Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa4edfe6 authored by Phil Weaver's avatar Phil Weaver Committed by android-build-team Robot
Browse files

Make a11y node info parceling more robust 

Fix a bug where a malformed Parceled representation
of an AccessibilityNodeInfo could be used to mess with
Bundles as they get reparceled.

Bug: 36491278
Test: Verified that POC no longer works, a11y cts still passes.
Change-Id: I10f24747e3ab87d77cd1deba56db4526e3aa5441
(cherry picked from commit 687bb44b)
(cherry picked from commit 487d8697)
parent dee7c41e

core/java/android/view/accessibility/AccessibilityNodeInfo.java

+12 −11
Original line number Original line Diff line number Diff line
@@ -2760,16 +2760,19 @@ public class AccessibilityNodeInfo implements Parcelable { 




        if (mActions != null && !mActions.isEmpty()) {

        if (mActions != null && !mActions.isEmpty()) {

            final int actionCount = mActions.size();

            final int actionCount = mActions.size();

            parcel.writeInt(actionCount);





            int nonLegacyActionCount = 0;

            int defaultLegacyStandardActions = 0;

            int defaultLegacyStandardActions = 0;

            for (int i = 0; i < actionCount; i++) {

            for (int i = 0; i < actionCount; i++) {

                AccessibilityAction action = mActions.get(i);

                AccessibilityAction action = mActions.get(i);

                if (isDefaultLegacyStandardAction(action)) {

                if (isDefaultLegacyStandardAction(action)) {

                    defaultLegacyStandardActions |= action.getId();

                    defaultLegacyStandardActions |= action.getId();

                } else {

                    nonLegacyActionCount++;

                }

                }

            }

            }

            parcel.writeInt(defaultLegacyStandardActions);

            parcel.writeInt(defaultLegacyStandardActions);

            parcel.writeInt(nonLegacyActionCount);





            for (int i = 0; i < actionCount; i++) {

            for (int i = 0; i < actionCount; i++) {

                AccessibilityAction action = mActions.get(i);

                AccessibilityAction action = mActions.get(i);
@@ -2780,6 +2783,7 @@ public class AccessibilityNodeInfo implements Parcelable { 
            }

            }

        } else {

        } else {

            parcel.writeInt(0);

            parcel.writeInt(0);

            parcel.writeInt(0);

        }

        }





        parcel.writeInt(mMaxTextLength);

        parcel.writeInt(mMaxTextLength);
@@ -2947,17 +2951,14 @@ public class AccessibilityNodeInfo implements Parcelable { 
        mBoundsInScreen.left = parcel.readInt();

        mBoundsInScreen.left = parcel.readInt();

        mBoundsInScreen.right = parcel.readInt();

        mBoundsInScreen.right = parcel.readInt();





        final int actionCount = parcel.readInt();

        if (actionCount > 0) {

        final int legacyStandardActions = parcel.readInt();

        final int legacyStandardActions = parcel.readInt();

        addLegacyStandardActions(legacyStandardActions);

        addLegacyStandardActions(legacyStandardActions);

            final int nonLegacyActionCount = actionCount - Integer.bitCount(legacyStandardActions);

        final int nonLegacyActionCount = parcel.readInt();

        for (int i = 0; i < nonLegacyActionCount; i++) {

        for (int i = 0; i < nonLegacyActionCount; i++) {

            final AccessibilityAction action = new AccessibilityAction(

            final AccessibilityAction action = new AccessibilityAction(

                    parcel.readInt(), parcel.readCharSequence());

                    parcel.readInt(), parcel.readCharSequence());

            addActionUnchecked(action);

            addActionUnchecked(action);

        }

        }

        }





        mMaxTextLength = parcel.readInt();

        mMaxTextLength = parcel.readInt();

        mMovementGranularities = parcel.readInt();

        mMovementGranularities = parcel.readInt();