
Issue 652460 link

Issue metadata

Status: Duplicate
Merged: issue 412527
Owner:
Email to this user bounced
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Chrome for Android crashes when receiving intents with bad extras

Reported by kra...@amazon.com, Oct 3 2016

Issue description

ChromeLauncherActivity did not have sanitation of incoming intents, and thus
if for example an intent with a bad Parcel was sent, Chrome crashed.
This change strips away all extras and makes sure Chrome properly opens the
intended website instead.

Version: Tip of master (And any version before that)
OS: Android

What steps will reproduce the problem?
(1) In an old version of the Facebook app, click on a link

OR
(1) Create an app that fires an intent with a Parcelable that does
    not exist in Chrome's classpath

What is the expected output?
Chrome opens the intent's website as expected

What do you see instead?
Chrome crashes during startup.

Please use labels and text to provide additional information.
Exception according to logcat: (Line numbers might vary)
Caused by: android.os.BadParcelableException: ClassNotFoundException when unmarshalling: com.facebook.events.common.ActionSource
at android.os.Parcel.readParcelableCreator(Parcel.java:2163)
at android.os.Parcel.readParcelable(Parcel.java:2113)
at android.os.Parcel.readValue(Parcel.java:2029)
at android.os.Parcel.readArrayMapInternal(Parcel.java:2330)
at android.os.Bundle.unparcel(Bundle.java:249)
at android.os.Bundle.putLong(Bundle.java:482)
at android.content.Intent.putExtra(Intent.java:5756)
at org.chromium.chrome.browser.IntentHandler.addTimestampToIntent(IntentHandler.java:604)
at org.chromium.chrome.browser.document.ChromeLauncherActivity.onCreate(ChromeLauncherActivity.java:132)
at android.app.Activity.performCreate(Activity.java:5277)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1087)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2213)
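
The pattern the report describes, as an added illustration in Android Java (this is not Chromium's fix, which lives at the review link below; class, method and extra names here are my own): force the extras Bundle to unparcel inside a try/catch, and on BadParcelableException drop every extra while keeping the action and data URI so the intended URL still opens.

```java
import android.content.Intent;
import android.net.Uri;
import android.os.BadParcelableException;
import android.os.Bundle;
import android.util.Log;

/**
 * Added example, not Chromium's code: defensive handling of an incoming
 * Intent whose extras Bundle cannot be unparceled because it references a
 * Parcelable class (in this report, com.facebook.events.common.ActionSource)
 * that is not on the receiving app's classpath.
 */
public final class IncomingIntentSanitizer {
    private static final String TAG = "IntentSanitizer";

    private IncomingIntentSanitizer() {}

    /**
     * Forces the extras to unparcel up front. On BadParcelableException all
     * extras are dropped; action, data URI and component are kept so the
     * intended URL can still be opened. Returns the (possibly modified) intent.
     */
    public static Intent sanitize(Intent intent) {
        if (intent == null) return null;
        try {
            Bundle extras = intent.getExtras();   // copy, still lazily parceled
            if (extras != null) extras.keySet();  // triggers Bundle.unparcel()
            return intent;
        } catch (BadParcelableException e) {
            // Same failure as the logcat trace above, caught here instead of
            // surfacing from the first putExtra()/getExtra() in onCreate().
            Log.w(TAG, "Dropping extras of intent with unknown Parcelable", e);
            intent.replaceExtras((Bundle) null);
            return intent;
        }
    }

    /** Example use from an Activity's onCreate(): touch extras only after sanitizing. */
    public static Uri urlToOpen(Intent rawIntent) {
        Intent safe = sanitize(rawIntent);
        if (safe == null) return null;
        // Safe now: writing an extra no longer forces unparceling of bad data.
        safe.putExtra("timestamp_ms", System.currentTimeMillis());  // hypothetical extra
        return safe.getData();
    }
}
```

Call urlToOpen(getIntent()) at the top of onCreate() and hand the returned Uri to the tab-opening code; an intent with a poisoned Bundle then arrives as a plain VIEW intent with no extras instead of crashing the process at startup.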
 

Comment 1 by kra...@amazon.com, Oct 3 2016

Proposed fix:
https://codereview.chromium.org/2392763002/

Sorry about the first section of the bug report - seems I accidentally copied over part of my commit message.

Comment 2 by bugdroid1@chromium.org, Oct 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4bca3b37801c502a164536b804879c00aba7d304

commit 4bca3b37801c502a164536b804879c00aba7d304
Author: kraush <kraush@amazon.com>
Date: Wed Oct 26 15:34:33 2016

Sanitize unparcable intents

ChromeLauncherActivity did not have sanitation of incoming intents, and thus
if for example an intent with a bad Parcel was sent, Chrome crashed.
This change strips away all extras and makes sure Chrome properly opens the
intended website instead.

BUG=652460,412527

Review-Url: https://codereview.chromium.org/2392763002
Cr-Commit-Position: refs/heads/master@{#427697}

[modify] https://crrev.com/4bca3b37801c502a164536b804879c00aba7d304/chrome/android/java/src/org/chromium/chrome/browser/document/ChromeLauncherActivity.java
[modify] https://crrev.com/4bca3b37801c502a164536b804879c00aba7d304/chrome/android/java/src/org/chromium/chrome/browser/util/IntentUtils.java
[modify] https://crrev.com/4bca3b37801c502a164536b804879c00aba7d304/chrome/android/javatests/src/org/chromium/chrome/browser/document/LauncherActivityTest.java

Comment 3 by wnwen@chromium.org, Oct 26 2016

Mergedinto: 412527
Owner: kra...@amazon.com
Status: Duplicate (was: Untriaged)