Make a11y node info parceling more robust

Fix a bug where a malformed Parceled representation of an AccessibilityNodeInfo could be used to mess with Bundles as they get reparceled. Bug: 36491278 Test: Verified that POC no longer works, a11y cts still passes. Change-Id: I10f24747e3ab87d77cd1deba56db4526e3aa5441 (cherry picked from commit 687bb44b43)
2017-04-06 17:40:51 -07:00
parent 137006ff5c
commit 487d869733
1 changed files with 12 additions and 11 deletions
--- a/core/java/android/view/accessibility/AccessibilityNodeInfo.java
+++ b/core/java/android/view/accessibility/AccessibilityNodeInfo.java
@@ -2760,16 +2760,19 @@ public class AccessibilityNodeInfo implements Parcelable {

        if (mActions != null && !mActions.isEmpty()) {
            final int actionCount = mActions.size();
-            parcel.writeInt(actionCount);

+            int nonLegacyActionCount = 0;
            int defaultLegacyStandardActions = 0;
            for (int i = 0; i < actionCount; i++) {
                AccessibilityAction action = mActions.get(i);
                if (isDefaultLegacyStandardAction(action)) {
                    defaultLegacyStandardActions |= action.getId();
+                } else {
+                    nonLegacyActionCount++;
                }
            }
            parcel.writeInt(defaultLegacyStandardActions);
+            parcel.writeInt(nonLegacyActionCount);

            for (int i = 0; i < actionCount; i++) {
                AccessibilityAction action = mActions.get(i);
@@ -2780,6 +2783,7 @@ public class AccessibilityNodeInfo implements Parcelable {
            }
        } else {
            parcel.writeInt(0);
+            parcel.writeInt(0);
        }

        parcel.writeInt(mMaxTextLength);
@@ -2947,16 +2951,13 @@ public class AccessibilityNodeInfo implements Parcelable {
        mBoundsInScreen.left = parcel.readInt();
        mBoundsInScreen.right = parcel.readInt();

-        final int actionCount = parcel.readInt();
-        if (actionCount > 0) {
-            final int legacyStandardActions = parcel.readInt();
-            addLegacyStandardActions(legacyStandardActions);
-            final int nonLegacyActionCount = actionCount - Integer.bitCount(legacyStandardActions);
-            for (int i = 0; i < nonLegacyActionCount; i++) {
-                final AccessibilityAction action = new AccessibilityAction(
-                        parcel.readInt(), parcel.readCharSequence());
-                addActionUnchecked(action);
-            }
+        final int legacyStandardActions = parcel.readInt();
+        addLegacyStandardActions(legacyStandardActions);
+        final int nonLegacyActionCount = parcel.readInt();
+        for (int i = 0; i < nonLegacyActionCount; i++) {
+            final AccessibilityAction action = new AccessibilityAction(
+                    parcel.readInt(), parcel.readCharSequence());
+            addActionUnchecked(action);
        }

        mMaxTextLength = parcel.readInt();