Fix vulnerability that allowed attackers to start arbitary activities

Test: Flashed device and verified dream settings works as expected Test: Installed APK from bug and verified the dream didn't allow launching the inappropriate settings activity. Fixes: 300090204 Change-Id: I146415ad400827d0a798e27f34f098feb5e96422 Merged-In: I6e90e3a0d513dceb7d7f5c59d6807ebe164c5716

Fix vulnerability that allowed attackers to start arbitary activities
bf8ff047 · William Leshner · 5e5e9db2 · bf8ff047
Commit bf8ff047 authored 1 year ago by William Leshner
--- a/core/java/android/service/dreams/DreamService.java
+++ b/core/java/android/service/dreams/DreamService.java
@@ -1192,8 +1192,17 @@ public class DreamService extends Service implements Window.Callback {
        if (!flattenedString.contains("/")) {
            return new ComponentName(serviceInfo.packageName, flattenedString);
        }
-
-        return ComponentName.unflattenFromString(flattenedString);
+        // Ensure that the component is from the same package as the dream service. If not,
+        // treat the component as invalid and return null instead.
+        final ComponentName cn = ComponentName.unflattenFromString(flattenedString);
+        if (cn == null) return null;
+        if (!cn.getPackageName().equals(serviceInfo.packageName)) {
+            Log.w(TAG,
+                    "Inconsistent package name in component: " + cn.getPackageName()
+                            + ", should be: " + serviceInfo.packageName);
+            return null;
+        }
+        return cn;
    }

    /**