Merge "Fix vulnerability that allowed attackers to start arbitary activities" into tm-qpr-dev

author: Lucas Silva <lusilva@google.com> 2022-09-02 17:18:21 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2022-09-02 17:18:21 +0000
commit: de117f20ffd67c2aa554ef6772d272ad018d8a0c (patch)
tree: 731dda6c85c0488c9d17c5d379dadb6a3392c235 /core/java/android
parent: 0a9fbfe94c4722c11fc72c5a2bfc0373c00ec060 (diff)
parent: 2ce1b7fd37273ea19fbbb6daeeaa6212357b9a70 (diff)
1 files changed, 17 insertions, 3 deletions
diff --git a/core/java/android/service/dreams/DreamService.java b/core/java/android/service/dreams/DreamService.java
index 2d461c6cf92e..75155383855b 100644
--- a/core/java/android/service/dreams/DreamService.java
+++ b/core/java/android/service/dreams/DreamService.java
@@ -22,6 +22,7 @@ import android.annotation.NonNull;
 import android.annotation.Nullable;
 import android.annotation.SdkConstant;
 import android.annotation.SdkConstant.SdkConstantType;
+import android.annotation.TestApi;
 import android.app.Activity;
 import android.app.ActivityTaskManager;
 import android.app.AlarmManager;
@@ -1124,7 +1125,8 @@ public class DreamService extends Service implements Window.Callback {
      * @hide
      */
     @Nullable
-    public static DreamMetadata getDreamMetadata(Context context,
+    @TestApi
+    public static DreamMetadata getDreamMetadata(@NonNull Context context,
             @Nullable ServiceInfo serviceInfo) {
         if (serviceInfo == null) return null;
 
@@ -1183,7 +1185,8 @@ public class DreamService extends Service implements Window.Callback {
         }
     }
 
-    private static ComponentName convertToComponentName(String flattenedString,
+    @Nullable
+    private static ComponentName convertToComponentName(@Nullable String flattenedString,
             ServiceInfo serviceInfo) {
         if (flattenedString == null) {
             return null;
@@ -1193,7 +1196,17 @@ public class DreamService extends Service implements Window.Callback {
             return new ComponentName(serviceInfo.packageName, flattenedString);
         }
 
-        return ComponentName.unflattenFromString(flattenedString);
+        // Ensure that the component is from the same package as the dream service. If not,
+        // treat the component as invalid and return null instead.
+        final ComponentName cn = ComponentName.unflattenFromString(flattenedString);
+        if (cn == null) return null;
+        if (!cn.getPackageName().equals(serviceInfo.packageName)) {
+            Log.w(TAG,
+                    "Inconsistent package name in component: " + cn.getPackageName()
+                            + ", should be: " + serviceInfo.packageName);
+            return null;
+        }
+        return cn;
     }
 
     /**
@@ -1489,6 +1502,7 @@ public class DreamService extends Service implements Window.Callback {
      *
      * @hide
      */
+    @TestApi
     public static final class DreamMetadata {
         @Nullable
         public final ComponentName settingsActivity;
author	Lucas Silva <lusilva@google.com>	2022-09-02 17:18:21 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2022-09-02 17:18:21 +0000
commit	de117f20ffd67c2aa554ef6772d272ad018d8a0c (patch)
tree	731dda6c85c0488c9d17c5d379dadb6a3392c235 /core/java/android
parent	0a9fbfe94c4722c11fc72c5a2bfc0373c00ec060 (diff)
parent	2ce1b7fd37273ea19fbbb6daeeaa6212357b9a70 (diff)