From 4fda9095ba9bdecb8250336d4f0ca328ed7c2aea Mon Sep 17 00:00:00 2001
From: Hongwei Wang
Date: Mon, 31 Jul 2023 16:47:45 -0700
Subject: [RESTRICT AUTOMERGE] Ignore small source rect hint Which may be abused by malicious app to create a non-visible PiP window that bypasses the background restriction.
Bug: 270368476
Test: Manually, using the POC app
Change-Id: I3531a64fc67a1b6c43997ee33b7a7d4ab4e2d985
---
 .../src/com/android/wm/shell/pip/PipBoundsAlgorithm.java | 15 +++++++++++++++
 .../src/com/android/wm/shell/pip/PipTaskOrganizer.java | 6 +++---
 .../Shell/src/com/android/wm/shell/pip/PipTransition.java | 2 +-
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipBoundsAlgorithm.java b/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipBoundsAlgorithm.java
index a4b866aa3f5e..b23b43111281 100644
--- a/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipBoundsAlgorithm.java
+++ b/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipBoundsAlgorithm.java
@@ -182,6 +182,21 @@ public class PipBoundsAlgorithm {
 return null;
 }
+ /**
+ * Returns the source hint rect if it is valid (if provided and is contained by the current
+ * task bounds and not too small).
+ */
+ public static Rect getValidSourceHintRect(PictureInPictureParams params, Rect sourceBounds,
+ @NonNull Rect destinationBounds) {
+ final Rect sourceHintRect = getValidSourceHintRect(params, sourceBounds);
+ if (sourceHintRect != null
+ && sourceHintRect.width() > destinationBounds.width()
+ && sourceHintRect.height() > destinationBounds.height()) {
+ return sourceHintRect;
+ }
+ return null;
+ }
+
 public float getDefaultAspectRatio() {
 return mDefaultAspectRatio;
 }
diff --git a/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java b/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java
index f2bad6caf3e8..e0f542ab74ba 100644
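Review bot: The new size check in the three-argument `getValidSourceHintRect` is opt-in: it delegates to the existing two-argument overload, which this hunk leaves callable, so any call site the commit did not convert still accepts an undersized app-supplied hint. Only three converted call sites are visible in this patch, so whether others remain cannot be told from here; giving the old overload a Javadoc line such as `Does not reject undersized hints; callers entering PiP should use the overload that takes destinationBounds.` or narrowing its visibility would keep new code off the unchecked path. The new Javadoc should also define "too small", e.g. `@return the hint only if it is strictly wider and taller than destinationBounds, otherwise null`. The commit message lists a manual test only; a unit test that passes a hint smaller than the destination bounds and expects null would pin the fix.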
--- a/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java
+++ b/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTaskOrganizer.java
@@ -564,7 +564,7 @@ public class PipTaskOrganizer implements ShellTaskOrganizer.TaskListener,
 if (mOneShotAnimationType == ANIM_TYPE_BOUNDS) {
 mPipMenuController.attach(mLeash);
 final Rect sourceHintRect = PipBoundsAlgorithm.getValidSourceHintRect(
- info.pictureInPictureParams, currentBounds);
+ info.pictureInPictureParams, currentBounds, destinationBounds);
 scheduleAnimateResizePip(currentBounds, destinationBounds, 0 /* startingAngle */, sourceHintRect, TRANSITION_DIRECTION_TO_PIP, mEnterAnimationDuration, null /* updateBoundsCallback */);
@@ -590,9 +590,9 @@ public class PipTaskOrganizer implements ShellTaskOrganizer.TaskListener,
 return;
 }
 final Rect currentBounds = mTaskInfo.configuration.windowConfiguration.getBounds();
- final Rect sourceHintRect = PipBoundsAlgorithm.getValidSourceHintRect(
- mPictureInPictureParams, currentBounds);
 final Rect destinationBounds = mPipBoundsAlgorithm.getEntryDestinationBounds();
+ final Rect sourceHintRect = PipBoundsAlgorithm.getValidSourceHintRect(
+ mPictureInPictureParams, currentBounds, destinationBounds);
 animateResizePip(currentBounds, destinationBounds, sourceHintRect, TRANSITION_DIRECTION_TO_PIP, mEnterAnimationDuration, 0 /* startingAngle */);
 mState = State.ENTERING_PIP;
diff --git a/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java b/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java
index 4759550c35c0..8674d694bb42 100644
--- a/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java
+++ b/libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java
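Review bot: Nothing at the reordered call in the second hunk records that the third argument is a security check, so a later cleanup could switch back to the two-argument overload and still compile. A short comment above the call would do, e.g. `// Validate the app-supplied hint against destinationBounds; an undersized rect is ignored (b/270368476).` The same comment fits the call in the first hunk here and the one in PipTransition.java. All three enclosing methods start and end outside their hunks, so where `destinationBounds` comes from in the first hunk and in PipTransition.java cannot be checked from this patch.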
@@ -110,7 +110,7 @@ public class PipTransition extends PipTransitionController {
 if (mOneShotAnimationType == ANIM_TYPE_BOUNDS) {
 final Rect sourceHintRect = PipBoundsAlgorithm.getValidSourceHintRect(
- taskInfo.pictureInPictureParams, currentBounds);
+ taskInfo.pictureInPictureParams, currentBounds, destinationBounds);
 animator = mPipAnimationController.getAnimator(taskInfo, leash, currentBounds, currentBounds, destinationBounds, sourceHintRect, TRANSITION_DIRECTION_TO_PIP, 0 /* startingAngle */, Surface.ROTATION_0);
-- cgit v1.2.3-59-g8ed1b