Make a11y node info parceling more robust

Fix a bug where a malformed Parceled representation
of an AccessibilityNodeInfo could be used to mess with
Bundles as they get reparceled.

Bug: 36491278
Test: Verified that POC no longer works, a11y cts still passes.
AOSP-Change-Id: I10f24747e3ab87d77cd1deba56db4526e3aa5441
(cherry picked from commit 687bb44b437f7bb24dd3dddf072c2f646308e2ca)
(cherry picked from commit 487d8697333b1e7784394b9cd96cb590b047c513)

CVE-2017-0664

Change-Id: I1dfcc4af5112a372ede1608e10d956553436e8f2

1 files changed, 12 insertions, 11 deletions

diff --git a/core/java/android/view/accessibility/AccessibilityNodeInfo.java b/core/java/android/view/accessibility/AccessibilityNodeInfo.java
index 86ed499cabc..b7094912569 100644
--- a/core/java/android/view/accessibility/AccessibilityNodeInfo.java
+++ b/core/java/android/view/accessibility/AccessibilityNodeInfo.java
@@ -2670,16 +2670,19 @@ public class AccessibilityNodeInfo implements Parcelable {
 
         if (mActions != null && !mActions.isEmpty()) {
             final int actionCount = mActions.size();
-            parcel.writeInt(actionCount);
 
+            int nonLegacyActionCount = 0;
             int defaultLegacyStandardActions = 0;
             for (int i = 0; i < actionCount; i++) {
                 AccessibilityAction action = mActions.get(i);
                 if (isDefaultLegacyStandardAction(action)) {
                     defaultLegacyStandardActions |= action.getId();
+                } else {
+                    nonLegacyActionCount++;
                 }
             }
             parcel.writeInt(defaultLegacyStandardActions);
+            parcel.writeInt(nonLegacyActionCount);
 
             for (int i = 0; i < actionCount; i++) {
                 AccessibilityAction action = mActions.get(i);
@@ -2690,6 +2693,7 @@ public class AccessibilityNodeInfo implements Parcelable {
             }
         } else {
             parcel.writeInt(0);
+            parcel.writeInt(0);
         }
 
         parcel.writeInt(mMaxTextLength);
@@ -2853,16 +2857,13 @@ public class AccessibilityNodeInfo implements Parcelable {
         mBoundsInScreen.left = parcel.readInt();
         mBoundsInScreen.right = parcel.readInt();
 
-        final int actionCount = parcel.readInt();
-        if (actionCount > 0) {
-            final int legacyStandardActions = parcel.readInt();
-            addLegacyStandardActions(legacyStandardActions);
-            final int nonLegacyActionCount = actionCount - Integer.bitCount(legacyStandardActions);
-            for (int i = 0; i < nonLegacyActionCount; i++) {
-                final AccessibilityAction action = new AccessibilityAction(
-                        parcel.readInt(), parcel.readCharSequence());
-                addActionUnchecked(action);
-            }
+        final int legacyStandardActions = parcel.readInt();
+        addLegacyStandardActions(legacyStandardActions);
+        final int nonLegacyActionCount = parcel.readInt();
+        for (int i = 0; i < nonLegacyActionCount; i++) {
+            final AccessibilityAction action = new AccessibilityAction(
+                    parcel.readInt(), parcel.readCharSequence());
+            addActionUnchecked(action);
         }
 
         mMaxTextLength = parcel.readInt();