authorWilliam Leshner <wleshner@google.com>2023-11-03 19:17:18 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2023-11-03 19:17:18 +0000
commitd4717a4d3091e5de8d95b7b1e4ec401354a84e96 (patch)
tree14c2a51af558c9b67faec9a360a8f024f2c35337
parenta77c789d0f399ee9e0bb72c6f77578ccd39d0625 (diff)
parentf00e7d5c08c0b9db32bdcd0aad346451bc5b310e (diff)
Merge "Fix vulnerability that allowed attackers to start arbitary activities" into tm-dev am: f00e7d5c08
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/25249793 Change-Id: I6c988f69812de8ec59dc872dd0548caf612e3162 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--core/java/android/service/dreams/DreamService.java13
1 files changed, 11 insertions, 2 deletions
diff --git a/core/java/android/service/dreams/DreamService.java b/core/java/android/service/dreams/DreamService.java
index 2d461c6cf92e..d380522de643 100644
--- a/core/java/android/service/dreams/DreamService.java
+++ b/core/java/android/service/dreams/DreamService.java
@@ -1192,8 +1192,17 @@ public class DreamService extends Service implements Window.Callback {
if (!flattenedString.contains("/")) {
return new ComponentName(serviceInfo.packageName, flattenedString);
}
-
- return ComponentName.unflattenFromString(flattenedString);
+ // Ensure that the component is from the same package as the dream service. If not,
+ // treat the component as invalid and return null instead.
+ final ComponentName cn = ComponentName.unflattenFromString(flattenedString);
+ if (cn == null) return null;
+ if (!cn.getPackageName().equals(serviceInfo.packageName)) {
+ Log.w(TAG,
+ "Inconsistent package name in component: " + cn.getPackageName()
+ + ", should be: " + serviceInfo.packageName);
+ return null;
+ }
+ return cn;
}
/**
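Review bot: The new `return null` paths (unparseable string, or a component whose package differs from `serviceInfo.packageName`) change the method's contract, but its signature and Javadoc lie outside the hunk, so it is not visible whether callers are told about them. If the Javadoc does not already say so, add `@return the resolved component, or {@code null} if the string is malformed or names a package other than the dream service's own`, and confirm that every caller treats null as "no component" rather than dereferencing it. The warning logs `cn.getPackageName()` verbatim, a value that comes from the dream's own metadata, so anything that parses this log line should treat the field as untrusted text. The diffstat shows only DreamService.java changed, so a regression test that feeds a flattened name from a different package and asserts a null result would keep this check from being silently dropped in a later refactor.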