package android.content.pm; import android.os.Parcel; import android.os.Parcelable; import junit.framework.TestCase; import java.util.ArrayList; import java.util.List; public class ParceledListSliceTest extends TestCase { public void testSmallList() throws Exception { final int objectCount = 100; List<SmallObject> list = new ArrayList<SmallObject>(); for (int i = 0; i < objectCount; i++) { list.add(new SmallObject(i * 2, (i * 2) + 1)); } ParceledListSlice<SmallObject> slice; Parcel parcel = Parcel.obtain(); try { parcel.writeParcelable(new ParceledListSlice<SmallObject>(list), 0); parcel.setDataPosition(0); slice = parcel.readParcelable(getClass().getClassLoader()); } finally { parcel.recycle(); } assertNotNull(slice); assertNotNull(slice.getList()); assertEquals(objectCount, slice.getList().size()); for (int i = 0; i < objectCount; i++) { assertEquals(i * 2, slice.getList().get(i).mFieldA); assertEquals((i * 2) + 1, slice.getList().get(i).mFieldB); } } private static int measureLargeObject() { Parcel p = Parcel.obtain(); try { new LargeObject(0, 0, 0, 0, 0).writeToParcel(p, 0); return p.dataPosition(); } finally { p.recycle(); } } /** * Test that when the list is large, the data is successfully parceled * and unparceled (the implementation will send pieces of the list in * separate round-trips to avoid the IPC limit). */ public void testLargeList() throws Exception { final int thresholdBytes = 256 * 1024; final int objectCount = thresholdBytes / measureLargeObject(); List<LargeObject> list = new ArrayList<LargeObject>(); for (int i = 0; i < objectCount; i++) { list.add(new LargeObject( i * 5, (i * 5) + 1, (i * 5) + 2, (i * 5) + 3, (i * 5) + 4 )); } ParceledListSlice<LargeObject> slice; Parcel parcel = Parcel.obtain(); try { parcel.writeParcelable(new ParceledListSlice<LargeObject>(list), 0); parcel.setDataPosition(0); slice = parcel.readParcelable(getClass().getClassLoader()); } finally { parcel.recycle(); } assertNotNull(slice); assertNotNull(slice.getList()); assertEquals(objectCount, slice.getList().size()); for (int i = 0; i < objectCount; i++) { assertEquals(i * 5, slice.getList().get(i).mFieldA); assertEquals((i * 5) + 1, slice.getList().get(i).mFieldB); assertEquals((i * 5) + 2, slice.getList().get(i).mFieldC); assertEquals((i * 5) + 3, slice.getList().get(i).mFieldD); assertEquals((i * 5) + 4, slice.getList().get(i).mFieldE); } } /** * Test that only homogeneous elements may be unparceled. */ public void testHomogeneousElements() throws Exception { List<BaseObject> list = new ArrayList<BaseObject>(); list.add(new LargeObject(0, 1, 2, 3, 4)); list.add(new SmallObject(5, 6)); list.add(new SmallObject(7, 8)); Parcel parcel = Parcel.obtain(); try { writeEvilParceledListSlice(parcel, list); parcel.setDataPosition(0); try { ParceledListSlice.CREATOR.createFromParcel(parcel, getClass().getClassLoader()); assertTrue("Unparceled heterogeneous ParceledListSlice", false); } catch (IllegalArgumentException e) { // Success, we're not allowed to process heterogeneous // elements in a ParceledListSlice. } } finally { parcel.recycle(); } } /** * Write a ParcelableListSlice that uses the BaseObject base class as the Creator. * This is dangerous, as it may affect how the data is unparceled, then later parceled * by the system, leading to a self-modifying data security vulnerability. */ private static <T extends BaseObject> void writeEvilParceledListSlice(Parcel dest, List<T> list) { final int listCount = list.size(); // Number of items. dest.writeInt(listCount); // The type/creator to use when unparceling. Here we use the base class // to simulate an attack on ParceledListSlice. dest.writeString(BaseObject.class.getName()); for (int i = 0; i < listCount; i++) { // 1 means the item is present. dest.writeInt(1); list.get(i).writeToParcel(dest, 0); } } public abstract static class BaseObject implements Parcelable { protected static final int TYPE_SMALL = 0; protected static final int TYPE_LARGE = 1; protected void writeToParcel(Parcel dest, int flags, int type) { dest.writeInt(type); } @Override public int describeContents() { return 0; } /** * This is *REALLY* bad, but we're doing it in the test to ensure that we handle * the possible exploit when unparceling an object with the BaseObject written as * Creator. */ public static final Creator<BaseObject> CREATOR = new Creator<BaseObject>() { @Override public BaseObject createFromParcel(Parcel source) { switch (source.readInt()) { case TYPE_SMALL: return SmallObject.createFromParcelBody(source); case TYPE_LARGE: return LargeObject.createFromParcelBody(source); default: throw new IllegalArgumentException("Unknown type"); } } @Override public BaseObject[] newArray(int size) { return new BaseObject[size]; } }; } public static class SmallObject extends BaseObject { public int mFieldA; public int mFieldB; public SmallObject(int a, int b) { mFieldA = a; mFieldB = b; } @Override public void writeToParcel(Parcel dest, int flags) { super.writeToParcel(dest, flags, TYPE_SMALL); dest.writeInt(mFieldA); dest.writeInt(mFieldB); } public static SmallObject createFromParcelBody(Parcel source) { return new SmallObject(source.readInt(), source.readInt()); } public static final Creator<SmallObject> CREATOR = new Creator<SmallObject>() { @Override public SmallObject createFromParcel(Parcel source) { // Consume the type (as it is always written out). source.readInt(); return createFromParcelBody(source); } @Override public SmallObject[] newArray(int size) { return new SmallObject[size]; } }; } public static class LargeObject extends BaseObject { public int mFieldA; public int mFieldB; public int mFieldC; public int mFieldD; public int mFieldE; public LargeObject(int a, int b, int c, int d, int e) { mFieldA = a; mFieldB = b; mFieldC = c; mFieldD = d; mFieldE = e; } @Override public void writeToParcel(Parcel dest, int flags) { super.writeToParcel(dest, flags, TYPE_LARGE); dest.writeInt(mFieldA); dest.writeInt(mFieldB); dest.writeInt(mFieldC); dest.writeInt(mFieldD); dest.writeInt(mFieldE); } public static LargeObject createFromParcelBody(Parcel source) { return new LargeObject( source.readInt(), source.readInt(), source.readInt(), source.readInt(), source.readInt() ); } public static final Creator<LargeObject> CREATOR = new Creator<LargeObject>() { @Override public LargeObject createFromParcel(Parcel source) { // Consume the type (as it is always written out). source.readInt(); return createFromParcelBody(source); } @Override public LargeObject[] newArray(int size) { return new LargeObject[size]; } }; } }