Use IntentFilter CREATOR directly for serializing ParsedIntentInfo
ParsedIntentInfo's CREATOR was removed because it exposes a
reparcelling vulnerability. This adjusts a system API that relied on
the implicit parcelling read to instead use IntentFilter directly,
ignoring the fields contained in the subclass.
Bug: 192050390
Bug: 191055353
Test: manual, cannot repro crash after patch
Merged-In: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
Change-Id: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
(cherry picked from commit 7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21)
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index c643307c..cde249f 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -14252,9 +14252,15 @@
return new ParceledListSlice<IntentFilter>(result) {
@Override
protected void writeElement(IntentFilter parcelable, Parcel dest, int callFlags) {
- // IntentFilter has final Parcelable methods, so redirect to the subclass
- ((ParsedIntentInfo) parcelable).writeIntentInfoToParcel(dest,
- callFlags);
+ parcelable.writeToParcel(dest, callFlags);
+ }
+
+ @Override
+ protected void writeParcelableCreator(IntentFilter parcelable, Parcel dest) {
+ // All Parcel#writeParcelableCreator does is serialize the class name to
+ // access via reflection to grab its CREATOR. This does that manually, pointing
+ // to the parent IntentFilter so that all of the subclass fields are ignored.
+ dest.writeString(IntentFilter.class.getName());
}
};
}
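Review bot: the new writeParcelableCreator override writes the creator name by hand with dest.writeString(IntentFilter.class.getName()), which duplicates the wire format of Parcel#writeParcelableCreator, so a later change to that format would make this override diverge without any compile-time signal. Because the commit lists only manual testing, an automated round-trip test would help here: parcel the slice, read it back, and assert that every element is a plain IntentFilter with no trailing unread data. It is also worth documenting on the enclosing API that the returned filters no longer carry any ParsedIntentInfo fields, since writeElement now calls parcelable.writeToParcel(dest, callFlags) and callers that previously depended on the subclass data will see it dropped silently.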