Resolve StatusHints image exploit across user. (36721f26) · Commits · e / os / android_frameworks_base

telecomm/java/android/telecom/ParcelableConference.java

+10 −2

Original line number	Diff line number	Diff line
		@@ -21,12 +21,12 @@ import android.os.Bundle;
		import android.os.Parcel;
		import android.os.Parcelable;

		import com.android.internal.telecom.IVideoProvider;

		import java.util.ArrayList;
		import java.util.Collections;
		import java.util.List;

		import com.android.internal.telecom.IVideoProvider;

		/**
		* A parcelable representation of a conference connection.
		* @hide
		@@ -287,6 +287,14 @@ public final class ParcelableConference implements Parcelable {
		return mCallDirection;
		}

		public String getCallerDisplayName() {
		return mCallerDisplayName;
		}

		public int getCallerDisplayNamePresentation() {
		return mCallerDisplayNamePresentation;
		}

		public static final @android.annotation.NonNull Parcelable.Creator<ParcelableConference> CREATOR =
		new Parcelable.Creator<ParcelableConference> () {
		@Override

telecomm/java/android/telecom/StatusHints.java

+51 −2

Original line number	Diff line number	Diff line
		@@ -16,14 +16,19 @@

		package android.telecom;

		import android.annotation.Nullable;
		import android.annotation.SystemApi;
		import android.content.ComponentName;
		import android.content.Context;
		import android.graphics.drawable.Drawable;
		import android.graphics.drawable.Icon;
		import android.os.Binder;
		import android.os.Bundle;
		import android.os.Parcel;
		import android.os.Parcelable;
		import android.os.UserHandle;

		import com.android.internal.annotations.VisibleForTesting;

		import java.util.Objects;

		@@ -33,7 +38,7 @@ import java.util.Objects;
		public final class StatusHints implements Parcelable {

		private final CharSequence mLabel;
		private final Icon mIcon;
		private Icon mIcon;
		private final Bundle mExtras;

		/**
		@@ -48,10 +53,30 @@ public final class StatusHints implements Parcelable {

		public StatusHints(CharSequence label, Icon icon, Bundle extras) {
		mLabel = label;
		mIcon = icon;
		mIcon = validateAccountIconUserBoundary(icon, Binder.getCallingUserHandle());
		mExtras = extras;
		}

		/**
		* @param icon
		* @hide
		*/
		@VisibleForTesting
		public StatusHints(@Nullable Icon icon) {
		mLabel = null;
		mExtras = null;
		mIcon = icon;
		}

		/**
		*
		* @param icon
		* @hide
		*/
		public void setIcon(@Nullable Icon icon) {
		mIcon = icon;
		}

		/**
		* @return A package used to load the icon.
		*
		@@ -112,6 +137,30 @@ public final class StatusHints implements Parcelable {
		return 0;
		}

		/**
		* Validates the StatusHints image icon to see if it's not in the calling user space.
		* Invalidates the icon if so, otherwise returns back the original icon.
		*
		* @param icon
		* @return icon (validated)
		* @hide
		*/
		public static Icon validateAccountIconUserBoundary(Icon icon, UserHandle callingUserHandle) {
		// Refer to Icon#getUriString for context. The URI string is invalid for icons of
		// incompatible types.
		if (icon != null && (icon.getType() == Icon.TYPE_URI
		\|\| icon.getType() == Icon.TYPE_URI_ADAPTIVE_BITMAP)) {
		String encodedUser = icon.getUri().getEncodedUserInfo();
		// If there is no encoded user, the URI is calling into the calling user space
		if (encodedUser != null) {
		int userId = Integer.parseInt(encodedUser);
		// Do not try to save the icon if the user id isn't in the calling user space.
		if (userId != callingUserHandle.getIdentifier()) return null;
		}
		}
		return icon;
		}

		@Override
		public void writeToParcel(Parcel out, int flags) {
		out.writeCharSequence(mLabel);