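/**
 * Copyright (C) 2018 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/wait.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dlfcn.h>
#include <string.h>
#include <sys/mman.h>

/*
 * Local mirror of the pixmap structure returned by gdx2d_load().
 * NOTE(review): the layout is declared here rather than taken from a libgdx
 * header, so it presumably has to match the library's own definition --
 * confirm against the libgdx version under test.
 */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t format;
    const unsigned char *pixels;
} gdx2d_pixmap;

/* Entry points resolved from libgdx.so at run time with dlsym(). */
gdx2d_pixmap *(*gdx2d_load)(const unsigned char *buffer, uint32_t len);
void (*gdx2d_free)(const gdx2d_pixmap *pixmap);

/**
 * Regression harness: maps a test image read-only and passes it to
 * gdx2d_load() in libgdx.so, then frees the resulting pixmap.
 *
 * Exit status:
 *    0  the image was handed to gdx2d_load() and the call returned
 *   -1  libgdx.so could not be loaded
 *   -2  gdx2d_load or gdx2d_free could not be resolved
 *   -3  the test image could not be opened, sized or mapped
 *
 * Every setup step is checked so that a crash of this process can only come
 * from the library call itself. Without the checks, a missing test file would
 * reach mmap() with an uninitialised length and gdx2d_load() with MAP_FAILED,
 * and the resulting fault would be indistinguishable from the library
 * misbehaving on the image.
 */
int main(void) {
    int rc = -3;
    int fd = -1;
    void *ptr = MAP_FAILED;
    size_t map_len = 0;
    struct stat st;
    gdx2d_pixmap *pixmap = NULL;

    void *libgdx = dlopen("libgdx.so", RTLD_LAZY);
    if (libgdx == NULL) {
        return -1;
    }

    gdx2d_load = dlsym(libgdx, "gdx2d_load");
    gdx2d_free = dlsym(libgdx, "gdx2d_free");
    if (gdx2d_load == NULL || gdx2d_free == NULL) {
        dlclose(libgdx);
        return -2;
    }

    const char *fname = "/data/local/tmp/CVE-2017-0477.gif";
    fd = open(fname, O_RDONLY);
    if (fd < 0) {
        goto out;
    }
    if (fstat(fd, &st) != 0) {
        goto out;
    }
    /*
     * gdx2d_load() takes a 32-bit length: reject an empty file (mmap() fails
     * for a zero length) and anything that would be truncated by the cast.
     */
    if (st.st_size <= 0 || (unsigned long long)st.st_size > UINT32_MAX) {
        goto out;
    }
    map_len = (size_t)st.st_size;

    ptr = mmap(NULL, map_len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (ptr == MAP_FAILED) {
        goto out;
    }

    pixmap = gdx2d_load((const unsigned char *)ptr, (uint32_t)map_len);
    if (pixmap) {
        gdx2d_free(pixmap);
    }
    rc = 0;

out:
    if (ptr != MAP_FAILED) {
        munmap(ptr, map_len);
    }
    if (fd >= 0) {
        close(fd);
    }
    dlclose(libgdx);
    return rc;
}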