commit 7406836051a5b50ab959d177c2bf4041a6d0149f
author Pranav Madapurmath <pmadapurmath@google.com> Fri Jun 21 20:04:53 2024 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Fri Jun 21 20:04:53 2024 +0000
tree 6638688a163bcc3333a598d22805248cc44e658e
parent 274f26bf93f8f4e01d4f52dbffe09b934fe16958
parent 01055f014b41d90612994c42e7900f80a0a8dd5c

Merge "Resolve cross-user image exploit for conference status hints" into sc-dev am: 7a69743951 am: 01055f014b

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/services/Telecomm/+/27801273

Change-Id: Ifb7f2efb299dbf93778d68f431996b02b2c37387
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

src/com/android/server/telecom/ConnectionServiceWrapper.java

diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java
index e4d1ecd..7802e08 100644
--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java
+++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java
@@ -136,10 +136,17 @@
                 ParcelableConference conference, Session.Info sessionInfo) {
             Log.startSession(sessionInfo, LogUtils.Sessions.CSW_HANDLE_CREATE_CONNECTION_COMPLETE,
                     mPackageAbbreviation);
+            UserHandle callingUserHandle = Binder.getCallingUserHandle();
             long token = Binder.clearCallingIdentity();
             try {
                 synchronized (mLock) {
                     logIncoming("handleCreateConferenceComplete %s", callId);
+                    // Check status hints image for cross user access
+                    if (conference.getStatusHints() != null) {
+                        Icon icon = conference.getStatusHints().getIcon();
+                        conference.getStatusHints().setIcon(StatusHints.
+                                validateAccountIconUserBoundary(icon, callingUserHandle));
+                    }
                     Call call = mCallIdMapper.getCall(callId);
                     if (mScheduledFutureMap.containsKey(call)) {
                         ScheduledFuture<?> existingTimeout = mScheduledFutureMap.get(call);