| author | Winson <chiuwinson@google.com> | 2021-06-25 09:59:32 -0700 |
|---|---|---|
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-06-30 23:59:09 +0000 |
| commit | f1c159e1f5b3f0835f045a6d58dfd7fdaf1c01f3 (patch) | |
| tree | 683a576f5002ae5ee0c47b26adcc5ab626fdfc42 | |
| parent | e9a6ebf59258a4ca14f83b74f10113aaddaf2b33 (diff) | |
| download | base-f1c159e1f5b3f0835f045a6d58dfd7fdaf1c01f3.tar.gz | |
Use IntentFilter CREATOR directly for serializing ParsedIntentInfo
ParsedIntentInfo's CREATOR was removed because it exposes a
reparcelling vulnerability. This adjusts a system API that relied on
the implicit parcelling read to instead use IntentFilter directly,
ignoring the fields contained in the subclass.
Bug: 192050390
Bug: 191055353
Test: manual, cannot repro crash after patch
Merged-In: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
Change-Id: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
(cherry picked from commit 7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21)
| -rw-r--r-- | services/core/java/com/android/server/pm/PackageManagerService.java | 12 |
|---|---|---|

1 files changed, 9 insertions, 3 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index c643307c5f51..cde249fe2a72 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -14252,9 +14252,15 @@ public class PackageManagerService extends IPackageManager.Stub return new ParceledListSlice<IntentFilter>(result) { @Override protected void writeElement(IntentFilter parcelable, Parcel dest, int callFlags) { - // IntentFilter has final Parcelable methods, so redirect to the subclass - ((ParsedIntentInfo) parcelable).writeIntentInfoToParcel(dest, - callFlags); + parcelable.writeToParcel(dest, callFlags); + } + + @Override + protected void writeParcelableCreator(IntentFilter parcelable, Parcel dest) { + // All Parcel#writeParcelableCreator does is serialize the class name to + // access via reflection to grab its CREATOR. This does that manually, pointing + // to the parent IntentFilter so that all of the subclass fields are ignored. + dest.writeString(IntentFilter.class.getName()); } }; } |
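Review bot: the overridden writeParcelableCreator hand-writes only the class name (`dest.writeString(IntentFilter.class.getName())`), so it silently depends on Parcel#writeParcelableCreator and its reader continuing to use exactly that wire format; a one-line comment naming that coupling, plus a unit test that round-trips one element through this ParceledListSlice and asserts the reader produces a plain IntentFilter with the subclass fields absent, would guard against format drift, which matters since the commit message records only a manual repro check. Worth also noting in the API documentation that, with writeElement now delegating to `parcelable.writeToParcel(dest, callFlags)`, any caller of this system API that previously observed ParsedIntentInfo-only fields will no longer receive them.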