author | android-build-team Robot <android-build-team-robot@google.com> | 2021-06-21 14:27:01 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2021-06-21 14:27:01 +0000 |
commit | 4f42e35205be46873efc93744c22ce2a1fc33854 (patch) | |
tree | d5dd35e02c3b6767a037533b50136a6034907d1b | |
parent | f0ff5a6b4659491e915abe941c7a194f06b09bec (diff) | |
parent | ae98dded0afe43f2a4ddd0cc01b5d878cc416920 (diff) | |
download | dng_sdk-4f42e35205be46873efc93744c22ce2a1fc33854.tar.gz |
Snap for 7478028 from ae98dded0afe43f2a4ddd0cc01b5d878cc416920 to mainline-adbd-releaseandroid-mainline-12.0.0_r97android-mainline-12.0.0_r85android-mainline-12.0.0_r68android-mainline-12.0.0_r41android-mainline-12.0.0_r21android-mainline-12.0.0_r1android12-mainline-adbd-release
Change-Id: I2bc134440a79b8c1535d1b090e0058f66f5d45ae
-rw-r--r-- | Android.bp | 43 | ||||
-rw-r--r-- | METADATA | 6 | ||||
-rw-r--r-- | fuzzer/Android.bp | 39 | ||||
-rw-r--r-- | fuzzer/README.md | 47 | ||||
-rw-r--r-- | fuzzer/dng_parser_fuzzer.cpp | 36 | ||||
-rwxr-xr-x | fuzzer/seeds/CVE_2020_9589/original.dng | bin | 0 -> 266600 bytes | |||
-rwxr-xr-x | fuzzer/seeds/CVE_2020_9589/poc.dng | bin | 0 -> 266600 bytes | |||
-rw-r--r-- | source/dng_date_time.cpp | 54 | ||||
-rw-r--r-- | source/dng_utils.h | 40 |
9 files changed, 244 insertions, 21 deletions
@@ -1,3 +1,46 @@
+// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE
+// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+// DEPENDING ON IT IN YOUR PROJECT. ***
+package {
+ default_applicable_licenses: ["external_dng_sdk_license"],
+}
+
+// Added automatically by a large-scale-change that took the approach of
+// 'apply every license found to every target'. While this makes sure we respect
+// every license restriction, it may not be entirely correct.
+//
+// e.g. GPL in an MIT project might only apply to the contrib/ directory.
+//
+// Please consider splitting the single license below into multiple licenses,
+// taking care not to lose any license_kind information, and overriding the
+// default license using the 'licenses: [...]' property on targets as needed.
+//
+// For unused files, consider creating a 'fileGroup' with "//visibility:private"
+// to attach the license to, and including a comment whether the files may be
+// used in the current project.
+//
+// large-scale-change included anything that looked like it might be a license
+// text as a license_text. e.g. LICENSE, NOTICE, COPYING etc.
+//
+// Please consider removing redundant or irrelevant files from 'license_text:'.
+// See: http://go/android-license-faq
+license {
+ name: "external_dng_sdk_license",
+ visibility: [":__subpackages__"],
+ license_kinds: [
+ "SPDX-license-identifier-Apache-2.0",
+ "SPDX-license-identifier-MIT",
+ "legacy_by_exception_only", // by exception only
+ ],
+ license_text: [
+ "LICENSE",
+ "LICENSE.source_code",
+ "LICENSE.technology",
+ "NOTICE",
+ "PATENTS",
+ ],
+}
+
 cc_defaults {
 name: "libdng_sdk-defaults",
 srcs: [
diff --git a/METADATA b/METADATA
new file mode 100644
index 0000000..3814b8d
--- /dev/null
+++ b/METADATA
@@ -0,0 +1,6 @@
+# *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE
+# CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+# DEPENDING ON IT IN YOUR PROJECT. ***
+third_party {
+ license_type: BY_EXCEPTION_ONLY
+}
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..26e2fa6
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,39 @@
+// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE
+// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+// DEPENDING ON IT IN YOUR PROJECT. ***
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "external_dng_sdk_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-MIT
+ // legacy_by_exception_only (by exception only)
+ default_applicable_licenses: ["external_dng_sdk_license"],
+}
+
+cc_fuzz {
+ name: "dng_parser_fuzzer",
+ host_supported: true,
+ srcs: [
+ "dng_parser_fuzzer.cpp",
+ ],
+ cflags: [
+ "-Wno-unused-parameter",
+ "-fexceptions",
+ ],
+ static_libs: [
+ "libdng_sdk",
+ "libjpeg",
+ "liblog",
+ "libz",
+ ],
+ target: {
+ darwin: {
+ enabled: false,
+ },
+ },
+ corpus: [
+ "seeds/CVE_2020_9589/original.dng",
+ "seeds/CVE_2020_9589/poc.dng",
+ ],
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..edc7ef2
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,47 @@
+# Fuzzing DNG SDK
+
+This fuzzer is intented to do a varian analysis of the issue reported
+in b/156261521.
+
+Here is a list of some CVEs previously discovered in DNG SDK:
+
+* CVE-2020-9589
+* CVE-2020-9590
+* CVE-2020-9620
+* CVE-2020-9621
+* CVE-2020-9622
+* CVE-2020-9623
+* CVE-2020-9624
+* CVE-2020-9625
+* CVE-2020-9626
+* CVE-2020-9627
+* CVE-2020-9628
+* CVE-2020-9629
+
+## Building & running the fuzz target: Android device
+
+It is recommended to set rss limit to higher values (such as 4096) when running
+the fuzzer to avoid frequent OOM libFuzzer crashes.
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_arm64-eng
+$ SANITIZE_TARGET=hwaddress make dng_parser_fuzzer
+$ adb sync data
+$ adb shell /data/fuzz/arm64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit=4096 \
+$ /data/fuzz/arm64/dng_parser_fuzzer/corpus
+```
+
+## Building & running the fuzz target: Host
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_x86_64-eng
+$ SANITIZE_HOST=address make dng_parser_fuzzer
+$ LD_LIBRARY_PATH=$ANDROID_HOST_OUT/fuzz/x86_64/lib/ \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit_mb=4096 \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/corpus/
+```
+
diff --git a/fuzzer/dng_parser_fuzzer.cpp b/fuzzer/dng_parser_fuzzer.cpp
new file mode 100644
index 0000000..84db0f3
--- /dev/null
+++ b/fuzzer/dng_parser_fuzzer.cpp
@@ -0,0 +1,36 @@
+#include <stddef.h>
+#include <stdint.h>
+
+#include "dng_exceptions.h"
+#include "dng_host.h"
+#include "dng_info.h"
+#include "dng_memory_stream.h"
+#include "dng_negative.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ dng_host host;
+ dng_memory_stream stream(host.Allocator());
+
+ stream.Put(data, size);
+ stream.SetReadPosition(0);
+
+ std::unique_ptr<dng_negative> negative(host.Make_dng_negative());
+
+ try {
+ dng_info info;
+ info.Parse(host, stream);
+ info.PostParse(host);
+
+ if (info.IsValidDNG()) {
+ negative->Parse(host, stream, info);
+ negative->PostParse(host, stream, info);
+ negative->ReadStage1Image(host, stream, info);
+ }
+ } catch (dng_exception &e) {
+ // dng_sdk throws C++ exceptions on errors
+ // catch them here to prevent libFuzzer from crashing.
+ }
+
+ return 0;
+}
diff --git a/fuzzer/seeds/CVE_2020_9589/original.dng b/fuzzer/seeds/CVE_2020_9589/original.dng
Binary files differ
new file mode 100755
index 0000000..a30ac76
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/original.dng
diff --git a/fuzzer/seeds/CVE_2020_9589/poc.dng b/fuzzer/seeds/CVE_2020_9589/poc.dng
Binary files differ
new file mode 100755
index 0000000..b838844
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/poc.dng
diff --git a/source/dng_date_time.cpp b/source/dng_date_time.cpp
index bede131..b143181 100644
--- a/source/dng_date_time.cpp
+++ b/source/dng_date_time.cpp
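Review bot: `std::unique_ptr` is used in LLVMFuzzerTestOneInput without `#include <memory>`; the file only includes <stddef.h>, <stdint.h> and the dng headers, so it compiles only while one of those happens to pull <memory> in transitively. Add `#include <memory>` alongside the two C headers. The catch clause also names a parameter it never reads; `} catch (const dng_exception &) {` avoids the unused variable and makes it explicit that the exception is intentionally dropped. Only dng_exception is caught, so any other exception type leaving the parser would still terminate the process and be reported by libFuzzer as a crash; if that is the intended behaviour, say so in the comment, e.g. `// Only dng_exception is expected; anything else is a genuine bug and should surface as a crash.`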
@@ -806,32 +806,44 @@ dng_time_zone LocalTimeZone (const dng_date_time &dt) #if qMacOS CFTimeZoneRef zoneRef = CFTimeZoneCopyDefault (); - + + CFReleaseHelper<CFTimeZoneRef> zoneRefDeleter (zoneRef); + if (zoneRef) { - - CFGregorianDate gregDate; - gregDate.year = dt.fYear; - gregDate.month = (SInt8) dt.fMonth; - gregDate.day = (SInt8) dt.fDay; - gregDate.hour = (SInt8) dt.fHour; - gregDate.minute = (SInt8) dt.fMinute; - gregDate.second = (SInt8) dt.fSecond; - - CFAbsoluteTime absTime = CFGregorianDateGetAbsoluteTime (gregDate, zoneRef); - - CFTimeInterval secondsDelta = CFTimeZoneGetSecondsFromGMT (zoneRef, absTime); - - CFRelease (zoneRef); - - result.SetOffsetSeconds (Round_int32 (secondsDelta)); - - if (result.IsValid ()) + // New path that doesn't use deprecated CFGregorian-based APIs. + + CFCalendarRef calendar = + CFCalendarCreateWithIdentifier (kCFAllocatorDefault, + kCFGregorianCalendar); + + CFReleaseHelper<CFCalendarRef> calendarDeleter (calendar); + + CFAbsoluteTime absTime; + + if (CFCalendarComposeAbsoluteTime (calendar, + &absTime, + "yMdHms", + dt.fYear, + dt.fMonth, + dt.fDay, + dt.fHour, + dt.fMinute, + dt.fSecond)) { - return result; + + CFTimeInterval secondsDelta = CFTimeZoneGetSecondsFromGMT (zoneRef, absTime); + + result.SetOffsetSeconds (Round_int32 (secondsDelta)); + + if (result.IsValid ()) + { + return result; + } + } - + } #endif diff --git a/source/dng_utils.h b/source/dng_utils.h index 691f0b9..db38599 100644 --- a/source/dng_utils.h +++ b/source/dng_utils.h 
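Review bot: The `calendar` returned by CFCalendarCreateWithIdentifier is handed to CFCalendarComposeAbsoluteTime without a null check, while `zoneRef` on the same path is checked before use; a null CFCalendarRef would be passed straight into CoreFoundation. Guard it in the condition: `if (calendar && CFCalendarComposeAbsoluteTime (calendar,`. Keeping the CFReleaseHelper construction before the check is fine since the helper tolerates a null ref. LocalTimeZone begins before this hunk and continues after it.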
@@ -1259,6 +1259,46 @@ void LimitFloatBitDepth (dng_host &host, /*****************************************************************************/ +#if qMacOS + +/*****************************************************************************/ + +template<typename T> +class CFReleaseHelper + { + + private: + + T fRef; + + public: + + CFReleaseHelper (T ref) + : fRef (ref) + { + } + + ~CFReleaseHelper () + { + if (fRef) + { + CFRelease (fRef); + } + } + + T Get () const + { + return fRef; + } + + }; + +/*****************************************************************************/ + +#endif // qMacOS + +/*****************************************************************************/ + #endif /*****************************************************************************/ |
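Review bot: CFReleaseHelper owns a CF reference but leaves the implicit copy constructor and copy assignment available, so a copy (passing it by value, returning it) would CFRelease the same ref twice. Since the class already has a user-declared destructor, suppress copying explicitly: `CFReleaseHelper (const CFReleaseHelper &) = delete;` and `CFReleaseHelper & operator= (const CFReleaseHelper &) = delete;` (or declare them private and undefined if the SDK must stay pre-C++11). The single-argument constructor should also be `explicit` so a bare CF ref does not silently convert into an owning helper. A one-line header comment stating that the helper takes ownership of the reference and releases it on scope exit would help readers of dng_date_time.cpp, where it is now used.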