Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 553232c2 authored by Daniel Norman's avatar Daniel Norman
Browse files

Checks if AccessibilityServiceInfo is within parcelable size. 

- If too large when parsing service XMLs then skip this service.
- If too large when a service attempts to update its own info
  then throw an error.

Bug: 261589597
Test: atest AccessibilityServiceInfoTest
Change-Id: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
parent 1b0f4091

core/java/android/accessibilityservice/AccessibilityService.java

+4 −0
Original line number Diff line number Diff line
@@ -1982,6 +1982,10 @@ public abstract class AccessibilityService extends Service { 
        IAccessibilityServiceConnection connection =

            AccessibilityInteractionClient.getInstance().getConnection(mConnectionId);

        if (mInfo != null && connection != null) {

            if (!mInfo.isWithinParcelableSize()) {

                throw new IllegalStateException(

                        "Cannot update service info: size is larger than safe parcelable limits.");

            }

            try {

                connection.setServiceInfo(mInfo);

                mInfo = null;

core/java/android/accessibilityservice/AccessibilityServiceInfo.java

+10 −0
Original line number Diff line number Diff line
@@ -39,6 +39,7 @@ import android.content.res.XmlResourceParser; 
import android.graphics.drawable.Drawable;

import android.hardware.fingerprint.FingerprintManager;

import android.os.Build;

import android.os.IBinder;

import android.os.Parcel;

import android.os.Parcelable;

import android.os.RemoteException;
@@ -1016,6 +1017,15 @@ public class AccessibilityServiceInfo implements Parcelable { 
        return 0;

    }



    /** @hide */

    public final boolean isWithinParcelableSize() {

        final Parcel parcel = Parcel.obtain();

        writeToParcel(parcel, 0);

        final boolean result = parcel.dataSize() <= IBinder.MAX_IPC_SIZE;

        parcel.recycle();

        return result;

    }



    public void writeToParcel(Parcel parcel, int flagz) {

        parcel.writeInt(eventTypes);

        parcel.writeStringArray(packageNames);

services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java

+6 −0
Original line number Diff line number Diff line
@@ -1353,6 +1353,12 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub 
            AccessibilityServiceInfo accessibilityServiceInfo;

            try {

                accessibilityServiceInfo = new AccessibilityServiceInfo(resolveInfo, mContext);

                if (!accessibilityServiceInfo.isWithinParcelableSize()) {

                    Slog.e(LOG_TAG, "Skipping service "

                            + accessibilityServiceInfo.getResolveInfo().getComponentInfo()

                            + " because service info size is larger than safe parcelable limits.");

                    continue;

                }

                if (userState.mCrashedServices.contains(serviceInfo.getComponentName())) {

                    // Restore the crashed attribute.

                    accessibilityServiceInfo.crashed = true;