[cts] test if libFLAC is patched against CVE-2014-9028

Overview of CVE-2014-9028: Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. (source: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9028) heap_oob_flac has a .mp3 extension to avoid compresstion by aapt. When a resource file is compressed openRawResourceFd would fail. Please refer to kNoCompressExt in frameworks/base/tools/aapt/Package.cpp for more details. Bug: 23238405 Change-Id: I7c13b19beb83c10fced360537a84b2f053ce8a26
2015-08-25 15:24:08 -07:00
parent 4852cc7100
commit 6eb14e89e5
2 changed files with 31 additions and 0 deletions
--- a/cts/tests/tests/media/res/raw/heap_oob_flac.mp3
+++ b/cts/tests/tests/media/res/raw/heap_oob_flac.mp3
--- a/cts/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
+++ b/cts/tests/tests/media/src/android/media/cts/MediaPlayerTest.java
@ -89,6 +89,37 @@ public class MediaPlayerTest extends MediaPlayerTestBase {
        }
    }
    public void testFlacHeapOverflow() throws Exception {
        testIfMediaServerDied(R.raw.heap_oob_flac);
    }
    private void testIfMediaServerDied(int res) throws Exception {
        mMediaPlayer.setOnErrorListener(new MediaPlayer.OnErrorListener() {
            @Override
            public boolean onError(MediaPlayer mp, int what, int extra) {
                assertTrue(mp == mMediaPlayer);
                assertTrue("mediaserver process died", what != MediaPlayer.MEDIA_ERROR_SERVER_DIED);
                return false;
            }
        });
        mMediaPlayer.setOnCompletionListener(new MediaPlayer.OnCompletionListener() {
            @Override
            public void onCompletion(MediaPlayer mp) {
                assertTrue(mp == mMediaPlayer);
                mOnCompletionCalled.signal();
            }
        });
        AssetFileDescriptor afd = mResources.openRawResourceFd(res);
        mMediaPlayer.setDataSource(afd.getFileDescriptor(), afd.getStartOffset(), afd.getLength());
        afd.close();
        mMediaPlayer.prepare();
        mMediaPlayer.start();
        mOnCompletionCalled.waitForSignal();
        mMediaPlayer.release();
    }
    // Bug 13652927
    public void testVorbisCrash() throws Exception {
        MediaPlayer mp = mMediaPlayer;