Google Git
Sign in
android / platform / frameworks / base / 017c720^! / .
commit017c720d528599905e3f89c2b9b6dcbf5adfb62e[log] [tgz]
authorWinson <chiuwinson@google.com>Fri Jun 25 09:59:32 2021 -0700
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Thu Jul 01 11:00:26 2021 +0000
tree683a576f5002ae5ee0c47b26adcc5ab626fdfc42
parent907c235865ef3e8f6113db419d268e62a16d497f [diff]
Use IntentFilter CREATOR directly for serializing ParsedIntentInfo

ParsedIntentInfo's CRFEATOR was removed because it exposes a
reparcelling vulnerability. This adjusts a system API that relied on
the implicit parcelling read to instead use IntentFilter directly,
ignoring the fields contained in the subclass.

Bug: 192050390
Bug: 191055353

Test: manual, cannot repro crash after patch

Merged-In: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
Change-Id: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
(cherry picked from commit 7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21)

diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index c643307c..cde249f 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java

@@ -14252,9 +14252,15 @@
             return new ParceledListSlice<IntentFilter>(result) {
                 @Override
                 protected void writeElement(IntentFilter parcelable, Parcel dest, int callFlags) {
-                    // IntentFilter has final Parcelable methods, so redirect to the subclass
-                    ((ParsedIntentInfo) parcelable).writeIntentInfoToParcel(dest,
-                            callFlags);
+                    parcelable.writeToParcel(dest, callFlags);
+                }
+
+                @Override
+                protected void writeParcelableCreator(IntentFilter parcelable, Parcel dest) {
+                    // All Parcel#writeParcelableCreator does is serialize the class name to
+                    // access via reflection to grab its CREATOR. This does that manually, pointing
+                    // to the parent IntentFilter so that all of the subclass fields are ignored.
+                    dest.writeString(IntentFilter.class.getName());
                 }
             };
         }