Fix vulnerability that allowed attackers to start arbitary activities

Test: Flashed device and verified dream settings works as expected
Test: Installed APK from bug and verified the dream didn't allow
launching the inappropriate settings activity.
Fixes: 300090204

Change-Id: I146415ad400827d0a798e27f34f098feb5e96422
Merged-In: I6e90e3a0d513dceb7d7f5c59d6807ebe164c5716

1 files changed, 11 insertions, 2 deletions

diff --git a/core/java/android/service/dreams/DreamService.java b/core/java/android/service/dreams/DreamService.java
index 2d461c6cf92e..d380522de643 100644
--- a/core/java/android/service/dreams/DreamService.java
+++ b/core/java/android/service/dreams/DreamService.java
@@ -1192,8 +1192,17 @@ public class DreamService extends Service implements Window.Callback {
         if (!flattenedString.contains("/")) {
             return new ComponentName(serviceInfo.packageName, flattenedString);
         }
-
-        return ComponentName.unflattenFromString(flattenedString);
+        // Ensure that the component is from the same package as the dream service. If not,
+        // treat the component as invalid and return null instead.
+        final ComponentName cn = ComponentName.unflattenFromString(flattenedString);
+        if (cn == null) return null;
+        if (!cn.getPackageName().equals(serviceInfo.packageName)) {
+            Log.w(TAG,
+                    "Inconsistent package name in component: " + cn.getPackageName()
+                            + ", should be: " + serviceInfo.packageName);
+            return null;
+        }
+        return cn;
     }
 
     /**