testStagefright_bug_69269702()681 public void testStagefright_bug_69269702() throws Exception { 682 doStagefrightTest(R.raw.bug_69269702); 683 } 684 685 @Test 686 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3867()687 public void testStagefright_cve_2015_3867() throws Exception { 688 doStagefrightTest(R.raw.cve_2015_3867); 689 } 690 691 @Test 692 @SecurityTest(minPatchLevel = "2018-01") testStagefright_bug_65398821()693 public void testStagefright_bug_65398821() throws Exception { 694 doStagefrightTest(R.raw.bug_65398821, ( 4 * 60 * 1000 ) ); 695 } 696 697 @Test 698 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3869()699 public void testStagefright_cve_2015_3869() throws Exception { 700 doStagefrightTest(R.raw.cve_2015_3869); 701 } 702 703 @Test 704 @SecurityTest(minPatchLevel = "2016-03") testStagefright_bug_23452792()705 public void testStagefright_bug_23452792() throws Exception { 706 doStagefrightTest(R.raw.bug_23452792); 707 } 708 709 @Test 710 @SecurityTest(minPatchLevel = "2016-08") testStagefright_cve_2016_3820()711 public void testStagefright_cve_2016_3820() throws Exception { 712 doStagefrightTest(R.raw.cve_2016_3820); 713 } 714 715 @Test 716 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_3741()717 public void testStagefright_cve_2016_3741() throws Exception { 718 doStagefrightTest(R.raw.cve_2016_3741); 719 } 720 721 @Test 722 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_2506()723 public void testStagefright_cve_2016_2506() throws Exception { 724 doStagefrightTest(R.raw.cve_2016_2506); 725 } 726 727 @Test 728 @SecurityTest(minPatchLevel = "2016-06") testStagefright_cve_2016_2428()729 public void testStagefright_cve_2016_2428() throws Exception { 730 doStagefrightTest(R.raw.cve_2016_2428, new CrashUtils.Config().checkMinAddress(false)); 731 } 732 733 @Test 734 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_3756()735 public void testStagefright_cve_2016_3756() throws Exception { 736 doStagefrightTest(R.raw.cve_2016_3756); 737 } 738 739 @Test 740 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_36592202()741 public void testStagefright_bug_36592202() throws Exception { 742 Resources resources = getInstrumentation().getContext().getResources(); 743 AssetFileDescriptor fd = resources.openRawResourceFd(R.raw.bug_36592202); 744 final int oggPageSize = 25627; 745 byte [] blob = new byte[oggPageSize]; 746 // 127 bytes read and 25500 zeros constitute one Ogg page 747 FileInputStream fis = fd.createInputStream(); 748 int numRead = fis.read(blob); 749 fis.close(); 750 // Creating temp file 751 final File tempFile = File.createTempFile("poc_tmp", ".ogg", null); 752 try { 753 final FileOutputStream tempFos = new FileOutputStream(tempFile.getAbsolutePath()); 754 int bytesWritten = 0; 755 final long oggPagesRequired = 50000; 756 long oggPagesAvailable = tempFile.getUsableSpace() / oggPageSize; 757 long numOggPages = Math.min(oggPagesRequired, oggPagesAvailable); 758 // Repeat data for specified number of pages 759 for (int i = 0; i < numOggPages; i++) { 760 tempFos.write(blob); 761 bytesWritten += oggPageSize; 762 } 763 tempFos.close(); 764 final int fileSize = bytesWritten; 765 final int timeout = (10 * 60 * 1000); 766 runWithTimeout(new Runnable() { 767 @Override 768 public void run() { 769 try { 770 doStagefrightTestMediaCodec(tempFile.getAbsolutePath(), 771 new CrashUtils.Config().checkMinAddress(false)); 772 } catch (Exception | AssertionError e) { 773 if (!tempFile.delete()) { 774 Log.e(TAG, "Failed to delete temporary PoC file"); 775 } 776 fail("Operation was not successful"); 777 } 778 } 779 }, timeout); 780 } catch (Exception e) { 781 fail("Failed to test b/36592202"); 782 } finally { 783 if (!tempFile.delete()) { 784 Log.e(TAG, "Failed to delete temporary PoC file"); 785 } 786 } 787 } 788 789 @Test 790 @SecurityTest(minPatchLevel = "2016-11") testStagefright_bug_30822755()791 public void testStagefright_bug_30822755() throws Exception { 792 doStagefrightTest(R.raw.bug_30822755); 793 } 794 795 @Test 796 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_32322258()797 public void testStagefright_bug_32322258() throws Exception { 798 doStagefrightTest(R.raw.bug_32322258, new CrashUtils.Config().checkMinAddress(false)); 799 } 800 801 @Test 802 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3873_b_23248776()803 public void testStagefright_cve_2015_3873_b_23248776() throws Exception { 804 doStagefrightTest(R.raw.cve_2015_3873_b_23248776); 805 } 806 807 @Test 808 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_35472997()809 public void testStagefright_bug_35472997() throws Exception { 810 doStagefrightTest(R.raw.bug_35472997); 811 } 812 813 @Test 814 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3873_b_20718524()815 public void testStagefright_cve_2015_3873_b_20718524() throws Exception { 816 doStagefrightTest(R.raw.cve_2015_3873_b_20718524); 817 } 818 819 @Test 820 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_34896431()821 public void testStagefright_bug_34896431() throws Exception { 822 doStagefrightTest(R.raw.bug_34896431); 823 } 824 825 @Test 826 @SecurityTest(minPatchLevel = "2017-04") testBug_33641588()827 public void testBug_33641588() throws Exception { 828 doStagefrightTestRawBlob(R.raw.bug_33641588_avc, "video/avc", 320, 240); 829 } 830 831 @Test 832 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3862_b_22954006()833 public void testStagefright_cve_2015_3862_b_22954006() throws Exception { 834 doStagefrightTest(R.raw.cve_2015_3862_b_22954006, 835 new CrashUtils.Config().checkMinAddress(false)); 836 } 837 838 @Test 839 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3867_b_23213430()840 public void testStagefright_cve_2015_3867_b_23213430() throws Exception { 841 doStagefrightTest(R.raw.cve_2015_3867_b_23213430); 842 } 843 844 @Test 845 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3873_b_21814993()846 public void testStagefright_cve_2015_3873_b_21814993() throws Exception { 847 doStagefrightTest(R.raw.cve_2015_3873_b_21814993); 848 } 849 850 @Test 851 @SecurityTest(minPatchLevel = "2016-04") testStagefright_bug_25812590()852 public void testStagefright_bug_25812590() throws Exception { 853 doStagefrightTest(R.raw.bug_25812590); 854 } 855 856 @Test 857 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_6600()858 public void testStagefright_cve_2015_6600() throws Exception { 859 doStagefrightTest(R.raw.cve_2015_6600); 860 } 861 862 @Test 863 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_6603()864 public void testStagefright_cve_2015_6603() throws Exception { 865 doStagefrightTest(R.raw.cve_2015_6603); 866 } 867 868 @Test 869 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_6604()870 public void testStagefright_cve_2015_6604() throws Exception { 871 doStagefrightTest(R.raw.cve_2015_6604); 872 } 873 874 @Test 875 @SecurityTest(minPatchLevel = "2015-12") testStagefright_bug_24157524()876 public void testStagefright_bug_24157524() throws Exception { 877 doStagefrightTestMediaCodec(R.raw.bug_24157524); 878 } 879 880 @Test 881 @SecurityTest(minPatchLevel = "2015-10") testStagefright_cve_2015_3871()882 public void testStagefright_cve_2015_3871() throws Exception { 883 doStagefrightTest(R.raw.cve_2015_3871); 884 } 885 886 @Test 887 @SecurityTest(minPatchLevel = "2016-04") testStagefright_bug_26070014()888 public void testStagefright_bug_26070014() throws Exception { 889 doStagefrightTest(R.raw.bug_26070014); 890 } 891 892 @Test 893 @SecurityTest(minPatchLevel = "2017-03") testStagefright_bug_32915871()894 public void testStagefright_bug_32915871() throws Exception { 895 doStagefrightTest(R.raw.bug_32915871); 896 } 897 898 @Test 899 @SecurityTest(minPatchLevel = "2016-07") testStagefright_bug_28333006()900 public void testStagefright_bug_28333006() throws Exception { 901 doStagefrightTest(R.raw.bug_28333006); 902 } 903 904 @Test 905 @SecurityTest(minPatchLevel = "2015-11") testStagefright_bug_14388161()906 public void testStagefright_bug_14388161() throws Exception { 907 doStagefrightTestMediaPlayer(R.raw.bug_14388161); 908 } 909 910 @Test 911 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_3755()912 public void testStagefright_cve_2016_3755() throws Exception { 913 doStagefrightTest(R.raw.cve_2016_3755, new CrashUtils.Config().checkMinAddress(false)); 914 } 915 916 @Test 917 @SecurityTest(minPatchLevel = "2016-09") testStagefright_cve_2016_3878_b_29493002()918 public void testStagefright_cve_2016_3878_b_29493002() throws Exception { 919 doStagefrightTest(R.raw.cve_2016_3878_b_29493002, 920 new CrashUtils.Config().checkMinAddress(false)); 921 } 922 923 @Test 924 @SecurityTest(minPatchLevel = "2017-08") testBug_36819262()925 public void testBug_36819262() throws Exception { 926 doStagefrightTestRawBlob(R.raw.bug_36819262_mpeg2, "video/mpeg2", 640, 480); 927 } 928 929 @Test 930 @SecurityTest(minPatchLevel = "2015-11") testStagefright_cve_2015_6608_b_23680780()931 public void testStagefright_cve_2015_6608_b_23680780() throws Exception { 932 doStagefrightTest(R.raw.cve_2015_6608_b_23680780); 933 } 934 935 @Test 936 @SecurityTest(minPatchLevel = "2017-09") testStagefright_bug_36715268()937 public void testStagefright_bug_36715268() throws Exception { 938 doStagefrightTest(R.raw.bug_36715268); 939 } 940 941 @Test 942 @SecurityTest(minPatchLevel = "2016-06") testStagefright_bug_27855419_CVE_2016_2463()943 public void testStagefright_bug_27855419_CVE_2016_2463() throws Exception { 944 doStagefrightTest(R.raw.bug_27855419, new CrashUtils.Config().checkMinAddress(false)); 945 } 946 947 @Test 948 @SecurityTest(minPatchLevel = "2015-11") testStagefright_bug_19779574()949 public void testStagefright_bug_19779574() throws Exception { 950 doStagefrightTest(R.raw.bug_19779574, new CrashUtils.Config().checkMinAddress(false)); 951 } 952 953 /*********************************************************** 954 to prevent merge conflicts, add N tests below this comment, 955 before any existing test methods 956 ***********************************************************/ 957 958 @Test 959 @SecurityTest(minPatchLevel = "2017-03") testBug_33090864()960 public void testBug_33090864() throws Exception { 961 int[] frameSizes = getFrameSizes(R.raw.bug_33090864_framelen); 962 doStagefrightTestRawBlob(R.raw.bug_33090864_avc, "video/avc", 320, 240, frameSizes); 963 } 964 965 @Test 966 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_36279112()967 public void testStagefright_bug_36279112() throws Exception { 968 doStagefrightTest(R.raw.bug_36279112, new CrashUtils.Config().checkMinAddress(false)); 969 } 970 971 @Test 972 @SecurityTest(minPatchLevel = "2017-06") testStagefright_cve_2017_0640()973 public void testStagefright_cve_2017_0640() throws Exception { 974 int[] frameSizes = {21, 4}; 975 doStagefrightTestRawBlob(R.raw.cve_2017_0640_avc, "video/avc", 640, 480, 976 frameSizes); 977 } 978 979 @Test 980 @SecurityTest(minPatchLevel = "2017-08") testBug_37203196()981 public void testBug_37203196() throws Exception { 982 int[] frameSizes = getFrameSizes(R.raw.bug_37203196_framelen); 983 doStagefrightTestRawBlob(R.raw.bug_37203196_mpeg2, "video/mpeg2", 48, 48, frameSizes); 984 } 985 986 @Test 987 @SecurityTest(minPatchLevel = "2018-06") testBug_73552574()988 public void testBug_73552574() throws Exception { 989 int[] frameSizes = getFrameSizes(R.raw.bug_73552574_framelen); 990 doStagefrightTestRawBlob(R.raw.bug_73552574_avc, "video/avc", 320, 240, frameSizes); 991 } 992 993 @Test 994 @SecurityTest(minPatchLevel = "2015-09") testStagefright_bug_23285192()995 public void testStagefright_bug_23285192() throws Exception { 996 doStagefrightTest(R.raw.bug_23285192); 997 } 998 999 @Test 1000 @SecurityTest(minPatchLevel = "2016-03") testStagefright_bug_25928803()1001 public void testStagefright_bug_25928803() throws Exception { 1002 doStagefrightTest(R.raw.bug_25928803); 1003 } 1004 1005 @Test 1006 @SecurityTest(minPatchLevel = "2016-04") testBug_26399350()1007 public void testBug_26399350() throws Exception { 1008 int[] frameSizes = {657, 54930}; 1009 doStagefrightTestRawBlob(R.raw.bug_26399350_avc, "video/avc", 640, 480, 1010 frameSizes); 1011 } 1012 1013 @Test 1014 @SecurityTest(minPatchLevel = "2018-12") testBug_113260892()1015 public void testBug_113260892() throws Exception { 1016 doStagefrightTestRawBlob(R.raw.bug_113260892_hevc, "video/hevc", 320, 240); 1017 } 1018 1019 @Test 1020 @SecurityTest(minPatchLevel = "2018-02") testStagefright_bug_68342866()1021 public void testStagefright_bug_68342866() throws Exception { 1022 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1023 policy.setCleartextTrafficPermitted(true); 1024 Thread server = new Thread() { 1025 @Override 1026 public void run() { 1027 try (ServerSocket serverSocket = new ServerSocket(8080) { 1028 {setSoTimeout(10_000);} // time out after 10 seconds 1029 }; 1030 Socket conn = serverSocket.accept(); 1031 ) { 1032 OutputStream outputstream = conn.getOutputStream(); 1033 InputStream inputStream = conn.getInputStream(); 1034 byte input[] = new byte[65536]; 1035 inputStream.read(input, 0, 65536); 1036 String inputStr = new String(input); 1037 if (inputStr.contains("bug_68342866.m3u8")) { 1038 byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n") 1039 .getBytes(); 1040 byte playlist[] = new byte[] { 0x23, 0x45, 0x58, 0x54, 1041 0x4D, 0x33, 0x55, 0x0A, 0x23, 0x45, 0x58, 0x54, 1042 0x2D, 0x58, 0x2D, 0x53, 0x54, 0x52, 0x45, 0x41, 1043 0x4D, 0x2D, 0x49, 0x4E, 0x46, 0x46, 0x43, 0x23, 1044 0x45, 0x3A, 0x54, 0x42, 0x00, 0x00, 0x00, 0x0A, 1045 0x00, 0x00, 0x00, 0x00, 0x00, (byte) 0xFF, 1046 (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 1047 (byte) 0xFF, (byte) 0xFF, 0x3F, 0x2C, 0x4E, 1048 0x46, 0x00, 0x00 }; 1049 outputstream.write(http); 1050 outputstream.write(playlist); 1051 } 1052 } catch (IOException e) { 1053 } 1054 } 1055 }; 1056 server.start(); 1057 String uri = "http://127.0.0.1:8080/bug_68342866.m3u8"; 1058 final MediaPlayerCrashListener mpcl = 1059 new MediaPlayerCrashListener(new CrashUtils.Config().checkMinAddress(false)); 1060 LooperThread t = new LooperThread(new Runnable() { 1061 @Override 1062 public void run() { 1063 MediaPlayer mp = new MediaPlayer(); 1064 mp.setOnErrorListener(mpcl); 1065 mp.setOnPreparedListener(mpcl); 1066 mp.setOnCompletionListener(mpcl); 1067 RenderTarget renderTarget = RenderTarget.create(); 1068 Surface surface = renderTarget.getSurface(); 1069 mp.setSurface(surface); 1070 AssetFileDescriptor fd = null; 1071 try { 1072 mp.setDataSource(uri); 1073 mp.prepareAsync(); 1074 } catch (IOException e) { 1075 Log.e(TAG, e.toString()); 1076 } finally { 1077 closeQuietly(fd); 1078 } 1079 Looper.loop(); 1080 mp.release(); 1081 renderTarget.destroy(); 1082 } 1083 }); 1084 t.start(); 1085 assertFalse("Device *IS* vulnerable to BUG-68342866", 1086 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1087 t.stopLooper(); 1088 t.join(); 1089 policy.setCleartextTrafficPermitted(false); 1090 server.join(); 1091 } 1092 1093 @Test 1094 @SecurityTest(minPatchLevel = "2018-05") testStagefright_bug_74114680()1095 public void testStagefright_bug_74114680() throws Exception { 1096 doStagefrightTest(R.raw.bug_74114680_ts, (10 * 60 * 1000)); 1097 } 1098 1099 @Test 1100 @SecurityTest(minPatchLevel = "2018-03") testStagefright_bug_70239507()1101 public void testStagefright_bug_70239507() throws Exception { 1102 doStagefrightTestExtractorSeek(R.raw.bug_70239507,1311768465173141112L); 1103 } 1104 1105 @Test 1106 @SecurityTest(minPatchLevel = "2017-03") testBug_33250932()1107 public void testBug_33250932() throws Exception { 1108 int[] frameSizes = {65, 11, 102, 414}; 1109 doStagefrightTestRawBlob(R.raw.bug_33250932_avc, "video/avc", 640, 480, frameSizes); 1110 } 1111 1112 @Test 1113 @SecurityTest(minPatchLevel = "2017-08") testStagefright_bug_37430213()1114 public void testStagefright_bug_37430213() throws Exception { 1115 doStagefrightTest(R.raw.bug_37430213); 1116 } 1117 1118 @Test 1119 @SecurityTest(minPatchLevel = "2017-03") testStagefright_cve_2017_0474()1120 public void testStagefright_cve_2017_0474() throws Exception { 1121 doStagefrightTest(R.raw.cve_2017_0474, 120000); 1122 } 1123 1124 @Test 1125 @SecurityTest(minPatchLevel = "2017-09") testStagefright_cve_2017_0765()1126 public void testStagefright_cve_2017_0765() throws Exception { 1127 doStagefrightTest(R.raw.cve_2017_0765); 1128 } 1129 1130 @Test 1131 @SecurityTest(minPatchLevel = "2018-04") testStagefright_cve_2017_13279()1132 public void testStagefright_cve_2017_13279() throws Exception { 1133 Thread server = new Thread() { 1134 @Override 1135 public void run(){ 1136 try (ServerSocket serverSocket = new ServerSocket(8080) { 1137 {setSoTimeout(10_000);} // time out after 10 seconds 1138 }; 1139 Socket conn = serverSocket.accept() 1140 ) { 1141 OutputStream stream = conn.getOutputStream(); 1142 byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n" 1143 + "#EXTM3U\n#EXT-X-STREAM-INF:\n").getBytes(); 1144 stream.write(http); 1145 while(!conn.isClosed()) 1146 stream.write(("a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1147 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1148 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1149 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1150 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1151 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1152 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1153 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1154 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1155 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1156 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1157 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1158 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1159 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1160 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1161 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1162 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1163 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1164 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1165 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1166 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1167 + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n" 1168 + "a\na\na\na\na\na\na\na\n").getBytes()); 1169 } 1170 catch(IOException e){ 1171 } 1172 } 1173 }; 1174 server.start(); 1175 String uri = "http://127.0.0.1:8080/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 1176 + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/" 1177 + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.m3u8"; 1178 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(); 1179 1180 LooperThread t = new LooperThread(new Runnable() { 1181 @Override 1182 public void run() { 1183 1184 MediaPlayer mp = new MediaPlayer(); 1185 mp.setOnErrorListener(mpcl); 1186 mp.setOnPreparedListener(mpcl); 1187 mp.setOnCompletionListener(mpcl); 1188 RenderTarget renderTarget = RenderTarget.create(); 1189 Surface surface = renderTarget.getSurface(); 1190 mp.setSurface(surface); 1191 AssetFileDescriptor fd = null; 1192 try { 1193 mp.setDataSource(uri); 1194 mp.prepareAsync(); 1195 } catch (IOException e) { 1196 Log.e(TAG, e.toString()); 1197 } finally { 1198 closeQuietly(fd); 1199 } 1200 1201 Looper.loop(); 1202 mp.release(); 1203 } 1204 }); 1205 t.start(); 1206 Thread.sleep(60000); // Poc takes a while to crash mediaserver, waitForError 1207 // doesn't wait long enough 1208 assertFalse("Device *IS* vulnerable to CVE-2017-13279", 1209 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1210 t.stopLooper(); 1211 t.join(); // wait for thread to exit so we're sure the player was released 1212 server.join(); 1213 } 1214 1215 @Test 1216 @SecurityTest(minPatchLevel = "2018-04") testStagefright_cve_2017_13276()1217 public void testStagefright_cve_2017_13276() throws Exception { 1218 doStagefrightTest(R.raw.cve_2017_13276); 1219 } 1220 1221 @Test 1222 @SecurityTest(minPatchLevel = "2016-12") testStagefright_cve_2016_6764()1223 public void testStagefright_cve_2016_6764() throws Exception { 1224 doStagefrightTest(R.raw.cve_2016_6764, new CrashUtils.Config().checkMinAddress(false)); 1225 } 1226 1227 @Test 1228 @SecurityTest(minPatchLevel = "2018-01") testStagefright_cve_2017_13214()1229 public void testStagefright_cve_2017_13214() throws Exception { 1230 doStagefrightTest(R.raw.cve_2017_13214); 1231 } 1232 1233 @Test 1234 @SecurityTest(minPatchLevel = "2017-06") testStagefright_bug_35467107()1235 public void testStagefright_bug_35467107() throws Exception { 1236 doStagefrightTest(R.raw.bug_35467107, new CrashUtils.Config().checkMinAddress(false)); 1237 } 1238 1239 /*********************************************************** 1240 to prevent merge conflicts, add O tests below this comment, 1241 before any existing test methods 1242 ***********************************************************/ 1243 1244 @Test 1245 @SecurityTest(minPatchLevel = "2019-09") testStagefright_cve_2019_10534()1246 public void testStagefright_cve_2019_10534() throws Exception { 1247 doStagefrightTest(R.raw.cve_2019_10534); 1248 } 1249 1250 @Test 1251 @SecurityTest(minPatchLevel = "2019-09") testStagefright_cve_2019_10533()1252 public void testStagefright_cve_2019_10533() throws Exception { 1253 doStagefrightTest(R.raw.cve_2019_10533); 1254 } 1255 1256 @Test 1257 @SecurityTest(minPatchLevel = "2019-09") testStagefright_cve_2019_10541()1258 public void testStagefright_cve_2019_10541() throws Exception { 1259 doStagefrightTest(R.raw.cve_2019_10541); 1260 } 1261 1262 @Test 1263 @SecurityTest(minPatchLevel = "2018-02") testStagefright_cve_2017_13233()1264 public void testStagefright_cve_2017_13233() throws Exception { 1265 doStagefrightTestRawBlob(R.raw.cve_2017_13233_hevc, "video/hevc", 640, 1266 480); 1267 } 1268 1269 @Test 1270 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2106()1271 public void testStagefright_cve_2019_2106() throws Exception { 1272 int[] frameSizes = {943, 3153}; 1273 doStagefrightTestRawBlob(R.raw.cve_2019_2106_hevc, "video/hevc", 320, 1274 240, frameSizes); 1275 } 1276 1277 @Test 1278 @SecurityTest(minPatchLevel = "2017-06") testStagefright_cve_2017_0637()1279 public void testStagefright_cve_2017_0637() throws Exception { 1280 doStagefrightTest(R.raw.cve_2017_0637, 2 * 72000); 1281 } 1282 1283 @Test 1284 @SecurityTest(minPatchLevel = "2018-09") testStagefright_cve_2018_11287()1285 public void testStagefright_cve_2018_11287() throws Exception { 1286 doStagefrightTest(R.raw.cve_2018_11287, 180000); 1287 } 1288 1289 @Test 1290 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2327()1291 public void testStagefright_cve_2019_2327() throws Exception { 1292 doStagefrightTest(R.raw.cve_2019_2327); 1293 } 1294 1295 @Test 1296 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2322()1297 public void testStagefright_cve_2019_2322() throws Exception { 1298 doStagefrightTest(R.raw.cve_2019_2322); 1299 } 1300 1301 @Test 1302 @SecurityTest(minPatchLevel = "2019-07") testStagefright_cve_2019_2334()1303 public void testStagefright_cve_2019_2334() throws Exception { 1304 doStagefrightTest(R.raw.cve_2019_2334); 1305 } 1306 1307 @Test 1308 @SecurityTest(minPatchLevel = "2018-01") testStagefright_cve_2017_13204()1309 public void testStagefright_cve_2017_13204() throws Exception { 1310 int[] frameSizes = getFrameSizes(R.raw.cve_2017_13204_framelen); 1311 doStagefrightTestRawBlob(R.raw.cve_2017_13204_avc, "video/avc", 16, 16, frameSizes); 1312 } 1313 1314 @Test 1315 @SecurityTest(minPatchLevel = "2018-03") testStagefright_cve_2017_17773()1316 public void testStagefright_cve_2017_17773() throws Exception { 1317 doStagefrightTest(R.raw.cve_2017_17773); 1318 } 1319 1320 @Test 1321 @SecurityTest(minPatchLevel = "2018-04") testStagefright_cve_2017_18074()1322 public void testStagefright_cve_2017_18074() throws Exception { 1323 doStagefrightTest(R.raw.cve_2017_18074); 1324 } 1325 1326 @Test 1327 @SecurityTest(minPatchLevel = "2018-06") testStagefright_cve_2018_5894()1328 public void testStagefright_cve_2018_5894() throws Exception { 1329 doStagefrightTest(R.raw.cve_2018_5894); 1330 } 1331 1332 @Test 1333 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_5874()1334 public void testStagefright_cve_2018_5874() throws Exception { 1335 doStagefrightTest(R.raw.cve_2018_5874); 1336 } 1337 1338 @Test 1339 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_5875()1340 public void testStagefright_cve_2018_5875() throws Exception { 1341 doStagefrightTest(R.raw.cve_2018_5875); 1342 } 1343 1344 @Test 1345 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_5876()1346 public void testStagefright_cve_2018_5876() throws Exception { 1347 doStagefrightTest(R.raw.cve_2018_5876); 1348 } 1349 1350 @Test 1351 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_5882()1352 public void testStagefright_cve_2018_5882() throws Exception { 1353 doStagefrightTest(R.raw.cve_2018_5882); 1354 } 1355 1356 @Test 1357 @SecurityTest(minPatchLevel = "2017-12") testBug_65186291()1358 public void testBug_65186291() throws Exception { 1359 int[] frameSizes = getFrameSizes(R.raw.bug_65186291_framelen); 1360 doStagefrightTestRawBlob(R.raw.bug_65186291_hevc, "video/hevc", 1920, 1080, frameSizes); 1361 } 1362 1363 @Test 1364 @SecurityTest(minPatchLevel = "2018-01") testBug_67737022()1365 public void testBug_67737022() throws Exception { 1366 doStagefrightTest(R.raw.bug_67737022); 1367 } 1368 1369 @Test 1370 @SecurityTest(minPatchLevel = "2017-07") testStagefright_bug_37093318()1371 public void testStagefright_bug_37093318() throws Exception { 1372 doStagefrightTest(R.raw.bug_37093318, (4 * 60 * 1000)); 1373 } 1374 1375 @Test 1376 @SecurityTest(minPatchLevel = "2018-05") testStagefright_bug_73172046()1377 public void testStagefright_bug_73172046() throws Exception { 1378 doStagefrightTest(R.raw.bug_73172046); 1379 1380 Bitmap bitmap = BitmapFactory.decodeResource( 1381 getInstrumentation().getContext().getResources(), R.raw.bug_73172046); 1382 // OK if the decoding failed, but shouldn't cause crashes 1383 if (bitmap != null) { 1384 bitmap.recycle(); 1385 } 1386 } 1387 1388 @Test 1389 @SecurityTest(minPatchLevel = "2016-03") testStagefright_cve_2016_0824()1390 public void testStagefright_cve_2016_0824() throws Exception { 1391 doStagefrightTest(R.raw.cve_2016_0824); 1392 } 1393 1394 @Test 1395 @SecurityTest(minPatchLevel = "2016-03") testStagefright_cve_2016_0815()1396 public void testStagefright_cve_2016_0815() throws Exception { 1397 doStagefrightTest(R.raw.cve_2016_0815); 1398 } 1399 1400 @Test 1401 @SecurityTest(minPatchLevel = "2016-05") testStagefright_cve_2016_2454()1402 public void testStagefright_cve_2016_2454() throws Exception { 1403 doStagefrightTest(R.raw.cve_2016_2454); 1404 } 1405 1406 @Test 1407 @SecurityTest(minPatchLevel = "2016-12") testStagefright_cve_2016_6765()1408 public void testStagefright_cve_2016_6765() throws Exception { 1409 doStagefrightTest(R.raw.cve_2016_6765, new CrashUtils.Config().checkMinAddress(false)); 1410 } 1411 1412 @Test 1413 @SecurityTest(minPatchLevel = "2016-07") testStagefright_cve_2016_2508()1414 public void testStagefright_cve_2016_2508() throws Exception { 1415 doStagefrightTest(R.raw.cve_2016_2508, new CrashUtils.Config().checkMinAddress(false)); 1416 } 1417 1418 @Test 1419 @SecurityTest(minPatchLevel = "2016-11") testStagefright_cve_2016_6699()1420 public void testStagefright_cve_2016_6699() throws Exception { 1421 doStagefrightTest(R.raw.cve_2016_6699); 1422 } 1423 1424 @Test 1425 @SecurityTest(minPatchLevel = "2018-06") testStagefright_cve_2017_18155()1426 public void testStagefright_cve_2017_18155() throws Exception { 1427 doStagefrightTest(R.raw.cve_2017_18155); 1428 } 1429 1430 @Test 1431 @SecurityTest(minPatchLevel = "2018-07") testStagefright_cve_2018_9423()1432 public void testStagefright_cve_2018_9423() throws Exception { 1433 doStagefrightTest(R.raw.cve_2018_9423); 1434 } 1435 1436 @Test 1437 @SecurityTest(minPatchLevel = "2016-09") testStagefright_cve_2016_3879()1438 public void testStagefright_cve_2016_3879() throws Exception { 1439 doStagefrightTest(R.raw.cve_2016_3879, new CrashUtils.Config().checkMinAddress(false)); 1440 } 1441 doStagefrightTest(final int rid)1442 private void doStagefrightTest(final int rid) throws Exception { 1443 doStagefrightTest(rid, null); 1444 } 1445 doStagefrightTest(final int rid, CrashUtils.Config config)1446 private void doStagefrightTest(final int rid, CrashUtils.Config config) throws Exception { 1447 NetworkSecurityPolicy policy = NetworkSecurityPolicy.getInstance(); 1448 policy.setCleartextTrafficPermitted(true); 1449 doStagefrightTestMediaPlayer(rid, config); 1450 doStagefrightTestMediaCodec(rid, config); 1451 doStagefrightTestMediaMetadataRetriever(rid, config); 1452 1453 Context context = getInstrumentation().getContext(); 1454 CtsTestServer server = null; 1455 try { 1456 server = new CtsTestServer(context); 1457 } catch (BindException e) { 1458 // Instant Apps security policy does not allow 1459 // listening for incoming connections. 1460 // Server based tests cannot be run. 1461 return; 1462 } 1463 Resources resources = context.getResources(); 1464 String rname = resources.getResourceEntryName(rid); 1465 String url = server.getAssetUrl("raw/" + rname); 1466 verifyServer(rid, url); 1467 policy.setCleartextTrafficPermitted(false); 1468 doStagefrightTestMediaPlayer(url, config); 1469 doStagefrightTestMediaCodec(url, config); 1470 doStagefrightTestMediaMetadataRetriever(url, config); 1471 server.shutdown(); 1472 } 1473 1474 // verify that CtsTestServer is functional by retrieving the asset 1475 // and comparing it to the resource verifyServer(final int rid, final String uri)1476 private void verifyServer(final int rid, final String uri) throws Exception { 1477 Log.i(TAG, "checking server"); 1478 URL url = new URL(uri); 1479 InputStream in1 = new BufferedInputStream(url.openStream()); 1480 1481 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1482 .openRawResourceFd(rid); 1483 InputStream in2 = new BufferedInputStream(fd.createInputStream()); 1484 1485 while (true) { 1486 int b1 = in1.read(); 1487 int b2 = in2.read(); 1488 assertEquals("CtsTestServer fail", b1, b2); 1489 if (b1 < 0) { 1490 break; 1491 } 1492 } 1493 1494 in1.close(); 1495 in2.close(); 1496 Log.i(TAG, "checked server"); 1497 } 1498 doStagefrightTest(final int rid, int timeout)1499 private void doStagefrightTest(final int rid, int timeout) throws Exception { 1500 doStagefrightTest(rid, null, timeout); 1501 } 1502 doStagefrightTest( final int rid, CrashUtils.Config config, int timeout)1503 private void doStagefrightTest( 1504 final int rid, CrashUtils.Config config, int timeout) throws Exception { 1505 runWithTimeout(new Runnable() { 1506 @Override 1507 public void run() { 1508 try { 1509 doStagefrightTest(rid, config); 1510 } catch (Exception e) { 1511 fail(e.toString()); 1512 } 1513 } 1514 }, timeout); 1515 } 1516 doStagefrightTestANR(final int rid)1517 private void doStagefrightTestANR(final int rid) throws Exception { 1518 doStagefrightTestANR(rid, null); 1519 } 1520 doStagefrightTestANR( final int rid, CrashUtils.Config config)1521 private void doStagefrightTestANR( 1522 final int rid, CrashUtils.Config config) throws Exception { 1523 doStagefrightTestMediaPlayerANR(rid, null, config); 1524 } 1525 getCrashReport(String testname, long timeout)1526 public JSONArray getCrashReport(String testname, long timeout) 1527 throws InterruptedException { 1528 Log.i(TAG, CrashUtils.UPLOAD_REQUEST); 1529 File reportFile = new File(CrashUtils.DEVICE_PATH, testname); 1530 File lockFile = new File(CrashUtils.DEVICE_PATH, CrashUtils.LOCK_FILENAME); 1531 while ((!reportFile.exists() || !lockFile.exists()) && timeout > 0) { 1532 Thread.sleep(CHECK_INTERVAL); 1533 timeout -= CHECK_INTERVAL; 1534 } 1535 if (!reportFile.exists() || !reportFile.isFile() || !lockFile.exists()) { 1536 return null; 1537 } 1538 try (BufferedReader reader = new BufferedReader(new FileReader(reportFile))) { 1539 StringBuilder json = new StringBuilder(); 1540 String line = reader.readLine(); 1541 while (line != null) { 1542 json.append(line); 1543 line = reader.readLine(); 1544 } 1545 return new JSONArray(json.toString()); 1546 } catch (IOException | JSONException e) { 1547 Log.e(TAG, "Failed to deserialize crash list with error " + e.getMessage()); 1548 return null; 1549 } 1550 } 1551 1552 class MediaPlayerCrashListener 1553 implements MediaPlayer.OnErrorListener, 1554 MediaPlayer.OnPreparedListener, 1555 MediaPlayer.OnCompletionListener { 1556 1557 CrashUtils.Config config; 1558 1559 private final Pattern[] validProcessPatterns = { 1560 Pattern.compile("adsprpcd"), 1561 Pattern.compile("android\\.hardware\\.cas@\\d+?\\.\\d+?-service"), 1562 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service"), 1563 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.clearkey"), 1564 Pattern.compile("android\\.hardware\\.drm@\\d+?\\.\\d+?-service\\.widevine"), 1565 Pattern.compile("omx@\\d+?\\.\\d+?-service"), // name:omx@1.0-service 1566 Pattern.compile("android\\.process\\.media"), 1567 Pattern.compile("mediadrmserver"), 1568 Pattern.compile("mediaextractor"), 1569 Pattern.compile("media\\.extractor"), 1570 Pattern.compile("media\\.metrics"), 1571 Pattern.compile("mediaserver"), 1572 Pattern.compile("media\\.codec"), 1573 Pattern.compile("media\\.swcodec"), 1574 Pattern.compile("\\[?sdcard\\]?"), // name:/system/bin/sdcard, user:media_rw 1575 // Match any vendor processes. 1576 // It should only catch crashes that happen during the test. 1577 Pattern.compile("vendor.*"), 1578 }; 1579 MediaPlayerCrashListener()1580 MediaPlayerCrashListener() { 1581 this(null); 1582 } 1583 MediaPlayerCrashListener(CrashUtils.Config config)1584 MediaPlayerCrashListener(CrashUtils.Config config) { 1585 if (config == null) { 1586 config = new CrashUtils.Config(); 1587 } 1588 // if a different process is needed for a test, it should be added to the main list. 1589 config.setProcessPatterns(validProcessPatterns); 1590 this.config = config; 1591 } 1592 1593 @Override onError(MediaPlayer mp, int newWhat, int extra)1594 public boolean onError(MediaPlayer mp, int newWhat, int extra) { 1595 Log.i(TAG, "error: " + newWhat + "/" + extra); 1596 // don't overwrite a more severe error with a less severe one 1597 if (what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 1598 what = newWhat; 1599 } 1600 lock.lock(); 1601 condition.signal(); 1602 lock.unlock(); 1603 1604 return true; // don't call oncompletion 1605 } 1606 1607 @Override onPrepared(MediaPlayer mp)1608 public void onPrepared(MediaPlayer mp) { 1609 mp.start(); 1610 } 1611 1612 @Override onCompletion(MediaPlayer mp)1613 public void onCompletion(MediaPlayer mp) { 1614 // preserve error condition, if any 1615 lock.lock(); 1616 completed = true; 1617 condition.signal(); 1618 lock.unlock(); 1619 } 1620 waitForError()1621 public int waitForError() throws InterruptedException { 1622 lock.lock(); 1623 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 1624 Log.d(TAG, "timed out on waiting for error"); 1625 } 1626 lock.unlock(); 1627 if (what != 0) { 1628 // Sometimes mediaserver signals a decoding error first, and *then* crashes 1629 // due to additional in-flight buffers being processed, so wait a little 1630 // and see if more errors show up. 1631 SystemClock.sleep(1000); 1632 } 1633 if (what == MediaPlayer.MEDIA_ERROR_SERVER_DIED) { 1634 JSONArray crashes = getCrashReport(name.getMethodName(), 5000); 1635 if (crashes == null) { 1636 Log.e(TAG, "Crash results not found for test " + name.getMethodName()); 1637 return what; 1638 } else if (CrashUtils.securityCrashDetected(crashes, config)) { 1639 return what; 1640 } else { 1641 Log.i(TAG, "Crash ignored due to no security crash found for test " + 1642 name.getMethodName()); 1643 // 0 is the code for no error. 1644 return 0; 1645 } 1646 1647 } 1648 return what; 1649 } 1650 waitForErrorOrCompletion()1651 public boolean waitForErrorOrCompletion() throws InterruptedException { 1652 lock.lock(); 1653 if (condition.awaitNanos(TIMEOUT_NS) <= 0) { 1654 Log.d(TAG, "timed out on waiting for error or completion"); 1655 } 1656 lock.unlock(); 1657 return (what != 0 && what != MediaPlayer.MEDIA_ERROR_SERVER_DIED) || completed; 1658 } 1659 1660 ReentrantLock lock = new ReentrantLock(); 1661 Condition condition = lock.newCondition(); 1662 int what; 1663 boolean completed = false; 1664 } 1665 1666 class LooperThread extends Thread { 1667 private Looper mLooper; 1668 LooperThread(Runnable runner)1669 LooperThread(Runnable runner) { 1670 super(runner); 1671 } 1672 1673 @Override run()1674 public void run() { 1675 Looper.prepare(); 1676 mLooper = Looper.myLooper(); 1677 super.run(); 1678 } 1679 stopLooper()1680 public void stopLooper() { 1681 mLooper.quitSafely(); 1682 } 1683 } 1684 doStagefrightTestMediaPlayer(final int rid)1685 private void doStagefrightTestMediaPlayer(final int rid) throws Exception { 1686 doStagefrightTestMediaPlayer(rid, null, null); 1687 } 1688 doStagefrightTestMediaPlayer( final int rid, CrashUtils.Config config)1689 private void doStagefrightTestMediaPlayer( 1690 final int rid, CrashUtils.Config config) throws Exception { 1691 doStagefrightTestMediaPlayer(rid, null, config); 1692 } 1693 doStagefrightTestMediaPlayer(final String url)1694 private void doStagefrightTestMediaPlayer(final String url) throws Exception { 1695 doStagefrightTestMediaPlayer(url, null); 1696 } 1697 doStagefrightTestMediaPlayer( final String url, CrashUtils.Config config)1698 private void doStagefrightTestMediaPlayer( 1699 final String url, CrashUtils.Config config) throws Exception { 1700 doStagefrightTestMediaPlayer(-1, url, config); 1701 } 1702 closeQuietly(AutoCloseable closeable)1703 private void closeQuietly(AutoCloseable closeable) { 1704 if (closeable != null) { 1705 try { 1706 closeable.close(); 1707 } catch (RuntimeException rethrown) { 1708 throw rethrown; 1709 } catch (Exception ignored) { 1710 } 1711 } 1712 } 1713 doStagefrightTestMediaPlayer(final int rid, final String uri)1714 private void doStagefrightTestMediaPlayer(final int rid, final String uri) throws Exception { 1715 doStagefrightTestMediaPlayer(rid, uri, null); 1716 } 1717 doStagefrightTestMediaPlayer(final int rid, final String uri, CrashUtils.Config config)1718 private void doStagefrightTestMediaPlayer(final int rid, final String uri, 1719 CrashUtils.Config config) throws Exception { 1720 1721 String name = uri != null ? uri : 1722 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 1723 Log.i(TAG, "start mediaplayer test for: " + name); 1724 1725 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 1726 1727 LooperThread t = new LooperThread(new Runnable() { 1728 @Override 1729 public void run() { 1730 1731 MediaPlayer mp = new MediaPlayer(); 1732 mp.setOnErrorListener(mpcl); 1733 mp.setOnPreparedListener(mpcl); 1734 mp.setOnCompletionListener(mpcl); 1735 RenderTarget renderTarget = RenderTarget.create(); 1736 Surface surface = renderTarget.getSurface(); 1737 mp.setSurface(surface); 1738 AssetFileDescriptor fd = null; 1739 try { 1740 if (uri == null) { 1741 fd = getInstrumentation().getContext().getResources() 1742 .openRawResourceFd(rid); 1743 1744 mp.setDataSource(fd.getFileDescriptor(), 1745 fd.getStartOffset(), 1746 fd.getLength()); 1747 1748 } else { 1749 mp.setDataSource(uri); 1750 } 1751 mp.prepareAsync(); 1752 } catch (Exception e) { 1753 } finally { 1754 closeQuietly(fd); 1755 } 1756 1757 Looper.loop(); 1758 mp.release(); 1759 renderTarget.destroy(); 1760 } 1761 }); 1762 1763 t.start(); 1764 String cve = name.replace("_", "-").toUpperCase(); 1765 assertFalse("Device *IS* vulnerable to " + cve, 1766 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1767 t.stopLooper(); 1768 t.join(); // wait for thread to exit so we're sure the player was released 1769 } 1770 1771 /* 1772 * b/135207745 1773 */ 1774 @Test 1775 @SecurityTest(minPatchLevel = "2019-08") testStagefright_cve_2019_2129()1776 public void testStagefright_cve_2019_2129() throws Exception { 1777 final int rid = R.raw.cve_2019_2129; 1778 String name = getInstrumentation().getContext().getResources().getResourceEntryName(rid); 1779 Log.i(TAG, "start mediaplayer test for: " + name); 1780 1781 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener() { 1782 @Override 1783 public void onPrepared(MediaPlayer mp) { 1784 super.onPrepared(mp); 1785 mp.setLooping(true); 1786 } 1787 }; 1788 1789 LooperThread t = new LooperThread(new Runnable() { 1790 @Override 1791 public void run() { 1792 MediaPlayer mp = new MediaPlayer(); 1793 mp.setOnErrorListener(mpcl); 1794 mp.setOnPreparedListener(mpcl); 1795 mp.setOnCompletionListener(mpcl); 1796 RenderTarget renderTarget = RenderTarget.create(); 1797 Surface surface = renderTarget.getSurface(); 1798 mp.setSurface(surface); 1799 AssetFileDescriptor fd = null; 1800 try { 1801 fd = getInstrumentation().getContext().getResources().openRawResourceFd(rid); 1802 mp.setOnTimedTextListener(new MediaPlayer.OnTimedTextListener() { 1803 @Override 1804 public void onTimedText(MediaPlayer p, TimedText text) { 1805 if (text != null) { 1806 Log.d(TAG, "text = " + text.getText()); 1807 } 1808 } 1809 }); 1810 mp.setDataSource(fd.getFileDescriptor(), 1811 fd.getStartOffset(), 1812 fd.getLength()); 1813 // keep the original as in poc by not using prepareAsync 1814 mp.prepare(); 1815 mp.selectTrack(2); 1816 } catch (Exception e) { 1817 Log.e(TAG, "Exception is caught " + e.getMessage()); 1818 e.printStackTrace(); 1819 } finally { 1820 closeQuietly(fd); 1821 } 1822 1823 try { 1824 // here to catch & swallow the runtime crash in exception 1825 // after the place where original poc failed in 1826 // java.lang.IllegalArgumentException: parseParcel() 1827 // which is beyond test control. 1828 Looper.loop(); 1829 } catch (RuntimeException e) { 1830 Log.e(TAG, "Exception is caught on Looper.loop() " + e.getMessage()); 1831 e.printStackTrace(); 1832 } 1833 mp.release(); 1834 renderTarget.destroy(); 1835 } 1836 }); 1837 1838 t.start(); 1839 String cve = name.replace("_", "-").toUpperCase(); 1840 assertFalse("Device *IS* vulnerable to " + cve, 1841 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 1842 t.stopLooper(); 1843 t.join(); // wait for thread to exit so we're sure the player was released 1844 } 1845 doStagefrightTestMediaCodec(final int rid)1846 private void doStagefrightTestMediaCodec(final int rid) throws Exception { 1847 doStagefrightTestMediaCodec(rid, null, null); 1848 } 1849 doStagefrightTestMediaCodec( final int rid, CrashUtils.Config config)1850 private void doStagefrightTestMediaCodec( 1851 final int rid, CrashUtils.Config config) throws Exception { 1852 doStagefrightTestMediaCodec(rid, null, config); 1853 } 1854 doStagefrightTestMediaCodec(final String url)1855 private void doStagefrightTestMediaCodec(final String url) throws Exception { 1856 doStagefrightTestMediaCodec(url, null); 1857 } 1858 doStagefrightTestMediaCodec( final String url, CrashUtils.Config config)1859 private void doStagefrightTestMediaCodec( 1860 final String url, CrashUtils.Config config) throws Exception { 1861 doStagefrightTestMediaCodec(-1, url, config); 1862 } 1863 doStagefrightTestMediaCodec(final int rid, final String url)1864 private void doStagefrightTestMediaCodec(final int rid, final String url) throws Exception { 1865 doStagefrightTestMediaCodec(rid, url, null); 1866 } 1867 doStagefrightTestMediaCodec( final int rid, final String url, CrashUtils.Config config)1868 private void doStagefrightTestMediaCodec( 1869 final int rid, final String url, CrashUtils.Config config) throws Exception { 1870 1871 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 1872 1873 LooperThread thr = new LooperThread(new Runnable() { 1874 @Override 1875 public void run() { 1876 1877 MediaPlayer mp = new MediaPlayer(); 1878 mp.setOnErrorListener(mpcl); 1879 try { 1880 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 1881 .openRawResourceFd(R.raw.good); 1882 1883 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 1884 // setDataSource has been called 1885 mp.setDataSource(fd.getFileDescriptor(), 1886 fd.getStartOffset(), 1887 fd.getLength()); 1888 fd.close(); 1889 } catch (Exception e) { 1890 // this is a known-good file, so no failure should occur 1891 fail("setDataSource of known-good file failed"); 1892 } 1893 1894 synchronized(mpcl) { 1895 mpcl.notify(); 1896 } 1897 Looper.loop(); 1898 mp.release(); 1899 } 1900 }); 1901 thr.start(); 1902 // wait until the thread has initialized the MediaPlayer 1903 synchronized(mpcl) { 1904 mpcl.wait(); 1905 } 1906 1907 Resources resources = getInstrumentation().getContext().getResources(); 1908 MediaExtractor ex = new MediaExtractor(); 1909 if (url == null) { 1910 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 1911 try { 1912 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 1913 } catch (IOException e) { 1914 // ignore 1915 } finally { 1916 closeQuietly(fd); 1917 } 1918 } else { 1919 try { 1920 ex.setDataSource(url); 1921 } catch (Exception e) { 1922 // indicative of problems with our tame CTS test web server 1923 } 1924 } 1925 int numtracks = ex.getTrackCount(); 1926 String rname = url != null ? url: resources.getResourceEntryName(rid); 1927 Log.i(TAG, "start mediacodec test for: " + rname + ", which has " + numtracks + " tracks"); 1928 for (int t = 0; t < numtracks; t++) { 1929 // find all the available decoders for this format 1930 ArrayList<String> matchingCodecs = new ArrayList<String>(); 1931 MediaFormat format = null; 1932 try { 1933 format = ex.getTrackFormat(t); 1934 } catch (IllegalArgumentException e) { 1935 Log.e(TAG, "could not get track format for track " + t); 1936 continue; 1937 } 1938 String mime = format.getString(MediaFormat.KEY_MIME); 1939 int numCodecs = MediaCodecList.getCodecCount(); 1940 for (int i = 0; i < numCodecs; i++) { 1941 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 1942 if (info.isEncoder()) { 1943 continue; 1944 } 1945 try { 1946 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 1947 if (caps != null) { 1948 matchingCodecs.add(info.getName()); 1949 Log.i(TAG, "Found matching codec " + info.getName() + " for track " + t); 1950 } 1951 } catch (IllegalArgumentException e) { 1952 // type is not supported 1953 } 1954 } 1955 1956 if (matchingCodecs.size() == 0) { 1957 Log.w(TAG, "no codecs for track " + t + ", type " + mime); 1958 } 1959 // decode this track once with each matching codec 1960 try { 1961 ex.selectTrack(t); 1962 } catch (IllegalArgumentException e) { 1963 Log.w(TAG, "couldn't select track " + t); 1964 // continue on with codec initialization anyway, since that might still crash 1965 } 1966 for (String codecName: matchingCodecs) { 1967 Log.i(TAG, "Decoding track " + t + " using codec " + codecName); 1968 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 1969 MediaCodec codec = MediaCodec.createByCodecName(codecName); 1970 RenderTarget renderTarget = RenderTarget.create(); 1971 Surface surface = null; 1972 if (mime.startsWith("video/")) { 1973 surface = renderTarget.getSurface(); 1974 } 1975 try { 1976 codec.configure(format, surface, null, 0); 1977 codec.start(); 1978 } catch (Exception e) { 1979 Log.i(TAG, "Failed to start/configure:", e); 1980 } 1981 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 1982 try { 1983 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 1984 while (true) { 1985 int flags = ex.getSampleFlags(); 1986 long time = ex.getSampleTime(); 1987 ex.getCachedDuration(); 1988 int bufidx = codec.dequeueInputBuffer(5000); 1989 if (bufidx >= 0) { 1990 int n = ex.readSampleData(inputBuffers[bufidx], 0); 1991 if (n < 0) { 1992 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 1993 time = 0; 1994 n = 0; 1995 } 1996 codec.queueInputBuffer(bufidx, 0, n, time, flags); 1997 ex.advance(); 1998 } 1999 int status = codec.dequeueOutputBuffer(info, 5000); 2000 if (status >= 0) { 2001 if ((info.flags & MediaCodec.BUFFER_FLAG_END_OF_STREAM) != 0) { 2002 break; 2003 } 2004 if (info.presentationTimeUs > TIMEOUT_NS / 1000) { 2005 Log.d(TAG, "stopping after 10 seconds worth of data"); 2006 break; 2007 } 2008 codec.releaseOutputBuffer(status, true); 2009 } 2010 } 2011 } catch (Exception e) { 2012 // local exceptions ignored, not security issues 2013 } finally { 2014 codec.release(); 2015 renderTarget.destroy(); 2016 } 2017 } 2018 ex.unselectTrack(t); 2019 } 2020 ex.release(); 2021 String cve = rname.replace("_", "-").toUpperCase(); 2022 assertFalse("Device *IS* vulnerable to " + cve, 2023 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2024 thr.stopLooper(); 2025 thr.join(); 2026 } 2027 doStagefrightTestMediaMetadataRetriever(final int rid)2028 private void doStagefrightTestMediaMetadataRetriever(final int rid) throws Exception { 2029 doStagefrightTestMediaMetadataRetriever(rid, null, null); 2030 } doStagefrightTestMediaMetadataRetriever( final int rid, CrashUtils.Config config)2031 private void doStagefrightTestMediaMetadataRetriever( 2032 final int rid, CrashUtils.Config config) throws Exception { 2033 doStagefrightTestMediaMetadataRetriever(rid, null, config); 2034 } 2035 doStagefrightTestMediaMetadataRetriever(final String url)2036 private void doStagefrightTestMediaMetadataRetriever(final String url) throws Exception { 2037 doStagefrightTestMediaMetadataRetriever(url, null); 2038 } 2039 doStagefrightTestMediaMetadataRetriever( final String url, CrashUtils.Config config)2040 private void doStagefrightTestMediaMetadataRetriever( 2041 final String url, CrashUtils.Config config) throws Exception { 2042 doStagefrightTestMediaMetadataRetriever(-1, url, config); 2043 } 2044 doStagefrightTestMediaMetadataRetriever( final int rid, final String url)2045 private void doStagefrightTestMediaMetadataRetriever( 2046 final int rid, final String url) throws Exception { 2047 doStagefrightTestMediaMetadataRetriever(rid, url, null); 2048 } 2049 doStagefrightTestMediaMetadataRetriever( final int rid, final String url, CrashUtils.Config config)2050 private void doStagefrightTestMediaMetadataRetriever( 2051 final int rid, final String url, CrashUtils.Config config) throws Exception { 2052 2053 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2054 2055 LooperThread thr = new LooperThread(new Runnable() { 2056 @Override 2057 public void run() { 2058 2059 MediaPlayer mp = new MediaPlayer(); 2060 mp.setOnErrorListener(mpcl); 2061 AssetFileDescriptor fd = null; 2062 try { 2063 fd = getInstrumentation().getContext().getResources() 2064 .openRawResourceFd(R.raw.good); 2065 2066 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2067 // setDataSource has been called 2068 mp.setDataSource(fd.getFileDescriptor(), 2069 fd.getStartOffset(), 2070 fd.getLength()); 2071 fd.close(); 2072 } catch (Exception e) { 2073 // this is a known-good file, so no failure should occur 2074 fail("setDataSource of known-good file failed"); 2075 } 2076 2077 synchronized(mpcl) { 2078 mpcl.notify(); 2079 } 2080 Looper.loop(); 2081 mp.release(); 2082 } 2083 }); 2084 thr.start(); 2085 // wait until the thread has initialized the MediaPlayer 2086 synchronized(mpcl) { 2087 mpcl.wait(); 2088 } 2089 2090 Resources resources = getInstrumentation().getContext().getResources(); 2091 MediaMetadataRetriever retriever = new MediaMetadataRetriever(); 2092 if (url == null) { 2093 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2094 try { 2095 retriever.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2096 } catch (Exception e) { 2097 // ignore 2098 } finally { 2099 closeQuietly(fd); 2100 } 2101 } else { 2102 try { 2103 retriever.setDataSource(url, new HashMap<String, String>()); 2104 } catch (Exception e) { 2105 // indicative of problems with our tame CTS test web server 2106 } 2107 } 2108 retriever.extractMetadata(MediaMetadataRetriever.METADATA_KEY_DURATION); 2109 retriever.getEmbeddedPicture(); 2110 retriever.getFrameAtTime(); 2111 2112 retriever.release(); 2113 String rname = url != null ? url : resources.getResourceEntryName(rid); 2114 String cve = rname.replace("_", "-").toUpperCase(); 2115 assertFalse("Device *IS* vulnerable to " + cve, 2116 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2117 thr.stopLooper(); 2118 thr.join(); 2119 } 2120 2121 @Test 2122 @SecurityTest(minPatchLevel = "2017-07") testBug36215950()2123 public void testBug36215950() throws Exception { 2124 doStagefrightTestRawBlob(R.raw.bug_36215950, "video/hevc", 320, 240); 2125 } 2126 2127 @Test 2128 @SecurityTest(minPatchLevel = "2017-08") testBug36816007()2129 public void testBug36816007() throws Exception { 2130 doStagefrightTestRawBlob(R.raw.bug_36816007, "video/avc", 320, 240, 2131 new CrashUtils.Config().checkMinAddress(false)); 2132 } 2133 2134 @Test 2135 @SecurityTest(minPatchLevel = "2017-05") testBug36895511()2136 public void testBug36895511() throws Exception { 2137 doStagefrightTestRawBlob(R.raw.bug_36895511, "video/hevc", 320, 240, 2138 new CrashUtils.Config().checkMinAddress(false)); 2139 } 2140 2141 @Test 2142 @SecurityTest(minPatchLevel = "2017-11") testBug64836894()2143 public void testBug64836894() throws Exception { 2144 doStagefrightTestRawBlob(R.raw.bug_64836894, "video/avc", 320, 240); 2145 } 2146 2147 @Test 2148 @SecurityTest(minPatchLevel = "2017-08") testCve_2017_0687()2149 public void testCve_2017_0687() throws Exception { 2150 doStagefrightTestRawBlob(R.raw.cve_2017_0687, "video/avc", 320, 240); 2151 } 2152 2153 @Test 2154 @SecurityTest(minPatchLevel = "2017-07") testCve_2017_0696()2155 public void testCve_2017_0696() throws Exception { 2156 doStagefrightTestRawBlob(R.raw.cve_2017_0696, "video/avc", 320, 240); 2157 } 2158 2159 @Test 2160 @SecurityTest(minPatchLevel = "2018-01") testBug_37930177()2161 public void testBug_37930177() throws Exception { 2162 doStagefrightTestRawBlob(R.raw.bug_37930177_hevc, "video/hevc", 320, 240); 2163 } 2164 2165 @Test 2166 @SecurityTest(minPatchLevel = "2017-08") testBug_37712181()2167 public void testBug_37712181() throws Exception { 2168 doStagefrightTestRawBlob(R.raw.bug_37712181_hevc, "video/hevc", 320, 240); 2169 } 2170 2171 @Test 2172 @SecurityTest(minPatchLevel = "2018-04") testBug_70897394()2173 public void testBug_70897394() throws Exception { 2174 doStagefrightTestRawBlob(R.raw.bug_70897394_avc, "video/avc", 320, 240, 2175 new CrashUtils.Config().checkMinAddress(false)); 2176 } 2177 2178 @Test 2179 @SecurityTest(minPatchLevel = "Unknown") testBug_123700383()2180 public void testBug_123700383() throws Exception { 2181 assertExtractorDoesNotHang(R.raw.bug_123700383); 2182 } 2183 2184 @Test 2185 @SecurityTest(minPatchLevel = "Unknown") testBug_127310810()2186 public void testBug_127310810() throws Exception { 2187 assertExtractorDoesNotHang(R.raw.bug_127310810); 2188 } 2189 2190 @Test 2191 @SecurityTest(minPatchLevel = "Unknown") testBug_127312550()2192 public void testBug_127312550() throws Exception { 2193 assertExtractorDoesNotHang(R.raw.bug_127312550); 2194 } 2195 2196 @Test 2197 @SecurityTest(minPatchLevel = "Unknown") testBug_127313223()2198 public void testBug_127313223() throws Exception { 2199 assertExtractorDoesNotHang(R.raw.bug_127313223); 2200 } 2201 2202 @Test 2203 @SecurityTest(minPatchLevel = "Unknown") testBug_127313537()2204 public void testBug_127313537() throws Exception { 2205 assertExtractorDoesNotHang(R.raw.bug_127313537); 2206 } 2207 2208 @Test 2209 @SecurityTest(minPatchLevel = "Unknown") testBug_127313764()2210 public void testBug_127313764() throws Exception { 2211 assertExtractorDoesNotHang(R.raw.bug_127313764); 2212 } 2213 getFrameSizes(int rid)2214 private int[] getFrameSizes(int rid) throws IOException { 2215 final Context context = getInstrumentation().getContext(); 2216 final Resources resources = context.getResources(); 2217 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2218 FileInputStream fis = fd.createInputStream(); 2219 byte[] frameInfo = new byte[(int) fd.getLength()]; 2220 fis.read(frameInfo); 2221 fis.close(); 2222 String[] valueStr = new String(frameInfo).trim().split("\\s+"); 2223 int[] frameSizes = new int[valueStr.length]; 2224 for (int i = 0; i < valueStr.length; i++) 2225 frameSizes[i] = Integer.parseInt(valueStr[i]); 2226 return frameSizes; 2227 } 2228 runWithTimeout(Runnable runner, int timeout)2229 private void runWithTimeout(Runnable runner, int timeout) { 2230 Thread t = new Thread(runner); 2231 t.start(); 2232 try { 2233 t.join(timeout); 2234 } catch (InterruptedException e) { 2235 fail("operation was interrupted"); 2236 } 2237 if (t.isAlive()) { 2238 fail("operation not completed within timeout of " + timeout + "ms"); 2239 } 2240 } 2241 releaseCodec(final MediaCodec codec)2242 private void releaseCodec(final MediaCodec codec) { 2243 runWithTimeout(new Runnable() { 2244 @Override 2245 public void run() { 2246 codec.release(); 2247 } 2248 }, 5000); 2249 } 2250 doStagefrightTestRawBlob( int rid, String mime, int initWidth, int initHeight)2251 private void doStagefrightTestRawBlob( 2252 int rid, String mime, int initWidth, int initHeight) throws Exception { 2253 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, new CrashUtils.Config()); 2254 } 2255 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, CrashUtils.Config config)2256 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2257 CrashUtils.Config config) throws Exception { 2258 2259 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2260 final Context context = getInstrumentation().getContext(); 2261 final Resources resources = context.getResources(); 2262 2263 LooperThread thr = new LooperThread(new Runnable() { 2264 @Override 2265 public void run() { 2266 2267 MediaPlayer mp = new MediaPlayer(); 2268 mp.setOnErrorListener(mpcl); 2269 AssetFileDescriptor fd = null; 2270 try { 2271 fd = resources.openRawResourceFd(R.raw.good); 2272 2273 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2274 // setDataSource has been called 2275 mp.setDataSource(fd.getFileDescriptor(), 2276 fd.getStartOffset(), 2277 fd.getLength()); 2278 fd.close(); 2279 } catch (Exception e) { 2280 // this is a known-good file, so no failure should occur 2281 fail("setDataSource of known-good file failed"); 2282 } 2283 2284 synchronized(mpcl) { 2285 mpcl.notify(); 2286 } 2287 Looper.loop(); 2288 mp.release(); 2289 } 2290 }); 2291 thr.start(); 2292 // wait until the thread has initialized the MediaPlayer 2293 synchronized(mpcl) { 2294 mpcl.wait(); 2295 } 2296 2297 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2298 byte [] blob = new byte[(int)fd.getLength()]; 2299 FileInputStream fis = fd.createInputStream(); 2300 int numRead = fis.read(blob); 2301 fis.close(); 2302 //Log.i("@@@@", "read " + numRead + " bytes"); 2303 2304 // find all the available decoders for this format 2305 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2306 int numCodecs = MediaCodecList.getCodecCount(); 2307 for (int i = 0; i < numCodecs; i++) { 2308 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2309 if (info.isEncoder()) { 2310 continue; 2311 } 2312 try { 2313 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2314 if (caps != null) { 2315 matchingCodecs.add(info.getName()); 2316 } 2317 } catch (IllegalArgumentException e) { 2318 // type is not supported 2319 } 2320 } 2321 2322 if (matchingCodecs.size() == 0) { 2323 Log.w(TAG, "no codecs for mime type " + mime); 2324 } 2325 String rname = resources.getResourceEntryName(rid); 2326 // decode this blob once with each matching codec 2327 for (String codecName: matchingCodecs) { 2328 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2329 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2330 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 2331 codec.configure(format, null, null, 0); 2332 codec.start(); 2333 2334 try { 2335 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2336 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2337 // enqueue the bad data a number of times, in case 2338 // the codec needs multiple buffers to fail. 2339 for(int i = 0; i < 64; i++) { 2340 int bufidx = codec.dequeueInputBuffer(5000); 2341 if (bufidx >= 0) { 2342 Log.i(TAG, "got input buffer of size " + inputBuffers[bufidx].capacity()); 2343 inputBuffers[bufidx].rewind(); 2344 inputBuffers[bufidx].put(blob, 0, numRead); 2345 codec.queueInputBuffer(bufidx, 0, numRead, 0, 0); 2346 } else { 2347 Log.i(TAG, "no input buffer"); 2348 } 2349 bufidx = codec.dequeueOutputBuffer(info, 5000); 2350 if (bufidx >= 0) { 2351 Log.i(TAG, "got output buffer"); 2352 codec.releaseOutputBuffer(bufidx, false); 2353 } else { 2354 Log.i(TAG, "no output buffer"); 2355 } 2356 } 2357 } catch (Exception e) { 2358 // ignore, not a security issue 2359 } finally { 2360 releaseCodec(codec); 2361 } 2362 } 2363 2364 String cve = rname.replace("_", "-").toUpperCase(); 2365 assertFalse("Device *IS* vulnerable to " + cve, 2366 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2367 thr.stopLooper(); 2368 thr.join(); 2369 } 2370 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[])2371 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2372 int frameSizes[]) throws Exception { 2373 // check crash address by default 2374 doStagefrightTestRawBlob(rid, mime, initWidth, initHeight, frameSizes, new CrashUtils.Config()); 2375 } 2376 doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, int frameSizes[], CrashUtils.Config config)2377 private void doStagefrightTestRawBlob(int rid, String mime, int initWidth, int initHeight, 2378 int frameSizes[], CrashUtils.Config config) throws Exception { 2379 2380 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2381 final Context context = getInstrumentation().getContext(); 2382 final Resources resources = context.getResources(); 2383 2384 LooperThread thr = new LooperThread(new Runnable() { 2385 @Override 2386 public void run() { 2387 2388 MediaPlayer mp = new MediaPlayer(); 2389 mp.setOnErrorListener(mpcl); 2390 AssetFileDescriptor fd = null; 2391 try { 2392 fd = resources.openRawResourceFd(R.raw.good); 2393 2394 // the onErrorListener won't receive MEDIA_ERROR_SERVER_DIED until 2395 // setDataSource has been called 2396 mp.setDataSource(fd.getFileDescriptor(), 2397 fd.getStartOffset(), 2398 fd.getLength()); 2399 fd.close(); 2400 } catch (Exception e) { 2401 // this is a known-good file, so no failure should occur 2402 fail("setDataSource of known-good file failed"); 2403 } 2404 2405 synchronized(mpcl) { 2406 mpcl.notify(); 2407 } 2408 Looper.loop(); 2409 mp.release(); 2410 } 2411 }); 2412 thr.start(); 2413 // wait until the thread has initialized the MediaPlayer 2414 synchronized(mpcl) { 2415 mpcl.wait(); 2416 } 2417 2418 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2419 byte [] blob = new byte[(int)fd.getLength()]; 2420 FileInputStream fis = fd.createInputStream(); 2421 int numRead = fis.read(blob); 2422 fis.close(); 2423 2424 // find all the available decoders for this format 2425 ArrayList<String> matchingCodecs = new ArrayList<String>(); 2426 int numCodecs = MediaCodecList.getCodecCount(); 2427 for (int i = 0; i < numCodecs; i++) { 2428 MediaCodecInfo info = MediaCodecList.getCodecInfoAt(i); 2429 if (info.isEncoder()) { 2430 continue; 2431 } 2432 try { 2433 MediaCodecInfo.CodecCapabilities caps = info.getCapabilitiesForType(mime); 2434 if (caps != null) { 2435 matchingCodecs.add(info.getName()); 2436 } 2437 } catch (IllegalArgumentException e) { 2438 // type is not supported 2439 } 2440 } 2441 2442 if (matchingCodecs.size() == 0) { 2443 Log.w(TAG, "no codecs for mime type " + mime); 2444 } 2445 String rname = resources.getResourceEntryName(rid); 2446 // decode this blob once with each matching codec 2447 for (String codecName: matchingCodecs) { 2448 Log.i(TAG, "Decoding blob " + rname + " using codec " + codecName); 2449 MediaCodec codec = MediaCodec.createByCodecName(codecName); 2450 MediaFormat format = MediaFormat.createVideoFormat(mime, initWidth, initHeight); 2451 try { 2452 codec.configure(format, null, null, 0); 2453 codec.start(); 2454 } catch (Exception e) { 2455 Log.i(TAG, "Exception from codec " + codecName); 2456 releaseCodec(codec); 2457 continue; 2458 } 2459 2460 try { 2461 MediaCodec.BufferInfo info = new MediaCodec.BufferInfo(); 2462 ByteBuffer [] inputBuffers = codec.getInputBuffers(); 2463 int numFrames = 0; 2464 if (frameSizes != null) { 2465 numFrames = frameSizes.length; 2466 } 2467 2468 if (0 == numFrames) { 2469 fail("Improper picture length file"); 2470 } 2471 2472 int offset = 0; 2473 int bytesToFeed = 0; 2474 int flags = 0; 2475 byte [] tempBlob = new byte[(int)inputBuffers[0].capacity()]; 2476 for (int j = 0; j < numFrames; j++) { 2477 int bufidx = codec.dequeueInputBuffer(5000); 2478 if (bufidx >= 0) { 2479 inputBuffers[bufidx].rewind(); 2480 bytesToFeed = Math.min((int)(fd.getLength() - offset), 2481 inputBuffers[bufidx].capacity()); 2482 if(j == (numFrames - 1)) { 2483 flags = MediaCodec.BUFFER_FLAG_END_OF_STREAM; 2484 } 2485 System.arraycopy(blob, offset, tempBlob, 0, bytesToFeed); 2486 inputBuffers[bufidx].put(tempBlob, 0, inputBuffers[bufidx].capacity()); 2487 codec.queueInputBuffer(bufidx, 0, bytesToFeed, 0, flags); 2488 offset = offset + frameSizes[j]; 2489 } else { 2490 Log.i(TAG, "no input buffer"); 2491 } 2492 bufidx = codec.dequeueOutputBuffer(info, 5000); 2493 if (bufidx >= 0) { 2494 codec.releaseOutputBuffer(bufidx, false); 2495 } else { 2496 Log.i(TAG, "no output buffer"); 2497 } 2498 } 2499 } catch (Exception e) { 2500 // ignore, not a security issue 2501 } finally { 2502 releaseCodec(codec); 2503 } 2504 } 2505 2506 String cve = rname.replace("_", "-").toUpperCase(); 2507 assertFalse("Device *IS* vulnerable to " + cve, 2508 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2509 thr.stopLooper(); 2510 thr.join(); 2511 } 2512 doStagefrightTestMediaPlayerANR(final int rid, final String uri)2513 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri) throws Exception { 2514 doStagefrightTestMediaPlayerANR(rid, uri, null); 2515 } 2516 doStagefrightTestMediaPlayerANR(final int rid, final String uri, CrashUtils.Config config)2517 private void doStagefrightTestMediaPlayerANR(final int rid, final String uri, 2518 CrashUtils.Config config) throws Exception { 2519 String name = uri != null ? uri : 2520 getInstrumentation().getContext().getResources().getResourceEntryName(rid); 2521 Log.i(TAG, "start mediaplayerANR test for: " + name); 2522 2523 final MediaPlayerCrashListener mpl = new MediaPlayerCrashListener(config); 2524 2525 LooperThread t = new LooperThread(new Runnable() { 2526 @Override 2527 public void run() { 2528 MediaPlayer mp = new MediaPlayer(); 2529 mp.setOnErrorListener(mpl); 2530 mp.setOnPreparedListener(mpl); 2531 mp.setOnCompletionListener(mpl); 2532 RenderTarget renderTarget = RenderTarget.create(); 2533 Surface surface = renderTarget.getSurface(); 2534 mp.setSurface(surface); 2535 AssetFileDescriptor fd = null; 2536 try { 2537 if (uri == null) { 2538 fd = getInstrumentation().getContext().getResources() 2539 .openRawResourceFd(rid); 2540 2541 mp.setDataSource(fd.getFileDescriptor(), 2542 fd.getStartOffset(), 2543 fd.getLength()); 2544 } else { 2545 mp.setDataSource(uri); 2546 } 2547 mp.prepareAsync(); 2548 } catch (Exception e) { 2549 } finally { 2550 closeQuietly(fd); 2551 } 2552 2553 Looper.loop(); 2554 mp.release(); 2555 renderTarget.destroy(); 2556 } 2557 }); 2558 2559 t.start(); 2560 String cve = name.replace("_", "-").toUpperCase(); 2561 assertTrue("Device *IS* vulnerable to " + cve, mpl.waitForErrorOrCompletion()); 2562 t.stopLooper(); 2563 t.join(); // wait for thread to exit so we're sure the player was released 2564 } 2565 doStagefrightTestExtractorSeek(final int rid, final long offset)2566 private void doStagefrightTestExtractorSeek(final int rid, final long offset) throws Exception { 2567 doStagefrightTestExtractorSeek(rid, offset, new CrashUtils.Config()); // check crash address by default 2568 } 2569 doStagefrightTestExtractorSeek(final int rid, final long offset, CrashUtils.Config config)2570 private void doStagefrightTestExtractorSeek(final int rid, final long offset, 2571 CrashUtils.Config config) throws Exception { 2572 final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener(config); 2573 LooperThread thr = new LooperThread(new Runnable() { 2574 @Override 2575 public void run() { 2576 MediaPlayer mp = new MediaPlayer(); 2577 mp.setOnErrorListener(mpcl); 2578 try { 2579 AssetFileDescriptor fd = getInstrumentation().getContext().getResources() 2580 .openRawResourceFd(R.raw.good); 2581 mp.setDataSource(fd.getFileDescriptor(), 2582 fd.getStartOffset(), 2583 fd.getLength()); 2584 fd.close(); 2585 } catch (Exception e) { 2586 fail("setDataSource of known-good file failed"); 2587 } 2588 synchronized(mpcl) { 2589 mpcl.notify(); 2590 } 2591 Looper.loop(); 2592 mp.release(); 2593 } 2594 }); 2595 thr.start(); 2596 synchronized(mpcl) { 2597 mpcl.wait(); 2598 } 2599 Resources resources = getInstrumentation().getContext().getResources(); 2600 MediaExtractor ex = new MediaExtractor(); 2601 AssetFileDescriptor fd = resources.openRawResourceFd(rid); 2602 try { 2603 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2604 } catch (IOException e) { 2605 } finally { 2606 closeQuietly(fd); 2607 } 2608 int numtracks = ex.getTrackCount(); 2609 String rname = resources.getResourceEntryName(rid); 2610 Log.i(TAG, "start mediaextractor test for: " + rname + ", which has " + numtracks + " tracks"); 2611 for (int t = 0; t < numtracks; t++) { 2612 try { 2613 ex.selectTrack(t); 2614 } catch (IllegalArgumentException e) { 2615 Log.w(TAG, "couldn't select track " + t); 2616 } 2617 ex.seekTo(0, MediaExtractor.SEEK_TO_CLOSEST_SYNC); 2618 ex.advance(); 2619 ex.seekTo(offset, MediaExtractor.SEEK_TO_NEXT_SYNC); 2620 try 2621 { 2622 ex.unselectTrack(t); 2623 } 2624 catch (Exception e) { 2625 } 2626 } 2627 ex.release(); 2628 String cve = rname.replace("_", "-").toUpperCase(); 2629 assertFalse("Device *IS* vulnerable to " + cve, 2630 mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED); 2631 thr.stopLooper(); 2632 thr.join(); 2633 } 2634 assertExtractorDoesNotHang(int rid)2635 protected void assertExtractorDoesNotHang(int rid) throws Exception { 2636 // The media extractor has a watchdog, currently set to 10 seconds. 2637 final long timeoutMs = 12 * 1000; 2638 2639 Thread thread = new Thread(() -> { 2640 MediaExtractor ex = new MediaExtractor(); 2641 AssetFileDescriptor fd = 2642 getInstrumentation().getContext().getResources().openRawResourceFd(rid); 2643 try { 2644 ex.setDataSource(fd.getFileDescriptor(), fd.getStartOffset(), fd.getLength()); 2645 } catch (IOException e) { 2646 // It is OK for the call to fail, we're only making sure it doesn't hang. 2647 } finally { 2648 closeQuietly(fd); 2649 ex.release(); 2650 } 2651 }); 2652 thread.start(); 2653 2654 thread.join(timeoutMs); 2655 boolean hung = thread.isAlive(); 2656 if (hung) { 2657 // We don't have much to do at this point. Attempt to un-hang the thread, the media 2658 // extractor process is likely still spinning. At least we found a bug... 2659 // TODO: reboot the media extractor process. 2660 thread.interrupt(); 2661 } 2662 2663 assertFalse(hung); 2664 } 2665 getInstrumentation()2666 private Instrumentation getInstrumentation() { 2667 return mInstrumentation; 2668 } 2669 } 2670