authorWinson <chiuwinson@google.com>2021-06-25 09:59:32 -0700
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2021-06-30 23:59:09 +0000
commitf1c159e1f5b3f0835f045a6d58dfd7fdaf1c01f3 (patch)
tree683a576f5002ae5ee0c47b26adcc5ab626fdfc42
parente9a6ebf59258a4ca14f83b74f10113aaddaf2b33 (diff)
Use IntentFilter CREATOR directly for serializing ParsedIntentInfo
ParsedIntentInfo's CREATOR was removed because it exposes a reparcelling vulnerability. This adjusts a system API that relied on the implicit parcelling read to instead use IntentFilter directly, ignoring the fields contained in the subclass. Bug: 192050390 Bug: 191055353 Test: manual, cannot repro crash after patch Merged-In: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded Change-Id: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded (cherry picked from commit 7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21)
-rw-r--r--services/core/java/com/android/server/pm/PackageManagerService.java12
1 files changed, 9 insertions, 3 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index c643307c5f51..cde249fe2a72 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -14252,9 +14252,15 @@ public class PackageManagerService extends IPackageManager.Stub
return new ParceledListSlice<IntentFilter>(result) {
@Override
protected void writeElement(IntentFilter parcelable, Parcel dest, int callFlags) {
- // IntentFilter has final Parcelable methods, so redirect to the subclass
- ((ParsedIntentInfo) parcelable).writeIntentInfoToParcel(dest,
- callFlags);
+ parcelable.writeToParcel(dest, callFlags);
+ }
+
+ @Override
+ protected void writeParcelableCreator(IntentFilter parcelable, Parcel dest) {
+ // All Parcel#writeParcelableCreator does is serialize the class name to
+ // access via reflection to grab its CREATOR. This does that manually, pointing
+ // to the parent IntentFilter so that all of the subclass fields are ignored.
+ dest.writeString(IntentFilter.class.getName());
}
};
}
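Review bot: The `writeParcelableCreator` override duplicates what `Parcel#writeParcelableCreator` puts on the wire (per its own comment, just the class-name string), and nothing marks that it must stay paired with the new `writeElement`. If only one of the two were later changed, the reader could be handed a creator name that does not match the element bytes, which is the mismatch this fix is meant to rule out. I would put a comment on `writeElement` such as `// IntentFilter's Parcelable methods are final, so this writes base-class fields only; keep in sync with writeParcelableCreator below.` The commit lists only a manual test, so a regression test that round-trips this slice and asserts each element's `getClass() == IntentFilter.class` would pin the behaviour. If the extra allocation is acceptable, building `result` from `new IntentFilter(filter)` copies might remove the need for both overrides, but the enclosing method starts outside the hunk, so I cannot tell how `result` is populated.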