authorandroid-build-team Robot <android-build-team-robot@google.com>2021-06-21 14:27:01 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2021-06-21 14:27:01 +0000
commit4f42e35205be46873efc93744c22ce2a1fc33854 (patch)
treed5dd35e02c3b6767a037533b50136a6034907d1b
parentf0ff5a6b4659491e915abe941c7a194f06b09bec (diff)
parentae98dded0afe43f2a4ddd0cc01b5d878cc416920 (diff)
Change-Id: I2bc134440a79b8c1535d1b090e0058f66f5d45ae
-rw-r--r--Android.bp43
-rw-r--r--METADATA6
-rw-r--r--fuzzer/Android.bp39
-rw-r--r--fuzzer/README.md47
-rw-r--r--fuzzer/dng_parser_fuzzer.cpp36
-rwxr-xr-xfuzzer/seeds/CVE_2020_9589/original.dngbin0 -> 266600 bytes
-rwxr-xr-xfuzzer/seeds/CVE_2020_9589/poc.dngbin0 -> 266600 bytes
-rw-r--r--source/dng_date_time.cpp54
-rw-r--r--source/dng_utils.h40
9 files changed, 244 insertions, 21 deletions
diff --git a/Android.bp b/Android.bp
index c7215e1..0681e93 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1,3 +1,46 @@
+// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE
+// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+// DEPENDING ON IT IN YOUR PROJECT. ***
+package {
+ default_applicable_licenses: ["external_dng_sdk_license"],
+}
+
+// Added automatically by a large-scale-change that took the approach of
+// 'apply every license found to every target'. While this makes sure we respect
+// every license restriction, it may not be entirely correct.
+//
+// e.g. GPL in an MIT project might only apply to the contrib/ directory.
+//
+// Please consider splitting the single license below into multiple licenses,
+// taking care not to lose any license_kind information, and overriding the
+// default license using the 'licenses: [...]' property on targets as needed.
+//
+// For unused files, consider creating a 'fileGroup' with "//visibility:private"
+// to attach the license to, and including a comment whether the files may be
+// used in the current project.
+//
+// large-scale-change included anything that looked like it might be a license
+// text as a license_text. e.g. LICENSE, NOTICE, COPYING etc.
+//
+// Please consider removing redundant or irrelevant files from 'license_text:'.
+// See: http://go/android-license-faq
+license {
+ name: "external_dng_sdk_license",
+ visibility: [":__subpackages__"],
+ license_kinds: [
+ "SPDX-license-identifier-Apache-2.0",
+ "SPDX-license-identifier-MIT",
+ "legacy_by_exception_only", // by exception only
+ ],
+ license_text: [
+ "LICENSE",
+ "LICENSE.source_code",
+ "LICENSE.technology",
+ "NOTICE",
+ "PATENTS",
+ ],
+}
+
cc_defaults {
name: "libdng_sdk-defaults",
srcs: [
diff --git a/METADATA b/METADATA
new file mode 100644
index 0000000..3814b8d
--- /dev/null
+++ b/METADATA
@@ -0,0 +1,6 @@
+# *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE
+# CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+# DEPENDING ON IT IN YOUR PROJECT. ***
+third_party {
+ license_type: BY_EXCEPTION_ONLY
+}
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..26e2fa6
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,39 @@
+// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE
+// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE
+// DEPENDING ON IT IN YOUR PROJECT. ***
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "external_dng_sdk_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-MIT
+ // legacy_by_exception_only (by exception only)
+ default_applicable_licenses: ["external_dng_sdk_license"],
+}
+
+cc_fuzz {
+ name: "dng_parser_fuzzer",
+ host_supported: true,
+ srcs: [
+ "dng_parser_fuzzer.cpp",
+ ],
+ cflags: [
+ "-Wno-unused-parameter",
+ "-fexceptions",
+ ],
+ static_libs: [
+ "libdng_sdk",
+ "libjpeg",
+ "liblog",
+ "libz",
+ ],
+ target: {
+ darwin: {
+ enabled: false,
+ },
+ },
+ corpus: [
+ "seeds/CVE_2020_9589/original.dng",
+ "seeds/CVE_2020_9589/poc.dng",
+ ],
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..edc7ef2
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,47 @@
+# Fuzzing DNG SDK
+
+This fuzzer is intented to do a varian analysis of the issue reported
+in b/156261521.
+
+Here is a list of some CVEs previously discovered in DNG SDK:
+
+* CVE-2020-9589
+* CVE-2020-9590
+* CVE-2020-9620
+* CVE-2020-9621
+* CVE-2020-9622
+* CVE-2020-9623
+* CVE-2020-9624
+* CVE-2020-9625
+* CVE-2020-9626
+* CVE-2020-9627
+* CVE-2020-9628
+* CVE-2020-9629
+
+## Building & running the fuzz target: Android device
+
+It is recommended to set rss limit to higher values (such as 4096) when running
+the fuzzer to avoid frequent OOM libFuzzer crashes.
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_arm64-eng
+$ SANITIZE_TARGET=hwaddress make dng_parser_fuzzer
+$ adb sync data
+$ adb shell /data/fuzz/arm64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit=4096 \
+$ /data/fuzz/arm64/dng_parser_fuzzer/corpus
+```
+
+## Building & running the fuzz target: Host
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_x86_64-eng
+$ SANITIZE_HOST=address make dng_parser_fuzzer
+$ LD_LIBRARY_PATH=$ANDROID_HOST_OUT/fuzz/x86_64/lib/ \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit_mb=4096 \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/corpus/
+```
+
diff --git a/fuzzer/dng_parser_fuzzer.cpp b/fuzzer/dng_parser_fuzzer.cpp
new file mode 100644
index 0000000..84db0f3
--- /dev/null
+++ b/fuzzer/dng_parser_fuzzer.cpp
@@ -0,0 +1,36 @@
+#include <stddef.h>
+#include <stdint.h>
+
+#include "dng_exceptions.h"
+#include "dng_host.h"
+#include "dng_info.h"
+#include "dng_memory_stream.h"
+#include "dng_negative.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ dng_host host;
+ dng_memory_stream stream(host.Allocator());
+
+ stream.Put(data, size);
+ stream.SetReadPosition(0);
+
+ std::unique_ptr<dng_negative> negative(host.Make_dng_negative());
+
+ try {
+ dng_info info;
+ info.Parse(host, stream);
+ info.PostParse(host);
+
+ if (info.IsValidDNG()) {
+ negative->Parse(host, stream, info);
+ negative->PostParse(host, stream, info);
+ negative->ReadStage1Image(host, stream, info);
+ }
+ } catch (dng_exception &e) {
+ // dng_sdk throws C++ exceptions on errors
+ // catch them here to prevent libFuzzer from crashing.
+ }
+
+ return 0;
+}
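Review bot: `std::unique_ptr` on the `negative` line is used without a direct `#include <memory>`; the only standard headers included are `<stddef.h>` and `<stdint.h>`, so the build relies on one of the dng_sdk headers pulling it in transitively, and `#include <memory>` should be added next to them. The `e` in `catch (dng_exception &e)` is never read; `catch (const dng_exception &)` avoids an unused-variable warning and makes it explicit that the exception is only swallowed. Exceptions not derived from `dng_exception` (presumably `std::bad_alloc` on allocation failure) still propagate out of `LLVMFuzzerTestOneInput` and are reported by libFuzzer as crashes; if that is the intended signal, the comment at the catch should say so, otherwise a second `catch (const std::exception &)` is needed.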
diff --git a/fuzzer/seeds/CVE_2020_9589/original.dng b/fuzzer/seeds/CVE_2020_9589/original.dng
new file mode 100755
index 0000000..a30ac76
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/original.dng
Binary files differ
diff --git a/fuzzer/seeds/CVE_2020_9589/poc.dng b/fuzzer/seeds/CVE_2020_9589/poc.dng
new file mode 100755
index 0000000..b838844
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/poc.dng
Binary files differ
diff --git a/source/dng_date_time.cpp b/source/dng_date_time.cpp
index bede131..b143181 100644
--- a/source/dng_date_time.cpp
+++ b/source/dng_date_time.cpp
@@ -806,32 +806,44 @@ dng_time_zone LocalTimeZone (const dng_date_time &dt)
#if qMacOS
CFTimeZoneRef zoneRef = CFTimeZoneCopyDefault ();
-
+
+ CFReleaseHelper<CFTimeZoneRef> zoneRefDeleter (zoneRef);
+
if (zoneRef)
{
-
- CFGregorianDate gregDate;
- gregDate.year = dt.fYear;
- gregDate.month = (SInt8) dt.fMonth;
- gregDate.day = (SInt8) dt.fDay;
- gregDate.hour = (SInt8) dt.fHour;
- gregDate.minute = (SInt8) dt.fMinute;
- gregDate.second = (SInt8) dt.fSecond;
-
- CFAbsoluteTime absTime = CFGregorianDateGetAbsoluteTime (gregDate, zoneRef);
-
- CFTimeInterval secondsDelta = CFTimeZoneGetSecondsFromGMT (zoneRef, absTime);
-
- CFRelease (zoneRef);
-
- result.SetOffsetSeconds (Round_int32 (secondsDelta));
-
- if (result.IsValid ())
+ // New path that doesn't use deprecated CFGregorian-based APIs.
+
+ CFCalendarRef calendar =
+ CFCalendarCreateWithIdentifier (kCFAllocatorDefault,
+ kCFGregorianCalendar);
+
+ CFReleaseHelper<CFCalendarRef> calendarDeleter (calendar);
+
+ CFAbsoluteTime absTime;
+
+ if (CFCalendarComposeAbsoluteTime (calendar,
+ &absTime,
+ "yMdHms",
+ dt.fYear,
+ dt.fMonth,
+ dt.fDay,
+ dt.fHour,
+ dt.fMinute,
+ dt.fSecond))
{
- return result;
+
+ CFTimeInterval secondsDelta = CFTimeZoneGetSecondsFromGMT (zoneRef, absTime);
+
+ result.SetOffsetSeconds (Round_int32 (secondsDelta));
+
+ if (result.IsValid ())
+ {
+ return result;
+ }
+
}
-
+
}
#endif
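Review bot: `calendar` is never null-checked before `CFCalendarComposeAbsoluteTime (calendar, ...)`, although the surrounding code does guard `zoneRef` and `CFCalendarCreateWithIdentifier` can return NULL; the guard should read `if (calendar && CFCalendarComposeAbsoluteTime (calendar,`. The removed path composed the absolute time against `zoneRef` explicitly (`CFGregorianDateGetAbsoluteTime (gregDate, zoneRef)`), whereas the new calendar is created with whatever time zone CFCalendar defaults to; unless that is known to always equal `CFTimeZoneCopyDefault ()`, adding `CFCalendarSetTimeZone (calendar, zoneRef);` after the `calendarDeleter` line keeps the old semantics explicit. The enclosing function `LocalTimeZone` starts before the hunk.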
diff --git a/source/dng_utils.h b/source/dng_utils.h
index 691f0b9..db38599 100644
--- a/source/dng_utils.h
+++ b/source/dng_utils.h
@@ -1259,6 +1259,46 @@ void LimitFloatBitDepth (dng_host &host,
/*****************************************************************************/
+#if qMacOS
+
+/*****************************************************************************/
+
+template<typename T>
+class CFReleaseHelper
+ {
+
+ private:
+
+ T fRef;
+
+ public:
+
+ CFReleaseHelper (T ref)
+ : fRef (ref)
+ {
+ }
+
+ ~CFReleaseHelper ()
+ {
+ if (fRef)
+ {
+ CFRelease (fRef);
+ }
+ }
+
+ T Get () const
+ {
+ return fRef;
+ }
+
+ };
+
+/*****************************************************************************/
+
+#endif // qMacOS
+
+/*****************************************************************************/
+
#endif
/*****************************************************************************/
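Review bot: `CFReleaseHelper` owns `fRef` and releases it in the destructor but leaves the implicit copy constructor and copy assignment available, so copying a helper (or passing one by value) would call `CFRelease` twice on the same reference. Delete them next to the destructor: `CFReleaseHelper (const CFReleaseHelper &) = delete;` and `CFReleaseHelper & operator= (const CFReleaseHelper &) = delete;`. Marking the constructor `explicit CFReleaseHelper (T ref)` also prevents an accidental implicit conversion from a raw CF reference. A one-line header comment such as `// RAII wrapper: takes ownership of one CoreFoundation retain and calls CFRelease when it goes out of scope; a NULL ref is ignored.` would document the ownership transfer for callers.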