unplugged-system/cts/hostsidetests/securitybulletin/securityPatch/CVE-2021-0689/poc.cpp

/**
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// This PoC is written taking reference from frameworks/base/native/graphics/jni/imagedecoder.cpp

#include <android/imagedecoder.h>
#include <binder/IPCThreadState.h>
#include <vector>
#include "../includes/common.h"

constexpr int32_t kMaxDimension = 5000;

struct DecoderDeleter {
    void operator()(AImageDecoder *decoder) const { AImageDecoder_delete(decoder); }
};

using DecoderPointer = std::unique_ptr<AImageDecoder, DecoderDeleter>;

DecoderPointer makeDecoder(const uint8_t *data, size_t size) {
    AImageDecoder *decoder = nullptr;
    int result = AImageDecoder_createFromBuffer(data, size, &decoder);
    if (result != ANDROID_IMAGE_DECODER_SUCCESS) {
        return nullptr;
    }
    return DecoderPointer(decoder);
}

int main(int argc, char **argv) {
    FAIL_CHECK(argc >= 2);
    android::ProcessState::self()->startThreadPool();
    char *filename = argv[1];
    FILE *file = fopen(filename, "r");
    FAIL_CHECK(file);
    fseek(file, 0, SEEK_END);
    size_t size = ftell(file);
    fseek(file, 0, SEEK_SET);
    std::vector<uint8_t> buffer(size);
    fread((void *)buffer.data(), 1, size, file);
    fclose(file);
    DecoderPointer decoder = makeDecoder(buffer.data(), size);
    FAIL_CHECK(decoder);
    const AImageDecoderHeaderInfo *info = AImageDecoder_getHeaderInfo(decoder.get());
    int32_t width = AImageDecoderHeaderInfo_getWidth(info);
    int32_t height = AImageDecoderHeaderInfo_getHeight(info);
    FAIL_CHECK(width <= kMaxDimension && height <= kMaxDimension);
    size_t stride = AImageDecoder_getMinimumStride(decoder.get());
    size_t pixelSize = height * stride;
    std::vector<uint8_t> pixels(pixelSize);
    time_t test_started = start_timer();
    while (timer_active(test_started)) {
        int32_t result = AImageDecoder_decodeImage(decoder.get(), pixels.data(), stride, pixelSize);
        if (result != ANDROID_IMAGE_DECODER_SUCCESS) {
            break;
        }
    }
    return EXIT_SUCCESS;
}
Initial commit: AOSP 14 with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00			`/**`
			`* Copyright (C) 2021 The Android Open Source Project`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`// This PoC is written taking reference from frameworks/base/native/graphics/jni/imagedecoder.cpp`

			`#include <android/imagedecoder.h>`
			`#include <binder/IPCThreadState.h>`
			`#include <vector>`
			`#include "../includes/common.h"`

			`constexpr int32_t kMaxDimension = 5000;`

			`struct DecoderDeleter {`
			`void operator()(AImageDecoder *decoder) const { AImageDecoder_delete(decoder); }`
			`};`

			`using DecoderPointer = std::unique_ptr<AImageDecoder, DecoderDeleter>;`

			`DecoderPointer makeDecoder(const uint8_t *data, size_t size) {`
			`AImageDecoder *decoder = nullptr;`
			`int result = AImageDecoder_createFromBuffer(data, size, &decoder);`
			`if (result != ANDROID_IMAGE_DECODER_SUCCESS) {`
			`return nullptr;`
			`}`
			`return DecoderPointer(decoder);`
			`}`

			`int main(int argc, char **argv) {`
			`FAIL_CHECK(argc >= 2);`
			`android::ProcessState::self()->startThreadPool();`
			`char *filename = argv[1];`
			`FILE *file = fopen(filename, "r");`
			`FAIL_CHECK(file);`
			`fseek(file, 0, SEEK_END);`
			`size_t size = ftell(file);`
			`fseek(file, 0, SEEK_SET);`
			`std::vector<uint8_t> buffer(size);`
			`fread((void *)buffer.data(), 1, size, file);`
			`fclose(file);`
			`DecoderPointer decoder = makeDecoder(buffer.data(), size);`
			`FAIL_CHECK(decoder);`
			`const AImageDecoderHeaderInfo *info = AImageDecoder_getHeaderInfo(decoder.get());`
			`int32_t width = AImageDecoderHeaderInfo_getWidth(info);`
			`int32_t height = AImageDecoderHeaderInfo_getHeight(info);`
			`FAIL_CHECK(width <= kMaxDimension && height <= kMaxDimension);`
			`size_t stride = AImageDecoder_getMinimumStride(decoder.get());`
			`size_t pixelSize = height * stride;`
			`std::vector<uint8_t> pixels(pixelSize);`
			`time_t test_started = start_timer();`
			`while (timer_active(test_started)) {`
			`int32_t result = AImageDecoder_decodeImage(decoder.get(), pixels.data(), stride, pixelSize);`
			`if (result != ANDROID_IMAGE_DECODER_SUCCESS) {`
			`break;`
			`}`
			`}`
			`return EXIT_SUCCESS;`
			`}`