16.0: Import and verify picks

https://review.lineageos.org/q/topic:P_asb_2022-05
https://review.lineageos.org/q/topic:P_asb_2022-06
https://review.lineageos.org/q/topic:P_asb_2022-07
https://review.lineageos.org/q/topic:P_asb_2022-08
https://review.lineageos.org/q/topic:P_asb_2022-09
https://review.lineageos.org/q/topic:P_asb_2022-10
https://review.lineageos.org/q/topic:P_asb_2022-11
https://review.lineageos.org/q/topic:P_asb_2022-12
https://review.lineageos.org/q/topic:P_asb_2023-01
https://review.lineageos.org/q/topic:P_asb_2023-02
https://review.lineageos.org/q/topic:P_asb_2023-03
https://review.lineageos.org/q/topic:P_asb_2023-04
https://review.lineageos.org/q/topic:P_asb_2023-05
https://review.lineageos.org/q/topic:P_asb_2023-06
https://review.lineageos.org/q/topic:P_asb_2023-07
	accounted for via manifest change:
	https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250
https://review.lineageos.org/q/topic:P_asb_2023-08
	accounted for via manifest change:
	https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606
	accounted for via patches:
	https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328
https://review.lineageos.org/q/topic:P_asb_2023-09
https://review.lineageos.org/q/topic:P_asb_2023-10
https://review.lineageos.org/q/topic:P_asb_2023-11
	accounted for via patches:
	https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916
https://review.lineageos.org/q/topic:P_asb_2023-12
https://review.lineageos.org/q/topic:P_asb_2024-01
https://review.lineageos.org/q/topic:P_asb_2024-02
https://review.lineageos.org/q/topic:P_asb_2024-03
https://review.lineageos.org/q/topic:P_asb_2024-04

Signed-off-by: Tavi <tavi@divested.dev>

Misc/pick-imports/16-asbs-download.sh

@@ -0,0 +1,271 @@
+wget https://github.com/LineageOS/android_frameworks_base/commit/ea52854b208d2a8e367c65068edbdff741b9eb80.patch -O android_frameworks_base/330961.patch; #P_asb_2022-05 Keyguard - Treat messsages to lock with priority
+wget https://github.com/LineageOS/android_frameworks_base/commit/6bc4a89b9680b780768ee2b92a01f979b708c00b.patch -O android_frameworks_base/330962.patch; #P_asb_2022-05 Verify caller before auto granting slice permission
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/e298920fbeb8714698c6e96beaff71383640878b.patch -O android_packages_services_Telecomm/330959.patch; #P_asb_2022-05 Handle null bindings returned from ConnectionService.
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/cfe47c5ab58c17fe9e2b580874878347461d8695.patch -O android_packages_apps_Settings/330960.patch; #P_asb_2022-05 Hide private DNS settings UI in Guest mode
+wget https://github.com/LineageOS/android_frameworks_base/commit/a1c1383a08e17e14273e0f2e7d1c250fb4e3b7f2.patch -O android_frameworks_base/330963.patch; #P_asb_2022-05 Always restart apps if base.apk gets updated.
+wget https://github.com/LineageOS/android_external_aac/commit/e40800a613eb89b5b4c701774c3cecc1c2b7dd6c.patch -O android_external_aac/332775.patch; #P_asb_2022-06 Reject invalid out of band config in transportDec_OutOfBandConfig() and skip re-allocation.
+wget https://github.com/LineageOS/android_frameworks_base/commit/4005549db2fa7e1524fc0dbbe22c774fb00b6cb3.patch -O android_frameworks_base/332779.patch; #P_asb_2022-06 Prevent non-admin users from deleting system apps.
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/526bbbb30625c4b2728d4c461137413dbd1a96f6.patch -O android_packages_services_Telecomm/332764.patch; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
+wget https://github.com/LineageOS/android_system_core/commit/976019d07ad1c007043b78450857f428a1440f06.patch -O android_system_core/332765.patch; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
+wget https://github.com/LineageOS/android_frameworks_base/commit/c8da70733ac6be9b209b27b8bd72f9b0f0a2ee44.patch -O android_frameworks_base/332778.patch; #P_asb_2022-06 Fix security hole in GateKeeperResponse
+wget https://github.com/LineageOS/android_frameworks_base/commit/e7f0f7bac948a3deb2ef9139ef4fd9ad9eb1215a.patch -O android_frameworks_base/332777.patch; #P_asb_2022-06 Add an OEM configurable limit for zen rules
+wget https://github.com/LineageOS/android_frameworks_base/commit/c6a97af0e9b22c303d13ad573e96eb4b06c0bfa3.patch -O android_frameworks_base/332776.patch; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
+wget https://github.com/LineageOS/android_frameworks_base/commit/76c531e222779ae68047010f42f7a36100010f4c.patch -O android_frameworks_base/332757.patch; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
+wget https://github.com/LineageOS/android_frameworks_base/commit/258ab4cfd77e49b087f4b3333c21ecb23d4c2a9f.patch -O android_frameworks_base/332756.patch; #P_asb_2022-06 Add finalizeWorkProfileProvisioning.
+wget https://github.com/LineageOS/android_packages_apps_Nfc/commit/d7722eaa4defeaea88dce9f3c644e038af3f637d.patch -O android_packages_apps_Nfc/332762.patch; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/ecf8fd5a9aa4976ace98fe9a4986f1de3ff77c1d.patch -O android_packages_apps_Settings/332763.patch; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+wget https://github.com/LineageOS/android_packages_apps_Dialer/commit/71701cfc7511cd3ad2e8a0f0f12dd78ea8db2517.patch -O android_packages_apps_Dialer/332761.patch; #P_asb_2022-06 No longer export CallSubjectDialog
+wget https://github.com/LineageOS/android_packages_apps_Contacts/commit/5055718d99866a7783cf72199b3f385e68bc7a53.patch -O android_packages_apps_Contacts/332760.patch; #P_asb_2022-06 No longer export CallSubjectDialog
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/6ff1c1f2e637e0dc3fc803f8028c7b89bae74937.patch -O android_packages_apps_Bluetooth/332759.patch; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/eb31965a73439dc8638d03b23f4648774a05df57.patch -O android_packages_apps_Bluetooth/332758.patch; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_packages_apps_Nfc/commit/08fbee6160c576d2d9feff91af2ed3ce0bff2cb7.patch -O android_vendor_nxp_opensource_packages_apps_Nfc/332773.patch; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+wget https://github.com/LineageOS/android_system_nfc/commit/318f09ce7e384809e3ab68c0294be96da6bf5141.patch -O android_system_nfc/332766.patch; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+wget https://github.com/LineageOS/android_system_nfc/commit/af0a965cd72fa6cab442fc46068fe4e556ca14c3.patch -O android_system_nfc/332767.patch; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+wget https://github.com/LineageOS/android_system_nfc/commit/09dd85730f6c7ea4e2da2a9bf51de5d45a3b1061.patch -O android_system_nfc/332768.patch; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/a6c1507a0fa5a844514ecae89d0758ccb8724585.patch -O android_vendor_nxp_opensource_external_libnfc-nci/332769.patch; #P_asb_2022-06 Prevent OOB write in nfc_ncif_proc_ee_discover_req
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/9dd0310855fa8889217e4e077bcfc7822abdbdc2.patch -O android_vendor_nxp_opensource_external_libnfc-nci/332770.patch; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/84a8c1e3350174c25da59c7c6479b0dca37df111.patch -O android_vendor_nxp_opensource_external_libnfc-nci/332771.patch; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/d5b6e36b4d5585d3e003d16ba6aa73929ae7255d.patch -O android_vendor_nxp_opensource_external_libnfc-nci/332772.patch; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+wget https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/82c9270c2cf11b9a2ac4b5942f3ec086bc02099c.patch -O android_packages_apps_EmergencyInfo/342101.patch; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+wget https://github.com/LineageOS/android_frameworks_base/commit/862a9ed37b4cc89f450e6159cec65552e6e9fd38.patch -O android_frameworks_base/334256.patch; #P_asb_2022-07 StorageManagerService: don't ignore failures to prepare user storage
+wget https://github.com/LineageOS/android_frameworks_base/commit/10600c7c0cb582877cae6d3a28c9e39a73add1e1.patch -O android_frameworks_base/334257.patch; #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails
+wget https://github.com/LineageOS/android_frameworks_base/commit/44130eac9f128dbea908171de1fa0743f2dda709.patch -O android_frameworks_base/334258.patch; #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only
+wget https://github.com/LineageOS/android_frameworks_base/commit/8b1d16f79b125ea356d7af582fc6ceac297afa04.patch -O android_frameworks_base/334259.patch; #P_asb_2022-07 Ignore errors preparing user storage for existing users
+wget https://github.com/LineageOS/android_frameworks_base/commit/2688ed5ff6c1c637444ba776d730940769b2ee1d.patch -O android_frameworks_base/334260.patch; #P_asb_2022-07 Log to EventLog on prepareUserStorage failure
+wget https://github.com/LineageOS/android_frameworks_base/commit/bcede32d6c0c192b00fa745e522d50b817ea969b.patch -O android_frameworks_base/334262.patch; #P_asb_2022-07 Crash invalid FGS notifications
+wget https://github.com/LineageOS/android_packages_apps_KeyChain/commit/5e04f66b9db71a74b7dbf6ca9a43b602d5fca122.patch -O android_packages_apps_KeyChain/334264.patch; #P_asb_2022-07 Encode authority part of uri before showing in UI
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/1fee30e9946eec7ec5b0c95481317cd1647c92a7.patch -O android_packages_apps_Settings/334265.patch; #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
+wget https://github.com/LineageOS/android_system_bt/commit/b15c9cc55faddbdb36df6af086762adfef028bbe.patch -O android_system_bt/334266.patch; #P_asb_2022-07 Security: Fix out of bound write in HFP client
+wget https://github.com/LineageOS/android_system_bt/commit/5d7b97ac9aa45287bf57d061b7e1e0287c7c513a.patch -O android_system_bt/334267.patch; #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
+wget https://github.com/LineageOS/android_frameworks_opt_telephony/commit/4e3e190ff664797f23039da13a45a70ddf615489.patch -O android_frameworks_opt_telephony/334263.patch; #P_asb_2022-07 Enforce privileged phone state for getSubscriptionProperty(GROUP_UUID)
+wget https://github.com/LineageOS/android_system_bt/commit/f41d68b53f669b96787f5fde38bdc5fe73e795b8.patch -O android_system_bt/334268.patch; #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
+wget https://github.com/LineageOS/android_frameworks_base/commit/35c2fc9116afdd6fe2dcca6e4fb59466a317b342.patch -O android_frameworks_base/335117.patch; #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity
+wget https://github.com/LineageOS/android_system_bt/commit/8bfd408fa1ebf3d8dc2fc9906672c7cfe7dc0144.patch -O android_system_bt/335109.patch; #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
+wget https://github.com/LineageOS/android_packages_providers_ContactsProvider/commit/3b27f760484b42cc1ea25af7bdeb68b40cdfa455.patch -O android_packages_providers_ContactsProvider/335110.patch; #P_asb_2022-08 enforce stricter CallLogProvider query
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/9dfc928466d7709c968adcba7f22378e243b99f2.patch -O android_packages_apps_Settings/335111.patch; #P_asb_2022-08 Verify ringtone from ringtone picker is audio
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/539f79473852aab2bebcc7374404f47eccb297b1.patch -O android_packages_apps_Settings/335112.patch; #P_asb_2022-08 Make bluetooth not discoverable via SliceDeepLinkTrampoline
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/b8e381a8e5b104a455efb6b4352eee04b1fb4a5c.patch -O android_packages_apps_Settings/335113.patch; #P_asb_2022-08 Fix: policy enforcement for location wifi scanning
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/83ce5e4d8f0bb352ed433e711acacdd1a51130fe.patch -O android_packages_apps_Settings/335114.patch; #P_asb_2022-08 Fix Settings crash when setting a null ringtone
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/91b6470dde8a9b2586273796c183a29000a82ce5.patch -O android_packages_apps_Settings/335115.patch; #P_asb_2022-08 Fix can't change notification sound for work profile.
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/ccebafea047fef8ab93c4e748ab1b9a15280702b.patch -O android_packages_apps_Settings/335116.patch; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI
+wget https://github.com/LineageOS/android_frameworks_base/commit/a532c1aeec285ebd601ceb266f0af8553ccef5df.patch -O android_frameworks_base/335118.patch; #P_asb_2022-08 Suppress notifications when device enter lockdown
+wget https://github.com/LineageOS/android_frameworks_base/commit/017b9b6b000693a5e48ba7431bf638c257833ec3.patch -O android_frameworks_base/335119.patch; #P_asb_2022-08 Remove package title from notification access confirmation intent
+wget https://github.com/LineageOS/android_frameworks_base/commit/53f3e590ac533cacdf7e78ec701a8e365c89901b.patch -O android_frameworks_base/335121.patch; #P_asb_2022-08 Only allow the system server to connect to sync adapters
+wget https://github.com/LineageOS/android_frameworks_base/commit/cb2cb0520dd1f4c7e19e806cde02fc3da6a355d2.patch -O android_frameworks_base/335120.patch; #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash
+wget https://github.com/LineageOS/android_frameworks_base/commit/26e3268f3cac1d120d8b4683e8d5201b70f44fc2.patch -O android_frameworks_base/338346.patch; #P_asb_2022-09 Fix duplicate permission privilege escalation
+wget https://github.com/LineageOS/android_frameworks_base/commit/b98ed505d5c477f5d6e1f88433a5c9f1cb03025e.patch -O android_frameworks_base/338347.patch; #P_asb_2022-09 Parcel: recycle recycles
+wget https://github.com/LineageOS/android_frameworks_base/commit/3a1887eb6147d7e51a79c387aaed38c08056c789.patch -O android_frameworks_base/338348.patch; #P_asb_2022-09 IMMS: Make IMMS PendingIntents immutable
+wget https://github.com/LineageOS/android_frameworks_base/commit/031578d71058c6400ea91b1806b467aca2de54b1.patch -O android_frameworks_base/338349.patch; #P_asb_2022-09 Remove package name from SafetyNet logs
+wget https://github.com/LineageOS/android_external_expat/commit/31f7a33a236a574c7c4bea5de648c349fa1e7508.patch -O android_external_expat/338353.patch; #P_asb_2022-09 Prevent integer overflow in copyString
+wget https://github.com/LineageOS/android_external_expat/commit/5c70aa4e573cf46f6127aa6713c09877a246bf6b.patch -O android_external_expat/338354.patch; #P_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
+wget https://github.com/LineageOS/android_external_expat/commit/68116f18efee226636fdc2ecf518f3de589c98a8.patch -O android_external_expat/338355.patch; #P_asb_2022-09 Prevent integer overflow in function doProlog
+wget https://github.com/LineageOS/android_external_expat/commit/883c4901f5ca13cf202c9c234612e117f0ef092e.patch -O android_external_expat/338356.patch; #P_asb_2022-09 Prevent more integer overflows
+wget https://github.com/LineageOS/android_system_bt/commit/a940244a653c0c20e5d08aaf40484da93300dc3f.patch -O android_system_bt/338350.patch; #P_asb_2022-09 Fix OOB in bnep_is_packet_allowed
+wget https://github.com/LineageOS/android_system_bt/commit/de882ad1be24fa351ad8ba483b89c2b0b1e615c6.patch -O android_system_bt/338351.patch; #P_asb_2022-09 Fix OOB in BNEP_Write
+wget https://github.com/LineageOS/android_system_bt/commit/88b4c659bc53971605a5cdde56f94b2d90677d20.patch -O android_system_bt/338352.patch; #P_asb_2022-09 Fix OOB in reassemble_and_dispatch
+wget https://github.com/LineageOS/android_external_dtc/commit/d8ff0456cbe3b32b5f71dd0740f9a6cca6de27b9.patch -O android_external_dtc/342096.patch; #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings
+wget https://github.com/LineageOS/android_system_bt/commit/024bd7b32e3298ceaf70443e9224aff56cf8de4b.patch -O android_system_bt/342097.patch; #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
+wget https://github.com/LineageOS/android_system_nfc/commit/f7eb9ba0755d2ab170d7fa7f46d67ebed4690426.patch -O android_system_nfc/342098.patch; #P_asb_2022-10 The length of a packet should be non-zero
+wget https://github.com/LineageOS/android_frameworks_base/commit/950c44f0e7229672ea093e86d7f05df00b33844d.patch -O android_frameworks_base/342100.patch; #P_asb_2022-10 Limit the number of concurrently snoozed notifications
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/c5cae87d66c3b8d459677da775cc61e550bba993.patch -O android_vendor_nxp_opensource_external_libnfc-nci/342099.patch; #P_asb_2022-10 The length of a packet should be non-zero
+wget https://github.com/LineageOS/android_packages_apps_PackageInstaller/commit/79fbc97fa9030bc872c26dde69d3d6b5ca50d42c.patch -O android_packages_apps_PackageInstaller/344181.patch; #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity
+wget https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/915289305d5bd55c3a9e5667acab9cfec8f68d31.patch -O android_packages_providers_TelephonyProvider/344182.patch; #P_asb_2022-11 Check dir path before updating permissions.
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/9bd081d4162ee1bd99eed4a2f8c144255a3b7a41.patch -O android_packages_services_Telecomm/344183.patch; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+wget https://github.com/LineageOS/android_system_bt/commit/b8332ffa326c412c7952bcae1ad924a8542caa8e.patch -O android_system_bt/344184.patch; #P_asb_2022-11 Add negative length check in process_service_search_rsp
+wget https://github.com/LineageOS/android_system_bt/commit/9e3a7208a794cb350b5b1565db4e1120d7b1373d.patch -O android_system_bt/344185.patch; #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
+wget https://github.com/LineageOS/android_frameworks_base/commit/fcd8dc4d686c362b7353f9d7c6a3b05994cc0565.patch -O android_frameworks_base/344168.patch; #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
+wget https://github.com/LineageOS/android_frameworks_base/commit/bad61936167d1d7eca8dc155e8c0c8a248a2bc5c.patch -O android_frameworks_base/344169.patch; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+wget https://github.com/LineageOS/android_frameworks_base/commit/e72558a547d48190469c0763a9e317d1792a9f53.patch -O android_frameworks_base/344170.patch; #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo
+wget https://github.com/LineageOS/android_frameworks_base/commit/6a42e12de4cf0f2de93cbd8bb4506de8a83dd88a.patch -O android_frameworks_base/344171.patch; #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user.
+wget https://github.com/LineageOS/android_frameworks_base/commit/36b533a308ced7203f515daed97d0f15bb65587f.patch -O android_frameworks_base/344172.patch; #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule
+wget https://github.com/LineageOS/android_frameworks_base/commit/114dcf0b5836c0c982a560e85350f408c8640bdf.patch -O android_frameworks_base/344173.patch; #P_asb_2022-11 Check permission for VoiceInteraction
+wget https://github.com/LineageOS/android_frameworks_base/commit/22e363c319e6fddeea39f00f7ef5e63395a45dc5.patch -O android_frameworks_base/344174.patch; #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock
+wget https://github.com/LineageOS/android_hardware_nxp_nfc/commit/70c3eef94c74e78d9bf9e9119d58ca0a5082cf2f.patch -O android_hardware_nxp_nfc/344180.patch; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+wget https://github.com/LineageOS/android_external_dtc/commit/c34b2c464b0900d3e79aa1c64c25137fd09c4762.patch -O android_external_dtc/344161.patch; #P_asb_2022-11 Fix integer wrap sanitisation.
+wget https://github.com/LineageOS/android_frameworks_av/commit/2692e4bcdba06eec20424291acaac5669acf581f.patch -O android_frameworks_av/344167.patch; #P_asb_2022-11 setSecurityLevel in clearkey
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_halimpl/commit/9d9f191dd2522aa286bdc3c42d6777b6e503356b.patch -O android_vendor_nxp_opensource_halimpl/344190.patch; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+wget https://github.com/LineageOS/android_system_bt/commit/cea94f7ab0d36254a99d5854b9c2e83afd4584bc.patch -O android_system_bt/345915.patch; #P_asb_2022-12 Added max buffer length check
+wget https://github.com/LineageOS/android_system_bt/commit/56ea90b69d6715e7e1f0ddd35fd5ca7e19d93dc6.patch -O android_system_bt/345916.patch; #P_asb_2022-12 Add missing increment in bnep_api.cc
+wget https://github.com/LineageOS/android_system_bt/commit/da6430bd4b319f8398deaef8d74341234fb79624.patch -O android_system_bt/345917.patch; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
+wget https://github.com/LineageOS/android_system_bt/commit/222fad2e71f159e3d6e0bc0aef36f83cbf3fcdfa.patch -O android_system_bt/345918.patch; #P_asb_2022-12 Fix integer overflow when parsing avrc response
+wget https://github.com/LineageOS/android_frameworks_base/commit/16da2229db1aa80499b296bc8c384fe78add0e30.patch -O android_frameworks_base/345892.patch; #P_asb_2022-12 Revert "Prevent non-admin users from deleting system apps."
+wget https://github.com/LineageOS/android_frameworks_base/commit/921f748f4dd12465721dc7e8ed86f89c0718da57.patch -O android_frameworks_base/345893.patch; #P_asb_2022-12 Limit the size of NotificationChannel and NotificationChannelGroup
+wget https://github.com/LineageOS/android_frameworks_base/commit/4bdaa78394c95a864f1d34ec1997c6494dbece15.patch -O android_frameworks_base/345894.patch; #P_asb_2022-12 Prevent non-admin users from deleting system apps.
+wget https://github.com/LineageOS/android_frameworks_base/commit/c8ac5b6a05bb584e196b4c1bd4b819914c4018b6.patch -O android_frameworks_base/345895.patch; #P_asb_2022-12 Validate package name passed to setApplicationRestrictions.
+wget https://github.com/LineageOS/android_frameworks_base/commit/9e0a825e2ca0cf102fc462af55f5a471d6d5836d.patch -O android_frameworks_base/345896.patch; #P_asb_2022-12 Include all enabled services when FEEDBACK_ALL_MASK.
+wget https://github.com/LineageOS/android_frameworks_base/commit/8d88ee0de3b9e474fcc70ab121186df93bf75456.patch -O android_frameworks_base/345897.patch; #P_asb_2022-12 [pm] forbid deletion of protected packages
+wget https://github.com/LineageOS/android_frameworks_base/commit/c4763f78a2ab695992cf63709b665c7478d43891.patch -O android_frameworks_base/345898.patch; #P_asb_2022-12 Fix NPE
+wget https://github.com/LineageOS/android_frameworks_base/commit/08605e9ee1e96336fe3202066a6cdba21cf377ad.patch -O android_frameworks_base/345899.patch; #P_asb_2022-12 Fix a security issue in app widget service.
+wget https://github.com/LineageOS/android_frameworks_base/commit/4d5e30ccea8cc4dec6359f004173d896c4b01556.patch -O android_frameworks_base/345900.patch; #P_asb_2022-12 Ignore malformed shortcuts
+wget https://github.com/LineageOS/android_frameworks_base/commit/58e177ca589576cacfd1ed016bdd5d0bf4cb9a5d.patch -O android_frameworks_base/345901.patch; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
+wget https://github.com/LineageOS/android_frameworks_base/commit/be00f79f1148a27fd9161e65ebaa2eedb7fca4c7.patch -O android_frameworks_base/345902.patch; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
+wget https://github.com/LineageOS/android_frameworks_minikin/commit/4f583889fcc90883fa3ec86befa20c671ec8774e.patch -O android_frameworks_minikin/345903.patch; #P_asb_2022-12 Fix OOB read for registerLocaleList
+wget https://github.com/LineageOS/android_frameworks_minikin/commit/89b513681269399b4d2621f0c1750daa48f77681.patch -O android_frameworks_minikin/345904.patch; #P_asb_2022-12 Fix OOB crash for registerLocaleList
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/f7624d5f831e8576a816feaebb120974e54c23b6.patch -O android_packages_apps_Bluetooth/345907.patch; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
+wget https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/c6cd624a87b1b8f586ef83b2a810c36669b55a0b.patch -O android_packages_apps_EmergencyInfo/345908.patch; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+wget https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/d25bc7d14e791a049698ac2c7cbd9c72e6e7592d.patch -O android_packages_apps_EmergencyInfo/345909.patch; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/06242790f0f2b20e1f0caa0548924d1fcddfca93.patch -O android_packages_apps_Settings/345910.patch; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/090473035dd448e96138844bfec0c88952acf3d1.patch -O android_packages_apps_Settings/345911.patch; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/6f9c13de0a620203fe7d6bcdfd6d94c74e22706b.patch -O android_packages_apps_Settings/345912.patch; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+wget https://github.com/LineageOS/android_external_dtc/commit/77e6d383cde91d7ac8bbb159de215ec198e9f1aa.patch -O android_external_dtc/345891.patch; #P_asb_2022-12 libfdt: fdt_path_offset_namelen: Reject empty paths
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/fae9a71b822b913e7516333484e8efd513e1640d.patch -O android_packages_services_Telecomm/345913.patch; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
+wget https://github.com/LineageOS/android_system_bt/commit/210fe2c41c04d50c7a82a6415d7708ff5d055b3e.patch -O android_system_bt/345914.patch; #P_asb_2022-12 Add length check when copy AVDTP packet
+wget https://github.com/LineageOS/android_frameworks_base/commit/7f7b42f83fd7aef7570450b82c5931aa81f1e66d.patch -O android_frameworks_base/347044.patch; #P_asb_2023-01 Limit lengths of fields in Condition to a max length.
+wget https://github.com/LineageOS/android_frameworks_base/commit/91726ddbd32c8b5226991492354f1d93616c6cfd.patch -O android_frameworks_base/347045.patch; #P_asb_2023-01 Disable all A11yServices from an uninstalled package.
+wget https://github.com/LineageOS/android_frameworks_base/commit/2dc4e2467dcebfc827d68f573570cd04e6ea6244.patch -O android_frameworks_base/347046.patch; #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule
+wget https://github.com/LineageOS/android_frameworks_base/commit/9b5407d68859e615a2ee7a229f486fc5365682da.patch -O android_frameworks_base/347047.patch; #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated
+wget https://github.com/LineageOS/android_frameworks_base/commit/66a9e8fc457e7257b78dfef3f18eab01c63efc12.patch -O android_frameworks_base/347048.patch; #P_asb_2023-01 Revert "Revert "Validate permission tree size..."
+wget https://github.com/LineageOS/android_frameworks_base/commit/c8892a45db45ee79085b0ee620b3d8f69f560d03.patch -O android_frameworks_base/347049.patch; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
+wget https://github.com/LineageOS/android_frameworks_base/commit/9e7745eeedc6066e91e0c508d49c8db15a8ae6bf.patch -O android_frameworks_base/347050.patch; #P_asb_2023-01 Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23
+wget https://github.com/LineageOS/android_frameworks_base/commit/be4c10b9f70b5033bc6f75649265a12f65ad0bc3.patch -O android_frameworks_base/347051.patch; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
+wget https://github.com/LineageOS/android_packages_services_Telephony/commit/d596467cc3b161beca194ce4c8f96efcd0d6a340.patch -O android_packages_services_Telephony/347041.patch; #P_asb_2023-01 prevent overlays on the phone settings
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/7636df9f0dcff2d9b272f925b956348fc8dc384b.patch -O android_packages_services_Telecomm/347042.patch; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
+wget https://github.com/LineageOS/android_packages_apps_Nfc/commit/48b3f34578cd9757a11c1cd694527b45c5915ae8.patch -O android_packages_apps_Nfc/347043.patch; #P_asb_2023-01 OOBW in Mfc_Transceive()
+wget https://github.com/LineageOS/android_system_bt/commit/deb080bb11eadef601ec11633317090f060e50bb.patch -O android_system_bt/347127.patch; #P_asb_2023-01 BT: Once AT command is retrieved, return from method.
+wget https://github.com/LineageOS/android_system_bt/commit/0c74f58652259adde281b7d8b13732a8f0e9ab92.patch -O android_system_bt/347128.patch; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
+wget https://github.com/LineageOS/android_frameworks_base/commit/a9d49368cb13ba9d98af67ae9a96b82ae7fc4e46.patch -O android_frameworks_base/349330.patch; #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+wget https://github.com/LineageOS/android_frameworks_base/commit/7780547c156f34020ba7316e8c8cbea6c7985818.patch -O android_frameworks_base/349331.patch; #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/90e0fb025afa7bfe3600b79c2e0e563b5d6124bb.patch -O android_packages_apps_Bluetooth/349332.patch; #P_asb_2023-02 Fix OPP comparison
+wget https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/eeb60967a52197d04d331b8e87beb5f1fb9e92aa.patch -O android_packages_apps_EmergencyInfo/349333.patch; #P_asb_2023-02 Removes unnecessary permission from the EmergencyInfo app.
+wget https://github.com/LineageOS/android_system_bt/commit/12b2d2eeb63246e85e30389d2e885608e9209cc1.patch -O android_system_bt/349334.patch; #P_asb_2023-02 Report failure when not able to connect to AVRCP
+wget https://github.com/LineageOS/android_system_bt/commit/8e81bb1e80ccbba0724e12dabac61b9ac36d4b0f.patch -O android_system_bt/349335.patch; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_packages_apps_Nfc/commit/35299f9e605257a17257c5da0064c3f7cc3dce4a.patch -O android_vendor_nxp_opensource_packages_apps_Nfc/349336.patch; #P_asb_2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr
+wget https://github.com/LineageOS/android_external_expat/commit/281fc3aeb520277460014a8c398ba083d167f284.patch -O android_external_expat/349328.patch; #P_asb_2023-02 [CVE-2022-43680] Fix overeager DTD destruction (fixes
+wget https://github.com/LineageOS/android_frameworks_av/commit/994d95501928153cb7b8f04587e3160bc17ce2a5.patch -O android_frameworks_av/349329.patch; #P_asb_2023-02 move MediaCodec metrics processing to looper thread
+wget https://github.com/LineageOS/android_external_zlib/commit/d6e0dec5307a69aa6381246221803bdc050e5b96.patch -O android_external_zlib/351909.patch; #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/5f84b1609065c5b26f2b5278d83fdd791597a69f.patch -O android_packages_apps_Settings/351914.patch; #P_asb_2023-03 FRP bypass defense in the settings app
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/718126925dc2e00c268f49d006231eb3edd5778a.patch -O android_packages_apps_Settings/351915.patch; #P_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
+wget https://github.com/LineageOS/android_system_bt/commit/b7dfbbdf4dc9ae5761816ad0a4875d46244ed25a.patch -O android_system_bt/351916.patch; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+wget https://github.com/LineageOS/android_system_bt/commit/b433704453d59946be0f5b30346cf0dd3e42ec09.patch -O android_system_bt/351917.patch; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+wget https://github.com/LineageOS/android_system_bt/commit/fcd19451fa2e3da35c3e0f5db0961b994ed1b49f.patch -O android_system_bt/351918.patch; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
+wget https://github.com/LineageOS/android_frameworks_base/commit/3f8c0e9c4ad48b37c44e132a7a8e3fd157a83e00.patch -O android_frameworks_base/351910.patch; #P_asb_2023-03 Move service initialization
+wget https://github.com/LineageOS/android_frameworks_base/commit/11c799795be7c8bafedbc4eb3d940b4a1f93a308.patch -O android_frameworks_base/351911.patch; #P_asb_2023-03 Enable user graularity for lockdown mode
+wget https://github.com/LineageOS/android_frameworks_base/commit/d6401e37da9afb99f647b09fd3ce9aa38bb84016.patch -O android_frameworks_base/351912.patch; #P_asb_2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag
+wget https://github.com/LineageOS/android_frameworks_base/commit/7d63c11542c202467f035e03644962a263cfdc19.patch -O android_frameworks_base/351913.patch; #P_asb_2023-03 Reconcile WorkSource parcel and unparcel code.
+wget https://github.com/LineageOS/android_frameworks_base/commit/7ed39484667b94b738b7d1d7717ef5b640a7a405.patch -O android_frameworks_base/354243.patch; #P_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver
+wget https://github.com/LineageOS/android_frameworks_base/commit/34184bc31e77a8db5b967ca275f6e4841bd5e3ff.patch -O android_frameworks_base/354244.patch; #P_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass
+wget https://github.com/LineageOS/android_frameworks_base/commit/9cade5349e44f2b48ed6408e3b05a1272ff2a3ef.patch -O android_frameworks_base/354245.patch; #P_asb_2023-04 Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE
+wget https://github.com/LineageOS/android_frameworks_base/commit/1dc0540d7b8918a6043c0863b2bea0946b100b8e.patch -O android_frameworks_base/354242.patch; #P_asb_2023-04 Context#startInstrumentation could be started from SHELL only now.
+wget https://github.com/LineageOS/android_system_bt/commit/a883a17a9e05d87bfb1547d8b812522c771c971c.patch -O android_system_bt/354246.patch; #P_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
+wget https://github.com/LineageOS/android_system_bt/commit/d9472b7fba9c3a366e768ff4c28225d264aa6ad1.patch -O android_system_bt/354247.patch; #P_asb_2023-04 Fix an OOB bug in register_notification_rsp
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/5ad6edf34e69b9bd0334bb0b0a3592b8d5ded5b4.patch -O android_vendor_nxp_opensource_external_libnfc-nci/354249.patch; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+wget https://github.com/LineageOS/android_system_nfc/commit/d751463856e968430d4859a55a97f12b2553de19.patch -O android_system_nfc/354248.patch; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/ffd36f517fae838fe836d6f189b2de6355e6814c.patch -O android_packages_services_Telecomm/356150.patch; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+wget https://github.com/LineageOS/android_frameworks_native/commit/09ece8aee9246ba8ef5408e074165c9bbc2d6bc1.patch -O android_frameworks_native/356151.patch; #P_asb_2023-05 Check for malformed Sensor Flattenable
+wget https://github.com/LineageOS/android_frameworks_native/commit/c62382dd2192444ca7a81a0318521b03e852c355.patch -O android_frameworks_native/356152.patch; #P_asb_2023-05 Remove some new memory leaks from SensorManager
+wget https://github.com/LineageOS/android_frameworks_native/commit/30348a31e1c0eb604f1a2de40b57d734f71cb9e8.patch -O android_frameworks_native/356153.patch; #P_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
+wget https://github.com/LineageOS/android_frameworks_base/commit/e0f219e675b2a36304db2f163783fe82937c1d41.patch -O android_frameworks_base/356156.patch; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+wget https://github.com/LineageOS/android_frameworks_base/commit/18025b2a135d7e7063201054b7f4409fe562ee56.patch -O android_frameworks_base/356154.patch; #P_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
+wget https://github.com/LineageOS/android_frameworks_base/commit/0cfc7a41aa5b741452316b19bc100be58bbe3cc7.patch -O android_frameworks_base/356155.patch; #P_asb_2023-05 Uri: check authority and scheme as part of determining URI path
+wget https://github.com/LineageOS/android_frameworks_av/commit/d4f4cbe1d4eb1e80f64676cb07e84a6409cd095f.patch -O android_frameworks_av/359729.patch; #P_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/ed20a91b473462e14f7cea5dd1b8cbff4d0feab5.patch -O android_packages_apps_Settings/359734.patch; #P_asb_2023-06 Convert argument to intent in AddAccountSettings.
+wget https://github.com/LineageOS/android_packages_apps_TvSettings/commit/3f8f5d733659d15eb78d0a3de97442c1c33259b8.patch -O android_packages_apps_TvSettings/359735.patch; #P_asb_2023-06 Convert argument to intent in addAccount TvSettings.
+wget https://github.com/LineageOS/android_system_bt/commit/5f6f48a784284a9220ae70d9f99d96a25bd3adce.patch -O android_system_bt/359736.patch; #P_asb_2023-06 Prevent use-after-free of HID reports
+wget https://github.com/LineageOS/android_system_bt/commit/969a3c9aba7e8060f1bcf341375263d67fec01d2.patch -O android_system_bt/359737.patch; #P_asb_2023-06 Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""
+wget https://github.com/LineageOS/android_system_bt/commit/d50fdc03f066f2b1bdb3bcb21d627a0e3ac9e268.patch -O android_system_bt/359738.patch; #P_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
+wget https://github.com/LineageOS/android_frameworks_base/commit/c45ee6ab3ee0b8e4f16cc88d098fb9200b3a109a.patch -O android_frameworks_base/359730.patch; #P_asb_2023-06 Check key intent for selectors and prohibited flags
+wget https://github.com/LineageOS/android_frameworks_base/commit/22bac442d2249f6e02608f9994cf761bfdf90d80.patch -O android_frameworks_base/359731.patch; #P_asb_2023-06 Handle invalid data during job loading.
+wget https://github.com/LineageOS/android_frameworks_base/commit/24a90436bb260a64b427efb98f3aa40f0c27fe32.patch -O android_frameworks_base/359732.patch; #P_asb_2023-06 Allow filtering of services
+wget https://github.com/LineageOS/android_frameworks_base/commit/4974a8613d776dcd0dff6c8950b3dd1a7dbec465.patch -O android_frameworks_base/359733.patch; #P_asb_2023-06 Prevent RemoteViews crashing SystemUi
+wget https://github.com/LineageOS/android_packages_apps_Traceur/commit/43b23418ed73d1b64bb198a79c5825666c95684d.patch -O android_packages_apps_Traceur/378475.patch; #P_asb_2023-06 Update Traceur to check admin user status
+wget https://github.com/LineageOS/android_packages_apps_Traceur/commit/55e506621081e4e092a4434a763561d2a2f0859e.patch -O android_packages_apps_Traceur/378476.patch; #P_asb_2023-06 Add DISALLOW_DEBUGGING_FEATURES check
+wget https://github.com/LineageOS/android_external_freetype/commit/31e8900c4e35a5b82ee19449830c87f8c1593504.patch -O android_external_freetype/361250.patch; #P_asb_2023-07 Cherry-pick two upstream changes
+wget https://github.com/LineageOS/android_system_nfc/commit/6ea4e00c886e05116d1d6058fb4cf40e0ccdb70b.patch -O android_system_nfc/361251.patch; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+wget https://github.com/LineageOS/android_system_bt/commit/c4a3cf60380376537eefcce41eec053677c7732c.patch -O android_system_bt/361252.patch; #P_asb_2023-07 Fix gatt_end_operation buffer overflow
+wget https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/c2ad40e96300f65c3e16b06eccba282003385956.patch -O android_vendor_nxp_opensource_external_libnfc-nci/361253.patch; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+wget https://github.com/LineageOS/android_frameworks_base/commit/c1741be24b21788051c95fafb20f889f15c7b8a8.patch -O android_frameworks_base/361254.patch; #P_asb_2023-07 Sanitize VPN label to prevent HTML injection
+wget https://github.com/LineageOS/android_frameworks_base/commit/63ef19bd0f36f043fa72acbb8484cae2e48a07b1.patch -O android_frameworks_base/361256.patch; #P_asb_2023-07 Import translations. DO NOT MERGE ANYWHERE
+wget https://github.com/LineageOS/android_frameworks_base/commit/626a9919d79ad7584e30496f8b990a1a4e20ec40.patch -O android_frameworks_base/361257.patch; #P_asb_2023-07 Dismiss keyguard when simpin auth'd and...
+wget https://github.com/LineageOS/android_frameworks_base/commit/cfab4afce18c49c6abe6e25fce9add4b57bb65e4.patch -O android_frameworks_base/361259.patch; #P_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
+wget https://github.com/LineageOS/android_tools_apksig/commit/011adec1a494974102930bf65a8d2fdfa8b375b5.patch -O android_tools_apksig/361280.patch; #P_asb_2023-07 Create source stamp verifier
+wget https://github.com/LineageOS/android_tools_apksig/commit/9a80527425030dae7f962ab95eda500a720cde47.patch -O android_tools_apksig/361281.patch; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+wget https://github.com/LineageOS/android_frameworks_base/commit/3f7975447006b2246dd1b8722064ca26e40aae25.patch -O android_frameworks_base/361258.patch; #P_asb_2023-07 Truncate ShortcutInfo Id
+wget https://github.com/LineageOS/android_frameworks_base/commit/68f08d51b66b8336aeec2e01bcfa72ae5fbfb81d.patch -O android_frameworks_base/361255.patch; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+wget https://github.com/LineageOS/android_external_aac/commit/c263e21d9cd270283c0fabddeb710798b6fe56aa.patch -O android_external_aac/364605.patch; #P_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().
+wget https://github.com/LineageOS/android_external_freetype/commit/ef28d3d7460a814efef8174c44fde7aab4341db5.patch -O android_external_freetype/364606.patch; #P_asb_2023-08 Cherrypick following three changes
+wget https://github.com/LineageOS/android_frameworks_base/commit/6adafe39c32f8236e18c57bc834caa88a09ad8cc.patch -O android_frameworks_base/364608.patch; #P_asb_2023-08 Verify URI permissions for notification shortcutIcon.
+wget https://github.com/LineageOS/android_frameworks_base/commit/0b2c705c891a44ac854cb5ec123fb869669ae5fe.patch -O android_frameworks_base/364609.patch; #P_asb_2023-08 On device lockdown, always show the keyguard
+wget https://github.com/LineageOS/android_frameworks_base/commit/84be6e930a60f855a318c41a446b92849b50087a.patch -O android_frameworks_base/364610.patch; #P_asb_2023-08 Ensure policy has no absurdly long strings
+wget https://github.com/LineageOS/android_frameworks_base/commit/aa0fb47602bd6bc95404d5a5468ba4db577c418f.patch -O android_frameworks_base/364611.patch; #P_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd.
+wget https://github.com/LineageOS/android_frameworks_base/commit/42d2f7a7ac4004754050ddd53f2e5b626ae28c02.patch -O android_frameworks_base/364612.patch; #P_asb_2023-08 Check URIs in notification public version.
+wget https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/8e5a42af29838bd09b62ec199d744c4592258eeb.patch -O android_packages_providers_TelephonyProvider/364616.patch; #P_asb_2023-08 Update file permissions using canonical path
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/6428c62b978aefd829bf4e91493a356c3675e5c0.patch -O android_packages_services_Telecomm/364617.patch; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+wget https://github.com/LineageOS/android_system_ca-certificates/commit/4c6994b1a05d435e40947a7315aae1a128984957.patch -O android_system_ca-certificates/365328.patch; #P_asb_2023-08 Drop TrustCor certificates
+wget https://github.com/LineageOS/android_frameworks_base/commit/19dc7642fe849e85abe886b9340b5dda52e21885.patch -O android_frameworks_base/364607.patch; #P_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only
+wget https://github.com/LineageOS/android_frameworks_base/commit/1537cadd2966e0ea2d188cd3e96af6287bb473c6.patch -O android_frameworks_base/364613.patch; #P_asb_2023-08 Verify URI permissions in MediaMetadata
+wget https://github.com/LineageOS/android_frameworks_base/commit/507937f96405b8530f24c7625b5f5f18f7a0df55.patch -O android_frameworks_base/364614.patch; #P_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
+wget https://github.com/LineageOS/android_frameworks_base/commit/2e64cb078e9e11e8310c0b589a6edd429b9c2f16.patch -O android_frameworks_base/364615.patch; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+wget https://github.com/LineageOS/android_frameworks_av/commit/7e0adcb2073a2549aa901ecc40de254202a1eded.patch -O android_frameworks_av/366126.patch; #P_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
+wget https://github.com/LineageOS/android_frameworks_base/commit/383b016298865df13c1d1ead7049a9c0a73cb973.patch -O android_frameworks_base/366127.patch; #P_asb_2023-09 Forbid granting access to NLSes with too-long component names
+wget https://github.com/LineageOS/android_frameworks_native/commit/4d3c579105e1a98abc2868723928dea280a93076.patch -O android_frameworks_native/366129.patch; #P_asb_2023-09 Allow sensors list to be empty
+wget https://github.com/LineageOS/android_packages_services_Telephony/commit/114c9d5475962cd63ebf8f246c2c2f4a9c7fddf1.patch -O android_packages_services_Telephony/366130.patch; #P_asb_2023-09 Fixed leak of cross user data in multiple settings.
+wget https://github.com/LineageOS/android_system_bt/commit/f9ba876145b612b684f5b966ab524d7b5b7a783c.patch -O android_system_bt/366131.patch; #P_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
+wget https://github.com/LineageOS/android_system_bt/commit/862350fa3b8fc51bcdd8331352f28cd6cac4bf1d.patch -O android_system_bt/366132.patch; #P_asb_2023-09 Fix integer overflow in build_read_multi_rsp
+wget https://github.com/LineageOS/android_system_bt/commit/db6c02ecbc377437585b56c310e2847661dd557c.patch -O android_system_bt/366133.patch; #P_asb_2023-09 Fix potential abort in btu_av_act.cc
+wget https://github.com/LineageOS/android_system_bt/commit/9b06f046f58bd82f9df6592c1a45ade8075608f9.patch -O android_system_bt/366134.patch; #P_asb_2023-09 Fix reliable write.
+wget https://github.com/LineageOS/android_system_bt/commit/9ac8d616f369513b0ef4f466eded252a4511898d.patch -O android_system_bt/366135.patch; #P_asb_2023-09 Fix UAF in gatt_cl.cc
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/acfa0cd4e0551d07fab0511cfb84462e70a48b53.patch -O android_packages_apps_Settings/366136.patch; #P_asb_2023-09 Prevent non-system IME from becoming device admin
+wget https://github.com/LineageOS/android_packages_apps_Trebuchet/commit/0c9ab1418476b9aab2830f5b3f9d4ee7be3714fd.patch -O android_packages_apps_Trebuchet/366137.patch; #P_asb_2023-09 Fix permission issue in legacy shortcut
+wget https://github.com/LineageOS/android_frameworks_base/commit/3f429c322504732c25e1d92bd57fecdd8a7e5d5b.patch -O android_frameworks_base/366128.patch; #P_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
+wget https://github.com/LineageOS/android_frameworks_base/commit/8489bb9206314ce3be439f374704204626bd40ca.patch -O android_frameworks_base/370695.patch; #P_asb_2023-10 Verify URI Permissions in Autofill RemoteViews
+wget https://github.com/LineageOS/android_frameworks_base/commit/aecf51e67aa3b540f86d12164be8d66e12ca47f2.patch -O android_frameworks_base/370697.patch; #P_asb_2023-10 Disallow loading icon from content URI to PipMenu
+wget https://github.com/LineageOS/android_frameworks_base/commit/71c5804bc372c58c4f7a1b01905618cb5edb2dda.patch -O android_frameworks_base/370699.patch; #P_asb_2023-10 Revert "Dismiss keyguard when simpin auth'd and..."
+wget https://github.com/LineageOS/android_packages_apps_Settings/commit/e7401f49ebfc563aa5fcd9aaa9981a235557d1b4.patch -O android_packages_apps_Settings/370700.patch; #P_asb_2023-10 Restrict ApnEditor settings
+wget https://github.com/LineageOS/android_external_libxml2/commit/2bd551871a645e43a75ce6065598d22b89b80a21.patch -O android_external_libxml2/370701.patch; #P_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter
+wget https://github.com/LineageOS/android_frameworks_base/commit/ae25f45e664b47e74fc9d73bc1b4292e6721dd7a.patch -O android_frameworks_base/370693.patch; #P_asb_2023-10 RingtoneManager: verify default ringtone is audio
+wget https://github.com/LineageOS/android_frameworks_base/commit/7adb3e0e1d591aeabccc5edfa624a591a3428a3d.patch -O android_frameworks_base/370694.patch; #P_asb_2023-10 Do not share key mappings with JNI object
+wget https://github.com/LineageOS/android_frameworks_base/commit/0fb320aef79861cb612fcd48585571f1715616fe.patch -O android_frameworks_base/370696.patch; #P_asb_2023-10 Fix KCM key mapping cloning
+wget https://github.com/LineageOS/android_frameworks_base/commit/48e0cbe76661b6b4c8edb2950a572694947b5641.patch -O android_frameworks_base/370698.patch; #P_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
+wget https://github.com/LineageOS/android_system_ca-certificates/commit/6f06eccd9ef3d37a2d9d52d1c925c3e71f525b14.patch -O android_system_ca-certificates/374916.patch; #P_asb_2023-11 Remove E-Tugra certificates.
+wget https://github.com/LineageOS/android_packages_services_BuiltInPrintService/commit/4302a583e82fa5bd76315077688818e53df98f20.patch -O android_packages_services_BuiltInPrintService/374919.patch; #P_asb_2023-11 Adjust APIs for CUPS 2.3.3
+wget https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/3d07f3a1821c0953d156206e288bb484a0c0f399.patch -O android_packages_providers_TelephonyProvider/374920.patch; #P_asb_2023-11 Block access to sms/mms db from work profile.
+wget https://github.com/LineageOS/android_frameworks_base/commit/e696b2932c41ab89f4910abc5a626c8e9b8d8543.patch -O android_frameworks_base/374921.patch; #P_asb_2023-11 Fix BAL via notification.publicVersion
+wget https://github.com/LineageOS/android_frameworks_av/commit/62ae30fad8c644b492393eb8c1eec2867cc73b07.patch -O android_frameworks_av/374924.patch; #P_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
+wget https://github.com/LineageOS/android_external_libcups/commit/383806fb90e7246d31241ab11332f3c0172e2f17.patch -O android_external_libcups/374932.patch; #P_asb_2023-11 Upgrade libcups to v2.3.1
+wget https://github.com/LineageOS/android_external_libcups/commit/af78634c7babca00f4a5b1650b817b36be4e94dd.patch -O android_external_libcups/374933.patch; #P_asb_2023-11 Upgrade libcups to v2.3.3
+wget https://github.com/LineageOS/android_frameworks_base/commit/1c5bf358397ad6a337d375fbc8dba4d98a50eca8.patch -O android_frameworks_base/374922.patch; #P_asb_2023-11 Use type safe API of readParcelableArray
+wget https://github.com/LineageOS/android_frameworks_base/commit/64de82f91e01d8d7d4224c737efe915397a904d2.patch -O android_frameworks_base/374923.patch; #P_asb_2023-11 [SettingsProvider] verify ringtone URI before setting
+wget https://github.com/LineageOS/android_frameworks_av/commit/5e50aa57f52b08f4cb07a6a3f98698f2077a9cbf.patch -O android_frameworks_av/377765.patch; #P_asb_2023-12 httplive: fix use-after-free
+wget https://github.com/LineageOS/android_frameworks_base/commit/73913dfae62f0c93147896ab07232417cff467ee.patch -O android_frameworks_base/377766.patch; #P_asb_2023-12 Visit Uris added by WearableExtender
+wget https://github.com/LineageOS/android_frameworks_base/commit/ac1ed7557b197952a6e00eb36da31e79d7bf78a4.patch -O android_frameworks_base/377769.patch; #P_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
+wget https://github.com/LineageOS/android_frameworks_base/commit/4ca5de2bda12925a28a59a1dffaccba045b0f9cb.patch -O android_frameworks_base/377771.patch; #P_asb_2023-12 Revert "On device lockdown, always show the keyguard"
+wget https://github.com/LineageOS/android_frameworks_base/commit/059ed6a3d856caee5896d94d9ea26f90c6117c93.patch -O android_frameworks_base/377773.patch; #P_asb_2023-12 Updated: always show the keyguard on device lockdown
+wget https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/3b53fae30442369bda8cd858f5b0ac697b9cd4ec.patch -O android_packages_apps_Bluetooth/377774.patch; #P_asb_2023-12 Fix UAF in ~CallbackEnv
+wget https://github.com/LineageOS/android_packages_apps_Trebuchet/commit/02e99b157f05f8fbabb9c2457e387842ccad0bed.patch -O android_packages_apps_Trebuchet/377775.patch; #P_asb_2023-12 Fix permission bypass in legacy shortcut
+wget https://github.com/LineageOS/android_packages_services_Telecomm/commit/7ef90cb74da31eb165fc624f479b02cf6df2ebda.patch -O android_packages_services_Telecomm/377776.patch; #P_asb_2023-12 Resolve account image icon profile boundary exploit.
+wget https://github.com/LineageOS/android_system_bt/commit/26fe8da32584d6f639124e3ca8a7cbdbe5c60d89.patch -O android_system_bt/377777.patch; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+wget https://github.com/LineageOS/android_system_bt/commit/6b208d0624e05bb96bffbca43e18a03dc37d21dd.patch -O android_system_bt/377778.patch; #P_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+wget https://github.com/LineageOS/android_system_bt/commit/66a09ccfd76de30e03a843df140d7851be013052.patch -O android_system_bt/377779.patch; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
+wget https://github.com/LineageOS/android_system_bt/commit/95161565e5bf426333102097a92a8f654c10e74a.patch -O android_system_bt/377780.patch; #P_asb_2023-12 Reorganize the code for checking auth requirement
+wget https://github.com/LineageOS/android_system_bt/commit/037c9934224eabab778ee4cc197a46b64396633c.patch -O android_system_bt/377781.patch; #P_asb_2023-12Enforce authentication if encryption is required
+wget https://github.com/LineageOS/android_system_bt/commit/80a300fa626f6c5e8e7a595469f09adc307aee40.patch -O android_system_bt/377782.patch; #P_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
+wget https://github.com/LineageOS/android_frameworks_base/commit/c78cee7f1c921860ac3253812548f46663383a37.patch -O android_frameworks_base/377767.patch; #P_asb_2023-12 Drop invalid data.
+wget https://github.com/LineageOS/android_frameworks_base/commit/c58b86b918ab7085f17215883cc110ca3362235f.patch -O android_frameworks_base/377768.patch; #P_asb_2023-12 Require permission to unlock keyguard
+wget https://github.com/LineageOS/android_frameworks_base/commit/b18f4518109c2f7a4c936321db87f5245b3143f3.patch -O android_frameworks_base/377770.patch; #P_asb_2023-12 Validate userId when publishing shortcuts
+wget https://github.com/LineageOS/android_frameworks_base/commit/98fc501deb893768aeff55006ce445f688a88203.patch -O android_frameworks_base/377772.patch; #P_asb_2023-12 Adding in verification of calling UID in onShellCommand
+wget https://github.com/LineageOS/android_system_netd/commit/02458b0a19ce2d3214a00f9779bd36868541b7ca.patch -O android_system_netd/378480.patch; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
+wget https://github.com/LineageOS/android_frameworks_av/commit/978191d5fc0ede5bc11b8af2cfa2469a30ad919d.patch -O android_frameworks_av/379788.patch; #P_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
+wget https://github.com/LineageOS/android_frameworks_base/commit/44ce07024742aaae46a7191cd15e5ac68d209049.patch -O android_frameworks_base/379789.patch; #P_asb_2024-01 Dismiss keyguard when simpin auth'd and...
+wget https://github.com/LineageOS/android_frameworks_base/commit/63e443bfb107da3df0e37863e34c4b947052a6c1.patch -O android_frameworks_base/379790.patch; #P_asb_2024-01 Ensure finish lockscreen when usersetup incomplete
+wget https://github.com/LineageOS/android_frameworks_base/commit/70f50825ec98cd35d38e45eea69aa7ed8f51556a.patch -O android_frameworks_base/379791.patch; #P_asb_2024-01 Truncate user data to a limit of 500 characters
+wget https://github.com/LineageOS/android_frameworks_base/commit/9001132c18c0eb2a6478939e1bdbbe6778af1ae3.patch -O android_frameworks_base/379792.patch; #P_asb_2024-01 Validate component name length before requesting notification access.
+wget https://github.com/LineageOS/android_frameworks_base/commit/1cf5c05eaaff574e8dceb0c1a75ad02d0c669891.patch -O android_frameworks_base/379793.patch; #P_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
+wget https://github.com/LineageOS/android_frameworks_base/commit/5948fb2aef0547db38f2f9df47b6fad736ba72b0.patch -O android_frameworks_base/379794.patch; #P_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
+wget https://github.com/LineageOS/android_system_bt/commit/e65eb2fdab8644f2e7885a628f6af9244ceed813.patch -O android_system_bt/379796.patch; #P_asb_2024-01 Fix some OOB errors in BTM parsing
+wget https://github.com/LineageOS/android_frameworks_base/commit/309033664a4fbb6200b3fe48d33e8f63becee810.patch -O android_frameworks_base/379980.patch; #P_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
+wget https://github.com/LineageOS/android_frameworks_av/commit/a42e0fc335d448e646309745a8d412d984748479.patch -O android_frameworks_av/383562.patch; #P_asb_2024-02 Update mtp packet buffer
+wget https://github.com/LineageOS/android_frameworks_base/commit/6f5e6f86263c3db753c6d58f516070a45e30b619.patch -O android_frameworks_base/383563.patch; #P_asb_2024-02 Unbind TileService onNullBinding
+wget https://github.com/LineageOS/android_system_bt/commit/14e35c7cf40595a6b1ff1d2e92f8b53fb356b3dc.patch -O android_system_bt/383565.patch; #P_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+wget https://github.com/LineageOS/android_system_bt/commit/37ce9a968b579a87640d40e50ec91abe04101f3c.patch -O android_system_bt/383566.patch; #P_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
+wget https://github.com/LineageOS/android_packages_providers_DownloadProvider/commit/d1a6862647428e9c973f4c21adc83656c5ac98f9.patch -O android_packages_providers_DownloadProvider/383567.patch; #P_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations
+wget https://github.com/LineageOS/android_frameworks_av/commit/cc12a31fcbd0deddd5a74b7be121baf835ecf6dc.patch -O android_frameworks_av/385670.patch; #P_asb_2024-03 Validate OMX Params for VPx encoders
+wget https://github.com/LineageOS/android_frameworks_av/commit/ed62ccd9520a671d2fb900d236f5bc5ad16a1e7c.patch -O android_frameworks_av/385671.patch; #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
+wget https://github.com/LineageOS/android_frameworks_base/commit/0254ee96d60cd80a52ce583c90486d6ca1549fb6.patch -O android_frameworks_base/385672.patch; #P_asb_2024-03 Resolve custom printer icon boundary exploit.
+wget https://github.com/LineageOS/android_frameworks_base/commit/3cbbcd611ff83ef7a0f811d04f0478f2760ae891.patch -O android_frameworks_base/385673.patch; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
+wget https://github.com/LineageOS/android_frameworks_base/commit/8befe29745f94a8d80f59f0d644315c5424c8eb6.patch -O android_frameworks_base/385674.patch; #P_asb_2024-03 Close AccountManagerService.session after timeout.
+wget https://github.com/LineageOS/android_system_bt/commit/fbf12851fa55267f8b654f0cd1337f9f98f83c4b.patch -O android_system_bt/385675.patch; #P_asb_2024-03 Fix OOB caused by invalid SMP packet length
+wget https://github.com/LineageOS/android_system_bt/commit/73c18d6ce8333f787a4cedb24d247b071bdbf078.patch -O android_system_bt/385676.patch; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
+wget https://github.com/LineageOS/android_system_bt/commit/42ede61231b6b1a507cbc254827ff10dd5ae8c20.patch -O android_system_bt/385677.patch; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
+wget https://github.com/LineageOS/android_system_bt/commit/3683c921ab4afd4f2f6bef8a49cbfda227ce081f.patch -O android_system_bt/385678.patch; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
+wget https://github.com/LineageOS/android_frameworks_base/commit/e3d632959e2606a909427e4f717cd3a6cc14d4c6.patch -O android_frameworks_base/389269.patch; #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements
+wget https://github.com/LineageOS/android_frameworks_base/commit/1010f9aae741c4b5e8400709a273910b9818f4ba.patch -O android_frameworks_base/389270.patch; #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.

Misc/pick-imports/16-asbs-patch.sh

@@ -0,0 +1,271 @@
+applyPatch "$DOS_PATCHES/android_external_aac/332775.patch"; #P_asb_2022-06 Reject invalid out of band config in transportDec_OutOfBandConfig() and skip re-allocation.
+applyPatch "$DOS_PATCHES/android_external_aac/364605.patch"; #P_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().
+applyPatch "$DOS_PATCHES/android_external_dtc/342096.patch"; #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings
+applyPatch "$DOS_PATCHES/android_external_dtc/344161.patch"; #P_asb_2022-11 Fix integer wrap sanitisation.
+applyPatch "$DOS_PATCHES/android_external_dtc/345891.patch"; #P_asb_2022-12 libfdt: fdt_path_offset_namelen: Reject empty paths
+applyPatch "$DOS_PATCHES/android_external_expat/338353.patch"; #P_asb_2022-09 Prevent integer overflow in copyString
+applyPatch "$DOS_PATCHES/android_external_expat/338354.patch"; #P_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
+applyPatch "$DOS_PATCHES/android_external_expat/338355.patch"; #P_asb_2022-09 Prevent integer overflow in function doProlog
+applyPatch "$DOS_PATCHES/android_external_expat/338356.patch"; #P_asb_2022-09 Prevent more integer overflows
+applyPatch "$DOS_PATCHES/android_external_expat/349328.patch"; #P_asb_2023-02 [CVE-2022-43680] Fix overeager DTD destruction (fixes
+applyPatch "$DOS_PATCHES/android_external_freetype/361250.patch"; #P_asb_2023-07 Cherry-pick two upstream changes
+applyPatch "$DOS_PATCHES/android_external_freetype/364606.patch"; #P_asb_2023-08 Cherrypick following three changes
+applyPatch "$DOS_PATCHES/android_external_libcups/374932.patch"; #P_asb_2023-11 Upgrade libcups to v2.3.1
+applyPatch "$DOS_PATCHES/android_external_libcups/374933.patch"; #P_asb_2023-11 Upgrade libcups to v2.3.3
+applyPatch "$DOS_PATCHES/android_external_libxml2/370701.patch"; #P_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter
+applyPatch "$DOS_PATCHES/android_external_zlib/351909.patch"; #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
+applyPatch "$DOS_PATCHES/android_frameworks_av/344167.patch"; #P_asb_2022-11 setSecurityLevel in clearkey
+applyPatch "$DOS_PATCHES/android_frameworks_av/349329.patch"; #P_asb_2023-02 move MediaCodec metrics processing to looper thread
+applyPatch "$DOS_PATCHES/android_frameworks_av/359729.patch"; #P_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
+applyPatch "$DOS_PATCHES/android_frameworks_av/366126.patch"; #P_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
+applyPatch "$DOS_PATCHES/android_frameworks_av/374924.patch"; #P_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
+applyPatch "$DOS_PATCHES/android_frameworks_av/377765.patch"; #P_asb_2023-12 httplive: fix use-after-free
+applyPatch "$DOS_PATCHES/android_frameworks_av/379788.patch"; #P_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
+applyPatch "$DOS_PATCHES/android_frameworks_av/383562.patch"; #P_asb_2024-02 Update mtp packet buffer
+applyPatch "$DOS_PATCHES/android_frameworks_av/385670.patch"; #P_asb_2024-03 Validate OMX Params for VPx encoders
+applyPatch "$DOS_PATCHES/android_frameworks_av/385671.patch"; #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
+applyPatch "$DOS_PATCHES/android_frameworks_base/330961.patch"; #P_asb_2022-05 Keyguard - Treat messsages to lock with priority
+applyPatch "$DOS_PATCHES/android_frameworks_base/330962.patch"; #P_asb_2022-05 Verify caller before auto granting slice permission
+applyPatch "$DOS_PATCHES/android_frameworks_base/330963.patch"; #P_asb_2022-05 Always restart apps if base.apk gets updated.
+applyPatch "$DOS_PATCHES/android_frameworks_base/332756.patch"; #P_asb_2022-06 Add finalizeWorkProfileProvisioning.
+applyPatch "$DOS_PATCHES/android_frameworks_base/332757.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
+applyPatch "$DOS_PATCHES/android_frameworks_base/332776.patch"; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
+applyPatch "$DOS_PATCHES/android_frameworks_base/332777.patch"; #P_asb_2022-06 Add an OEM configurable limit for zen rules
+applyPatch "$DOS_PATCHES/android_frameworks_base/332778.patch"; #P_asb_2022-06 Fix security hole in GateKeeperResponse
+applyPatch "$DOS_PATCHES/android_frameworks_base/332779.patch"; #P_asb_2022-06 Prevent non-admin users from deleting system apps.
+applyPatch "$DOS_PATCHES/android_frameworks_base/334256.patch"; #P_asb_2022-07 StorageManagerService: don't ignore failures to prepare user storage
+applyPatch "$DOS_PATCHES/android_frameworks_base/334257.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails
+applyPatch "$DOS_PATCHES/android_frameworks_base/334258.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only
+applyPatch "$DOS_PATCHES/android_frameworks_base/334259.patch"; #P_asb_2022-07 Ignore errors preparing user storage for existing users
+applyPatch "$DOS_PATCHES/android_frameworks_base/334260.patch"; #P_asb_2022-07 Log to EventLog on prepareUserStorage failure
+applyPatch "$DOS_PATCHES/android_frameworks_base/334262.patch"; #P_asb_2022-07 Crash invalid FGS notifications
+applyPatch "$DOS_PATCHES/android_frameworks_base/335117.patch"; #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity
+applyPatch "$DOS_PATCHES/android_frameworks_base/335118.patch"; #P_asb_2022-08 Suppress notifications when device enter lockdown
+applyPatch "$DOS_PATCHES/android_frameworks_base/335119.patch"; #P_asb_2022-08 Remove package title from notification access confirmation intent
+applyPatch "$DOS_PATCHES/android_frameworks_base/335120.patch"; #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash
+applyPatch "$DOS_PATCHES/android_frameworks_base/335121.patch"; #P_asb_2022-08 Only allow the system server to connect to sync adapters
+applyPatch "$DOS_PATCHES/android_frameworks_base/338346.patch"; #P_asb_2022-09 Fix duplicate permission privilege escalation
+applyPatch "$DOS_PATCHES/android_frameworks_base/338347.patch"; #P_asb_2022-09 Parcel: recycle recycles
+applyPatch "$DOS_PATCHES/android_frameworks_base/338348.patch"; #P_asb_2022-09 IMMS: Make IMMS PendingIntents immutable
+applyPatch "$DOS_PATCHES/android_frameworks_base/338349.patch"; #P_asb_2022-09 Remove package name from SafetyNet logs
+applyPatch "$DOS_PATCHES/android_frameworks_base/342100.patch"; #P_asb_2022-10 Limit the number of concurrently snoozed notifications
+applyPatch "$DOS_PATCHES/android_frameworks_base/344168.patch"; #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
+applyPatch "$DOS_PATCHES/android_frameworks_base/344169.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+applyPatch "$DOS_PATCHES/android_frameworks_base/344170.patch"; #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo
+applyPatch "$DOS_PATCHES/android_frameworks_base/344171.patch"; #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user.
+applyPatch "$DOS_PATCHES/android_frameworks_base/344172.patch"; #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule
+applyPatch "$DOS_PATCHES/android_frameworks_base/344173.patch"; #P_asb_2022-11 Check permission for VoiceInteraction
+applyPatch "$DOS_PATCHES/android_frameworks_base/344174.patch"; #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock
+applyPatch "$DOS_PATCHES/android_frameworks_base/345892.patch"; #P_asb_2022-12 Revert "Prevent non-admin users from deleting system apps."
+applyPatch "$DOS_PATCHES/android_frameworks_base/345893.patch"; #P_asb_2022-12 Limit the size of NotificationChannel and NotificationChannelGroup
+applyPatch "$DOS_PATCHES/android_frameworks_base/345894.patch"; #P_asb_2022-12 Prevent non-admin users from deleting system apps.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345895.patch"; #P_asb_2022-12 Validate package name passed to setApplicationRestrictions.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345896.patch"; #P_asb_2022-12 Include all enabled services when FEEDBACK_ALL_MASK.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345897.patch"; #P_asb_2022-12 [pm] forbid deletion of protected packages
+applyPatch "$DOS_PATCHES/android_frameworks_base/345898.patch"; #P_asb_2022-12 Fix NPE
+applyPatch "$DOS_PATCHES/android_frameworks_base/345899.patch"; #P_asb_2022-12 Fix a security issue in app widget service.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345900.patch"; #P_asb_2022-12 Ignore malformed shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/345901.patch"; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
+applyPatch "$DOS_PATCHES/android_frameworks_base/345902.patch"; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
+applyPatch "$DOS_PATCHES/android_frameworks_base/347044.patch"; #P_asb_2023-01 Limit lengths of fields in Condition to a max length.
+applyPatch "$DOS_PATCHES/android_frameworks_base/347045.patch"; #P_asb_2023-01 Disable all A11yServices from an uninstalled package.
+applyPatch "$DOS_PATCHES/android_frameworks_base/347046.patch"; #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule
+applyPatch "$DOS_PATCHES/android_frameworks_base/347047.patch"; #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated
+applyPatch "$DOS_PATCHES/android_frameworks_base/347048.patch"; #P_asb_2023-01 Revert "Revert "Validate permission tree size..."
+applyPatch "$DOS_PATCHES/android_frameworks_base/347049.patch"; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
+applyPatch "$DOS_PATCHES/android_frameworks_base/347050.patch"; #P_asb_2023-01 Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23
+applyPatch "$DOS_PATCHES/android_frameworks_base/347051.patch"; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
+applyPatch "$DOS_PATCHES/android_frameworks_base/349330.patch"; #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+applyPatch "$DOS_PATCHES/android_frameworks_base/349331.patch"; #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
+applyPatch "$DOS_PATCHES/android_frameworks_base/351910.patch"; #P_asb_2023-03 Move service initialization
+applyPatch "$DOS_PATCHES/android_frameworks_base/351911.patch"; #P_asb_2023-03 Enable user graularity for lockdown mode
+applyPatch "$DOS_PATCHES/android_frameworks_base/351912.patch"; #P_asb_2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag
+applyPatch "$DOS_PATCHES/android_frameworks_base/351913.patch"; #P_asb_2023-03 Reconcile WorkSource parcel and unparcel code.
+applyPatch "$DOS_PATCHES/android_frameworks_base/354242.patch"; #P_asb_2023-04 Context#startInstrumentation could be started from SHELL only now.
+applyPatch "$DOS_PATCHES/android_frameworks_base/354243.patch"; #P_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver
+applyPatch "$DOS_PATCHES/android_frameworks_base/354244.patch"; #P_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass
+applyPatch "$DOS_PATCHES/android_frameworks_base/354245.patch"; #P_asb_2023-04 Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE
+applyPatch "$DOS_PATCHES/android_frameworks_base/356154.patch"; #P_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
+applyPatch "$DOS_PATCHES/android_frameworks_base/356155.patch"; #P_asb_2023-05 Uri: check authority and scheme as part of determining URI path
+applyPatch "$DOS_PATCHES/android_frameworks_base/356156.patch"; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+applyPatch "$DOS_PATCHES/android_frameworks_base/359730.patch"; #P_asb_2023-06 Check key intent for selectors and prohibited flags
+applyPatch "$DOS_PATCHES/android_frameworks_base/359731.patch"; #P_asb_2023-06 Handle invalid data during job loading.
+applyPatch "$DOS_PATCHES/android_frameworks_base/359732.patch"; #P_asb_2023-06 Allow filtering of services
+applyPatch "$DOS_PATCHES/android_frameworks_base/359733.patch"; #P_asb_2023-06 Prevent RemoteViews crashing SystemUi
+applyPatch "$DOS_PATCHES/android_frameworks_base/361254.patch"; #P_asb_2023-07 Sanitize VPN label to prevent HTML injection
+applyPatch "$DOS_PATCHES/android_frameworks_base/361255.patch"; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+applyPatch "$DOS_PATCHES/android_frameworks_base/361256.patch"; #P_asb_2023-07 Import translations. DO NOT MERGE ANYWHERE
+applyPatch "$DOS_PATCHES/android_frameworks_base/361257.patch"; #P_asb_2023-07 Dismiss keyguard when simpin auth'd and...
+applyPatch "$DOS_PATCHES/android_frameworks_base/361258.patch"; #P_asb_2023-07 Truncate ShortcutInfo Id
+applyPatch "$DOS_PATCHES/android_frameworks_base/361259.patch"; #P_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
+applyPatch "$DOS_PATCHES/android_frameworks_base/364607.patch"; #P_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only
+applyPatch "$DOS_PATCHES/android_frameworks_base/364608.patch"; #P_asb_2023-08 Verify URI permissions for notification shortcutIcon.
+applyPatch "$DOS_PATCHES/android_frameworks_base/364609.patch"; #P_asb_2023-08 On device lockdown, always show the keyguard
+applyPatch "$DOS_PATCHES/android_frameworks_base/364610.patch"; #P_asb_2023-08 Ensure policy has no absurdly long strings
+applyPatch "$DOS_PATCHES/android_frameworks_base/364611.patch"; #P_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd.
+applyPatch "$DOS_PATCHES/android_frameworks_base/364612.patch"; #P_asb_2023-08 Check URIs in notification public version.
+applyPatch "$DOS_PATCHES/android_frameworks_base/364613.patch"; #P_asb_2023-08 Verify URI permissions in MediaMetadata
+applyPatch "$DOS_PATCHES/android_frameworks_base/364614.patch"; #P_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
+applyPatch "$DOS_PATCHES/android_frameworks_base/364615.patch"; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+applyPatch "$DOS_PATCHES/android_frameworks_base/366127.patch"; #P_asb_2023-09 Forbid granting access to NLSes with too-long component names
+applyPatch "$DOS_PATCHES/android_frameworks_base/366128.patch"; #P_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
+applyPatch "$DOS_PATCHES/android_frameworks_base/370693.patch"; #P_asb_2023-10 RingtoneManager: verify default ringtone is audio
+applyPatch "$DOS_PATCHES/android_frameworks_base/370694.patch"; #P_asb_2023-10 Do not share key mappings with JNI object
+applyPatch "$DOS_PATCHES/android_frameworks_base/370695.patch"; #P_asb_2023-10 Verify URI Permissions in Autofill RemoteViews
+applyPatch "$DOS_PATCHES/android_frameworks_base/370696.patch"; #P_asb_2023-10 Fix KCM key mapping cloning
+applyPatch "$DOS_PATCHES/android_frameworks_base/370697.patch"; #P_asb_2023-10 Disallow loading icon from content URI to PipMenu
+applyPatch "$DOS_PATCHES/android_frameworks_base/370698.patch"; #P_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
+applyPatch "$DOS_PATCHES/android_frameworks_base/370699.patch"; #P_asb_2023-10 Revert "Dismiss keyguard when simpin auth'd and..."
+applyPatch "$DOS_PATCHES/android_frameworks_base/374921.patch"; #P_asb_2023-11 Fix BAL via notification.publicVersion
+applyPatch "$DOS_PATCHES/android_frameworks_base/374922.patch"; #P_asb_2023-11 Use type safe API of readParcelableArray
+applyPatch "$DOS_PATCHES/android_frameworks_base/374923.patch"; #P_asb_2023-11 [SettingsProvider] verify ringtone URI before setting
+applyPatch "$DOS_PATCHES/android_frameworks_base/377766.patch"; #P_asb_2023-12 Visit Uris added by WearableExtender
+applyPatch "$DOS_PATCHES/android_frameworks_base/377767.patch"; #P_asb_2023-12 Drop invalid data.
+applyPatch "$DOS_PATCHES/android_frameworks_base/377768.patch"; #P_asb_2023-12 Require permission to unlock keyguard
+applyPatch "$DOS_PATCHES/android_frameworks_base/377769.patch"; #P_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
+applyPatch "$DOS_PATCHES/android_frameworks_base/377770.patch"; #P_asb_2023-12 Validate userId when publishing shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/377771.patch"; #P_asb_2023-12 Revert "On device lockdown, always show the keyguard"
+applyPatch "$DOS_PATCHES/android_frameworks_base/377772.patch"; #P_asb_2023-12 Adding in verification of calling UID in onShellCommand
+applyPatch "$DOS_PATCHES/android_frameworks_base/377773.patch"; #P_asb_2023-12 Updated: always show the keyguard on device lockdown
+applyPatch "$DOS_PATCHES/android_frameworks_base/379789.patch"; #P_asb_2024-01 Dismiss keyguard when simpin auth'd and...
+applyPatch "$DOS_PATCHES/android_frameworks_base/379790.patch"; #P_asb_2024-01 Ensure finish lockscreen when usersetup incomplete
+applyPatch "$DOS_PATCHES/android_frameworks_base/379791.patch"; #P_asb_2024-01 Truncate user data to a limit of 500 characters
+applyPatch "$DOS_PATCHES/android_frameworks_base/379792.patch"; #P_asb_2024-01 Validate component name length before requesting notification access.
+applyPatch "$DOS_PATCHES/android_frameworks_base/379793.patch"; #P_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
+applyPatch "$DOS_PATCHES/android_frameworks_base/379794.patch"; #P_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
+applyPatch "$DOS_PATCHES/android_frameworks_base/379980.patch"; #P_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
+applyPatch "$DOS_PATCHES/android_frameworks_base/383563.patch"; #P_asb_2024-02 Unbind TileService onNullBinding
+applyPatch "$DOS_PATCHES/android_frameworks_base/385672.patch"; #P_asb_2024-03 Resolve custom printer icon boundary exploit.
+applyPatch "$DOS_PATCHES/android_frameworks_base/385673.patch"; #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
+applyPatch "$DOS_PATCHES/android_frameworks_base/385674.patch"; #P_asb_2024-03 Close AccountManagerService.session after timeout.
+applyPatch "$DOS_PATCHES/android_frameworks_base/389269.patch"; #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements
+applyPatch "$DOS_PATCHES/android_frameworks_base/389270.patch"; #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345903.patch"; #P_asb_2022-12 Fix OOB read for registerLocaleList
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345904.patch"; #P_asb_2022-12 Fix OOB crash for registerLocaleList
+applyPatch "$DOS_PATCHES/android_frameworks_native/356151.patch"; #P_asb_2023-05 Check for malformed Sensor Flattenable
+applyPatch "$DOS_PATCHES/android_frameworks_native/356152.patch"; #P_asb_2023-05 Remove some new memory leaks from SensorManager
+applyPatch "$DOS_PATCHES/android_frameworks_native/356153.patch"; #P_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
+applyPatch "$DOS_PATCHES/android_frameworks_native/366129.patch"; #P_asb_2023-09 Allow sensors list to be empty
+applyPatch "$DOS_PATCHES/android_frameworks_opt_telephony/334263.patch"; #P_asb_2022-07 Enforce privileged phone state for getSubscriptionProperty(GROUP_UUID)
+applyPatch "$DOS_PATCHES/android_hardware_nxp_nfc/344180.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/349332.patch"; #P_asb_2023-02 Fix OPP comparison
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/377774.patch"; #P_asb_2023-12 Fix UAF in ~CallbackEnv
+applyPatch "$DOS_PATCHES/android_packages_apps_Contacts/332760.patch"; #P_asb_2022-06 No longer export CallSubjectDialog
+applyPatch "$DOS_PATCHES/android_packages_apps_Dialer/332761.patch"; #P_asb_2022-06 No longer export CallSubjectDialog
+applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/342101.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/345908.patch"; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/345909.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+applyPatch "$DOS_PATCHES/android_packages_apps_EmergencyInfo/349333.patch"; #P_asb_2023-02 Removes unnecessary permission from the EmergencyInfo app.
+applyPatch "$DOS_PATCHES/android_packages_apps_KeyChain/334264.patch"; #P_asb_2022-07 Encode authority part of uri before showing in UI
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332762.patch"; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/347043.patch"; #P_asb_2023-01 OOBW in Mfc_Transceive()
+applyPatch "$DOS_PATCHES/android_packages_apps_PackageInstaller/344181.patch"; #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/330960.patch"; #P_asb_2022-05 Hide private DNS settings UI in Guest mode
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/332763.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334265.patch"; #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335111.patch"; #P_asb_2022-08 Verify ringtone from ringtone picker is audio
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335112.patch"; #P_asb_2022-08 Make bluetooth not discoverable via SliceDeepLinkTrampoline
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335113.patch"; #P_asb_2022-08 Fix: policy enforcement for location wifi scanning
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335114.patch"; #P_asb_2022-08 Fix Settings crash when setting a null ringtone
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_2022-08 Fix can't change notification sound for work profile.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345910.patch"; #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914.patch"; #P_asb_2023-03 FRP bypass defense in the settings app
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351915.patch"; #P_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/359734.patch"; #P_asb_2023-06 Convert argument to intent in AddAccountSettings.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/366136.patch"; #P_asb_2023-09 Prevent non-system IME from becoming device admin
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/370700.patch"; #P_asb_2023-10 Restrict ApnEditor settings
+applyPatch "$DOS_PATCHES/android_packages_apps_Traceur/378475.patch"; #P_asb_2023-06 Update Traceur to check admin user status
+applyPatch "$DOS_PATCHES/android_packages_apps_Traceur/378476.patch"; #P_asb_2023-06 Add DISALLOW_DEBUGGING_FEATURES check
+applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/366137.patch"; #P_asb_2023-09 Fix permission issue in legacy shortcut
+applyPatch "$DOS_PATCHES/android_packages_apps_Trebuchet/377775.patch"; #P_asb_2023-12 Fix permission bypass in legacy shortcut
+applyPatch "$DOS_PATCHES/android_packages_apps_TvSettings/359735.patch"; #P_asb_2023-06 Convert argument to intent in addAccount TvSettings.
+applyPatch "$DOS_PATCHES/android_packages_providers_ContactsProvider/335110.patch"; #P_asb_2022-08 enforce stricter CallLogProvider query
+applyPatch "$DOS_PATCHES/android_packages_providers_DownloadProvider/383567.patch"; #P_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/344182.patch"; #P_asb_2022-11 Check dir path before updating permissions.
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/364616.patch"; #P_asb_2023-08 Update file permissions using canonical path
+applyPatch "$DOS_PATCHES/android_packages_providers_TelephonyProvider/374920.patch"; #P_asb_2023-11 Block access to sms/mms db from work profile.
+applyPatch "$DOS_PATCHES/android_packages_services_BuiltInPrintService/374919.patch"; #P_asb_2023-11 Adjust APIs for CUPS 2.3.3
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/330959.patch"; #P_asb_2022-05 Handle null bindings returned from ConnectionService.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_asb_2023-01 Fix security vulnerability when register phone accounts.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/356150.patch"; #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364617.patch"; #P_asb_2023-08 Resolve StatusHints image exploit across user.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377776.patch"; #P_asb_2023-12 Resolve account image icon profile boundary exploit.
+applyPatch "$DOS_PATCHES/android_packages_services_Telephony/347041.patch"; #P_asb_2023-01 prevent overlays on the phone settings
+applyPatch "$DOS_PATCHES/android_packages_services_Telephony/366130.patch"; #P_asb_2023-09 Fixed leak of cross user data in multiple settings.
+applyPatch "$DOS_PATCHES/android_system_bt/334266.patch"; #P_asb_2022-07 Security: Fix out of bound write in HFP client
+applyPatch "$DOS_PATCHES/android_system_bt/334267.patch"; #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
+applyPatch "$DOS_PATCHES/android_system_bt/334268.patch"; #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
+applyPatch "$DOS_PATCHES/android_system_bt/335109.patch"; #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
+applyPatch "$DOS_PATCHES/android_system_bt/338350.patch"; #P_asb_2022-09 Fix OOB in bnep_is_packet_allowed
+applyPatch "$DOS_PATCHES/android_system_bt/338351.patch"; #P_asb_2022-09 Fix OOB in BNEP_Write
+applyPatch "$DOS_PATCHES/android_system_bt/338352.patch"; #P_asb_2022-09 Fix OOB in reassemble_and_dispatch
+applyPatch "$DOS_PATCHES/android_system_bt/342097.patch"; #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
+applyPatch "$DOS_PATCHES/android_system_bt/344184.patch"; #P_asb_2022-11 Add negative length check in process_service_search_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/344185.patch"; #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345914.patch"; #P_asb_2022-12 Add length check when copy AVDTP packet
+applyPatch "$DOS_PATCHES/android_system_bt/345915.patch"; #P_asb_2022-12 Added max buffer length check
+applyPatch "$DOS_PATCHES/android_system_bt/345916.patch"; #P_asb_2022-12 Add missing increment in bnep_api.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345917.patch"; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
+applyPatch "$DOS_PATCHES/android_system_bt/345918.patch"; #P_asb_2022-12 Fix integer overflow when parsing avrc response
+applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 BT: Once AT command is retrieved, return from method.
+applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
+applyPatch "$DOS_PATCHES/android_system_bt/349334.patch"; #P_asb_2023-02 Report failure when not able to connect to AVRCP
+applyPatch "$DOS_PATCHES/android_system_bt/349335.patch"; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/351916.patch"; #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+applyPatch "$DOS_PATCHES/android_system_bt/351917.patch"; #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+applyPatch "$DOS_PATCHES/android_system_bt/351918.patch"; #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
+applyPatch "$DOS_PATCHES/android_system_bt/354246.patch"; #P_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
+applyPatch "$DOS_PATCHES/android_system_bt/354247.patch"; #P_asb_2023-04 Fix an OOB bug in register_notification_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/359736.patch"; #P_asb_2023-06 Prevent use-after-free of HID reports
+applyPatch "$DOS_PATCHES/android_system_bt/359737.patch"; #P_asb_2023-06 Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""
+applyPatch "$DOS_PATCHES/android_system_bt/359738.patch"; #P_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
+applyPatch "$DOS_PATCHES/android_system_bt/361252.patch"; #P_asb_2023-07 Fix gatt_end_operation buffer overflow
+applyPatch "$DOS_PATCHES/android_system_bt/366131.patch"; #P_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
+applyPatch "$DOS_PATCHES/android_system_bt/366132.patch"; #P_asb_2023-09 Fix integer overflow in build_read_multi_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/366133.patch"; #P_asb_2023-09 Fix potential abort in btu_av_act.cc
+applyPatch "$DOS_PATCHES/android_system_bt/366134.patch"; #P_asb_2023-09 Fix reliable write.
+applyPatch "$DOS_PATCHES/android_system_bt/366135.patch"; #P_asb_2023-09 Fix UAF in gatt_cl.cc
+applyPatch "$DOS_PATCHES/android_system_bt/377777.patch"; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+applyPatch "$DOS_PATCHES/android_system_bt/377778.patch"; #P_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+applyPatch "$DOS_PATCHES/android_system_bt/377779.patch"; #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
+applyPatch "$DOS_PATCHES/android_system_bt/377780.patch"; #P_asb_2023-12 Reorganize the code for checking auth requirement
+applyPatch "$DOS_PATCHES/android_system_bt/377781.patch"; #P_asb_2023-12Enforce authentication if encryption is required
+applyPatch "$DOS_PATCHES/android_system_bt/377782.patch"; #P_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
+applyPatch "$DOS_PATCHES/android_system_bt/379796.patch"; #P_asb_2024-01 Fix some OOB errors in BTM parsing
+applyPatch "$DOS_PATCHES/android_system_bt/383565.patch"; #P_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/383566.patch"; #P_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/385675.patch"; #P_asb_2024-03 Fix OOB caused by invalid SMP packet length
+applyPatch "$DOS_PATCHES/android_system_bt/385676.patch"; #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
+applyPatch "$DOS_PATCHES/android_system_bt/385677.patch"; #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
+applyPatch "$DOS_PATCHES/android_system_bt/385678.patch"; #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
+applyPatch "$DOS_PATCHES/android_system_ca-certificates/365328.patch"; #P_asb_2023-08 Drop TrustCor certificates
+applyPatch "$DOS_PATCHES/android_system_ca-certificates/374916.patch"; #P_asb_2023-11 Remove E-Tugra certificates.
+applyPatch "$DOS_PATCHES/android_system_core/332765.patch"; #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
+applyPatch "$DOS_PATCHES/android_system_netd/378480.patch"; #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
+applyPatch "$DOS_PATCHES/android_system_nfc/332766.patch"; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+applyPatch "$DOS_PATCHES/android_system_nfc/332767.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_system_nfc/332768.patch"; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+applyPatch "$DOS_PATCHES/android_system_nfc/342098.patch"; #P_asb_2022-10 The length of a packet should be non-zero
+applyPatch "$DOS_PATCHES/android_system_nfc/354248.patch"; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+applyPatch "$DOS_PATCHES/android_system_nfc/361251.patch"; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+applyPatch "$DOS_PATCHES/android_tools_apksig/361280.patch"; #P_asb_2023-07 Create source stamp verifier
+applyPatch "$DOS_PATCHES/android_tools_apksig/361281.patch"; #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332769.patch"; #P_asb_2022-06 Prevent OOB write in nfc_ncif_proc_ee_discover_req
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332770.patch"; #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332771.patch"; #P_asb_2022-06 Double Free in ce_t4t_data_cback
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332772.patch"; #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/342099.patch"; #P_asb_2022-10 The length of a packet should be non-zero
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/354249.patch"; #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/361253.patch"; #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_halimpl/344190.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/332773.patch"; #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/349336.patch"; #P_asb_2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr

Misc/pick-imports/16-asbs.txt

@@ -0,0 +1,438 @@
+https://github.com/LineageOS/android_frameworks_base/commit/ea52854b208d2a8e367c65068edbdff741b9eb80 330961 #P_asb_2022-05 Keyguard - Treat messsages to lock with priority
+https://github.com/LineageOS/android_frameworks_base/commit/6bc4a89b9680b780768ee2b92a01f979b708c00b 330962 #P_asb_2022-05 Verify caller before auto granting slice permission
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/e298920fbeb8714698c6e96beaff71383640878b 330959 #P_asb_2022-05 Handle null bindings returned from ConnectionService.
+https://github.com/LineageOS/android_packages_apps_Settings/commit/cfe47c5ab58c17fe9e2b580874878347461d8695 330960 #P_asb_2022-05 Hide private DNS settings UI in Guest mode
+https://github.com/LineageOS/android_frameworks_base/commit/a1c1383a08e17e14273e0f2e7d1c250fb4e3b7f2 330963 #P_asb_2022-05 Always restart apps if base.apk gets updated.
+
+
+
+
+https://github.com/LineageOS/android_external_aac/commit/e40800a613eb89b5b4c701774c3cecc1c2b7dd6c 332775 #P_asb_2022-06 Reject invalid out of band config in transportDec_OutOfBandConfig() and skip re-allocation.
+https://github.com/LineageOS/android_frameworks_base/commit/4005549db2fa7e1524fc0dbbe22c774fb00b6cb3 332779 #P_asb_2022-06 Prevent non-admin users from deleting system apps.
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/526bbbb30625c4b2728d4c461137413dbd1a96f6 332764 #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
+https://github.com/LineageOS/android_system_core/commit/976019d07ad1c007043b78450857f428a1440f06 332765 #P_asb_2022-06 Backport of Win-specific suppression of potentially rogue construct that can engage in directory traversal on the host.
+https://github.com/LineageOS/android_frameworks_base/commit/c8da70733ac6be9b209b27b8bd72f9b0f0a2ee44 332778 #P_asb_2022-06 Fix security hole in GateKeeperResponse
+https://github.com/LineageOS/android_frameworks_base/commit/e7f0f7bac948a3deb2ef9139ef4fd9ad9eb1215a 332777 #P_asb_2022-06 Add an OEM configurable limit for zen rules
+https://github.com/LineageOS/android_frameworks_base/commit/c6a97af0e9b22c303d13ad573e96eb4b06c0bfa3 332776 #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
+https://github.com/LineageOS/android_frameworks_base/commit/76c531e222779ae68047010f42f7a36100010f4c 332757 #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
+https://github.com/LineageOS/android_frameworks_base/commit/258ab4cfd77e49b087f4b3333c21ecb23d4c2a9f 332756 #P_asb_2022-06 Add finalizeWorkProfileProvisioning.
+https://github.com/LineageOS/android_packages_apps_Nfc/commit/d7722eaa4defeaea88dce9f3c644e038af3f637d 332762 #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+https://github.com/LineageOS/android_packages_apps_Settings/commit/ecf8fd5a9aa4976ace98fe9a4986f1de3ff77c1d 332763 #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+https://github.com/LineageOS/android_packages_apps_Dialer/commit/71701cfc7511cd3ad2e8a0f0f12dd78ea8db2517 332761 #P_asb_2022-06 No longer export CallSubjectDialog
+https://github.com/LineageOS/android_packages_apps_Contacts/commit/5055718d99866a7783cf72199b3f385e68bc7a53 332760 #P_asb_2022-06 No longer export CallSubjectDialog
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/6ff1c1f2e637e0dc3fc803f8028c7b89bae74937 332759 #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/eb31965a73439dc8638d03b23f4648774a05df57 332758 #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
+https://github.com/LineageOS/android_vendor_nxp_opensource_packages_apps_Nfc/commit/08fbee6160c576d2d9feff91af2ed3ce0bff2cb7 332773 #P_asb_2022-06 OOB read in phNciNfc_RecvMfResp()
+https://github.com/LineageOS/android_system_nfc/commit/318f09ce7e384809e3ab68c0294be96da6bf5141 332766 #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+https://github.com/LineageOS/android_system_nfc/commit/af0a965cd72fa6cab442fc46068fe4e556ca14c3 332767 #P_asb_2022-06 Double Free in ce_t4t_data_cback
+https://github.com/LineageOS/android_system_nfc/commit/09dd85730f6c7ea4e2da2a9bf51de5d45a3b1061 332768 #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/a6c1507a0fa5a844514ecae89d0758ccb8724585 332769 #P_asb_2022-06 Prevent OOB write in nfc_ncif_proc_ee_discover_req
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/9dd0310855fa8889217e4e077bcfc7822abdbdc2 332770 #P_asb_2022-06 Out of Bounds Read in nfa_dm_check_set_config
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/84a8c1e3350174c25da59c7c6479b0dca37df111 332771 #P_asb_2022-06 Double Free in ce_t4t_data_cback
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/d5b6e36b4d5585d3e003d16ba6aa73929ae7255d 332772 #P_asb_2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
+https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/82c9270c2cf11b9a2ac4b5942f3ec086bc02099c 342101 #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/862a9ed37b4cc89f450e6159cec65552e6e9fd38 334256 #P_asb_2022-07 StorageManagerService: don't ignore failures to prepare user storage
+https://github.com/LineageOS/android_frameworks_base/commit/10600c7c0cb582877cae6d3a28c9e39a73add1e1 334257 #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails
+https://github.com/LineageOS/android_frameworks_base/commit/44130eac9f128dbea908171de1fa0743f2dda709 334258 #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only
+https://github.com/LineageOS/android_frameworks_base/commit/8b1d16f79b125ea356d7af582fc6ceac297afa04 334259 #P_asb_2022-07 Ignore errors preparing user storage for existing users
+https://github.com/LineageOS/android_frameworks_base/commit/2688ed5ff6c1c637444ba776d730940769b2ee1d 334260 #P_asb_2022-07 Log to EventLog on prepareUserStorage failure
+https://github.com/LineageOS/android_frameworks_base/commit/bcede32d6c0c192b00fa745e522d50b817ea969b 334262 #P_asb_2022-07 Crash invalid FGS notifications
+https://github.com/LineageOS/android_packages_apps_KeyChain/commit/5e04f66b9db71a74b7dbf6ca9a43b602d5fca122 334264 #P_asb_2022-07 Encode authority part of uri before showing in UI
+https://github.com/LineageOS/android_packages_apps_Settings/commit/1fee30e9946eec7ec5b0c95481317cd1647c92a7 334265 #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
+https://github.com/LineageOS/android_system_bt/commit/b15c9cc55faddbdb36df6af086762adfef028bbe 334266 #P_asb_2022-07 Security: Fix out of bound write in HFP client
+https://github.com/LineageOS/android_system_bt/commit/5d7b97ac9aa45287bf57d061b7e1e0287c7c513a 334267 #P_asb_2022-07 Check Avrcp packet vendor length before extracting length
+https://github.com/LineageOS/android_frameworks_opt_telephony/commit/4e3e190ff664797f23039da13a45a70ddf615489 334263 #P_asb_2022-07 Enforce privileged phone state for getSubscriptionProperty(GROUP_UUID)
+https://github.com/LineageOS/android_system_bt/commit/f41d68b53f669b96787f5fde38bdc5fe73e795b8 334268 #P_asb_2022-07 Security: Fix out of bound read in AT_SKIP_REST
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/35c2fc9116afdd6fe2dcca6e4fb59466a317b342 335117 #P_asb_2022-08 Only allow system and same app to apply relinquishTaskIdentity
+https://github.com/LineageOS/android_system_bt/commit/8bfd408fa1ebf3d8dc2fc9906672c7cfe7dc0144 335109 #P_asb_2022-08 Removing bonded device when auth fails due to missing keys
+https://github.com/LineageOS/android_packages_providers_ContactsProvider/commit/3b27f760484b42cc1ea25af7bdeb68b40cdfa455 335110 #P_asb_2022-08 enforce stricter CallLogProvider query
+https://github.com/LineageOS/android_packages_apps_Settings/commit/9dfc928466d7709c968adcba7f22378e243b99f2 335111 #P_asb_2022-08 Verify ringtone from ringtone picker is audio
+https://github.com/LineageOS/android_packages_apps_Settings/commit/539f79473852aab2bebcc7374404f47eccb297b1 335112 #P_asb_2022-08 Make bluetooth not discoverable via SliceDeepLinkTrampoline
+https://github.com/LineageOS/android_packages_apps_Settings/commit/b8e381a8e5b104a455efb6b4352eee04b1fb4a5c 335113 #P_asb_2022-08 Fix: policy enforcement for location wifi scanning
+https://github.com/LineageOS/android_packages_apps_Settings/commit/83ce5e4d8f0bb352ed433e711acacdd1a51130fe 335114 #P_asb_2022-08 Fix Settings crash when setting a null ringtone
+https://github.com/LineageOS/android_packages_apps_Settings/commit/91b6470dde8a9b2586273796c183a29000a82ce5 335115 #P_asb_2022-08 Fix can't change notification sound for work profile.
+https://github.com/LineageOS/android_packages_apps_Settings/commit/ccebafea047fef8ab93c4e748ab1b9a15280702b 335116 #P_asb_2022-08 Extract app label from component name in notification access confirmation UI
+https://github.com/LineageOS/android_frameworks_base/commit/a532c1aeec285ebd601ceb266f0af8553ccef5df 335118 #P_asb_2022-08 Suppress notifications when device enter lockdown
+https://github.com/LineageOS/android_frameworks_base/commit/017b9b6b000693a5e48ba7431bf638c257833ec3 335119 #P_asb_2022-08 Remove package title from notification access confirmation intent
+https://github.com/LineageOS/android_frameworks_base/commit/53f3e590ac533cacdf7e78ec701a8e365c89901b 335121 #P_asb_2022-08 Only allow the system server to connect to sync adapters
+https://github.com/LineageOS/android_frameworks_base/commit/cb2cb0520dd1f4c7e19e806cde02fc3da6a355d2 335120 #P_asb_2022-08 Stop using invalid URL to prevent unexpected crash
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/26e3268f3cac1d120d8b4683e8d5201b70f44fc2 338346 #P_asb_2022-09 Fix duplicate permission privilege escalation
+https://github.com/LineageOS/android_frameworks_base/commit/b98ed505d5c477f5d6e1f88433a5c9f1cb03025e 338347 #P_asb_2022-09 Parcel: recycle recycles
+https://github.com/LineageOS/android_frameworks_base/commit/3a1887eb6147d7e51a79c387aaed38c08056c789 338348 #P_asb_2022-09 IMMS: Make IMMS PendingIntents immutable
+https://github.com/LineageOS/android_frameworks_base/commit/031578d71058c6400ea91b1806b467aca2de54b1 338349 #P_asb_2022-09 Remove package name from SafetyNet logs
+https://github.com/LineageOS/android_external_expat/commit/31f7a33a236a574c7c4bea5de648c349fa1e7508 338353 #P_asb_2022-09 Prevent integer overflow in copyString
+https://github.com/LineageOS/android_external_expat/commit/5c70aa4e573cf46f6127aa6713c09877a246bf6b 338354 #P_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
+https://github.com/LineageOS/android_external_expat/commit/68116f18efee226636fdc2ecf518f3de589c98a8 338355 #P_asb_2022-09 Prevent integer overflow in function doProlog
+https://github.com/LineageOS/android_external_expat/commit/883c4901f5ca13cf202c9c234612e117f0ef092e 338356 #P_asb_2022-09 Prevent more integer overflows
+https://github.com/LineageOS/android_system_bt/commit/a940244a653c0c20e5d08aaf40484da93300dc3f 338350 #P_asb_2022-09 Fix OOB in bnep_is_packet_allowed
+https://github.com/LineageOS/android_system_bt/commit/de882ad1be24fa351ad8ba483b89c2b0b1e615c6 338351 #P_asb_2022-09 Fix OOB in BNEP_Write
+https://github.com/LineageOS/android_system_bt/commit/88b4c659bc53971605a5cdde56f94b2d90677d20 338352 #P_asb_2022-09 Fix OOB in reassemble_and_dispatch
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_external_dtc/commit/d8ff0456cbe3b32b5f71dd0740f9a6cca6de27b9 342096 #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings
+https://github.com/LineageOS/android_system_bt/commit/024bd7b32e3298ceaf70443e9224aff56cf8de4b 342097 #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
+https://github.com/LineageOS/android_system_nfc/commit/f7eb9ba0755d2ab170d7fa7f46d67ebed4690426 342098 #P_asb_2022-10 The length of a packet should be non-zero
+https://github.com/LineageOS/android_frameworks_base/commit/950c44f0e7229672ea093e86d7f05df00b33844d 342100 #P_asb_2022-10 Limit the number of concurrently snoozed notifications
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/c5cae87d66c3b8d459677da775cc61e550bba993 342099 #P_asb_2022-10 The length of a packet should be non-zero
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_packages_apps_PackageInstaller/commit/79fbc97fa9030bc872c26dde69d3d6b5ca50d42c 344181 #P_asb_2022-11 Hide overlays on ReviewPermissionsAtivity
+https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/915289305d5bd55c3a9e5667acab9cfec8f68d31 344182 #P_asb_2022-11 Check dir path before updating permissions.
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/9bd081d4162ee1bd99eed4a2f8c144255a3b7a41 344183 #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+https://github.com/LineageOS/android_system_bt/commit/b8332ffa326c412c7952bcae1ad924a8542caa8e 344184 #P_asb_2022-11 Add negative length check in process_service_search_rsp
+https://github.com/LineageOS/android_system_bt/commit/9e3a7208a794cb350b5b1565db4e1120d7b1373d 344185 #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
+https://github.com/LineageOS/android_frameworks_base/commit/fcd8dc4d686c362b7353f9d7c6a3b05994cc0565 344168 #P_asb_2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
+https://github.com/LineageOS/android_frameworks_base/commit/bad61936167d1d7eca8dc155e8c0c8a248a2bc5c 344169 #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+https://github.com/LineageOS/android_frameworks_base/commit/e72558a547d48190469c0763a9e317d1792a9f53 344170 #P_asb_2022-11 Do not send new Intent to non-exported activity when navigateUpTo
+https://github.com/LineageOS/android_frameworks_base/commit/6a42e12de4cf0f2de93cbd8bb4506de8a83dd88a 344171 #P_asb_2022-11 Do not send AccessibilityEvent if notification is for different user.
+https://github.com/LineageOS/android_frameworks_base/commit/36b533a308ced7203f515daed97d0f15bb65587f 344172 #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule
+https://github.com/LineageOS/android_frameworks_base/commit/114dcf0b5836c0c982a560e85350f408c8640bdf 344173 #P_asb_2022-11 Check permission for VoiceInteraction
+https://github.com/LineageOS/android_frameworks_base/commit/22e363c319e6fddeea39f00f7ef5e63395a45dc5 344174 #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock
+https://github.com/LineageOS/android_hardware_nxp_nfc/commit/70c3eef94c74e78d9bf9e9119d58ca0a5082cf2f 344180 #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+https://github.com/LineageOS/android_external_dtc/commit/c34b2c464b0900d3e79aa1c64c25137fd09c4762 344161 #P_asb_2022-11 Fix integer wrap sanitisation.
+https://github.com/LineageOS/android_frameworks_av/commit/2692e4bcdba06eec20424291acaac5669acf581f 344167 #P_asb_2022-11 setSecurityLevel in clearkey
+https://github.com/LineageOS/android_vendor_nxp_opensource_halimpl/commit/9d9f191dd2522aa286bdc3c42d6777b6e503356b 344190 #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
+
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_system_bt/commit/cea94f7ab0d36254a99d5854b9c2e83afd4584bc 345915 #P_asb_2022-12 Added max buffer length check
+https://github.com/LineageOS/android_system_bt/commit/56ea90b69d6715e7e1f0ddd35fd5ca7e19d93dc6 345916 #P_asb_2022-12 Add missing increment in bnep_api.cc
+https://github.com/LineageOS/android_system_bt/commit/da6430bd4b319f8398deaef8d74341234fb79624 345917 #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
+https://github.com/LineageOS/android_system_bt/commit/222fad2e71f159e3d6e0bc0aef36f83cbf3fcdfa 345918 #P_asb_2022-12 Fix integer overflow when parsing avrc response
+https://github.com/LineageOS/android_frameworks_base/commit/16da2229db1aa80499b296bc8c384fe78add0e30 345892 #P_asb_2022-12 Revert "Prevent non-admin users from deleting system apps."
+https://github.com/LineageOS/android_frameworks_base/commit/921f748f4dd12465721dc7e8ed86f89c0718da57 345893 #P_asb_2022-12 Limit the size of NotificationChannel and NotificationChannelGroup
+https://github.com/LineageOS/android_frameworks_base/commit/4bdaa78394c95a864f1d34ec1997c6494dbece15 345894 #P_asb_2022-12 Prevent non-admin users from deleting system apps.
+https://github.com/LineageOS/android_frameworks_base/commit/c8ac5b6a05bb584e196b4c1bd4b819914c4018b6 345895 #P_asb_2022-12 Validate package name passed to setApplicationRestrictions.
+https://github.com/LineageOS/android_frameworks_base/commit/9e0a825e2ca0cf102fc462af55f5a471d6d5836d 345896 #P_asb_2022-12 Include all enabled services when FEEDBACK_ALL_MASK.
+https://github.com/LineageOS/android_frameworks_base/commit/8d88ee0de3b9e474fcc70ab121186df93bf75456 345897 #P_asb_2022-12 [pm] forbid deletion of protected packages
+https://github.com/LineageOS/android_frameworks_base/commit/c4763f78a2ab695992cf63709b665c7478d43891 345898 #P_asb_2022-12 Fix NPE
+https://github.com/LineageOS/android_frameworks_base/commit/08605e9ee1e96336fe3202066a6cdba21cf377ad 345899 #P_asb_2022-12 Fix a security issue in app widget service.
+https://github.com/LineageOS/android_frameworks_base/commit/4d5e30ccea8cc4dec6359f004173d896c4b01556 345900 #P_asb_2022-12 Ignore malformed shortcuts
+https://github.com/LineageOS/android_frameworks_base/commit/58e177ca589576cacfd1ed016bdd5d0bf4cb9a5d 345901 #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
+https://github.com/LineageOS/android_frameworks_base/commit/be00f79f1148a27fd9161e65ebaa2eedb7fca4c7 345902 #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
+https://github.com/LineageOS/android_frameworks_minikin/commit/4f583889fcc90883fa3ec86befa20c671ec8774e 345903 #P_asb_2022-12 Fix OOB read for registerLocaleList
+https://github.com/LineageOS/android_frameworks_minikin/commit/89b513681269399b4d2621f0c1750daa48f77681 345904 #P_asb_2022-12 Fix OOB crash for registerLocaleList
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/f7624d5f831e8576a816feaebb120974e54c23b6 345907 #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
+https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/c6cd624a87b1b8f586ef83b2a810c36669b55a0b 345908 #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/d25bc7d14e791a049698ac2c7cbd9c72e6e7592d 345909 #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+https://github.com/LineageOS/android_packages_apps_Settings/commit/06242790f0f2b20e1f0caa0548924d1fcddfca93 345910 #P_asb_2022-12 Revert "Prevent exfiltration of system files via user image settings."
+https://github.com/LineageOS/android_packages_apps_Settings/commit/090473035dd448e96138844bfec0c88952acf3d1 345911 #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+https://github.com/LineageOS/android_packages_apps_Settings/commit/6f9c13de0a620203fe7d6bcdfd6d94c74e22706b 345912 #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
+https://github.com/LineageOS/android_external_dtc/commit/77e6d383cde91d7ac8bbb159de215ec198e9f1aa 345891 #P_asb_2022-12 libfdt: fdt_path_offset_namelen: Reject empty paths
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/fae9a71b822b913e7516333484e8efd513e1640d 345913 #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
+https://github.com/LineageOS/android_system_bt/commit/210fe2c41c04d50c7a82a6415d7708ff5d055b3e 345914 #P_asb_2022-12 Add length check when copy AVDTP packet
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/7f7b42f83fd7aef7570450b82c5931aa81f1e66d 347044 #P_asb_2023-01 Limit lengths of fields in Condition to a max length.
+https://github.com/LineageOS/android_frameworks_base/commit/91726ddbd32c8b5226991492354f1d93616c6cfd 347045 #P_asb_2023-01 Disable all A11yServices from an uninstalled package.
+https://github.com/LineageOS/android_frameworks_base/commit/2dc4e2467dcebfc827d68f573570cd04e6ea6244 347046 #P_asb_2023-01 Fix conditionId string trimming in AutomaticZenRule
+https://github.com/LineageOS/android_frameworks_base/commit/9b5407d68859e615a2ee7a229f486fc5365682da 347047 #P_asb_2023-01 [SettingsProvider] mem limit should be checked before settings are updated
+https://github.com/LineageOS/android_frameworks_base/commit/66a9e8fc457e7257b78dfef3f18eab01c63efc12 347048 #P_asb_2023-01 Revert "Revert "Validate permission tree size..."
+https://github.com/LineageOS/android_frameworks_base/commit/c8892a45db45ee79085b0ee620b3d8f69f560d03 347049 #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
+https://github.com/LineageOS/android_frameworks_base/commit/9e7745eeedc6066e91e0c508d49c8db15a8ae6bf 347050 #P_asb_2023-01 Revoke SYSTEM_ALERT_WINDOW on upgrade past api 23
+https://github.com/LineageOS/android_frameworks_base/commit/be4c10b9f70b5033bc6f75649265a12f65ad0bc3 347051 #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
+https://github.com/LineageOS/android_packages_services_Telephony/commit/d596467cc3b161beca194ce4c8f96efcd0d6a340 347041 #P_asb_2023-01 prevent overlays on the phone settings
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/7636df9f0dcff2d9b272f925b956348fc8dc384b 347042 #P_asb_2023-01 Fix security vulnerability when register phone accounts.
+https://github.com/LineageOS/android_packages_apps_Nfc/commit/48b3f34578cd9757a11c1cd694527b45c5915ae8 347043 #P_asb_2023-01 OOBW in Mfc_Transceive()
+https://github.com/LineageOS/android_system_bt/commit/deb080bb11eadef601ec11633317090f060e50bb 347127 #P_asb_2023-01 BT: Once AT command is retrieved, return from method.
+https://github.com/LineageOS/android_system_bt/commit/0c74f58652259adde281b7d8b13732a8f0e9ab92 347128 #P_asb_2023-01 AVRC: Validating msg size before accessing fields
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/a9d49368cb13ba9d98af67ae9a96b82ae7fc4e46 349330 #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+https://github.com/LineageOS/android_frameworks_base/commit/7780547c156f34020ba7316e8c8cbea6c7985818 349331 #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/90e0fb025afa7bfe3600b79c2e0e563b5d6124bb 349332 #P_asb_2023-02 Fix OPP comparison
+https://github.com/LineageOS/android_packages_apps_EmergencyInfo/commit/eeb60967a52197d04d331b8e87beb5f1fb9e92aa 349333 #P_asb_2023-02 Removes unnecessary permission from the EmergencyInfo app.
+https://github.com/LineageOS/android_system_bt/commit/12b2d2eeb63246e85e30389d2e885608e9209cc1 349334 #P_asb_2023-02 Report failure when not able to connect to AVRCP
+https://github.com/LineageOS/android_system_bt/commit/8e81bb1e80ccbba0724e12dabac61b9ac36d4b0f 349335 #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
+https://github.com/LineageOS/android_vendor_nxp_opensource_packages_apps_Nfc/commit/35299f9e605257a17257c5da0064c3f7cc3dce4a 349336 #P_asb_2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr
+https://github.com/LineageOS/android_external_expat/commit/281fc3aeb520277460014a8c398ba083d167f284 349328 #P_asb_2023-02 [CVE-2022-43680] Fix overeager DTD destruction (fixes #649)
+https://github.com/LineageOS/android_frameworks_av/commit/994d95501928153cb7b8f04587e3160bc17ce2a5 349329 #P_asb_2023-02 move MediaCodec metrics processing to looper thread
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_external_zlib/commit/d6e0dec5307a69aa6381246221803bdc050e5b96 351909 #P_asb_2023-03 Fix a bug when getting a gzip header extra field with inflate().
+https://github.com/LineageOS/android_packages_apps_Settings/commit/5f84b1609065c5b26f2b5278d83fdd791597a69f 351914 #P_asb_2023-03 FRP bypass defense in the settings app
+https://github.com/LineageOS/android_packages_apps_Settings/commit/718126925dc2e00c268f49d006231eb3edd5778a 351915 #P_asb_2023-03 Add DISALLOW_APPS_CONTROL check into uninstall app for all users
+https://github.com/LineageOS/android_system_bt/commit/b7dfbbdf4dc9ae5761816ad0a4875d46244ed25a 351916 #P_asb_2023-03 Fix an OOB Write bug in gatt_check_write_long_terminate
+https://github.com/LineageOS/android_system_bt/commit/b433704453d59946be0f5b30346cf0dd3e42ec09 351917 #P_asb_2023-03 Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
+https://github.com/LineageOS/android_system_bt/commit/fcd19451fa2e3da35c3e0f5db0961b994ed1b49f 351918 #P_asb_2023-03 Fix an OOB write in SDP_AddAttribute
+https://github.com/LineageOS/android_frameworks_base/commit/3f8c0e9c4ad48b37c44e132a7a8e3fd157a83e00 351910 #P_asb_2023-03 Move service initialization
+https://github.com/LineageOS/android_frameworks_base/commit/11c799795be7c8bafedbc4eb3d940b4a1f93a308 351911 #P_asb_2023-03 Enable user graularity for lockdown mode
+https://github.com/LineageOS/android_frameworks_base/commit/d6401e37da9afb99f647b09fd3ce9aa38bb84016 351912 #P_asb_2023-03 Revoke dev perm if app is upgrading to post 23 and perm has pre23 flag
+https://github.com/LineageOS/android_frameworks_base/commit/7d63c11542c202467f035e03644962a263cfdc19 351913 #P_asb_2023-03 Reconcile WorkSource parcel and unparcel code.
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/7ed39484667b94b738b7d1d7717ef5b640a7a405 354243 #P_asb_2023-04 Checking if package belongs to UID before registering broadcast receiver
+https://github.com/LineageOS/android_frameworks_base/commit/34184bc31e77a8db5b967ca275f6e4841bd5e3ff 354244 #P_asb_2023-04 Fix checkKeyIntentParceledCorrectly's bypass
+https://github.com/LineageOS/android_frameworks_base/commit/9cade5349e44f2b48ed6408e3b05a1272ff2a3ef 354245 #P_asb_2023-04 Encode Intent scheme when serializing to URI string RESTRICT AUTOMERGE
+https://github.com/LineageOS/android_frameworks_base/commit/1dc0540d7b8918a6043c0863b2bea0946b100b8e 354242 #P_asb_2023-04 Context#startInstrumentation could be started from SHELL only now.
+https://github.com/LineageOS/android_system_bt/commit/a883a17a9e05d87bfb1547d8b812522c771c971c 354246 #P_asb_2023-04 Fix OOB access in avdt_scb_hdl_pkt_no_frag
+https://github.com/LineageOS/android_system_bt/commit/d9472b7fba9c3a366e768ff4c28225d264aa6ad1 354247 #P_asb_2023-04 Fix an OOB bug in register_notification_rsp
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/5ad6edf34e69b9bd0334bb0b0a3592b8d5ded5b4 354249 #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+https://github.com/LineageOS/android_system_nfc/commit/d751463856e968430d4859a55a97f12b2553de19 354248 #P_asb_2023-04 OOBW in nci_snd_set_routing_cmd()
+
+
+
+
+
+
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/ffd36f517fae838fe836d6f189b2de6355e6814c 356150 #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+https://github.com/LineageOS/android_frameworks_native/commit/09ece8aee9246ba8ef5408e074165c9bbc2d6bc1 356151 #P_asb_2023-05 Check for malformed Sensor Flattenable
+https://github.com/LineageOS/android_frameworks_native/commit/c62382dd2192444ca7a81a0318521b03e852c355 356152 #P_asb_2023-05 Remove some new memory leaks from SensorManager
+https://github.com/LineageOS/android_frameworks_native/commit/30348a31e1c0eb604f1a2de40b57d734f71cb9e8 356153 #P_asb_2023-05 Add removeInstanceForPackageMethod to SensorManager
+https://github.com/LineageOS/android_frameworks_base/commit/e0f219e675b2a36304db2f163783fe82937c1d41 356156 #P_asb_2023-05 enforce stricter rules when registering phoneAccounts
+https://github.com/LineageOS/android_frameworks_base/commit/18025b2a135d7e7063201054b7f4409fe562ee56 356154 #P_asb_2023-05 Checks if AccessibilityServiceInfo is within parcelable size.
+https://github.com/LineageOS/android_frameworks_base/commit/0cfc7a41aa5b741452316b19bc100be58bbe3cc7 356155 #P_asb_2023-05 Uri: check authority and scheme as part of determining URI path
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_av/commit/d4f4cbe1d4eb1e80f64676cb07e84a6409cd095f 359729 #P_asb_2023-06 Fix NuMediaExtractor::readSampleData buffer Handling
+https://github.com/LineageOS/android_packages_apps_Settings/commit/ed20a91b473462e14f7cea5dd1b8cbff4d0feab5 359734 #P_asb_2023-06 Convert argument to intent in AddAccountSettings.
+https://github.com/LineageOS/android_packages_apps_TvSettings/commit/3f8f5d733659d15eb78d0a3de97442c1c33259b8 359735 #P_asb_2023-06 Convert argument to intent in addAccount TvSettings.
+https://github.com/LineageOS/android_system_bt/commit/5f6f48a784284a9220ae70d9f99d96a25bd3adce 359736 #P_asb_2023-06 Prevent use-after-free of HID reports
+https://github.com/LineageOS/android_system_bt/commit/969a3c9aba7e8060f1bcf341375263d67fec01d2 359737 #P_asb_2023-06 Revert "Revert "Validate buffer length in sdpu_build_uuid_seq""
+https://github.com/LineageOS/android_system_bt/commit/d50fdc03f066f2b1bdb3bcb21d627a0e3ac9e268 359738 #P_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
+https://github.com/LineageOS/android_frameworks_base/commit/c45ee6ab3ee0b8e4f16cc88d098fb9200b3a109a 359730 #P_asb_2023-06 Check key intent for selectors and prohibited flags
+https://github.com/LineageOS/android_frameworks_base/commit/22bac442d2249f6e02608f9994cf761bfdf90d80 359731 #P_asb_2023-06 Handle invalid data during job loading.
+https://github.com/LineageOS/android_frameworks_base/commit/24a90436bb260a64b427efb98f3aa40f0c27fe32 359732 #P_asb_2023-06 Allow filtering of services
+https://github.com/LineageOS/android_frameworks_base/commit/4974a8613d776dcd0dff6c8950b3dd1a7dbec465 359733 #P_asb_2023-06 Prevent RemoteViews crashing SystemUi
+https://github.com/LineageOS/android_packages_apps_Traceur/commit/43b23418ed73d1b64bb198a79c5825666c95684d 378475 #P_asb_2023-06 Update Traceur to check admin user status
+https://github.com/LineageOS/android_packages_apps_Traceur/commit/55e506621081e4e092a4434a763561d2a2f0859e 378476 #P_asb_2023-06 Add DISALLOW_DEBUGGING_FEATURES check
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_external_freetype/commit/31e8900c4e35a5b82ee19449830c87f8c1593504 361250 #P_asb_2023-07 Cherry-pick two upstream changes
+https://github.com/LineageOS/android_system_nfc/commit/6ea4e00c886e05116d1d6058fb4cf40e0ccdb70b 361251 #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+https://github.com/LineageOS/android_system_bt/commit/c4a3cf60380376537eefcce41eec053677c7732c 361252 #P_asb_2023-07 Fix gatt_end_operation buffer overflow
+https://github.com/LineageOS/android_vendor_nxp_opensource_external_libnfc-nci/commit/c2ad40e96300f65c3e16b06eccba282003385956 361253 #P_asb_2023-07 OOBW in rw_i93_send_to_upper()
+https://github.com/LineageOS/android_frameworks_base/commit/c1741be24b21788051c95fafb20f889f15c7b8a8 361254 #P_asb_2023-07 Sanitize VPN label to prevent HTML injection
+https://github.com/LineageOS/android_frameworks_base/commit/63ef19bd0f36f043fa72acbb8484cae2e48a07b1 361256 #P_asb_2023-07 Import translations. DO NOT MERGE ANYWHERE
+https://github.com/LineageOS/android_frameworks_base/commit/626a9919d79ad7584e30496f8b990a1a4e20ec40 361257 #P_asb_2023-07 Dismiss keyguard when simpin auth'd and...
+https://github.com/LineageOS/android_frameworks_base/commit/cfab4afce18c49c6abe6e25fce9add4b57bb65e4 361259 #P_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
+https://github.com/LineageOS/android_tools_apksig/commit/011adec1a494974102930bf65a8d2fdfa8b375b5 361280 #P_asb_2023-07 Create source stamp verifier
+https://github.com/LineageOS/android_tools_apksig/commit/9a80527425030dae7f962ab95eda500a720cde47 361281 #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+https://github.com/LineageOS/android_frameworks_base/commit/3f7975447006b2246dd1b8722064ca26e40aae25 361258 #P_asb_2023-07 Truncate ShortcutInfo Id
+https://github.com/LineageOS/android_frameworks_base/commit/68f08d51b66b8336aeec2e01bcfa72ae5fbfb81d 361255 #P_asb_2023-07 Limit the number of supported v1 and v2 signers
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_external_aac/commit/c263e21d9cd270283c0fabddeb710798b6fe56aa 364605 #P_asb_2023-08 Increase patchParam array size by one and fix out-of-bounce write in resetLppTransposer().
+https://github.com/LineageOS/android_external_freetype/commit/ef28d3d7460a814efef8174c44fde7aab4341db5 364606 #P_asb_2023-08 Cherrypick following three changes
+https://github.com/LineageOS/android_frameworks_base/commit/6adafe39c32f8236e18c57bc834caa88a09ad8cc 364608 #P_asb_2023-08 Verify URI permissions for notification shortcutIcon.
+https://github.com/LineageOS/android_frameworks_base/commit/0b2c705c891a44ac854cb5ec123fb869669ae5fe 364609 #P_asb_2023-08 On device lockdown, always show the keyguard
+https://github.com/LineageOS/android_frameworks_base/commit/84be6e930a60f855a318c41a446b92849b50087a 364610 #P_asb_2023-08 Ensure policy has no absurdly long strings
+https://github.com/LineageOS/android_frameworks_base/commit/aa0fb47602bd6bc95404d5a5468ba4db577c418f 364611 #P_asb_2023-08 Implement visitUris for RemoteViews ViewGroupActionAdd.
+https://github.com/LineageOS/android_frameworks_base/commit/42d2f7a7ac4004754050ddd53f2e5b626ae28c02 364612 #P_asb_2023-08 Check URIs in notification public version.
+https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/8e5a42af29838bd09b62ec199d744c4592258eeb 364616 #P_asb_2023-08 Update file permissions using canonical path
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/6428c62b978aefd829bf4e91493a356c3675e5c0 364617 #P_asb_2023-08 Resolve StatusHints image exploit across user.
+https://github.com/LineageOS/android_system_ca-certificates/commit/4c6994b1a05d435e40947a7315aae1a128984957 365328 #P_asb_2023-08 Drop TrustCor certificates
+https://github.com/LineageOS/android_frameworks_base/commit/19dc7642fe849e85abe886b9340b5dda52e21885 364607 #P_asb_2023-08 ActivityManager#killBackgroundProcesses can kill caller's own app only
+https://github.com/LineageOS/android_frameworks_base/commit/1537cadd2966e0ea2d188cd3e96af6287bb473c6 364613 #P_asb_2023-08 Verify URI permissions in MediaMetadata
+https://github.com/LineageOS/android_frameworks_base/commit/507937f96405b8530f24c7625b5f5f18f7a0df55 364614 #P_asb_2023-08 Use Settings.System.getIntForUser instead of getInt to make sure user specific settings are used
+https://github.com/LineageOS/android_frameworks_base/commit/2e64cb078e9e11e8310c0b589a6edd429b9c2f16 364615 #P_asb_2023-08 Resolve StatusHints image exploit across user.
+
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_av/commit/7e0adcb2073a2549aa901ecc40de254202a1eded 366126 #P_asb_2023-09 Fix Segv on unknown address error flagged by fuzzer test.
+https://github.com/LineageOS/android_frameworks_base/commit/383b016298865df13c1d1ead7049a9c0a73cb973 366127 #P_asb_2023-09 Forbid granting access to NLSes with too-long component names
+https://github.com/LineageOS/android_frameworks_native/commit/4d3c579105e1a98abc2868723928dea280a93076 366129 #P_asb_2023-09 Allow sensors list to be empty
+https://github.com/LineageOS/android_packages_services_Telephony/commit/114c9d5475962cd63ebf8f246c2c2f4a9c7fddf1 366130 #P_asb_2023-09 Fixed leak of cross user data in multiple settings.
+https://github.com/LineageOS/android_system_bt/commit/f9ba876145b612b684f5b966ab524d7b5b7a783c 366131 #P_asb_2023-09 Fix an integer overflow bug in avdt_msg_asmbl
+https://github.com/LineageOS/android_system_bt/commit/862350fa3b8fc51bcdd8331352f28cd6cac4bf1d 366132 #P_asb_2023-09 Fix integer overflow in build_read_multi_rsp
+https://github.com/LineageOS/android_system_bt/commit/db6c02ecbc377437585b56c310e2847661dd557c 366133 #P_asb_2023-09 Fix potential abort in btu_av_act.cc
+https://github.com/LineageOS/android_system_bt/commit/9b06f046f58bd82f9df6592c1a45ade8075608f9 366134 #P_asb_2023-09 Fix reliable write.
+https://github.com/LineageOS/android_system_bt/commit/9ac8d616f369513b0ef4f466eded252a4511898d 366135 #P_asb_2023-09 Fix UAF in gatt_cl.cc
+https://github.com/LineageOS/android_packages_apps_Settings/commit/acfa0cd4e0551d07fab0511cfb84462e70a48b53 366136 #P_asb_2023-09 Prevent non-system IME from becoming device admin
+https://github.com/LineageOS/android_packages_apps_Trebuchet/commit/0c9ab1418476b9aab2830f5b3f9d4ee7be3714fd 366137 #P_asb_2023-09 Fix permission issue in legacy shortcut
+https://github.com/LineageOS/android_frameworks_base/commit/3f429c322504732c25e1d92bd57fecdd8a7e5d5b 366128 #P_asb_2023-09 Update AccountManagerService checkKeyIntentParceledCorrectly.
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/8489bb9206314ce3be439f374704204626bd40ca 370695 #P_asb_2023-10 Verify URI Permissions in Autofill RemoteViews
+https://github.com/LineageOS/android_frameworks_base/commit/aecf51e67aa3b540f86d12164be8d66e12ca47f2 370697 #P_asb_2023-10 Disallow loading icon from content URI to PipMenu
+https://github.com/LineageOS/android_frameworks_base/commit/71c5804bc372c58c4f7a1b01905618cb5edb2dda 370699 #P_asb_2023-10 Revert "Dismiss keyguard when simpin auth'd and..."
+https://github.com/LineageOS/android_packages_apps_Settings/commit/e7401f49ebfc563aa5fcd9aaa9981a235557d1b4 370700 #P_asb_2023-10 Restrict ApnEditor settings
+https://github.com/LineageOS/android_external_libxml2/commit/2bd551871a645e43a75ce6065598d22b89b80a21 370701 #P_asb_2023-10 malloc-fail: Fix OOB read after xmlRegGetCounter
+https://github.com/LineageOS/android_frameworks_base/commit/ae25f45e664b47e74fc9d73bc1b4292e6721dd7a 370693 #P_asb_2023-10 RingtoneManager: verify default ringtone is audio
+https://github.com/LineageOS/android_frameworks_base/commit/7adb3e0e1d591aeabccc5edfa624a591a3428a3d 370694 #P_asb_2023-10 Do not share key mappings with JNI object
+https://github.com/LineageOS/android_frameworks_base/commit/0fb320aef79861cb612fcd48585571f1715616fe 370696 #P_asb_2023-10 Fix KCM key mapping cloning
+https://github.com/LineageOS/android_frameworks_base/commit/48e0cbe76661b6b4c8edb2950a572694947b5641 370698 #P_asb_2023-10 Fixing DatabaseUtils to detect malformed UTF-16 strings
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_system_ca-certificates/commit/6f06eccd9ef3d37a2d9d52d1c925c3e71f525b14 374916 #P_asb_2023-11 Remove E-Tugra certificates.
+https://github.com/LineageOS/android_packages_services_BuiltInPrintService/commit/4302a583e82fa5bd76315077688818e53df98f20 374919 #P_asb_2023-11 Adjust APIs for CUPS 2.3.3
+https://github.com/LineageOS/android_packages_providers_TelephonyProvider/commit/3d07f3a1821c0953d156206e288bb484a0c0f399 374920 #P_asb_2023-11 Block access to sms/mms db from work profile.
+https://github.com/LineageOS/android_frameworks_base/commit/e696b2932c41ab89f4910abc5a626c8e9b8d8543 374921 #P_asb_2023-11 Fix BAL via notification.publicVersion
+https://github.com/LineageOS/android_frameworks_av/commit/62ae30fad8c644b492393eb8c1eec2867cc73b07 374924 #P_asb_2023-11 Fix for heap buffer overflow issue flagged by fuzzer test.
+https://github.com/LineageOS/android_external_libcups/commit/383806fb90e7246d31241ab11332f3c0172e2f17 374932 #P_asb_2023-11 Upgrade libcups to v2.3.1
+https://github.com/LineageOS/android_external_libcups/commit/af78634c7babca00f4a5b1650b817b36be4e94dd 374933 #P_asb_2023-11 Upgrade libcups to v2.3.3
+https://github.com/LineageOS/android_frameworks_base/commit/1c5bf358397ad6a337d375fbc8dba4d98a50eca8 374922 #P_asb_2023-11 Use type safe API of readParcelableArray
+https://github.com/LineageOS/android_frameworks_base/commit/64de82f91e01d8d7d4224c737efe915397a904d2 374923 #P_asb_2023-11 [SettingsProvider] verify ringtone URI before setting
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_av/commit/5e50aa57f52b08f4cb07a6a3f98698f2077a9cbf 377765 #P_asb_2023-12 httplive: fix use-after-free
+https://github.com/LineageOS/android_frameworks_base/commit/73913dfae62f0c93147896ab07232417cff467ee 377766 #P_asb_2023-12 Visit Uris added by WearableExtender
+https://github.com/LineageOS/android_frameworks_base/commit/ac1ed7557b197952a6e00eb36da31e79d7bf78a4 377769 #P_asb_2023-12 Use readUniqueFileDescriptor in incidentd service
+https://github.com/LineageOS/android_frameworks_base/commit/4ca5de2bda12925a28a59a1dffaccba045b0f9cb 377771 #P_asb_2023-12 Revert "On device lockdown, always show the keyguard"
+https://github.com/LineageOS/android_frameworks_base/commit/059ed6a3d856caee5896d94d9ea26f90c6117c93 377773 #P_asb_2023-12 Updated: always show the keyguard on device lockdown
+https://github.com/LineageOS/android_packages_apps_Bluetooth/commit/3b53fae30442369bda8cd858f5b0ac697b9cd4ec 377774 #P_asb_2023-12 Fix UAF in ~CallbackEnv
+https://github.com/LineageOS/android_packages_apps_Trebuchet/commit/02e99b157f05f8fbabb9c2457e387842ccad0bed 377775 #P_asb_2023-12 Fix permission bypass in legacy shortcut
+https://github.com/LineageOS/android_packages_services_Telecomm/commit/7ef90cb74da31eb165fc624f479b02cf6df2ebda 377776 #P_asb_2023-12 Resolve account image icon profile boundary exploit.
+https://github.com/LineageOS/android_system_bt/commit/26fe8da32584d6f639124e3ca8a7cbdbe5c60d89 377777 #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [1]
+https://github.com/LineageOS/android_system_bt/commit/6b208d0624e05bb96bffbca43e18a03dc37d21dd 377778 #P_asb_2023-12 Reject access to secure services authenticated from temp bonding [2]
+https://github.com/LineageOS/android_system_bt/commit/66a09ccfd76de30e03a843df140d7851be013052 377779 #P_asb_2023-12 Reject access to secure service authenticated from a temp bonding [3]
+https://github.com/LineageOS/android_system_bt/commit/95161565e5bf426333102097a92a8f654c10e74a 377780 #P_asb_2023-12 Reorganize the code for checking auth requirement
+https://github.com/LineageOS/android_system_bt/commit/037c9934224eabab778ee4cc197a46b64396633c 377781 #P_asb_2023-12Enforce authentication if encryption is required
+https://github.com/LineageOS/android_system_bt/commit/80a300fa626f6c5e8e7a595469f09adc307aee40 377782 #P_asb_2023-12 Fix timing attack in BTM_BleVerifySignature
+https://github.com/LineageOS/android_frameworks_base/commit/c78cee7f1c921860ac3253812548f46663383a37 377767 #P_asb_2023-12 Drop invalid data.
+https://github.com/LineageOS/android_frameworks_base/commit/c58b86b918ab7085f17215883cc110ca3362235f 377768 #P_asb_2023-12 Require permission to unlock keyguard
+https://github.com/LineageOS/android_frameworks_base/commit/b18f4518109c2f7a4c936321db87f5245b3143f3 377770 #P_asb_2023-12 Validate userId when publishing shortcuts
+https://github.com/LineageOS/android_frameworks_base/commit/98fc501deb893768aeff55006ce445f688a88203 377772 #P_asb_2023-12 Adding in verification of calling UID in onShellCommand
+https://github.com/LineageOS/android_system_netd/commit/02458b0a19ce2d3214a00f9779bd36868541b7ca 378480 #P_asb_2023-12 Fix Heap-use-after-free in MDnsSdListener::Monitor::run
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_av/commit/978191d5fc0ede5bc11b8af2cfa2469a30ad919d 379788 #P_asb_2024-01 Fix convertYUV420Planar16ToY410 overflow issue for unsupported cropwidth.
+https://github.com/LineageOS/android_frameworks_base/commit/44ce07024742aaae46a7191cd15e5ac68d209049 379789 #P_asb_2024-01 Dismiss keyguard when simpin auth'd and...
+https://github.com/LineageOS/android_frameworks_base/commit/63e443bfb107da3df0e37863e34c4b947052a6c1 379790 #P_asb_2024-01 Ensure finish lockscreen when usersetup incomplete
+https://github.com/LineageOS/android_frameworks_base/commit/70f50825ec98cd35d38e45eea69aa7ed8f51556a 379791 #P_asb_2024-01 Truncate user data to a limit of 500 characters
+https://github.com/LineageOS/android_frameworks_base/commit/9001132c18c0eb2a6478939e1bdbbe6778af1ae3 379792 #P_asb_2024-01 Validate component name length before requesting notification access.
+https://github.com/LineageOS/android_frameworks_base/commit/1cf5c05eaaff574e8dceb0c1a75ad02d0c669891 379793 #P_asb_2024-01 Log to detect usage of whitelistToken when sending non-PI target
+https://github.com/LineageOS/android_frameworks_base/commit/5948fb2aef0547db38f2f9df47b6fad736ba72b0 379794 #P_asb_2024-01 Fix vulnerability that allowed attackers to start arbitary activities
+https://github.com/LineageOS/android_system_bt/commit/e65eb2fdab8644f2e7885a628f6af9244ceed813 379796 #P_asb_2024-01 Fix some OOB errors in BTM parsing
+https://github.com/LineageOS/android_frameworks_base/commit/309033664a4fbb6200b3fe48d33e8f63becee810 379980 #P_asb_2024-01 Fix ActivityManager#killBackgroundProcesses permissions
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_av/commit/a42e0fc335d448e646309745a8d412d984748479 383562 #P_asb_2024-02 Update mtp packet buffer
+https://github.com/LineageOS/android_frameworks_base/commit/6f5e6f86263c3db753c6d58f516070a45e30b619 383563 #P_asb_2024-02 Unbind TileService onNullBinding
+https://github.com/LineageOS/android_system_bt/commit/14e35c7cf40595a6b1ff1d2e92f8b53fb356b3dc 383565 #P_asb_2024-02 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
+https://github.com/LineageOS/android_system_bt/commit/37ce9a968b579a87640d40e50ec91abe04101f3c 383566 #P_asb_2024-02 Fix an OOB write bug in attp_build_read_by_type_value_cmd
+https://github.com/LineageOS/android_packages_providers_DownloadProvider/commit/d1a6862647428e9c973f4c21adc83656c5ac98f9 383567 #P_asb_2024-02 Consolidate queryChildDocumentsXxx() implementations
+
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_av/commit/cc12a31fcbd0deddd5a74b7be121baf835ecf6dc 385670 #P_asb_2024-03 Validate OMX Params for VPx encoders
+https://github.com/LineageOS/android_frameworks_av/commit/ed62ccd9520a671d2fb900d236f5bc5ad16a1e7c 385671 #P_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
+https://github.com/LineageOS/android_frameworks_base/commit/0254ee96d60cd80a52ce583c90486d6ca1549fb6 385672 #P_asb_2024-03 Resolve custom printer icon boundary exploit.
+https://github.com/LineageOS/android_frameworks_base/commit/3cbbcd611ff83ef7a0f811d04f0478f2760ae891 385673 #P_asb_2024-03 Disallow system apps to be installed/updated as instant.
+https://github.com/LineageOS/android_frameworks_base/commit/8befe29745f94a8d80f59f0d644315c5424c8eb6 385674 #P_asb_2024-03 Close AccountManagerService.session after timeout.
+https://github.com/LineageOS/android_system_bt/commit/fbf12851fa55267f8b654f0cd1337f9f98f83c4b 385675 #P_asb_2024-03 Fix OOB caused by invalid SMP packet length
+https://github.com/LineageOS/android_system_bt/commit/73c18d6ce8333f787a4cedb24d247b071bdbf078 385676 #P_asb_2024-03 Fix an OOB bug in smp_proc_sec_req
+https://github.com/LineageOS/android_system_bt/commit/42ede61231b6b1a507cbc254827ff10dd5ae8c20 385677 #P_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
+https://github.com/LineageOS/android_system_bt/commit/3683c921ab4afd4f2f6bef8a49cbfda227ce081f 385678 #P_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
+
+
+
+
+
+
+
+https://github.com/LineageOS/android_frameworks_base/commit/e3d632959e2606a909427e4f717cd3a6cc14d4c6 389269 #P_asb_2024-04 isUserInLockDown can be true when there are other strong auth requirements
+https://github.com/LineageOS/android_frameworks_base/commit/1010f9aae741c4b5e8400709a273910b9818f4ba 389270 #P_asb_2024-04 Fix security vulnerability that creates user with no restrictions when accountOptions are too long.
+
+

Misc/pick-imports/importer.java

@@ -0,0 +1,44 @@
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Scanner;
+
+public class asb {
+
+    public static void main(String[] args) {
+        try {
+            Scanner s = new Scanner(System.in);
+            ArrayList<String> patchers = new ArrayList<>();
+            while (s.hasNextLine()) {
+                String line = s.nextLine();
+                if(line.trim().length() > 0 && line.contains("github.com")) {
+                    String[] lineS = line.split(" ");
+                    String url = lineS[0];
+                    String project = url.split("/")[4];
+                    String id = lineS[1];
+                    String comment = "#" + line.split(" #")[1];
+
+                    //Print the folders only
+                    //System.out.println(project);
+
+                    //Print the downloader
+                    //System.out.println("wget " + url + ".patch" + " -O " + project + "/" + id + ".patch; " + comment);
+
+                    //Print the patcher
+                    patchers.add("applyPatch \"$DOS_PATCHES/" + project + "/" + id + ".patch\"; " + comment);
+                }
+                if(line.equals("COMPLETE")) {
+                    break;
+                }
+            }
+
+            Collections.sort(patchers);
+            for(String patcher : patchers) {
+                System.out.println(patcher);
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+}

Patches/LineageOS-16.0/android_external_aac/332775.patch

@@ -0,0 +1,45 @@
+From e40800a613eb89b5b4c701774c3cecc1c2b7dd6c Mon Sep 17 00:00:00 2001
+From: Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>
+Date: Tue, 5 Apr 2022 18:53:20 +0200
+Subject: [PATCH] Reject invalid out of band config in
+ transportDec_OutOfBandConfig() and skip re-allocation.
+
+Bug: 224314979
+Bug: 221734266
+Test: adb shell /data/fuzz/arm64/C2FuzzerAacDec/C2FuzzerAacDec /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerAacDec-5461414938804224
+Test: adb shell /data/fuzz/arm64/C2FuzzerAacDec/C2FuzzerAacDec /data/local/tmp/clusterfuzz-testcase-minimized-C2FuzzerAacDec-5062403589275648
+
+Change-Id: I64e7fe1b258be2f59c6d39c0b7b699fa881d79e6
+Merged-In: I64e7fe1b258be2f59c6d39c0b7b699fa881d79e6
+(cherry picked from commit eb07c22519d94e573f2a02947094acd2219dc07a)
+Merged-In: I64e7fe1b258be2f59c6d39c0b7b699fa881d79e6
+---
+ libMpegTPDec/src/tpdec_lib.cpp | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
+index 1d8b7b3..c2dc964 100644
+--- a/libMpegTPDec/src/tpdec_lib.cpp
++++ b/libMpegTPDec/src/tpdec_lib.cpp
+@@ -1,7 +1,7 @@
+ /* -----------------------------------------------------------------------------
+ Software License for The Fraunhofer FDK AAC Codec Library for Android
+ 
+-© Copyright  1995 - 2018 Fraunhofer-Gesellschaft zur Förderung der angewandten
++© Copyright  1995 - 2022 Fraunhofer-Gesellschaft zur Förderung der angewandten
+ Forschung e.V. All rights reserved.
+ 
+  1.    INTRODUCTION
+@@ -351,6 +351,12 @@ TRANSPORTDEC_ERROR transportDec_OutOfBandConfig(HANDLE_TRANSPORTDEC hTp,
+         }
+       }
+     }
++
++    /* if an error is detected terminate config parsing to avoid that an invalid
++     * config is accepted in the second pass */
++    if (err != TRANSPORTDEC_OK) {
++      break;
++    }
+   }
+ 
+   if (err == TRANSPORTDEC_OK && fConfigFound) {

Patches/LineageOS-16.0/android_external_dtc/342096.patch

@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Mon, 21 Sep 2020 17:52:50 +0100
+Subject: [PATCH] FROMGIT: libfdt: fdt_offset_ptr(): Fix comparison warnings
+
+With -Wsign-compare, compilers warn about mismatching signedness in
+comparisons in fdt_offset_ptr().
+
+This mostly stems from "offset" being passed in as a signed integer,
+even though the function would not really tolerate negative values.
+
+Short of changing the prototype, check that offset is not negative, and
+use an unsigned type internally.
+
+Bug: 230794395
+Test: manual - see bug
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Message-Id: <20200921165303.9115-2-andre.przywara@arm.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Change-Id: I33c4ac27780d6bdd46c5504a839c0827c9c76bfc
+Merged-In: Idb30ae90e2b263d1dd2e931ef1d3662a23812120
+Merged-In: Ice02ecc84d6e9ab30773d039a54664b259979521
+(cherry picked from commit 35c4c2b27acf66c217865451eeecf09bc82dae66)
+Merged-In: I33c4ac27780d6bdd46c5504a839c0827c9c76bfc
+---
+ libfdt/fdt.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libfdt/fdt.c b/libfdt/fdt.c
+index 22286a1..5baaed3 100644
+--- a/libfdt/fdt.c
++++ b/libfdt/fdt.c
+@@ -76,15 +76,19 @@ int fdt_check_header(const void *fdt)
+ 
+ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
+ {
+-	unsigned absoffset = offset + fdt_off_dt_struct(fdt);
++	unsigned int uoffset = offset;
++	unsigned int absoffset = offset + fdt_off_dt_struct(fdt);
+ 
+-	if ((absoffset < offset)
++	if (offset < 0)
++		return NULL;
++
++	if ((absoffset < uoffset)
+ 	    || ((absoffset + len) < absoffset)
+ 	    || (absoffset + len) > fdt_totalsize(fdt))
+ 		return NULL;
+ 
+ 	if (fdt_version(fdt) >= 0x11)
+-		if (((offset + len) < offset)
++		if (((uoffset + len) < uoffset)
+ 		    || ((offset + len) > fdt_size_dt_struct(fdt)))
+ 			return NULL;
+ 

Patches/LineageOS-16.0/android_external_dtc/344161.patch

@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mike McTernan <mikemcternan@google.com>
+Date: Fri, 22 Jul 2022 11:44:33 +0100
+Subject: [PATCH] Fix integer wrap sanitisation.
+
+Test: make check
+Bug: 239630493
+Bug: 242096164
+Change-Id: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
+Merged-In: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
+(cherry picked from commit 05dec6d1827dc7016cad11c4ddfe8f965bceddb7)
+(cherry picked from commit 61e10c9c53b170ff8a5612ba4ec79e51d58e5eb3)
+Merged-In: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
+---
+ libfdt/fdt.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libfdt/fdt.c b/libfdt/fdt.c
+index 5baaed3..ed7e947 100644
+--- a/libfdt/fdt.c
++++ b/libfdt/fdt.c
+@@ -124,9 +124,15 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
+ 		lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
+ 		if (!lenp)
+ 			return FDT_END; /* premature end */
+-		/* skip-name offset, length and value */
+-		offset += sizeof(struct fdt_property) - FDT_TAGSIZE
+-			+ fdt32_to_cpu(*lenp);
++
++		/* skip-name offset, length */
++		offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
++
++		if (!fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
++			return FDT_END; /* premature end */
++
++		/* skip value */
++		offset += fdt32_to_cpu(*lenp);
+ 		break;
+ 
+ 	case FDT_END:
+@@ -138,7 +144,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
+ 		return FDT_END;
+ 	}
+ 
+-	if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
++	if (offset <= startoffset || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))
+ 		return FDT_END; /* premature end */
+ 
+ 	*nextoffset = FDT_TAGALIGN(offset);

Patches/LineageOS-16.0/android_external_dtc/345891.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pierre-Cl=C3=A9ment=20Tosi?= <ptosi@google.com>
+Date: Tue, 13 Sep 2022 16:58:15 +0100
+Subject: [PATCH] libfdt: fdt_path_offset_namelen: Reject empty paths
+
+Make empty paths result in FDT_ERR_BADPATH.
+
+Per the specification (v0.4-rc4):
+
+> The convention for specifying a device path is:
+>     /node-name-1/node-name-2/node-name-N
+>
+> The path to the root node is /.
+>
+> A unit address may be omitted if the full path to the
+> node is unambiguous.
+
+Bug: 246465319
+Test: libfdt_fuzzer  # clusterfuzz/testcase-detail/4530863420604416
+Change-Id: I14ab0a074ab994c1f598243d2d5795d2cd9a853a
+(cherry picked from commit 3c28f3e3a1724c288d19f1b1a139cf57bfe1af33)
+(cherry picked from commit d10c84c4bc78e8ebd8c6ebf70126ad3cb0ba1c46)
+Merged-In: I14ab0a074ab994c1f598243d2d5795d2cd9a853a
+---
+ libfdt/fdt_ro.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libfdt/fdt_ro.c b/libfdt/fdt_ro.c
+index 08de2cc..3b65f16 100644
+--- a/libfdt/fdt_ro.c
++++ b/libfdt/fdt_ro.c
+@@ -188,6 +188,9 @@ int fdt_path_offset_namelen(const void *fdt, const char *path, int namelen)
+ 
+ 	FDT_CHECK_HEADER(fdt);
+ 
++	if (namelen < 1)
++		return -FDT_ERR_BADPATH;
++
+ 	/* see if we have an alias */
+ 	if (*path != '/') {
+ 		const char *q = memchr(path, '/', end - p);

Patches/LineageOS-16.0/android_external_expat/338353.patch

@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Mon, 23 May 2022 22:34:43 +0000
+Subject: [PATCH] Prevent integer overflow in copyString
+
+Bug: http://b/221384482
+Change-Id: Ibdcb5dc24ee8886a04c2e29bd6ddccf29ece73ad
+(cherry picked from commit e25c84037506951dfe74a5fae1627fe22bc0ebf4)
+Merged-In: Ibdcb5dc24ee8886a04c2e29bd6ddccf29ece73ad
+---
+ lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 90a237f3..67f661b5 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7175,7 +7175,7 @@ static XML_Char *
+ copyString(const XML_Char *s,
+            const XML_Memory_Handling_Suite *memsuite)
+ {
+-    int charsRequired = 0;
++    size_t charsRequired = 0;
+     XML_Char *result;
+ 
+     /* First determine how long the string is */

Patches/LineageOS-16.0/android_external_expat/338354.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Thu, 2 Jun 2022 19:32:22 +0000
+Subject: [PATCH] Prevent XML_GetBuffer signed integer overflow
+
+Bug: http://b/221255869
+Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29
+(cherry picked from commit d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3)
+Merged-In: I38758fae8c71184f728f95e6073457cdb86bcc29
+---
+ lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 67f661b5..1d6e722d 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2040,6 +2040,11 @@ XML_GetBuffer(XML_Parser parser, int len)
+     keep = (int)(parser->m_bufferPtr - parser->m_buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
++    /* Detect and prevent integer overflow */
++    if (keep > INT_MAX - neededSize) {
++      parser->m_errorCode = XML_ERROR_NO_MEMORY;
++      return NULL;
++    }
+     neededSize += keep;
+ #endif  /* defined XML_CONTEXT_BYTES */
+     if (neededSize  <= parser->m_bufferLim - parser->m_buffer) {

Patches/LineageOS-16.0/android_external_expat/338355.patch

@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Fri, 3 Jun 2022 03:40:21 +0000
+Subject: [PATCH] Prevent integer overflow in function doProlog
+
+Bug: http://b/221256678
+Change-Id: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
+(cherry picked from commit 257f1d3777240016d3ccd74a61cd7d0e0efcaae3)
+Merged-In: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
+---
+ lib/xmlparse.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 1d6e722d..7d91ed2b 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5187,23 +5187,29 @@ doProlog(XML_Parser parser,
+       if (dtd->in_eldecl) {
+         ELEMENT_TYPE *el;
+         const XML_Char *name;
+-        int nameLen;
+-        const char *nxt = (quant == XML_CQUANT_NONE
+-                           ? next
+-                           : next - enc->minBytesPerChar);
++        size_t nameLen;
++        const char *nxt
++            = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+         int myindex = nextScaffoldPart(parser);
+         if (myindex < 0)
+           return XML_ERROR_NO_MEMORY;
+         dtd->scaffold[myindex].type = XML_CTYPE_NAME;
+         dtd->scaffold[myindex].quant = quant;
+         el = getElementType(parser, enc, s, nxt);
+-        if (!el)
++        if (! el)
+           return XML_ERROR_NO_MEMORY;
+         name = el->name;
+         dtd->scaffold[myindex].name = name;
+         nameLen = 0;
+-        for (; name[nameLen++]; );
+-        dtd->contentStringLen +=  nameLen;
++        for (; name[nameLen++];)
++          ;
++
++        /* Detect and prevent integer overflow */
++        if (nameLen > UINT_MAX - dtd->contentStringLen) {
++          return XML_ERROR_NO_MEMORY;
++        }
++
++        dtd->contentStringLen += (unsigned)nameLen;
+         if (parser->m_elementDeclHandler)
+           handleDefault = XML_FALSE;
+       }

Patches/LineageOS-16.0/android_external_expat/338356.patch

@@ -0,0 +1,247 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Wed, 15 Jun 2022 04:14:33 +0000
+Subject: [PATCH] Prevent more integer overflows
+
+Bug: http://b/219942275
+Change-Id: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
+Merged-In: Ic5c8087ee64e6faafcf013cef9536c042eb8a09d
+(cherry picked from commit 15a1f35dddde9c1a0a626972349a59642abd345a)
+Merged-In: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
+---
+ lib/xmlparse.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 150 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7d91ed2b..121b63f7 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3187,13 +3187,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+ 
+   /* get the attributes from the tokenizer */
+   n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
++
++  /* Detect and prevent integer overflow */
++  if (n > INT_MAX - nDefaultAtts) {
++    return XML_ERROR_NO_MEMORY;
++  }
++
+   if (n + nDefaultAtts > parser->m_attsSize) {
+     int oldAttsSize = parser->m_attsSize;
+     ATTRIBUTE *temp;
+ #ifdef XML_ATTR_INFO
+     XML_AttrInfo *temp2;
+ #endif
++
++    /* Detect and prevent integer overflow */
++    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
++        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
++      return XML_ERROR_NO_MEMORY;
++    }
++
+     parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
++
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
++      parser->m_attsSize = oldAttsSize;
++      return XML_ERROR_NO_MEMORY;
++    }
++#endif
++
+     temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, parser->m_attsSize * sizeof(ATTRIBUTE));
+     if (temp == NULL) {
+       parser->m_attsSize = oldAttsSize;
+@@ -3201,6 +3226,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+     }
+     parser->m_atts = temp;
+ #ifdef XML_ATTR_INFO
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#  if UINT_MAX >= SIZE_MAX
++    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
++      parser->m_attsSize = oldAttsSize;
++      return XML_ERROR_NO_MEMORY;
++    }
++#  endif
++
+     temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, parser->m_attsSize * sizeof(XML_AttrInfo));
+     if (temp2 == NULL) {
+       parser->m_attsSize = oldAttsSize;
+@@ -3509,9 +3545,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+   tagNamePtr->prefixLen = prefixLen;
+   for (i = 0; localPart[i++];)
+     ;  /* i includes null terminator */
++
++  /* Detect and prevent integer overflow */
++  if (binding->uriLen > INT_MAX - prefixLen
++      || i > INT_MAX - (binding->uriLen + prefixLen)) {
++    return XML_ERROR_NO_MEMORY;
++  }
++
+   n = i + binding->uriLen + prefixLen;
+   if (n > binding->uriAlloc) {
+     TAG *p;
++
++    /* Detect and prevent integer overflow */
++    if (n > INT_MAX - EXPAND_SPARE) {
++      return XML_ERROR_NO_MEMORY;
++    }
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++      return XML_ERROR_NO_MEMORY;
++    }
++#endif
++
+     uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
+     if (!uri)
+       return XML_ERROR_NO_MEMORY;
+@@ -3612,6 +3670,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+   if (parser->m_freeBindingList) {
+     b = parser->m_freeBindingList;
+     if (len > b->uriAlloc) {
++      /* Detect and prevent integer overflow */
++      if (len > INT_MAX - EXPAND_SPARE) {
++        return XML_ERROR_NO_MEMORY;
++      }
++
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++        return XML_ERROR_NO_MEMORY;
++      }
++#endif
++
+       XML_Char *temp = (XML_Char *)REALLOC(parser, b->uri,
+                           sizeof(XML_Char) * (len + EXPAND_SPARE));
+       if (temp == NULL)
+@@ -3625,6 +3698,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     b = (BINDING *)MALLOC(parser, sizeof(BINDING));
+     if (!b)
+       return XML_ERROR_NO_MEMORY;
++
++    /* Detect and prevent integer overflow */
++    if (len > INT_MAX - EXPAND_SPARE) {
++      return XML_ERROR_NO_MEMORY;
++    }
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++      return XML_ERROR_NO_MEMORY;
++    }
++#endif
++
+     b->uri = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
+     if (!b->uri) {
+       FREE(parser, b);
+@@ -6025,7 +6113,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+     }
+     else {
+       DEFAULT_ATTRIBUTE *temp;
++
++      /* Detect and prevent integer overflow */
++      if (type->allocDefaultAtts > INT_MAX / 2) {
++        return 0;
++      }
++
+       int count = type->allocDefaultAtts * 2;
++
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
++        return 0;
++      }
++#endif
++
+       temp = (DEFAULT_ATTRIBUTE *)
+         REALLOC(parser, type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE)));
+       if (temp == NULL)
+@@ -6700,8 +6805,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize)
+     /* check for overflow (table is half full) */
+     if (table->used >> (table->power - 1)) {
+       unsigned char newPower = table->power + 1;
++
++      /* Detect and prevent invalid shift */
++      if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
++        return NULL;
++      }
++
+       size_t newSize = (size_t)1 << newPower;
+       unsigned long newMask = (unsigned long)newSize - 1;
++
++      /* Detect and prevent integer overflow */
++      if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
++        return NULL;
++      }
++
+       size_t tsize = newSize * sizeof(NAMED *);
+       NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
+       if (!newV)
+@@ -7067,6 +7184,20 @@ nextScaffoldPart(XML_Parser parser)
+   if (dtd->scaffCount >= dtd->scaffSize) {
+     CONTENT_SCAFFOLD *temp;
+     if (dtd->scaffold) {
++      /* Detect and prevent integer overflow */
++      if (dtd->scaffSize > UINT_MAX / 2u) {
++        return -1;
++      }
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
++        return -1;
++      }
++#endif
++
+       temp = (CONTENT_SCAFFOLD *)
+         REALLOC(parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
+       if (temp == NULL)
+@@ -7143,9 +7274,26 @@ build_model (XML_Parser parser)
+   XML_Content *ret;
+   XML_Content *cpos;
+   XML_Char * str;
+-  int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+-                   + (dtd->contentStringLen * sizeof(XML_Char)));
+ 
++  /* Detect and prevent integer overflow.
++   * The preprocessor guard addresses the "always false" warning
++   * from -Wtype-limits on platforms where
++   * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++  if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
++    return NULL;
++  }
++  if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
++    return NULL;
++  }
++#endif
++  if (dtd->scaffCount * sizeof(XML_Content)
++      > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
++    return NULL;
++  }
++
++  const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
++                            + (dtd->contentStringLen * sizeof(XML_Char)));
+   ret = (XML_Content *)MALLOC(parser, allocsize);
+   if (!ret)
+     return NULL;

Patches/LineageOS-16.0/android_external_expat/349328.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Wed, 16 Nov 2022 16:31:05 +0000
+Subject: [PATCH] Fix overeager DTD destruction (fixes #649)
+
+Bug: http://b/255449293
+Test: TreeHugger
+Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
+(cherry picked from commit eb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a)
+Merged-In: I15ba529c07a6b868484bd5972be154c07cd97cc6
+---
+ lib/xmlparse.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 121b63f7..90089ab7 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1013,7 +1013,15 @@ parserCreate(const XML_Char *encodingName,
+   poolInit(&parser->m_temp2Pool, &(parser->m_mem));
+   parserInit(parser, encodingName);
+ 
+-  if (encodingName && !parser->m_protocolEncodingName) {
++  if (encodingName && ! parser->m_protocolEncodingName) {
++    if (dtd) {
++      // We need to stop the upcoming call to XML_ParserFree from happily
++      // destroying parser->m_dtd because the DTD is shared with the parent
++      // parser and the only guard that keeps XML_ParserFree from destroying
++      // parser->m_dtd is parser->m_isParamEntity but it will be set to
++      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
++      parser->m_dtd = NULL;
++    }
+     XML_ParserFree(parser);
+     return NULL;
+   }

Patches/LineageOS-16.0/android_external_zlib/351909.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Tue, 22 Nov 2022 22:00:13 +0000
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+Bug: http://b/242299736
+Test: TreeHugger
+
+Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140
+(cherry picked from commit 1c4806afd7ae034aa9f86df35d4341a0b175a90a)
+Merged-In: I4eabb3e135c1568e06b2b9740651a3ae11b21140
+---
+ src/inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/inflate.c b/src/inflate.c
+index ac333e8..cd01857 100644
+--- a/src/inflate.c
++++ b/src/inflate.c
+@@ -759,8 +759,9 @@ int flush;
+                 if (copy > have) copy = have;
+                 if (copy) {
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
++                        (len = state->head->extra_len - state->length) <
++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);

Patches/LineageOS-16.0/android_frameworks_av/344167.patch

@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Edwin Wong <edwinwong@google.com>
+Date: Tue, 21 Jun 2022 01:36:43 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE - [Fix vulnerability] setSecurityLevel in
+ clearkey
+
+Potential race condition in clearkey setSecurityLevel.
+
+POC test in http://go/ag/19083795
+
+Test: sts-tradefed run sts-dynamic-develop -m StsHostTestCases -t android.security.sts.CVE_2022_2209#testPocCVE_2022_2209
+
+Bug: 235601882
+Change-Id: I6447fb539ef0cb395772c61e6f3e1504ccde331b
+(cherry picked from commit dab37c25e3337387809fd35c7cd46abf76088b83)
+Merged-In: I6447fb539ef0cb395772c61e6f3e1504ccde331b
+---
+ drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp       | 2 ++
+ drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h | 8 +++++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+index 0737851acc..923e4d500e 100644
+--- a/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
++++ b/drm/mediadrm/plugins/clearkey/hidl/DrmPlugin.cpp
+@@ -381,6 +381,7 @@ Return<void> DrmPlugin::getSecurityLevel(const hidl_vec<uint8_t>& sessionId,
+         return Void();
+     }
+ 
++    Mutex::Autolock lock(mSecurityLevelLock);
+     std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
+             mSecurityLevel.find(sid);
+     if (itr == mSecurityLevel.end()) {
+@@ -411,6 +412,7 @@ Return<Status> DrmPlugin::setSecurityLevel(const hidl_vec<uint8_t>& sessionId,
+         return Status::ERROR_DRM_SESSION_NOT_OPENED;
+     }
+ 
++    Mutex::Autolock lock(mSecurityLevelLock);
+     std::map<std::vector<uint8_t>, SecurityLevel>::iterator itr =
+             mSecurityLevel.find(sid);
+     if (itr != mSecurityLevel.end()) {
+diff --git a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
+index 7d9650f4bf..5360623aef 100644
+--- a/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
++++ b/drm/mediadrm/plugins/clearkey/hidl/include/DrmPlugin.h
+@@ -323,7 +323,8 @@ private:
+     std::vector<KeyValue> mPlayPolicy;
+     std::map<std::string, std::string> mStringProperties;
+     std::map<std::string, std::vector<uint8_t> > mByteArrayProperties;
+-    std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel;
++    std::map<std::vector<uint8_t>, SecurityLevel> mSecurityLevel
++        GUARDED_BY(mSecurityLevelLock);
+     sp<IDrmPluginListener> mListener;
+     SessionLibrary *mSessionLibrary;
+     int64_t mOpenSessionOkCount;
+@@ -332,6 +333,11 @@ private:
+     uint32_t mNextSecureStopId;
+     android::Mutex mPlayPolicyLock;
+ 
++    DeviceFiles mFileHandle GUARDED_BY(mFileHandleLock);
++    Mutex mFileHandleLock;
++    Mutex mSecureStopLock;
++    Mutex mSecurityLevelLock;
++
+     CLEARKEY_DISALLOW_COPY_AND_ASSIGN_AND_NEW(DrmPlugin);
+ };
+ 

Patches/LineageOS-16.0/android_frameworks_av/349329.patch

@@ -0,0 +1,242 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ray Essick <essick@google.com>
+Date: Thu, 1 Dec 2022 21:02:09 -0600
+Subject: [PATCH] move MediaCodec metrics processing to looper thread
+
+consolidate to avoid concurrency/mutex problems.
+
+Bug: 256087846
+Bug: 245860753
+Test: atest CtsMediaV2TestCases
+Test: atest CtsMediaCodecTestCases
+Merged-In: Ie77f0028cab8091edd97d3a60ad4c80da3092cfe
+Merged-In: I56eceb6b12ce14348d3f9f2944968e70c6086aa8
+Merged-In: I94b0a2ac029dc0b90a93e9ed844768e9da5259b9
+Merged-In: I739248436a4801a4b9a96395f481640f2956cedf
+Change-Id: If5269d3efcd7c262020e580fe84fe89261a1af60
+(cherry picked from commit 0ccdce19f669cd628ab6d116c131efc8d15707ee)
+Merged-In: If5269d3efcd7c262020e580fe84fe89261a1af60
+---
+ media/libstagefright/MediaCodec.cpp           | 102 ++++++++++++++----
+ .../include/media/stagefright/MediaCodec.h    |   3 +
+ 2 files changed, 86 insertions(+), 19 deletions(-)
+
+diff --git a/media/libstagefright/MediaCodec.cpp b/media/libstagefright/MediaCodec.cpp
+index 353e40702f..cd1d24b06b 100644
+--- a/media/libstagefright/MediaCodec.cpp
++++ b/media/libstagefright/MediaCodec.cpp
+@@ -40,6 +40,7 @@
+ #include <media/IResourceManagerService.h>
+ #include <media/MediaCodecBuffer.h>
+ #include <media/MediaAnalyticsItem.h>
++// RBE do i need to add this? #include <media/MediaMetrics.h>         // RBE
+ #include <media/stagefright/foundation/ABuffer.h>
+ #include <media/stagefright/foundation/ADebug.h>
+ #include <media/stagefright/foundation/AMessage.h>
+@@ -546,6 +547,14 @@ MediaCodec::~MediaCodec() {
+     mResourceManagerService->removeResource(getId(mResourceManagerClient));
+ 
+     flushAnalyticsItem();
++
++    // clean up any saved AnalyticsItem stored in the configuration message
++    if (mConfigureMsg != nullptr) {
++        MediaAnalyticsItem *oldItem = nullptr;
++        if (mConfigureMsg->findPointer("metrics", (void**) &oldItem)) {
++            delete oldItem;
++        }
++    }
+ }
+ 
+ void MediaCodec::initAnalyticsItem() {
+@@ -570,6 +579,8 @@ void MediaCodec::updateAnalyticsItem() {
+         return;
+     }
+ 
++    Mutex::Autolock _lock(mMetricsLock);
++
+     if (mLatencyHist.getCount() != 0 ) {
+         mAnalyticsItem->setInt64(kCodecLatencyMax, mLatencyHist.getMax());
+         mAnalyticsItem->setInt64(kCodecLatencyMin, mLatencyHist.getMin());
+@@ -632,7 +643,10 @@ void MediaCodec::updateEphemeralAnalytics(MediaAnalyticsItem *item) {
+ }
+ 
+ void MediaCodec::flushAnalyticsItem() {
++    // update does its own mutex locking
+     updateAnalyticsItem();
++
++    Mutex::Autolock _lock(mMetricsLock);
+     if (mAnalyticsItem != NULL) {
+         // don't log empty records
+         if (mAnalyticsItem->count() > 0) {
+@@ -1018,16 +1032,22 @@ status_t MediaCodec::configure(
+         uint32_t flags) {
+     sp<AMessage> msg = new AMessage(kWhatConfigure, this);
+ 
+-    if (mAnalyticsItem != NULL) {
++    MediaAnalyticsItem *newItem = new MediaAnalyticsItem(kCodecKeyName);
++
++    if (newItem != NULL) {
+         int32_t profile = 0;
+         if (format->findInt32("profile", &profile)) {
+-            mAnalyticsItem->setInt32(kCodecProfile, profile);
++            newItem->setInt32(kCodecProfile, profile);
+         }
+         int32_t level = 0;
+         if (format->findInt32("level", &level)) {
+-            mAnalyticsItem->setInt32(kCodecLevel, level);
++            newItem->setInt32(kCodecLevel, level);
+         }
+-        mAnalyticsItem->setInt32(kCodecEncoder, (flags & CONFIGURE_FLAG_ENCODE) ? 1 : 0);
++        newItem->setInt32(kCodecEncoder, (flags & CONFIGURE_FLAG_ENCODE) ? 1 : 0);
++
++        newItem->setCString(kCodecCodec, mInitName.c_str());
++        newItem->setCString(kCodecMode, mIsVideo ? kCodecModeVideo : kCodecModeAudio);
++
+     }
+ 
+     if (mIsVideo) {
+@@ -1037,17 +1057,17 @@ status_t MediaCodec::configure(
+             mRotationDegrees = 0;
+         }
+ 
+-        if (mAnalyticsItem != NULL) {
+-            mAnalyticsItem->setInt32(kCodecWidth, mVideoWidth);
+-            mAnalyticsItem->setInt32(kCodecHeight, mVideoHeight);
+-            mAnalyticsItem->setInt32(kCodecRotation, mRotationDegrees);
++        if (newItem != NULL) {
++            newItem->setInt32(kCodecWidth, mVideoWidth);
++            newItem->setInt32(kCodecHeight, mVideoHeight);
++            newItem->setInt32(kCodecRotation, mRotationDegrees);
+             int32_t maxWidth = 0;
+             if (format->findInt32("max-width", &maxWidth)) {
+-                mAnalyticsItem->setInt32(kCodecMaxWidth, maxWidth);
++                newItem->setInt32(kCodecMaxWidth, maxWidth);
+             }
+             int32_t maxHeight = 0;
+             if (format->findInt32("max-height", &maxHeight)) {
+-                mAnalyticsItem->setInt32(kCodecMaxHeight, maxHeight);
++                newItem->setInt32(kCodecMaxHeight, maxHeight);
+             }
+         }
+ 
+@@ -1075,6 +1095,15 @@ status_t MediaCodec::configure(
+         ALOGW("Crypto or descrambler should be given for secure codec");
+     }
+ 
++    // recover space of any previous saved baseline analytics info
++    if (mConfigureMsg != nullptr) {
++        MediaAnalyticsItem *oldItem = nullptr;
++        if (mConfigureMsg->findPointer("metrics", (void **) &oldItem)) {
++            delete oldItem;
++        }
++    }
++    msg->setPointer("metrics", newItem);
++
+     // save msg for reset
+     mConfigureMsg = msg;
+ 
+@@ -1530,20 +1559,36 @@ status_t MediaCodec::getMetrics(MediaAnalyticsItem * &reply) {
+ 
+     reply = NULL;
+ 
+-    // shouldn't happen, but be safe
+-    if (mAnalyticsItem == NULL) {
+-        return UNKNOWN_ERROR;
++    sp<AMessage> msg = new AMessage(kWhatGetMetrics, this);
++    sp<AMessage> response;
++    status_t err;
++    if ((err = PostAndAwaitResponse(msg, &response)) != OK) {
++        return err;
+     }
+ 
+-    // update any in-flight data that's not carried within the record
+-    updateAnalyticsItem();
++    CHECK(response->findPointer("metrics", (void **) &reply));
+ 
+-    // send it back to the caller.
+-    reply = mAnalyticsItem->dup();
++    return OK;
++}
+ 
+-    updateEphemeralAnalytics(reply);
++// runs on the looper thread (for mutex purposes)
++void MediaCodec::onGetMetrics(const sp<AMessage>& msg) {
+ 
+-    return OK;
++    MediaAnalyticsItem *results = nullptr;
++
++    sp<AReplyToken> replyID;
++    CHECK(msg->senderAwaitsResponse(&replyID));
++
++    // RBE is it always non-null at this point?
++    if (mAnalyticsItem != nullptr) {
++        updateAnalyticsItem();
++        results = mAnalyticsItem->dup();
++        updateEphemeralAnalytics(results);
++    }
++
++    sp<AMessage> response = new AMessage;
++    response->setPointer("metrics", results);
++    response->postReply(replyID);
+ }
+ 
+ status_t MediaCodec::getInputBuffers(Vector<sp<MediaCodecBuffer> > *buffers) const {
+@@ -2381,6 +2426,13 @@ void MediaCodec::onMessageReceived(const sp<AMessage> &msg) {
+             break;
+         }
+ 
++        case kWhatGetMetrics:
++        {
++            onGetMetrics(msg);
++            break;
++        }
++
++
+         case kWhatConfigure:
+         {
+             sp<AReplyToken> replyID;
+@@ -2397,6 +2449,18 @@ void MediaCodec::onMessageReceived(const sp<AMessage> &msg) {
+             sp<AMessage> format;
+             CHECK(msg->findMessage("format", &format));
+ 
++            // start with a copy of the passed metrics info for use in this run
++            MediaAnalyticsItem *handle;
++            CHECK(msg->findPointer("metrics", (void **) &handle));
++            if (handle != nullptr) {
++                if (mAnalyticsItem != nullptr) {
++                    flushAnalyticsItem();
++                }
++                mAnalyticsItem = handle->dup();
++                // and set some additional metrics values
++                initAnalyticsItem();
++            }
++
+             int32_t push;
+             if (msg->findInt32("push-blank-buffers-on-shutdown", &push) && push != 0) {
+                 mFlags |= kFlagPushBlankBuffersOnShutdown;
+diff --git a/media/libstagefright/include/media/stagefright/MediaCodec.h b/media/libstagefright/include/media/stagefright/MediaCodec.h
+index 7f6aae6281..b9f5c0b239 100644
+--- a/media/libstagefright/include/media/stagefright/MediaCodec.h
++++ b/media/libstagefright/include/media/stagefright/MediaCodec.h
+@@ -257,6 +257,7 @@ private:
+         kWhatSetCallback                    = 'setC',
+         kWhatSetNotification                = 'setN',
+         kWhatDrmReleaseCrypto               = 'rDrm',
++        kWhatGetMetrics                     = 'getM',
+     };
+ 
+     enum {
+@@ -320,11 +321,13 @@ private:
+     sp<Surface> mSurface;
+     SoftwareRenderer *mSoftRenderer;
+ 
++    Mutex mMetricsLock;
+     MediaAnalyticsItem *mAnalyticsItem;
+     void initAnalyticsItem();
+     void updateAnalyticsItem();
+     void flushAnalyticsItem();
+     void updateEphemeralAnalytics(MediaAnalyticsItem *item);
++    void onGetMetrics(const sp<AMessage>& msg);
+ 
+     sp<AMessage> mOutputFormat;
+     sp<AMessage> mInputFormat;

Patches/LineageOS-16.0/android_frameworks_av/359729.patch

@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ray Essick <essick@google.com>
+Date: Mon, 27 Mar 2023 18:16:46 -0500
+Subject: [PATCH] Fix NuMediaExtractor::readSampleData buffer Handling
+
+readSampleData() did not initialize buffer before filling it,
+leading to OOB memory references. Correct and clarify the book
+keeping around output buffer management.
+
+Bug: 275418191
+Test: CtsMediaExtractorTestCases w/debug messages
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:943fc12219b21d2a98f0ddc070b9b316a6f5d412)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:84c69bca81175feb2fd97ebb22e432ee41572786)
+Merged-In: Ie744f118526f100d82a312c64f7c6fcf20773b6d
+Change-Id: Ie744f118526f100d82a312c64f7c6fcf20773b6d
+---
+ media/libstagefright/NuMediaExtractor.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/media/libstagefright/NuMediaExtractor.cpp b/media/libstagefright/NuMediaExtractor.cpp
+index 4a7d6ca7ad..90ddcb81c3 100644
+--- a/media/libstagefright/NuMediaExtractor.cpp
++++ b/media/libstagefright/NuMediaExtractor.cpp
+@@ -607,9 +607,11 @@ status_t NuMediaExtractor::appendVorbisNumPageSamples(
+         numPageSamples = -1;
+     }
+ 
++    // insert, including accounting for the space used.
+     memcpy((uint8_t *)buffer->data() + mbuf->range_length(),
+            &numPageSamples,
+            sizeof(numPageSamples));
++    buffer->setRange(buffer->offset(), buffer->size() + sizeof(numPageSamples));
+ 
+     uint32_t type;
+     const void *data;
+@@ -658,6 +660,8 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
+ 
+     ssize_t minIndex = fetchAllTrackSamples();
+ 
++    buffer->setRange(0, 0);     // start with an empty buffer
++
+     if (minIndex < 0) {
+         return ERROR_END_OF_STREAM;
+     }
+@@ -673,25 +677,25 @@ status_t NuMediaExtractor::readSampleData(const sp<ABuffer> &buffer) {
+         sampleSize += sizeof(int32_t);
+     }
+ 
++    // capacity() is ok since we cleared out the buffer
+     if (buffer->capacity() < sampleSize) {
+         return -ENOMEM;
+     }
+ 
++    const size_t srclen = it->mBuffer->range_length();
+     const uint8_t *src =
+         (const uint8_t *)it->mBuffer->data()
+             + it->mBuffer->range_offset();
+ 
+-    memcpy((uint8_t *)buffer->data(), src, it->mBuffer->range_length());
++    memcpy((uint8_t *)buffer->data(), src, srclen);
++    buffer->setRange(0, srclen);
+ 
+     status_t err = OK;
+     if (info->mTrackFlags & kIsVorbis) {
++        // adjusts range when it inserts the extra bits
+         err = appendVorbisNumPageSamples(it->mBuffer, buffer);
+     }
+ 
+-    if (err == OK) {
+-        buffer->setRange(0, sampleSize);
+-    }
+-
+     return err;
+ }
+ 

Patches/LineageOS-16.0/android_frameworks_av/366126.patch

@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shruti Bihani <shrutibihani@google.com>
+Date: Thu, 6 Jul 2023 08:41:56 +0000
+Subject: [PATCH] Fix Segv on unknown address error flagged by fuzzer test.
+
+The error is thrown when the destructor tries to free pointer memory.
+This is happening for cases where the pointer was not initialized. Initializing it to a default value fixes the error.
+
+Bug: 245135112
+Test: Build mtp_host_property_fuzzer and run on the target device
+(cherry picked from commit 3afa6e80e8568fe63f893fa354bc79ef91d3dcc0)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d44311374e41a26b28db56794c9a7890a13a6972)
+Merged-In: I255cd68b7641e96ac47ab81479b9b46b78c15580
+Change-Id: I255cd68b7641e96ac47ab81479b9b46b78c15580
+---
+ media/mtp/MtpProperty.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/media/mtp/MtpProperty.h b/media/mtp/MtpProperty.h
+index bfd5f7f59a..1eb8874af1 100644
+--- a/media/mtp/MtpProperty.h
++++ b/media/mtp/MtpProperty.h
+@@ -26,6 +26,9 @@ namespace android {
+ class MtpDataPacket;
+ 
+ struct MtpPropertyValue {
++    // pointer str initialized to NULL so that free operation
++    // is not called for pre-assigned value
++    MtpPropertyValue() : str (NULL) {}
+     union {
+         int8_t          i8;
+         uint8_t         u8;

Patches/LineageOS-16.0/android_frameworks_av/374924.patch

@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shruti Bihani <shrutibihani@google.com>
+Date: Mon, 10 Jul 2023 08:53:42 +0000
+Subject: [PATCH] Fix for heap buffer overflow issue flagged by fuzzer test.
+
+OOB write occurs when a value is assigned to a buffer index which is greater than the buffer size. Adding a check on buffer bounds fixes the issue.
+
+Similar checks have been added wherever applicable on other such methods of the class.
+
+Bug: 243463593
+Test: Build mtp_packet_fuzzer and run on the target device
+(cherry picked from commit a669e34bb8e6f0f7b5d7a35144bd342271a24712)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1401a723899766632363129265b30d433ac69c44)
+Merged-In: Icd0f2307803a1a35e655bc08d9d4cca5e2b58a9b
+Change-Id: Icd0f2307803a1a35e655bc08d9d4cca5e2b58a9b
+---
+ media/mtp/MtpPacket.cpp | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
+index 3dd4248e4c..917967cf17 100644
+--- a/media/mtp/MtpPacket.cpp
++++ b/media/mtp/MtpPacket.cpp
+@@ -92,24 +92,46 @@ void MtpPacket::copyFrom(const MtpPacket& src) {
+ }
+ 
+ uint16_t MtpPacket::getUInt16(int offset) const {
+-    return ((uint16_t)mBuffer[offset + 1] << 8) | (uint16_t)mBuffer[offset];
++    if ((unsigned long)(offset+2) <= mBufferSize) {
++        return ((uint16_t)mBuffer[offset + 1] << 8) | (uint16_t)mBuffer[offset];
++    }
++    else {
++        ALOGE("offset for buffer read is greater than buffer size!");
++        abort();
++    }
+ }
+ 
+ uint32_t MtpPacket::getUInt32(int offset) const {
+-    return ((uint32_t)mBuffer[offset + 3] << 24) | ((uint32_t)mBuffer[offset + 2] << 16) |
+-           ((uint32_t)mBuffer[offset + 1] << 8)  | (uint32_t)mBuffer[offset];
++    if ((unsigned long)(offset+4) <= mBufferSize) {
++        return ((uint32_t)mBuffer[offset + 3] << 24) | ((uint32_t)mBuffer[offset + 2] << 16) |
++               ((uint32_t)mBuffer[offset + 1] << 8)  | (uint32_t)mBuffer[offset];
++    }
++    else {
++        ALOGE("offset for buffer read is greater than buffer size!");
++        abort();
++    }
+ }
+ 
+ void MtpPacket::putUInt16(int offset, uint16_t value) {
+-    mBuffer[offset++] = (uint8_t)(value & 0xFF);
+-    mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);
++    if ((unsigned long)(offset+2) <= mBufferSize) {
++        mBuffer[offset++] = (uint8_t)(value & 0xFF);
++        mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);
++    }
++    else {
++        ALOGE("offset for buffer write is greater than buffer size!");
++    }
+ }
+ 
+ void MtpPacket::putUInt32(int offset, uint32_t value) {
+-    mBuffer[offset++] = (uint8_t)(value & 0xFF);
+-    mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);
+-    mBuffer[offset++] = (uint8_t)((value >> 16) & 0xFF);
+-    mBuffer[offset++] = (uint8_t)((value >> 24) & 0xFF);
++    if ((unsigned long)(offset+4) <= mBufferSize) {
++        mBuffer[offset++] = (uint8_t)(value & 0xFF);
++        mBuffer[offset++] = (uint8_t)((value >> 8) & 0xFF);
++        mBuffer[offset++] = (uint8_t)((value >> 16) & 0xFF);
++        mBuffer[offset++] = (uint8_t)((value >> 24) & 0xFF);
++    }
++    else {
++        ALOGE("offset for buffer write is greater than buffer size!");
++    }
+ }
+ 
+ uint16_t MtpPacket::getContainerCode() const {

Patches/LineageOS-16.0/android_frameworks_av/377765.patch

@@ -0,0 +1,106 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Toni Heidenreich <tonihei@google.com>
+Date: Wed, 6 Sep 2023 12:49:33 +0000
+Subject: [PATCH] httplive: fix use-after-free
+
+Implement a mutex to ensure secure multi-threaded
+access to the KeyedVector in MetaDataBase.
+Concurrent access by different threads can lead
+to accessing the wrong memory location due to
+potential changes in the vector
+
+Bug: 298057702
+Test: HTTP Live Streaming test
+(cherry picked from https://partner-android-review.googlesource.com/q/commit:a2dfb31957a9d5358d0219a0eda7dcb5b0fff5fe)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90fb4ca425444429ada6ce0de1c13d35829bc196)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3c1d9613ef64e01d2e81c4aa44c90dcd8ca958b9)
+Merged-In: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
+Change-Id: I46b05c85d9c39f4ce549efc160c08a0646c9fd0a
+
+Change-Id: Ibad99da2ee0d9259844c32f954e6db290043e45b
+---
+ media/libmediaextractor/MetaDataBase.cpp | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/media/libmediaextractor/MetaDataBase.cpp b/media/libmediaextractor/MetaDataBase.cpp
+index bfea6f1537..a3c623e354 100644
+--- a/media/libmediaextractor/MetaDataBase.cpp
++++ b/media/libmediaextractor/MetaDataBase.cpp
+@@ -24,6 +24,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
++#include <mutex>
++
+ #include <media/stagefright/foundation/ADebug.h>
+ #include <media/stagefright/foundation/AString.h>
+ #include <media/stagefright/foundation/hexdump.h>
+@@ -75,6 +77,7 @@ struct MetaDataBase::Rect {
+ 
+ 
+ struct MetaDataBase::MetaDataInternal {
++    std::mutex mLock;
+     KeyedVector<uint32_t, MetaDataBase::typed_data> mItems;
+ };
+ 
+@@ -99,10 +102,12 @@ MetaDataBase::~MetaDataBase() {
+ }
+ 
+ void MetaDataBase::clear() {
++    std::lock_guard<std::mutex> guard(mInternalData->mLock);
+     mInternalData->mItems.clear();
+ }
+ 
+ bool MetaDataBase::remove(uint32_t key) {
++    std::lock_guard<std::mutex> guard(mInternalData->mLock);
+     ssize_t i = mInternalData->mItems.indexOfKey(key);
+ 
+     if (i < 0) {
+@@ -249,6 +254,7 @@ bool MetaDataBase::setData(
+         uint32_t key, uint32_t type, const void *data, size_t size) {
+     bool overwrote_existing = true;
+ 
++    std::lock_guard<std::mutex> guard(mInternalData->mLock);
+     ssize_t i = mInternalData->mItems.indexOfKey(key);
+     if (i < 0) {
+         typed_data item;
+@@ -266,6 +272,7 @@ bool MetaDataBase::setData(
+ 
+ bool MetaDataBase::findData(uint32_t key, uint32_t *type,
+                         const void **data, size_t *size) const {
++    std::lock_guard<std::mutex> guard(mInternalData->mLock);
+     ssize_t i = mInternalData->mItems.indexOfKey(key);
+ 
+     if (i < 0) {
+@@ -280,6 +287,7 @@ bool MetaDataBase::findData(uint32_t key, uint32_t *type,
+ }
+ 
+ bool MetaDataBase::hasData(uint32_t key) const {
++    std::lock_guard<std::mutex> guard(mInternalData->mLock);
+     ssize_t i = mInternalData->mItems.indexOfKey(key);
+ 
+     if (i < 0) {
+@@ -426,6 +434,7 @@ static void MakeFourCCString(uint32_t x, char *s) {
+ 
+ String8 MetaDataBase::toString() const {
+     String8 s;
++    std::lock_guard<std::mutex> guard(mInternalData->mLock);
+     for (int i = mInternalData->mItems.size(); --i >= 0;) {
+         int32_t key = mInternalData->mItems.keyAt(i);
+         char cc[5];
+@@ -440,6 +449,7 @@ String8 MetaDataBase::toString() const {
+ }
+ 
+ void MetaDataBase::dumpToLog() const {
++    std::lock_guard<std::mutex> guard(mInternalData->mLock);
+     for (int i = mInternalData->mItems.size(); --i >= 0;) {
+         int32_t key = mInternalData->mItems.keyAt(i);
+         char cc[5];
+@@ -451,6 +461,7 @@ void MetaDataBase::dumpToLog() const {
+ 
+ status_t MetaDataBase::writeToParcel(Parcel &parcel) {
+     status_t ret;
++    std::lock_guard<std::mutex> guard(mInternalData->mLock);
+     size_t numItems = mInternalData->mItems.size();
+     ret = parcel.writeUint32(uint32_t(numItems));
+     if (ret) {

Patches/LineageOS-16.0/android_frameworks_av/379788.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Songyue Han <songyueh@google.com>
+Date: Tue, 3 Oct 2023 22:40:14 +0000
+Subject: [PATCH] Fix convertYUV420Planar16ToY410 overflow issue for
+ unsupported cropwidth.
+
+Bug: 300476626
+Test: color_conversion_fuzzer
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:de2ad0fad97d6d97d1e01f0e8d8309536eb268b4)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:745ab99f7343bc236b88b9d63cd7b06ab192f9e9)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aa8298ec8eb903e1e3dd915fa24f32e1aea1f76c)
+Merged-In: I8631426188af3c5f9b6c1ff6a0039254c252f733
+Change-Id: I8631426188af3c5f9b6c1ff6a0039254c252f733
+---
+ media/libstagefright/colorconversion/ColorConverter.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/colorconversion/ColorConverter.cpp b/media/libstagefright/colorconversion/ColorConverter.cpp
+index a1873bc5c4..94356b0b0c 100644
+--- a/media/libstagefright/colorconversion/ColorConverter.cpp
++++ b/media/libstagefright/colorconversion/ColorConverter.cpp
+@@ -592,7 +592,8 @@ status_t ColorConverter::convertYUV420Planar16ToY410(
+ 
+         uint32_t u01, v01, y01, y23, y45, y67, uv0, uv1;
+         size_t x = 0;
+-        for (; x < src.cropWidth() - 3; x += 4) {
++        // x % 4 is always 0 so x + 3 will never overflow.
++        for (; x + 3 < src.cropWidth(); x += 4) {
+             u01 = *((uint32_t*)ptr_u); ptr_u += 2;
+             v01 = *((uint32_t*)ptr_v); ptr_v += 2;
+ 

Patches/LineageOS-16.0/android_frameworks_av/383562.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ashish Kumar Gupta <kumarashishg@google.com>
+Date: Tue, 21 Nov 2023 08:48:43 +0530
+Subject: [PATCH] Update mtp packet buffer
+
+Currently, the buffer size is not changed when the packet size is increased. Ideally, the buffer size should be larger than the packet size. In our case, when the packet size is increased, we must reallocate the buffer of MTP packet.
+
+Bug: 300007708
+Test: build and flash the device. Check MTP works
+Test: run fuzzer locally
+(cherry picked from commit e1494a2d8e7eee25d7ea5469be43740e97294c99)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5c0f99beb6fa5ff920caf5b0d06aaebc8e9eab24)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:edf60c63243903b9f27f58f4954c599470d011fd)
+Merged-In: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
+Change-Id: I98398a9e15962e6d5f08445ee7b17f5d61a3a528
+---
+ media/mtp/MtpPacket.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/media/mtp/MtpPacket.cpp b/media/mtp/MtpPacket.cpp
+index 917967cf17..d7567141d6 100644
+--- a/media/mtp/MtpPacket.cpp
++++ b/media/mtp/MtpPacket.cpp
+@@ -168,8 +168,10 @@ void MtpPacket::setParameter(int index, uint32_t value) {
+         return;
+     }
+     int offset = MTP_CONTAINER_PARAMETER_OFFSET + (index - 1) * sizeof(uint32_t);
+-    if (mPacketSize < offset + sizeof(uint32_t))
++    if (mPacketSize < offset + sizeof(uint32_t)) {
+         mPacketSize = offset + sizeof(uint32_t);
++        allocate(mPacketSize);
++    }
+     putUInt32(offset, value);
+ }
+ 

Patches/LineageOS-16.0/android_frameworks_av/385670.patch

@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Haripriya Deshmukh <haripriya.deshmukh@ittiam.com>
+Date: Tue, 19 Sep 2023 20:42:45 +0000
+Subject: [PATCH] Validate OMX Params for VPx encoders
+
+Bug: 273936274
+Bug: 273937171
+Bug: 273937136
+Bug: 273936553
+Bug: 273936601
+Test: POC in bug descriptions
+(cherry picked from https://partner-android-review.googlesource.com/q/commit:022086b76536cd2e19a44053271190bdf6e181f7)
+(cherry picked from commit 0e4ca1cb5c16af8f1dfb0ae41941c16c104d38e8)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:90641b2799fd3940cdf0bf8a73b2f76839e651a6)
+Merged-In: I9bb17112d9f0217b6af0343afecc9c943453b757
+Change-Id: I9bb17112d9f0217b6af0343afecc9c943453b757
+---
+ media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp | 10 ++++++++++
+ media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp | 10 ++++++++++
+ media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp |  9 +++++++++
+ 3 files changed, 29 insertions(+)
+
+diff --git a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp
+index 04737a9ccf..9198b7c327 100644
+--- a/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp
++++ b/media/libstagefright/codecs/on2/enc/SoftVP8Encoder.cpp
+@@ -120,6 +120,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalSetParameter(OMX_INDEXTYPE index,
+ 
+ OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params(
+         OMX_VIDEO_PARAM_VP8TYPE* vp8Params) {
++    if (!isValidOMXParam(vp8Params)) {
++        android_errorWriteLog(0x534e4554, "273936274");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vp8Params->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP8Encoder::internalGetVp8Params(
+ 
+ OMX_ERRORTYPE SoftVP8Encoder::internalSetVp8Params(
+         const OMX_VIDEO_PARAM_VP8TYPE* vp8Params) {
++    if (!isValidOMXParam(vp8Params)) {
++        android_errorWriteLog(0x534e4554, "273937171");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vp8Params->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+diff --git a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp
+index 1ea1c85f76..f8495c2da4 100644
+--- a/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp
++++ b/media/libstagefright/codecs/on2/enc/SoftVP9Encoder.cpp
+@@ -119,6 +119,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalSetParameter(
+ 
+ OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params(
+         OMX_VIDEO_PARAM_VP9TYPE *vp9Params) {
++    if (!isValidOMXParam(vp9Params)) {
++        android_errorWriteLog(0x534e4554, "273936553");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vp9Params->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+@@ -133,6 +138,11 @@ OMX_ERRORTYPE SoftVP9Encoder::internalGetVp9Params(
+ 
+ OMX_ERRORTYPE SoftVP9Encoder::internalSetVp9Params(
+         const OMX_VIDEO_PARAM_VP9TYPE *vp9Params) {
++    if (!isValidOMXParam(vp9Params)) {
++        android_errorWriteLog(0x534e4554, "273937136");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vp9Params->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+diff --git a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
+index f6257b1556..173bbe37d6 100644
+--- a/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
++++ b/media/libstagefright/codecs/on2/enc/SoftVPXEncoder.cpp
+@@ -484,6 +484,11 @@ OMX_ERRORTYPE SoftVPXEncoder::internalSetBitrateParams(
+ 
+ OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams(
+         OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) {
++    if (!isValidOMXParam(vpxAndroidParams)) {
++        android_errorWriteLog(0x534e4554, "273936601");
++        return OMX_ErrorBadParameter;
++    }
++
+     if (vpxAndroidParams->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }
+@@ -500,6 +505,10 @@ OMX_ERRORTYPE SoftVPXEncoder::internalGetAndroidVpxParams(
+ 
+ OMX_ERRORTYPE SoftVPXEncoder::internalSetAndroidVpxParams(
+         const OMX_VIDEO_PARAM_ANDROID_VP8ENCODERTYPE *vpxAndroidParams) {
++    if (!isValidOMXParam(vpxAndroidParams)) {
++        android_errorWriteLog(0x534e4554, "273937551");
++        return OMX_ErrorBadParameter;
++    }
+     if (vpxAndroidParams->nPortIndex != kOutputPortIndex) {
+         return OMX_ErrorUnsupportedIndex;
+     }

Patches/LineageOS-16.0/android_frameworks_av/385671.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Haripriya Deshmukh <haripriya.deshmukh@ittiam.com>
+Date: Tue, 5 Dec 2023 18:32:38 +0000
+Subject: [PATCH] Fix out of bounds read and write in onQueueFilled in outQueue
+
+Bug: 276442130
+Test: POC in bug descriptions
+(cherry picked from https://partner-android-review.googlesource.com/q/commit:7aef41e59412e2f95bab5de7e33f5f04bb808643)
+(cherry picked from commit 8f4cfda9fc75f1e9ba3b6dee3fbffda4b6111d64)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:208e430bc6380fafafca8041b239f835263a9d47)
+Merged-In: Ic230d10048193a785f185dc6a7de6f455f9318c1
+Change-Id: Ic230d10048193a785f185dc6a7de6f455f9318c1
+---
+ media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+index fda70280a7..b78ac4325a 100644
+--- a/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
++++ b/media/libstagefright/codecs/m4v_h263/dec/SoftMPEG4.cpp
+@@ -308,8 +308,11 @@ void SoftMPEG4::onQueueFilled(OMX_U32 /* portIndex */) {
+         outHeader->nFilledLen = frameSize;
+ 
+         List<BufferInfo *>::iterator it = outQueue.begin();
+-        while ((*it)->mHeader != outHeader) {
+-            ++it;
++        while (it != outQueue.end() && (*it)->mHeader != outHeader) {
++             ++it;
++        }
++        if (it == outQueue.end()) {
++            return;
+         }
+ 
+         BufferInfo *outInfo = *it;

Patches/LineageOS-16.0/android_frameworks_base/330961.patch

@@ -0,0 +1,146 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Matt Pietal <mpietal@google.com>
+Date: Fri, 1 Oct 2021 11:03:16 -0400
+Subject: [PATCH] Keyguard - Treat messsages to lock with priority
+
+When switching users and attempting to lock the device, the sysui main
+thread becomes overwhelmed with events, creating a significant lag
+between the time a message is posted and processed on the main
+thread. This can be dangerous when these events are critical for
+security, such as calls coming from PhoneWindowManager#lockNow() that
+call KeyguardViewMediator#doKeyguardTimeout(). On older devices with
+slower CPUs and less memory, the delay in processing can be
+significant (15 - 30s).
+
+The result of not prioritizing these events leads to a window of time
+where a guest user can switch back to the owner, and gain access to
+the owner's homescreen without needing to unlock the device with the
+owner's credentials.
+
+As a mitigation, prioritize two events originating in two specific
+methods to make sure the device locks as soon as possible as well as
+have the system server preemptively update its local cache.
+
+Bug: 151095871
+Test: Very manual race condition - follow steps listed in bug
+Change-Id: I7585a0a5eeb308e0e32a4f77f581556d883b5cda
+Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda
+(cherry picked from commit 28c53ab8bca26af58b45625c1ebba8b9051c107d)
+(cherry picked from commit 563fdf4259d0e28fd960acbb63431e146707d11b)
+Merged-In: I7585a0a5eeb308e0e32a4f77f581556d883b5cda
+---
+ .../internal/policy/IKeyguardStateCallback.aidl  |  2 +-
+ .../systemui/keyguard/KeyguardViewMediator.java  | 16 +++++++++++-----
+ .../policy/keyguard/KeyguardServiceWrapper.java  |  6 ++++++
+ .../policy/keyguard/KeyguardStateMonitor.java    |  8 +++++++-
+ 4 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl b/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl
+index 8e454db4cb04..a8003a1169e9 100644
+--- a/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl
++++ b/core/java/com/android/internal/policy/IKeyguardStateCallback.aidl
+@@ -16,7 +16,7 @@
+ package com.android.internal.policy;
+ 
+ interface IKeyguardStateCallback {
+-    void onShowingStateChanged(boolean showing);
++    void onShowingStateChanged(boolean showing, int userId);
+     void onSimSecureStateChanged(boolean simSecure);
+     void onInputRestrictedStateChanged(boolean inputRestricted);
+     void onTrustedChanged(boolean trusted);
+diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+index 305370d5964b..bac481c8e478 100644
+--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
++++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+@@ -1291,7 +1291,9 @@ public class KeyguardViewMediator extends SystemUI {
+     public void doKeyguardTimeout(Bundle options) {
+         mHandler.removeMessages(KEYGUARD_TIMEOUT);
+         Message msg = mHandler.obtainMessage(KEYGUARD_TIMEOUT, options);
+-        mHandler.sendMessage(msg);
++        // Treat these messages with priority - A call to timeout means the device should lock
++        // as soon as possible and not wait for other messages on the thread to process first.
++        mHandler.sendMessageAtFrontOfQueue(msg);
+     }
+ 
+     /**
+@@ -1488,12 +1490,15 @@ public class KeyguardViewMediator extends SystemUI {
+      * @see #handleShow
+      */
+     private void showLocked(Bundle options) {
+-        Trace.beginSection("KeyguardViewMediator#showLocked aqcuiring mShowKeyguardWakeLock");
++        Trace.beginSection("KeyguardViewMediator#showLocked acquiring mShowKeyguardWakeLock");
+         if (DEBUG) Log.d(TAG, "showLocked");
+         // ensure we stay awake until we are finished displaying the keyguard
+         mShowKeyguardWakeLock.acquire();
+         Message msg = mHandler.obtainMessage(SHOW, options);
+-        mHandler.sendMessage(msg);
++        // Treat these messages with priority - This call can originate from #doKeyguardTimeout,
++        // meaning the device should lock as soon as possible and not wait for other messages on
++        // the thread to process first.
++        mHandler.sendMessageAtFrontOfQueue(msg);
+         Trace.endSection();
+     }
+ 
+@@ -1652,6 +1657,7 @@ public class KeyguardViewMediator extends SystemUI {
+                 case KEYGUARD_TIMEOUT:
+                     synchronized (KeyguardViewMediator.this) {
+                         doKeyguardLocked((Bundle) msg.obj);
++                        notifyDefaultDisplayCallbacks(mShowing);
+                     }
+                     break;
+                 case DISMISS:
+@@ -2213,7 +2219,7 @@ public class KeyguardViewMediator extends SystemUI {
+         for (int i = size - 1; i >= 0; i--) {
+             IKeyguardStateCallback callback = mKeyguardStateCallbacks.get(i);
+             try {
+-                callback.onShowingStateChanged(showing);
++                callback.onShowingStateChanged(showing, KeyguardUpdateMonitor.getCurrentUser());
+             } catch (RemoteException e) {
+                 Slog.w(TAG, "Failed to call onShowingStateChanged", e);
+                 if (e instanceof DeadObjectException) {
+@@ -2261,7 +2267,7 @@ public class KeyguardViewMediator extends SystemUI {
+             mKeyguardStateCallbacks.add(callback);
+             try {
+                 callback.onSimSecureStateChanged(mUpdateMonitor.isSimPinSecure());
+-                callback.onShowingStateChanged(mShowing);
++                callback.onShowingStateChanged(mShowing, KeyguardUpdateMonitor.getCurrentUser());
+                 callback.onInputRestrictedStateChanged(mInputRestricted);
+                 callback.onTrustedChanged(mUpdateMonitor.getUserHasTrust(
+                         KeyguardUpdateMonitor.getCurrentUser()));
+diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java b/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java
+index 4e848686254a..cf5c587e0494 100644
+--- a/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java
++++ b/services/core/java/com/android/server/policy/keyguard/KeyguardServiceWrapper.java
+@@ -192,6 +192,12 @@ public class KeyguardServiceWrapper implements IKeyguardService {
+ 
+     @Override // Binder interface
+     public void doKeyguardTimeout(Bundle options) {
++        int userId = mKeyguardStateMonitor.getCurrentUser();
++        if (mKeyguardStateMonitor.isSecure(userId)) {
++            // Preemptively inform the cache that the keyguard will soon be showing, as calls to
++            // doKeyguardTimeout are a signal to lock the device as soon as possible.
++            mKeyguardStateMonitor.onShowingStateChanged(true, userId);
++        }
+         try {
+             mService.doKeyguardTimeout(options);
+         } catch (RemoteException e) {
+diff --git a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
+index dbf96aa9eee6..c49c31d2ce07 100644
+--- a/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
++++ b/services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java
+@@ -92,8 +92,14 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub {
+         return mHasLockscreenWallpaper;
+     }
+ 
++    public int getCurrentUser() {
++        return mCurrentUserId;
++    }
++
+     @Override // Binder interface
+-    public void onShowingStateChanged(boolean showing) {
++    public void onShowingStateChanged(boolean showing, int userId) {
++        if (userId != mCurrentUserId) return;
++
+         mIsShowing = showing;
+ 
+         mCallback.onShowingChanged();

Patches/LineageOS-16.0/android_frameworks_base/330962.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 3 Mar 2022 18:24:37 +0000
+Subject: [PATCH] Verify caller before auto granting slice permission
+
+Currently SliceManagerService#checkSlicePermission does not verify the
+caller's identity. This leads to a security vulnerability because
+checkSlicePermission does more than checking the permission as opposed
+to simply return a boolean value -- it additionally grants slice access
+under a certain condition. A malicious app can spoof the calling package
+to acquire slice access.
+
+This CL verifies the caller before granting slice access.
+
+Bug: 208232850, 179699767
+Test: manual
+Change-Id: I2539c9ff5ea977c91bb58185c95280b4d533a520
+Merged-In: I2539c9ff5ea977c91bb58185c95280b4d533a520
+(cherry picked from commit 5bd2196c537ae42a5c1626bdc23c3c6db41fb97f)
+(cherry picked from commit 3c92d74d7d74e1d781ae1b071da97b3b2cbc6be9)
+Merged-In: I2539c9ff5ea977c91bb58185c95280b4d533a520
+---
+ .../core/java/com/android/server/slice/SliceManagerService.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/services/core/java/com/android/server/slice/SliceManagerService.java b/services/core/java/com/android/server/slice/SliceManagerService.java
+index f5947ee35ea4..158e6a59ac48 100644
+--- a/services/core/java/com/android/server/slice/SliceManagerService.java
++++ b/services/core/java/com/android/server/slice/SliceManagerService.java
+@@ -239,6 +239,8 @@ public class SliceManagerService extends ISliceManager.Stub {
+         if (autoGrantPermissions != null) {
+             // Need to own the Uri to call in with permissions to grant.
+             enforceOwner(pkg, uri, userId);
++            // b/208232850: Needs to verify caller before granting slice access
++            verifyCaller(pkg);
+             for (String perm : autoGrantPermissions) {
+                 if (mContext.checkPermission(perm, pid, uid) == PERMISSION_GRANTED) {
+                     int providerUser = ContentProvider.getUserIdFromUri(uri, userId);

Patches/LineageOS-16.0/android_frameworks_base/330963.patch

@@ -0,0 +1,88 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Buynytskyy <alexbuy@google.com>
+Date: Thu, 24 Feb 2022 21:40:13 -0800
+Subject: [PATCH] Always restart apps if base.apk gets updated.
+
+Bug: 219044664
+Fixes: 219044664
+Test: atest PackageManagerShellCommandTest
+Change-Id: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
+Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
+(cherry picked from commit a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2)
+Merged-In: I27a0c5009b2d5f1ea51618b9acfa1e6ccee71296
+---
+ .../android/content/pm/IPackageInstallerSession.aidl |  2 ++
+ core/java/android/content/pm/PackageInstaller.java   | 12 ++++++++++++
+ .../android/server/pm/PackageInstallerSession.java   | 11 +++++++++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/core/java/android/content/pm/IPackageInstallerSession.aidl b/core/java/android/content/pm/IPackageInstallerSession.aidl
+index 8fddb99b35a8..4d91bdf93f16 100644
+--- a/core/java/android/content/pm/IPackageInstallerSession.aidl
++++ b/core/java/android/content/pm/IPackageInstallerSession.aidl
+@@ -38,4 +38,6 @@ interface IPackageInstallerSession {
+     void commit(in IntentSender statusReceiver, boolean forTransferred);
+     void transfer(in String packageName);
+     void abandon();
++
++    int getInstallFlags();
+ }
+diff --git a/core/java/android/content/pm/PackageInstaller.java b/core/java/android/content/pm/PackageInstaller.java
+index b51fa6fc2b29..0d7ca9043ccd 100644
+--- a/core/java/android/content/pm/PackageInstaller.java
++++ b/core/java/android/content/pm/PackageInstaller.java
+@@ -1059,6 +1059,18 @@ public class PackageInstaller {
+                 throw e.rethrowFromSystemServer();
+             }
+         }
++
++        /**
++         * @return Session's {@link SessionParams#installFlags}.
++         * @hide
++         */
++        public int getInstallFlags() {
++            try {
++                return mSession.getInstallFlags();
++            } catch (RemoteException e) {
++                throw e.rethrowFromSystemServer();
++            }
++        }
+     }
+ 
+     /**
+diff --git a/services/core/java/com/android/server/pm/PackageInstallerSession.java b/services/core/java/com/android/server/pm/PackageInstallerSession.java
+index edada326ee12..e6ec80ae1b76 100644
+--- a/services/core/java/com/android/server/pm/PackageInstallerSession.java
++++ b/services/core/java/com/android/server/pm/PackageInstallerSession.java
+@@ -83,6 +83,7 @@ import android.system.OsConstants;
+ import android.system.StructStat;
+ import android.text.TextUtils;
+ import android.util.ArraySet;
++import android.util.EventLog;
+ import android.util.ExceptionUtils;
+ import android.util.MathUtils;
+ import android.util.Slog;
+@@ -1285,6 +1286,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
+                 if (baseDexMetadataFile != null) {
+                     mResolvedInheritedFiles.add(baseDexMetadataFile);
+                 }
++            } else if ((params.installFlags & PackageManager.INSTALL_DONT_KILL_APP) != 0) {
++                EventLog.writeEvent(0x534e4554, "219044664");
++
++                // Installing base.apk. Make sure the app is restarted.
++                params.setDontKillApp(false);
+             }
+ 
+             // Inherit splits if not overridden
+@@ -1589,6 +1595,11 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub {
+         dispatchSessionFinished(INSTALL_FAILED_ABORTED, "Session was abandoned", null);
+     }
+ 
++    @Override
++    public int getInstallFlags() {
++        return params.installFlags;
++    }
++
+     private void dispatchSessionFinished(int returnCode, String msg, Bundle extras) {
+         final IPackageInstallObserver2 observer;
+         final String packageName;

Patches/LineageOS-16.0/android_frameworks_base/332756.patch

@@ -0,0 +1,174 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jonathan Scott <scottjonathan@google.com>
+Date: Tue, 5 Apr 2022 18:47:56 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Add finalizeWorkProfileProvisioning.
+
+Test: atest android.devicepolicy.cts.DevicePolicyManagerTest
+Bug: 210469972
+Change-Id: I2de99f9ccd8b27ffdc2562fa451f132e73d54317
+(cherry picked from commit c5037ec63cdc72846082a66e72b34cf5067a6046)
+Merged-In: I2de99f9ccd8b27ffdc2562fa451f132e73d54317
+---
+ .../app/admin/DevicePolicyManager.java        | 21 ++++++++++++
+ .../app/admin/IDevicePolicyManager.aidl       |  3 ++
+ core/res/AndroidManifest.xml                  |  1 +
+ .../BaseIDevicePolicyManager.java             |  6 ++++
+ .../DevicePolicyManagerService.java           | 33 +++++++++++++++++++
+ 5 files changed, 64 insertions(+)
+
+diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
+index f298bc6992b0..485ce78c3320 100644
+--- a/core/java/android/app/admin/DevicePolicyManager.java
++++ b/core/java/android/app/admin/DevicePolicyManager.java
+@@ -16,6 +16,7 @@
+ 
+ package android.app.admin;
+ 
++import android.accounts.Account;
+ import android.annotation.CallbackExecutor;
+ import android.annotation.ColorInt;
+ import android.annotation.IntDef;
+@@ -136,6 +137,26 @@ public class DevicePolicyManager {
+         this(context, service, false);
+     }
+ 
++    /**
++     * Called when a managed profile has been provisioned.
++     *
++     * @throws SecurityException if the caller does not hold
++     * {@link android.Manifest.permission#MANAGE_PROFILE_AND_DEVICE_OWNERS}.
++     * @hide
++     */
++    @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS)
++    public void finalizeWorkProfileProvisioning(
++            @NonNull UserHandle managedProfileUser, @Nullable Account migratedAccount) {
++        if (mService == null) {
++            throw new IllegalStateException("Could not find DevicePolicyManagerService");
++        }
++        try {
++            mService.finalizeWorkProfileProvisioning(managedProfileUser, migratedAccount);
++        } catch (RemoteException e) {
++            throw e.rethrowFromSystemServer();
++        }
++    }
++
+     /** @hide */
+     @VisibleForTesting
+     protected DevicePolicyManager(Context context, IDevicePolicyManager service,
+diff --git a/core/java/android/app/admin/IDevicePolicyManager.aidl b/core/java/android/app/admin/IDevicePolicyManager.aidl
+index 096427451662..64b8eaa359aa 100644
+--- a/core/java/android/app/admin/IDevicePolicyManager.aidl
++++ b/core/java/android/app/admin/IDevicePolicyManager.aidl
+@@ -17,6 +17,7 @@
+ 
+ package android.app.admin;
+ 
++import android.accounts.Account;
+ import android.app.admin.NetworkEvent;
+ import android.app.IApplicationThread;
+ import android.app.IServiceConnection;
+@@ -85,6 +86,8 @@ interface IDevicePolicyManager {
+     int getCurrentFailedPasswordAttempts(int userHandle, boolean parent);
+     int getProfileWithMinimumFailedPasswordsForWipe(int userHandle, boolean parent);
+ 
++    void finalizeWorkProfileProvisioning(in UserHandle managedProfileUser, in Account migratedAccount);
++
+     void setMaximumFailedPasswordsForWipe(in ComponentName admin, int num, boolean parent);
+     int getMaximumFailedPasswordsForWipe(in ComponentName admin, int userHandle, boolean parent);
+ 
+diff --git a/core/res/AndroidManifest.xml b/core/res/AndroidManifest.xml
+index af1a6fa9e3c5..0aafab66dabd 100644
+--- a/core/res/AndroidManifest.xml
++++ b/core/res/AndroidManifest.xml
+@@ -91,6 +91,7 @@
+     <protected-broadcast android:name="android.intent.action.USER_ACTIVITY_NOTIFICATION" />
+     <protected-broadcast android:name="android.intent.action.MY_PACKAGE_SUSPENDED" />
+     <protected-broadcast android:name="android.intent.action.MY_PACKAGE_UNSUSPENDED" />
++    <protected-broadcast android:name="android.app.action.MANAGED_PROFILE_PROVISIONED" />
+ 
+     <protected-broadcast android:name="android.os.action.POWER_SAVE_MODE_CHANGED" />
+     <protected-broadcast android:name="android.os.action.POWER_SAVE_MODE_CHANGING" />
+diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java b/services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java
+index 1c9782fa5565..af1735f6e26e 100644
+--- a/services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java
++++ b/services/devicepolicy/java/com/android/server/devicepolicy/BaseIDevicePolicyManager.java
+@@ -15,10 +15,12 @@
+  */
+ package com.android.server.devicepolicy;
+ 
++import android.accounts.Account;
+ import android.annotation.UserIdInt;
+ import android.app.admin.IDevicePolicyManager;
+ import android.content.ComponentName;
+ import android.os.PersistableBundle;
++import android.os.UserHandle;
+ import android.security.keymaster.KeymasterCertificateChain;
+ import android.security.keystore.ParcelableKeyGenParameterSpec;
+ import android.telephony.data.ApnSetting;
+@@ -159,4 +161,8 @@ abstract class BaseIDevicePolicyManager extends IDevicePolicyManager.Stub {
+     @Override
+     public void setDefaultSmsApplication(ComponentName admin, String packageName) {
+     }
++
++    public void finalizeWorkProfileProvisioning(
++            UserHandle managedProfileUser, Account migratedAccount) {
++    }
+ }
+diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+index 3a183865ead3..d7539e11bea9 100644
+--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
++++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+@@ -20,6 +20,7 @@ import static android.Manifest.permission.BIND_DEVICE_ADMIN;
+ import static android.Manifest.permission.MANAGE_CA_CERTIFICATES;
+ import static android.app.ActivityManager.LOCK_TASK_MODE_NONE;
+ import static android.app.admin.DeviceAdminReceiver.EXTRA_TRANSFER_OWNERSHIP_ADMIN_EXTRAS_BUNDLE;
++import static android.app.admin.DevicePolicyManager.ACTION_MANAGED_PROFILE_PROVISIONED;
+ import static android.app.admin.DevicePolicyManager.ACTION_PROVISION_MANAGED_USER;
+ import static android.app.admin.DevicePolicyManager.CODE_ACCOUNTS_NOT_EMPTY;
+ import static android.app.admin.DevicePolicyManager.CODE_ADD_MANAGED_PROFILE_DISALLOWED;
+@@ -45,6 +46,7 @@ import static android.app.admin.DevicePolicyManager.DELEGATION_INSTALL_EXISTING_
+ import static android.app.admin.DevicePolicyManager.DELEGATION_KEEP_UNINSTALLED_PACKAGES;
+ import static android.app.admin.DevicePolicyManager.DELEGATION_PACKAGE_ACCESS;
+ import static android.app.admin.DevicePolicyManager.DELEGATION_PERMISSION_GRANT;
++import static android.app.admin.DevicePolicyManager.EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE;
+ import static android.app.admin.DevicePolicyManager.ID_TYPE_BASE_INFO;
+ import static android.app.admin.DevicePolicyManager.ID_TYPE_IMEI;
+ import static android.app.admin.DevicePolicyManager.ID_TYPE_MEID;
+@@ -8878,6 +8880,37 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager {
+         }
+     }
+ 
++    @Override
++    public void finalizeWorkProfileProvisioning(UserHandle managedProfileUser,
++            Account migratedAccount) {
++        if (mContext.checkCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS)
++                != PackageManager.PERMISSION_GRANTED) {
++            throw new SecurityException("Calling identity is not authorized");
++        }
++
++        if (!isManagedProfile(managedProfileUser.getIdentifier())) {
++            throw new IllegalStateException("Given user is not a managed profile");
++        }
++        ComponentName profileOwnerComponent =
++                mOwners.getProfileOwnerComponent(managedProfileUser.getIdentifier());
++        if (profileOwnerComponent == null) {
++            throw new IllegalStateException("There is no profile owner on the given profile");
++        }
++        Intent primaryProfileSuccessIntent = new Intent(ACTION_MANAGED_PROFILE_PROVISIONED);
++        primaryProfileSuccessIntent.setPackage(profileOwnerComponent.getPackageName());
++        primaryProfileSuccessIntent.addFlags(Intent.FLAG_INCLUDE_STOPPED_PACKAGES
++                | Intent.FLAG_RECEIVER_FOREGROUND);
++        primaryProfileSuccessIntent.putExtra(Intent.EXTRA_USER, managedProfileUser);
++
++        if (migratedAccount != null) {
++            primaryProfileSuccessIntent.putExtra(EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE,
++                    migratedAccount);
++        }
++
++        mContext.sendBroadcastAsUser(primaryProfileSuccessIntent,
++                UserHandle.of(getProfileParentId(managedProfileUser.getIdentifier())));
++    }
++
+     @Override
+     public UserHandle createAndManageUser(ComponentName admin, String name,
+             ComponentName profileOwner, PersistableBundle adminExtras, int flags) {

Patches/LineageOS-16.0/android_frameworks_base/332757.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Stuart <tjstuart@google.com>
+Date: Mon, 31 Jan 2022 20:31:42 +0000
+Subject: [PATCH] limit TelecomManager#registerPhoneAccount to 10; api doc
+ update
+
+bug: 209814693
+Bug: 217934478
+Test: CTS
+Change-Id: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
+Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
+(cherry picked from commit f0f67b5a319efedbf8693b436a641fa65bc2d8be)
+Merged-In: I8e4425a4e7de716f86b1f1f56ea605d93f357a57
+---
+ telecomm/java/android/telecom/TelecomManager.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java
+index 18c170a2e330..6b00a495668c 100644
+--- a/telecomm/java/android/telecom/TelecomManager.java
++++ b/telecomm/java/android/telecom/TelecomManager.java
+@@ -1000,9 +1000,14 @@ public class TelecomManager {
+      * when placing calls. The user may still need to enable the {@link PhoneAccount} within
+      * the phone app settings before the account is usable.
+      * <p>
++     * Note: Each package is limited to 10 {@link PhoneAccount} registrations.
++     * <p>
+      * A {@link SecurityException} will be thrown if an app tries to register a
+      * {@link PhoneAccountHandle} where the package name specified within
+      * {@link PhoneAccountHandle#getComponentName()} does not match the package name of the app.
++     * <p>
++     * A {@link IllegalArgumentException} will be thrown if an app tries to register a
++     * {@link PhoneAccount} when the upper bound limit, 10, has already been reached.
+      *
+      * @param account The complete {@link PhoneAccount}.
+      */

Patches/LineageOS-16.0/android_frameworks_base/332776.patch

@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Christie <dnchrist@google.com>
+Date: Fri, 11 Mar 2022 01:13:31 +0000
+Subject: [PATCH] Update GeofenceHardwareRequestParcelable to match
+ parcel/unparcel format.
+
+Test: manual
+Bug: 216631962
+
+Change-Id: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
+(cherry picked from commit 3e1ffdb29417f4fb994587a013fa56c83e157f6f)
+Merged-In: I3d6d1be9d6c312fe0bf98f600ff8fc9c617f8ec3
+---
+ .../location/GeofenceHardwareRequestParcelable.java      | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
+index d3311f5c8c5e..fc27d1de6372 100644
+--- a/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
++++ b/core/java/android/hardware/location/GeofenceHardwareRequestParcelable.java
+@@ -16,9 +16,9 @@
+ 
+ package android.hardware.location;
+ 
++import android.os.BadParcelableException;
+ import android.os.Parcel;
+ import android.os.Parcelable;
+-import android.util.Log;
+ 
+ /**
+  * Geofence Hardware Request used for internal location services communication.
+@@ -139,11 +139,8 @@ public final class GeofenceHardwareRequestParcelable implements Parcelable {
+         @Override
+         public GeofenceHardwareRequestParcelable createFromParcel(Parcel parcel) {
+             int geofenceType = parcel.readInt();
+-            if(geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {
+-                Log.e(
+-                        "GeofenceHardwareRequest",
+-                        String.format("Invalid Geofence type: %d", geofenceType));
+-                return null;
++            if (geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {
++                throw new BadParcelableException("Invalid Geofence type: " + geofenceType);
+             }
+ 
+             GeofenceHardwareRequest request = GeofenceHardwareRequest.createCircularGeofence(

Patches/LineageOS-16.0/android_frameworks_base/332777.patch

@@ -0,0 +1,151 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Tue, 1 Mar 2022 10:30:27 -0500
+Subject: [PATCH] DO NOT MERGE Add an OEM configurable limit for zen rules
+
+Test: ZenModeHelperTest
+Bug: 220735360
+Change-Id: I3da105951af90007bf48dc6cf00aed3e28778b36
+Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
+(cherry picked from commit 3072d98c2dc2b709bd8ffc343c101557a53dd188)
+Merged-In: I3da105951af90007bf48dc6cf00aed3e28778b36
+---
+ .../server/notification/ZenModeHelper.java    |  6 ++-
+ .../notification/ZenModeHelperTest.java       | 52 ++++++++++++++++++-
+ 2 files changed, 55 insertions(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/notification/ZenModeHelper.java b/services/core/java/com/android/server/notification/ZenModeHelper.java
+index 0c42f8ab8345..90c7a874c2f4 100644
+--- a/services/core/java/com/android/server/notification/ZenModeHelper.java
++++ b/services/core/java/com/android/server/notification/ZenModeHelper.java
+@@ -91,6 +91,7 @@ public class ZenModeHelper {
+ 
+     // The amount of time rules instances can exist without their owning app being installed.
+     private static final int RULE_INSTANCE_GRACE_PERIOD = 1000 * 60 * 60 * 72;
++    static final int RULE_LIMIT_PER_PACKAGE = 100;
+ 
+     private final Context mContext;
+     private final H mHandler;
+@@ -294,8 +295,9 @@ public class ZenModeHelper {
+                 ruleInstanceLimit = owner.metaData.getInt(
+                         ConditionProviderService.META_DATA_RULE_INSTANCE_LIMIT, -1);
+             }
+-            if (ruleInstanceLimit > 0 && ruleInstanceLimit
+-                    < (getCurrentInstanceCount(automaticZenRule.getOwner()) + 1)) {
++            int newRuleInstanceCount = getCurrentInstanceCount(automaticZenRule.getOwner()) + 1;
++            if (newRuleInstanceCount > RULE_LIMIT_PER_PACKAGE
++                    || (ruleInstanceLimit > 0 && ruleInstanceLimit < newRuleInstanceCount)) {
+                 throw new IllegalArgumentException("Rule instance limit exceeded");
+             }
+         }
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java
+index 8222c386c0d9..1d97b09853c3 100644
+--- a/services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java
++++ b/services/tests/uiservicestests/src/com/android/server/notification/ZenModeHelperTest.java
+@@ -20,10 +20,13 @@ import static android.app.NotificationManager.Policy.SUPPRESSED_EFFECT_BADGE;
+ import static android.app.NotificationManager.Policy.SUPPRESSED_EFFECT_FULL_SCREEN_INTENT;
+ import static android.app.NotificationManager.Policy.SUPPRESSED_EFFECT_LIGHTS;
+ import static android.app.NotificationManager.Policy.SUPPRESSED_EFFECT_PEEK;
++import static com.android.server.notification.ZenModeHelper.RULE_LIMIT_PER_PACKAGE;
+ 
+ import static junit.framework.Assert.assertFalse;
+ import static junit.framework.Assert.assertEquals;
++import static junit.framework.Assert.assertNotNull;
+ import static junit.framework.TestCase.assertTrue;
++import static junit.framework.TestCase.fail;
+ 
+ import static org.mockito.ArgumentMatchers.any;
+ import static org.mockito.ArgumentMatchers.anyBoolean;
+@@ -44,6 +47,9 @@ import android.app.NotificationManager;
+ import android.content.ComponentName;
+ import android.content.ContentResolver;
+ import android.content.Context;
++import android.content.pm.ActivityInfo;
++import android.content.pm.PackageManager;
++import android.content.pm.ResolveInfo;
+ import android.content.res.Resources;
+ import android.media.AudioAttributes;
+ import android.media.AudioManager;
+@@ -69,6 +75,8 @@ import com.android.internal.util.FastXmlSerializer;
+ import com.android.server.UiServiceTestCase;
+ import android.util.Slog;
+ 
++import com.google.common.collect.ImmutableList;
++
+ import org.junit.Before;
+ import org.junit.Test;
+ import org.junit.runner.RunWith;
+@@ -87,8 +95,12 @@ import java.io.ByteArrayOutputStream;
+ @TestableLooper.RunWithLooper
+ public class ZenModeHelperTest extends UiServiceTestCase {
+ 
++    private static final String CUSTOM_PKG_NAME = "not.android";
++    private static final int CUSTOM_PKG_UID = 1;
++
+     ConditionProviders mConditionProviders;
+     @Mock NotificationManager mNotificationManager;
++    @Mock PackageManager mPackageManager;
+     @Mock private Resources mResources;
+     private TestableLooper mTestableLooper;
+     private ZenModeHelper mZenModeHelperSpy;
+@@ -96,7 +108,7 @@ public class ZenModeHelperTest extends UiServiceTestCase {
+     private ContentResolver mContentResolver;
+ 
+     @Before
+-    public void setUp() {
++    public void setUp() throws PackageManager.NameNotFoundException {
+         MockitoAnnotations.initMocks(this);
+ 
+         mTestableLooper = TestableLooper.get(this);
+@@ -112,6 +124,16 @@ public class ZenModeHelperTest extends UiServiceTestCase {
+         mConditionProviders.addSystemProvider(new CountdownConditionProvider());
+         mZenModeHelperSpy = spy(new ZenModeHelper(mContext, mTestableLooper.getLooper(),
+                 mConditionProviders));
++
++        ResolveInfo ri = new ResolveInfo();
++        ri.activityInfo = new ActivityInfo();
++        when(mPackageManager.queryIntentActivitiesAsUser(any(), anyInt(), anyInt())).thenReturn(
++                ImmutableList.of(ri));
++        when(mPackageManager.getPackageUidAsUser(eq(CUSTOM_PKG_NAME), anyInt()))
++                .thenReturn(CUSTOM_PKG_UID);
++        when(mPackageManager.getPackagesForUid(anyInt())).thenReturn(
++                new String[] {getContext().getPackageName()});
++        mZenModeHelperSpy.mPm = mPackageManager;
+     }
+ 
+     private ByteArrayOutputStream writeXmlAndPurge(boolean forBackup, Integer version)
+@@ -844,6 +866,34 @@ public class ZenModeHelperTest extends UiServiceTestCase {
+         assertEquals(1, mZenModeHelperSpy.mConditions.mSubscriptions.size());
+     }
+ 
++    @Test
++    public void testAddAutomaticZenRule_beyondSystemLimit() {
++        for (int i = 0; i < RULE_LIMIT_PER_PACKAGE; i++) {
++            ScheduleInfo si = new ScheduleInfo();
++            si.startHour = i;
++            AutomaticZenRule zenRule = new AutomaticZenRule("name" + i,
++                    null,
++                    new ComponentName("android", "ScheduleConditionProvider"),
++                    ZenModeConfig.toScheduleConditionId(si),
++                    new ZenPolicy.Builder().build(),
++                    NotificationManager.INTERRUPTION_FILTER_PRIORITY, true);
++            String id = mZenModeHelperSpy.addAutomaticZenRule(zenRule, "test");
++            assertNotNull(id);
++        }
++        try {
++            AutomaticZenRule zenRule = new AutomaticZenRule("name",
++                    null,
++                    new ComponentName("android", "ScheduleConditionProvider"),
++                    ZenModeConfig.toScheduleConditionId(new ScheduleInfo()),
++                    new ZenPolicy.Builder().build(),
++                    NotificationManager.INTERRUPTION_FILTER_PRIORITY, true);
++            String id = mZenModeHelperSpy.addAutomaticZenRule(zenRule, "test");
++            fail("allowed too many rules to be created");
++        } catch (IllegalArgumentException e) {
++            // yay
++        }
++    }
++
+     private void setupZenConfig() {
+         mZenModeHelperSpy.mZenMode = Settings.Global.ZEN_MODE_IMPORTANT_INTERRUPTIONS;
+         mZenModeHelperSpy.mConfig.allowAlarms = false;

Patches/LineageOS-16.0/android_frameworks_base/332778.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ayush Sharma <ayushsha@google.com>
+Date: Wed, 16 Mar 2022 10:32:23 +0000
+Subject: [PATCH] Fix security hole in GateKeeperResponse
+
+GateKeeperResponse has inconsistent writeToParcel() and
+createFromParcel() methods, making it possible for a malicious app to
+create a Bundle that changes contents after reserialization. Such
+Bundles can be used to execute Intents with system privileges.
+
+We fixed related issues previously for GateKeeperResponse class, but
+one of the case was remaining when payload is byte array of size 0,
+Fixing this case now.
+
+Bug: 220303465
+Test: With the POC provided in the bug.
+Change-Id: Ida28d611edd674e76ed39dd8037f52abcba82586
+Merged-In: Ida28d611edd674e76ed39dd8037f52abcba82586
+
+(cherry picked from commit 46653a91c30245ca29d41d69174813979a910496)
+
+Change-Id: I486348c7a01c6f59c952b20fb4a36429fff22958
+(cherry picked from commit 658c53c47c0d1b6a74d3c0a72372aaaba16c2516)
+Merged-In: I486348c7a01c6f59c952b20fb4a36429fff22958
+---
+ core/java/android/service/gatekeeper/GateKeeperResponse.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/service/gatekeeper/GateKeeperResponse.java b/core/java/android/service/gatekeeper/GateKeeperResponse.java
+index 9b529345851b..4502c0ef2898 100644
+--- a/core/java/android/service/gatekeeper/GateKeeperResponse.java
++++ b/core/java/android/service/gatekeeper/GateKeeperResponse.java
+@@ -103,7 +103,7 @@ public final class GateKeeperResponse implements Parcelable {
+             dest.writeInt(mTimeout);
+         } else if (mResponseCode == RESPONSE_OK) {
+             dest.writeInt(mShouldReEnroll ? 1 : 0);
+-            if (mPayload != null) {
++            if (mPayload != null && mPayload.length > 0) {
+                 dest.writeInt(mPayload.length);
+                 dest.writeByteArray(mPayload);
+             } else {

Patches/LineageOS-16.0/android_frameworks_base/332779.patch

@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Fri, 25 Mar 2022 10:02:41 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Prevent non-admin users from deleting
+ system apps.
+
+This addresses a security issue where the guest user can remove updates
+for system apps.
+
+With this CL, attempts to uninstall/downgrade system apps will fail if
+attempted by a non-admin user.
+
+This is a backport of ag/17352264.
+
+Bug: 170646036
+Test: manual, try uninstalling system app update as guest
+Change-Id: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
+Merged-In: I4e959e296cca9bbdfc8fccc5e5e0e654ca524165
+(cherry picked from commit a7621e0ce00f1d140b375518e26cf75693314203)
+Merged-In: I5bbaaf83d035c500bfc02ff4b9b0e7fb1e7c2feb
+---
+ .../com/android/server/pm/PackageManagerService.java   | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index dc44fe17722d..e8532ce4edd3 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -18476,6 +18476,16 @@ public class PackageManagerService extends IPackageManager.Stub
+                 return PackageManager.DELETE_FAILED_INTERNAL_ERROR;
+             }
+ 
++            if (isSystemApp(uninstalledPs)) {
++                UserInfo userInfo = sUserManager.getUserInfo(userId);
++                if (userInfo == null || !userInfo.isAdmin()) {
++                    Slog.w(TAG, "Not removing package " + packageName
++                            + " as only admin user may downgrade system apps");
++                    EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
++                    return PackageManager.DELETE_FAILED_USER_RESTRICTED;
++                }
++            }
++
+             // Static shared libs can be declared by any package, so let us not
+             // allow removing a package if it provides a lib others depend on.
+             pkg = mPackages.get(packageName);

Patches/LineageOS-16.0/android_frameworks_base/334256.patch

@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 13 Aug 2021 13:37:55 -0700
+Subject: [PATCH] StorageManagerService: don't ignore failures to prepare user
+ storage
+
+We must never leave directories unencrypted.
+
+Bug: 164488924
+Bug: 224585613
+Change-Id: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
+(cherry picked from commit 50946dd15fd14cbf92b5c7e32ac7a0f088b8b302)
+Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
+(cherry picked from commit f80dd3ecd46db03005423e7fac28a0def49d0140)
+Merged-In: I9a38ab5cca1ae9c9ebff81fca04615fd83ebe4b2
+---
+ .../core/java/com/android/server/StorageManagerService.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java
+index 910e3e345f69..f6ca63a48a39 100644
+--- a/services/core/java/com/android/server/StorageManagerService.java
++++ b/services/core/java/com/android/server/StorageManagerService.java
+@@ -2609,8 +2609,12 @@ class StorageManagerService extends IStorageManager.Stub
+ 
+         try {
+             mVold.prepareUserStorage(volumeUuid, userId, serialNumber, flags);
+-        } catch (Exception e) {
++        } catch (RemoteException e) {
+             Slog.wtf(TAG, e);
++            // Make sure to re-throw this exception; we must not ignore failure
++            // to prepare the user storage as it could indicate that encryption
++            // wasn't successfully set up.
++            throw new RuntimeException(e);
+         }
+     }
+ 

Patches/LineageOS-16.0/android_frameworks_base/334257.patch

@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 24 Jan 2022 20:33:11 +0000
+Subject: [PATCH] UserDataPreparer: reboot to recovery if preparing user
+ storage fails
+
+StorageManager.prepareUserStorage() can throw an exception if a
+directory cannot be encrypted, for example due to already being
+nonempty.  In this case, usage of the directory must not be allowed to
+proceed.  UserDataPreparer currently handles this by deleting the user's
+directories, but the error is still ultimately suppressed and starting
+the user is still allowed to proceed.
+
+The correct behavior in this case is to reboot into recovery to ask the
+user to factory reset the device.  This is already what happens when
+'init' fails to encrypt a directory with the system DE policy.  However,
+this was overlooked for the user directories.  Start doing this.
+
+Bug: 164488924
+Bug: 224585613
+Change-Id: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
+(cherry picked from commit 5256365e65882b81509ec2f6b9dfe2dcf0025254)
+Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
+(cherry picked from commit ea010f3dd213bb6b5f3ed28b89988754ed26aac6)
+Merged-In: Ib5e91d2510b25780d7a161b91b5cee2f6f7a2e54
+---
+ .../core/java/com/android/server/pm/UserDataPreparer.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java
+index 045a295da965..504769064808 100644
+--- a/services/core/java/com/android/server/pm/UserDataPreparer.java
++++ b/services/core/java/com/android/server/pm/UserDataPreparer.java
+@@ -22,6 +22,7 @@ import android.content.Context;
+ import android.content.pm.UserInfo;
+ import android.os.Environment;
+ import android.os.FileUtils;
++import android.os.RecoverySystem;
+ import android.os.storage.StorageManager;
+ import android.os.storage.VolumeInfo;
+ import android.os.SystemProperties;
+@@ -115,6 +116,13 @@ class UserDataPreparer {
+                 // Try one last time; if we fail again we're really in trouble
+                 prepareUserDataLI(volumeUuid, userId, userSerial,
+                     flags | StorageManager.FLAG_STORAGE_DE, false);
++            } else {
++                try {
++                    Log.e(TAG, "prepareUserData failed", e);
++                    RecoverySystem.rebootPromptAndWipeUserData(mContext, "prepareUserData failed");
++                } catch (IOException e2) {
++                    throw new RuntimeException("error rebooting into recovery", e2);
++                }
+             }
+         }
+     }

Patches/LineageOS-16.0/android_frameworks_base/334258.patch

@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 4 Mar 2022 00:07:29 +0000
+Subject: [PATCH] UserDataPreparer: reboot to recovery for system user only
+
+With the next CL, old devices might contain a combination of old users
+with prepareUserStorage error checking disabled and new users with
+prepareUserStorage error checking enabled.  Factory resetting the whole
+device when any user fails to prepare may be too aggressive.  Also,
+UserDataPreparer already destroys the affected user's storage when it
+fails to prepare, which seems to be fairly effective at breaking things
+for that user (absent proper error handling by upper layers).
+
+Therefore, let's only factory reset the device if the failing user is
+the system user.
+
+Bug: 164488924
+Bug: 224585613
+Change-Id: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
+(cherry picked from commit 4c76da76c9831266e4e63c0618150bed10a929a7)
+Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
+(cherry picked from commit a296a2b724f3b7233952740231a49d432949276b)
+Merged-In: Ia1db01ab4ec6b3b17d725f391c3500d92aa00f97
+---
+ .../core/java/com/android/server/pm/UserDataPreparer.java  | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java
+index 504769064808..95482d7c7f1a 100644
+--- a/services/core/java/com/android/server/pm/UserDataPreparer.java
++++ b/services/core/java/com/android/server/pm/UserDataPreparer.java
+@@ -118,8 +118,11 @@ class UserDataPreparer {
+                     flags | StorageManager.FLAG_STORAGE_DE, false);
+             } else {
+                 try {
+-                    Log.e(TAG, "prepareUserData failed", e);
+-                    RecoverySystem.rebootPromptAndWipeUserData(mContext, "prepareUserData failed");
++                    Log.wtf(TAG, "prepareUserData failed for user " + userId, e);
++                    if (userId == UserHandle.USER_SYSTEM) {
++                        RecoverySystem.rebootPromptAndWipeUserData(mContext,
++                                "prepareUserData failed for system user");
++                    }
+                 } catch (IOException e2) {
+                     throw new RuntimeException("error rebooting into recovery", e2);
+                 }

Patches/LineageOS-16.0/android_frameworks_base/334259.patch

@@ -0,0 +1,198 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 4 Mar 2022 00:07:43 +0000
+Subject: [PATCH] Ignore errors preparing user storage for existing users
+
+Unfortunately we can't rule out the existence of devices where the user
+storage wasn't properly prepared, due to StorageManagerService
+previously ignoring errors from mVold.prepareUserStorage, combined with
+OEMs potentially creating files in per-user directories too early.  And
+forcing these broken devices to be factory reset upon taking an OTA is
+not currently considered to be acceptable.
+
+One option is to only check for prepareUserStorage errors on devices
+that launched with T or later.  However, this is a serious issue and it
+would be strongly preferable to do more than that.
+
+Therefore, this CL makes it so that errors are checked for all new
+users, rather than all new devices.  A field ignorePrepareStorageErrors
+is added to the user record; it is only ever set to true implicitly,
+when reading a user record from disk that lacks this field.  This field
+is used by StorageManagerService to decide whether to check for errors.
+
+Bug: 164488924
+Bug: 224585613
+Test: Intentionally made a device affected by this issue by reverting
+      the CLs that introduced the error checks, and changing vold to
+      inject an error into prepareUserStorage.   Then, flashed a build
+      with this CL without wiping userdata.  The device still boots, as
+      expected, and the log shows that the error was intentionally
+      ignored.  Tested that if a second user is added, the error is
+      *not* ignored and the second user's storage is destroyed before it
+      can be used.  Finally, wiped the device and verified that it won't
+      boot up anymore, as expected since error checking is enabled for
+      the system user in that case.
+Change-Id: I9bdd1a4bf5b14542adb901f264a91d489115c89b
+(cherry picked from commit 60d8318c47b7b659716d71243d087b34ab327f64)
+Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b
+(cherry picked from commit 493aa93b84b4281378e6b767bf2df6139bd0975d)
+Merged-In: I9bdd1a4bf5b14542adb901f264a91d489115c89b
+---
+ core/java/android/os/UserManagerInternal.java |  8 ++++
+ .../android/server/StorageManagerService.java | 12 +++++-
+ .../android/server/pm/UserManagerService.java | 42 +++++++++++++++++++
+ 3 files changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/core/java/android/os/UserManagerInternal.java b/core/java/android/os/UserManagerInternal.java
+index 1f6c3cc76ddd..674dcc024ddc 100644
+--- a/core/java/android/os/UserManagerInternal.java
++++ b/core/java/android/os/UserManagerInternal.java
+@@ -221,4 +221,12 @@ public abstract class UserManagerInternal {
+      */
+     public abstract boolean isSettingRestrictedForUser(String setting, int userId, String value,
+             int callingUid);
++
++    /**
++     * Returns {@code true} if the system should ignore errors when preparing
++     * the storage directories for the user with ID {@code userId}. This will
++     * return {@code false} for all new users; it will only return {@code true}
++     * for users that already existed on-disk from an older version of Android.
++     */
++    public abstract boolean shouldIgnorePrepareStorageErrors(int userId);
+ }
+diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java
+index f6ca63a48a39..dc77f414c9e2 100644
+--- a/services/core/java/com/android/server/StorageManagerService.java
++++ b/services/core/java/com/android/server/StorageManagerService.java
+@@ -86,6 +86,7 @@ import android.os.SystemClock;
+ import android.os.SystemProperties;
+ import android.os.UserHandle;
+ import android.os.UserManager;
++import android.os.UserManagerInternal;
+ import android.os.storage.DiskInfo;
+ import android.os.storage.IObbActionListener;
+ import android.os.storage.IStorageEventListener;
+@@ -2609,11 +2610,20 @@ class StorageManagerService extends IStorageManager.Stub
+ 
+         try {
+             mVold.prepareUserStorage(volumeUuid, userId, serialNumber, flags);
+-        } catch (RemoteException e) {
++        } catch (Exception e) {
+             Slog.wtf(TAG, e);
+             // Make sure to re-throw this exception; we must not ignore failure
+             // to prepare the user storage as it could indicate that encryption
+             // wasn't successfully set up.
++            //
++            // Very unfortunately, these errors need to be ignored for broken
++            // users that already existed on-disk from older Android versions.
++            UserManagerInternal umInternal = LocalServices.getService(UserManagerInternal.class);
++            if (umInternal.shouldIgnorePrepareStorageErrors(userId)) {
++                Slog.wtf(TAG, "ignoring error preparing storage for existing user " + userId
++                        + "; device may be insecure!");
++                return;
++            }
+             throw new RuntimeException(e);
+         }
+     }
+diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
+index 1a22a84908f8..56d737d50fbf 100644
+--- a/services/core/java/com/android/server/pm/UserManagerService.java
++++ b/services/core/java/com/android/server/pm/UserManagerService.java
+@@ -175,6 +175,8 @@ public class UserManagerService extends IUserManager.Stub {
+     private static final String TAG_ENTRY = "entry";
+     private static final String TAG_VALUE = "value";
+     private static final String TAG_SEED_ACCOUNT_OPTIONS = "seedAccountOptions";
++    private static final String TAG_IGNORE_PREPARE_STORAGE_ERRORS =
++            "ignorePrepareStorageErrors";
+     private static final String ATTR_KEY = "key";
+     private static final String ATTR_VALUE_TYPE = "type";
+     private static final String ATTR_MULTIPLE = "m";
+@@ -270,6 +272,22 @@ public class UserManagerService extends IUserManager.Stub {
+         /** Elapsed realtime since boot when the user was unlocked. */
+         long unlockRealtime;
+ 
++        /**
++         * {@code true} if the system should ignore errors when preparing the
++         * storage directories for this user. This is {@code false} for all new
++         * users; it will only be {@code true} for users that already existed
++         * on-disk from an older version of Android.
++         */
++        private boolean mIgnorePrepareStorageErrors;
++
++        boolean getIgnorePrepareStorageErrors() {
++            return mIgnorePrepareStorageErrors;
++        }
++
++        void setIgnorePrepareStorageErrors() {
++            mIgnorePrepareStorageErrors = true;
++        }
++
+         void clearSeedAccountData() {
+             seedAccountName = null;
+             seedAccountType = null;
+@@ -2307,6 +2325,10 @@ public class UserManagerService extends IUserManager.Stub {
+             serializer.endTag(null, TAG_SEED_ACCOUNT_OPTIONS);
+         }
+ 
++        serializer.startTag(/* namespace */ null, TAG_IGNORE_PREPARE_STORAGE_ERRORS);
++        serializer.text(String.valueOf(userData.getIgnorePrepareStorageErrors()));
++        serializer.endTag(/* namespace */ null, TAG_IGNORE_PREPARE_STORAGE_ERRORS);
++
+         serializer.endTag(null, TAG_USER);
+ 
+         serializer.endDocument();
+@@ -2413,6 +2435,7 @@ public class UserManagerService extends IUserManager.Stub {
+         Bundle baseRestrictions = null;
+         Bundle localRestrictions = null;
+         Bundle globalRestrictions = null;
++        boolean ignorePrepareStorageErrors = true; // default is true for old users
+ 
+         XmlPullParser parser = Xml.newPullParser();
+         parser.setInput(is, StandardCharsets.UTF_8.name());
+@@ -2486,6 +2509,11 @@ public class UserManagerService extends IUserManager.Stub {
+                 } else if (TAG_SEED_ACCOUNT_OPTIONS.equals(tag)) {
+                     seedAccountOptions = PersistableBundle.restoreFromXml(parser);
+                     persistSeedData = true;
++                } else if (TAG_IGNORE_PREPARE_STORAGE_ERRORS.equals(tag)) {
++                    type = parser.next();
++                    if (type == XmlPullParser.TEXT) {
++                        ignorePrepareStorageErrors = Boolean.parseBoolean(parser.getText());
++                    }
+                 }
+             }
+         }
+@@ -2510,6 +2538,9 @@ public class UserManagerService extends IUserManager.Stub {
+         userData.seedAccountType = seedAccountType;
+         userData.persistSeedData = persistSeedData;
+         userData.seedAccountOptions = seedAccountOptions;
++        if (ignorePrepareStorageErrors) {
++            userData.setIgnorePrepareStorageErrors();
++        }
+ 
+         synchronized (mRestrictionsLock) {
+             if (baseRestrictions != null) {
+@@ -3663,6 +3694,9 @@ public class UserManagerService extends IUserManager.Stub {
+                             pw.println();
+                         }
+                     }
++
++                    pw.println("    Ignore errors preparing storage: "
++                            + userData.getIgnorePrepareStorageErrors());
+                 }
+             }
+             pw.println();
+@@ -4008,6 +4042,14 @@ public class UserManagerService extends IUserManager.Stub {
+             return UserRestrictionsUtils.isSettingRestrictedForUser(mContext, setting, userId,
+                     value, callingUid);
+         }
++
++        @Override
++        public boolean shouldIgnorePrepareStorageErrors(int userId) {
++            synchronized (mUsersLock) {
++                UserData userData = mUsers.get(userId);
++                return userData != null && userData.getIgnorePrepareStorageErrors();
++            }
++        }
+     }
+ 
+     /* Remove all the users except of the system one. */

Patches/LineageOS-16.0/android_frameworks_base/334260.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sat, 26 Mar 2022 01:08:07 +0000
+Subject: [PATCH] Log to EventLog on prepareUserStorage failure
+
+Bug: 224585613
+Change-Id: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
+(cherry picked from commit fbb632ea95ac5b6d9efa89e09d0988a9df4f19e4)
+Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
+(cherry picked from commit 2f2e7d84f8f856e897056064b64c6b7213ba5d86)
+Merged-In: Id6dfb4f4c48d5cf4e71f54bdb6d0d6eea527caf5
+---
+ .../core/java/com/android/server/StorageManagerService.java     | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java
+index dc77f414c9e2..dcd1a7b03075 100644
+--- a/services/core/java/com/android/server/StorageManagerService.java
++++ b/services/core/java/com/android/server/StorageManagerService.java
+@@ -105,6 +105,7 @@ import android.text.format.DateUtils;
+ import android.util.ArrayMap;
+ import android.util.AtomicFile;
+ import android.util.DataUnit;
++import android.util.EventLog;
+ import android.util.Log;
+ import android.util.Pair;
+ import android.util.Slog;
+@@ -2611,6 +2612,7 @@ class StorageManagerService extends IStorageManager.Stub
+         try {
+             mVold.prepareUserStorage(volumeUuid, userId, serialNumber, flags);
+         } catch (Exception e) {
++            EventLog.writeEvent(0x534e4554, "224585613", -1, "");
+             Slog.wtf(TAG, e);
+             // Make sure to re-throw this exception; we must not ignore failure
+             // to prepare the user storage as it could indicate that encryption

Patches/LineageOS-16.0/android_frameworks_base/334262.patch

@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Wed, 7 Jul 2021 16:19:44 -0400
+Subject: [PATCH] DO NOT MERGE Crash invalid FGS notifications
+
+Test: CTS, ActivityManagerProcessStateTest
+Fixes: 191981182
+Change-Id: I13a0202b25c8118db47edba11a93c1939c94b392
+Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392
+(cherry picked from commit 6f657f8f5b7d41af426d6cd8d60bfda6e12057c0)
+(cherry picked from commit b6b2906ea6472d182e6ae03c581a63802cd84f08)
+Merged-In: I13a0202b25c8118db47edba11a93c1939c94b392
+
+Backport to P:
+Make method Notification.isForegroundService() public, as it is the case
+in Android 10 and later, see Ia13c1aac0cf91c400594df96ce267e768133f8d1
+
+Change-Id: I214b6ab4f6ecab332fb8b3293fbc3b2212790b38
+---
+ core/java/android/app/Notification.java                    | 3 ++-
+ .../server/notification/NotificationManagerService.java    | 7 +++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/core/java/android/app/Notification.java b/core/java/android/app/Notification.java
+index 78d23f368900..21bc17172b1f 100644
+--- a/core/java/android/app/Notification.java
++++ b/core/java/android/app/Notification.java
+@@ -5857,8 +5857,9 @@ public class Notification implements Parcelable
+ 
+     /**
+      * @return whether this notification is a foreground service notification
++     * @hide
+      */
+-    private boolean isForegroundService() {
++    public boolean isForegroundService() {
+         return (flags & Notification.FLAG_FOREGROUND_SERVICE) != 0;
+     }
+ 
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index 3e34039548d3..dd202a172d66 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -4161,8 +4161,11 @@ public class NotificationManagerService extends SystemService {
+                 notification.flags &= ~Notification.FLAG_CAN_COLORIZE;
+             }
+ 
+-        } catch (NameNotFoundException e) {
+-            Slog.e(TAG, "Cannot create a context for sending app", e);
++        } catch (Exception e) {
++            if (notification.isForegroundService()) {
++                throw new SecurityException("Invalid FGS notification", e);
++            }
++            Slog.e(TAG, "Cannot fix notification", e);
+             return;
+         }
+ 

Patches/LineageOS-16.0/android_frameworks_base/335117.patch

@@ -0,0 +1,137 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jeff Chang <chengjeff@google.com>
+Date: Wed, 29 Sep 2021 16:49:00 +0800
+Subject: [PATCH] Only allow system and same app to apply
+ relinquishTaskIdentity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Any malicious application could hijack tasks by
+android:relinquishTaskIdentity. This vulnerability can perform UI
+spoofing or spy on user’s activities.
+
+This CL limit the usage which only allow system and same app to apply
+relinquishTaskIdentity
+
+Bug: 185810717
+Test: atest IntentTests
+      atest ActivityStarterTests
+Change-Id: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
+(cherry picked from commit cd1f9e72cf9752c9a31e990822ab34ae3d475fec)
+Merged-In: I55fe8938cd9a0dd7c0268e1cfec89d4e95eee049
+---
+ .../com/android/server/am/TaskRecord.java     | 51 ++++++++++++++-----
+ 1 file changed, 39 insertions(+), 12 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/TaskRecord.java b/services/core/java/com/android/server/am/TaskRecord.java
+index 766cee3278ad..6b42918eddb6 100644
+--- a/services/core/java/com/android/server/am/TaskRecord.java
++++ b/services/core/java/com/android/server/am/TaskRecord.java
+@@ -96,6 +96,7 @@ import android.content.pm.PackageManager;
+ import android.content.res.Configuration;
+ import android.graphics.Rect;
+ import android.os.Debug;
++import android.os.Process;
+ import android.os.RemoteException;
+ import android.os.SystemClock;
+ import android.os.Trace;
+@@ -193,6 +194,11 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi
+     // Do not move the stack as a part of reparenting
+     static final int REPARENT_LEAVE_STACK_IN_PLACE = 2;
+ 
++    /**
++     * Used to identify if the activity that is installed from device's system image.
++     */
++    boolean mIsEffectivelySystemApp;
++
+     /**
+      * The factory used to create {@link TaskRecord}. This allows OEM subclass {@link TaskRecord}.
+      */
+@@ -788,17 +794,25 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi
+ 
+     /** Sets the original intent, and the calling uid and package. */
+     void setIntent(ActivityRecord r) {
+-        mCallingUid = r.launchedFromUid;
+-        mCallingPackage = r.launchedFromPackage;
+-        setIntent(r.intent, r.info);
++        boolean updateIdentity = false;
++        if (this.intent == null) {
++            updateIdentity = true;
++        } else if (!mNeverRelinquishIdentity) {
++            updateIdentity = (effectiveUid == Process.SYSTEM_UID || mIsEffectivelySystemApp
++                    || effectiveUid == r.info.applicationInfo.uid);
++        }
++        if (updateIdentity) {
++            mCallingUid = r.launchedFromUid;
++            mCallingPackage = r.launchedFromPackage;
++            setIntent(r.intent, r.info);
++        }
+         setLockTaskAuth(r);
+     }
+ 
+     /** Sets the original intent, _without_ updating the calling uid or package. */
+     private void setIntent(Intent _intent, ActivityInfo info) {
+         if (intent == null) {
+-            mNeverRelinquishIdentity =
+-                    (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0;
++            mNeverRelinquishIdentity = (info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0;
+         } else if (mNeverRelinquishIdentity) {
+             return;
+         }
+@@ -811,6 +825,7 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi
+             rootAffinity = affinity;
+         }
+         effectiveUid = info.applicationInfo.uid;
++        mIsEffectivelySystemApp = info.applicationInfo.isSystemApp();
+         stringName = null;
+ 
+         if (info.targetActivity == null) {
+@@ -1575,12 +1590,12 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi
+         // utility activities.
+         int activityNdx;
+         final int numActivities = mActivities.size();
+-        final boolean relinquish = numActivities != 0 &&
+-                (mActivities.get(0).info.flags & FLAG_RELINQUISH_TASK_IDENTITY) != 0;
+-        for (activityNdx = Math.min(numActivities, 1); activityNdx < numActivities;
+-                ++activityNdx) {
++        for (activityNdx = 0; activityNdx < numActivities; ++activityNdx) {
+             final ActivityRecord r = mActivities.get(activityNdx);
+-            if (relinquish && (r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
++            if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0
++                    || (r.info.applicationInfo.uid != Process.SYSTEM_UID
++                    && !r.info.applicationInfo.isSystemApp()
++                    && r.info.applicationInfo.uid != effectiveUid)) {
+                 // This will be the top activity for determining taskDescription. Pre-inc to
+                 // overcome initial decrement below.
+                 ++activityNdx;
+@@ -1645,15 +1660,27 @@ class TaskRecord extends ConfigurationContainer implements TaskWindowContainerLi
+     int findEffectiveRootIndex() {
+         int effectiveNdx = 0;
+         final int topActivityNdx = mActivities.size() - 1;
++        ActivityRecord root = null;
+         for (int activityNdx = 0; activityNdx <= topActivityNdx; ++activityNdx) {
+             final ActivityRecord r = mActivities.get(activityNdx);
+             if (r.finishing) {
+                 continue;
+             }
+-            effectiveNdx = activityNdx;
+-            if ((r.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0) {
++
++            if (root == null) {
++                // Set this as the candidate root since it isn't finishing.
++                root = r;
++                effectiveNdx = activityNdx;
++            }
++            final int uid = root == r ? effectiveUid : r.info.applicationInfo.uid;
++            if ((root.info.flags & FLAG_RELINQUISH_TASK_IDENTITY) == 0
++                || (root.info.applicationInfo.uid != Process.SYSTEM_UID
++                    && !root.info.applicationInfo.isSystemApp()
++                    && root.info.applicationInfo.uid != uid)) {
+                 break;
+             }
++            effectiveNdx = activityNdx;
++            root = r;
+         }
+         return effectiveNdx;
+     }

Patches/LineageOS-16.0/android_frameworks_base/335118.patch

@@ -0,0 +1,496 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wenhao Wang <wenhaowang@google.com>
+Date: Wed, 2 Feb 2022 10:56:44 -0800
+Subject: [PATCH] DO NOT MERGE Suppress notifications when device enter
+ lockdown
+
+This CL makes the following modifcations:
+1. Add LockPatternUtils.StrongAuthTracker to monitor
+the lockdown mode status of the phone.
+2. Call mListeners.notifyRemovedLocked with all the
+notifications in the mNotificationList when entering
+the lockdown mode.
+3. Call mListeners.notifyPostedLocked with all the
+notifications in the mNotificationList when exiting
+the lockdown mode.
+4. Dismiss the function calls of notifyPostedLocked,
+notifyRemovedLocked, and notifyRankingUpdateLocked
+during the lockdown mode.
+
+The CL also adds corresponding tests.
+
+Bug: 173721373
+Test: atest NotificationManagerServiceTest
+Test: atest NotificationListenersTest
+Test: manually verify the paired device cannot receive
+notifications when the host phone is in lockdown mode.
+Ignore-AOSP-First: pending fix for a security issue.
+
+Change-Id: I7e83544863eeadf8272b6ff8a9bb8136d6466203
+Merged-In: I7e83544863eeadf8272b6ff8a9bb8136d6466203
+(cherry picked from commit 3cb6842a053e236cc98d7616ba4433c31ffda3ac)
+(cherry picked from commit 85c00b98a6cac8d7286a70300ceff509693818f2)
+Merged-In: I7e83544863eeadf8272b6ff8a9bb8136d6466203
+---
+ .../NotificationManagerService.java           | 109 +++++++++++++-
+ .../tests/uiservicestests/AndroidManifest.xml |   1 +
+ .../NotificationListenersTest.java            | 135 ++++++++++++++++++
+ .../NotificationManagerServiceTest.java       |  66 +++++++++
+ 4 files changed, 305 insertions(+), 6 deletions(-)
+ create mode 100644 services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index dd202a172d66..0dfc0ab0c3e0 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -181,6 +181,7 @@ import android.util.AtomicFile;
+ import android.util.Log;
+ import android.util.Slog;
+ import android.util.SparseArray;
++import android.util.SparseBooleanArray;
+ import android.util.TimeUtils;
+ import android.util.Xml;
+ import android.util.proto.ProtoOutputStream;
+@@ -202,6 +203,7 @@ import com.android.internal.util.DumpUtils;
+ import com.android.internal.util.FastXmlSerializer;
+ import com.android.internal.util.Preconditions;
+ import com.android.internal.util.XmlUtils;
++import com.android.internal.widget.LockPatternUtils;
+ import com.android.server.DeviceIdleController;
+ import com.android.server.EventLogTags;
+ import com.android.server.LocalServices;
+@@ -1272,6 +1274,54 @@ public class NotificationManagerService extends SystemService {
+         return out;
+     }
+ 
++    protected class StrongAuthTracker extends LockPatternUtils.StrongAuthTracker {
++
++        SparseBooleanArray mUserInLockDownMode = new SparseBooleanArray();
++        boolean mIsInLockDownMode = false;
++
++        StrongAuthTracker(Context context) {
++            super(context);
++        }
++
++        private boolean containsFlag(int haystack, int needle) {
++            return (haystack & needle) != 0;
++        }
++
++        public boolean isInLockDownMode() {
++            return mIsInLockDownMode;
++        }
++
++        @Override
++        public synchronized void onStrongAuthRequiredChanged(int userId) {
++            boolean userInLockDownModeNext = containsFlag(getStrongAuthForUser(userId),
++                    STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
++            mUserInLockDownMode.put(userId, userInLockDownModeNext);
++            boolean isInLockDownModeNext = mUserInLockDownMode.indexOfValue(true) != -1;
++
++            if (mIsInLockDownMode == isInLockDownModeNext) {
++                return;
++            }
++
++            if (isInLockDownModeNext) {
++                cancelNotificationsWhenEnterLockDownMode();
++            }
++
++            // When the mIsInLockDownMode is true, both notifyPostedLocked and
++            // notifyRemovedLocked will be dismissed. So we shall call
++            // cancelNotificationsWhenEnterLockDownMode before we set mIsInLockDownMode
++            // as true and call postNotificationsWhenExitLockDownMode after we set
++            // mIsInLockDownMode as false.
++            mIsInLockDownMode = isInLockDownModeNext;
++
++            if (!isInLockDownModeNext) {
++                postNotificationsWhenExitLockDownMode();
++            }
++        }
++    }
++
++    private LockPatternUtils mLockPatternUtils;
++    private StrongAuthTracker mStrongAuthTracker;
++
+     public NotificationManagerService(Context context) {
+         super(context);
+         Notification.processWhitelistToken = WHITELIST_TOKEN;
+@@ -1283,6 +1333,11 @@ public class NotificationManagerService extends SystemService {
+         mAudioManager = audioMananger;
+     }
+ 
++    @VisibleForTesting
++    void setStrongAuthTracker(StrongAuthTracker strongAuthTracker) {
++        mStrongAuthTracker = strongAuthTracker;
++    }
++
+     @VisibleForTesting
+     void setHints(int hints) {
+         mListenerHints = hints;
+@@ -1435,6 +1490,8 @@ public class NotificationManagerService extends SystemService {
+ 
+         mHandler = new WorkerHandler(looper);
+         mRankingThread.start();
++        mLockPatternUtils = new LockPatternUtils(getContext());
++        mStrongAuthTracker = new StrongAuthTracker(getContext());
+         String[] extractorNames;
+         try {
+             extractorNames = resources.getStringArray(R.array.config_notificationSignalExtractors);
+@@ -1563,7 +1620,8 @@ public class NotificationManagerService extends SystemService {
+         init(Looper.myLooper(),
+                 AppGlobals.getPackageManager(), getContext().getPackageManager(),
+                 getLocalService(LightsManager.class),
+-                new NotificationListeners(AppGlobals.getPackageManager()),
++                new NotificationListeners(getContext(), mNotificationLock, mUserProfiles,
++                        AppGlobals.getPackageManager()),
+                 new NotificationAssistants(getContext(), mNotificationLock, mUserProfiles,
+                         AppGlobals.getPackageManager()),
+                 new ConditionProviders(getContext(), mUserProfiles, AppGlobals.getPackageManager()),
+@@ -1679,6 +1737,7 @@ public class NotificationManagerService extends SystemService {
+             mWindowManagerInternal = LocalServices.getService(WindowManagerInternal.class);
+             mKeyguardManager = getContext().getSystemService(KeyguardManager.class);
+             mZenModeHelper.onSystemReady();
++            mLockPatternUtils.registerStrongAuthTracker(mStrongAuthTracker);
+         } else if (phase == SystemService.PHASE_THIRD_PARTY_APPS_CAN_START) {
+             // This observer will force an update when observe is called, causing us to
+             // bind to listener services.
+@@ -6342,6 +6401,29 @@ public class NotificationManagerService extends SystemService {
+         }
+     }
+ 
++    private void cancelNotificationsWhenEnterLockDownMode() {
++        synchronized (mNotificationLock) {
++            int numNotifications = mNotificationList.size();
++            for (int i = 0; i < numNotifications; i++) {
++                NotificationRecord rec = mNotificationList.get(i);
++                mListeners.notifyRemovedLocked(rec, REASON_CANCEL_ALL,
++                        rec.getStats());
++            }
++
++        }
++    }
++
++    private void postNotificationsWhenExitLockDownMode() {
++        synchronized (mNotificationLock) {
++            int numNotifications = mNotificationList.size();
++            for (int i = 0; i < numNotifications; i++) {
++                NotificationRecord rec = mNotificationList.get(i);
++                mListeners.notifyPostedLocked(rec, rec);
++            }
++
++        }
++    }
++
+     private void updateNotificationPulse() {
+         synchronized (mNotificationLock) {
+             updateLightsLocked();
+@@ -6502,6 +6584,10 @@ public class NotificationManagerService extends SystemService {
+                 channels, overridePeople, snoozeCriteria, showBadge, userSentiment, hidden);
+     }
+ 
++    boolean isInLockDownMode() {
++        return mStrongAuthTracker.isInLockDownMode();
++    }
++
+     boolean hasCompanionDevice(ManagedServiceInfo info) {
+         if (mCompanionManager == null) {
+             mCompanionManager = getCompanionManager();
+@@ -6730,9 +6816,9 @@ public class NotificationManagerService extends SystemService {
+ 
+         private final ArraySet<ManagedServiceInfo> mLightTrimListeners = new ArraySet<>();
+ 
+-        public NotificationListeners(IPackageManager pm) {
+-            super(getContext(), mNotificationLock, mUserProfiles, pm);
+-
++        public NotificationListeners(Context context, Object lock, UserProfiles userProfiles,
++                IPackageManager pm) {
++            super(context, lock, userProfiles, pm);
+         }
+ 
+         @Override
+@@ -6822,8 +6908,12 @@ public class NotificationManagerService extends SystemService {
+          *                           targetting <= O_MR1
+          */
+         @GuardedBy("mNotificationLock")
+-        private void notifyPostedLocked(NotificationRecord r, NotificationRecord old,
++        void notifyPostedLocked(NotificationRecord r, NotificationRecord old,
+                 boolean notifyAllListeners) {
++            if (isInLockDownMode()) {
++                return;
++            }
++
+             // Lazily initialized snapshots of the notification.
+             StatusBarNotification sbn = r.sbn;
+             StatusBarNotification oldSbn = (old != null) ? old.sbn : null;
+@@ -6886,8 +6976,11 @@ public class NotificationManagerService extends SystemService {
+         @GuardedBy("mNotificationLock")
+         public void notifyRemovedLocked(NotificationRecord r, int reason,
+                 NotificationStats notificationStats) {
+-            final StatusBarNotification sbn = r.sbn;
++            if (isInLockDownMode()) {
++                return;
++            }
+ 
++            final StatusBarNotification sbn = r.sbn;
+             // make a copy in case changes are made to the underlying Notification object
+             // NOTE: this copy is lightweight: it doesn't include heavyweight parts of the
+             // notification
+@@ -6938,6 +7031,10 @@ public class NotificationManagerService extends SystemService {
+          */
+         @GuardedBy("mNotificationLock")
+         public void notifyRankingUpdateLocked(List<NotificationRecord> changedHiddenNotifications) {
++            if (isInLockDownMode()) {
++                return;
++            }
++
+             boolean isHiddenRankingUpdate = changedHiddenNotifications != null
+                     && changedHiddenNotifications.size() > 0;
+ 
+diff --git a/services/tests/uiservicestests/AndroidManifest.xml b/services/tests/uiservicestests/AndroidManifest.xml
+index aa3135ff18da..4f81bfae9a7c 100644
+--- a/services/tests/uiservicestests/AndroidManifest.xml
++++ b/services/tests/uiservicestests/AndroidManifest.xml
+@@ -29,6 +29,7 @@
+     <uses-permission android:name="android.permission.DEVICE_POWER" />
+     <uses-permission android:name="android.permission.ACCESS_CONTENT_PROVIDERS_EXTERNALLY" />
+     <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
++    <uses-permission android:name="android.permission.ACCESS_KEYGUARD_SECURE_STORAGE" />
+ 
+     <application android:debuggable="true">
+         <uses-library android:name="android.test.runner" />
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java
+new file mode 100644
+index 000000000000..793739bfe8f5
+--- /dev/null
++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationListenersTest.java
+@@ -0,0 +1,135 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package com.android.server.notification;
++
++import static org.mockito.ArgumentMatchers.any;
++import static org.mockito.Mockito.doNothing;
++import static org.mockito.Mockito.mock;
++import static org.mockito.Mockito.never;
++import static org.mockito.Mockito.reset;
++import static org.mockito.Mockito.spy;
++import static org.mockito.Mockito.times;
++import static org.mockito.Mockito.verify;
++import static org.mockito.Mockito.when;
++
++import android.app.INotificationManager;
++import android.content.pm.IPackageManager;
++import android.content.pm.PackageManager;
++import android.service.notification.NotificationStats;
++import android.service.notification.StatusBarNotification;
++import android.testing.TestableContext;
++
++import com.android.server.UiServiceTestCase;
++
++import org.junit.Before;
++import org.junit.Test;
++import org.mockito.Mock;
++import org.mockito.MockitoAnnotations;
++import org.mockito.internal.util.reflection.FieldSetter;
++
++import java.util.List;
++
++public class NotificationListenersTest extends UiServiceTestCase {
++
++    @Mock
++    private PackageManager mPm;
++    @Mock
++    private IPackageManager miPm;
++
++    @Mock
++    NotificationManagerService mNm;
++    @Mock
++    private INotificationManager mINm;
++    private TestableContext mContext = spy(getContext());
++
++    NotificationManagerService.NotificationListeners mListeners;
++
++    @Before
++    public void setUp() throws Exception {
++        MockitoAnnotations.initMocks(this);
++        getContext().setMockPackageManager(mPm);
++        doNothing().when(mContext).sendBroadcastAsUser(any(), any(), any());
++
++        mListeners = spy(mNm.new NotificationListeners(
++                mContext, new Object(), mock(ManagedServices.UserProfiles.class), miPm));
++        when(mNm.getBinderService()).thenReturn(mINm);
++    }
++
++    @Test
++    public void testNotifyPostedLockedInLockdownMode() {
++        NotificationRecord r = mock(NotificationRecord.class);
++        NotificationRecord old = mock(NotificationRecord.class);
++
++        // before the lockdown mode
++        when(mNm.isInLockDownMode()).thenReturn(false);
++        mListeners.notifyPostedLocked(r, old, true);
++        mListeners.notifyPostedLocked(r, old, false);
++        verify(mListeners, times(2)).getServices();
++
++        // in the lockdown mode
++        reset(r);
++        reset(old);
++        reset(mListeners);
++        when(mNm.isInLockDownMode()).thenReturn(true);
++        mListeners.notifyPostedLocked(r, old, true);
++        mListeners.notifyPostedLocked(r, old, false);
++        verify(mListeners, never()).getServices();
++    }
++
++    @Test
++    public void testnotifyRankingUpdateLockedInLockdownMode() {
++        List chn = mock(List.class);
++
++        // before the lockdown mode
++        when(mNm.isInLockDownMode()).thenReturn(false);
++        mListeners.notifyRankingUpdateLocked(chn);
++        verify(chn, times(1)).size();
++
++        // in the lockdown mode
++        reset(chn);
++        when(mNm.isInLockDownMode()).thenReturn(true);
++        mListeners.notifyRankingUpdateLocked(chn);
++        verify(chn, never()).size();
++    }
++
++    @Test
++    public void testNotifyRemovedLockedInLockdownMode() throws NoSuchFieldException {
++        StatusBarNotification sbn = mock(StatusBarNotification.class);
++        NotificationRecord r = mock(NotificationRecord.class);
++        NotificationStats rs = mock(NotificationStats.class);
++        FieldSetter.setField(r,
++                NotificationRecord.class.getDeclaredField("sbn"),
++                sbn);
++        FieldSetter.setField(mNm,
++                NotificationManagerService.class.getDeclaredField("mHandler"),
++                mock(NotificationManagerService.WorkerHandler.class));
++
++        // before the lockdown mode
++        when(mNm.isInLockDownMode()).thenReturn(false);
++        mListeners.notifyRemovedLocked(r, 0, rs);
++        mListeners.notifyRemovedLocked(r, 0, rs);
++        verify(sbn, times(2)).cloneLight();
++
++        // in the lockdown mode
++        reset(sbn);
++        reset(r);
++        reset(rs);
++        when(mNm.isInLockDownMode()).thenReturn(true);
++        mListeners.notifyRemovedLocked(r, 0, rs);
++        mListeners.notifyRemovedLocked(r, 0, rs);
++        verify(sbn, never()).cloneLight();
++    }
++}
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+index 420bfbc042ff..ed3406fc95b4 100644
+--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+@@ -37,6 +37,9 @@ import static android.content.pm.PackageManager.PERMISSION_DENIED;
+ import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+ import static android.os.Build.VERSION_CODES.O_MR1;
+ import static android.os.Build.VERSION_CODES.P;
++import static android.service.notification.NotificationListenerService.REASON_CANCEL_ALL;
++
++import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN;
+ 
+ import static junit.framework.Assert.assertEquals;
+ import static junit.framework.Assert.assertFalse;
+@@ -233,6 +236,26 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+         protected void reportUserInteraction(NotificationRecord r) {
+             return;
+         }
++
++        class StrongAuthTrackerFake extends NotificationManagerService.StrongAuthTracker {
++            private int mGetStrongAuthForUserReturnValue = 0;
++            StrongAuthTrackerFake(Context context) {
++                super(context);
++            }
++
++            public void setGetStrongAuthForUserReturnValue(int val) {
++                mGetStrongAuthForUserReturnValue = val;
++            }
++
++            @Override
++            public int getStrongAuthForUser(int userId) {
++                return mGetStrongAuthForUserReturnValue;
++            }
++        }
++    }
++
++    TestableNotificationManagerService.StrongAuthTrackerFake mStrongAuthTracker;
++
+     }
+ 
+     @Before
+@@ -304,6 +327,9 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+         }
+         mService.setAudioManager(mAudioManager);
+ 
++        mStrongAuthTracker = mService.new StrongAuthTrackerFake(mContext);
++        mService.setStrongAuthTracker(mStrongAuthTracker);
++
+         // Tests call directly into the Binder.
+         mBinderService = mService.getBinderService();
+         mInternalService = mService.getInternalService();
+@@ -3261,4 +3287,44 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+         mBinderService.areNotificationsEnabledForPackage(mContext.getPackageName(),
+                 mUid + UserHandle.PER_USER_RANGE);
+     }
++
++    @Test
++    public void testStrongAuthTracker_isInLockDownMode() {
++        mStrongAuthTracker.setGetStrongAuthForUserReturnValue(
++                STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
++        mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId());
++        assertTrue(mStrongAuthTracker.isInLockDownMode());
++        mStrongAuthTracker.setGetStrongAuthForUserReturnValue(0);
++        mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId());
++        assertFalse(mStrongAuthTracker.isInLockDownMode());
++    }
++
++    @Test
++    public void testCancelAndPostNotificationsWhenEnterAndExitLockDownMode() {
++        // post 2 notifications from 2 packages
++        NotificationRecord pkgA = new NotificationRecord(mContext,
++                generateSbn("a", 1000, 9, 0), mTestNotificationChannel);
++        mService.addNotification(pkgA);
++        NotificationRecord pkgB = new NotificationRecord(mContext,
++                generateSbn("b", 1001, 9, 0), mTestNotificationChannel);
++        mService.addNotification(pkgB);
++
++        // when entering the lockdown mode, cancel the 2 notifications.
++        mStrongAuthTracker.setGetStrongAuthForUserReturnValue(
++                STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
++        mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId());
++        assertTrue(mStrongAuthTracker.isInLockDownMode());
++
++        // the notifyRemovedLocked function is called twice due to REASON_LOCKDOWN.
++        ArgumentCaptor<Integer> captor = ArgumentCaptor.forClass(Integer.class);
++        verify(mListeners, times(2)).notifyRemovedLocked(any(), captor.capture(), any());
++        assertEquals(REASON_CANCEL_ALL, captor.getValue().intValue());
++
++        // exit lockdown mode.
++        mStrongAuthTracker.setGetStrongAuthForUserReturnValue(0);
++        mStrongAuthTracker.onStrongAuthRequiredChanged(mContext.getUserId());
++
++        // the notifyPostedLocked function is called twice.
++        verify(mListeners, times(2)).notifyPostedLocked(any(), any());
++    }
+ }

Patches/LineageOS-16.0/android_frameworks_base/335119.patch

@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Raphael Kim <raphk@google.com>
+Date: Fri, 22 Apr 2022 00:32:08 +0000
+Subject: [PATCH] Remove package title from notification access confirmation
+ intent
+
+Bug: 228178437
+Test: Manually confirmed on an application
+Change-Id: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
+Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
+(cherry picked from commit 51d47ec7c875cf964f46965a27a5d36343ea999d)
+Merged-In: Idad6dc0c71d7b39de0bd9e4ad922b5e6020a6184
+---
+ ...NotificationAccessConfirmationActivityContract.java | 10 ++++++----
+ .../companion/CompanionDeviceManagerService.java       |  9 ++-------
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java b/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java
+index 4ce6f609ef73..fdf0e9046eef 100644
+--- a/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java
++++ b/core/java/com/android/internal/notification/NotificationAccessConfirmationActivityContract.java
+@@ -17,6 +17,7 @@
+ package com.android.internal.notification;
+ 
+ import android.content.ComponentName;
++import android.content.Context;
+ import android.content.Intent;
+ 
+ public final class NotificationAccessConfirmationActivityContract {
+@@ -25,13 +26,14 @@ public final class NotificationAccessConfirmationActivityContract {
+             "com.android.settings.notification.NotificationAccessConfirmationActivity");
+     public static final String EXTRA_USER_ID = "user_id";
+     public static final String EXTRA_COMPONENT_NAME = "component_name";
+-    public static final String EXTRA_PACKAGE_TITLE = "package_title";
+ 
+-    public static Intent launcherIntent(int userId, ComponentName component, String packageTitle) {
++    /**
++     * Creates a launcher intent for NotificationAccessConfirmationActivity.
++     */
++    public static Intent launcherIntent(Context context, int userId, ComponentName component) {
+         return new Intent()
+                 .setComponent(COMPONENT_NAME)
+                 .putExtra(EXTRA_USER_ID, userId)
+-                .putExtra(EXTRA_COMPONENT_NAME, component)
+-                .putExtra(EXTRA_PACKAGE_TITLE, packageTitle);
++                .putExtra(EXTRA_COMPONENT_NAME, component);
+     }
+ }
+diff --git a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+index 0e77715e1563..e39652d77b7a 100644
+--- a/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
++++ b/services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java
+@@ -290,17 +290,12 @@ public class CompanionDeviceManagerService extends SystemService implements Bind
+             String callingPackage = component.getPackageName();
+             checkCanCallNotificationApi(callingPackage);
+             int userId = getCallingUserId();
+-            String packageTitle = BidiFormatter.getInstance().unicodeWrap(
+-                    getPackageInfo(callingPackage, userId)
+-                            .applicationInfo
+-                            .loadSafeLabel(getContext().getPackageManager())
+-                            .toString());
+-            long identity = Binder.clearCallingIdentity();
++            final long identity = Binder.clearCallingIdentity();
+             try {
+                 return PendingIntent.getActivity(getContext(),
+                         0 /* request code */,
+                         NotificationAccessConfirmationActivityContract.launcherIntent(
+-                                userId, component, packageTitle),
++                                getContext(), userId, component),
+                         PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_ONE_SHOT
+                                 | PendingIntent.FLAG_CANCEL_CURRENT);
+             } finally {

Patches/LineageOS-16.0/android_frameworks_base/335120.patch

@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: chiachangwang <chiachangwang@google.com>
+Date: Thu, 2 Jun 2022 10:22:20 +0000
+Subject: [PATCH] Stop using invalid URL to prevent unexpected crash
+
+Verify the input PAC Uri before performing follow-up actions.
+
+Check if the URL is a valid URL to filter some invalid URLs since
+these invalid URLs could not fall into any subclass of existing
+URLConnections. When the PAC Uri is other invalid URL scheme, it
+will cause an UnsupportedOperationException if there is no proper
+subclass that implements the openConnection() method.
+A malformed URL may crash the system.
+
+Even it's a valid URL, some subclasses(e.g. JarURLConnection)
+may not have openConnection() implemented. It will also hit the
+problem, so convert the possbile exception from openConnection()
+to re-throw it to IOException which is handled in the existing
+code.
+
+Bug: 219498290
+Test: atest FrameworksNetTests CtsNetTestCases
+Test: Test with malformed URL
+Merged-In: I22903414380b62051f514e43b93af992f45740b4
+Merged-In: I2abff75ec59a17628ef006aad348c53fadbed076
+Change-Id: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
+(cherry picked from commit 6390b37a3b32fc7583154d53fda3af8fbd95f59f)
+(cherry picked from commit 6d6f4106948bbad67b9845603392d084078997c4)
+Merged-In: I4d6cec1da9cf3f70dec0dcf4223254d3da4f30a3
+---
+ .../server/connectivity/PacManager.java       | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/connectivity/PacManager.java b/services/core/java/com/android/server/connectivity/PacManager.java
+index 3a27fcb352aa..f597c8135701 100644
+--- a/services/core/java/com/android/server/connectivity/PacManager.java
++++ b/services/core/java/com/android/server/connectivity/PacManager.java
+@@ -37,6 +37,7 @@ import android.os.SystemClock;
+ import android.os.SystemProperties;
+ import android.provider.Settings;
+ import android.util.Log;
++import android.webkit.URLUtil;
+ 
+ import com.android.internal.annotations.GuardedBy;
+ import com.android.net.IProxyCallback;
+@@ -211,8 +212,22 @@ public class PacManager {
+      * @throws IOException
+      */
+     private static String get(Uri pacUri) throws IOException {
+-        URL url = new URL(pacUri.toString());
+-        URLConnection urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);
++        if (!URLUtil.isValidUrl(pacUri.toString()))  {
++            throw new IOException("Malformed URL:" + pacUri);
++        }
++
++        final URL url = new URL(pacUri.toString());
++        URLConnection urlConnection;
++        try {
++            urlConnection = url.openConnection(java.net.Proxy.NO_PROXY);
++            // Catch the possible exceptions and rethrow as IOException to not to crash the system
++            // for illegal input.
++        } catch (IllegalArgumentException e) {
++            throw new IOException("Incorrect proxy type for " + pacUri);
++        } catch (UnsupportedOperationException e) {
++            throw new IOException("Unsupported URL connection type for " + pacUri);
++        }
++
+         long contentLength = -1;
+         try {
+             contentLength = Long.parseLong(urlConnection.getHeaderField("Content-Length"));

Patches/LineageOS-16.0/android_frameworks_base/335121.patch

@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Makoto Onuki <omakoto@google.com>
+Date: Tue, 19 Apr 2022 10:54:18 -0700
+Subject: [PATCH] Only allow the system server to connect to sync adapters
+
+Bug: 203229608
+Test: Manual test with changing the check logic + debug log
+Change-Id: If18009f61360564d02dcda9b1e5fa15685e3250f
+(cherry picked from commit 58270527d11ac7e5f07d337a402d8edf046a63ee)
+(cherry picked from commit 7d1397a54475ed7fee632339ef7c60b432f0fbff)
+Merged-In: If18009f61360564d02dcda9b1e5fa15685e3250f
+---
+ .../content/AbstractThreadedSyncAdapter.java  | 20 +++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/core/java/android/content/AbstractThreadedSyncAdapter.java b/core/java/android/content/AbstractThreadedSyncAdapter.java
+index a086a308d0d9..da4ecdd8c1f2 100644
+--- a/core/java/android/content/AbstractThreadedSyncAdapter.java
++++ b/core/java/android/content/AbstractThreadedSyncAdapter.java
+@@ -21,6 +21,7 @@ import static com.android.internal.util.function.pooled.PooledLambda.obtainMessa
+ import android.accounts.Account;
+ import android.annotation.MainThread;
+ import android.annotation.NonNull;
++import android.os.Binder;
+ import android.os.Build;
+ import android.os.Bundle;
+ import android.os.Handler;
+@@ -171,8 +172,20 @@ public abstract class AbstractThreadedSyncAdapter {
+     }
+ 
+     private class ISyncAdapterImpl extends ISyncAdapter.Stub {
++        private boolean isCallerSystem() {
++            final long callingUid = Binder.getCallingUid();
++            if (callingUid != Process.SYSTEM_UID) {
++                android.util.EventLog.writeEvent(0x534e4554, "203229608", -1, "");
++                return false;
++            }
++            return true;
++        }
++
+         @Override
+         public void onUnsyncableAccount(ISyncAdapterUnsyncableAccountCallback cb) {
++            if (!isCallerSystem()) {
++                return;
++            }
+             Handler.getMain().sendMessage(obtainMessage(
+                     AbstractThreadedSyncAdapter::handleOnUnsyncableAccount,
+                     AbstractThreadedSyncAdapter.this, cb));
+@@ -181,12 +194,16 @@ public abstract class AbstractThreadedSyncAdapter {
+         @Override
+         public void startSync(ISyncContext syncContext, String authority, Account account,
+                 Bundle extras) {
++            if (!isCallerSystem()) {
++                return;
++            }
+             if (ENABLE_LOG) {
+                 if (extras != null) {
+                     extras.size(); // Unparcel so its toString() will show the contents.
+                 }
+                 Log.d(TAG, "startSync() start " + authority + " " + account + " " + extras);
+             }
++
+             try {
+                 final SyncContext syncContextClient = new SyncContext(syncContext);
+ 
+@@ -242,6 +259,9 @@ public abstract class AbstractThreadedSyncAdapter {
+ 
+         @Override
+         public void cancelSync(ISyncContext syncContext) {
++            if (!isCallerSystem()) {
++                return;
++            }
+             try {
+                 // synchronize to make sure that mSyncThreads doesn't change between when we
+                 // check it and when we use it

Patches/LineageOS-16.0/android_frameworks_base/338346.patch

@@ -0,0 +1,113 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Manjeet Rulhania <mrulhania@google.com>
+Date: Thu, 28 Apr 2022 20:23:58 +0000
+Subject: [PATCH] Fix duplicate permission privilege escalation
+
+Duplicate permissions definition with different group allows
+privilege permission escalation to a different permission group.
+
+Android studio and gradle plugin does not allow duplicate
+permissions with different attributes, these tools only allow
+if duplicate permissions are exact copies.
+
+Also platform stores permissions in map at multiple places with
+permission name as key. This suggests that we can disallow
+duplicate permissions during package install/update.
+
+Bug: 213323615
+Test: manual
+Change-Id: I6f44e740897305e7a0553c1cf6c3af37faf02a2e
+Merged-In: I1910dca44104e35a57eba4acfa8188cd9b8626ac
+Merged-In: I34120fff2ec2a158dfa55779d2afd4bbd49487ff
+Merged-In: I9bc839836786a0876e67fd73c05f8944bb532249
+(cherry picked from commit 31bd425bb66b108cdec357a00f4a586379bcd33a)
+Merged-In: I6f44e740897305e7a0553c1cf6c3af37faf02a2e
+---
+ .../android/content/pm/PackageParser.java     | 53 +++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
+index e0c2d2dc6dde..c56dfbe97895 100644
+--- a/core/java/android/content/pm/PackageParser.java
++++ b/core/java/android/content/pm/PackageParser.java
+@@ -81,6 +81,7 @@ import android.util.AttributeSet;
+ import android.util.Base64;
+ import android.util.ByteStringUtils;
+ import android.util.DisplayMetrics;
++import android.util.EventLog;
+ import android.util.Log;
+ import android.util.PackageUtils;
+ import android.util.Pair;
+@@ -125,6 +126,7 @@ import java.util.Collections;
+ import java.util.Comparator;
+ import java.util.Iterator;
+ import java.util.List;
++import java.util.Objects;
+ import java.util.Set;
+ import java.util.UUID;
+ import java.util.concurrent.atomic.AtomicInteger;
+@@ -2469,6 +2471,12 @@ public class PackageParser {
+             }
+         }
+ 
++        if (declareDuplicatePermission(pkg)) {
++            outError[0] = "Found duplicate permission with a different attribute value.";
++            mParseError = PackageManager.INSTALL_PARSE_FAILED_MANIFEST_MALFORMED;
++            return null;
++        }
++
+         if (supportsSmallScreens < 0 || (supportsSmallScreens > 0
+                 && pkg.applicationInfo.targetSdkVersion
+                         >= android.os.Build.VERSION_CODES.DONUT)) {
+@@ -2507,6 +2515,51 @@ public class PackageParser {
+         return pkg;
+     }
+ 
++    /**
++     * @return {@code true} if the package declares malformed duplicate permissions.
++     */
++    public static boolean declareDuplicatePermission(@NonNull Package pkg) {
++        final List<Permission> permissions = pkg.permissions;
++        final int size = permissions.size();
++        if (size > 0) {
++            final ArrayMap<String, Permission> checkDuplicatePerm = new ArrayMap<>(size);
++            for (int i = 0; i < size; i++) {
++                final Permission permissionDefinition = permissions.get(i);
++                final String name = permissionDefinition.info.name;
++                final Permission perm = checkDuplicatePerm.get(name);
++                if (isMalformedDuplicate(permissionDefinition, perm)) {
++                    // Fix for b/213323615
++                    EventLog.writeEvent(0x534e4554, "213323615",
++                            "The package " + pkg.packageName + " seems malicious");
++                    return true;
++                }
++                checkDuplicatePerm.put(name, permissionDefinition);
++            }
++        }
++        return false;
++    }
++
++    /**
++     * Determines if a duplicate permission is malformed .i.e. defines different protection level
++     * or group.
++     */
++    private static boolean isMalformedDuplicate(Permission p1, Permission p2) {
++        // Since a permission tree is also added as a permission with normal protection
++        // level, we need to skip if the parsedPermission is a permission tree.
++        if (p1 == null || p2 == null || p1.tree || p2.tree) {
++            return false;
++        }
++
++        if (p1.info.getProtection() != p2.info.getProtection()) {
++            return true;
++        }
++        if (!Objects.equals(p1.info.group, p2.info.group)) {
++            return true;
++        }
++
++        return false;
++    }
++
+     private boolean checkOverlayRequiredSystemProperty(String propName, String propValue) {
+ 
+         if (TextUtils.isEmpty(propName) || TextUtils.isEmpty(propValue)) {

Patches/LineageOS-16.0/android_frameworks_base/338347.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Steven Moreland <smoreland@google.com>
+Date: Wed, 30 Mar 2022 21:46:29 +0000
+Subject: [PATCH] Parcel: recycle recycles
+
+Before, it was like getting a used pan with food stuck on it. We run
+a clean ship here. You want a Parcel? You get a fresh Parcel. When
+we recycle a Parcel, we do a real clean-up job. Air freshener. All
+bits brushed over. These Parcel objects are clean as heck now!
+
+(specifically cleans mClassCookies)
+
+Bug: 208279300
+Test: build
+Merged-In: I250872f5c6796bb64e2dc68008154c0e90feb218
+Change-Id: I250872f5c6796bb64e2dc68008154c0e90feb218
+(cherry picked from commit 46770fa49c9a5e51a5ea5a3afc7aab0dba2e59bd)
+(cherry picked from commit b5c79e141a81fa86fc834980d46886ac3c86ab11)
+Merged-In: I250872f5c6796bb64e2dc68008154c0e90feb218
+---
+ core/java/android/os/Parcel.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/core/java/android/os/Parcel.java b/core/java/android/os/Parcel.java
+index 460f12510d45..8d44ba1ad625 100644
+--- a/core/java/android/os/Parcel.java
++++ b/core/java/android/os/Parcel.java
+@@ -406,6 +406,7 @@ public final class Parcel {
+      */
+     public final void recycle() {
+         if (DEBUG_RECYCLE) mStack = null;
++        mClassCookies = null;
+         freeBuffer();
+ 
+         final Parcel[] pool;

Patches/LineageOS-16.0/android_frameworks_base/338348.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Adrian Roos <roosa@google.com>
+Date: Thu, 24 Sep 2020 15:30:46 +0200
+Subject: [PATCH] IMMS: Make IMMS PendingIntents immutable
+
+Fixes: 154913391
+Test: n/a
+Change-Id: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+(cherry picked from commit d4b625994f7664666ac7b53bf6a7d79a6459b3f1)
+(cherry picked from commit 6842f03c9d2f128785df5ce2bd02c61f35226554)
+(cherry picked from commit 2b859826165bddb11f17b217d097253c442f6045)
+Merged-In: I34a95732ef3e7c20d6549b57230c11f0c3db04d6
+---
+ .../java/com/android/server/InputMethodManagerService.java  | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/InputMethodManagerService.java b/services/core/java/com/android/server/InputMethodManagerService.java
+index 412b314aefbf..e728b0aa92e8 100644
+--- a/services/core/java/com/android/server/InputMethodManagerService.java
++++ b/services/core/java/com/android/server/InputMethodManagerService.java
+@@ -1402,7 +1402,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub
+ 
+         Intent intent = new Intent(ACTION_SHOW_INPUT_METHOD_PICKER)
+                 .setPackage(mContext.getPackageName());
+-        mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent, 0);
++        mImeSwitchPendingIntent = PendingIntent.getBroadcast(mContext, 0, intent,
++                PendingIntent.FLAG_IMMUTABLE);
+ 
+         mShowOngoingImeSwitcherForPhones = false;
+ 
+@@ -2003,7 +2004,8 @@ public class InputMethodManagerService extends IInputMethodManager.Stub
+         mCurIntent.putExtra(Intent.EXTRA_CLIENT_LABEL,
+                 com.android.internal.R.string.input_method_binding_label);
+         mCurIntent.putExtra(Intent.EXTRA_CLIENT_INTENT, PendingIntent.getActivity(
+-                mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS), 0));
++                mContext, 0, new Intent(Settings.ACTION_INPUT_METHOD_SETTINGS),
++                PendingIntent.FLAG_IMMUTABLE));
+         if (bindCurrentInputMethodServiceLocked(mCurIntent, this, IME_CONNECTION_BIND_FLAGS)) {
+             mLastBindTime = SystemClock.uptimeMillis();
+             mHaveConnection = true;

Patches/LineageOS-16.0/android_frameworks_base/338349.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Manjeet Rulhania <mrulhania@google.com>
+Date: Thu, 30 Jun 2022 18:52:50 +0000
+Subject: [PATCH] Remove package name from SafetyNet logs
+
+Bug: 213323615
+Test: AppSecurityTests
+Change-Id: Ia2be2b1e32dc0b75c352bc15219f4c4de9abb45a
+Merged-In: I993832e148636f1795ffe393c6dc74a08b9442f8
+Merged-In: I8f823487ca16861a35135cfc3383fa2ce8258017
+Merged-In: I4b61d13256ce0bfb8fc9d21db52ee78ce2097f14
+(cherry picked from commit 50d343c656921ba9c730c68b7a41de6b15f57f03)
+Merged-In: Ia2be2b1e32dc0b75c352bc15219f4c4de9abb45a
+---
+ core/java/android/content/pm/PackageParser.java | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
+index c56dfbe97895..d99302d6696f 100644
+--- a/core/java/android/content/pm/PackageParser.java
++++ b/core/java/android/content/pm/PackageParser.java
+@@ -2529,8 +2529,7 @@ public class PackageParser {
+                 final Permission perm = checkDuplicatePerm.get(name);
+                 if (isMalformedDuplicate(permissionDefinition, perm)) {
+                     // Fix for b/213323615
+-                    EventLog.writeEvent(0x534e4554, "213323615",
+-                            "The package " + pkg.packageName + " seems malicious");
++                    EventLog.writeEvent(0x534e4554, "213323615");
+                     return true;
+                 }
+                 checkDuplicatePerm.put(name, permissionDefinition);

Patches/LineageOS-16.0/android_frameworks_base/342100.patch

@@ -0,0 +1,251 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Fri, 1 Jul 2022 09:49:12 -0400
+Subject: [PATCH] DO NOT MERGE Limit the number of concurrently snoozed
+ notifications
+
+Test: atest FrameworksUiServicesTests
+Bug: 234441463
+Change-Id: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35
+Merged-In: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35
+(cherry picked from commit 7c38394ae9c69620499a87e629edae4fe0ac4edc)
+(cherry picked from commit c38cc3e355718577192da8f544d21fd0be5f6be2)
+Merged-In: I005b43979d1c708fd505c8b33ae0c8cb03ddbb35
+---
+ .../NotificationManagerService.java           | 25 +++++--
+ .../server/notification/SnoozeHelper.java     |  9 +++
+ .../NotificationManagerServiceTest.java       | 68 +++++++++++++++++++
+ .../server/notification/SnoozeHelperTest.java | 18 +++++
+ 4 files changed, 116 insertions(+), 4 deletions(-)
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index 0dfc0ab0c3e0..acef7148cd2f 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -4487,13 +4487,17 @@ public class NotificationManagerService extends SystemService {
+ 
+         @GuardedBy("mNotificationLock")
+         void snoozeLocked(NotificationRecord r) {
++            final List<NotificationRecord> recordsToSnooze = new ArrayList<>();
+             if (r.sbn.isGroup()) {
+-                final List<NotificationRecord> groupNotifications = findGroupNotificationsLocked(
+-                        r.sbn.getPackageName(), r.sbn.getGroupKey(), r.sbn.getUserId());
++                final List<NotificationRecord> groupNotifications =
++                        findGroupNotificationsLocked(r.sbn.getPackageName(),
++                                r.sbn.getGroupKey(), r.sbn.getUserId());
+                 if (r.getNotification().isGroupSummary()) {
+                     // snooze summary and all children
+                     for (int i = 0; i < groupNotifications.size(); i++) {
+-                        snoozeNotificationLocked(groupNotifications.get(i));
++                        if (!mKey.equals(groupNotifications.get(i).getKey())) {
++                            recordsToSnooze.add(groupNotifications.get(i));
++                        }
+                     }
+                 } else {
+                     // if there is a valid summary for this group, and we are snoozing the only
+@@ -4504,7 +4508,9 @@ public class NotificationManagerService extends SystemService {
+                         } else {
+                             // snooze summary and the one child
+                             for (int i = 0; i < groupNotifications.size(); i++) {
+-                                snoozeNotificationLocked(groupNotifications.get(i));
++                                if (!mKey.equals(groupNotifications.get(i).getKey())) {
++                                    recordsToSnooze.add(groupNotifications.get(i));
++                                }
+                             }
+                         }
+                     } else {
+@@ -4515,6 +4521,17 @@ public class NotificationManagerService extends SystemService {
+                 // just snooze the one notification
+                 snoozeNotificationLocked(r);
+             }
++
++            // snooze the notification
++            recordsToSnooze.add(r);
++
++            if (mSnoozeHelper.canSnooze(recordsToSnooze.size())) {
++                for (int i = 0; i < recordsToSnooze.size(); i++) {
++                    snoozeNotificationLocked(recordsToSnooze.get(i));
++                }
++            } else {
++                Log.w(TAG, "Cannot snooze " + r.getKey() + ": too many snoozed notifications");
++            }
+         }
+ 
+         @GuardedBy("mNotificationLock")
+diff --git a/services/core/java/com/android/server/notification/SnoozeHelper.java b/services/core/java/com/android/server/notification/SnoozeHelper.java
+index 732a58774b78..fc0962d9ea36 100644
+--- a/services/core/java/com/android/server/notification/SnoozeHelper.java
++++ b/services/core/java/com/android/server/notification/SnoozeHelper.java
+@@ -55,6 +55,8 @@ import java.util.Set;
+  * NotificationManagerService helper for handling snoozed notifications.
+  */
+ public class SnoozeHelper {
++    static final int CONCURRENT_SNOOZE_LIMIT = 500;
++
+     private static final String TAG = "SnoozeHelper";
+     private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);
+     private static final String INDENT = "    ";
+@@ -89,6 +91,13 @@ public class SnoozeHelper {
+         mUserProfiles = userProfiles;
+     }
+ 
++    protected boolean canSnooze(int numberToSnooze) {
++        if ((mPackages.size() + numberToSnooze) > CONCURRENT_SNOOZE_LIMIT) {
++            return false;
++        }
++        return true;
++    }
++
+     protected boolean isSnoozed(int userId, String pkg, String key) {
+         return mSnoozedNotifications.containsKey(userId)
+                 && mSnoozedNotifications.get(userId).containsKey(pkg)
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+index ed3406fc95b4..9592e1905b54 100644
+--- a/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
++++ b/services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java
+@@ -1799,6 +1799,69 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+         assertFalse(mService.hasCompanionDevice(mListener));
+     }
+ 
++    @Test
++    public void testSnoozeRunnable_tooManySnoozed_singleNotification() {
++        final NotificationRecord notification = generateNotificationRecord(
++                mTestNotificationChannel, 1, null, true);
++        mService.addNotification(notification);
++
++        when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true);
++        when(mSnoozeHelper.canSnooze(1)).thenReturn(false);
++
++        NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable =
++                mService.new SnoozeNotificationRunnable(
++                        notification.getKey(), 100, null);
++        snoozeNotificationRunnable.run();
++
++        verify(mSnoozeHelper, never()).snooze(any(NotificationRecord.class), anyLong());
++        assertEquals(1, mService.getNotificationRecordCount());
++    }
++
++    @Test
++    public void testSnoozeRunnable_tooManySnoozed_singleGroupChildNotification() {
++        final NotificationRecord notification = generateNotificationRecord(
++                mTestNotificationChannel, 1, "group", true);
++        final NotificationRecord notificationChild = generateNotificationRecord(
++                mTestNotificationChannel, 1, "group", false);
++        mService.addNotification(notification);
++        mService.addNotification(notificationChild);
++
++        when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true);
++        when(mSnoozeHelper.canSnooze(2)).thenReturn(false);
++
++        NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable =
++                mService.new SnoozeNotificationRunnable(
++                        notificationChild.getKey(), 100, null);
++        snoozeNotificationRunnable.run();
++
++        verify(mSnoozeHelper, never()).snooze(any(NotificationRecord.class), anyLong());
++        assertEquals(2, mService.getNotificationRecordCount());
++    }
++
++    @Test
++    public void testSnoozeRunnable_tooManySnoozed_summaryNotification() {
++        final NotificationRecord notification = generateNotificationRecord(
++                mTestNotificationChannel, 1, "group", true);
++        final NotificationRecord notificationChild = generateNotificationRecord(
++                mTestNotificationChannel, 12, "group", false);
++        final NotificationRecord notificationChild2 = generateNotificationRecord(
++                mTestNotificationChannel, 13, "group", false);
++        mService.addNotification(notification);
++        mService.addNotification(notificationChild);
++        mService.addNotification(notificationChild2);
++
++        when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true);
++        when(mSnoozeHelper.canSnooze(3)).thenReturn(false);
++
++        NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable =
++                mService.new SnoozeNotificationRunnable(
++                        notification.getKey(), 100, null);
++        snoozeNotificationRunnable.run();
++
++        verify(mSnoozeHelper, never()).snooze(any(NotificationRecord.class), anyLong());
++        assertEquals(3, mService.getNotificationRecordCount());
++    }
++
+     @Test
+     public void testSnoozeRunnable_snoozeNonGrouped() throws Exception {
+         final NotificationRecord nonGrouped = generateNotificationRecord(
+@@ -1807,6 +1870,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+                 mTestNotificationChannel, 2, "group", false);
+         mService.addNotification(grouped);
+         mService.addNotification(nonGrouped);
++        when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true);
+ 
+         NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable =
+                 mService.new SnoozeNotificationRunnable(
+@@ -1829,6 +1893,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+         mService.addNotification(parent);
+         mService.addNotification(child);
+         mService.addNotification(child2);
++        when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true);
+ 
+         NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable =
+                 mService.new SnoozeNotificationRunnable(
+@@ -1850,6 +1915,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+         mService.addNotification(parent);
+         mService.addNotification(child);
+         mService.addNotification(child2);
++        when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true);
+ 
+         NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable =
+                 mService.new SnoozeNotificationRunnable(
+@@ -1869,6 +1935,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+                 mTestNotificationChannel, 2, "group", false);
+         mService.addNotification(parent);
+         mService.addNotification(child);
++        when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true);
+ 
+         NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable =
+                 mService.new SnoozeNotificationRunnable(
+@@ -1884,6 +1951,7 @@ public class NotificationManagerServiceTest extends UiServiceTestCase {
+         final NotificationRecord child = generateNotificationRecord(
+                 mTestNotificationChannel, 2, "group", false);
+         mService.addNotification(child);
++        when(mSnoozeHelper.canSnooze(anyInt())).thenReturn(true);
+ 
+         NotificationManagerService.SnoozeNotificationRunnable snoozeNotificationRunnable =
+                 mService.new SnoozeNotificationRunnable(
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java b/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
+index 7adfbd3cb777..30ec5589d594 100644
+--- a/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
++++ b/services/tests/uiservicestests/src/com/android/server/notification/SnoozeHelperTest.java
+@@ -22,6 +22,8 @@ import org.mockito.ArgumentCaptor;
+ import org.mockito.Mock;
+ import org.mockito.MockitoAnnotations;
+ 
++import static com.android.server.notification.SnoozeHelper.CONCURRENT_SNOOZE_LIMIT;
++
+ import android.app.AlarmManager;
+ import android.app.Notification;
+ import android.app.NotificationChannel;
+@@ -101,6 +103,22 @@ public class SnoozeHelperTest extends UiServiceTestCase {
+                 UserHandle.USER_SYSTEM, r.sbn.getPackageName(), r.getKey()));
+     }
+ 
++    @Test
++    public void testSnoozeLimit() {
++        for (int i = 0; i < CONCURRENT_SNOOZE_LIMIT; i++ ) {
++            NotificationRecord r = getNotificationRecord("pkg", i, i+"", UserHandle.SYSTEM);
++
++            assertTrue("cannot snooze record " + i, mSnoozeHelper.canSnooze(1));
++
++            if (i % 2 == 0) {
++                mSnoozeHelper.snooze(r, 1000);
++            } else {
++                mSnoozeHelper.snooze(r, 9000);
++            }
++        }
++        assertFalse(mSnoozeHelper.canSnooze(1));
++    }
++
+     @Test
+     public void testCancelByApp() throws Exception {
+         NotificationRecord r = getNotificationRecord("pkg", 1, "one", UserHandle.SYSTEM);

Patches/LineageOS-16.0/android_frameworks_base/344168.patch

@@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aseem Kumar <aseemk@google.com>
+Date: Mon, 21 Mar 2022 20:35:20 -0700
+Subject: [PATCH] DO NOT MERGE Move accountname and typeName length check from
+ Account.java to AccountManagerService.
+
+Bug: 169762606
+Test: atest AccountManagerServiceTest
+Change-Id: I80fabf3a64c55837db98ff316e7e5420129c001b
+(cherry picked from commit 3f218c9a5e1f7c3213ceb84c15afca0d3041057b)
+Merged-In: I80fabf3a64c55837db98ff316e7e5420129c001b
+---
+ core/java/android/accounts/Account.java       |  7 -------
+ .../accounts/AccountManagerService.java       | 12 ++++++++++++
+ .../accounts/AccountManagerServiceTest.java   | 19 +++++++++++++++++++
+ 3 files changed, 31 insertions(+), 7 deletions(-)
+
+diff --git a/core/java/android/accounts/Account.java b/core/java/android/accounts/Account.java
+index 1546ae14862d..3f90f36fb2a1 100644
+--- a/core/java/android/accounts/Account.java
++++ b/core/java/android/accounts/Account.java
+@@ -28,7 +28,6 @@ import android.util.ArraySet;
+ import android.util.Log;
+ import com.android.internal.annotations.GuardedBy;
+ 
+-import java.util.Objects;
+ import java.util.Set;
+ 
+ /**
+@@ -81,12 +80,6 @@ public class Account implements Parcelable {
+         if (TextUtils.isEmpty(type)) {
+             throw new IllegalArgumentException("the type must not be empty: " + type);
+         }
+-        if (name.length() > 200) {
+-            throw new IllegalArgumentException("account name is longer than 200 characters");
+-        }
+-        if (type.length() > 200) {
+-            throw new IllegalArgumentException("account type is longer than 200 characters");
+-        }
+         this.name = name;
+         this.type = type;
+         this.accessId = accessId;
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 9e8464728b9b..4c8acc5ffb63 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -1777,6 +1777,14 @@ public class AccountManagerService
+         if (account == null) {
+             return false;
+         }
++        if (account.name != null && account.name.length() > 200) {
++            Log.w(TAG, "Account cannot be added - Name longer than 200 chars");
++            return false;
++        }
++        if (account.type != null && account.type.length() > 200) {
++            Log.w(TAG, "Account cannot be added - Name longer than 200 chars");
++            return false;
++        }
+         if (!isLocalUnlockedUser(accounts.userId)) {
+             Log.w(TAG, "Account " + account + " cannot be added - user " + accounts.userId
+                     + " is locked. callingUid=" + callingUid);
+@@ -1969,6 +1977,10 @@ public class AccountManagerService
+                 + ", pid " + Binder.getCallingPid());
+         }
+         if (accountToRename == null) throw new IllegalArgumentException("account is null");
++        if (newName != null && newName.length() > 200) {
++            Log.e(TAG, "renameAccount failed - account name longer than 200");
++            throw new IllegalArgumentException("account name longer than 200");
++        }
+         int userId = UserHandle.getCallingUserId();
+         if (!isAccountManagedByCaller(accountToRename.type, callingUid, userId)) {
+             String msg = String.format(
+diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+index 149ef156a9fa..73267e4868a6 100644
+--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
++++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+@@ -237,6 +237,25 @@ public class AccountManagerServiceTest extends AndroidTestCase {
+         assertEquals(a31, accounts[1]);
+     }
+ 
++    @SmallTest
++    public void testCheckAddAccountLongName() throws Exception {
++        unlockSystemUser();
++        String longString = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++                + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++                + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++                + "aaaaa";
++        Account a11 = new Account(longString, AccountManagerServiceTestFixtures.ACCOUNT_TYPE_1);
++
++        mAms.addAccountExplicitly(a11, /* password= */ "p11", /* extras= */ null);
++
++        String[] list = new String[]{AccountManagerServiceTestFixtures.CALLER_PACKAGE};
++        when(mMockPackageManager.getPackagesForUid(anyInt())).thenReturn(list);
++        Account[] accounts = mAms.getAccountsAsUser(null,
++                UserHandle.getCallingUserId(), mContext.getOpPackageName());
++        assertEquals(0, accounts.length);
++    }
++
++
+     @SmallTest
+     public void testPasswords() throws Exception {
+         unlockSystemUser();

Patches/LineageOS-16.0/android_frameworks_base/344169.patch

@@ -0,0 +1,141 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Stuart <tjstuart@google.com>
+Date: Thu, 23 Jun 2022 14:27:43 -0700
+Subject: [PATCH] switch TelecomManager List getters to ParceledListSlice
+
+It was shown that given a large phoneAccountHandles that are
+over 1 mb, a TransactionTooLarge exception can be silently thrown
+causing an empty list to be returned.
+
+In order to prevent this behavior, all Lists that return a
+PhoneAccountHandle or PhoneAccount have been switched to
+ParceledListSlice.
+
+bug: 236263294
+Test: atest android.telecom.cts.PhoneAccountRegistrarTest
+             #testRegisterPhoneAccountHandleWithFieldOverLimit
+Change-Id: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
+Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
+(cherry picked from commit 773cddde3d522606ff032fe8e432321c70edca09)
+Merged-In: I025245b2a6f8cfaca86f268851a9d8f0817e07dd
+---
+ telecomm/java/android/telecom/TelecomManager.java  | 14 ++++++++------
+ .../android/internal/telecom/ITelecomService.aidl  | 13 +++++++------
+ 2 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/telecomm/java/android/telecom/TelecomManager.java b/telecomm/java/android/telecom/TelecomManager.java
+index 6b00a495668c..ae97db00507d 100644
+--- a/telecomm/java/android/telecom/TelecomManager.java
++++ b/telecomm/java/android/telecom/TelecomManager.java
+@@ -831,7 +831,7 @@ public class TelecomManager {
+         try {
+             if (isServiceConnected()) {
+                 return getTelecomService().getPhoneAccountsSupportingScheme(uriScheme,
+-                        mContext.getOpPackageName());
++                        mContext.getOpPackageName()).getList();
+             }
+         } catch (RemoteException e) {
+             Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsSupportingScheme", e);
+@@ -873,7 +873,8 @@ public class TelecomManager {
+     public List<PhoneAccountHandle> getSelfManagedPhoneAccounts() {
+         try {
+             if (isServiceConnected()) {
+-                return getTelecomService().getSelfManagedPhoneAccounts(mContext.getOpPackageName());
++                return getTelecomService()
++                  .getSelfManagedPhoneAccounts(mContext.getOpPackageName()).getList();
+             }
+         } catch (RemoteException e) {
+             Log.e(TAG, "Error calling ITelecomService#getSelfManagedPhoneAccounts()", e);
+@@ -892,7 +893,7 @@ public class TelecomManager {
+         try {
+             if (isServiceConnected()) {
+                 return getTelecomService().getCallCapablePhoneAccounts(
+-                        includeDisabledAccounts, mContext.getOpPackageName());
++                        includeDisabledAccounts, mContext.getOpPackageName()).getList();
+             }
+         } catch (RemoteException e) {
+             Log.e(TAG, "Error calling ITelecomService#getCallCapablePhoneAccounts(" +
+@@ -912,7 +913,8 @@ public class TelecomManager {
+     public List<PhoneAccountHandle> getPhoneAccountsForPackage() {
+         try {
+             if (isServiceConnected()) {
+-                return getTelecomService().getPhoneAccountsForPackage(mContext.getPackageName());
++                return getTelecomService()
++                  .getPhoneAccountsForPackage(mContext.getPackageName()).getList();
+             }
+         } catch (RemoteException e) {
+             Log.e(TAG, "Error calling ITelecomService#getPhoneAccountsForPackage", e);
+@@ -966,7 +968,7 @@ public class TelecomManager {
+     public List<PhoneAccount> getAllPhoneAccounts() {
+         try {
+             if (isServiceConnected()) {
+-                return getTelecomService().getAllPhoneAccounts();
++                return getTelecomService().getAllPhoneAccounts().getList();
+             }
+         } catch (RemoteException e) {
+             Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccounts", e);
+@@ -984,7 +986,7 @@ public class TelecomManager {
+     public List<PhoneAccountHandle> getAllPhoneAccountHandles() {
+         try {
+             if (isServiceConnected()) {
+-                return getTelecomService().getAllPhoneAccountHandles();
++                return getTelecomService().getAllPhoneAccountHandles().getList();
+             }
+         } catch (RemoteException e) {
+             Log.e(TAG, "Error calling ITelecomService#getAllPhoneAccountHandles", e);
+diff --git a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
+index b4e7d56bc642..5169a7d24093 100644
+--- a/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
++++ b/telecomm/java/com/android/internal/telecom/ITelecomService.aidl
+@@ -23,6 +23,7 @@ import android.telecom.PhoneAccountHandle;
+ import android.net.Uri;
+ import android.os.Bundle;
+ import android.telecom.PhoneAccount;
++import android.content.pm.ParceledListSlice;
+ 
+ /**
+  * Interface used to interact with Telecom. Mostly this is used by TelephonyManager for passing
+@@ -55,24 +56,24 @@ interface ITelecomService {
+     /**
+      * @see TelecomServiceImpl#getCallCapablePhoneAccounts
+      */
+-    List<PhoneAccountHandle> getCallCapablePhoneAccounts(
++    ParceledListSlice getCallCapablePhoneAccounts(
+             boolean includeDisabledAccounts, String callingPackage);
+ 
+     /**
+      * @see TelecomServiceImpl#getSelfManagedPhoneAccounts
+      */
+-    List<PhoneAccountHandle> getSelfManagedPhoneAccounts(String callingPackage);
++    ParceledListSlice getSelfManagedPhoneAccounts(String callingPackage);
+ 
+     /**
+      * @see TelecomManager#getPhoneAccountsSupportingScheme
+      */
+-    List<PhoneAccountHandle> getPhoneAccountsSupportingScheme(in String uriScheme,
++    ParceledListSlice getPhoneAccountsSupportingScheme(in String uriScheme,
+             String callingPackage);
+ 
+     /**
+      * @see TelecomManager#getPhoneAccountsForPackage
+      */
+-    List<PhoneAccountHandle> getPhoneAccountsForPackage(in String packageName);
++    ParceledListSlice getPhoneAccountsForPackage(in String packageName);
+ 
+     /**
+      * @see TelecomManager#getPhoneAccount
+@@ -87,12 +88,12 @@ interface ITelecomService {
+     /**
+      * @see TelecomManager#getAllPhoneAccounts
+      */
+-    List<PhoneAccount> getAllPhoneAccounts();
++    ParceledListSlice getAllPhoneAccounts();
+ 
+     /**
+      * @see TelecomManager#getAllPhoneAccountHandles
+      */
+-    List<PhoneAccountHandle> getAllPhoneAccountHandles();
++    ParceledListSlice getAllPhoneAccountHandles();
+ 
+     /**
+      * @see TelecomServiceImpl#getSimCallManager

Patches/LineageOS-16.0/android_frameworks_base/344170.patch

@@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Louis Chang <louischang@google.com>
+Date: Tue, 2 Aug 2022 03:33:39 +0000
+Subject: [PATCH] Do not send new Intent to non-exported activity when
+ navigateUpTo
+
+The new Intent was delivered to a non-exported activity while
+'#navigateUpTo was called from an Activity of a different uid.
+
+Backport to pie:
+ * services/core/java/com/android/server/am directory (not wm)
+ * back port of getPid() method
+
+Bug: 238605611
+Test: atest StartActivityTests
+Change-Id: I854dd825bfd9a2c08851980d480d1f3a177af6cf
+Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf
+(cherry picked from commit b9a934064598aa655fab4ce75c8eab6165409670)
+Merged-In: I854dd825bfd9a2c08851980d480d1f3a177af6cf
+---
+ .../com/android/server/am/ActivityRecord.java  |  4 ++++
+ .../com/android/server/am/ActivityStack.java   | 18 +++++++++++++++++-
+ .../com/android/server/am/ProcessRecord.java   |  4 ++++
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityRecord.java b/services/core/java/com/android/server/am/ActivityRecord.java
+index 2c5b8568515f..089a3984a480 100644
+--- a/services/core/java/com/android/server/am/ActivityRecord.java
++++ b/services/core/java/com/android/server/am/ActivityRecord.java
+@@ -2922,6 +2922,10 @@ final class ActivityRecord extends ConfigurationContainer implements AppWindowCo
+         return info.applicationInfo.uid;
+     }
+ 
++    int getPid() {
++        return app != null ? app.getPid() : 0;
++    }
++
+     void setShowWhenLocked(boolean showWhenLocked) {
+         mShowWhenLocked = showWhenLocked;
+         mStackSupervisor.ensureActivitiesVisibleLocked(null, 0 /* configChanges */,
+diff --git a/services/core/java/com/android/server/am/ActivityStack.java b/services/core/java/com/android/server/am/ActivityStack.java
+index dddcc9e466a4..68af5184dec0 100644
+--- a/services/core/java/com/android/server/am/ActivityStack.java
++++ b/services/core/java/com/android/server/am/ActivityStack.java
+@@ -4008,7 +4008,23 @@ class ActivityStack<T extends StackWindowController> extends ConfigurationContai
+                     parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TASK ||
+                     parentLaunchMode == ActivityInfo.LAUNCH_SINGLE_TOP ||
+                     (destIntentFlags & Intent.FLAG_ACTIVITY_CLEAR_TOP) != 0) {
+-                parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName);
++                boolean abort;
++                try {
++                    final int callingPid = srec.app != null ? srec.app.getPid() : 0;
++                    abort = !mStackSupervisor.checkStartAnyActivityPermission(destIntent,
++                            parent.info, null /* resultWho */, -1 /* requestCode */, callingPid,
++                            callingUid, srec.info.packageName, false /* ignoreTargetSecurity */,
++                            false /* launchingInTask */, srec.app, null /* resultRecord */,
++                            null /* resultRootTask */);
++                } catch (SecurityException e) {
++                    abort = true;
++                }
++                if (abort) {
++                    android.util.EventLog.writeEvent(0x534e4554, "238605611", callingUid, "");
++                    foundParentInTask = false;
++                } else {
++                    parent.deliverNewIntentLocked(callingUid, destIntent, srec.packageName);
++                }
+             } else {
+                 try {
+                     ActivityInfo aInfo = AppGlobals.getPackageManager().getActivityInfo(
+diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java
+index e3e839f63172..b15cf6a606cc 100644
+--- a/services/core/java/com/android/server/am/ProcessRecord.java
++++ b/services/core/java/com/android/server/am/ProcessRecord.java
+@@ -520,6 +520,10 @@ final class ProcessRecord {
+         stringName = null;
+     }
+ 
++    public int getPid() {
++        return pid;
++    }
++
+     public void makeActive(IApplicationThread _thread, ProcessStatsService tracker) {
+         if (thread == null) {
+             final ProcessState origBase = baseProcessTracker;

Patches/LineageOS-16.0/android_frameworks_base/344171.patch

@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Norman <danielnorman@google.com>
+Date: Fri, 12 Aug 2022 11:40:41 -0700
+Subject: [PATCH] Do not send AccessibilityEvent if notification is for
+ different user.
+
+Bug: 237540408
+Test: BuzzBeepBlinkTest#testA11yCrossUserEventNotSent
+Change-Id: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
+Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
+(cherry picked from commit 18f2ec86d680bff26ce9248061878894ad16e05f)
+Merged-In: I62a875e26e214847ec72ce3c41b4f2fa8e597e07
+---
+ .../notification/NotificationManagerService.java  |  3 ++-
+ .../server/notification/BuzzBeepBlinkTest.java    | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index acef7148cd2f..a53f2aec436c 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -4985,7 +4985,8 @@ public class NotificationManagerService extends SystemService {
+         boolean sentAccessibilityEvent = false;
+         // If the notification will appear in the status bar, it should send an accessibility
+         // event
+-        if (!record.isUpdate && record.getImportance() > IMPORTANCE_MIN) {
++        if (!record.isUpdate && record.getImportance() > IMPORTANCE_MIN
++                && isNotificationForCurrentUser(record)) {
+             sendAccessibilityEvent(record);
+             sentAccessibilityEvent = true;
+         }
+diff --git a/services/tests/uiservicestests/src/com/android/server/notification/BuzzBeepBlinkTest.java b/services/tests/uiservicestests/src/com/android/server/notification/BuzzBeepBlinkTest.java
+index 3b3f128b6ca5..feae34dcb68c 100644
+--- a/services/tests/uiservicestests/src/com/android/server/notification/BuzzBeepBlinkTest.java
++++ b/services/tests/uiservicestests/src/com/android/server/notification/BuzzBeepBlinkTest.java
+@@ -1102,6 +1102,21 @@ public class BuzzBeepBlinkTest extends UiServiceTestCase {
+         verify(mAccessibilityService, times(1)).sendAccessibilityEvent(any(), anyInt());
+     }
+ 
++    @Test
++    public void testA11yCrossUserEventNotSent() throws Exception {
++        final Notification n = new Builder(getContext(), "test")
++                .setSmallIcon(android.R.drawable.sym_def_app_icon).build();
++        int userId = mUser.getIdentifier() + 1;
++        StatusBarNotification sbn = new StatusBarNotification(mPkg, mPkg, 0, mTag, mUid,
++                mPid, n, UserHandle.of(userId), null, System.currentTimeMillis());
++        NotificationRecord r = new NotificationRecord(getContext(), sbn,
++                new NotificationChannel("test", "test", IMPORTANCE_HIGH));
++
++        mService.buzzBeepBlinkLocked(r);
++
++        verify(mAccessibilityService, never()).sendAccessibilityEvent(any(), anyInt());
++    }
++
+     @Test
+     public void testLightsScreenOn() {
+         mService.mScreenOn = true;

Patches/LineageOS-16.0/android_frameworks_base/344172.patch

@@ -0,0 +1,126 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yuri Lin <yurilin@google.com>
+Date: Mon, 29 Aug 2022 17:40:14 -0400
+Subject: [PATCH] Trim any long string inputs that come in to AutomaticZenRule
+
+This change both prevents any rules from being unable to be written to
+disk and also avoids risk of running out of memory while handling all
+the zen rules.
+
+Bug: 242703460
+Bug: 242703505
+Bug: 242703780
+Bug: 242704043
+Bug: 243794204
+Test: cts AutomaticZenRuleTest; atest android.app.AutomaticZenRuleTest;
+manually confirmed each exploit example either saves the rule
+successfully with a truncated string (in the case of name & conditionId)
+or may fail to save the rule at all (if the owner/configactivity is invalid).
+Additionally ran the memory-exhausting PoC without device crashes.
+
+Change-Id: I110172a43f28528dd274b3b346eb29c3796ff2c6
+Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6
+(cherry picked from commit de172ba0d434c940be9e2aad8685719731ab7da2)
+(cherry picked from commit c4b2c877ec28e2473104d9fcdcf321bd81da881b)
+Merged-In: I110172a43f28528dd274b3b346eb29c3796ff2c6
+---
+ core/java/android/app/AutomaticZenRule.java | 50 ++++++++++++++++++---
+ 1 file changed, 43 insertions(+), 7 deletions(-)
+
+diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java
+index cd4ace669b6c..29dd91ec1ad6 100644
+--- a/core/java/android/app/AutomaticZenRule.java
++++ b/core/java/android/app/AutomaticZenRule.java
+@@ -36,6 +36,13 @@ public final class AutomaticZenRule implements Parcelable {
+     private ComponentName owner;
+     private long creationTime;
+ 
++    /**
++     * The maximum string length for any string contained in this automatic zen rule. This pertains
++     * both to fields in the rule itself (such as its name) and items with sub-fields.
++     * @hide
++     */
++    public static final int MAX_STRING_LENGTH = 1000;
++
+     /**
+      * Creates an automatic zen rule.
+      *
+@@ -50,9 +57,9 @@ public final class AutomaticZenRule implements Parcelable {
+      */
+     public AutomaticZenRule(String name, ComponentName owner, Uri conditionId,
+             int interruptionFilter, boolean enabled) {
+-        this.name = name;
+-        this.owner = owner;
+-        this.conditionId = conditionId;
++        this.name = getTrimmedString(name);
++        this.owner = getTrimmedComponentName(owner);
++        this.conditionId = getTrimmedUri(conditionId);
+         this.interruptionFilter = interruptionFilter;
+         this.enabled = enabled;
+     }
+@@ -70,11 +77,11 @@ public final class AutomaticZenRule implements Parcelable {
+     public AutomaticZenRule(Parcel source) {
+         enabled = source.readInt() == 1;
+         if (source.readInt() == 1) {
+-            name = source.readString();
++            name = getTrimmedString(source.readString());
+         }
+         interruptionFilter = source.readInt();
+         conditionId = source.readParcelable(null);
+-        owner = source.readParcelable(null);
++        owner = getTrimmedComponentName(source.readParcelable(null));
+         creationTime = source.readLong();
+     }
+ 
+@@ -124,7 +131,7 @@ public final class AutomaticZenRule implements Parcelable {
+      * Sets the representation of the state that causes this rule to become active.
+      */
+     public void setConditionId(Uri conditionId) {
+-        this.conditionId = conditionId;
++        this.conditionId = getTrimmedUri(conditionId);
+     }
+ 
+     /**
+@@ -139,7 +146,7 @@ public final class AutomaticZenRule implements Parcelable {
+      * Sets the name of this rule.
+      */
+     public void setName(String name) {
+-        this.name = name;
++        this.name = getTrimmedString(name);
+     }
+ 
+     /**
+@@ -210,4 +217,33 @@ public final class AutomaticZenRule implements Parcelable {
+             return new AutomaticZenRule[size];
+         }
+     };
++
++    /**
++     * If the package or class name of the provided ComponentName are longer than MAX_STRING_LENGTH,
++     * return a trimmed version that truncates each of the package and class name at the max length.
++     */
++    private static ComponentName getTrimmedComponentName(ComponentName cn) {
++        if (cn == null) return null;
++        return new ComponentName(getTrimmedString(cn.getPackageName()),
++                getTrimmedString(cn.getClassName()));
++    }
++    /**
++     * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH.
++     */
++    private static String getTrimmedString(String input) {
++        if (input != null && input.length() > MAX_STRING_LENGTH) {
++            return input.substring(0, MAX_STRING_LENGTH);
++        }
++        return input;
++    }
++    /**
++     * Returns a truncated copy of the Uri by trimming the string representation to the maximum
++     * string length.
++     */
++    private static Uri getTrimmedUri(Uri input) {
++        if (input != null && input.toString().length() > MAX_STRING_LENGTH) {
++            return Uri.parse(getTrimmedString(input.toString()));
++        }
++        return input;
++    }
+ }

Patches/LineageOS-16.0/android_frameworks_base/344173.patch

@@ -0,0 +1,202 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ivan Chiang <chiangi@google.com>
+Date: Mon, 15 Aug 2022 15:09:33 +0800
+Subject: [PATCH] Check permission for VoiceInteraction
+
+The service must have the CAPTURE_AUDIO_HOTWORD permission to access
+AlwaysOnHotwordDetector. If it doesn't have the permission, return
+STATE_HARDWARE_UNAVAILABLE state. If it is not granted the
+RECORD_AUDIO permisison, it also can't start to recognize the audio.
+
+Test: manual
+Test: atest CtsVoiceInteractionTestCases
+Test: atest CtsAssistTestCases
+Bug: 229793943
+Change-Id: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
+Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
+(cherry picked from commit e4e77f45700bcbc56aa6d6ffc094e0e0ae78190a)
+Merged-In: I7d0f8d2f6af4bc4210060f0a44469db2afc7a1bb
+---
+ .../voice/AlwaysOnHotwordDetector.java        | 40 ++++++++++++++++++-
+ .../voice/VoiceInteractionService.java        |  2 +-
+ .../VoiceInteractionManagerService.java       | 14 +++++++
+ 3 files changed, 53 insertions(+), 3 deletions(-)
+
+diff --git a/core/java/android/service/voice/AlwaysOnHotwordDetector.java b/core/java/android/service/voice/AlwaysOnHotwordDetector.java
+index 76d89ef039c8..350a4169287f 100644
+--- a/core/java/android/service/voice/AlwaysOnHotwordDetector.java
++++ b/core/java/android/service/voice/AlwaysOnHotwordDetector.java
+@@ -16,11 +16,14 @@
+ 
+ package android.service.voice;
+ 
++import android.Manifest;
+ import android.annotation.IntDef;
+ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.app.Activity;
++import android.content.Context;
+ import android.content.Intent;
++import android.content.pm.PackageManager;
+ import android.hardware.soundtrigger.IRecognitionStatusCallback;
+ import android.hardware.soundtrigger.KeyphraseEnrollmentInfo;
+ import android.hardware.soundtrigger.KeyphraseMetadata;
+@@ -194,8 +197,10 @@ public class AlwaysOnHotwordDetector {
+     private final Callback mExternalCallback;
+     private final Object mLock = new Object();
+     private final Handler mHandler;
++    private final Context mContext;
+ 
+     private int mAvailability = STATE_NOT_READY;
++    private boolean mIsGrantedHotwordPermission;
+ 
+     /**
+      * Additional payload for {@link Callback#onDetected}.
+@@ -322,19 +327,32 @@ public class AlwaysOnHotwordDetector {
+         public abstract void onRecognitionResumed();
+     }
+ 
++    private static boolean hasHotwordPermission(Context context) {
++        return context.checkSelfPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD)
++            == PackageManager.PERMISSION_GRANTED;
++    }
++
++    private static boolean hasRecordAudioPermission(Context context) {
++        return context.checkSelfPermission(Manifest.permission.RECORD_AUDIO)
++            == PackageManager.PERMISSION_GRANTED;
++    }
++
+     /**
++     * @param context The context to check permission
+      * @param text The keyphrase text to get the detector for.
+      * @param locale The java locale for the detector.
+      * @param callback A non-null Callback for receiving the recognition events.
++     * @param keyphraseEnrollmentInfo The Enrollment info of key phrase
+      * @param voiceInteractionService The current voice interaction service.
+      * @param modelManagementService A service that allows management of sound models.
+      *
+      * @hide
+      */
+-    public AlwaysOnHotwordDetector(String text, Locale locale, Callback callback,
++    public AlwaysOnHotwordDetector(Context context, String text, Locale locale, Callback callback,
+             KeyphraseEnrollmentInfo keyphraseEnrollmentInfo,
+             IVoiceInteractionService voiceInteractionService,
+             IVoiceInteractionManagerService modelManagementService) {
++        mContext = context;
+         mText = text;
+         mLocale = locale;
+         mKeyphraseEnrollmentInfo = keyphraseEnrollmentInfo;
+@@ -344,6 +362,7 @@ public class AlwaysOnHotwordDetector {
+         mInternalCallback = new SoundTriggerListener(mHandler);
+         mVoiceInteractionService = voiceInteractionService;
+         mModelManagementService = modelManagementService;
++        mIsGrantedHotwordPermission = hasHotwordPermission(mContext);
+         new RefreshAvailabiltyTask().execute();
+     }
+ 
+@@ -400,6 +419,12 @@ public class AlwaysOnHotwordDetector {
+      */
+     public boolean startRecognition(@RecognitionFlags int recognitionFlags) {
+         if (DBG) Slog.d(TAG, "startRecognition(" + recognitionFlags + ")");
++
++        if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) {
++            throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD "
++                + "permissions to access the detector.");
++        }
++
+         synchronized (mLock) {
+             if (mAvailability == STATE_INVALID) {
+                 throw new IllegalStateException("startRecognition called on an invalid detector");
+@@ -428,6 +453,12 @@ public class AlwaysOnHotwordDetector {
+      */
+     public boolean stopRecognition() {
+         if (DBG) Slog.d(TAG, "stopRecognition()");
++
++        if (!mIsGrantedHotwordPermission || !hasRecordAudioPermission(mContext)) {
++            throw new IllegalStateException("Must have the RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD "
++                + "permissions to access the detector.");
++        }
++
+         synchronized (mLock) {
+             if (mAvailability == STATE_INVALID) {
+                 throw new IllegalStateException("stopRecognition called on an invalid detector");
+@@ -544,7 +575,8 @@ public class AlwaysOnHotwordDetector {
+         synchronized (mLock) {
+             if (mAvailability == STATE_INVALID
+                     || mAvailability == STATE_HARDWARE_UNAVAILABLE
+-                    || mAvailability == STATE_KEYPHRASE_UNSUPPORTED) {
++                    || mAvailability == STATE_KEYPHRASE_UNSUPPORTED
++                    || !hasRecordAudioPermission(mContext)) {
+                 Slog.w(TAG, "Received onSoundModelsChanged for an unsupported keyphrase/config");
+                 return;
+             }
+@@ -715,6 +747,10 @@ public class AlwaysOnHotwordDetector {
+          * @return The initial availability without checking the enrollment status.
+          */
+         private int internalGetInitialAvailability() {
++            if (!mIsGrantedHotwordPermission) {
++                return STATE_HARDWARE_UNAVAILABLE;
++            }
++
+             synchronized (mLock) {
+                 // This detector has already been invalidated.
+                 if (mAvailability == STATE_INVALID) {
+diff --git a/core/java/android/service/voice/VoiceInteractionService.java b/core/java/android/service/voice/VoiceInteractionService.java
+index 8f79bcffa776..409d8ddddc2d 100644
+--- a/core/java/android/service/voice/VoiceInteractionService.java
++++ b/core/java/android/service/voice/VoiceInteractionService.java
+@@ -272,7 +272,7 @@ public class VoiceInteractionService extends Service {
+         synchronized (mLock) {
+             // Allow only one concurrent recognition via the APIs.
+             safelyShutdownHotwordDetector();
+-            mHotwordDetector = new AlwaysOnHotwordDetector(keyphrase, locale, callback,
++            mHotwordDetector = new AlwaysOnHotwordDetector(this, keyphrase, locale, callback,
+                     mKeyphraseEnrollmentInfo, mInterface, mSystemService);
+         }
+         return mHotwordDetector;
+diff --git a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
+index 44f55511f940..e6e3ef372e28 100644
+--- a/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
++++ b/services/voiceinteraction/java/com/android/server/voiceinteraction/VoiceInteractionManagerService.java
+@@ -902,6 +902,9 @@ public class VoiceInteractionManagerService extends SystemService {
+ 
+         @Override
+         public ModuleProperties getDspModuleProperties(IVoiceInteractionService service) {
++            // Allow the call if it is granted CAPTURE_AUDIO_HOTWORD.
++            enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD);
++
+             // Allow the call if this is the current voice interaction service.
+             synchronized (this) {
+                 if (mImpl == null || mImpl.mService == null
+@@ -923,6 +926,9 @@ public class VoiceInteractionManagerService extends SystemService {
+         public int startRecognition(IVoiceInteractionService service, int keyphraseId,
+                 String bcp47Locale, IRecognitionStatusCallback callback,
+                 RecognitionConfig recognitionConfig) {
++            // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD.
++            enforceAlwaysOnHotwordPermissions();
++
+             // Allow the call if this is the current voice interaction service.
+             synchronized (this) {
+                 if (mImpl == null || mImpl.mService == null
+@@ -963,6 +969,9 @@ public class VoiceInteractionManagerService extends SystemService {
+         @Override
+         public int stopRecognition(IVoiceInteractionService service, int keyphraseId,
+                 IRecognitionStatusCallback callback) {
++            // Allow the call if it is granted RECORD_AUDIO and CAPTURE_AUDIO_HOTWORD.
++            enforceAlwaysOnHotwordPermissions();
++
+             // Allow the call if this is the current voice interaction service.
+             synchronized (this) {
+                 if (mImpl == null || mImpl.mService == null
+@@ -1172,6 +1181,11 @@ public class VoiceInteractionManagerService extends SystemService {
+             mSoundTriggerInternal.dump(fd, pw, args);
+         }
+ 
++        private void enforceAlwaysOnHotwordPermissions() {
++            enforceCallingPermission(Manifest.permission.RECORD_AUDIO);
++            enforceCallingPermission(Manifest.permission.CAPTURE_AUDIO_HOTWORD);
++        }
++
+         private void enforceCallingPermission(String permission) {
+             if (mContext.checkCallingOrSelfPermission(permission)
+                     != PackageManager.PERMISSION_GRANTED) {

Patches/LineageOS-16.0/android_frameworks_base/344174.patch

@@ -0,0 +1,353 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Matt Pietal <mpietal@google.com>
+Date: Thu, 18 Aug 2022 12:04:43 +0000
+Subject: [PATCH] Do not dismiss keyguard after SIM PUK unlock
+
+After PUK unlock, multiple calls to
+KeyguardSecurityContainerController#dismiss() were being called from
+the KeyguardSimPukViewController, which begins the transition to the
+next security screen, if any. At the same time, other parts of the
+system, also listening to SIM events, recognize the PUK unlock and
+call KeyguardSecurityContainer#showSecurityScreen, which updates which
+security method comes next. After boot, this should be one of PIN,
+Password, Pattern, assuming they have a security method. If one of the
+first dismiss() calls comes AFTER the security method changes, this is
+incorrectly recognized by the code as a successful
+PIN/pattern/password unlock. This causes the keyguard to be marked as
+done, causing screen flickers and incorrect system state.
+
+The solution: every call to dismiss() should include a new parameter
+for the security method used. If there is a difference between this
+parameter and the current value in KeyguardSecurityContainerCallback,
+ignore the request, as the system state has changed.
+
+Bug: 218500036
+Test: atest KeyguardSecurityContainerTest
+
+Merged-In: I7c8714a177bc85fbce92f6e8fe911f74ca2ac243
+Change-Id: I30226bc7b5eda9480d471b35fe81e106b0491ff8
+(cherry picked from commit a30148b8a40a36cababba1ff434d053cfd7dd6e3)
+Merged-In: I30226bc7b5eda9480d471b35fe81e106b0491ff8
+---
+ .../keyguard/KeyguardAbsKeyInputView.java     |  4 ++-
+ .../android/keyguard/KeyguardHostView.java    | 13 +++++---
+ .../com/android/keyguard/KeyguardPINView.java |  6 ++++
+ .../keyguard/KeyguardPasswordView.java        |  6 ++++
+ .../android/keyguard/KeyguardPatternView.java |  3 +-
+ .../keyguard/KeyguardSecurityCallback.java    |  5 ++-
+ .../keyguard/KeyguardSecurityContainer.java   | 32 +++++++++++++++----
+ .../android/keyguard/KeyguardSimPinView.java  | 10 +++++-
+ .../android/keyguard/KeyguardSimPukView.java  | 12 +++++--
+ 9 files changed, 73 insertions(+), 18 deletions(-)
+
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java
+index c3119793eaf5..959da444cee7 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardAbsKeyInputView.java
+@@ -29,6 +29,7 @@ import android.view.KeyEvent;
+ import android.view.View;
+ import android.widget.LinearLayout;
+ 
++import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+ import com.android.internal.util.LatencyTracker;
+ import com.android.internal.widget.LockPatternChecker;
+ import com.android.internal.widget.LockPatternUtils;
+@@ -92,6 +93,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout
+ 
+     protected abstract int getPasswordTextViewId();
+     protected abstract void resetState();
++    protected abstract SecurityMode getSecurityMode();
+ 
+     @Override
+     protected void onFinishInflate() {
+@@ -191,7 +193,7 @@ public abstract class KeyguardAbsKeyInputView extends LinearLayout
+             mCallback.reportUnlockAttempt(userId, true, 0);
+             if (dismissKeyguard) {
+                 mDismissing = true;
+-                mCallback.dismiss(true, userId);
++                mCallback.dismiss(true, userId, getSecurityMode());
+             }
+         } else {
+             if (isValidPassword) {
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
+index aa0bcc5cf2b8..27e7d79bd6f5 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
+@@ -89,7 +89,7 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
+                         // the user proved presence via some other way to the trust agent.
+                         Log.i(TAG, "TrustAgent dismissed Keyguard.");
+                     }
+-                    dismiss(false /* authenticated */, userId);
++                    dismiss(false /* authenticated */, userId, SecurityMode.Invalid);
+                 } else {
+                     mViewMediatorCallback.playTrustedSound();
+                 }
+@@ -189,12 +189,13 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
+      * @return True if the keyguard is done.
+      */
+     public boolean dismiss(int targetUserId) {
+-        return dismiss(false, targetUserId);
++        return dismiss(false, targetUserId, getCurrentSecurityMode());
+     }
+ 
+     public boolean handleBackKey() {
+         if (mSecurityContainer.getCurrentSecuritySelection() != SecurityMode.None) {
+-            mSecurityContainer.dismiss(false, KeyguardUpdateMonitor.getCurrentUser());
++            mSecurityContainer.dismiss(false, KeyguardUpdateMonitor.getCurrentUser(),
++                getCurrentSecurityMode());
+             return true;
+         }
+         return false;
+@@ -205,8 +206,10 @@ public class KeyguardHostView extends FrameLayout implements SecurityCallback {
+     }
+ 
+     @Override
+-    public boolean dismiss(boolean authenticated, int targetUserId) {
+-        return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, targetUserId);
++    public boolean dismiss(boolean authenticated, int targetUserId,
++            SecurityMode expectedSecurityMode) {
++        return mSecurityContainer.showNextSecurityScreenOrFinish(authenticated, targetUserId,
++            expectedSecurityMode);
+     }
+ 
+     /**
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java
+index 4058d3e0f6c0..c75997a89c2e 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPINView.java
+@@ -23,6 +23,7 @@ import android.view.ViewGroup;
+ import android.view.animation.AnimationUtils;
+ import android.widget.LinearLayout;
+ 
++import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+ import com.android.settingslib.animation.AppearAnimationUtils;
+ import com.android.settingslib.animation.DisappearAnimationUtils;
+ 
+@@ -212,4 +213,9 @@ public class KeyguardPINView extends KeyguardPinBasedInputView {
+     public boolean hasOverlappingRendering() {
+         return false;
+     }
++
++    @Override
++    public SecurityMode getSecurityMode() {
++        return SecurityMode.PIN;
++    }
+ }
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
+index 5dd2655a8f16..16cb7796d13f 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
+@@ -36,6 +36,7 @@ import android.widget.TextView;
+ import android.widget.TextView.OnEditorActionListener;
+ 
+ import com.android.internal.widget.TextViewInputDisabler;
++import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+ 
+ import java.util.List;
+ /**
+@@ -368,4 +369,9 @@ public class KeyguardPasswordView extends KeyguardAbsKeyInputView
+         return getContext().getString(
+                 com.android.internal.R.string.keyguard_accessibility_password_unlock);
+     }
++
++    @Override
++    public SecurityMode getSecurityMode() {
++        return SecurityMode.Password;
++    }
+ }
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
+index 69e3b0d50020..ef2ef4febcac 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
+@@ -37,6 +37,7 @@ import com.android.internal.util.LatencyTracker;
+ import com.android.internal.widget.LockPatternChecker;
+ import com.android.internal.widget.LockPatternUtils;
+ import com.android.internal.widget.LockPatternView;
++import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+ import com.android.settingslib.animation.AppearAnimationCreator;
+ import com.android.settingslib.animation.AppearAnimationUtils;
+ import com.android.settingslib.animation.DisappearAnimationUtils;
+@@ -321,7 +322,7 @@ public class KeyguardPatternView extends LinearLayout implements KeyguardSecurit
+                 mCallback.reportUnlockAttempt(userId, true, 0);
+                 if (dismissKeyguard) {
+                     mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Correct);
+-                    mCallback.dismiss(true, userId);
++                    mCallback.dismiss(true, userId, SecurityMode.Pattern);
+                 }
+             } else {
+                 mLockPatternView.setDisplayMode(LockPatternView.DisplayMode.Wrong);
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java
+index 5b743c1a20c5..c8eec6b80897 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityCallback.java
+@@ -15,14 +15,17 @@
+  */
+ package com.android.keyguard;
+ 
++import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
++
+ public interface KeyguardSecurityCallback {
+ 
+     /**
+      * Dismiss the given security screen.
+      * @param securityVerified true if the user correctly entered credentials for the given screen.
+      * @param targetUserId a user that needs to be the foreground user at the dismissal completion.
++     * @param expectedSecurityMode The security mode that is invoking this dismiss.
+      */
+-    void dismiss(boolean securityVerified, int targetUserId);
++    void dismiss(boolean securityVerified, int targetUserId, SecurityMode expectedSecurityMode);
+ 
+     /**
+      * Manually report user activity to keep the device awake.
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+index 9c69432d3178..6a71cf84759c 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+@@ -54,7 +54,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+ 
+     // Used to notify the container when something interesting happens.
+     public interface SecurityCallback {
+-        public boolean dismiss(boolean authenticated, int targetUserId);
++        public boolean dismiss(boolean authenticated, int targetUserId,
++            SecurityMode expectedSecurityMode);
+         public void userActivity();
+         public void onSecurityModeChanged(SecurityMode securityMode, boolean needsInput);
+ 
+@@ -312,10 +313,20 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+      * @param authenticated true if the user entered the correct authentication
+      * @param targetUserId a user that needs to be the foreground user at the finish (if called)
+      *     completion.
++     * @param expectedSecurityMode SecurityMode that is invoking this request. SecurityMode.Invalid
++     *      indicates that no check should be done
+      * @return true if keyguard is done
+      */
+-    boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetUserId) {
++    boolean showNextSecurityScreenOrFinish(boolean authenticated, int targetUserId,
++            SecurityMode expectedSecurityMode) {
+         if (DEBUG) Log.d(TAG, "showNextSecurityScreenOrFinish(" + authenticated + ")");
++        if (expectedSecurityMode != SecurityMode.Invalid
++                && expectedSecurityMode != getCurrentSecurityMode()) {
++            Log.w(TAG, "Attempted to invoke showNextSecurityScreenOrFinish with securityMode "
++                    + expectedSecurityMode + ", but current mode is " + getCurrentSecurityMode());
++            return false;
++        }
++
+         boolean finish = false;
+         boolean strongAuth = false;
+         if (mUpdateMonitor.getUserCanSkipBouncer(targetUserId)) {
+@@ -417,8 +428,13 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+             }
+         }
+ 
+-        public void dismiss(boolean authenticated, int targetId) {
+-            mSecurityCallback.dismiss(authenticated, targetId);
++        /**
++         * Potentially dismiss the current security screen, after validating that all device
++         * security has been unlocked. Otherwise show the next screen.
++         */
++        public void dismiss(boolean authenticated, int targetId,
++                SecurityMode expectedSecurityMode) {
++            mSecurityCallback.dismiss(authenticated, targetId, expectedSecurityMode);
+         }
+ 
+         public boolean isVerifyUnlockOnly() {
+@@ -454,7 +470,8 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+         @Override
+         public boolean isVerifyUnlockOnly() { return false; }
+         @Override
+-        public void dismiss(boolean securityVerified, int targetUserId) { }
++        public void dismiss(boolean securityVerified, int targetUserId,
++                SecurityMode expectedSecurityMode) { }
+         @Override
+         public void reset() {}
+     };
+@@ -500,8 +517,9 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+         return mCurrentSecuritySelection;
+     }
+ 
+-    public void dismiss(boolean authenticated, int targetUserId) {
+-        mCallback.dismiss(authenticated, targetUserId);
++    public void dismiss(boolean authenticated, int targetUserId,
++            SecurityMode expectedSecurityMode) {
++        mCallback.dismiss(authenticated, targetUserId, expectedSecurityMode);
+     }
+ 
+     public boolean needsInput() {
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java
+index df9fb355ce2f..f2cfdd2f4c86 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPinView.java
+@@ -42,6 +42,8 @@ import android.view.View;
+ import android.view.WindowManager;
+ import android.widget.ImageView;
+ 
++import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
++
+ /**
+  * Displays a PIN pad for unlocking.
+  */
+@@ -342,7 +344,8 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView {
+                                 mRemainingAttempts = -1;
+                                 mShowDefaultMessage = true;
+                                 if (mCallback != null) {
+-                                    mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser());
++                                    mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(),
++                                        SecurityMode.SimPin);
+                                 }
+                             } else {
+                                 mShowDefaultMessage = false;
+@@ -390,5 +393,10 @@ public class KeyguardSimPinView extends KeyguardPinBasedInputView {
+         return getContext().getString(
+                 com.android.internal.R.string.keyguard_accessibility_sim_pin_unlock);
+     }
++
++    @Override
++    public SecurityMode getSecurityMode() {
++        return SecurityMode.SimPin;
++    }
+ }
+ 
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java
+index 5da764d90f73..08ba8d4ef6e8 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSimPukView.java
+@@ -40,6 +40,7 @@ import com.android.internal.telephony.ITelephony;
+ import com.android.internal.telephony.IccCardConstants;
+ import com.android.internal.telephony.PhoneConstants;
+ import com.android.internal.telephony.IccCardConstants.State;
++import com.android.keyguard.KeyguardSecurityModel.SecurityMode;
+ 
+ 
+ /**
+@@ -78,7 +79,8 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView {
+                     // mCallback can be null if onSimStateChanged callback is called when keyguard
+                     // isn't active.
+                     if (mCallback != null) {
+-                        mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser());
++                        mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(),
++                            SecurityMode.SimPuk);
+                     }
+                     break;
+                 }
+@@ -408,7 +410,8 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView {
+                                 mRemainingAttempts = -1;
+                                 mShowDefaultMessage = true;
+                                 if (mCallback != null) {
+-                                    mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser());
++                                    mCallback.dismiss(true, KeyguardUpdateMonitor.getCurrentUser(),
++                                        SecurityMode.SimPuk);
+                                 }
+                             } else {
+                                 mShowDefaultMessage = false;
+@@ -463,6 +466,11 @@ public class KeyguardSimPukView extends KeyguardPinBasedInputView {
+         return getContext().getString(
+                 com.android.internal.R.string.keyguard_accessibility_sim_puk_unlock);
+     }
++
++    @Override
++    public SecurityMode getSecurityMode() {
++        return SecurityMode.SimPuk;
++    }
+ }
+ 
+ 

Patches/LineageOS-16.0/android_frameworks_base/345892.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Tue, 19 Jul 2022 10:45:22 +0000
+Subject: [PATCH] Revert "RESTRICT AUTOMERGE Prevent non-admin users from
+ deleting system apps."
+
+This reverts commit 4005549db2fa7e1524fc0dbbe22c774fb00b6cb3.
+
+Reason for revert: Regression, DELETE_SYSTEM_APP flag no longer works
+
+Change-Id: I7386d1ba3d61b95836b85c52214c83b216c478e8
+(cherry picked from commit 49d8f9325a8d103497632097010899f87f403faa)
+Merged-In: I7386d1ba3d61b95836b85c52214c83b216c478e8
+---
+ .../com/android/server/pm/PackageManagerService.java   | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index e8532ce4edd3..dc44fe17722d 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -18476,16 +18476,6 @@ public class PackageManagerService extends IPackageManager.Stub
+                 return PackageManager.DELETE_FAILED_INTERNAL_ERROR;
+             }
+ 
+-            if (isSystemApp(uninstalledPs)) {
+-                UserInfo userInfo = sUserManager.getUserInfo(userId);
+-                if (userInfo == null || !userInfo.isAdmin()) {
+-                    Slog.w(TAG, "Not removing package " + packageName
+-                            + " as only admin user may downgrade system apps");
+-                    EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
+-                    return PackageManager.DELETE_FAILED_USER_RESTRICTED;
+-                }
+-            }
+-
+             // Static shared libs can be declared by any package, so let us not
+             // allow removing a package if it provides a lib others depend on.
+             pkg = mPackages.get(packageName);

Patches/LineageOS-16.0/android_frameworks_base/345893.patch

@@ -0,0 +1,325 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Fri, 19 Aug 2022 09:54:23 -0400
+Subject: [PATCH] Limit the size of NotificationChannel and
+ NotificationChannelGroup
+
+Test: android.app.NotificationChannelGroupTest
+Test: android.app.NotificationChannelTest
+Test: cts NotificationChannelTest
+Test: cts NotificationChannelGroupTest
+Bug: 241764350
+Bug: 241764340
+Bug: 241764135
+Bug: 242702935
+Bug: 242703118
+Bug: 242703202
+Bug: 242702851
+Bug: 242703217
+Bug: 242703556
+Change-Id: I0925583ab54d6c81c415859618f6b907ab7baada
+Merged-In: I0925583ab54d6c81c415859618f6b907ab7baada
+(cherry picked from commit 3850857cb0e7f26702d5bd601731d7290390fa3b)
+(cherry picked from commit c2d264989a2c18af9e3f210f62eba8d987fefb5b)
+Merged-In: I0925583ab54d6c81c415859618f6b907ab7baada
+---
+ .../java/android/app/NotificationChannel.java |  19 +++-
+ .../android/app/NotificationChannelGroup.java |  10 +-
+ .../app/NotificationChannelGroupTest.java     |  73 +++++++++++++
+ .../android/app/NotificationChannelTest.java  | 102 ++++++++++++++++++
+ 4 files changed, 195 insertions(+), 9 deletions(-)
+ create mode 100644 core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+ create mode 100644 core/tests/coretests/src/android/app/NotificationChannelTest.java
+
+diff --git a/core/java/android/app/NotificationChannel.java b/core/java/android/app/NotificationChannel.java
+index ba355f9f9c1d..5c5801d0019b 100644
+--- a/core/java/android/app/NotificationChannel.java
++++ b/core/java/android/app/NotificationChannel.java
+@@ -55,8 +55,13 @@ public final class NotificationChannel implements Parcelable {
+     /**
+      * The maximum length for text fields in a NotificationChannel. Fields will be truncated at this
+      * limit.
++     * @hide
+      */
+-    private static final int MAX_TEXT_LENGTH = 1000;
++    public static final int MAX_TEXT_LENGTH = 1000;
++    /**
++     * @hide
++     */
++    public static final int MAX_VIBRATION_LENGTH = 1000;
+ 
+     private static final String TAG_CHANNEL = "channel";
+     private static final String ATT_NAME = "name";
+@@ -177,17 +182,17 @@ public final class NotificationChannel implements Parcelable {
+      */
+     protected NotificationChannel(Parcel in) {
+         if (in.readByte() != 0) {
+-            mId = in.readString();
++            mId = getTrimmedString(in.readString());
+         } else {
+             mId = null;
+         }
+         if (in.readByte() != 0) {
+-            mName = in.readString();
++            mName = getTrimmedString(in.readString());
+         } else {
+             mName = null;
+         }
+         if (in.readByte() != 0) {
+-            mDesc = in.readString();
++            mDesc = getTrimmedString(in.readString());
+         } else {
+             mDesc = null;
+         }
+@@ -196,18 +201,22 @@ public final class NotificationChannel implements Parcelable {
+         mLockscreenVisibility = in.readInt();
+         if (in.readByte() != 0) {
+             mSound = Uri.CREATOR.createFromParcel(in);
++            mSound = Uri.parse(getTrimmedString(mSound.toString()));
+         } else {
+             mSound = null;
+         }
+         mLights = in.readByte() != 0;
+         mVibration = in.createLongArray();
++        if (mVibration != null && mVibration.length > MAX_VIBRATION_LENGTH) {
++            mVibration = Arrays.copyOf(mVibration, MAX_VIBRATION_LENGTH);
++        }
+         mUserLockedFields = in.readInt();
+         mFgServiceShown = in.readByte() != 0;
+         mVibrationEnabled = in.readByte() != 0;
+         mShowBadge = in.readByte() != 0;
+         mDeleted = in.readByte() != 0;
+         if (in.readByte() != 0) {
+-            mGroup = in.readString();
++            mGroup = getTrimmedString(in.readString());
+         } else {
+             mGroup = null;
+         }
+diff --git a/core/java/android/app/NotificationChannelGroup.java b/core/java/android/app/NotificationChannelGroup.java
+index 0fa3c7fa6492..14c8be38b8a4 100644
+--- a/core/java/android/app/NotificationChannelGroup.java
++++ b/core/java/android/app/NotificationChannelGroup.java
+@@ -40,8 +40,9 @@ public final class NotificationChannelGroup implements Parcelable {
+     /**
+      * The maximum length for text fields in a NotificationChannelGroup. Fields will be truncated at
+      * this limit.
++     * @hide
+      */
+-    private static final int MAX_TEXT_LENGTH = 1000;
++    public static final int MAX_TEXT_LENGTH = 1000;
+ 
+     private static final String TAG_GROUP = "channelGroup";
+     private static final String ATT_NAME = "name";
+@@ -75,13 +76,14 @@ public final class NotificationChannelGroup implements Parcelable {
+      */
+     protected NotificationChannelGroup(Parcel in) {
+         if (in.readByte() != 0) {
+-            mId = in.readString();
++            mId = getTrimmedString(in.readString());
+         } else {
+             mId = null;
+         }
+         mName = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(in);
++        mName = getTrimmedString(mName.toString());
+         if (in.readByte() != 0) {
+-            mDescription = in.readString();
++            mDescription = getTrimmedString(in.readString());
+         } else {
+             mDescription = null;
+         }
+@@ -104,7 +106,7 @@ public final class NotificationChannelGroup implements Parcelable {
+         } else {
+             dest.writeByte((byte) 0);
+         }
+-        TextUtils.writeToParcel(mName, dest, flags);
++        TextUtils.writeToParcel(mName.toString(), dest, flags);
+         if (mDescription != null) {
+             dest.writeByte((byte) 1);
+             dest.writeString(mDescription);
+diff --git a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+new file mode 100644
+index 000000000000..2a3da05eabb3
+--- /dev/null
++++ b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package android.app;
++
++import static junit.framework.TestCase.assertEquals;
++
++import android.os.Parcel;
++import android.test.AndroidTestCase;
++
++import androidx.test.filters.SmallTest;
++import androidx.test.runner.AndroidJUnit4;
++
++import com.google.common.base.Strings;
++
++import org.junit.Test;
++import org.junit.runner.RunWith;
++
++import java.lang.reflect.Field;
++
++@RunWith(AndroidJUnit4.class)
++@SmallTest
++public class NotificationChannelGroupTest {
++    private final String CLASS = "android.app.NotificationChannelGroup";
++
++    @Test
++    public void testLongStringFields() {
++        NotificationChannelGroup group = new NotificationChannelGroup("my_group_01", "groupName");
++
++        try {
++            String longString = Strings.repeat("A", 65536);
++            Field mName = Class.forName(CLASS).getDeclaredField("mName");
++            mName.setAccessible(true);
++            mName.set(group, longString);
++            Field mId = Class.forName(CLASS).getDeclaredField("mId");
++            mId.setAccessible(true);
++            mId.set(group, longString);
++            Field mDescription = Class.forName(CLASS).getDeclaredField("mDescription");
++            mDescription.setAccessible(true);
++            mDescription.set(group, longString);
++        } catch (NoSuchFieldException e) {
++            e.printStackTrace();
++        } catch (ClassNotFoundException e) {
++            e.printStackTrace();
++        } catch (IllegalAccessException e) {
++            e.printStackTrace();
++        }
++
++        Parcel parcel = Parcel.obtain();
++        group.writeToParcel(parcel, 0);
++        parcel.setDataPosition(0);
++
++        NotificationChannelGroup fromParcel =
++                NotificationChannelGroup.CREATOR.createFromParcel(parcel);
++        assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH, fromParcel.getId().length());
++        assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH, fromParcel.getName().length());
++        assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH,
++                fromParcel.getDescription().length());
++    }
++}
+diff --git a/core/tests/coretests/src/android/app/NotificationChannelTest.java b/core/tests/coretests/src/android/app/NotificationChannelTest.java
+new file mode 100644
+index 000000000000..d8be502e6db6
+--- /dev/null
++++ b/core/tests/coretests/src/android/app/NotificationChannelTest.java
+@@ -0,0 +1,102 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package android.app;
++
++import static junit.framework.TestCase.assertEquals;
++
++import android.net.Uri;
++import android.os.Parcel;
++
++import androidx.test.filters.SmallTest;
++import androidx.test.runner.AndroidJUnit4;
++
++import com.google.common.base.Strings;
++
++import org.junit.Test;
++import org.junit.runner.RunWith;
++
++import java.lang.reflect.Field;
++
++@RunWith(AndroidJUnit4.class)
++@SmallTest
++public class NotificationChannelTest {
++    private final String CLASS = "android.app.NotificationChannel";
++
++    @Test
++    public void testLongStringFields() {
++        NotificationChannel channel = new NotificationChannel("id", "name", 3);
++
++        try {
++            String longString = Strings.repeat("A", 65536);
++            Field mName = Class.forName(CLASS).getDeclaredField("mName");
++            mName.setAccessible(true);
++            mName.set(channel, longString);
++            Field mId = Class.forName(CLASS).getDeclaredField("mId");
++            mId.setAccessible(true);
++            mId.set(channel, longString);
++            Field mDesc = Class.forName(CLASS).getDeclaredField("mDesc");
++            mDesc.setAccessible(true);
++            mDesc.set(channel, longString);
++            Field mParentId = Class.forName(CLASS).getDeclaredField("mParentId");
++            mParentId.setAccessible(true);
++            mParentId.set(channel, longString);
++            Field mGroup = Class.forName(CLASS).getDeclaredField("mGroup");
++            mGroup.setAccessible(true);
++            mGroup.set(channel, longString);
++            Field mConversationId = Class.forName(CLASS).getDeclaredField("mConversationId");
++            mConversationId.setAccessible(true);
++            mConversationId.set(channel, longString);
++        } catch (NoSuchFieldException e) {
++            e.printStackTrace();
++        } catch (ClassNotFoundException e) {
++            e.printStackTrace();
++        } catch (IllegalAccessException e) {
++            e.printStackTrace();
++        }
++
++        Parcel parcel = Parcel.obtain();
++        channel.writeToParcel(parcel, 0);
++        parcel.setDataPosition(0);
++
++        NotificationChannel fromParcel = NotificationChannel.CREATOR.createFromParcel(parcel);
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH, fromParcel.getId().length());
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH, fromParcel.getName().length());
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH,
++                fromParcel.getDescription().length());
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH,
++                fromParcel.getGroup().length());
++    }
++
++    @Test
++    public void testLongAlertFields() {
++        NotificationChannel channel = new NotificationChannel("id", "name", 3);
++
++        channel.setSound(Uri.parse("content://" + Strings.repeat("A",65536)),
++                Notification.AUDIO_ATTRIBUTES_DEFAULT);
++        channel.setVibrationPattern(new long[65550/2]);
++
++        Parcel parcel = Parcel.obtain();
++        channel.writeToParcel(parcel, 0);
++        parcel.setDataPosition(0);
++
++        NotificationChannel fromParcel = NotificationChannel.CREATOR.createFromParcel(parcel);
++        assertEquals(NotificationChannel.MAX_VIBRATION_LENGTH,
++                fromParcel.getVibrationPattern().length);
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH,
++                fromParcel.getSound().toString().length());
++    }
++}

Patches/LineageOS-16.0/android_frameworks_base/345894.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Mon, 8 Aug 2022 13:31:36 +0100
+Subject: [PATCH] RESTRICT AUTOMERGE Prevent non-admin users from deleting
+ system apps.
+
+This addresses a security issue where the guest user can remove updates
+for system apps.
+
+With this CL, attempts to uninstall/downgrade system apps will fail if
+attempted by a non-admin user, unless the DELETE_SYSTEM_APP flag is
+specified.
+
+This is a fixed version of ag/17400663, to address b/236578018.
+
+Bug: 170646036
+Test: manual, try uninstalling system app update as guest
+Change-Id: I5eab215cba6528aa4316ed7b20bee544915c1486
+(cherry picked from commit 7fdc96aef4e098d2271ac3a8557bd8e1ad6827f3)
+Merged-In: I5eab215cba6528aa4316ed7b20bee544915c1486
+---
+ .../com/android/server/pm/PackageManagerService.java  | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index dc44fe17722d..c873f82d740c 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -18476,6 +18476,17 @@ public class PackageManagerService extends IPackageManager.Stub
+                 return PackageManager.DELETE_FAILED_INTERNAL_ERROR;
+             }
+ 
++            if (isSystemApp(uninstalledPs)
++                    && (deleteFlags & PackageManager.DELETE_SYSTEM_APP) == 0) {
++                UserInfo userInfo = sUserManager.getUserInfo(userId);
++                if (userInfo == null || !userInfo.isAdmin()) {
++                    Slog.w(TAG, "Not removing package " + packageName
++                            + " as only admin user may downgrade system apps");
++                    EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
++                    return PackageManager.DELETE_FAILED_USER_RESTRICTED;
++                }
++            }
++
+             // Static shared libs can be declared by any package, so let us not
+             // allow removing a package if it provides a lib others depend on.
+             pkg = mPackages.get(packageName);

Patches/LineageOS-16.0/android_frameworks_base/345895.patch

@@ -0,0 +1,106 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Fri, 19 Aug 2022 17:08:13 +0100
+Subject: [PATCH] Validate package name passed to setApplicationRestrictions.
+
+This adds validation that the package name passed to
+setApplicationRestrictions is in the correct format. This will avoid
+an issue where a path could be entered resulting in a file being
+written to an unexpected place.
+
+Bug: 239701237
+Test: atest UserManagerServiceTest
+Change-Id: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+(cherry picked from commit 31a582490d6e8952d24f267df47d669e3861cf67)
+Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+(cherry picked from commit cfcfe6ca8c545f78603c05e23687f8638fd4b51d)
+Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+---
+ .../android/server/pm/UserManagerService.java | 41 +++++++++++++++++++
+ .../server/pm/UserManagerServiceTest.java     |  7 ++++
+ 2 files changed, 48 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
+index 56d737d50fbf..423b88388809 100644
+--- a/services/core/java/com/android/server/pm/UserManagerService.java
++++ b/services/core/java/com/android/server/pm/UserManagerService.java
+@@ -76,6 +76,7 @@ import android.provider.Settings;
+ import android.security.GateKeeper;
+ import android.service.gatekeeper.IGateKeeperService;
+ import android.util.AtomicFile;
++import android.util.EventLog;
+ import android.util.IntArray;
+ import android.util.Log;
+ import android.util.Slog;
+@@ -3104,6 +3105,13 @@ public class UserManagerService extends IUserManager.Stub {
+     public void setApplicationRestrictions(String packageName, Bundle restrictions,
+             int userId) {
+         checkSystemOrRoot("set application restrictions");
++        String validationResult = validateName(packageName);
++        if (validationResult != null) {
++            if (packageName.contains("../")) {
++                EventLog.writeEvent(0x534e4554, "239701237", -1, "");
++            }
++            throw new IllegalArgumentException("Invalid package name: " + validationResult);
++        }
+         if (restrictions != null) {
+             restrictions.setDefusable(true);
+         }
+@@ -3123,6 +3131,39 @@ public class UserManagerService extends IUserManager.Stub {
+         mContext.sendBroadcastAsUser(changeIntent, UserHandle.of(userId));
+     }
+ 
++    /**
++     * Check if the given name is valid.
++     *
++     * Note: the logic is taken from FrameworkParsingPackageUtils in master, edited to remove
++     * unnecessary parts. Copied here for a security fix.
++     *
++     * @param name The name to check.
++     * @return null if it's valid, error message if not
++     */
++    @VisibleForTesting
++    static String validateName(String name) {
++        final int n = name.length();
++        boolean front = true;
++        for (int i = 0; i < n; i++) {
++            final char c = name.charAt(i);
++            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) {
++                front = false;
++                continue;
++            }
++            if (!front) {
++                if ((c >= '0' && c <= '9') || c == '_') {
++                    continue;
++                }
++                if (c == '.') {
++                    front = true;
++                    continue;
++                }
++            }
++            return "bad character '" + c + "'";
++        }
++        return null;
++    }
++
+     private int getUidForPackage(String packageName) {
+         long ident = Binder.clearCallingIdentity();
+         try {
+diff --git a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
+index d1366144d33b..8da7a76f18ce 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
++++ b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
+@@ -74,6 +74,13 @@ public class UserManagerServiceTest extends AndroidTestCase {
+         assertEquals(accountName, um.getUserAccount(tempUserId));
+     }
+ 
++    public void testValidateName() {
++        assertNull(UserManagerService.validateName("android"));
++        assertNull(UserManagerService.validateName("com.company.myapp"));
++        assertNotNull(UserManagerService.validateName("/../../data"));
++        assertNotNull(UserManagerService.validateName("/dir"));
++    }
++
+     private Bundle createBundle() {
+         Bundle result = new Bundle();
+         // Tests for 6 allowed types: Integer, Boolean, String, String[], Bundle and Parcelable[]

Patches/LineageOS-16.0/android_frameworks_base/345896.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Norman <danielnorman@google.com>
+Date: Thu, 1 Sep 2022 10:14:24 -0700
+Subject: [PATCH] Include all enabled services when FEEDBACK_ALL_MASK.
+
+Bug: 243849844
+Test: m sts;
+      sts-tradefed run sts-dynamic-develop -m CtsAccessibilityTestCases
+Change-Id: I4f93e06d1066085bd64e8f09882de2f4a72a0633
+(cherry picked from commit 2bc4d49c2b0265f5de1c62d1342b1426cc5e1377)
+Merged-In: I4f93e06d1066085bd64e8f09882de2f4a72a0633
+---
+ .../server/accessibility/AccessibilityManagerService.java      | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 7798cf7af3cb..58a1beed70c9 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -620,7 +620,8 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub
+             final List<AccessibilityServiceInfo> result = new ArrayList<>(serviceCount);
+             for (int i = 0; i < serviceCount; ++i) {
+                 final AccessibilityServiceConnection service = services.get(i);
+-                if ((service.mFeedbackType & feedbackType) != 0) {
++                if ((service.mFeedbackType & feedbackType) != 0
++                        || feedbackType == AccessibilityServiceInfo.FEEDBACK_ALL_MASK) {
+                     result.add(service.getServiceInfo());
+                 }
+             }

Patches/LineageOS-16.0/android_frameworks_base/345897.patch

@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Songchun Fan <schfan@google.com>
+Date: Fri, 9 Sep 2022 14:50:31 -0700
+Subject: [PATCH] forbid deletion of protected packages
+
+BUG: 242996180
+Test: adb shell pm uninstall --user 0 com.google.android.apps.work.oobconfig
+Test: Verified with the command above. Before this CL, the package can
+be deleted. After this CL, the deletion will fail.
+
+Change-Id: Iba408e536b340ea5d66ab499442c0c4f828fa36f
+(cherry picked from commit 15f85c7fa97fe9faa540e6ad9e850990f46a5cca)
+Merged-In: Iba408e536b340ea5d66ab499442c0c4f828fa36f
+(cherry picked from commit 2e42c393f2d5521d20acd9281d411a0fbc6196c3)
+Merged-In: Iba408e536b340ea5d66ab499442c0c4f828fa36f
+---
+ .../android/server/pm/PackageManagerService.java   | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index c873f82d740c..4cd38c15ce52 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -18144,6 +18144,20 @@ public class PackageManagerService extends IPackageManager.Stub
+ 
+         final String packageName = versionedPackage.getPackageName();
+         final long versionCode = versionedPackage.getLongVersionCode();
++
++        if (mProtectedPackages.isPackageStateProtected(userId, packageName)) {
++            mHandler.post(() -> {
++                try {
++                    Slog.w(TAG, "Attempted to delete protected package: " + packageName);
++                    observer.onPackageDeleted(packageName,
++                            PackageManager.DELETE_FAILED_INTERNAL_ERROR, null);
++                } catch (RemoteException re) {
++                }
++            });
++            return;
++        }
++
++
+         final String internalPackageName;
+         synchronized (mPackages) {
+             // Normalize package name to handle renamed packages and static libs

Patches/LineageOS-16.0/android_frameworks_base/345898.patch

@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Tue, 6 Sep 2022 10:19:06 -0400
+Subject: [PATCH] Fix NPE
+
+Test: NotificationChannelGroupTest
+Test: view notification settings for an app that doesn't use groups
+Fixes: 244574602
+Bug: 241764350
+Bug: 241764340
+Bug: 241764135
+Bug: 242702935
+Bug: 242703118
+Bug: 242703202
+Bug: 242702851
+Bug: 242703217
+Bug: 242703556
+Change-Id: I9c681106f6d645e62b0e44903d40aa523fee0e95
+(cherry picked from commit 6f02c07176d0fa4d6985c8f2200ccf49a1657d1c)
+(cherry picked from commit a37554289731f0d52923123697d55074b0f41748)
+Merged-In: I9c681106f6d645e62b0e44903d40aa523fee0e95
+---
+ .../android/app/NotificationChannelGroup.java    | 14 +++++++++++---
+ .../app/NotificationChannelGroupTest.java        | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/core/java/android/app/NotificationChannelGroup.java b/core/java/android/app/NotificationChannelGroup.java
+index 14c8be38b8a4..87565312448c 100644
+--- a/core/java/android/app/NotificationChannelGroup.java
++++ b/core/java/android/app/NotificationChannelGroup.java
+@@ -80,8 +80,11 @@ public final class NotificationChannelGroup implements Parcelable {
+         } else {
+             mId = null;
+         }
+-        mName = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(in);
+-        mName = getTrimmedString(mName.toString());
++        if (in.readByte() != 0) {
++            mName = getTrimmedString(in.readString());
++        } else {
++            mName = "";
++        }
+         if (in.readByte() != 0) {
+             mDescription = getTrimmedString(in.readString());
+         } else {
+@@ -106,7 +109,12 @@ public final class NotificationChannelGroup implements Parcelable {
+         } else {
+             dest.writeByte((byte) 0);
+         }
+-        TextUtils.writeToParcel(mName.toString(), dest, flags);
++        if (mName != null) {
++            dest.writeByte((byte) 1);
++            dest.writeString(mName.toString());
++        } else {
++            dest.writeByte((byte) 0);
++        }
+         if (mDescription != null) {
+             dest.writeByte((byte) 1);
+             dest.writeString(mDescription);
+diff --git a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+index 2a3da05eabb3..625c66a4c60e 100644
+--- a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
++++ b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+@@ -17,9 +17,11 @@
+ package android.app;
+ 
+ import static junit.framework.TestCase.assertEquals;
++import static junit.framework.TestCase.assertTrue;
+ 
+ import android.os.Parcel;
+ import android.test.AndroidTestCase;
++import android.text.TextUtils;
+ 
+ import androidx.test.filters.SmallTest;
+ import androidx.test.runner.AndroidJUnit4;
+@@ -70,4 +72,18 @@ public class NotificationChannelGroupTest {
+         assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH,
+                 fromParcel.getDescription().length());
+     }
++
++    @Test
++    public void testNullableFields() {
++        NotificationChannelGroup group = new NotificationChannelGroup("my_group_01", null);
++
++        Parcel parcel = Parcel.obtain();
++        group.writeToParcel(parcel, 0);
++        parcel.setDataPosition(0);
++
++        NotificationChannelGroup fromParcel =
++                NotificationChannelGroup.CREATOR.createFromParcel(parcel);
++        assertEquals(group.getId(), fromParcel.getId());
++        assertTrue(TextUtils.isEmpty(fromParcel.getName()));
++    }
+ }

Patches/LineageOS-16.0/android_frameworks_base/345899.patch

@@ -0,0 +1,52 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Thu, 14 Jul 2022 11:25:54 -0700
+Subject: [PATCH] Fix a security issue in app widget service.
+
+Bug: 234013191
+Test: atest RemoteViewsAdapterTest
+Change-Id: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20
+Merged-In: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20
+(cherry picked from commit 263d7d0ba8818c471a27938c4e002bae33569f01)
+(cherry picked from commit 0ee21ef3e652c78c934d257632a4951bd6d38011)
+Merged-In: Icd2eccb7a90124aca18a3dd463c3f79e3a595c20
+---
+ core/java/android/appwidget/AppWidgetManager.java          | 4 +++-
+ .../com/android/server/appwidget/AppWidgetServiceImpl.java | 7 ++++---
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/core/java/android/appwidget/AppWidgetManager.java b/core/java/android/appwidget/AppWidgetManager.java
+index 20248b90d1e9..b8d33b1c8a17 100644
+--- a/core/java/android/appwidget/AppWidgetManager.java
++++ b/core/java/android/appwidget/AppWidgetManager.java
+@@ -1089,7 +1089,9 @@ public class AppWidgetManager {
+      * @param intent        The intent of the service which will be providing the data to the
+      *                      RemoteViewsAdapter.
+      * @param connection    The callback interface to be notified when a connection is made or lost.
+-     * @param flags         Flags used for binding to the service
++     * @param flags         Flags used for binding to the service. Currently only
++     *                     {@link Context#BIND_AUTO_CREATE} and
++     *                     {@link Context#BIND_FOREGROUND_SERVICE_WHILE_AWAKE} are supported.
+      *
+      * @see Context#getServiceDispatcher(ServiceConnection, Handler, int)
+      * @hide
+diff --git a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+index da52d408e125..9c18029ec693 100644
+--- a/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
++++ b/services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java
+@@ -1299,11 +1299,12 @@ class AppWidgetServiceImpl extends IAppWidgetService.Stub implements WidgetBacku
+             try {
+                 // Ask ActivityManager to bind it. Notice that we are binding the service with the
+                 // caller app instead of DevicePolicyManagerService.
+-                if(ActivityManager.getService().bindService(
++                if (ActivityManager.getService().bindService(
+                         caller, activtiyToken, intent,
+                         intent.resolveTypeIfNeeded(mContext.getContentResolver()),
+-                        connection, flags, mContext.getOpPackageName(),
+-                        widget.provider.getUserId()) != 0) {
++                        connection, flags & (Context.BIND_AUTO_CREATE
++                                | Context.BIND_FOREGROUND_SERVICE_WHILE_AWAKE),
++                        mContext.getOpPackageName(), widget.provider.getUserId()) != 0) {
+ 
+                     // Add it to the mapping of RemoteViewsService to appWidgetIds so that we
+                     // can determine when we can call back to the RemoteViewsService later to

Patches/LineageOS-16.0/android_frameworks_base/345900.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Wed, 21 Sep 2022 23:03:11 +0000
+Subject: [PATCH] Ignore malformed shortcuts
+
+After an app publishes a shortcut that contains malformed intent, the
+system can be stuck in boot-loop due to uncaught exception caused by
+parsing the malformed intent.
+
+This CL ignores that particular malformed entry. Since shortcuts are
+constantly writes back into the xml from system memory, the malformed
+entry will be removed from the xml the next time system persists
+shortcuts from memory to file system.
+
+Bug: 246540168
+Change-Id: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
+Test: manual
+(cherry picked from commit 9b0dd514d29bbf986f1d1a3c6cebc2ef2bcf782e)
+Merged-In: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
+---
+ .../com/android/server/pm/ShortcutPackage.java     | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
+index 92e261a72617..320cd382c2fc 100644
+--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
+@@ -1486,11 +1486,15 @@ class ShortcutPackage extends ShortcutPackageItem {
+ 
+                         continue;
+                     case TAG_SHORTCUT:
+-                        final ShortcutInfo si = parseShortcut(parser, packageName,
+-                                shortcutUser.getUserId(), fromBackup);
+-
+-                        // Don't use addShortcut(), we don't need to save the icon.
+-                        ret.mShortcuts.put(si.getId(), si);
++                        try {
++                            final ShortcutInfo si = parseShortcut(parser, packageName,
++                                    shortcutUser.getUserId(), fromBackup);
++                            // Don't use addShortcut(), we don't need to save the icon.
++                            ret.mShortcuts.put(si.getId(), si);
++                        } catch (Exception e) {
++                            // b/246540168 malformed shortcuts should be ignored
++                            Slog.e(TAG, "Failed parsing shortcut.", e);
++                        }
+                         continue;
+                 }
+             }

Patches/LineageOS-16.0/android_frameworks_base/345901.patch

@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rhed Jao <rhedjao@google.com>
+Date: Mon, 26 Sep 2022 21:35:26 +0800
+Subject: [PATCH] Fix permanent denial of service via
+ setComponentEnabledSetting
+
+Do not update invalid component enabled settings to prevent the
+malicious apps from exhausting system server memory.
+
+Bug: 240936919
+Test: atest android.security.cts.PackageManagerTest
+Change-Id: I08165337895e89f13a2b9fcce1201cba9ad13d7d
+(cherry picked from commit 4d13148a3fa5f6bc1b7038fae7d1f1adda163a9f)
+Merged-In: I08165337895e89f13a2b9fcce1201cba9ad13d7d
+---
+ .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 4cd38c15ce52..5b454f2d8939 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -21244,6 +21244,9 @@ Slog.v(TAG, ":: stepped forward, applying functor at tag " + parser.getName());
+                     } else {
+                         Slog.w(TAG, "Failed setComponentEnabledSetting: component class "
+                                 + className + " does not exist in " + packageName);
++                        // Safetynet logging for b/240936919
++                        EventLog.writeEvent(0x534e4554, "240936919", callingUid);
++                        return;
+                     }
+                 }
+                 switch (newState) {

Patches/LineageOS-16.0/android_frameworks_base/345902.patch

@@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hao Ke <haok@google.com>
+Date: Tue, 4 Oct 2022 19:43:58 +0000
+Subject: [PATCH] Add safety checks on KEY_INTENT mismatch.
+
+For many years, Parcel mismatch typed exploits has been using the
+AccoungManagerService's passing of KEY_INTENT workflow, as a foothold of
+launching arbitrary intents. We are adding an extra check on the service
+side to simulate the final deserialization of the KEY_INTENT value, to
+make sure the client side won't get a mismatched KEY_INTENT value.
+
+Bug: 250588548
+Bug: 240138294
+Test: atest CtsAccountManagerTestCases
+Test: local test, also see b/250588548
+Change-Id: I433e34f6e21ce15c89825044a15b1dec46bb25cc
+(cherry picked from commit eb9a0566a583fa13f8aff671c41f78a9e33eab82)
+Merged-In: I433e34f6e21ce15c89825044a15b1dec46bb25cc
+---
+ .../accounts/AccountManagerService.java       | 34 ++++++++++++++++---
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 4c8acc5ffb63..c1f401e9a11f 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -87,6 +87,7 @@ import android.os.SystemClock;
+ import android.os.UserHandle;
+ import android.os.UserManager;
+ import android.text.TextUtils;
++import android.util.EventLog;
+ import android.util.Log;
+ import android.util.Pair;
+ import android.util.Slog;
+@@ -3001,7 +3002,7 @@ public class AccountManagerService
+                              */
+                             if (!checkKeyIntent(
+                                     Binder.getCallingUid(),
+-                                    intent)) {
++                                    result)) {
+                                 onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                                         "invalid intent in bundle returned");
+                                 return;
+@@ -3411,7 +3412,7 @@ public class AccountManagerService
+                     && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+-                        intent)) {
++                        result)) {
+                     onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                             "invalid intent in bundle returned");
+                     return;
+@@ -4771,7 +4772,13 @@ public class AccountManagerService
+          * into launching arbitrary intents on the device via by tricking to click authenticator
+          * supplied entries in the system Settings app.
+          */
+-         protected boolean checkKeyIntent(int authUid, Intent intent) {
++        protected boolean checkKeyIntent(int authUid, Bundle bundle) {
++            if (!checkKeyIntentParceledCorrectly(bundle)) {
++            	EventLog.writeEvent(0x534e4554, "250588548", authUid, "");
++                return false;
++            }
++
++            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+             // Explicitly set an empty ClipData to ensure that we don't offer to
+             // promote any Uris contained inside for granting purposes
+             if (intent.getClipData() == null) {
+@@ -4808,6 +4815,25 @@ public class AccountManagerService
+             }
+         }
+ 
++        /**
++         * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't
++         * violate our security policy.
++         *
++         * In particular we want to make sure the Authenticator doesn't trick users
++         * into launching arbitrary intents on the device via exploiting any other Parcel read/write
++         * mismatch problems.
++         */
++        private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
++            Parcel p = Parcel.obtain();
++            p.writeBundle(bundle);
++            p.setDataPosition(0);
++            Bundle simulateBundle = p.readBundle();
++            p.recycle();
++            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
++            Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
++            return (intent.filterEquals(simulateIntent));
++        }
++
+         private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
+             String className = activityInfo.name;
+             return "android".equals(activityInfo.packageName) &&
+@@ -4954,7 +4980,7 @@ public class AccountManagerService
+                     && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+-                        intent)) {
++                        result)) {
+                     onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                             "invalid intent in bundle returned");
+                     return;

Patches/LineageOS-16.0/android_frameworks_base/347044.patch

@@ -0,0 +1,86 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yuri Lin <yurilin@google.com>
+Date: Tue, 13 Sep 2022 12:53:19 -0400
+Subject: [PATCH] Limit lengths of fields in Condition to a max length.
+
+This app-generated input needs to not be too long to avoid errors in the process of writing to disk.
+
+Bug: 242846316
+Test: cts ConditionTest; atest ConditionTest; manually verified exploit apk is OK
+
+Change-Id: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
+Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
+(cherry picked from commit 81352c3775949c622441e10b468766441e35edc7)
+(cherry picked from commit 5cb217fff3bc7184bd776a9dc2991e7fce5e25bd)
+Merged-In: Ic2fa8f06cc7a4c1f262115764fbd1be2a226b4b9
+---
+ .../service/notification/Condition.java       | 38 +++++++++++++++++--
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/core/java/android/service/notification/Condition.java b/core/java/android/service/notification/Condition.java
+index 5a7a83f19b0c..10a7f5afaa50 100644
+--- a/core/java/android/service/notification/Condition.java
++++ b/core/java/android/service/notification/Condition.java
+@@ -99,6 +99,12 @@ public final class Condition implements Parcelable {
+     @SystemApi
+     public final int icon;
+ 
++    /**
++     * The maximum string length for any string contained in this condition.
++     * @hide
++     */
++    public static final int MAX_STRING_LENGTH = 1000;
++
+     /**
+      * An object representing the current state of a {@link android.app.AutomaticZenRule}.
+      * @param id the {@link android.app.AutomaticZenRule#getConditionId()} of the zen rule
+@@ -114,16 +120,19 @@ public final class Condition implements Parcelable {
+         if (id == null) throw new IllegalArgumentException("id is required");
+         if (summary == null) throw new IllegalArgumentException("summary is required");
+         if (!isValidState(state)) throw new IllegalArgumentException("state is invalid: " + state);
+-        this.id = id;
+-        this.summary = summary;
+-        this.line1 = line1;
+-        this.line2 = line2;
++        this.id = getTrimmedUri(id);
++        this.summary = getTrimmedString(summary);
++        this.line1 = getTrimmedString(line1);
++        this.line2 = getTrimmedString(line2);
+         this.icon = icon;
+         this.state = state;
+         this.flags = flags;
+     }
+ 
+     public Condition(Parcel source) {
++        // This constructor passes all fields directly into the constructor that takes all the
++        // fields as arguments; that constructor will trim each of the input strings to
++        // max length if necessary.
+         this((Uri)source.readParcelable(Condition.class.getClassLoader()),
+                 source.readString(),
+                 source.readString(),
+@@ -255,4 +264,25 @@ public final class Condition implements Parcelable {
+             return new Condition[size];
+         }
+     };
++
++    /**
++     * Returns a truncated copy of the string if the string is longer than MAX_STRING_LENGTH.
++     */
++    private static String getTrimmedString(String input) {
++        if (input != null && input.length() > MAX_STRING_LENGTH) {
++            return input.substring(0, MAX_STRING_LENGTH);
++        }
++        return input;
++    }
++
++    /**
++     * Returns a truncated copy of the Uri by trimming the string representation to the maximum
++     * string length.
++     */
++    private static Uri getTrimmedUri(Uri input) {
++        if (input != null && input.toString().length() > MAX_STRING_LENGTH) {
++            return Uri.parse(getTrimmedString(input.toString()));
++        }
++        return input;
++    }
+ }

Patches/LineageOS-16.0/android_frameworks_base/347045.patch

@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Norman <danielnorman@google.com>
+Date: Wed, 5 Oct 2022 16:28:20 -0700
+Subject: [PATCH] RESTRICT AUTOMERGE Disable all A11yServices from an
+ uninstalled package.
+
+Previous logic would exit the loop after removing the first service
+matching the uninstalled package.
+
+Bug: 243378132
+Test: atest AccessibilityEndToEndTest
+Test: m sts;
+      sts-tradefed run sts-dynamic-develop -m \
+        CtsAccessibilityServiceTestCases
+Change-Id: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3
+(cherry picked from commit 37966299859153377e61a6a97b036388d231c2d0)
+Merged-In: I4ba30345d8600674ee8a9ea3ff411aecbf3655a3
+---
+ .../AccessibilityManagerService.java          | 24 ++++++++++---------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 58a1beed70c9..91d1b7576ca7 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -379,25 +379,27 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub
+                     }
+                     UserState userState = getUserStateLocked(userId);
+                     Iterator<ComponentName> it = userState.mEnabledServices.iterator();
++                    boolean anyServiceRemoved = false;
+                     while (it.hasNext()) {
+                         ComponentName comp = it.next();
+                         String compPkg = comp.getPackageName();
+                         if (compPkg.equals(packageName)) {
+                             it.remove();
+-                            // Update the enabled services setting.
+-                            persistComponentNamesToSettingLocked(
+-                                    Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
+-                                    userState.mEnabledServices, userId);
+-                            // Update the touch exploration granted services setting.
+                             userState.mTouchExplorationGrantedServices.remove(comp);
+-                            persistComponentNamesToSettingLocked(
+-                                    Settings.Secure.
+-                                    TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
+-                                    userState.mTouchExplorationGrantedServices, userId);
+-                            onUserStateChangedLocked(userState);
+-                            return;
++                            anyServiceRemoved = true;
+                         }
+                     }
++                    if (anyServiceRemoved) {
++                        // Update the enabled services setting.
++                        persistComponentNamesToSettingLocked(
++                                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
++                                userState.mEnabledServices, userId);
++                        // Update the touch exploration granted services setting.
++                        persistComponentNamesToSettingLocked(
++                                Settings.Secure.TOUCH_EXPLORATION_GRANTED_ACCESSIBILITY_SERVICES,
++                                userState.mTouchExplorationGrantedServices, userId);
++                        onUserStateChangedLocked(userState);
++                    }
+                 }
+             }
+ 

Patches/LineageOS-16.0/android_frameworks_base/347046.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yuri Lin <yurilin@google.com>
+Date: Wed, 12 Oct 2022 14:27:46 +0000
+Subject: [PATCH] Fix conditionId string trimming in AutomaticZenRule
+
+This change only applies to S branches and earlier.
+
+Bug: 253085433
+Bug: 242703460
+Bug: 242703505
+Bug: 242703780
+Bug: 242704043
+Bug: 243794204
+Test: AutomaticZenRuleTest
+Change-Id: Iae423d93b777df8946ecf1c3baf640fcf74990ec
+Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec
+(cherry picked from commit 303f6bde896877793370c1697fa8c8331b808e56)
+Merged-In: Iae423d93b777df8946ecf1c3baf640fcf74990ec
+---
+ core/java/android/app/AutomaticZenRule.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/app/AutomaticZenRule.java b/core/java/android/app/AutomaticZenRule.java
+index 29dd91ec1ad6..5998ab6fdaf4 100644
+--- a/core/java/android/app/AutomaticZenRule.java
++++ b/core/java/android/app/AutomaticZenRule.java
+@@ -80,7 +80,7 @@ public final class AutomaticZenRule implements Parcelable {
+             name = getTrimmedString(source.readString());
+         }
+         interruptionFilter = source.readInt();
+-        conditionId = source.readParcelable(null);
++        conditionId = getTrimmedUri(source.readParcelable(null));
+         owner = getTrimmedComponentName(source.readParcelable(null));
+         creationTime = source.readLong();
+     }

Patches/LineageOS-16.0/android_frameworks_base/347047.patch

@@ -0,0 +1,237 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Songchun Fan <schfan@google.com>
+Date: Wed, 17 Aug 2022 09:37:18 -0700
+Subject: [PATCH] mem limit should be checked before settings are updated
+
+Previously, a setting is updated before the memory usage limit
+check, which can be exploited by malicious apps and cause OoM DoS.
+
+This CL changes the logic to checkMemLimit -> update -> updateMemUsage.
+
+BUG: 239415861
+Test: atest com.android.providers.settings.SettingsStateTest
+
+(cherry picked from commit 8eeb92950f4a7012d4cf282106a1418fd211f475)
+Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4
+Change-Id: I20551a2dba9aa79efa0c064824f349f551c2c2e4
+(cherry picked from commit d85a42821075ad80b931d904bdc9c1d4c3129456)
+Merged-In: I20551a2dba9aa79efa0c064824f349f551c2c2e4
+---
+ .../providers/settings/SettingsState.java     | 75 ++++++++++++-------
+ .../providers/settings/SettingsStateTest.java | 43 ++++++++++-
+ 2 files changed, 90 insertions(+), 28 deletions(-)
+
+diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
+index 449946d7ab15..33b506468e11 100644
+--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
+@@ -358,9 +358,11 @@ final class SettingsState {
+             Setting newSetting = new Setting(name, oldSetting.getValue(), null,
+                     oldSetting.getPackageName(), oldSetting.getTag(), false,
+                     oldSetting.getId());
+-            mSettings.put(name, newSetting);
+-            updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
++            int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
+                     newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
++            checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
++            mSettings.put(name, newSetting);
++            updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
+             scheduleWriteIfNeededLocked();
+         }
+     }
+@@ -375,6 +377,12 @@ final class SettingsState {
+         Setting oldState = mSettings.get(name);
+         String oldValue = (oldState != null) ? oldState.value : null;
+         String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null;
++        String newDefaultValue = makeDefault ? value : oldDefaultValue;
++
++        int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value,
++                oldDefaultValue, newDefaultValue);
++        checkNewMemoryUsagePerPackageLocked(packageName, newSize);
++
+         Setting newState;
+ 
+         if (oldState != null) {
+@@ -392,8 +400,7 @@ final class SettingsState {
+ 
+         addHistoricalOperationLocked(HISTORICAL_OPERATION_UPDATE, newState);
+ 
+-        updateMemoryUsagePerPackageLocked(packageName, oldValue, value,
+-                oldDefaultValue, newState.getDefaultValue());
++        updateMemoryUsagePerPackageLocked(packageName, newSize);
+ 
+         scheduleWriteIfNeededLocked();
+ 
+@@ -413,13 +420,14 @@ final class SettingsState {
+         }
+ 
+         Setting oldState = mSettings.remove(name);
++        int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
++                null, oldState.defaultValue, null);
+ 
+         StatsLog.write(StatsLog.SETTING_CHANGED, name, /* value= */ "", /* newValue= */ "",
+             oldState.value, /* tag */ "", false, getUserIdFromKey(mKey),
+             StatsLog.SETTING_CHANGED__REASON__DELETED);
+ 
+-        updateMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
+-                null, oldState.defaultValue, null);
++        updateMemoryUsagePerPackageLocked(oldState.packageName, newSize);
+ 
+         addHistoricalOperationLocked(HISTORICAL_OPERATION_DELETE, oldState);
+ 
+@@ -439,16 +447,18 @@ final class SettingsState {
+         Setting oldSetting = new Setting(setting);
+         String oldValue = setting.getValue();
+         String oldDefaultValue = setting.getDefaultValue();
++        String newValue = oldDefaultValue;
++        String newDefaultValue = oldDefaultValue;
++
++        int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue,
++                newValue, oldDefaultValue, newDefaultValue);
++        checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize);
+ 
+         if (!setting.reset()) {
+             return false;
+         }
+ 
+-        String newValue = setting.getValue();
+-        String newDefaultValue = setting.getDefaultValue();
+-
+-        updateMemoryUsagePerPackageLocked(setting.packageName, oldValue,
+-                newValue, oldDefaultValue, newDefaultValue);
++        updateMemoryUsagePerPackageLocked(setting.packageName, newSize);
+ 
+         addHistoricalOperationLocked(HISTORICAL_OPERATION_RESET, oldSetting);
+ 
+@@ -553,38 +563,49 @@ final class SettingsState {
+         }
+     }
+ 
+-    private void updateMemoryUsagePerPackageLocked(String packageName, String oldValue,
+-            String newValue, String oldDefaultValue, String newDefaultValue) {
+-        if (mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED) {
+-            return;
+-        }
++    private boolean isExemptFromMemoryUsageCap(String packageName) {
++        return mMaxBytesPerAppPackage == MAX_BYTES_PER_APP_PACKAGE_UNLIMITED
++                || SYSTEM_PACKAGE_NAME.equals(packageName);
++    }
+ 
+-        if (SYSTEM_PACKAGE_NAME.equals(packageName)) {
++    @GuardedBy("mLock")
++    private void checkNewMemoryUsagePerPackageLocked(String packageName, int newSize)
++            throws IllegalStateException {
++        if (isExemptFromMemoryUsageCap(packageName)) {
+             return;
+         }
++        if (newSize > mMaxBytesPerAppPackage) {
++            throw new IllegalStateException("You are adding too many system settings. "
++                    + "You should stop using system settings for app specific data"
++                    + " package: " + packageName);
++        }
++    }
+ 
++    @GuardedBy("mLock")
++    private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue,
++            String newValue, String oldDefaultValue, String newDefaultValue) {
++        if (isExemptFromMemoryUsageCap(packageName)) {
++            return 0;
++        }
++        final Integer currentSize = mPackageToMemoryUsage.get(packageName);
+         final int oldValueSize = (oldValue != null) ? oldValue.length() : 0;
+         final int newValueSize = (newValue != null) ? newValue.length() : 0;
+         final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0;
+         final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0;
+         final int deltaSize = newValueSize + newDefaultValueSize
+                 - oldValueSize - oldDefaultValueSize;
++        return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0);
++    }
+ 
+-        Integer currentSize = mPackageToMemoryUsage.get(packageName);
+-        final int newSize = Math.max((currentSize != null)
+-                ? currentSize + deltaSize : deltaSize, 0);
+-
+-        if (newSize > mMaxBytesPerAppPackage) {
+-            throw new IllegalStateException("You are adding too many system settings. "
+-                    + "You should stop using system settings for app specific data"
+-                    + " package: " + packageName);
++    @GuardedBy("mLock")
++    private void updateMemoryUsagePerPackageLocked(String packageName, int newSize) {
++        if (isExemptFromMemoryUsageCap(packageName)) {
++            return;
+         }
+-
+         if (DEBUG) {
+             Slog.i(LOG_TAG, "Settings for package: " + packageName
+                     + " size: " + newSize + " bytes.");
+         }
+-
+         mPackageToMemoryUsage.put(packageName, newSize);
+     }
+ 
+diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
+index 3f68554ffe87..6f45adef91f7 100644
+--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
++++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
+@@ -21,6 +21,8 @@ import android.util.Xml;
+ 
+ import org.xmlpull.v1.XmlSerializer;
+ 
++import com.google.common.base.Strings;
++
+ import java.io.ByteArrayOutputStream;
+ import java.io.File;
+ import java.io.FileOutputStream;
+@@ -46,7 +48,6 @@ public class SettingsStateTest extends AndroidTestCase {
+             "\uD800ab\uDC00 " + // broken surrogate pairs
+             "日本語";
+ 
+-
+     public void testIsBinary() {
+         assertFalse(SettingsState.isBinary(" abc 日本語"));
+ 
+@@ -182,4 +183,44 @@ public class SettingsStateTest extends AndroidTestCase {
+             assertEquals("p2", s.getPackageName());
+         }
+     }
++
++    public void testInsertSetting_memoryUsage() {
++        final Object lock = new Object();
++	final File file = new File(getContext().getCacheDir(), "setting.xml");
++	final String settingName = "test_setting";
++
++        SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
++                SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper());
++        // No exception should be thrown when there is no cap
++        settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
++                null, false, "p1");
++        settingsState.deleteSettingLocked(settingName);
++
++        settingsState = new SettingsState(getContext(), lock, file, 1,
++                SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper());
++        // System package doesn't have memory usage limit
++        settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
++                null, false, "android");
++        settingsState.deleteSettingLocked(settingName);
++
++        // Should not throw if usage is under the cap
++        settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999),
++                null, false, "p1");
++        settingsState.deleteSettingLocked(settingName);
++        try {
++            settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
++                    null, false, "p1");
++            fail("Should throw because it exceeded per package memory usage");
++        } catch (IllegalStateException ex) {
++            assertTrue(ex.getMessage().contains("p1"));
++        }
++        try {
++            settingsState.insertSettingLocked(settingName, Strings.repeat("A", 20001),
++                    null, false, "p1");
++            fail("Should throw because it exceeded per package memory usage");
++        } catch (IllegalStateException ex) {
++            assertTrue(ex.getMessage().contains("p1"));
++        }
++        assertTrue(settingsState.getSettingLocked(settingName).isNull());
++    }
+ }

Patches/LineageOS-16.0/android_frameworks_base/347048.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nate Myren <ntmyren@google.com>
+Date: Wed, 26 Oct 2022 17:37:26 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Revert "Revert "RESTRICT AUTOMERGE
+ Validate permission tree size..."
+
+Revert submission 20285709-revert-20103164-permTree-qt-dev-QWIEBZIWEA
+
+Reason for revert: resubmission
+Reverted Changes:
+I0a3b68aff:Revert "RESTRICT AUTOMERGE Add PermissionMemoryFoo...
+I4e8ec8b1a:Revert "RESTRICT AUTOMERGE Validate permission tre...
+
+Change-Id: I3cd1aa270373bb32f95dfbe8422faa783ee49dca
+(cherry picked from commit 4e83e59b27f7d6232ee9fe96f789e32debc19772)
+Merged-In: I3cd1aa270373bb32f95dfbe8422faa783ee49dca
+---
+ .../android/server/pm/permission/PermissionManagerService.java  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index 79b2636481b3..a61f67d32452 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -688,8 +688,8 @@ public class PermissionManagerService {
+             BasePermission bp = mSettings.getPermissionLocked(info.name);
+             added = bp == null;
+             int fixedLevel = PermissionInfo.fixProtectionLevel(info.protectionLevel);
++            enforcePermissionCapLocked(info, tree);
+             if (added) {
+-                enforcePermissionCapLocked(info, tree);
+                 bp = new BasePermission(info.name, tree.getSourcePackageName(),
+                         BasePermission.TYPE_DYNAMIC);
+             } else if (!bp.isDynamic()) {

Patches/LineageOS-16.0/android_frameworks_base/347049.patch

@@ -0,0 +1,249 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Songchun Fan <schfan@google.com>
+Date: Tue, 11 Oct 2022 18:08:11 -0700
+Subject: [PATCH] key size limit for mutating settings
+
+Prior to targetSdk 22, apps could add random system settings keys which
+opens an opportunity for OOM attacks. This CL adds a key size limit.
+
+BUG: 239415997
+Test: manual; will add cts test
+Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
+Change-Id: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
+(cherry picked from commit 783bcba343c480f6ccedaaff41ba7171a1082e0c)
+(cherry picked from commit f1831c87122e56951c04e1f62f647ab156ca71e3)
+Merged-In: Ic9e88c0cc3d7206c64ba5b5c7d15b50d1ffc9adc
+---
+ .../providers/settings/SettingsState.java     |  40 ++++---
+ .../providers/settings/SettingsStateTest.java | 102 +++++++++++++++++-
+ 2 files changed, 126 insertions(+), 16 deletions(-)
+
+diff --git a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
+index 33b506468e11..c27c43d0cdc7 100644
+--- a/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
++++ b/packages/SettingsProvider/src/com/android/providers/settings/SettingsState.java
+@@ -48,6 +48,7 @@ import android.util.Xml;
+ import android.util.proto.ProtoOutputStream;
+ 
+ import com.android.internal.annotations.GuardedBy;
++import com.android.internal.annotations.VisibleForTesting;
+ import com.android.internal.util.ArrayUtils;
+ import com.android.server.LocalServices;
+ 
+@@ -358,8 +359,8 @@ final class SettingsState {
+             Setting newSetting = new Setting(name, oldSetting.getValue(), null,
+                     oldSetting.getPackageName(), oldSetting.getTag(), false,
+                     oldSetting.getId());
+-            int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), oldValue,
+-                    newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
++            int newSize = getNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), 0,
++                    oldValue, newSetting.getValue(), oldDefaultValue, newSetting.getDefaultValue());
+             checkNewMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
+             mSettings.put(name, newSetting);
+             updateMemoryUsagePerPackageLocked(newSetting.getPackageName(), newSize);
+@@ -379,8 +380,9 @@ final class SettingsState {
+         String oldDefaultValue = (oldState != null) ? oldState.defaultValue : null;
+         String newDefaultValue = makeDefault ? value : oldDefaultValue;
+ 
+-        int newSize = getNewMemoryUsagePerPackageLocked(packageName, oldValue, value,
+-                oldDefaultValue, newDefaultValue);
++        int newSize = getNewMemoryUsagePerPackageLocked(packageName,
++                oldValue == null ? name.length() : 0 /* deltaKeySize */,
++                oldValue, value, oldDefaultValue, newDefaultValue);
+         checkNewMemoryUsagePerPackageLocked(packageName, newSize);
+ 
+         Setting newState;
+@@ -420,8 +422,12 @@ final class SettingsState {
+         }
+ 
+         Setting oldState = mSettings.remove(name);
+-        int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName, oldState.value,
+-                null, oldState.defaultValue, null);
++        if (oldState == null) {
++            return false;
++        }
++        int newSize = getNewMemoryUsagePerPackageLocked(oldState.packageName,
++                -name.length() /* deltaKeySize */,
++                oldState.value, null, oldState.defaultValue, null);
+ 
+         StatsLog.write(StatsLog.SETTING_CHANGED, name, /* value= */ "", /* newValue= */ "",
+             oldState.value, /* tag */ "", false, getUserIdFromKey(mKey),
+@@ -443,15 +449,16 @@ final class SettingsState {
+         }
+ 
+         Setting setting = mSettings.get(name);
++        if (setting == null) {
++            return false;
++        }
+ 
+         Setting oldSetting = new Setting(setting);
+         String oldValue = setting.getValue();
+         String oldDefaultValue = setting.getDefaultValue();
+-        String newValue = oldDefaultValue;
+-        String newDefaultValue = oldDefaultValue;
+ 
+-        int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, oldValue,
+-                newValue, oldDefaultValue, newDefaultValue);
++        int newSize = getNewMemoryUsagePerPackageLocked(setting.packageName, 0, oldValue,
++                oldDefaultValue, oldDefaultValue, oldDefaultValue);
+         checkNewMemoryUsagePerPackageLocked(setting.packageName, newSize);
+ 
+         if (!setting.reset()) {
+@@ -582,8 +589,8 @@ final class SettingsState {
+     }
+ 
+     @GuardedBy("mLock")
+-    private int getNewMemoryUsagePerPackageLocked(String packageName, String oldValue,
+-            String newValue, String oldDefaultValue, String newDefaultValue) {
++    private int getNewMemoryUsagePerPackageLocked(String packageName, int deltaKeySize,
++            String oldValue, String newValue, String oldDefaultValue, String newDefaultValue) {
+         if (isExemptFromMemoryUsageCap(packageName)) {
+             return 0;
+         }
+@@ -592,7 +599,7 @@ final class SettingsState {
+         final int newValueSize = (newValue != null) ? newValue.length() : 0;
+         final int oldDefaultValueSize = (oldDefaultValue != null) ? oldDefaultValue.length() : 0;
+         final int newDefaultValueSize = (newDefaultValue != null) ? newDefaultValue.length() : 0;
+-        final int deltaSize = newValueSize + newDefaultValueSize
++        final int deltaSize = deltaKeySize + newValueSize + newDefaultValueSize
+                 - oldValueSize - oldDefaultValueSize;
+         return Math.max((currentSize != null) ? currentSize + deltaSize : deltaSize, 0);
+     }
+@@ -1216,4 +1223,11 @@ final class SettingsState {
+             return false;
+         }
+     }
++
++    @VisibleForTesting
++    public int getMemoryUsage(String packageName) {
++        synchronized (mLock) {
++            return mPackageToMemoryUsage.getOrDefault(packageName, 0);
++        }
++    }
+ }
+diff --git a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
+index 6f45adef91f7..adb356726eec 100644
+--- a/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
++++ b/packages/SettingsProvider/test/src/com/android/providers/settings/SettingsStateTest.java
+@@ -186,8 +186,8 @@ public class SettingsStateTest extends AndroidTestCase {
+ 
+     public void testInsertSetting_memoryUsage() {
+         final Object lock = new Object();
+-	final File file = new File(getContext().getCacheDir(), "setting.xml");
+-	final String settingName = "test_setting";
++        final File file = new File(getContext().getCacheDir(), "setting.xml");
++        final String settingName = "test_setting";
+ 
+         SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
+                 SettingsState.MAX_BYTES_PER_APP_PACKAGE_UNLIMITED, Looper.getMainLooper());
+@@ -204,7 +204,7 @@ public class SettingsStateTest extends AndroidTestCase {
+         settingsState.deleteSettingLocked(settingName);
+ 
+         // Should not throw if usage is under the cap
+-        settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19999),
++        settingsState.insertSettingLocked(settingName, Strings.repeat("A", 19975),
+                 null, false, "p1");
+         settingsState.deleteSettingLocked(settingName);
+         try {
+@@ -222,5 +222,101 @@ public class SettingsStateTest extends AndroidTestCase {
+             assertTrue(ex.getMessage().contains("p1"));
+         }
+         assertTrue(settingsState.getSettingLocked(settingName).isNull());
++        try {
++            settingsState.insertSettingLocked(Strings.repeat("A", 20001), "",
++                    null, false, "p1");
++            fail("Should throw because it exceeded per package memory usage");
++        } catch (IllegalStateException ex) {
++            assertTrue(ex.getMessage().contains("You are adding too many system settings"));
++        }
++    }
++
++    public void testMemoryUsagePerPackage() {
++        final Object lock = new Object();
++        final File file = new File(getContext().getCacheDir(), "setting.xml");
++        final String testPackage = "package";
++        SettingsState settingsState = new SettingsState(getContext(), lock, file, 1,
++                SettingsState.MAX_BYTES_PER_APP_PACKAGE_LIMITED, Looper.getMainLooper());
++
++        // Test inserting one key with default
++        final String settingName = "test_setting";
++        final String testKey1 = settingName;
++        final String testValue1 = Strings.repeat("A", 100);
++        settingsState.insertSettingLocked(testKey1, testValue1, null, true, testPackage);
++        int expectedMemUsage = testKey1.length() + testValue1.length()
++                + testValue1.length() /* size for default */;
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test inserting another key
++        final String testKey2 = settingName + "2";
++        settingsState.insertSettingLocked(testKey2, testValue1, null, false, testPackage);
++        expectedMemUsage += testKey2.length() + testValue1.length();
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test updating first key with new default
++        final String testValue2 = Strings.repeat("A", 300);
++        settingsState.insertSettingLocked(testKey1, testValue2, null, true, testPackage);
++        expectedMemUsage += (testValue2.length() - testValue1.length()) * 2;
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test updating first key without new default
++        final String testValue3 = Strings.repeat("A", 50);
++        settingsState.insertSettingLocked(testKey1, testValue3, null, false, testPackage);
++        expectedMemUsage -= testValue2.length() - testValue3.length();
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test updating second key
++        settingsState.insertSettingLocked(testKey2, testValue2, null, false, testPackage);
++        expectedMemUsage -= testValue1.length() - testValue2.length();
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test resetting key
++        settingsState.resetSettingLocked(testKey1);
++        expectedMemUsage += testValue2.length() - testValue3.length();
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test resetting default value
++        settingsState.resetSettingDefaultValueLocked(testKey1);
++        expectedMemUsage -= testValue2.length();
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test deletion
++        settingsState.deleteSettingLocked(testKey2);
++        expectedMemUsage -= testValue2.length() + testKey2.length() /* key is deleted too */;
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test another package with a different key
++        final String testPackage2 = testPackage + "2";
++        final String testKey3 = settingName + "3";
++        settingsState.insertSettingLocked(testKey3, testValue1, null, true, testPackage2);
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++        final int expectedMemUsage2 = testKey3.length() + testValue1.length() * 2;
++        assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2));
++
++        // Test system package
++        settingsState.insertSettingLocked(testKey1, testValue1, null, true, "android");
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++        assertEquals(expectedMemUsage2, settingsState.getMemoryUsage(testPackage2));
++        assertEquals(0, settingsState.getMemoryUsage("android"));
++
++        // Test invalid value
++        try {
++            settingsState.insertSettingLocked(testKey1, Strings.repeat("A", 20001), null, false,
++                    testPackage);
++            fail("Should throw because it exceeded per package memory usage");
++        } catch (IllegalStateException ex) {
++            assertTrue(ex.getMessage().contains("You are adding too many system settings"));
++        }
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
++
++        // Test invalid key
++        try {
++            settingsState.insertSettingLocked(Strings.repeat("A", 20001), "", null, false,
++                    testPackage);
++            fail("Should throw because it exceeded per package memory usage");
++        } catch (IllegalStateException ex) {
++            assertTrue(ex.getMessage().contains("You are adding too many system settings"));
++        }
++        assertEquals(expectedMemUsage, settingsState.getMemoryUsage(testPackage));
+     }
+ }

Patches/LineageOS-16.0/android_frameworks_base/347050.patch

@@ -0,0 +1,129 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nate Myren <ntmyren@google.com>
+Date: Fri, 23 Sep 2022 12:04:57 -0700
+Subject: [PATCH] RESTRICT AUTOMERGE Revoke SYSTEM_ALERT_WINDOW on upgrade past
+ api 23
+
+Bug: 221040577
+Test: atest PermissionTest23#testPre23AppsWithSystemAlertWindowGetDeniedOnUpgrade
+Change-Id: I4b4605aaae107875811070dea6d031c5d9f25c96
+(cherry picked from commit f6ba142a84a38014e56c3178f0aa322a377b77cd)
+Merged-In: I4b4605aaae107875811070dea6d031c5d9f25c96
+---
+ .../server/pm/PackageManagerService.java      |  4 +-
+ .../permission/PermissionManagerInternal.java | 20 ++++-----
+ .../permission/PermissionManagerService.java  | 44 ++++++++++++++++++-
+ 3 files changed, 54 insertions(+), 14 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 5b454f2d8939..25f70b23e68f 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -11812,8 +11812,8 @@ public class PackageManagerService extends IPackageManager.Stub
+ 
+                 AsyncTask.execute(() -> {
+                     if (hasOldPkg) {
+-                        mPermissionManager.revokeRuntimePermissionsIfGroupChanged(pkg, oldPkg,
+-                                allPackageNames, mPermissionCallback);
++                        mPermissionManager.onPackageUpdated(pkg, oldPkg, allPackageNames,
++                                 mPermissionCallback);
+                     }
+                     if (hasPermissionDefinitionChanges) {
+                         mPermissionManager.revokeRuntimePermissionsIfPermissionDefinitionChanged(
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerInternal.java b/services/core/java/com/android/server/pm/permission/PermissionManagerInternal.java
+index 185e0e1fda5f..0f98126171d8 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerInternal.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerInternal.java
+@@ -91,17 +91,15 @@ public abstract class PermissionManagerInternal {
+     public abstract void updateAllPermissions(@Nullable String volumeUuid, boolean sdkUpdated,
+             @NonNull Collection<PackageParser.Package> allPacakges, PermissionCallback callback);
+ 
+-    /**
+-     * We might auto-grant permissions if any permission of the group is already granted. Hence if
+-     * the group of a granted permission changes we need to revoke it to avoid having permissions of
+-     * the new group auto-granted.
+-     *
+-     * @param newPackage The new package that was installed
+-     * @param oldPackage The old package that was updated
+-     * @param allPackageNames All packages
+-     * @param permissionCallback Callback for permission changed
+-     */
+-    public abstract void revokeRuntimePermissionsIfGroupChanged(
++     /**
++      * If the app is updated, then some checks need to be performed to ensure the package is not 
++      * attempting to expoit permission changes across API boundaries.
++      * @param newPackage The new package that was installed
++      * @param oldPackage The old package that was updated
++      * @param allPackageNames The current packages in the system
++      * @param permissionCallback Callback for permission changed
++      */
++    public abstract void onPackageUpdated(
+             @NonNull PackageParser.Package newPackage,
+             @NonNull PackageParser.Package oldPackage,
+             @NonNull ArrayList<String> allPackageNames,
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index a61f67d32452..bdfe64c2c348 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -392,6 +392,46 @@ public class PermissionManagerService {
+         return protectionLevel;
+     }
+ 
++    /**
++     * If the package was below api 23, got the SYSTEM_ALERT_WINDOW permission automatically, and
++     * then updated past api 23, and the app does not satisfy any of the other SAW permission flags,
++     * the permission should be revoked.
++     *
++     * @param newPackage The new package that was installed
++     * @param oldPackage The old package that was updated
++     */
++    private void revokeSystemAlertWindowIfUpgradedPast23(
++            @NonNull PackageParser.Package newPackage,
++            @NonNull PackageParser.Package oldPackage,
++            @NonNull PermissionCallback permissionCallback) {
++        if (oldPackage.applicationInfo.targetSdkVersion >= Build.VERSION_CODES.M
++                || newPackage.applicationInfo.targetSdkVersion < Build.VERSION_CODES.M
++                || !newPackage.requestedPermissions
++                .contains(Manifest.permission.SYSTEM_ALERT_WINDOW)) {
++            return;
++        }
++
++        BasePermission saw;
++        final int callingUid = Binder.getCallingUid();
++        synchronized (mLock) {
++            saw = mSettings.getPermissionLocked(Manifest.permission.SYSTEM_ALERT_WINDOW);
++        }
++        final PackageSetting ps = (PackageSetting) newPackage.mExtras;
++        if (grantSignaturePermission(Manifest.permission.SYSTEM_ALERT_WINDOW, newPackage, saw,
++                ps.getPermissionsState())) {
++            return;
++        }
++        for (int userId: mUserManagerInt.getUserIds()) {
++            try {
++                revokeRuntimePermission(Manifest.permission.SYSTEM_ALERT_WINDOW,
++                        newPackage.packageName, false, callingUid, userId, permissionCallback);
++            } catch (IllegalStateException | SecurityException e) {
++                Log.e(TAG, "unable to revoke SYSTEM_ALERT_WINDOW for "
++                        + newPackage.packageName + " user " + userId, e);
++            }
++        }
++    }
++
+     /**
+      * We might auto-grant permissions if any permission of the group is already granted. Hence if
+      * the group of a granted permission changes we need to revoke it to avoid having permissions of
+@@ -2127,11 +2167,13 @@ public class PermissionManagerService {
+             return PermissionManagerService.this.isPermissionsReviewRequired(pkg, userId);
+         }
+         @Override
+-        public void revokeRuntimePermissionsIfGroupChanged(
++        public void onPackageUpdated(
+                 @NonNull PackageParser.Package newPackage,
+                 @NonNull PackageParser.Package oldPackage,
+                 @NonNull ArrayList<String> allPackageNames,
+                 @NonNull PermissionCallback permissionCallback) {
++            PermissionManagerService.this.revokeSystemAlertWindowIfUpgradedPast23(newPackage,
++                    oldPackage, permissionCallback);
+             PermissionManagerService.this.revokeRuntimePermissionsIfGroupChanged(newPackage,
+                     oldPackage, allPackageNames, permissionCallback);
+         }

Patches/LineageOS-16.0/android_frameworks_base/347051.patch

@@ -0,0 +1,254 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Khoa Hong <khoahong@google.com>
+Date: Wed, 19 Oct 2022 16:29:18 +0800
+Subject: [PATCH] Add protections agains use-after-free issues if cancel() or
+ queue() is called after a device connection has been closed.
+
+This is a backport of ag/7528082 and ag/20033068.
+
+Bug: 132319116
+Bug: 130571162
+Bug: 204584366
+Test: CTS Verifier: USB Accessory Test & USB Device Test
+Change-Id: I952ab566e26a808997e362dc85ebd1d8eb4574b9
+(cherry picked from commit 7a8d56b2fe3496f7717ad1afe45d2ef523b7e252)
+Merged-In: I952ab566e26a808997e362dc85ebd1d8eb4574b9
+---
+ .../hardware/usb/UsbDeviceConnection.java     | 71 +++++++++++++--
+ .../java/android/hardware/usb/UsbRequest.java | 86 +++++++++++++++++--
+ 2 files changed, 143 insertions(+), 14 deletions(-)
+
+diff --git a/core/java/android/hardware/usb/UsbDeviceConnection.java b/core/java/android/hardware/usb/UsbDeviceConnection.java
+index 9e5174ad93a8..7a521166f35c 100644
+--- a/core/java/android/hardware/usb/UsbDeviceConnection.java
++++ b/core/java/android/hardware/usb/UsbDeviceConnection.java
+@@ -50,6 +50,8 @@ public class UsbDeviceConnection {
+ 
+     private final CloseGuard mCloseGuard = CloseGuard.get();
+ 
++    private final Object mLock = new Object();
++
+     /**
+      * UsbDevice should only be instantiated by UsbService implementation
+      * @hide
+@@ -60,13 +62,23 @@ public class UsbDeviceConnection {
+ 
+     /* package */ boolean open(String name, ParcelFileDescriptor pfd, @NonNull Context context) {
+         mContext = context.getApplicationContext();
+-        boolean wasOpened = native_open(name, pfd.getFileDescriptor());
+ 
+-        if (wasOpened) {
+-            mCloseGuard.open("close");
++        synchronized (mLock) {
++            boolean wasOpened = native_open(name, pfd.getFileDescriptor());
++
++            if (wasOpened) {
++                mCloseGuard.open("close");
++            }
++
++            return wasOpened;
+         }
++    }
+ 
+-        return wasOpened;
++    /***
++     * @return If this connection is currently open and usable.
++     */
++    boolean isOpen() {
++        return mNativeContext != 0;
+     }
+ 
+     /**
+@@ -78,6 +90,49 @@ public class UsbDeviceConnection {
+         return mContext;
+     }
+ 
++    /**
++     * Cancel a request which relates to this connection.
++     *
++     * @return true if the request was successfully cancelled.
++     */
++    /* package */ boolean cancelRequest(UsbRequest request) {
++        synchronized (mLock) {
++            if (!isOpen()) {
++                return false;
++            }
++
++            return request.cancelIfOpen();
++        }
++    }
++
++    /**
++     * This is meant to be called by UsbRequest's queue() in order to synchronize on
++     * UsbDeviceConnection's mLock to prevent the connection being closed while queueing.
++     */
++    /* package */ boolean queueRequest(UsbRequest request, ByteBuffer buffer, int length) {
++        synchronized (mLock) {
++            if (!isOpen()) {
++                return false;
++            }
++
++            return request.queueIfConnectionOpen(buffer, length);
++        }
++    }
++
++    /**
++     * This is meant to be called by UsbRequest's queue() in order to synchronize on
++     * UsbDeviceConnection's mLock to prevent the connection being closed while queueing.
++     */
++    /* package */ boolean queueRequest(UsbRequest request, @Nullable ByteBuffer buffer) {
++        synchronized (mLock) {
++            if (!isOpen()) {
++                return false;
++            }
++
++            return request.queueIfConnectionOpen(buffer);
++        }
++    }
++
+     /**
+      * Releases all system resources related to the device.
+      * Once the object is closed it cannot be used again.
+@@ -85,9 +140,11 @@ public class UsbDeviceConnection {
+      * to retrieve a new instance to reestablish communication with the device.
+      */
+     public void close() {
+-        if (mNativeContext != 0) {
+-            native_close();
+-            mCloseGuard.close();
++        synchronized (mLock) {
++            if (isOpen()) {
++                native_close();
++                mCloseGuard.close();
++            }
+         }
+     }
+ 
+diff --git a/core/java/android/hardware/usb/UsbRequest.java b/core/java/android/hardware/usb/UsbRequest.java
+index f59c87eecfcb..441d718b6067 100644
+--- a/core/java/android/hardware/usb/UsbRequest.java
++++ b/core/java/android/hardware/usb/UsbRequest.java
+@@ -108,11 +108,13 @@ public class UsbRequest {
+      * Releases all resources related to this request.
+      */
+     public void close() {
+-        if (mNativeContext != 0) {
+-            mEndpoint = null;
+-            mConnection = null;
+-            native_close();
+-            mCloseGuard.close();
++        synchronized (mLock) {
++            if (mNativeContext != 0) {
++                mEndpoint = null;
++                mConnection = null;
++                native_close();
++                mCloseGuard.close();
++            }
+         }
+     }
+ 
+@@ -186,10 +188,32 @@ public class UsbRequest {
+      */
+     @Deprecated
+     public boolean queue(ByteBuffer buffer, int length) {
++        UsbDeviceConnection connection = mConnection;
++        if (connection == null) {
++            // The expected exception by CTS Verifier - USB Device test
++            throw new NullPointerException("invalid connection");
++        }
++
++        // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent
++        // the connection being closed while queueing.
++        return connection.queueRequest(this, buffer, length);
++    }
++
++    /**
++     * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over
++     * there, to prevent the connection being closed while queueing.
++     */
++    /* package */ boolean queueIfConnectionOpen(ByteBuffer buffer, int length) {
++        UsbDeviceConnection connection = mConnection;
++        if (connection == null || !connection.isOpen()) {
++            // The expected exception by CTS Verifier - USB Device test
++            throw new NullPointerException("invalid connection");
++        }
++
+         boolean out = (mEndpoint.getDirection() == UsbConstants.USB_DIR_OUT);
+         boolean result;
+ 
+-        if (mConnection.getContext().getApplicationInfo().targetSdkVersion < Build.VERSION_CODES.P
++        if (connection.getContext().getApplicationInfo().targetSdkVersion < Build.VERSION_CODES.P
+                 && length > MAX_USBFS_BUFFER_SIZE) {
+             length = MAX_USBFS_BUFFER_SIZE;
+         }
+@@ -238,6 +262,28 @@ public class UsbRequest {
+      * @return true if the queueing operation succeeded
+      */
+     public boolean queue(@Nullable ByteBuffer buffer) {
++        UsbDeviceConnection connection = mConnection;
++        if (connection == null) {
++            // The expected exception by CTS Verifier - USB Device test
++            throw new IllegalStateException("invalid connection");
++        }
++
++        // Calling into the underlying UsbDeviceConnection to synchronize on its lock, to prevent
++        // the connection being closed while queueing.
++        return connection.queueRequest(this, buffer);
++    }
++
++    /**
++     * This is meant to be called from UsbDeviceConnection after synchronizing using the lock over
++     * there, to prevent the connection being closed while queueing.
++     */
++    /* package */ boolean queueIfConnectionOpen(@Nullable ByteBuffer buffer) {
++        UsbDeviceConnection connection = mConnection;
++        if (connection == null || !connection.isOpen()) {
++            // The expected exception by CTS Verifier - USB Device test
++            throw new IllegalStateException("invalid connection");
++        }
++
+         // Request need to be initialized
+         Preconditions.checkState(mNativeContext != 0, "request is not initialized");
+ 
+@@ -255,7 +301,7 @@ public class UsbRequest {
+                 mIsUsingNewQueue = true;
+                 wasQueued = native_queue(null, 0, 0);
+             } else {
+-                if (mConnection.getContext().getApplicationInfo().targetSdkVersion
++                if (connection.getContext().getApplicationInfo().targetSdkVersion
+                         < Build.VERSION_CODES.P) {
+                     // Can only send/receive MAX_USBFS_BUFFER_SIZE bytes at once
+                     Preconditions.checkArgumentInRange(buffer.remaining(), 0, MAX_USBFS_BUFFER_SIZE,
+@@ -358,6 +404,32 @@ public class UsbRequest {
+      * @return true if cancelling succeeded
+      */
+     public boolean cancel() {
++        UsbDeviceConnection connection = mConnection;
++        if (connection == null) {
++            return false;
++        }
++
++        return connection.cancelRequest(this);
++    }
++
++    /**
++     * Cancels a pending queue operation (for use when the UsbDeviceConnection associated
++     * with this request is synchronized). This ensures we don't have a race where the
++     * device is closed and then the request is canceled which would lead to a
++     * use-after-free because the cancel operation uses the device connection
++     * information freed in the when UsbDeviceConnection is closed.<br/>
++     *
++     * This method assumes the connected is not closed while this method is executed.
++     *
++     * @return true if cancelling succeeded.
++     */
++    /* package */ boolean cancelIfOpen() {
++        UsbDeviceConnection connection = mConnection;
++        if (mNativeContext == 0 || (connection != null && !connection.isOpen())) {
++            Log.w(TAG,
++                    "Detected attempt to cancel a request on a connection which isn't open");
++            return false;
++        }
+         return native_cancel();
+     }
+ 

Patches/LineageOS-16.0/android_frameworks_base/349330.patch

@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jackal Guo <jackalguo@google.com>
+Date: Tue, 25 Oct 2022 15:03:55 +0800
+Subject: [PATCH] Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+
+This action should be only broadcasted when the user data is cleared
+successfully. Broadcasting this action when failed case may result in
+unexpected result.
+
+Bug: 240267890
+Test: manually using the PoC in the buganizer to ensure the symptom
+      no longer exists.
+Change-Id: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b
+(cherry picked from commit 8b2e092146c7ab5c2952818dab6dcb6af9c417ce)
+Merged-In: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b
+---
+ .../server/am/ActivityManagerService.java     | 26 ++++++++++---------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 8f1692a24d27..dd41196e62a4 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -6718,19 +6718,21 @@ public class ActivityManagerService extends IActivityManager.Stub
+                             finishForceStopPackageLocked(packageName, appInfo.uid);
+                         }
+                     }
+-                    final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED,
+-                            Uri.fromParts("package", packageName, null));
+-                    intent.addFlags(Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND);
+-                    intent.putExtra(Intent.EXTRA_UID, (appInfo != null) ? appInfo.uid : -1);
+-                    intent.putExtra(Intent.EXTRA_USER_HANDLE, resolvedUserId);
+-                    if (isInstantApp) {
+-                        intent.putExtra(Intent.EXTRA_PACKAGE_NAME, packageName);
+-                        broadcastIntentInPackage("android", SYSTEM_UID, intent, null, null, 0,
+-                                null, null, permission.ACCESS_INSTANT_APPS, null, false, false,
++                    if (succeeded) {
++                        final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED,
++                                Uri.fromParts("package", packageName, null /* fragment */));
++                        intent.addFlags(Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND);
++                        intent.putExtra(Intent.EXTRA_UID, (appInfo != null) ? appInfo.uid : -1);
++                        intent.putExtra(Intent.EXTRA_USER_HANDLE, resolvedUserId);
++                        if (isInstantApp) {
++                            intent.putExtra(Intent.EXTRA_PACKAGE_NAME, packageName);
++                        }
++                        broadcastIntentInPackage("android", SYSTEM_UID,
++                                intent, null /* resolvedType */, null /* resultTo */,
++                                0 /* resultCode */, null /* resultData */, null /* resultExtras */,
++                                isInstantApp ? permission.ACCESS_INSTANT_APPS : null,
++                                null /* bOptions */, false /* serialized */, false /* sticky */,
+                                 resolvedUserId);
+-                    } else {
+-                        broadcastIntentInPackage("android", SYSTEM_UID, intent, null, null, 0,
+-                                null, null, null, null, false, false, resolvedUserId);
+                     }
+ 
+                     if (observer != null) {

Patches/LineageOS-16.0/android_frameworks_base/349331.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 22 Nov 2022 22:54:01 +0000
+Subject: [PATCH] Convert argument to intent in ChooseTypeAndAccountActivity
+
+Bug: 244154558
+Test: manual
+Change-Id: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e
+(cherry picked from commit ede0a767c26f144e38b4a0c1c2f530b05ffd29a8)
+Merged-In: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e
+---
+ core/java/android/accounts/ChooseTypeAndAccountActivity.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/accounts/ChooseTypeAndAccountActivity.java b/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+index 887ba18822f8..96f23a314e7b 100644
+--- a/core/java/android/accounts/ChooseTypeAndAccountActivity.java
++++ b/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+@@ -407,7 +407,7 @@ public class ChooseTypeAndAccountActivity extends Activity
+                 mExistingAccounts = AccountManager.get(this).getAccountsForPackage(mCallingPackage,
+                         mCallingUid);
+                 intent.setFlags(intent.getFlags() & ~Intent.FLAG_ACTIVITY_NEW_TASK);
+-                startActivityForResult(intent, REQUEST_ADD_ACCOUNT);
++                startActivityForResult(new Intent(intent), REQUEST_ADD_ACCOUNT);
+                 return;
+             }
+         } catch (OperationCanceledException e) {

Patches/LineageOS-16.0/android_frameworks_base/351910.patch

@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Mon, 16 May 2022 15:28:24 -0400
+Subject: [PATCH] Move service initialization
+
+Occasionally ILockSettings can fail to be initialized otherwise
+Fixes: 232714129
+Test: boot (and eventually bootstress/reboot-long)
+
+Change-Id: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
+Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
+(cherry picked from commit 8e278543bd290d4b6c417758554d6dee93a4fe74)
+(cherry picked from commit caa5a22ea0c401c4eef548fb8161820beda3ff13)
+Merged-In: I2f9f9bdba37f4ebfaea56c1a6662f0474ae8a002
+---
+ .../server/notification/NotificationManagerService.java       | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index a53f2aec436c..bcb657b5a8e2 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -1319,7 +1319,6 @@ public class NotificationManagerService extends SystemService {
+         }
+     }
+ 
+-    private LockPatternUtils mLockPatternUtils;
+     private StrongAuthTracker mStrongAuthTracker;
+ 
+     public NotificationManagerService(Context context) {
+@@ -1490,7 +1489,6 @@ public class NotificationManagerService extends SystemService {
+ 
+         mHandler = new WorkerHandler(looper);
+         mRankingThread.start();
+-        mLockPatternUtils = new LockPatternUtils(getContext());
+         mStrongAuthTracker = new StrongAuthTracker(getContext());
+         String[] extractorNames;
+         try {
+@@ -1737,7 +1735,7 @@ public class NotificationManagerService extends SystemService {
+             mWindowManagerInternal = LocalServices.getService(WindowManagerInternal.class);
+             mKeyguardManager = getContext().getSystemService(KeyguardManager.class);
+             mZenModeHelper.onSystemReady();
+-            mLockPatternUtils.registerStrongAuthTracker(mStrongAuthTracker);
++            new LockPatternUtils(getContext()).registerStrongAuthTracker(mStrongAuthTracker);
+         } else if (phase == SystemService.PHASE_THIRD_PARTY_APPS_CAN_START) {
+             // This observer will force an update when observe is called, causing us to
+             // bind to listener services.

Patches/LineageOS-16.0/android_frameworks_base/351911.patch

@@ -0,0 +1,212 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wenhao Wang <wenhaowang@google.com>
+Date: Tue, 30 Aug 2022 11:09:46 -0700
+Subject: [PATCH] Enable user graularity for lockdown mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The NotificationManagerService registers a LockPatternUtils.StrongAuthTracker
+to observe the StrongAuth changes of every user.
+More specifically, it’s the STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN flag.
+Via this flag, NotificationManagerService can perform the following operations
+when the user enter or exit lockdown mode:
+
+Enter lockdown:
+1. Remove all the notifications belonging to the user.
+2. Set the local flag to indicate the lockdown is on for the user.
+   The local flag will suppress the user's notifications on the
+   post, remove and update functions.
+
+Exit lockdown:
+1. Clear the local flag to indicate the lockdown is off for the user.
+2. Repost the user’s notifications (suppressed during lockdown mode).
+
+The CL also updates corresponding tests.
+
+Bug: 173721373
+Bug: 250743174
+Test: atest NotificationManagerServiceTest
+Test: atest NotificationListenersTest
+Ignore-AOSP-First: pending fix for a security issue.
+
+Change-Id: I4f30e56550729db7d673a92d2a1250509713f36d
+Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d
+(cherry picked from commit de3b12fca23178d8c821058261572449b67d5967)
+(cherry picked from commit 5e40f39f5bd4ae769d79ce022a64f1345512b65d)
+Merged-In: I4f30e56550729db7d673a92d2a1250509713f36d
+---
+ .../NotificationManagerService.java           | 75 ++++++++++++-------
+ 1 file changed, 46 insertions(+), 29 deletions(-)
+
+diff --git a/services/core/java/com/android/server/notification/NotificationManagerService.java b/services/core/java/com/android/server/notification/NotificationManagerService.java
+index bcb657b5a8e2..0ac51524a648 100755
+--- a/services/core/java/com/android/server/notification/NotificationManagerService.java
++++ b/services/core/java/com/android/server/notification/NotificationManagerService.java
+@@ -1287,34 +1287,39 @@ public class NotificationManagerService extends SystemService {
+             return (haystack & needle) != 0;
+         }
+ 
+-        public boolean isInLockDownMode() {
+-            return mIsInLockDownMode;
++        // Return whether the user is in lockdown mode.
++        // If the flag is not set, we assume the user is not in lockdown.
++        public boolean isInLockDownMode(int userId) {
++            return mUserInLockDownMode.get(userId, false);
+         }
+ 
+         @Override
+         public synchronized void onStrongAuthRequiredChanged(int userId) {
+             boolean userInLockDownModeNext = containsFlag(getStrongAuthForUser(userId),
+                     STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN);
+-            mUserInLockDownMode.put(userId, userInLockDownModeNext);
+-            boolean isInLockDownModeNext = mUserInLockDownMode.indexOfValue(true) != -1;
+ 
+-            if (mIsInLockDownMode == isInLockDownModeNext) {
++            // Nothing happens if the lockdown mode of userId keeps the same.
++            if (userInLockDownModeNext == isInLockDownMode(userId)) {
+                 return;
+             }
+ 
+-            if (isInLockDownModeNext) {
+-                cancelNotificationsWhenEnterLockDownMode();
++            // When the lockdown mode is changed, we perform the following steps.
++            // If the userInLockDownModeNext is true, all the function calls to
++            // notifyPostedLocked and notifyRemovedLocked will not be executed.
++            // The cancelNotificationsWhenEnterLockDownMode calls notifyRemovedLocked
++            // and postNotificationsWhenExitLockDownMode calls notifyPostedLocked.
++            // So we shall call cancelNotificationsWhenEnterLockDownMode before
++            // we set mUserInLockDownMode as true.
++            // On the other hand, if the userInLockDownModeNext is false, we shall call
++            // postNotificationsWhenExitLockDownMode after we put false into mUserInLockDownMode
++            if (userInLockDownModeNext) {
++                cancelNotificationsWhenEnterLockDownMode(userId);
+             }
+ 
+-            // When the mIsInLockDownMode is true, both notifyPostedLocked and
+-            // notifyRemovedLocked will be dismissed. So we shall call
+-            // cancelNotificationsWhenEnterLockDownMode before we set mIsInLockDownMode
+-            // as true and call postNotificationsWhenExitLockDownMode after we set
+-            // mIsInLockDownMode as false.
+-            mIsInLockDownMode = isInLockDownModeNext;
++            mUserInLockDownMode.put(userId, userInLockDownModeNext);
+ 
+-            if (!isInLockDownModeNext) {
+-                postNotificationsWhenExitLockDownMode();
++            if (!userInLockDownModeNext) {
++                postNotificationsWhenExitLockDownMode(userId);
+             }
+         }
+     }
+@@ -6417,11 +6422,14 @@ public class NotificationManagerService extends SystemService {
+         }
+     }
+ 
+-    private void cancelNotificationsWhenEnterLockDownMode() {
++    private void cancelNotificationsWhenEnterLockDownMode(int userId) {
+         synchronized (mNotificationLock) {
+             int numNotifications = mNotificationList.size();
+             for (int i = 0; i < numNotifications; i++) {
+                 NotificationRecord rec = mNotificationList.get(i);
++                if (rec.getUser().getIdentifier() != userId) {
++                    continue;
++                }
+                 mListeners.notifyRemovedLocked(rec, REASON_CANCEL_ALL,
+                         rec.getStats());
+             }
+@@ -6429,14 +6437,23 @@ public class NotificationManagerService extends SystemService {
+         }
+     }
+ 
+-    private void postNotificationsWhenExitLockDownMode() {
++    private void postNotificationsWhenExitLockDownMode(int userId) {
+         synchronized (mNotificationLock) {
+             int numNotifications = mNotificationList.size();
++            // Set the delay to spread out the burst of notifications.
++            long delay = 0;
+             for (int i = 0; i < numNotifications; i++) {
+                 NotificationRecord rec = mNotificationList.get(i);
+-                mListeners.notifyPostedLocked(rec, rec);
++                if (rec.getUser().getIdentifier() != userId) {
++                    continue;
++                }
++                mHandler.postDelayed(() -> {
++                    synchronized (mNotificationLock) {
++                        mListeners.notifyPostedLocked(rec, rec);
++                    }
++                }, delay);
++                delay += 20;
+             }
+-
+         }
+     }
+ 
+@@ -6545,7 +6562,7 @@ public class NotificationManagerService extends SystemService {
+      * notifications visible to the given listener.
+      */
+     @GuardedBy("mNotificationLock")
+-    private NotificationRankingUpdate makeRankingUpdateLocked(ManagedServiceInfo info) {
++    NotificationRankingUpdate makeRankingUpdateLocked(ManagedServiceInfo info) {
+         final int N = mNotificationList.size();
+         ArrayList<String> keys = new ArrayList<String>(N);
+         ArrayList<String> interceptedKeys = new ArrayList<String>(N);
+@@ -6562,6 +6579,9 @@ public class NotificationManagerService extends SystemService {
+         Bundle hidden = new Bundle();
+         for (int i = 0; i < N; i++) {
+             NotificationRecord record = mNotificationList.get(i);
++            if (isInLockDownMode(record.getUser().getIdentifier())) {
++                continue;
++            }
+             if (!isVisibleToListener(record.sbn, info)) {
+                 continue;
+             }
+@@ -6600,8 +6620,8 @@ public class NotificationManagerService extends SystemService {
+                 channels, overridePeople, snoozeCriteria, showBadge, userSentiment, hidden);
+     }
+ 
+-    boolean isInLockDownMode() {
+-        return mStrongAuthTracker.isInLockDownMode();
++    boolean isInLockDownMode(int userId) {
++        return mStrongAuthTracker.isInLockDownMode(userId);
+     }
+ 
+     boolean hasCompanionDevice(ManagedServiceInfo info) {
+@@ -6636,7 +6656,8 @@ public class NotificationManagerService extends SystemService {
+                 ServiceManager.getService(Context.COMPANION_DEVICE_SERVICE));
+     }
+ 
+-    private boolean isVisibleToListener(StatusBarNotification sbn, ManagedServiceInfo listener) {
++    @VisibleForTesting
++    boolean isVisibleToListener(StatusBarNotification sbn, ManagedServiceInfo listener) {
+         if (!listener.enabledAndUserMatches(sbn.getUserId())) {
+             return false;
+         }
+@@ -6926,7 +6947,7 @@ public class NotificationManagerService extends SystemService {
+         @GuardedBy("mNotificationLock")
+         void notifyPostedLocked(NotificationRecord r, NotificationRecord old,
+                 boolean notifyAllListeners) {
+-            if (isInLockDownMode()) {
++            if (isInLockDownMode(r.getUser().getIdentifier())) {
+                 return;
+             }
+ 
+@@ -6992,7 +7013,7 @@ public class NotificationManagerService extends SystemService {
+         @GuardedBy("mNotificationLock")
+         public void notifyRemovedLocked(NotificationRecord r, int reason,
+                 NotificationStats notificationStats) {
+-            if (isInLockDownMode()) {
++            if (isInLockDownMode(r.getUser().getIdentifier())) {
+                 return;
+             }
+ 
+@@ -7047,10 +7068,6 @@ public class NotificationManagerService extends SystemService {
+          */
+         @GuardedBy("mNotificationLock")
+         public void notifyRankingUpdateLocked(List<NotificationRecord> changedHiddenNotifications) {
+-            if (isInLockDownMode()) {
+-                return;
+-            }
+-
+             boolean isHiddenRankingUpdate = changedHiddenNotifications != null
+                     && changedHiddenNotifications.size() > 0;
+ 

Patches/LineageOS-16.0/android_frameworks_base/351912.patch

@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nate Myren <ntmyren@google.com>
+Date: Fri, 2 Dec 2022 09:44:31 -0800
+Subject: [PATCH] RESTRICT AUTOMERGE Revoke dev perm if app is upgrading to
+ post 23 and perm has pre23 flag
+
+If a permission has the "pre23" flag, and an app is upgrading past api
+23, then we should not assume that a "development" permission remains
+granted
+
+Fixes: 259458532
+Test: atest RevokeSawPermissionTest
+Change-Id: I214396f455c5ed9e8bac2e50b1525b86475c81c7
+(cherry picked from commit 2f30a63b11e59f9daf42f51eb85aa91c86f4baf4)
+Merged-In: I214396f455c5ed9e8bac2e50b1525b86475c81c7
+---
+ .../pm/permission/PermissionManagerService.java       | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+index bdfe64c2c348..b902001cd359 100644
+--- a/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
++++ b/services/core/java/com/android/server/pm/permission/PermissionManagerService.java
+@@ -418,7 +418,7 @@ public class PermissionManagerService {
+         }
+         final PackageSetting ps = (PackageSetting) newPackage.mExtras;
+         if (grantSignaturePermission(Manifest.permission.SYSTEM_ALERT_WINDOW, newPackage, saw,
+-                ps.getPermissionsState())) {
++                ps.getPermissionsState(), true)) {
+             return;
+         }
+         for (int userId: mUserManagerInt.getUserIds()) {
+@@ -1147,6 +1147,13 @@ public class PermissionManagerService {
+ 
+     private boolean grantSignaturePermission(String perm, PackageParser.Package pkg,
+             BasePermission bp, PermissionsState origPermissions) {
++        return grantSignaturePermission(perm, pkg, bp, origPermissions, false);
++    }
++
++
++    private boolean grantSignaturePermission(String perm, PackageParser.Package pkg,
++            BasePermission bp, PermissionsState origPermissions,
++            boolean isApi23Upgrade) {
+         boolean oemPermission = bp.isOEM();
+         boolean vendorPrivilegedPermission = bp.isVendorPrivileged();
+         boolean privilegedPermission = bp.isPrivileged() || bp.isVendorPrivileged();
+@@ -1324,7 +1331,7 @@ public class PermissionManagerService {
+                 // Any pre-installed system app is allowed to get this permission.
+                 allowed = true;
+             }
+-            if (!allowed && bp.isDevelopment()) {
++            if (!allowed && bp.isDevelopment() && !(bp.isPre23() && isApi23Upgrade)) {
+                 // For development permissions, a development permission
+                 // is granted only if it was already granted.
+                 allowed = origPermissions.hasInstallPermission(perm);

Patches/LineageOS-16.0/android_frameworks_base/351913.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Wright <michaelwr@google.com>
+Date: Mon, 26 Sep 2022 20:37:33 +0100
+Subject: [PATCH] Reconcile WorkSource parcel and unparcel code.
+
+Prior to this CL, WorkSources would Parcel their list of WorkChains as
+-1 if null, or the size of the list followed by the list itself if
+non-null. When reading it back in, on the other hand, they would check
+if the size was positive, and only then read the list from the Parcel.
+This works for all cases except when the WorkSource has an empty but
+non-null list of WorkChains as the list would get written to the parcel,
+but then never read on the other side.
+
+If parceling a list was a no-op when empty this wouldn't be an issue,
+but it must write at least its size into the parcel to know how many
+elements to extract. In the empty list case, this single element is left
+unread as the size is not positive which essentially corrupts any future
+items read from that same parcelable.
+
+Bug: 220302519
+Test: atest android.security.cts.WorkSourceTest#testWorkChainParceling
+Change-Id: I2fec40dfced420ca38e717059b0e95ee8ef9946a
+(cherry picked from commit 266b3bddcf14d448c0972db64b42950f76c759e3)
+Merged-In: I2fec40dfced420ca38e717059b0e95ee8ef9946a
+---
+ core/java/android/os/WorkSource.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/os/WorkSource.java b/core/java/android/os/WorkSource.java
+index 327071906e18..c2f43edfc8af 100644
+--- a/core/java/android/os/WorkSource.java
++++ b/core/java/android/os/WorkSource.java
+@@ -107,7 +107,7 @@ public class WorkSource implements Parcelable {
+         mNames = in.createStringArray();
+ 
+         int numChains = in.readInt();
+-        if (numChains > 0) {
++        if (numChains >= 0) {
+             mChains = new ArrayList<>(numChains);
+             in.readParcelableList(mChains, WorkChain.class.getClassLoader());
+         } else {

Patches/LineageOS-16.0/android_frameworks_base/354242.patch

@@ -0,0 +1,97 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jing Ji <jji@google.com>
+Date: Thu, 4 Aug 2022 11:36:26 -0700
+Subject: [PATCH] DO NOT MERGE: Context#startInstrumentation could be started
+ from SHELL only now.
+
+Or, if an instrumentation starts another instrumentation and so on,
+and the original instrumentation is started from SHELL, allow all
+Context#startInstrumentation calls in this chain.
+
+Otherwise, it'll throw a SecurityException.
+
+Bug: 237766679
+Test: atest CtsAppTestCases:InstrumentationTest
+Merged-In: Ia08f225c21a3933067d066a578ea4af9c23e7d4c
+Merged-In: I1b76f61c5fd6c9f7e738978592260945a606f40c
+Merged-In: I3ea7aa27bd776fec546908a37f667f680da9c892
+Change-Id: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
+(cherry picked from commit 8c90891a38ecb5047e115e13baf700a8b486a5d1)
+Merged-In: I7ca7345b064e8e74f7037b8fa3ed45bb6423e406
+---
+ .../server/am/ActivityManagerService.java     | 34 +++++++++++++++++++
+ .../com/android/server/am/ProcessRecord.java  |  4 +++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index dd41196e62a4..f522b20f7ccd 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
++++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -4907,6 +4907,26 @@ public class ActivityManagerService extends IActivityManager.Stub
+         return procState;
+     }
+ 
++    @GuardedBy("this")
++    private boolean hasActiveInstrumentationLocked(int pid) {
++        if (pid == 0) {
++            return false;
++        }
++        synchronized (mPidsSelfLocked) {
++            ProcessRecord process = mPidsSelfLocked.get(pid);
++            return process != null && process.getActiveInstrumentation() != null;
++        }
++    }
++    private String getPackageNameByPid(int pid) {
++        synchronized (mPidsSelfLocked) {
++            final ProcessRecord app = mPidsSelfLocked.get(pid);
++            if (app != null && app.info != null) {
++                return app.info.packageName;
++            }
++            return null;
++        }
++    }
++
+     private boolean isCallerShell() {
+         final int callingUid = Binder.getCallingUid();
+         return callingUid == SHELL_UID || callingUid == ROOT_UID;
+@@ -22264,6 +22284,8 @@ public class ActivityManagerService extends IActivityManager.Stub
+             IInstrumentationWatcher watcher, IUiAutomationConnection uiAutomationConnection,
+             int userId, String abiOverride) {
+         enforceNotIsolatedCaller("startInstrumentation");
++        final int callingUid = Binder.getCallingUid();
++        final int callingPid = Binder.getCallingPid();
+         userId = mUserController.handleIncomingUser(Binder.getCallingPid(), Binder.getCallingUid(),
+                 userId, false, ALLOW_FULL_ONLY, "startInstrumentation", null);
+         // Refuse possible leaked file descriptors
+@@ -22312,6 +22334,18 @@ public class ActivityManagerService extends IActivityManager.Stub
+                 throw new SecurityException(msg);
+             }
+ 
++            if (!Build.IS_DEBUGGABLE && callingUid != ROOT_UID && callingUid != SHELL_UID
++                    && callingUid != SYSTEM_UID && !hasActiveInstrumentationLocked(callingPid)) {
++                // If it's not debug build and not called from root/shell/system uid, reject it.
++                final String msg = "Permission Denial: instrumentation test "
++                        + className + " from pid=" + callingPid + ", uid=" + callingUid
++                        + ", pkgName=" + getPackageNameByPid(callingPid)
++                        + " not allowed because it's not started from SHELL";
++                Slog.wtfQuiet(TAG, msg);
++                reportStartInstrumentationFailureLocked(watcher, className, msg);
++                throw new SecurityException(msg);
++            }
++
+             ActiveInstrumentation activeInstr = new ActiveInstrumentation(this);
+             activeInstr.mClass = className;
+             String defProcess = ai.processName;;
+diff --git a/services/core/java/com/android/server/am/ProcessRecord.java b/services/core/java/com/android/server/am/ProcessRecord.java
+index b15cf6a606cc..5e14e81acac6 100644
+--- a/services/core/java/com/android/server/am/ProcessRecord.java
++++ b/services/core/java/com/android/server/am/ProcessRecord.java
+@@ -870,4 +870,8 @@ final class ProcessRecord {
+     boolean hasForegroundServices() {
+         return foregroundServices;
+     }
++
++    ActiveInstrumentation getActiveInstrumentation() {
++        return instr;
++    }
+ }

Patches/LineageOS-16.0/android_frameworks_base/354243.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kunal Malhotra <malhk@google.com>
+Date: Mon, 7 Nov 2022 23:33:55 +0000
+Subject: [PATCH] Checking if package belongs to UID before registering
+ broadcast receiver
+
+Test: manual testing done on device by installing test APK and checking if receiver can register
+Bug: 242040055
+Change-Id: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+(cherry picked from commit 790a8d0dd329460bc60456681cb446accf2a27e0)
+(cherry picked from commit 4f0dc37b896e06086391e71ce471e413215e1130)
+Merged-In: Ia525f218a46f8bf7fff660cec0d6432f09fdf24d
+---
+ services/core/java/com/android/server/am/ActiveServices.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/services/core/java/com/android/server/am/ActiveServices.java b/services/core/java/com/android/server/am/ActiveServices.java
+index 8b4013405b22..05be900e5403 100644
+--- a/services/core/java/com/android/server/am/ActiveServices.java
++++ b/services/core/java/com/android/server/am/ActiveServices.java
+@@ -1971,6 +1971,11 @@ public final class ActiveServices {
+                             throw new SecurityException("BIND_EXTERNAL_SERVICE failed, " + name +
+                                     " is not an isolatedProcess");
+                         }
++                        if (AppGlobals.getPackageManager().getPackageUid(callingPackage,
++                                0, userId) != callingUid) {
++                            throw new SecurityException("BIND_EXTERNAL_SERVICE failed, "
++                                    + "calling package not owned by calling UID ");
++                        }
+                         // Run the service under the calling package's application.
+                         ApplicationInfo aInfo = AppGlobals.getPackageManager().getApplicationInfo(
+                                 callingPackage, ActivityManagerService.STOCK_PM_FLAGS, userId);

Patches/LineageOS-16.0/android_frameworks_base/354244.patch

@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hao Ke <haok@google.com>
+Date: Mon, 12 Dec 2022 15:49:16 +0000
+Subject: [PATCH] Fix checkKeyIntentParceledCorrectly's bypass
+
+The checkKeyIntentParceledCorrectly method was added in checkKeyIntent, which was originaly  only invoked when AccountManagerService deserializes the KEY_INTENT value as not NULL. However, due to the self-changing bundle technique in Parcel mismatch problems, the Intent value can change after reparceling; hence would bypass the added checkKeyIntentParceledCorrectly call.
+
+This CL did the following:
+
+- Ensure the checkKeyIntent method is also called when result.getParcelable(AccountManager.KEY_INTENT) == null.
+
+Bug: 260567867
+Bug: 262230405
+Test: local test, see b/262230405
+Test: atest CtsAccountManagerTestCases
+Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
+Change-Id: I7b528f52c41767ae12731838fdd36aa26a8f3477
+(cherry picked from commit 9f623983a8d4ec48d58b0eda56fa461fc6748981)
+Merged-In: I7b528f52c41767ae12731838fdd36aa26a8f3477
+---
+ .../server/accounts/AccountManagerService.java    | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index c1f401e9a11f..d2f5d59e7030 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -3408,8 +3408,7 @@ public class AccountManagerService
+             Bundle.setDefusable(result, true);
+             mNumResults++;
+             Intent intent = null;
+-            if (result != null
+-                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
++            if (result != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+                         result)) {
+@@ -4777,8 +4776,10 @@ public class AccountManagerService
+             	EventLog.writeEvent(0x534e4554, "250588548", authUid, "");
+                 return false;
+             }
+-
+             Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
++            if (intent == null) {
++                return true;
++            }
+             // Explicitly set an empty ClipData to ensure that we don't offer to
+             // promote any Uris contained inside for granting purposes
+             if (intent.getClipData() == null) {
+@@ -4831,7 +4832,10 @@ public class AccountManagerService
+             p.recycle();
+             Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+             Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
+-            return (intent.filterEquals(simulateIntent));
++            if (intent == null) {
++                return (simulateIntent == null);
++            }
++            return intent.filterEquals(simulateIntent);
+         }
+ 
+         private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
+@@ -4976,8 +4980,7 @@ public class AccountManagerService
+                     }
+                 }
+             }
+-            if (result != null
+-                    && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
++            if (result != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+                         result)) {

Patches/LineageOS-16.0/android_frameworks_base/354245.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Winson Chiu <chiuwinson@google.com>
+Date: Fri, 6 Jan 2023 21:26:24 +0000
+Subject: [PATCH] Encode Intent scheme when serializing to URI string RESTRICT
+ AUTOMERGE
+
+Avoids deserialization error when the scheme contains a
+reserved character.
+
+Bug: 261858325
+
+Test: atest android.content.cts.IntentTest#testEncoding
+
+Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+Change-Id: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+(cherry picked from commit 43437b4ee6424933d4e403f0375ef8c1f07986f4)
+Merged-In: Ic34b3f796b762763db5aa7b5d7c109ae70607470
+---
+ core/java/android/content/Intent.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/content/Intent.java b/core/java/android/content/Intent.java
+index e4502ffdd61f..66c2658f9f13 100644
+--- a/core/java/android/content/Intent.java
++++ b/core/java/android/content/Intent.java
+@@ -9860,7 +9860,7 @@ public class Intent implements Parcelable, Cloneable {
+     private void toUriInner(StringBuilder uri, String scheme, String defAction,
+             String defPackage, int flags) {
+         if (scheme != null) {
+-            uri.append("scheme=").append(scheme).append(';');
++            uri.append("scheme=").append(Uri.encode(scheme)).append(';');
+         }
+         if (mAction != null && !mAction.equals(defAction)) {
+             uri.append("action=").append(Uri.encode(mAction)).append(';');

Patches/LineageOS-16.0/android_frameworks_base/356154.patch

@@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Norman <danielnorman@google.com>
+Date: Thu, 9 Feb 2023 12:28:26 -0800
+Subject: [PATCH] Checks if AccessibilityServiceInfo is within parcelable size.
+
+- If too large when parsing service XMLs then skip this service.
+- If too large when a service attempts to update its own info
+  then throw an error.
+
+Bug: 261589597
+Test: atest AccessibilityServiceInfoTest
+Change-Id: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
+Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
+(cherry picked from commit on googleplex-android-review.googlesource.com host: 553232c29079fbeab28f95307d025c1426aa7142)
+Merged-In: Iffc0cd48cc713f7904d68059e141cb7de5a4b906
+---
+ .../accessibilityservice/AccessibilityService.java     |  4 ++++
+ .../accessibilityservice/AccessibilityServiceInfo.java | 10 ++++++++++
+ .../accessibility/AccessibilityManagerService.java     |  6 ++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/core/java/android/accessibilityservice/AccessibilityService.java b/core/java/android/accessibilityservice/AccessibilityService.java
+index 6933e5201a21..ef59803e3ede 100644
+--- a/core/java/android/accessibilityservice/AccessibilityService.java
++++ b/core/java/android/accessibilityservice/AccessibilityService.java
+@@ -1488,6 +1488,10 @@ public abstract class AccessibilityService extends Service {
+         IAccessibilityServiceConnection connection =
+             AccessibilityInteractionClient.getInstance().getConnection(mConnectionId);
+         if (mInfo != null && connection != null) {
++            if (!mInfo.isWithinParcelableSize()) {
++                throw new IllegalStateException(
++                        "Cannot update service info: size is larger than safe parcelable limits.");
++            }
+             try {
+                 connection.setServiceInfo(mInfo);
+                 mInfo = null;
+diff --git a/core/java/android/accessibilityservice/AccessibilityServiceInfo.java b/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
+index f85f35889aae..76930d75c5de 100644
+--- a/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
++++ b/core/java/android/accessibilityservice/AccessibilityServiceInfo.java
+@@ -29,6 +29,7 @@ import android.content.res.Resources;
+ import android.content.res.TypedArray;
+ import android.content.res.XmlResourceParser;
+ import android.hardware.fingerprint.FingerprintManager;
++import android.os.IBinder;
+ import android.os.Parcel;
+ import android.os.Parcelable;
+ import android.util.AttributeSet;
+@@ -766,6 +767,15 @@ public class AccessibilityServiceInfo implements Parcelable {
+         return 0;
+     }
+ 
++    /** @hide */
++    public final boolean isWithinParcelableSize() {
++        final Parcel parcel = Parcel.obtain();
++        writeToParcel(parcel, 0);
++        final boolean result = parcel.dataSize() <= IBinder.MAX_IPC_SIZE;
++        parcel.recycle();
++        return result;
++    }
++
+     public void writeToParcel(Parcel parcel, int flagz) {
+         parcel.writeInt(eventTypes);
+         parcel.writeStringArray(packageNames);
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 91d1b7576ca7..fd87be3e5649 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -1302,6 +1302,12 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub
+             AccessibilityServiceInfo accessibilityServiceInfo;
+             try {
+                 accessibilityServiceInfo = new AccessibilityServiceInfo(resolveInfo, mContext);
++                if (!accessibilityServiceInfo.isWithinParcelableSize()) {
++                    Slog.e(LOG_TAG, "Skipping service "
++                            + accessibilityServiceInfo.getResolveInfo().getComponentInfo()
++                            + " because service info size is larger than safe parcelable limits.");
++                    continue;
++                }
+                 mTempAccessibilityServiceInfoList.add(accessibilityServiceInfo);
+             } catch (XmlPullParserException | IOException xppe) {
+                 Slog.e(LOG_TAG, "Error while initializing AccessibilityServiceInfo", xppe);

Patches/LineageOS-16.0/android_frameworks_base/356155.patch

@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Orion Hodson <oth@google.com>
+Date: Thu, 7 Apr 2022 21:42:04 +0100
+Subject: [PATCH] Uri: check authority and scheme as part of determining URI
+ path
+
+The interpretation of the path depends on whether the scheme or
+authority are specified and should be observed when unparcelling
+URIs.
+
+Bug: 171966843
+Test: atest FrameworksCoreTests:android.net.UriTest
+Test: atest com.android.devicehealthchecks.SystemAppCheck
+Change-Id: I06981d1c6e387b16df792494523994518848db37
+Merged-In: I06981d1c6e387b16df792494523994518848db37
+(cherry picked from commit f37a94ae920fa5879c557603fc285942ec4b84b1)
+(cherry picked from commit on googleplex-android-review.googlesource.com host: c87f0623be4042c39a9b73f7a6e02aa116925e50)
+Merged-In: I06981d1c6e387b16df792494523994518848db37
+---
+ core/java/android/net/Uri.java | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
+index 0fb84b723634..af1c0e8e9178 100644
+--- a/core/java/android/net/Uri.java
++++ b/core/java/android/net/Uri.java
+@@ -1179,13 +1179,16 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
+         }
+ 
+         static Uri readFrom(Parcel parcel) {
+-            return new HierarchicalUri(
+-                parcel.readString(),
+-                Part.readFrom(parcel),
+-                PathPart.readFrom(parcel),
+-                Part.readFrom(parcel),
+-                Part.readFrom(parcel)
+-            );
++            final String scheme = parcel.readString();
++            final Part authority = Part.readFrom(parcel);
++            // In RFC3986 the path should be determined based on whether there is a scheme or
++            // authority present (https://www.rfc-editor.org/rfc/rfc3986.html#section-3.3).
++            final boolean hasSchemeOrAuthority =
++                    (scheme != null && scheme.length() > 0) || !authority.isEmpty();
++            final PathPart path = PathPart.readFrom(hasSchemeOrAuthority, parcel);
++            final Part query = Part.readFrom(parcel);
++            final Part fragment = Part.readFrom(parcel);
++            return new HierarchicalUri(scheme, authority, path, query, fragment);
+         }
+ 
+         public int describeContents() {
+@@ -2240,6 +2243,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
+             }
+         }
+ 
++        static PathPart readFrom(boolean hasSchemeOrAuthority, Parcel parcel) {
++            final PathPart path = readFrom(parcel);
++            return hasSchemeOrAuthority ? makeAbsolute(path) : path;
++        }
++
+         /**
+          * Creates a path from the encoded string.
+          *

Patches/LineageOS-16.0/android_frameworks_base/356156.patch

@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Stuart <tjstuart@google.com>
+Date: Mon, 21 Nov 2022 17:38:21 -0800
+Subject: [PATCH] enforce stricter rules when registering phoneAccounts
+
+- include disable accounts when looking up accounts for a package to
+  check if the limit is reached (10)
+- put a new limit of 10 supported schemes
+- put a new limit of 256 characters per scheme
+- put a new limit of 256 characters per address
+- ensure the Icon can write to memory w/o throwing an exception
+
+bug: 259064622
+bug: 256819769
+Test: cts + unit
+Change-Id: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7
+Merged-In: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7
+(cherry picked from commit on googleplex-android-review.googlesource.com host: a66a3156e03fbd1c3a29015db9193d66f2709f98)
+Merged-In: Ia7d8d00d9de0fb6694ded6a80c40bd55d7fdf7a7
+---
+ .../java/android/telecom/PhoneAccount.java    | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/telecomm/java/android/telecom/PhoneAccount.java b/telecomm/java/android/telecom/PhoneAccount.java
+index 8e22221d7876..702b1cf87d7d 100644
+--- a/telecomm/java/android/telecom/PhoneAccount.java
++++ b/telecomm/java/android/telecom/PhoneAccount.java
+@@ -439,6 +439,11 @@ public final class PhoneAccount implements Parcelable {
+ 
+         /**
+          * Sets the address. See {@link PhoneAccount#getAddress}.
++         * <p>
++         * Note: The entire URI value is limited to 256 characters. This check is
++         * enforced when registering the PhoneAccount via
++         * {@link TelecomManager#registerPhoneAccount(PhoneAccount)} and will cause an
++         * {@link IllegalArgumentException} to be thrown if URI is over 256.
+          *
+          * @param value The address of the phone account.
+          * @return The builder.
+@@ -472,6 +477,10 @@ public final class PhoneAccount implements Parcelable {
+ 
+         /**
+          * Sets the icon. See {@link PhoneAccount#getIcon}.
++         * <p>
++         * Note: An {@link IllegalArgumentException} if the Icon cannot be written to memory.
++         * This check is enforced when registering the PhoneAccount via
++         * {@link TelecomManager#registerPhoneAccount(PhoneAccount)}
+          *
+          * @param icon The icon to set.
+          */
+@@ -505,6 +514,10 @@ public final class PhoneAccount implements Parcelable {
+         /**
+          * Specifies an additional URI scheme supported by the {@link PhoneAccount}.
+          *
++         * <p>
++         * Each URI scheme is limited to 256 characters.  Adding a scheme over 256 characters will
++         * cause an {@link IllegalArgumentException} to be thrown when the account is registered.
++         *
+          * @param uriScheme The URI scheme.
+          * @return The builder.
+          */
+@@ -518,6 +531,12 @@ public final class PhoneAccount implements Parcelable {
+         /**
+          * Specifies the URI schemes supported by the {@link PhoneAccount}.
+          *
++         * <p>
++         * A max of 10 URI schemes can be added per account.  Additionally, each URI scheme is
++         * limited to 256 characters. Adding more than 10 URI schemes or 256 characters on any
++         * scheme will cause an {@link IllegalArgumentException} to be thrown when the account
++         * is registered.
++         *
+          * @param uriSchemes The URI schemes.
+          * @return The builder.
+          */

Patches/LineageOS-16.0/android_frameworks_base/359730.patch

@@ -0,0 +1,167 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Lee <brnlee@google.com>
+Date: Fri, 17 Feb 2023 16:05:17 -0800
+Subject: [PATCH] Check key intent for selectors and prohibited flags
+
+Bug: 265015796
+Test: atest
+FrameworksServicesTests: com.android.server.accounts.AccountManagerServiceTest
+(cherry picked from commit e53a96304352e2965176c8d32ac1b504e52ef185)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:92114886bdce8467c52c655c186f3e7ab1e134d8)
+Merged-In: Ie16f8654337bd75eaad3156817470674b4f0cee3
+Change-Id: Ie16f8654337bd75eaad3156817470674b4f0cee3
+---
+ .../accounts/AccountManagerService.java       | 18 +++++++---
+ .../accounts/AccountManagerServiceTest.java   | 36 +++++++++++++++++++
+ .../AccountManagerServiceTestFixtures.java    |  5 ++-
+ .../TestAccountType1Authenticator.java        |  5 +--
+ 4 files changed, 54 insertions(+), 10 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index d2f5d59e7030..36732273ab6f 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -4785,10 +4785,6 @@ public class AccountManagerService
+             if (intent.getClipData() == null) {
+                 intent.setClipData(ClipData.newPlainText(null, null));
+             }
+-            intent.setFlags(intent.getFlags() & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
+-                    | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION));
+             long bid = Binder.clearCallingIdentity();
+             try {
+                 PackageManager pm = mContext.getPackageManager();
+@@ -4835,7 +4831,19 @@ public class AccountManagerService
+             if (intent == null) {
+                 return (simulateIntent == null);
+             }
+-            return intent.filterEquals(simulateIntent);
++            if (!intent.filterEquals(simulateIntent)) {
++                return false;
++            }
++
++            if (intent.getSelector() != simulateIntent.getSelector()) {
++                return false;
++            }
++
++            int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
++                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
++                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
++                    | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
++            return (simulateIntent.getFlags() & prohibitedFlags) == 0;
+         }
+ 
+         private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
+diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+index 73267e4868a6..c063f645a4ea 100644
+--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
++++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTest.java
+@@ -17,6 +17,7 @@
+ package com.android.server.accounts;
+ 
+ import static android.database.sqlite.SQLiteDatabase.deleteDatabase;
++import static org.mockito.ArgumentMatchers.contains;
+ import static org.mockito.Matchers.any;
+ import static org.mockito.Matchers.anyBoolean;
+ import static org.mockito.Matchers.anyInt;
+@@ -681,6 +682,41 @@ public class AccountManagerServiceTest extends AndroidTestCase {
+         assertNotNull(intent.getParcelableExtra(AccountManagerServiceTestFixtures.KEY_CALLBACK));
+     }
+ 
++    @SmallTest
++    public void testStartAddAccountSessionWhereAuthenticatorReturnsIntentWithProhibitedFlags()
++            throws Exception {
++        unlockSystemUser();
++        ResolveInfo resolveInfo = new ResolveInfo();
++        resolveInfo.activityInfo = new ActivityInfo();
++        resolveInfo.activityInfo.applicationInfo = new ApplicationInfo();
++        when(mMockPackageManager.resolveActivityAsUser(
++                any(Intent.class), anyInt(), anyInt())).thenReturn(resolveInfo);
++        when(mMockPackageManager.checkSignatures(
++                anyInt(), anyInt())).thenReturn(PackageManager.SIGNATURE_MATCH);
++
++        final CountDownLatch latch = new CountDownLatch(1);
++        Response response = new Response(latch, mMockAccountManagerResponse);
++        Bundle options = createOptionsWithAccountName(
++                AccountManagerServiceTestFixtures.ACCOUNT_NAME_INTERVENE);
++        int prohibitedFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
++                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
++                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
++                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;
++        options.putInt(AccountManagerServiceTestFixtures.KEY_INTENT_FLAGS, prohibitedFlags);
++
++        mAms.startAddAccountSession(
++                response, // response
++                AccountManagerServiceTestFixtures.ACCOUNT_TYPE_1, // accountType
++                "authTokenType",
++                null, // requiredFeatures
++                true, // expectActivityLaunch
++                options); // optionsIn
++        waitForLatch(latch);
++
++        verify(mMockAccountManagerResponse).onError(
++                eq(AccountManager.ERROR_CODE_INVALID_RESPONSE), contains("invalid intent"));
++    }
++
+     @SmallTest
+     public void testStartAddAccountSessionError() throws Exception {
+         unlockSystemUser();
+diff --git a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
+index 73f30d9f9e79..b98a6a891d55 100644
+--- a/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
++++ b/services/tests/servicestests/src/com/android/server/accounts/AccountManagerServiceTestFixtures.java
+@@ -17,9 +17,6 @@ package com.android.server.accounts;
+ 
+ import android.accounts.Account;
+ 
+-import java.util.ArrayList;
+-import java.util.List;
+-
+ /**
+  * Constants shared between test AccountAuthenticators and AccountManagerServiceTest.
+  */
+@@ -31,6 +28,8 @@ public final class AccountManagerServiceTestFixtures {
+             "account_manager_service_test:account_status_token_key";
+     public static final String KEY_ACCOUNT_PASSWORD =
+             "account_manager_service_test:account_password_key";
++    public static final String KEY_INTENT_FLAGS =
++            "account_manager_service_test:intent_flags_key";
+     public static final String KEY_OPTIONS_BUNDLE =
+             "account_manager_service_test:option_bundle_key";
+     public static final String ACCOUNT_NAME_SUCCESS = "success_on_return@fixture.com";
+diff --git a/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java b/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
+index 8106364477d9..924443e9d5cf 100644
+--- a/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
++++ b/services/tests/servicestests/src/com/android/server/accounts/TestAccountType1Authenticator.java
+@@ -24,8 +24,6 @@ import android.content.Context;
+ import android.content.Intent;
+ import android.os.Bundle;
+ 
+-import com.android.frameworks.servicestests.R;
+-
+ import java.util.concurrent.atomic.AtomicInteger;
+ 
+ /**
+@@ -270,11 +268,13 @@ public class TestAccountType1Authenticator extends AbstractAccountAuthenticator
+         String accountName = null;
+         Bundle sessionBundle = null;
+         String password = null;
++        int intentFlags = 0;
+         if (options != null) {
+             accountName = options.getString(AccountManagerServiceTestFixtures.KEY_ACCOUNT_NAME);
+             sessionBundle = options.getBundle(
+                     AccountManagerServiceTestFixtures.KEY_ACCOUNT_SESSION_BUNDLE);
+             password = options.getString(AccountManagerServiceTestFixtures.KEY_ACCOUNT_PASSWORD);
++            intentFlags = options.getInt(AccountManagerServiceTestFixtures.KEY_INTENT_FLAGS, 0);
+         }
+ 
+         Bundle result = new Bundle();
+@@ -302,6 +302,7 @@ public class TestAccountType1Authenticator extends AbstractAccountAuthenticator
+             intent.putExtra(AccountManagerServiceTestFixtures.KEY_RESULT,
+                     eventualActivityResultData);
+             intent.putExtra(AccountManagerServiceTestFixtures.KEY_CALLBACK, response);
++            intent.setFlags(intentFlags);
+ 
+             result.putParcelable(AccountManager.KEY_INTENT, intent);
+         } else {

Patches/LineageOS-16.0/android_frameworks_base/359731.patch

@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kweku Adams <kwekua@google.com>
+Date: Wed, 21 Sep 2022 22:13:01 +0000
+Subject: [PATCH] Handle invalid data during job loading.
+
+Catch exceptions that may be thrown if invalid data ended up in the
+persisted job file.
+
+Bug: 246541702
+Bug: 246542132
+Bug: 246542285
+Bug: 246542330
+Test: install test app with invalid job config, start app to schedule job, then reboot device
+(cherry picked from commit c98fb42b480b3beedc2d94de6110f50212c4aa0b)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df1ba00dd9f64a3ae9a9e05979dfae6a15c7e203)
+Merged-In: Id0ceba345942baf21177f687b8dd85ef001c0a9e
+Change-Id: Id0ceba345942baf21177f687b8dd85ef001c0a9e
+---
+ .../java/com/android/server/job/JobStore.java | 26 ++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/job/JobStore.java b/services/core/java/com/android/server/job/JobStore.java
+index 4f8b1dcc6bb4..7f2d7fb5987d 100644
+--- a/services/core/java/com/android/server/job/JobStore.java
++++ b/services/core/java/com/android/server/job/JobStore.java
+@@ -623,6 +623,10 @@ public final class JobStore {
+                 }
+             } catch (XmlPullParserException | IOException e) {
+                 Slog.wtf(TAG, "Error jobstore xml.", e);
++            } catch (Exception e) {
++                // Crashing at this point would result in a boot loop, so live with a general
++                // Exception for system stability's sake.
++                Slog.wtf(TAG, "Unexpected exception", e);
+             } finally {
+                 if (mPersistInfo.countAllJobsLoaded < 0) { // Only set them once.
+                     mPersistInfo.countAllJobsLoaded = numJobs;
+@@ -753,6 +757,15 @@ public final class JobStore {
+             } catch (NumberFormatException e) {
+                 Slog.d(TAG, "Error reading constraints, skipping.");
+                 return null;
++            } catch (XmlPullParserException e) {
++                Slog.d(TAG, "Error Parser Exception.", e);
++                return null;
++            } catch (IOException e) {
++                Slog.d(TAG, "Error I/O Exception.", e);
++                return null;
++            } catch (IllegalArgumentException e) {
++                Slog.e(TAG, "Constraints contained invalid data", e);
++                return null;
+             }
+             parser.next(); // Consume </constraints>
+ 
+@@ -848,8 +861,14 @@ public final class JobStore {
+                 return null;
+             }
+ 
+-            PersistableBundle extras = PersistableBundle.restoreFromXml(parser);
+-            jobBuilder.setExtras(extras);
++            final PersistableBundle extras;
++            try {
++                extras = PersistableBundle.restoreFromXml(parser);
++                jobBuilder.setExtras(extras);
++            } catch (IllegalArgumentException e) {
++                Slog.e(TAG, "Persisted extras contained invalid data", e);
++                return null;
++            }
+             parser.nextTag(); // Consume </extras>
+ 
+             // Migrate sync jobs forward from earlier, incomplete representation
+@@ -887,7 +906,8 @@ public final class JobStore {
+             return new JobInfo.Builder(jobId, cname);
+         }
+ 
+-        private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser) {
++        private void buildConstraintsFromXml(JobInfo.Builder jobBuilder, XmlPullParser parser)
++                throws XmlPullParserException, IOException {
+             String val;
+ 
+             final String netCapabilities = parser.getAttributeValue(null, "net-capabilities");

Patches/LineageOS-16.0/android_frameworks_base/359732.patch

@@ -0,0 +1,232 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Tue, 7 Mar 2023 15:44:49 -0500
+Subject: [PATCH] Allow filtering of services
+
+Test: ServiceListingTest
+Bug: 260570119
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:44dcb8351e61f4b3a63ec68fa5d8490501e8a823)
+Merged-In: Ib4740ba401667de62fa1a33334c2c1fbee25b760
+Change-Id: Ib4740ba401667de62fa1a33334c2c1fbee25b760
+---
+ .../applications/ServiceListing.java          | 19 +++-
+ .../applications/ServiceListingTest.java      | 98 ++++++++++++++++++-
+ 2 files changed, 113 insertions(+), 4 deletions(-)
+
+diff --git a/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java b/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
+index 3c3c70ac364e..8c1cc256eee4 100644
+--- a/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
++++ b/packages/SettingsLib/src/com/android/settingslib/applications/ServiceListing.java
+@@ -37,6 +37,7 @@ import com.android.settingslib.wrapper.PackageManagerWrapper;
+ import java.util.ArrayList;
+ import java.util.HashSet;
+ import java.util.List;
++import java.util.function.Predicate;
+ 
+ /**
+  * Class for managing services matching a given intent and requesting a given permission.
+@@ -52,11 +53,13 @@ public class ServiceListing {
+     private final HashSet<ComponentName> mEnabledServices = new HashSet<>();
+     private final List<ServiceInfo> mServices = new ArrayList<>();
+     private final List<Callback> mCallbacks = new ArrayList<>();
++    private final Predicate mValidator;
+ 
+     private boolean mListening;
+ 
+     private ServiceListing(Context context, String tag,
+-            String setting, String intentAction, String permission, String noun) {
++            String setting, String intentAction, String permission, String noun,
++            Predicate validator) {
+         mContentResolver = context.getContentResolver();
+         mContext = context;
+         mTag = tag;
+@@ -64,6 +67,7 @@ public class ServiceListing {
+         mIntentAction = intentAction;
+         mPermission = permission;
+         mNoun = noun;
++        mValidator = validator;
+     }
+ 
+     public void addCallback(Callback callback) {
+@@ -133,7 +137,6 @@ public class ServiceListing {
+                 new Intent(mIntentAction),
+                 PackageManager.GET_SERVICES | PackageManager.GET_META_DATA,
+                 user);
+-
+         for (ResolveInfo resolveInfo : installedServices) {
+             ServiceInfo info = resolveInfo.serviceInfo;
+ 
+@@ -144,6 +147,9 @@ public class ServiceListing {
+                         + mPermission);
+                 continue;
+             }
++            if (mValidator != null && !mValidator.test(info)) {
++                continue;
++            }
+             mServices.add(info);
+         }
+         for (Callback callback : mCallbacks) {
+@@ -189,6 +195,7 @@ public class ServiceListing {
+         private String mIntentAction;
+         private String mPermission;
+         private String mNoun;
++        private Predicate mValidator;
+ 
+         public Builder(Context context) {
+             mContext = context;
+@@ -219,8 +226,14 @@ public class ServiceListing {
+             return this;
+         }
+ 
++        public Builder setValidator(Predicate<ServiceInfo> validator) {
++            mValidator = validator;
++            return this;
++        }
++
+         public ServiceListing build() {
+-            return new ServiceListing(mContext, mTag, mSetting, mIntentAction, mPermission, mNoun);
++            return new ServiceListing(mContext, mTag, mSetting, mIntentAction, mPermission, mNoun,
++                    mValidator);
+         }
+     }
+ }
+diff --git a/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java b/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
+index 060b716bb435..6cfbd458fd79 100644
+--- a/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
++++ b/packages/SettingsLib/tests/robotests/src/com/android/settingslib/applications/ServiceListingTest.java
+@@ -17,21 +17,36 @@
+ package com.android.settingslib.applications;
+ 
+ import static com.google.common.truth.Truth.assertThat;
++import static org.mockito.ArgumentMatchers.any;
++import static org.mockito.ArgumentMatchers.anyInt;
+ import static org.mockito.ArgumentMatchers.anyList;
+ import static org.mockito.Mockito.mock;
++import static org.mockito.Mockito.spy;
+ import static org.mockito.Mockito.times;
+ import static org.mockito.Mockito.verify;
++import static org.mockito.Mockito.spy;
+ 
+ import android.content.ComponentName;
++import android.content.Context;
++import android.content.pm.PackageManager;
++import android.content.pm.ResolveInfo;
++import android.content.pm.ServiceInfo;
+ import android.provider.Settings;
+ 
++import androidx.test.core.app.ApplicationProvider;
++
+ import com.android.settingslib.SettingsLibRobolectricTestRunner;
+ 
++import com.google.common.collect.ImmutableList;
++
+ import org.junit.Before;
+ import org.junit.Test;
+ import org.junit.runner.RunWith;
++import org.mockito.ArgumentCaptor;
+ import org.robolectric.RuntimeEnvironment;
+ 
++import java.util.List;
++
+ @RunWith(SettingsLibRobolectricTestRunner.class)
+ public class ServiceListingTest {
+ 
+@@ -39,16 +54,97 @@ public class ServiceListingTest {
+     private static final String TEST_INTENT = "com.example.intent";
+ 
+     private ServiceListing mServiceListing;
++    private Context mContext;
++    private PackageManager mPm;
+ 
+     @Before
+     public void setUp() {
+-        mServiceListing = new ServiceListing.Builder(RuntimeEnvironment.application)
++        mPm = mock(PackageManager.class);
++        mContext = spy(ApplicationProvider.getApplicationContext());
++        when(mContext.getPackageManager()).thenReturn(mPm);
++
++        mServiceListing = new ServiceListing.Builder(mContext)
++                .setTag("testTag")
++                .setSetting(TEST_SETTING)
++                .setNoun("testNoun")
++                .setIntentAction(TEST_INTENT)
++                .setPermission("testPermission")
++                .build();
++    }
++
++    @Test
++    public void testValidator() {
++        ServiceInfo s1 = new ServiceInfo();
++        s1.permission = "testPermission";
++        s1.packageName = "pkg";
++        ServiceInfo s2 = new ServiceInfo();
++        s2.permission = "testPermission";
++        s2.packageName = "pkg2";
++        ResolveInfo r1 = new ResolveInfo();
++        r1.serviceInfo = s1;
++        ResolveInfo r2 = new ResolveInfo();
++        r2.serviceInfo = s2;
++
++        when(mPm.queryIntentServicesAsUser(any(), anyInt(), anyInt())).thenReturn(
++                ImmutableList.of(r1, r2));
++
++        mServiceListing = new ServiceListing.Builder(mContext)
++                .setTag("testTag")
++                .setSetting(TEST_SETTING)
++                .setNoun("testNoun")
++                .setIntentAction(TEST_INTENT)
++                .setValidator(info -> {
++                    if (info.packageName.equals("pkg")) {
++                        return true;
++                    }
++                    return false;
++                })
++                .setPermission("testPermission")
++                .build();
++        ServiceListing.Callback callback = mock(ServiceListing.Callback.class);
++        mServiceListing.addCallback(callback);
++        mServiceListing.reload();
++
++        verify(mPm).queryIntentServicesAsUser(any(), anyInt(), anyInt());
++        ArgumentCaptor<List<ServiceInfo>> captor = ArgumentCaptor.forClass(List.class);
++        verify(callback, times(1)).onServicesReloaded(captor.capture());
++
++        assertThat(captor.getValue().size()).isEqualTo(1);
++        assertThat(captor.getValue().get(0)).isEqualTo(s1);
++    }
++
++    @Test
++    public void testNoValidator() {
++        ServiceInfo s1 = new ServiceInfo();
++        s1.permission = "testPermission";
++        s1.packageName = "pkg";
++        ServiceInfo s2 = new ServiceInfo();
++        s2.permission = "testPermission";
++        s2.packageName = "pkg2";
++        ResolveInfo r1 = new ResolveInfo();
++        r1.serviceInfo = s1;
++        ResolveInfo r2 = new ResolveInfo();
++        r2.serviceInfo = s2;
++
++        when(mPm.queryIntentServicesAsUser(any(), anyInt(), anyInt())).thenReturn(
++                ImmutableList.of(r1, r2));
++
++        mServiceListing = new ServiceListing.Builder(mContext)
+                 .setTag("testTag")
+                 .setSetting(TEST_SETTING)
+                 .setNoun("testNoun")
+                 .setIntentAction(TEST_INTENT)
+                 .setPermission("testPermission")
+                 .build();
++        ServiceListing.Callback callback = mock(ServiceListing.Callback.class);
++        mServiceListing.addCallback(callback);
++        mServiceListing.reload();
++
++        verify(mPm).queryIntentServicesAsUser(any(), anyInt(), anyInt());
++        ArgumentCaptor<List<ServiceInfo>> captor = ArgumentCaptor.forClass(List.class);
++        verify(callback, times(1)).onServicesReloaded(captor.capture());
++
++        assertThat(captor.getValue().size()).isEqualTo(2);
+     }
+ 
+     @Test

Patches/LineageOS-16.0/android_frameworks_base/359733.patch

@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Valentin Iftime <valiiftime@google.com>
+Date: Wed, 22 Feb 2023 09:38:55 +0100
+Subject: [PATCH] Prevent RemoteViews crashing SystemUi
+
+  Catch canvas drawing exceptions caused  by unsuported image sizes.
+
+Test: 1. Post a custom view notification with a layout
+	containing an ImageView that references a 5k x 5k image
+2. Add an App Widget to the home screen with that has the
+	layout mentioned above as preview/initial layout.
+
+Bug: 268193777
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cfc0b34432ab54e3fa472db5c43e620293f64a5d)
+Merged-In: Ib3bda769c499b4069b49c566b1b227f98f707a8a
+Change-Id: Ib3bda769c499b4069b49c566b1b227f98f707a8a
+---
+ .../android/appwidget/AppWidgetHostView.java  | 39 ++++++++++++++-----
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java
+index ab0eb92e1726..02b244bdd9a6 100644
+--- a/core/java/android/appwidget/AppWidgetHostView.java
++++ b/core/java/android/appwidget/AppWidgetHostView.java
+@@ -21,6 +21,7 @@ import android.content.Context;
+ import android.content.pm.ApplicationInfo;
+ import android.content.pm.PackageManager.NameNotFoundException;
+ import android.content.res.Resources;
++import android.graphics.Canvas;
+ import android.graphics.Color;
+ import android.graphics.Rect;
+ import android.os.Build;
+@@ -248,19 +249,26 @@ public class AppWidgetHostView extends FrameLayout {
+             super.onLayout(changed, left, top, right, bottom);
+         } catch (final RuntimeException e) {
+             Log.e(TAG, "Remote provider threw runtime exception, using error view instead.", e);
+-            removeViewInLayout(mView);
+-            View child = getErrorView();
+-            prepareView(child);
+-            addViewInLayout(child, 0, child.getLayoutParams());
+-            measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
+-                    MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
+-            child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
+-                    child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
+-            mView = child;
+-            mViewMode = VIEW_MODE_ERROR;
++            handleViewError();
+         }
+     }
+ 
++    /**
++     * Remove bad view and replace with error message view
++     */
++    private void handleViewError() {
++        removeViewInLayout(mView);
++        View child = getErrorView();
++        prepareView(child);
++        addViewInLayout(child, 0, child.getLayoutParams());
++        measureChild(child, MeasureSpec.makeMeasureSpec(getMeasuredWidth(), MeasureSpec.EXACTLY),
++                MeasureSpec.makeMeasureSpec(getMeasuredHeight(), MeasureSpec.EXACTLY));
++        child.layout(0, 0, child.getMeasuredWidth() + mPaddingLeft + mPaddingRight,
++                child.getMeasuredHeight() + mPaddingTop + mPaddingBottom);
++        mView = child;
++        mViewMode = VIEW_MODE_ERROR;
++    }
++
+     /**
+      * Provide guidance about the size of this widget to the AppWidgetManager. The widths and
+      * heights should correspond to the full area the AppWidgetHostView is given. Padding added by
+@@ -646,4 +654,15 @@ public class AppWidgetHostView extends FrameLayout {
+         super.onInitializeAccessibilityNodeInfoInternal(info);
+         info.setClassName(AppWidgetHostView.class.getName());
+     }
++
++    @Override
++    protected void dispatchDraw(Canvas canvas) {
++        try {
++            super.dispatchDraw(canvas);
++        } catch (Exception e) {
++            // Catch draw exceptions that may be caused by RemoteViews
++            Log.e(TAG, "Drawing view failed: " + e);
++            post(this::handleViewError);
++        }
++    }
+ }

Patches/LineageOS-16.0/android_frameworks_base/361254.patch

@@ -0,0 +1,145 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lucas Lin <lucaslin@google.com>
+Date: Fri, 3 Mar 2023 08:13:50 +0000
+Subject: [PATCH] Sanitize VPN label to prevent HTML injection
+
+This commit will try to sanitize the content of VpnDialog. This
+commit creates a function which will try to sanitize the VPN
+label, if the sanitized VPN label is different from the original
+one, which means the VPN label might contain HTML tag or the VPN
+label violates the words restriction(may contain some wording
+which will mislead the user). For this kind of case, show the
+package name instead of the VPN label to prevent misleading the
+user.
+
+The malicious VPN app might be able to add a large number of line
+breaks with HTML in order to hide the system-displayed text from
+the user in the connection request dialog. Thus, sanitizing the
+content of the dialog is needed.
+
+Bug: 204554636
+Test: N/A
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab)
+Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
+Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
+---
+ packages/VpnDialogs/res/values/strings.xml    | 28 ++++++++++
+ .../com/android/vpndialogs/ConfirmDialog.java | 53 +++++++++++++++++--
+ 2 files changed, 76 insertions(+), 5 deletions(-)
+
+diff --git a/packages/VpnDialogs/res/values/strings.xml b/packages/VpnDialogs/res/values/strings.xml
+index 443a9bc33b90..b4166f0bedfd 100644
+--- a/packages/VpnDialogs/res/values/strings.xml
++++ b/packages/VpnDialogs/res/values/strings.xml
+@@ -89,4 +89,32 @@
+          without any consequences. [CHAR LIMIT=20] -->
+     <string name="dismiss">Dismiss</string>
+ 
++    <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs
++         into displaying what they want. The system will attempt to sanitize the label, and if the
++         label is deemed dangerous, then this string is used instead. The first argument is the
++         first 30 characters of the label, and the second argument is the package name of the app.
++         Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read
++         "My VPN app wants to set up a VPN connection...". If the label is very long, then, this
++         will be used to show "VerylongVPNlabel… (com.my.vpn.app) wants to set up a VPN
++         connection...". For this case, the code will refer to sanitized_vpn_label_with_ellipsis.
++    -->
++    <string name="sanitized_vpn_label_with_ellipsis">
++        <xliff:g id="sanitized_vpn_label_with_ellipsis" example="My VPN app">%1$s</xliff:g>… (
++        <xliff:g id="sanitized_vpn_label_with_ellipsis" example="com.my.vpn.app">%2$s</xliff:g>)
++    </string>
++
++    <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs
++         into displaying what they want. The system will attempt to sanitize the label, and if the
++         label is deemed dangerous, then this string is used instead. The first argument is the
++         label, and the second argument is the package name of the app.
++         Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read
++         "My VPN app wants to set up a VPN connection...". If the VPN label contains HTML tag but
++         the length is not very long, the dialog will show "VpnLabelWith&lt;br&gt;HtmlTag
++         (com.my.vpn.app) wants to set up a VPN connection...". For this case, the code will refer
++         to sanitized_vpn_label.
++    -->
++    <string name="sanitized_vpn_label">
++        <xliff:g id="sanitized_vpn_label" example="My VPN app">%1$s</xliff:g> (
++        <xliff:g id="sanitized_vpn_label" example="com.my.vpn.app">%2$s</xliff:g>)
++    </string>
+ </resources>
+diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
+index 09339743db5c..43d18df3a10d 100644
+--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
++++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
+@@ -42,10 +42,52 @@ public class ConfirmDialog extends AlertActivity
+         implements DialogInterface.OnClickListener, ImageGetter {
+     private static final String TAG = "VpnConfirm";
+ 
++    // Usually the label represents the app name, 150 code points might be enough to display the app
++    // name, and 150 code points won't cover the warning message from VpnDialog.
++    static final int MAX_VPN_LABEL_LENGTH = 150;
++
+     private String mPackage;
+ 
+     private IConnectivityManager mService;
+ 
++    private View mView;
++
++    /**
++     * This function will use the string resource to combine the VPN label and the package name.
++     *
++     * If the VPN label violates the length restriction, the first 30 code points of VPN label and
++     * the package name will be returned. Or return the VPN label and the package name directly if
++     * the VPN label doesn't violate the length restriction.
++     *
++     * The result will be something like,
++     * - ThisIsAVeryLongVpnAppNameWhich... (com.vpn.app)
++     *   if the VPN label violates the length restriction.
++     * or
++     * - VpnLabelWith&lt;br&gt;HtmlTag (com.vpn.app)
++     *   if the VPN label doesn't violate the length restriction.
++     *
++     */
++    private String getSimplifiedLabel(String vpnLabel, String packageName) {
++        if (vpnLabel.codePointCount(0, vpnLabel.length()) > 30) {
++            return getString(R.string.sanitized_vpn_label_with_ellipsis,
++                vpnLabel.substring(0, vpnLabel.offsetByCodePoints(0, 30)),
++                packageName);
++        }
++
++        return getString(R.string.sanitized_vpn_label, vpnLabel, packageName);
++    }
++
++    protected String getSanitizedVpnLabel(String vpnLabel, String packageName) {
++        final String sanitizedVpnLabel = Html.escapeHtml(vpnLabel);
++        final boolean exceedMaxVpnLabelLength = sanitizedVpnLabel.codePointCount(0,
++            sanitizedVpnLabel.length()) > MAX_VPN_LABEL_LENGTH;
++        if (exceedMaxVpnLabelLength || !vpnLabel.equals(sanitizedVpnLabel)) {
++            return getSimplifiedLabel(sanitizedVpnLabel, packageName);
++        }
++
++        return sanitizedVpnLabel;
++    }
++
+     @Override
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
+@@ -68,15 +110,16 @@ public class ConfirmDialog extends AlertActivity
+             finish();
+             return;
+         }
+-        View view = View.inflate(this, R.layout.confirm, null);
+-        ((TextView) view.findViewById(R.id.warning)).setText(
+-                Html.fromHtml(getString(R.string.warning, getVpnLabel()),
+-                        this, null /* tagHandler */));
++        mView = View.inflate(this, R.layout.confirm, null);
++        ((TextView) mView.findViewById(R.id.warning)).setText(
++                Html.fromHtml(getString(R.string.warning, getSanitizedVpnLabel(
++                    getVpnLabel().toString(), mPackage)),
++                    this /* imageGetter */, null /* tagHandler */));
+         mAlertParams.mTitle = getText(R.string.prompt);
+         mAlertParams.mPositiveButtonText = getText(android.R.string.ok);
+         mAlertParams.mPositiveButtonListener = this;
+         mAlertParams.mNegativeButtonText = getText(android.R.string.cancel);
+-        mAlertParams.mView = view;
++        mAlertParams.mView = mView;
+         setupAlert();
+ 
+         getWindow().setCloseOnTouchOutside(false);

Patches/LineageOS-16.0/android_frameworks_base/361255.patch

@@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Groover <mpgroover@google.com>
+Date: Fri, 31 Mar 2023 21:31:22 +0000
+Subject: [PATCH] Limit the number of supported v1 and v2 signers
+
+The v1 and v2 APK Signature Schemes support multiple signers; this
+was intended to allow multiple entities to sign an APK. Previously,
+the platform had no limits placed on the number of signers supported
+in an APK, but this commit sets a hard limit of 10 supported signers
+for these signature schemes to ensure a large number of signers
+does not place undue burden on the platform.
+
+Bug: 266580022
+Test: Manually verified the platform only allowed an APK with the
+       maximum number of supported signers.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597)
+Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091
+Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091
+---
+ .../util/apk/ApkSignatureSchemeV2Verifier.java        | 10 ++++++++++
+ core/java/android/util/jar/StrictJarVerifier.java     | 11 +++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
+index 533d72590f0a..d5f6ebe8c2e9 100644
+--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
++++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
+@@ -83,6 +83,11 @@ public class ApkSignatureSchemeV2Verifier {
+ 
+     private static final int APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871a;
+ 
++    /**
++     * The maximum number of signers supported by the v2 APK signature scheme.
++     */
++    private static final int MAX_V2_SIGNERS = 10;
++
+     /**
+      * Returns {@code true} if the provided APK contains an APK Signature Scheme V2 signature.
+      *
+@@ -188,6 +193,11 @@ public class ApkSignatureSchemeV2Verifier {
+         }
+         while (signers.hasRemaining()) {
+             signerCount++;
++            if (signerCount > MAX_V2_SIGNERS) {
++                throw new SecurityException(
++                        "APK Signature Scheme v2 only supports a maximum of " + MAX_V2_SIGNERS
++                                + " signers");
++            }
+             try {
+                 ByteBuffer signer = getLengthPrefixedSlice(signers);
+                 X509Certificate[] certs = verifySigner(signer, contentDigests, certFactory);
+diff --git a/core/java/android/util/jar/StrictJarVerifier.java b/core/java/android/util/jar/StrictJarVerifier.java
+index 45254908c5c9..a6aca330d323 100644
+--- a/core/java/android/util/jar/StrictJarVerifier.java
++++ b/core/java/android/util/jar/StrictJarVerifier.java
+@@ -78,6 +78,11 @@ class StrictJarVerifier {
+         "SHA1",
+     };
+ 
++    /**
++     * The maximum number of signers supported by the JAR signature scheme.
++     */
++    private static final int MAX_JAR_SIGNERS = 10;
++
+     private final String jarName;
+     private final StrictJarManifest manifest;
+     private final HashMap<String, byte[]> metaEntries;
+@@ -293,10 +298,16 @@ class StrictJarVerifier {
+             return false;
+         }
+ 
++        int signerCount = 0;
+         Iterator<String> it = metaEntries.keySet().iterator();
+         while (it.hasNext()) {
+             String key = it.next();
+             if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) {
++                if (++signerCount > MAX_JAR_SIGNERS) {
++                    throw new SecurityException(
++                            "APK Signature Scheme v1 only supports a maximum of " + MAX_JAR_SIGNERS
++                                    + " signers");
++                }
+                 verifyCertificate(key);
+                 it.remove();
+             }

Patches/LineageOS-16.0/android_frameworks_base/361257.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aaron Liu <aaronjli@google.com>
+Date: Tue, 28 Mar 2023 13:15:04 -0700
+Subject: [PATCH] DO NOT MERGE Dismiss keyguard when simpin auth'd and...
+
+security method is none. This is mostly to fix the case where we auth
+sim pin in the set up wizard and it goes straight to keyguard instead of
+the setup wizard activity.
+
+This works with the prevent bypass keyguard flag because the device
+should be noe secure in this case.
+
+Fixes: 222446076
+Test: turn locked sim on, which opens the sim pin screen. Auth the
+screen and observe that keyguard is not shown.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
+Cherry-picking this CL as a security fix
+
+Bug: 222446076
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09f004722284ef6b9790ddf9338a1708b3f0833c)
+Merged-In: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+Change-Id: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+---
+ .../src/com/android/keyguard/KeyguardSecurityContainer.java     | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+index 6a71cf84759c..bb205956e932 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+                 case SimPuk:
+                     // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
+                     SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
+-                    if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
++                    if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+                             KeyguardUpdateMonitor.getCurrentUser())) {
+                         finish = true;
+                     } else {

Patches/LineageOS-16.0/android_frameworks_base/361258.patch

@@ -0,0 +1,100 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A1s=20Kurucz?= <kurucz@google.com>
+Date: Fri, 21 Apr 2023 09:45:07 +0000
+Subject: [PATCH] Truncate ShortcutInfo Id
+
+Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput.
+This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior.
+
+Fixes: 273729476
+Test: atest ShortcutManagerTest2
+Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f31df6234091b5b1de258a01dd4b2d8e5415ee2e)
+Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
+
+Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
+---
+ .../java/android/content/pm/ShortcutInfo.java | 20 ++++++++++++++++---
+ .../server/pm/ShortcutManagerTest2.java       | 10 ++++++++++
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/core/java/android/content/pm/ShortcutInfo.java b/core/java/android/content/pm/ShortcutInfo.java
+index ea476b0abf33..cddad1798219 100644
+--- a/core/java/android/content/pm/ShortcutInfo.java
++++ b/core/java/android/content/pm/ShortcutInfo.java
+@@ -214,6 +214,12 @@ public final class ShortcutInfo implements Parcelable {
+      */
+     public static final int DISABLED_REASON_OTHER_RESTORE_ISSUE = 103;
+ 
++    /**
++     * The maximum length of Shortcut ID. IDs will be truncated at this limit.
++     * @hide
++     */
++    public static final int MAX_ID_LENGTH = 1000;
++
+     /** @hide */
+     @IntDef(prefix = { "DISABLED_REASON_" }, value = {
+             DISABLED_REASON_NOT_DISABLED,
+@@ -380,8 +386,7 @@ public final class ShortcutInfo implements Parcelable {
+ 
+     private ShortcutInfo(Builder b) {
+         mUserId = b.mContext.getUserId();
+-
+-        mId = Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided");
++        mId = getSafeId(Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided"));
+ 
+         // Note we can't do other null checks here because SM.updateShortcuts() takes partial
+         // information.
+@@ -463,6 +468,14 @@ public final class ShortcutInfo implements Parcelable {
+         return ret;
+     }
+ 
++    @NonNull
++    private static String getSafeId(@NonNull String id) {
++        if (id.length() > MAX_ID_LENGTH) {
++            return id.substring(0, MAX_ID_LENGTH);
++        }
++        return id;
++    }
++
+     /**
+      * Throws if any of the mandatory fields is not set.
+      *
+@@ -1851,7 +1864,8 @@ public final class ShortcutInfo implements Parcelable {
+         final ClassLoader cl = getClass().getClassLoader();
+ 
+         mUserId = source.readInt();
+-        mId = source.readString();
++        mId = getSafeId(Preconditions.checkStringNotEmpty(source.readString(),
++                "Shortcut ID must be provided"));
+         mPackageName = source.readString();
+         mActivity = source.readParcelable(cl);
+         mFlags = source.readInt();
+diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+index fcdadaccd2ac..464f563640c1 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+@@ -53,6 +53,7 @@ import java.io.IOException;
+ import java.io.PrintWriter;
+ import java.io.StringWriter;
+ import java.io.Writer;
++import java.util.Collections;
+ import java.util.Locale;
+ 
+ /**
+@@ -223,6 +224,15 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest {
+                 });
+     }
+ 
++    public void testShortcutIdTruncated() {
++        ShortcutInfo si = new ShortcutInfo.Builder(getTestContext(),
++                String.join("", Collections.nCopies(Short.MAX_VALUE, "s"))).build();
++
++        assertTrue(
++                "id must be truncated to MAX_ID_LENGTH",
++                si.getId().length() <= ShortcutInfo.MAX_ID_LENGTH);
++    }
++
+     public void testShortcutInfoParcel() {
+         setCaller(CALLING_PACKAGE_1, USER_10);
+         ShortcutInfo si = parceled(new ShortcutInfo.Builder(mClientContext)

Patches/LineageOS-16.0/android_frameworks_base/361259.patch

@@ -0,0 +1,128 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ioana Alexandru <aioana@google.com>
+Date: Thu, 27 Apr 2023 12:36:05 +0000
+Subject: [PATCH] Visit URIs in landscape/portrait custom remote views.
+
+Bug: 277740848
+Test: atest RemoteViewsTest NotificationManagerServiceTest & tested with POC from bug
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e8acb2f660bdb03616989852f9dbbf1726f8237e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e1ae4e0d408604b9e3c18ac0e9bf87529b92a8)
+Merged-In: I7d3d35df0ec38945019f71755bed8797b7af4517
+Change-Id: I7d3d35df0ec38945019f71755bed8797b7af4517
+---
+ core/java/android/widget/RemoteViews.java     |  6 ++
+ .../src/android/widget/RemoteViewsTest.java   | 65 +++++++++++++++++++
+ 2 files changed, 71 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java
+index 4865dab6056a..10053dddb0fb 100644
+--- a/core/java/android/widget/RemoteViews.java
++++ b/core/java/android/widget/RemoteViews.java
+@@ -543,6 +543,12 @@ public class RemoteViews implements Parcelable, Filter {
+                 mActions.get(i).visitUris(visitor);
+             }
+         }
++        if (mLandscape != null) {
++            mLandscape.visitUris(visitor);
++        }
++        if (mPortrait != null) {
++            mPortrait.visitUris(visitor);
++        }
+     }
+ 
+     private static void visitIconUri(Icon icon, @NonNull Consumer<Uri> visitor) {
+diff --git a/core/tests/coretests/src/android/widget/RemoteViewsTest.java b/core/tests/coretests/src/android/widget/RemoteViewsTest.java
+index 70cf097f42a3..7d2e07ecbd71 100644
+--- a/core/tests/coretests/src/android/widget/RemoteViewsTest.java
++++ b/core/tests/coretests/src/android/widget/RemoteViewsTest.java
+@@ -19,6 +19,10 @@ package android.widget;
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertSame;
+ import static org.junit.Assert.assertTrue;
++import static org.mockito.ArgumentMatchers.eq;
++import static org.mockito.Mockito.spy;
++import static org.mockito.Mockito.times;
++import static org.mockito.Mockito.verify;
+ 
+ import android.app.PendingIntent;
+ import android.content.Context;
+@@ -26,6 +30,8 @@ import android.content.Intent;
+ import android.graphics.Bitmap;
+ import android.graphics.drawable.BitmapDrawable;
+ import android.graphics.drawable.Drawable;
++import android.graphics.drawable.Icon;
++import android.net.Uri;
+ import android.os.AsyncTask;
+ import android.os.Binder;
+ import android.os.Parcel;
+@@ -46,6 +52,7 @@ import org.junit.runner.RunWith;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.concurrent.CountDownLatch;
++import java.util.function.Consumer;
+ 
+ /**
+  * Tests for RemoteViews.
+@@ -444,4 +451,62 @@ public class RemoteViewsTest {
+         }
+         return found[0];
+     }
++
++
++    @Test
++    public void visitUris() {
++        RemoteViews views = new RemoteViews(mPackage, R.layout.remote_views_test);
++
++        final Uri imageUri = Uri.parse("content://media/image");
++        final Icon icon1 = Icon.createWithContentUri("content://media/icon1");
++        final Icon icon2 = Icon.createWithContentUri("content://media/icon2");
++        final Icon icon3 = Icon.createWithContentUri("content://media/icon3");
++        final Icon icon4 = Icon.createWithContentUri("content://media/icon4");
++        views.setImageViewUri(R.id.image, imageUri);
++        views.setTextViewCompoundDrawables(R.id.text, icon1, icon2, icon3, icon4);
++
++        Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
++        views.visitUris(visitor);
++        verify(visitor, times(1)).accept(eq(imageUri));
++        verify(visitor, times(1)).accept(eq(icon1.getUri()));
++        verify(visitor, times(1)).accept(eq(icon2.getUri()));
++        verify(visitor, times(1)).accept(eq(icon3.getUri()));
++        verify(visitor, times(1)).accept(eq(icon4.getUri()));
++    }
++
++    @Test
++    public void visitUris_separateOrientation() {
++        final RemoteViews landscape = new RemoteViews(mPackage, R.layout.remote_views_test);
++        final Uri imageUriL = Uri.parse("content://landscape/image");
++        final Icon icon1L = Icon.createWithContentUri("content://landscape/icon1");
++        final Icon icon2L = Icon.createWithContentUri("content://landscape/icon2");
++        final Icon icon3L = Icon.createWithContentUri("content://landscape/icon3");
++        final Icon icon4L = Icon.createWithContentUri("content://landscape/icon4");
++        landscape.setImageViewUri(R.id.image, imageUriL);
++        landscape.setTextViewCompoundDrawables(R.id.text, icon1L, icon2L, icon3L, icon4L);
++
++        final RemoteViews portrait = new RemoteViews(mPackage, 33);
++        final Uri imageUriP = Uri.parse("content://portrait/image");
++        final Icon icon1P = Icon.createWithContentUri("content://portrait/icon1");
++        final Icon icon2P = Icon.createWithContentUri("content://portrait/icon2");
++        final Icon icon3P = Icon.createWithContentUri("content://portrait/icon3");
++        final Icon icon4P = Icon.createWithContentUri("content://portrait/icon4");
++        portrait.setImageViewUri(R.id.image, imageUriP);
++        portrait.setTextViewCompoundDrawables(R.id.text, icon1P, icon2P, icon3P, icon4P);
++
++        RemoteViews views = new RemoteViews(landscape, portrait);
++
++        Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
++        views.visitUris(visitor);
++        verify(visitor, times(1)).accept(eq(imageUriL));
++        verify(visitor, times(1)).accept(eq(icon1L.getUri()));
++        verify(visitor, times(1)).accept(eq(icon2L.getUri()));
++        verify(visitor, times(1)).accept(eq(icon3L.getUri()));
++        verify(visitor, times(1)).accept(eq(icon4L.getUri()));
++        verify(visitor, times(1)).accept(eq(imageUriP));
++        verify(visitor, times(1)).accept(eq(icon1P.getUri()));
++        verify(visitor, times(1)).accept(eq(icon2P.getUri()));
++        verify(visitor, times(1)).accept(eq(icon3P.getUri()));
++        verify(visitor, times(1)).accept(eq(icon4P.getUri()));
++    }
+ }