Picks

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-14.1/android_external_expat/348649.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Wed, 16 Nov 2022 16:31:05 +0000
+Subject: [PATCH] Fix overeager DTD destruction (fixes #649)
+
+Bug: http://b/255449293
+Test: TreeHugger
+Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
+(cherry picked from commit eb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a)
+Merged-In: I15ba529c07a6b868484bd5972be154c07cd97cc6
+---
+ lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 956c2677..57c93e05 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -855,6 +855,14 @@ parserCreate(const XML_Char *encodingName,
+   parserInit(parser, encodingName);
+ 
+   if (encodingName && !protocolEncodingName) {
++    if (dtd) {
++      // We need to stop the upcoming call to XML_ParserFree from happily
++      // destroying parser->m_dtd because the DTD is shared with the parent
++      // parser and the only guard that keeps XML_ParserFree from destroying
++      // parser->m_dtd is parser->m_isParamEntity but it will be set to
++      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
++      _dtd = NULL;
++    }
+     XML_ParserFree(parser);
+     return NULL;
+   }

Patches/LineageOS-14.1/android_frameworks_base/348650.patch

@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jackal Guo <jackalguo@google.com>
+Date: Tue, 25 Oct 2022 15:03:55 +0800
+Subject: [PATCH] Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+
+This action should be only broadcasted when the user data is cleared
+successfully. Broadcasting this action when failed case may result in
+unexpected result.
+
+Bug: 240267890
+Test: manually using the PoC in the buganizer to ensure the symptom
+      no longer exists.
+Change-Id: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b
+(cherry picked from commit 8b2e092146c7ab5c2952818dab6dcb6af9c417ce)
+Merged-In: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b
+---
+ .../android/server/am/ActivityManagerService.java  | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 4e48f422a2fe..4b7cb9bac5af 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -5746,12 +5746,14 @@ public final class ActivityManagerService extends ActivityManagerNative
+                         finishForceStopPackageLocked(packageName, pkgUidF);
+                     }
+ 
+-                    final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED,
+-                            Uri.fromParts("package", packageName, null));
+-                    intent.putExtra(Intent.EXTRA_UID, pkgUidF);
+-                    intent.putExtra(Intent.EXTRA_USER_HANDLE, UserHandle.getUserId(pkgUidF));
+-                    broadcastIntentInPackage("android", Process.SYSTEM_UID, intent,
+-                            null, null, 0, null, null, null, null, false, false, userIdF);
++                    if (succeeded) {
++                        final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED,
++                                Uri.fromParts("package", packageName, null));
++                        intent.putExtra(Intent.EXTRA_UID, pkgUidF);
++                        intent.putExtra(Intent.EXTRA_USER_HANDLE, UserHandle.getUserId(pkgUidF));
++                        broadcastIntentInPackage("android", Process.SYSTEM_UID, intent,
++                                null, null, 0, null, null, null, null, false, false, userIdF);
++                    }
+ 
+                     if (observer != null) {
+                         observer.onRemoveCompleted(packageName, succeeded);

Patches/LineageOS-14.1/android_frameworks_base/348651.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 22 Nov 2022 22:54:01 +0000
+Subject: [PATCH] Convert argument to intent in ChooseTypeAndAccountActivity
+
+Bug: 244154558
+Test: manual
+Change-Id: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e
+(cherry picked from commit ede0a767c26f144e38b4a0c1c2f530b05ffd29a8)
+Merged-In: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e
+---
+ core/java/android/accounts/ChooseTypeAndAccountActivity.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/accounts/ChooseTypeAndAccountActivity.java b/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+index ca4a60e980b8..79cb17231525 100644
+--- a/core/java/android/accounts/ChooseTypeAndAccountActivity.java
++++ b/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+@@ -378,7 +378,7 @@ public class ChooseTypeAndAccountActivity extends Activity
+                 mExistingAccounts = AccountManager.get(this).getAccountsForPackage(mCallingPackage,
+                         mCallingUid);
+                 intent.setFlags(intent.getFlags() & ~Intent.FLAG_ACTIVITY_NEW_TASK);
+-                startActivityForResult(intent, REQUEST_ADD_ACCOUNT);
++                startActivityForResult(new Intent(intent), REQUEST_ADD_ACCOUNT);
+                 return;
+             }
+         } catch (OperationCanceledException e) {

Patches/LineageOS-14.1/android_packages_apps_Bluetooth/348652.patch

@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 8 Nov 2022 23:32:46 +0000
+Subject: [PATCH] Fix OPP comparison
+
+isBluetoothShareUri_correctlyCheckUri (under
+com.android.bluetooth.opp.BluetoothOppUtilityTest) is failing
+on null input due to an incorrect comparison in
+isBluetoothShareUri.  Change the comparison to one which can
+cope with null input.
+
+Bug: 257190999
+Test: atest: BluetoothOppUtilityTest
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: Ia6a08e7092c2084e1816b782317c13254e78719b
+(cherry picked from commit 90dc6fcdcba6c0c2b0f9bdaad28457a81c9af4ba)
+Merged-In: Ia6a08e7092c2084e1816b782317c13254e78719b
+---
+ src/com/android/bluetooth/opp/BluetoothOppUtility.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+index 3a4959fcd..365dfcc81 100644
+--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
++++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+@@ -56,6 +56,7 @@ import java.io.File;
+ import java.io.IOException;
+ import java.util.ArrayList;
+ import java.util.List;
++import java.util.Objects;
+ import java.util.concurrent.ConcurrentHashMap;
+ 
+ import android.support.v4.content.FileProvider;
+@@ -72,10 +73,10 @@ public class BluetoothOppUtility {
+ 
+     public static boolean isBluetoothShareUri(Uri uri) {
+         if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString())
+-                && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) {
++                && !Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority())) {
+             EventLog.writeEvent(0x534e4554, "225880741", -1, "");
+         }
+-        return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority());
++        return Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority());
+     }
+ 
+     public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {

Patches/LineageOS-14.1/android_packages_apps_Nfc/348653.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 22 Nov 2022 15:49:11 -0800
+Subject: [PATCH] DO NOT MERGE OOBW in phNciNfc_MfCreateXchgDataHdr
+
+Bug: 246932269
+Test: Build ok
+Change-Id: I4dcd18da8b5145e218d070414da8997aff181364
+(cherry picked from commit 2e4dfa6c92de30907851914add6485f8b7920968)
+Merged-In: I4dcd18da8b5145e218d070414da8997aff181364
+---
+ nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+index 6c24bf83..91aec55c 100755
+--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
++++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+@@ -1528,6 +1528,12 @@ phNciNfc_MfCreateXchgDataHdr(phNciNfc_TransceiveInfo_t tTranscvInfo,
+     NFCSTATUS   status = NFCSTATUS_SUCCESS;
+     uint8_t     i = 0;
+ 
++    if (tTranscvInfo.tSendData.wLen > (MAX_BUFF_SIZE - 1))
++    {
++      android_errorWriteLog(0x534e4554, "246932269");
++      return NFCSTATUS_FAILED;
++    }
++
+     buff[i++] = phNciNfc_e_MfRawDataXchgHdr;
+     memcpy(&buff[i],tTranscvInfo.tSendData.pBuff,tTranscvInfo.tSendData.wLen);
+     *buffSz = i + tTranscvInfo.tSendData.wLen;

Patches/LineageOS-14.1/android_system_bt/348654.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 27 Sep 2022 22:05:08 +0000
+Subject: [PATCH] Add bounds check in avdt_scb_act.cc
+
+Bug: 242535997
+Test: BT unit tests, validated against researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+(cherry picked from commit eca4a3cdb0da240496341f546a57397434ec85dd)
+Merged-In: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+---
+ stack/avdt/avdt_scb_act.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c
+index f61abd626..5537c3d1d 100644
+--- a/stack/avdt/avdt_scb_act.c
++++ b/stack/avdt/avdt_scb_act.c
+@@ -1295,6 +1295,12 @@ void avdt_scb_hdl_write_req_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
+     /* Add RTP header if required */
+     if ( !(p_data->apiwrite.opt & AVDT_DATA_OPT_NO_RTP) )
+     {
++        if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE)
++        {
++          android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
++          return;
++        }
++
+         ssrc = avdt_scb_gen_ssrc(p_scb);
+ 
+         p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;

PrebuiltApps

@@ -1 +1 @@
-Subproject commit bf86ff13f9f4e487bf3a38198589fc83ab7bc7f8
+Subproject commit f0d83f62a1485644e2d3967916171c1552612977

Scripts/LineageOS-14.1/Patch.sh

@@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2023-01-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-01 #XXX
+sed -i 's/2021-06-05/2023-02-05/' core/version_defaults.mk; #Bump Security String #n-asb-2023-02 #XXX
 fi;
 
 if enterAndClear "device/qcom/sepolicy"; then
@@ -93,6 +93,7 @@ if enterAndClear "external/expat"; then
 applyPatch "$DOS_PATCHES/android_external_expat/337987-backport.patch"; #n-asb-2022-09 Prevent XML_GetBuffer signed integer overflow
 applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
 applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
+applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649)
 fi;
 
 if enterAndClear "external/libavc"; then
@@ -175,6 +176,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/346948.patch"; #n-asb-2023-01 L
 applyPatch "$DOS_PATCHES/android_frameworks_base/346949.patch"; #n-asb-2023-01 Disable all A11yServices from an uninstalled package.
 applyPatch "$DOS_PATCHES/android_frameworks_base/346950.patch"; #n-asb-2023-01 Trim any long string inputs that come in to AutomaticZenRule
 applyPatch "$DOS_PATCHES/android_frameworks_base/346951.patch"; #n-asb-2023-01 Fix conditionId string trimming in AutomaticZenRule
+applyPatch "$DOS_PATCHES/android_frameworks_base/348650.patch"; #n-asb-2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+applyPatch "$DOS_PATCHES/android_frameworks_base/348651.patch"; #n-asb-2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -289,6 +292,7 @@ if enterAndClear "packages/apps/Bluetooth"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332451.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332452.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345525.patch"; #n-asb-2022-12 Fix URI check in BluetoothOppUtility.java
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/348652.patch"; #n-asb-2023-02 Fix OPP comparison
 fi;
 
 if enterAndClear "packages/apps/Contacts"; then
@@ -319,6 +323,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/315715.patch"; #n-asb-2021-09
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328308.patch"; #n-asb-2022-04 Do not set default contactless application without user interaction
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/346953.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive()
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/348653.patch"; #n-asb-2023-02 DO NOT MERGE OOBW in phNciNfc_MfCreateXchgDataHdr
 fi;
 
 if enterAndClear "packages/apps/PackageInstaller"; then
@@ -421,6 +426,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/345529.patch"; #n-asb-2022-12 Add mis
 applyPatch "$DOS_PATCHES/android_system_bt/345530.patch"; #n-asb-2022-12 Add length check when copy AVDT and AVCT packet
 applyPatch "$DOS_PATCHES/android_system_bt/345531.patch"; #n-asb-2022-12 Fix integer overflow when parsing avrc response
 applyPatch "$DOS_PATCHES/android_system_bt/346952.patch"; #n-asb-2023-01 Once AT command is retrieved, return from method.
+applyPatch "$DOS_PATCHES/android_system_bt/348654.patch"; #n-asb-2023-02 Add bounds check in avdt_scb_act.cc
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)