16.0: Import and verify picks

https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
2025-09-28 22:49:35 -04:00 · 2024-05-07 19:13:31 -04:00 · 2024-05-07 19:13:31 -04:00 · 082bc48c32
commit 082bc48c32
parent 7162b237d3
271 changed files with 25987 additions and 42 deletions
--- a/Patches/LineageOS-16.0/android_external_expat/338353.patch
+++ b/Patches/LineageOS-16.0/android_external_expat/338353.patch
@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Mon, 23 May 2022 22:34:43 +0000
+Subject: [PATCH] Prevent integer overflow in copyString
+
+Bug: http://b/221384482
+Change-Id: Ibdcb5dc24ee8886a04c2e29bd6ddccf29ece73ad
+(cherry picked from commit e25c84037506951dfe74a5fae1627fe22bc0ebf4)
+Merged-In: Ibdcb5dc24ee8886a04c2e29bd6ddccf29ece73ad
+---
+ lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 90a237f3..67f661b5 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -7175,7 +7175,7 @@ static XML_Char *
+ copyString(const XML_Char *s,
+            const XML_Memory_Handling_Suite *memsuite)
+ {
+-    int charsRequired = 0;
+    size_t charsRequired = 0;
+     XML_Char *result;
+ 
+     /* First determine how long the string is */
--- a/Patches/LineageOS-16.0/android_external_expat/338354.patch
+++ b/Patches/LineageOS-16.0/android_external_expat/338354.patch
@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Thu, 2 Jun 2022 19:32:22 +0000
+Subject: [PATCH] Prevent XML_GetBuffer signed integer overflow
+
+Bug: http://b/221255869
+Change-Id: I38758fae8c71184f728f95e6073457cdb86bcc29
+(cherry picked from commit d6a09f1b7fb24dd03dc58e45062ad951a37ff8e3)
+Merged-In: I38758fae8c71184f728f95e6073457cdb86bcc29
+---
+ lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 67f661b5..1d6e722d 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -2040,6 +2040,11 @@ XML_GetBuffer(XML_Parser parser, int len)
+     keep = (int)(parser->m_bufferPtr - parser->m_buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
+    /* Detect and prevent integer overflow */
+    if (keep > INT_MAX - neededSize) {
+      parser->m_errorCode = XML_ERROR_NO_MEMORY;
+      return NULL;
+    }
+     neededSize += keep;
+ #endif  /* defined XML_CONTEXT_BYTES */
+     if (neededSize  <= parser->m_bufferLim - parser->m_buffer) {
--- a/Patches/LineageOS-16.0/android_external_expat/338355.patch
+++ b/Patches/LineageOS-16.0/android_external_expat/338355.patch
@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Fri, 3 Jun 2022 03:40:21 +0000
+Subject: [PATCH] Prevent integer overflow in function doProlog
+
+Bug: http://b/221256678
+Change-Id: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
+(cherry picked from commit 257f1d3777240016d3ccd74a61cd7d0e0efcaae3)
+Merged-In: I6fe381103f4eb287726d1ccb5bfec99db160ffe4
+---
+ lib/xmlparse.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 1d6e722d..7d91ed2b 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -5187,23 +5187,29 @@ doProlog(XML_Parser parser,
+       if (dtd->in_eldecl) {
+         ELEMENT_TYPE *el;
+         const XML_Char *name;
+-        int nameLen;
+-        const char *nxt = (quant == XML_CQUANT_NONE
+-                           ? next
+-                           : next - enc->minBytesPerChar);
+        size_t nameLen;
+        const char *nxt
+            = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+         int myindex = nextScaffoldPart(parser);
+         if (myindex < 0)
+           return XML_ERROR_NO_MEMORY;
+         dtd->scaffold[myindex].type = XML_CTYPE_NAME;
+         dtd->scaffold[myindex].quant = quant;
+         el = getElementType(parser, enc, s, nxt);
+-        if (!el)
+        if (! el)
+           return XML_ERROR_NO_MEMORY;
+         name = el->name;
+         dtd->scaffold[myindex].name = name;
+         nameLen = 0;
+-        for (; name[nameLen++]; );
+-        dtd->contentStringLen +=  nameLen;
+        for (; name[nameLen++];)
+          ;
+
+        /* Detect and prevent integer overflow */
+        if (nameLen > UINT_MAX - dtd->contentStringLen) {
+          return XML_ERROR_NO_MEMORY;
+        }
+
+        dtd->contentStringLen += (unsigned)nameLen;
+         if (parser->m_elementDeclHandler)
+           handleDefault = XML_FALSE;
+       }
--- a/Patches/LineageOS-16.0/android_external_expat/338356.patch
+++ b/Patches/LineageOS-16.0/android_external_expat/338356.patch
@ -0,0 +1,247 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Wed, 15 Jun 2022 04:14:33 +0000
+Subject: [PATCH] Prevent more integer overflows
+
+Bug: http://b/219942275
+Change-Id: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
+Merged-In: Ic5c8087ee64e6faafcf013cef9536c042eb8a09d
+(cherry picked from commit 15a1f35dddde9c1a0a626972349a59642abd345a)
+Merged-In: I7489f59564e0053a4a46bb8c362f7c36ab0b3c9d
+---
+ lib/xmlparse.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 150 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7d91ed2b..121b63f7 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -3187,13 +3187,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+ 
+   /* get the attributes from the tokenizer */
+   n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
+
+  /* Detect and prevent integer overflow */
+  if (n > INT_MAX - nDefaultAtts) {
+    return XML_ERROR_NO_MEMORY;
+  }
+
+   if (n + nDefaultAtts > parser->m_attsSize) {
+     int oldAttsSize = parser->m_attsSize;
+     ATTRIBUTE *temp;
+ #ifdef XML_ATTR_INFO
+     XML_AttrInfo *temp2;
+ #endif
+
+    /* Detect and prevent integer overflow */
+    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
+        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
+      return XML_ERROR_NO_MEMORY;
+    }
+
+     parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
+
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
+      parser->m_attsSize = oldAttsSize;
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
+     temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts, parser->m_attsSize * sizeof(ATTRIBUTE));
+     if (temp == NULL) {
+       parser->m_attsSize = oldAttsSize;
+@@ -3201,6 +3226,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+     }
+     parser->m_atts = temp;
+ #ifdef XML_ATTR_INFO
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#  if UINT_MAX >= SIZE_MAX
+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
+      parser->m_attsSize = oldAttsSize;
+      return XML_ERROR_NO_MEMORY;
+    }
+#  endif
+
+     temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo, parser->m_attsSize * sizeof(XML_AttrInfo));
+     if (temp2 == NULL) {
+       parser->m_attsSize = oldAttsSize;
+@@ -3509,9 +3545,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
+   tagNamePtr->prefixLen = prefixLen;
+   for (i = 0; localPart[i++];)
+     ;  /* i includes null terminator */
+
+  /* Detect and prevent integer overflow */
+  if (binding->uriLen > INT_MAX - prefixLen
+      || i > INT_MAX - (binding->uriLen + prefixLen)) {
+    return XML_ERROR_NO_MEMORY;
+  }
+
+   n = i + binding->uriLen + prefixLen;
+   if (n > binding->uriAlloc) {
+     TAG *p;
+
+    /* Detect and prevent integer overflow */
+    if (n > INT_MAX - EXPAND_SPARE) {
+      return XML_ERROR_NO_MEMORY;
+    }
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
+     uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
+     if (!uri)
+       return XML_ERROR_NO_MEMORY;
+@@ -3612,6 +3670,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+   if (parser->m_freeBindingList) {
+     b = parser->m_freeBindingList;
+     if (len > b->uriAlloc) {
+      /* Detect and prevent integer overflow */
+      if (len > INT_MAX - EXPAND_SPARE) {
+        return XML_ERROR_NO_MEMORY;
+      }
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+        return XML_ERROR_NO_MEMORY;
+      }
+#endif
+
+       XML_Char *temp = (XML_Char *)REALLOC(parser, b->uri,
+                           sizeof(XML_Char) * (len + EXPAND_SPARE));
+       if (temp == NULL)
+@@ -3625,6 +3698,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     b = (BINDING *)MALLOC(parser, sizeof(BINDING));
+     if (!b)
+       return XML_ERROR_NO_MEMORY;
+
+    /* Detect and prevent integer overflow */
+    if (len > INT_MAX - EXPAND_SPARE) {
+      return XML_ERROR_NO_MEMORY;
+    }
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
+     b->uri = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
+     if (!b->uri) {
+       FREE(parser, b);
+@@ -6025,7 +6113,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+     }
+     else {
+       DEFAULT_ATTRIBUTE *temp;
+
+      /* Detect and prevent integer overflow */
+      if (type->allocDefaultAtts > INT_MAX / 2) {
+        return 0;
+      }
+
+       int count = type->allocDefaultAtts * 2;
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
+        return 0;
+      }
+#endif
+
+       temp = (DEFAULT_ATTRIBUTE *)
+         REALLOC(parser, type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE)));
+       if (temp == NULL)
+@@ -6700,8 +6805,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize)
+     /* check for overflow (table is half full) */
+     if (table->used >> (table->power - 1)) {
+       unsigned char newPower = table->power + 1;
+
+      /* Detect and prevent invalid shift */
+      if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
+        return NULL;
+      }
+
+       size_t newSize = (size_t)1 << newPower;
+       unsigned long newMask = (unsigned long)newSize - 1;
+
+      /* Detect and prevent integer overflow */
+      if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
+        return NULL;
+      }
+
+       size_t tsize = newSize * sizeof(NAMED *);
+       NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
+       if (!newV)
+@@ -7067,6 +7184,20 @@ nextScaffoldPart(XML_Parser parser)
+   if (dtd->scaffCount >= dtd->scaffSize) {
+     CONTENT_SCAFFOLD *temp;
+     if (dtd->scaffold) {
+      /* Detect and prevent integer overflow */
+      if (dtd->scaffSize > UINT_MAX / 2u) {
+        return -1;
+      }
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
+        return -1;
+      }
+#endif
+
+       temp = (CONTENT_SCAFFOLD *)
+         REALLOC(parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
+       if (temp == NULL)
+@@ -7143,9 +7274,26 @@ build_model (XML_Parser parser)
+   XML_Content *ret;
+   XML_Content *cpos;
+   XML_Char * str;
+-  int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+-                   + (dtd->contentStringLen * sizeof(XML_Char)));
+ 
+  /* Detect and prevent integer overflow.
+   * The preprocessor guard addresses the "always false" warning
+   * from -Wtype-limits on platforms where
+   * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+  if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
+    return NULL;
+  }
+  if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
+    return NULL;
+  }
+#endif
+  if (dtd->scaffCount * sizeof(XML_Content)
+      > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
+    return NULL;
+  }
+
+  const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
+                            + (dtd->contentStringLen * sizeof(XML_Char)));
+   ret = (XML_Content *)MALLOC(parser, allocsize);
+   if (!ret)
+     return NULL;
--- a/Patches/LineageOS-16.0/android_external_expat/349328.patch
+++ b/Patches/LineageOS-16.0/android_external_expat/349328.patch
@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Wed, 16 Nov 2022 16:31:05 +0000
+Subject: [PATCH] Fix overeager DTD destruction (fixes #649)
+
+Bug: http://b/255449293
+Test: TreeHugger
+Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
+(cherry picked from commit eb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a)
+Merged-In: I15ba529c07a6b868484bd5972be154c07cd97cc6
+---
+ lib/xmlparse.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 121b63f7..90089ab7 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -1013,7 +1013,15 @@ parserCreate(const XML_Char *encodingName,
+   poolInit(&parser->m_temp2Pool, &(parser->m_mem));
+   parserInit(parser, encodingName);
+ 
+-  if (encodingName && !parser->m_protocolEncodingName) {
+  if (encodingName && ! parser->m_protocolEncodingName) {
+    if (dtd) {
+      // We need to stop the upcoming call to XML_ParserFree from happily
+      // destroying parser->m_dtd because the DTD is shared with the parent
+      // parser and the only guard that keeps XML_ParserFree from destroying
+      // parser->m_dtd is parser->m_isParamEntity but it will be set to
+      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+      parser->m_dtd = NULL;
+    }
+     XML_ParserFree(parser);
+     return NULL;
+   }