
Commit 7ac9b1da authored by Winson, committed by Patrick Baumann

Use IntentFilter CREATOR directly for serializing ParsedIntentInfo

ParsedIntentInfo's CREATOR was removed because it exposes a
reparcelling vulnerability. This adjusts a system API that relied on
the implicit parcelling read to instead use IntentFilter directly,
ignoring the fields contained in the subclass.

Bug: 192050390
Bug: 191055353

Test: manual, cannot repro crash after patch

Merged-In: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
Change-Id: Ib12e0a959eb5a5d73d5832ff2eee26a30eed5ded
parent e51f884f
+9 −3
@@ -14226,9 +14226,15 @@ public class PackageManagerService extends IPackageManager.Stub
            return new ParceledListSlice<IntentFilter>(result) {
                @Override
                protected void writeElement(IntentFilter parcelable, Parcel dest, int callFlags) {
                    // IntentFilter has final Parcelable methods, so redirect to the subclass
                    ((ParsedIntentInfo) parcelable).writeIntentInfoToParcel(dest,
                            callFlags);
                    parcelable.writeToParcel(dest, callFlags);
                }
                @Override
                protected void writeParcelableCreator(IntentFilter parcelable, Parcel dest) {
                    // All Parcel#writeParcelableCreator does is serialize the class name to
                    // access via reflection to grab its CREATOR. This does that manually, pointing
                    // to the parent IntentFilter so that all of the subclass fields are ignored.
                    dest.writeString(IntentFilter.class.getName());
                }
            };
        }
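Review bot: the writeParcelableCreator override hard-codes the wire format of Parcel#writeParcelableCreator as a single class-name string (dest.writeString(IntentFilter.class.getName())), so it will silently diverge if the framework method ever writes anything more. The commit message lists only manual testing; a regression test that round-trips this ParceledListSlice and asserts every element unparcels as a plain IntentFilter would catch that drift and pin the "subclass fields are ignored" behaviour. In writeElement, only parcelable.writeToParcel(dest, callFlags) should remain after the change: if the writeIntentInfoToParcel call were kept next to it, the subclass fields would still reach the parcel while the reader uses the IntentFilter CREATOR, leaving the two sides out of step.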