fix: WriteNullStrongBinder format and objects array registration

Two fixes for null binder objects:

1. Write BINDER_TYPE_BINDER type field even for null binders, matching
   Android's flattenBinder(nullptr) which sets type=BINDER_TYPE_BINDER
   with binder=0 and cookie=0. Previously wrote all zeros (type=0).

2. Do not record null binder objects in the parcel's objects array.
   Android's Parcel::writeObject skips the objects array when
   binder==0 && !nullMetaData, because the kernel should not process
   null binder objects.

Author: xaionaro@dx.center

parcel/binder_object.go

@@ -133,12 +133,17 @@ func (p *Parcel) ReadStrongBinder() (uint32, error) {
 	return handle, nil
 }
 
-// WriteNullStrongBinder writes a null flat_binder_object (all zeros)
-// followed by the UNDECLARED stability level.
+// WriteNullStrongBinder writes a null flat_binder_object.
+// Android's flattenBinder(nullptr) writes type=BINDER_TYPE_BINDER with
+// binder=0 and cookie=0. The null object is NOT recorded in the objects
+// array (Parcel::writeObject skips it when binder==0 && !nullMetaData).
+// Followed by UNDECLARED stability level (finishFlattenBinder).
 func (p *Parcel) WriteNullStrongBinder() {
-	offset := uint64(p.Len())
-	p.objects = append(p.objects, offset)
-	p.grow(flatBinderObjectSize)
+	buf := p.grow(flatBinderObjectSize)
+
+	// type must be BINDER_TYPE_BINDER even for null (Android convention).
+	binary.LittleEndian.PutUint32(buf[0:], binderTypeBinder)
+	// flags, binder, cookie are all zero (from grow's zero-fill).
 
 	// Null binder uses UNDECLARED stability.
 	p.WriteInt32(StabilityUndeclared)