Merge "Fix vulnerability that allowed attackers to start arbitary activities"...

Merge "Fix vulnerability that allowed attackers to start arbitary activities" into rvc-dev am: 6b55e128 Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/25238611 Change-Id: Ib5ceab90ffead9088d80b035ee0f6c52d90c01f7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Merge "Fix vulnerability that allowed attackers to start arbitary activities"...
eebdc4c3 · William Leshner · Automerger Merge Worker · 0b29810e · 6b55e128 · eebdc4c3
Commit eebdc4c3 authored 1 year ago by William Leshner Committed by Automerger Merge Worker 1 year ago
--- a/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
+++ b/packages/SettingsLib/src/com/android/settingslib/dream/DreamBackend.java
@@ -351,7 +351,17 @@ public class DreamBackend {
        if (cn != null && cn.indexOf('/') < 0) {
            cn = resolveInfo.serviceInfo.packageName + "/" + cn;
        }
-        return cn == null ? null : ComponentName.unflattenFromString(cn);
+        // Ensure that the component is from the same package as the dream service. If not,
+        // treat the component as invalid and return null instead.
+        final ComponentName result = cn != null ? ComponentName.unflattenFromString(cn) : null;
+        if (result != null
+                && !result.getPackageName().equals(resolveInfo.serviceInfo.packageName)) {
+            Log.w(TAG,
+                    "Inconsistent package name in component: " + result.getPackageName()
+                            + ", should be: " + resolveInfo.serviceInfo.packageName);
+            return null;
+        }
+        return result;
    }

    private static void logd(String msg, Object... args) {