1 /**
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #define _GNU_SOURCE
17 #include <sys/types.h>
18 #include <sys/wait.h>
19 #include <stdio.h>
20 #include <stdlib.h>
21 #include <unistd.h>
22 #include <sys/stat.h>
23 #include <fcntl.h>
24 #include <dlfcn.h>
25 #include <string.h>
26 #include <sys/mman.h>
27
28 typedef struct {
29 uint32_t width;
30 uint32_t height;
31 uint32_t format;
32 const unsigned char* pixels;
33 } gdx2d_pixmap;
34
35 gdx2d_pixmap *(*gdx2d_load)(const unsigned char *buffer, uint32_t len);
36 void (*gdx2d_free)(const gdx2d_pixmap* pixmap);
37
main()38 int main() {
39 void *libgdx = dlopen("libgdx.so", RTLD_LAZY);
40 if(libgdx == NULL) {
41 return -1;
42 }
43 gdx2d_load = dlsym(libgdx, "gdx2d_load");
44 gdx2d_free = dlsym(libgdx, "gdx2d_free");
45 if(gdx2d_load == NULL || gdx2d_free == NULL){
46 dlclose(libgdx);
47 return -2;
48 }
49
50 char *fname = "/data/local/tmp/CVE-2017-0477.gif";
51 int fd = open(fname, O_RDONLY);
52 struct stat st;
53 fstat(fd, &st);
54 void *ptr = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
55
56 gdx2d_pixmap *pixmap = gdx2d_load((unsigned char *) ptr, st.st_size);
57 if (pixmap) {
58 gdx2d_free(pixmap);
59 }
60 dlclose(libgdx);
61 return 0;
62 }
63
64
