Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a3e88190 authored by Bishoy Gendy's avatar Bishoy Gendy Committed by Android Build Coastguard Worker
Browse files

Fix security vulnerability allowing apps to start from background 

Bug: 317048338
Test: Using the steps in b/317048338#comment12
(cherry picked from commit c5fc8ea9)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df3584bb93ab89d7e174f7d39e42d4b22cb92fe0)
Merged-In: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
Change-Id: Ia91199fdb23beed27bde687fdca8fe5d3a5a4759
parent 5c5d028d

media/java/android/media/session/ParcelableListBinder.java

+11 −2
Original line number Diff line number Diff line
@@ -45,6 +45,7 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
    private static final int END_OF_PARCEL = 0;

    private static final int ITEM_CONTINUED = 1;



    private final Class<T> mListElementsClass;

    private final Consumer<List<T>> mConsumer;



    private final Object mLock = new Object();
@@ -61,9 +62,11 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
    /**

     * Creates an instance.

     *

     * @param listElementsClass the class of the list elements.

     * @param consumer a consumer that consumes the list received

     */

    public ParcelableListBinder(@NonNull Consumer<List<T>> consumer) {

    public ParcelableListBinder(Class<T> listElementsClass, @NonNull Consumer<List<T>> consumer) {

        mListElementsClass = listElementsClass;

        mConsumer = consumer;

    }
@@ -83,7 +86,13 @@ public class ParcelableListBinder<T extends Parcelable> extends Binder { 
                mCount = data.readInt();

            }

            while (i < mCount && data.readInt() != END_OF_PARCEL) {

                mList.add(data.readParcelable(null));

                Object object = data.readParcelable(null);

                if (mListElementsClass.isAssignableFrom(object.getClass())) {

                    // Checking list items are of compaitible types to validate against malicious

                    // apps calling it directly via reflection with non compilable items.

                    // See b/317048338 for more details

                    mList.add((T) object);

                }

                i++;

            }

            if (i >= mCount) {

services/core/java/com/android/server/media/MediaSessionRecord.java

+8 −6
Original line number Diff line number Diff line
@@ -1095,7 +1095,9 @@ public class MediaSessionRecord implements IBinder.DeathRecipient, MediaSessionR 


        @Override

        public IBinder getBinderForSetQueue() throws RemoteException {

            return new ParcelableListBinder<QueueItem>((list) -> {

            return new ParcelableListBinder<QueueItem>(

                    QueueItem.class,

                    (list) -> {

                        synchronized (mLock) {

                            mQueue = list;

                        }