Merge "Enforce ComponentName belongs to caller app" into rvc-dev am: c4d258d8b1
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/19497893
Change-Id: I8459e2027cccec768411b8be9d5b812647161bba
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/services/core/java/com/android/server/media/MediaSessionRecord.java b/services/core/java/com/android/server/media/MediaSessionRecord.java
index 348e9c1..4ba43f9 100644
--- a/services/core/java/com/android/server/media/MediaSessionRecord.java
+++ b/services/core/java/com/android/server/media/MediaSessionRecord.java
@@ -18,6 +18,7 @@
import android.annotation.Nullable;
import android.app.PendingIntent;
+import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ParceledListSlice;
@@ -49,6 +50,8 @@
import android.os.RemoteException;
import android.os.ResultReceiver;
import android.os.SystemClock;
+import android.text.TextUtils;
+import android.util.EventLog;
import android.util.Log;
import android.util.Slog;
import android.view.KeyEvent;
@@ -834,10 +837,30 @@
mHandler.post(MessageHandler.MSG_UPDATE_SESSION_STATE);
}
+ private boolean checkComponentNamePackage(PendingIntent pi, String packageName) {
+ ComponentName componentName = null;
+ if (pi != null && pi.getIntent() != null) {
+ componentName = pi.getIntent().getComponent();
+ }
+
+ if(componentName != null
+ && !TextUtils.equals(packageName, componentName.getPackageName())) {
+ return false;
+ }
+
+ return true;
+ }
+
@Override
public void setMediaButtonReceiver(PendingIntent pi) throws RemoteException {
final long token = Binder.clearCallingIdentity();
try {
+ if (!checkComponentNamePackage(pi, mPackageName)) {
+ EventLog.writeEvent(0x534e4554, "238177121", -1, ""); // SafetyNet logging
+ throw new IllegalArgumentException("Component Name package does not match "
+ + "package name provided to MediaSessionRecord.");
+ }
+
if ((mPolicies & SessionPolicyProvider.SESSION_POLICY_IGNORE_BUTTON_RECEIVER)
!= 0) {
return;
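Review bot: `checkComponentNamePackage` returns true whenever `pi.getIntent().getComponent()` is null, so the new guard in `setMediaButtonReceiver` constrains only PendingIntents with an explicit component. An implicit intent passes unchecked. If that is intended, say so on the helper, e.g. `// Only an explicit component is validated; a null component (implicit intent) is accepted as-is.`; if it is not, the null case needs its own decision rather than falling through to `return true`. The SafetyNet event is also written with uid `-1`, and because the check runs after `Binder.clearCallingIdentity()` the caller's uid can no longer be read at that point; passing the session owner's uid (captured before the identity is cleared, or taken from the record if it stores one) would make the log entry attributable. As a style nit, `if(componentName != null` is missing the space after `if`. The body of `setMediaButtonReceiver` continues past the end of this hunk.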