Make a11y node info parceling more robust

Fix a bug where a malformed Parceled representation of an AccessibilityNodeInfo could be used to mess with Bundles as they get reparceled. Bug: 36491278 Test: Verified that POC no longer works, a11y cts still passes. (Manual merge from commit 687bb44b43) Change-Id: I7746c9175a2da28f75d4f4b169d7997abadf1852
2017-04-07 14:39:27 -07:00
parent de9cb7ed68
commit 1d8eb49073
1 changed files with 12 additions and 11 deletions
--- a/core/java/android/view/accessibility/AccessibilityNodeInfo.java
+++ b/core/java/android/view/accessibility/AccessibilityNodeInfo.java
@@ -2478,16 +2478,19 @@ public class AccessibilityNodeInfo implements Parcelable {

        if (mActions != null && !mActions.isEmpty()) {
            final int actionCount = mActions.size();
-            parcel.writeInt(actionCount);

+            int nonLegacyActionCount = 0;
            int defaultLegacyStandardActions = 0;
            for (int i = 0; i < actionCount; i++) {
                AccessibilityAction action = mActions.get(i);
                if (isDefaultLegacyStandardAction(action)) {
                    defaultLegacyStandardActions |= action.getId();
+                } else {
+                    nonLegacyActionCount++;
                }
            }
            parcel.writeInt(defaultLegacyStandardActions);
+            parcel.writeInt(nonLegacyActionCount);

            for (int i = 0; i < actionCount; i++) {
                AccessibilityAction action = mActions.get(i);
@@ -2498,6 +2501,7 @@ public class AccessibilityNodeInfo implements Parcelable {
            }
        } else {
            parcel.writeInt(0);
+            parcel.writeInt(0);
        }

        parcel.writeInt(mMaxTextLength);
@@ -2656,16 +2660,13 @@ public class AccessibilityNodeInfo implements Parcelable {
        mBoundsInScreen.left = parcel.readInt();
        mBoundsInScreen.right = parcel.readInt();

-        final int actionCount = parcel.readInt();
-        if (actionCount > 0) {
-            final int legacyStandardActions = parcel.readInt();
-            addLegacyStandardActions(legacyStandardActions);
-            final int nonLegacyActionCount = actionCount - Integer.bitCount(legacyStandardActions);
-            for (int i = 0; i < nonLegacyActionCount; i++) {
-                AccessibilityAction action = new AccessibilityAction(
-                        parcel.readInt(), parcel.readCharSequence());
-                addAction(action);
-            }
+        final int legacyStandardActions = parcel.readInt();
+        addLegacyStandardActions(legacyStandardActions);
+        final int nonLegacyActionCount = parcel.readInt();
+        for (int i = 0; i < nonLegacyActionCount; i++) {
+            final AccessibilityAction action = new AccessibilityAction(
+            parcel.readInt(), parcel.readCharSequence());
+            addAction(action);
        }

        mMaxTextLength = parcel.readInt();