From a54d763886ffd69aa14360dc999c76cd2af263f2 Mon Sep 17 00:00:00 2001
From: Hongwei Wang <hwwang@google.com>
Date: Mon, 31 Jul 2023 14:05:36 -0700
Subject: [RESTRICT AUTOMERGE] Ignore small source rect hint

Which may be abused by malicious app to create a non-visible PiP
window that bypasses the background restriction.

Bug: 270368476
Test: Manually, using the POC app
Change-Id: Ifc0e4ffe8b7a9754053246069cb480aa6a59a7e1
---
 .../src/com/android/systemui/pip/PipTaskOrganizer.java       | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java b/packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java
index ae3269fbc19b..7b0a40af4ce0 100644
--- a/packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java
+++ b/packages/SystemUI/src/com/android/systemui/pip/PipTaskOrganizer.java
@@ -387,7 +387,8 @@ public class PipTaskOrganizer extends TaskOrganizer implements
         final Rect currentBounds = mTaskInfo.configuration.windowConfiguration.getBounds();
 
         if (mOneShotAnimationType == ANIM_TYPE_BOUNDS) {
-            final Rect sourceHintRect = getValidSourceHintRect(info, currentBounds);
+            final Rect sourceHintRect = getValidSourceHintRect(info, currentBounds,
+                    destinationBounds);
             scheduleAnimateResizePip(currentBounds, destinationBounds, sourceHintRect,
                     TRANSITION_DIRECTION_TO_PIP, mEnterExitAnimationDuration,
                     null /* updateBoundsCallback */);
@@ -401,14 +402,17 @@ public class PipTaskOrganizer extends TaskOrganizer implements
 
     /**
      * Returns the source hint rect if it is valid (if provided and is contained by the current
-     * task bounds).
+     * task bounds and not too small).
      */
-    private Rect getValidSourceHintRect(ActivityManager.RunningTaskInfo info, Rect sourceBounds) {
+    private Rect getValidSourceHintRect(ActivityManager.RunningTaskInfo info, Rect sourceBounds,
+            Rect destinationBounds) {
         final Rect sourceHintRect = info.pictureInPictureParams != null
                 && info.pictureInPictureParams.hasSourceBoundsHint()
                 ? info.pictureInPictureParams.getSourceRectHint()
                 : null;
-        if (sourceHintRect != null && sourceBounds.contains(sourceHintRect)) {
+        if (sourceHintRect != null && sourceBounds.contains(sourceHintRect)
+                && sourceHintRect.width() > destinationBounds.width()
+                && sourceHintRect.height() > destinationBounds.height()) {
             return sourceHintRect;
         }
         return null;
-- 
cgit v1.2.3-59-g8ed1b