Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 6558ac6a authored by Bishoy Gendy's avatar Bishoy Gendy Committed by Kevin F. Haggerty
Browse files

Fix security vulnerability allowing apps to start from background 

Bug: 317048338
Test: Using the steps in b/317048338#comment12
(cherry picked from commit c5fc8ea9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df3584bb93ab89d7e174f7d39e42d4b22cb92fe0)
Merged-In: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
Change-Id: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
parent 6f70d774

media/java/android/media/session/ParcelableListBinder.java

+11 −2
Original line number Diff line number Diff line
@@ -45,6 +45,7 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
    private static final int END_OF_PARCEL = 0;

    private static final int ITEM_CONTINUED = 1;



    private final Class<T> mListElementsClass;

    private final Consumer<List<T>> mConsumer;



    private final Object mLock = new Object();
@@ -61,9 +62,11 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
    /**

     * Creates an instance.

     *

     * @param listElementsClass the class of the list elements.

     * @param consumer a consumer that consumes the list received

     */

    public ParcelableListBinder(@NonNull Consumer<List<T>> consumer) {

    public ParcelableListBinder(Class<T> listElementsClass, @NonNull Consumer<List<T>> consumer) {

        mListElementsClass = listElementsClass;

        mConsumer = consumer;

    }
@@ -83,7 +86,13 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
                mCount = data.readInt();

            }

            while (i < mCount && data.readInt() != END_OF_PARCEL) {

                mList.add(data.readParcelable(null));

                Object object = data.readParcelable(null);

                if (mListElementsClass.isAssignableFrom(object.getClass())) {

                    // Checking list items are of compaitible types to validate against malicious

                    // apps calling it directly via reflection with non compilable items.

                    // See b/317048338 for more details

                    mList.add((T) object);

                }

                i++;

            }

            if (i >= mCount) {

services/core/java/com/android/server/media/MediaSessionRecord.java

+8 −6
Original line number Diff line number Diff line
@@ -1095,7 +1095,9 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 


        @Override

        public IBinder getBinderForSetQueue() throws RemoteException {

            return new ParcelableListBinder<QueueItem>((list) -> {

            return new ParcelableListBinder<QueueItem>(

                    QueueItem.class,

                    (list) -> {

                        synchronized (mLock) {

                            mQueue = list;

                        }