From 2b6197f464d851a8a4654fb0c31753ca1e92069e Mon Sep 17 00:00:00 2001
From: Phil Weaver <pweaver@google.com>
Date: Fri, 7 Apr 2017 14:39:27 -0700
Subject: Make a11y node info parceling more robust

Fix a bug where a malformed Parceled representation
of an AccessibilityNodeInfo could be used to mess with
Bundles as they get reparceled.

Bug: 36491278
Test: Verified that POC no longer works, a11y cts still passes.

(Manual merge from commit 687bb44b437f7bb24dd3dddf072c2f646308e2ca)

Change-Id: I7746c9175a2da28f75d4f4b169d7997abadf1852
---
 .../view/accessibility/AccessibilityNodeInfo.java  | 23 +++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/core/java/android/view/accessibility/AccessibilityNodeInfo.java b/core/java/android/view/accessibility/AccessibilityNodeInfo.java
index 6096d7d1d8bc..425d6b634f5d 100644
--- a/core/java/android/view/accessibility/AccessibilityNodeInfo.java
+++ b/core/java/android/view/accessibility/AccessibilityNodeInfo.java
@@ -2585,16 +2585,19 @@ public class AccessibilityNodeInfo implements Parcelable {
 
         if (mActions != null && !mActions.isEmpty()) {
             final int actionCount = mActions.size();
-            parcel.writeInt(actionCount);
 
+            int nonLegacyActionCount = 0;
             int defaultLegacyStandardActions = 0;
             for (int i = 0; i < actionCount; i++) {
                 AccessibilityAction action = mActions.get(i);
                 if (isDefaultLegacyStandardAction(action)) {
                     defaultLegacyStandardActions |= action.getId();
+                } else {
+                    nonLegacyActionCount++;
                 }
             }
             parcel.writeInt(defaultLegacyStandardActions);
+            parcel.writeInt(nonLegacyActionCount);
 
             for (int i = 0; i < actionCount; i++) {
                 AccessibilityAction action = mActions.get(i);
@@ -2605,6 +2608,7 @@ public class AccessibilityNodeInfo implements Parcelable {
             }
         } else {
             parcel.writeInt(0);
+            parcel.writeInt(0);
         }
 
         parcel.writeInt(mMaxTextLength);
@@ -2768,16 +2772,13 @@ public class AccessibilityNodeInfo implements Parcelable {
         mBoundsInScreen.left = parcel.readInt();
         mBoundsInScreen.right = parcel.readInt();
 
-        final int actionCount = parcel.readInt();
-        if (actionCount > 0) {
-            final int legacyStandardActions = parcel.readInt();
-            addLegacyStandardActions(legacyStandardActions);
-            final int nonLegacyActionCount = actionCount - Integer.bitCount(legacyStandardActions);
-            for (int i = 0; i < nonLegacyActionCount; i++) {
-                AccessibilityAction action = new AccessibilityAction(
-                        parcel.readInt(), parcel.readCharSequence());
-                addAction(action);
-            }
+        final int legacyStandardActions = parcel.readInt();
+        addLegacyStandardActions(legacyStandardActions);
+        final int nonLegacyActionCount = parcel.readInt();
+        for (int i = 0; i < nonLegacyActionCount; i++) {
+            final AccessibilityAction action = new AccessibilityAction(
+            parcel.readInt(), parcel.readCharSequence());
+            addAction(action);
         }
 
         mMaxTextLength = parcel.readInt();
-- 
cgit v1.2.3-59-g8ed1b