xref: /aosp_15_r20/cts/hostsidetests/securitybulletin/securityPatch/CVE-2023-4863/poc.cpp (revision b7c941bb3fa97aba169d73cee0bed2de8ac964bf)
1 /*
2  * Copyright (C) 2024 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "../includes/common.h"
18 #include "../includes/memutils.h"
19 #include "binary_loader.h"
20 #include "src/dec/vp8li_dec.h"
21 #include "src/dec/webpi_dec.h"
22 
// Selects which allocator checks are active; main() switches it around the
// call under test. Presumably read by the hooks declared in
// ../includes/memutils.h (confirm there).
char enable_selective_overload = ENABLE_NONE;

// Signature used to call VP8LDecodeHeader() through a raw address resolved at
// run time; both arguments are passed as untyped pointers.
using VP8LDecodeHeaderFunc = int (*)(void* dec, void* io);
26 
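/**
 * Regression driver for CVE-2023-4863: resolves VP8LDecodeHeader() inside the
 * given library and runs it on the image stored in the file "cve_2023_4863".
 *
 * argv[1]: absolute path to the shared library 'libhwui'.
 * argv[2]: offset of VP8LDecodeHeader() in that library (parsed by strtoul
 *          with base 0, so decimal, octal and 0x-prefixed hex are accepted).
 *
 * Every setup step is guarded with FAIL_CHECK (from the test's common headers;
 * presumably it aborts the run, confirm in common.h) so that a missing
 * argument, an unreadable input file or a short read is reported as a setup
 * failure instead of being mistaken for a verdict on the patch.
 *
 * Returns 0 if the call under test returns.
 */
int main(int argc, char* argv[]) {
    // Both arguments are dereferenced below; reject a short command line.
    FAIL_CHECK(argc >= 3);

    // Get the absolute path to the shared library 'libhwui'
    const char* libPath = argv[1];
    char* offsetEnd = nullptr;
    uintptr_t functionOffset = strtoul(argv[2], &offsetEnd, 0);
    // No digits consumed means argv[2] was not a number at all.
    FAIL_CHECK(offsetEnd != argv[2]);

    // Load 'libhwui' lib and get offset of VP8LDecodeHeader()
    BinaryLoader binaryLoader(libPath);
    uintptr_t functionAddress = binaryLoader.getFunctionAddress(functionOffset);
    FAIL_CHECK(functionAddress);

    // Read image data from file. A missing or empty file must stop the test:
    // the original code went on to call fread()/fclose() on a null stream.
    FILE* file = fopen("cve_2023_4863", "rb");
    FAIL_CHECK(file);
    FAIL_CHECK(fseek(file, 0, SEEK_END) == 0);  // Seek to the end of the file
    const long fileSize = ftell(file);          // File position == file size
    FAIL_CHECK(fileSize > 0);                   // ftell() reports errors as -1
    rewind(file);                               // Back to the start for reading
    size_t data_size = static_cast<size_t>(fileSize);

    // data_size is non-zero here, so the variable-length array is well formed.
    uint8_t data[data_size];
    const size_t bytesRead = fread(data, sizeof(uint8_t), data_size, file);
    fclose(file);
    // A short read would leave the tail of 'data' uninitialised.
    FAIL_CHECK(bytesRead == data_size);

    // Create VP8Io object
    VP8Io io{};
    // Zero-initialise: only three fields are filled in below, and
    // headers.offset is read afterwards even if WebPParseHeaders() did not
    // set it.
    WebPHeaderStructure headers{};
    headers.data = data;
    headers.data_size = data_size;
    headers.have_all_data = 1;
    WebPParseHeaders(&headers);
    // Keep the subtraction below from wrapping around to a huge size.
    FAIL_CHECK(headers.offset <= headers.data_size);
    io.data = headers.data + headers.offset;
    io.data_size = headers.data_size - headers.offset;

    // Call VP8LDecodeHeader() with VP8LDecoder instance and io.
    // Without fix, an OOB write occurs in BuildHuffmanTable() which leads to test failure.
    // With fix, a NPD is seen in BuildHuffmanTable() and the test passes.
    enable_selective_overload = ENABLE_ALL;
    // Allocate the decoder after enabling the checks, as the original did.
    void* decoder = VP8LNew();
    // Without a decoder instance the call below would not exercise the code
    // under test, so treat it as a setup failure.
    FAIL_CHECK(decoder);
    ((VP8LDecodeHeaderFunc)functionAddress)(decoder, &io);
    enable_selective_overload = ENABLE_FREE_CHECK | ENABLE_REALLOC_CHECK;
    return 0;
}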
67