15.1 December ASB work

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-15.1/android_external_dtc/345891.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pierre-Cl=C3=A9ment=20Tosi?= <ptosi@google.com>
+Date: Tue, 13 Sep 2022 16:58:15 +0100
+Subject: [PATCH] libfdt: fdt_path_offset_namelen: Reject empty paths
+
+Make empty paths result in FDT_ERR_BADPATH.
+
+Per the specification (v0.4-rc4):
+
+> The convention for specifying a device path is:
+>     /node-name-1/node-name-2/node-name-N
+>
+> The path to the root node is /.
+>
+> A unit address may be omitted if the full path to the
+> node is unambiguous.
+
+Bug: 246465319
+Test: libfdt_fuzzer  # clusterfuzz/testcase-detail/4530863420604416
+Change-Id: I14ab0a074ab994c1f598243d2d5795d2cd9a853a
+(cherry picked from commit 3c28f3e3a1724c288d19f1b1a139cf57bfe1af33)
+(cherry picked from commit d10c84c4bc78e8ebd8c6ebf70126ad3cb0ba1c46)
+Merged-In: I14ab0a074ab994c1f598243d2d5795d2cd9a853a
+---
+ libfdt/fdt_ro.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libfdt/fdt_ro.c b/libfdt/fdt_ro.c
+index 3d00d2e..be8fd82 100644
+--- a/libfdt/fdt_ro.c
++++ b/libfdt/fdt_ro.c
+@@ -188,6 +188,9 @@ int fdt_path_offset_namelen(const void *fdt, const char *path, int namelen)
+ 
+ 	FDT_CHECK_HEADER(fdt);
+ 
++	if (namelen < 1)
++		return -FDT_ERR_BADPATH;
++
+ 	/* see if we have an alias */
+ 	if (*path != '/') {
+ 		const char *q = memchr(path, '/', end - p);

Patches/LineageOS-15.1/android_frameworks_base/345520.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Wed, 21 Sep 2022 23:03:11 +0000
+Subject: [PATCH] Ignore malformed shortcuts
+
+After an app publishes a shortcut that contains malformed intent, the
+system can be stuck in boot-loop due to uncaught exception caused by
+parsing the malformed intent.
+
+This CL ignores that particular malformed entry. Since shortcuts are
+constantly writes back into the xml from system memory, the malformed
+entry will be removed from the xml the next time system persists
+shortcuts from memory to file system.
+
+Bug: 246540168
+Change-Id: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
+Test: manual
+(cherry picked from commit 9b0dd514d29bbf986f1d1a3c6cebc2ef2bcf782e)
+Merged-In: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
+---
+ .../com/android/server/pm/ShortcutPackage.java     | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
+index a0fd43640e61..0af59c73b6d7 100644
+--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
+@@ -1373,11 +1373,15 @@ class ShortcutPackage extends ShortcutPackageItem {
+                         ret.getPackageInfo().loadFromXml(parser, fromBackup);
+                         continue;
+                     case TAG_SHORTCUT:
+-                        final ShortcutInfo si = parseShortcut(parser, packageName,
+-                                shortcutUser.getUserId());
+-
+-                        // Don't use addShortcut(), we don't need to save the icon.
+-                        ret.mShortcuts.put(si.getId(), si);
++                        try {
++                            final ShortcutInfo si = parseShortcut(parser, packageName,
++                                    shortcutUser.getUserId());
++                            // Don't use addShortcut(), we don't need to save the icon.
++                            ret.mShortcuts.put(si.getId(), si);
++                        } catch (Exception e) {
++                            // b/246540168 malformed shortcuts should be ignored
++                            Slog.e(TAG, "Failed parsing shortcut.", e);
++                        }
+                         continue;
+                 }
+             }

Patches/LineageOS-15.1/android_frameworks_base/345893-backport.patch

@@ -0,0 +1,321 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Fri, 19 Aug 2022 09:54:23 -0400
+Subject: [PATCH] Limit the size of NotificationChannel and
+ NotificationChannelGroup
+
+Test: android.app.NotificationChannelGroupTest
+Test: android.app.NotificationChannelTest
+Test: cts NotificationChannelTest
+Test: cts NotificationChannelGroupTest
+Bug: 241764350
+Bug: 241764340
+Bug: 241764135
+Bug: 242702935
+Bug: 242703118
+Bug: 242703202
+Bug: 242702851
+Bug: 242703217
+Bug: 242703556
+Change-Id: I0925583ab54d6c81c415859618f6b907ab7baada
+Merged-In: I0925583ab54d6c81c415859618f6b907ab7baada
+(cherry picked from commit 3850857cb0e7f26702d5bd601731d7290390fa3b)
+(cherry picked from commit c2d264989a2c18af9e3f210f62eba8d987fefb5b)
+Merged-In: I0925583ab54d6c81c415859618f6b907ab7baada
+---
+ .../java/android/app/NotificationChannel.java |  19 +++-
+ .../android/app/NotificationChannelGroup.java |   8 +-
+ .../app/NotificationChannelGroupTest.java     |  73 +++++++++++++
+ .../android/app/NotificationChannelTest.java  | 102 ++++++++++++++++++
+ 4 files changed, 194 insertions(+), 8 deletions(-)
+ create mode 100644 core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+ create mode 100644 core/tests/coretests/src/android/app/NotificationChannelTest.java
+
+diff --git a/core/java/android/app/NotificationChannel.java b/core/java/android/app/NotificationChannel.java
+index 556acdcfff81..877f80570017 100644
+--- a/core/java/android/app/NotificationChannel.java
++++ b/core/java/android/app/NotificationChannel.java
+@@ -54,8 +54,13 @@ public final class NotificationChannel implements Parcelable {
+     /**
+      * The maximum length for text fields in a NotificationChannel. Fields will be truncated at this
+      * limit.
++     * @hide
+      */
+-    private static final int MAX_TEXT_LENGTH = 1000;
++    public static final int MAX_TEXT_LENGTH = 1000;
++    /**
++     * @hide
++     */
++    public static final int MAX_VIBRATION_LENGTH = 1000;
+ 
+     private static final String TAG_CHANNEL = "channel";
+     private static final String ATT_NAME = "name";
+@@ -171,17 +176,17 @@ public final class NotificationChannel implements Parcelable {
+      */
+     protected NotificationChannel(Parcel in) {
+         if (in.readByte() != 0) {
+-            mId = in.readString();
++            mId = getTrimmedString(in.readString());
+         } else {
+             mId = null;
+         }
+         if (in.readByte() != 0) {
+-            mName = in.readString();
++            mName = getTrimmedString(in.readString());
+         } else {
+             mName = null;
+         }
+         if (in.readByte() != 0) {
+-            mDesc = in.readString();
++            mDesc = getTrimmedString(in.readString());
+         } else {
+             mDesc = null;
+         }
+@@ -190,17 +195,21 @@ public final class NotificationChannel implements Parcelable {
+         mLockscreenVisibility = in.readInt();
+         if (in.readByte() != 0) {
+             mSound = Uri.CREATOR.createFromParcel(in);
++            mSound = Uri.parse(getTrimmedString(mSound.toString()));
+         } else {
+             mSound = null;
+         }
+         mLights = in.readByte() != 0;
+         mVibration = in.createLongArray();
++        if (mVibration != null && mVibration.length > MAX_VIBRATION_LENGTH) {
++            mVibration = Arrays.copyOf(mVibration, MAX_VIBRATION_LENGTH);
++        }
+         mUserLockedFields = in.readInt();
+         mVibrationEnabled = in.readByte() != 0;
+         mShowBadge = in.readByte() != 0;
+         mDeleted = in.readByte() != 0;
+         if (in.readByte() != 0) {
+-            mGroup = in.readString();
++            mGroup = getTrimmedString(in.readString());
+         } else {
+             mGroup = null;
+         }
+diff --git a/core/java/android/app/NotificationChannelGroup.java b/core/java/android/app/NotificationChannelGroup.java
+index 18ad9cf3d8e3..5ca6fe853db8 100644
+--- a/core/java/android/app/NotificationChannelGroup.java
++++ b/core/java/android/app/NotificationChannelGroup.java
+@@ -37,8 +37,9 @@ public final class NotificationChannelGroup implements Parcelable {
+     /**
+      * The maximum length for text fields in a NotificationChannelGroup. Fields will be truncated at
+      * this limit.
++     * @hide
+      */
+-    private static final int MAX_TEXT_LENGTH = 1000;
++    public static final int MAX_TEXT_LENGTH = 1000;
+ 
+     private static final String TAG_GROUP = "channelGroup";
+     private static final String ATT_NAME = "name";
+@@ -68,11 +69,12 @@ public final class NotificationChannelGroup implements Parcelable {
+      */
+     protected NotificationChannelGroup(Parcel in) {
+         if (in.readByte() != 0) {
+-            mId = in.readString();
++            mId = getTrimmedString(in.readString());
+         } else {
+             mId = null;
+         }
+         mName = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(in);
++        mName = getTrimmedString(mName.toString());
+         in.readParcelableList(mChannels, NotificationChannel.class.getClassLoader());
+     }
+ 
+@@ -91,7 +93,7 @@ public final class NotificationChannelGroup implements Parcelable {
+         } else {
+             dest.writeByte((byte) 0);
+         }
+-        TextUtils.writeToParcel(mName, dest, flags);
++        TextUtils.writeToParcel(mName.toString(), dest, flags);
+         dest.writeParcelableList(mChannels, flags);
+     }
+ 
+diff --git a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+new file mode 100644
+index 000000000000..2a3da05eabb3
+--- /dev/null
++++ b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package android.app;
++
++import static junit.framework.TestCase.assertEquals;
++
++import android.os.Parcel;
++import android.test.AndroidTestCase;
++
++import androidx.test.filters.SmallTest;
++import androidx.test.runner.AndroidJUnit4;
++
++import com.google.common.base.Strings;
++
++import org.junit.Test;
++import org.junit.runner.RunWith;
++
++import java.lang.reflect.Field;
++
++@RunWith(AndroidJUnit4.class)
++@SmallTest
++public class NotificationChannelGroupTest {
++    private final String CLASS = "android.app.NotificationChannelGroup";
++
++    @Test
++    public void testLongStringFields() {
++        NotificationChannelGroup group = new NotificationChannelGroup("my_group_01", "groupName");
++
++        try {
++            String longString = Strings.repeat("A", 65536);
++            Field mName = Class.forName(CLASS).getDeclaredField("mName");
++            mName.setAccessible(true);
++            mName.set(group, longString);
++            Field mId = Class.forName(CLASS).getDeclaredField("mId");
++            mId.setAccessible(true);
++            mId.set(group, longString);
++            Field mDescription = Class.forName(CLASS).getDeclaredField("mDescription");
++            mDescription.setAccessible(true);
++            mDescription.set(group, longString);
++        } catch (NoSuchFieldException e) {
++            e.printStackTrace();
++        } catch (ClassNotFoundException e) {
++            e.printStackTrace();
++        } catch (IllegalAccessException e) {
++            e.printStackTrace();
++        }
++
++        Parcel parcel = Parcel.obtain();
++        group.writeToParcel(parcel, 0);
++        parcel.setDataPosition(0);
++
++        NotificationChannelGroup fromParcel =
++                NotificationChannelGroup.CREATOR.createFromParcel(parcel);
++        assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH, fromParcel.getId().length());
++        assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH, fromParcel.getName().length());
++        assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH,
++                fromParcel.getDescription().length());
++    }
++}
+diff --git a/core/tests/coretests/src/android/app/NotificationChannelTest.java b/core/tests/coretests/src/android/app/NotificationChannelTest.java
+new file mode 100644
+index 000000000000..d8be502e6db6
+--- /dev/null
++++ b/core/tests/coretests/src/android/app/NotificationChannelTest.java
+@@ -0,0 +1,102 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package android.app;
++
++import static junit.framework.TestCase.assertEquals;
++
++import android.net.Uri;
++import android.os.Parcel;
++
++import androidx.test.filters.SmallTest;
++import androidx.test.runner.AndroidJUnit4;
++
++import com.google.common.base.Strings;
++
++import org.junit.Test;
++import org.junit.runner.RunWith;
++
++import java.lang.reflect.Field;
++
++@RunWith(AndroidJUnit4.class)
++@SmallTest
++public class NotificationChannelTest {
++    private final String CLASS = "android.app.NotificationChannel";
++
++    @Test
++    public void testLongStringFields() {
++        NotificationChannel channel = new NotificationChannel("id", "name", 3);
++
++        try {
++            String longString = Strings.repeat("A", 65536);
++            Field mName = Class.forName(CLASS).getDeclaredField("mName");
++            mName.setAccessible(true);
++            mName.set(channel, longString);
++            Field mId = Class.forName(CLASS).getDeclaredField("mId");
++            mId.setAccessible(true);
++            mId.set(channel, longString);
++            Field mDesc = Class.forName(CLASS).getDeclaredField("mDesc");
++            mDesc.setAccessible(true);
++            mDesc.set(channel, longString);
++            Field mParentId = Class.forName(CLASS).getDeclaredField("mParentId");
++            mParentId.setAccessible(true);
++            mParentId.set(channel, longString);
++            Field mGroup = Class.forName(CLASS).getDeclaredField("mGroup");
++            mGroup.setAccessible(true);
++            mGroup.set(channel, longString);
++            Field mConversationId = Class.forName(CLASS).getDeclaredField("mConversationId");
++            mConversationId.setAccessible(true);
++            mConversationId.set(channel, longString);
++        } catch (NoSuchFieldException e) {
++            e.printStackTrace();
++        } catch (ClassNotFoundException e) {
++            e.printStackTrace();
++        } catch (IllegalAccessException e) {
++            e.printStackTrace();
++        }
++
++        Parcel parcel = Parcel.obtain();
++        channel.writeToParcel(parcel, 0);
++        parcel.setDataPosition(0);
++
++        NotificationChannel fromParcel = NotificationChannel.CREATOR.createFromParcel(parcel);
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH, fromParcel.getId().length());
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH, fromParcel.getName().length());
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH,
++                fromParcel.getDescription().length());
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH,
++                fromParcel.getGroup().length());
++    }
++
++    @Test
++    public void testLongAlertFields() {
++        NotificationChannel channel = new NotificationChannel("id", "name", 3);
++
++        channel.setSound(Uri.parse("content://" + Strings.repeat("A",65536)),
++                Notification.AUDIO_ATTRIBUTES_DEFAULT);
++        channel.setVibrationPattern(new long[65550/2]);
++
++        Parcel parcel = Parcel.obtain();
++        channel.writeToParcel(parcel, 0);
++        parcel.setDataPosition(0);
++
++        NotificationChannel fromParcel = NotificationChannel.CREATOR.createFromParcel(parcel);
++        assertEquals(NotificationChannel.MAX_VIBRATION_LENGTH,
++                fromParcel.getVibrationPattern().length);
++        assertEquals(NotificationChannel.MAX_TEXT_LENGTH,
++                fromParcel.getSound().toString().length());
++    }
++}

Patches/LineageOS-15.1/android_frameworks_base/345894.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Mon, 8 Aug 2022 13:31:36 +0100
+Subject: [PATCH] RESTRICT AUTOMERGE Prevent non-admin users from deleting
+ system apps.
+
+This addresses a security issue where the guest user can remove updates
+for system apps.
+
+With this CL, attempts to uninstall/downgrade system apps will fail if
+attempted by a non-admin user, unless the DELETE_SYSTEM_APP flag is
+specified.
+
+This is a fixed version of ag/17400663, to address b/236578018.
+
+Bug: 170646036
+Test: manual, try uninstalling system app update as guest
+Change-Id: I5eab215cba6528aa4316ed7b20bee544915c1486
+(cherry picked from commit 7fdc96aef4e098d2271ac3a8557bd8e1ad6827f3)
+Merged-In: I5eab215cba6528aa4316ed7b20bee544915c1486
+---
+ .../com/android/server/pm/PackageManagerService.java  | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index c0845d07d753..2a11492b9402 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -19837,6 +19837,17 @@ public class PackageManagerService extends IPackageManager.Stub
+                 return PackageManager.DELETE_FAILED_INTERNAL_ERROR;
+             }
+ 
++            if (isSystemApp(uninstalledPs)
++                    && (deleteFlags & PackageManager.DELETE_SYSTEM_APP) == 0) {
++                UserInfo userInfo = sUserManager.getUserInfo(userId);
++                if (userInfo == null || !userInfo.isAdmin()) {
++                    Slog.w(TAG, "Not removing package " + packageName
++                            + " as only admin user may downgrade system apps");
++                    EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
++                    return PackageManager.DELETE_FAILED_USER_RESTRICTED;
++                }
++            }
++
+             // Static shared libs can be declared by any package, so let us not
+             // allow removing a package if it provides a lib others depend on.
+             pkg = mPackages.get(packageName);

Patches/LineageOS-15.1/android_frameworks_base/345895-backport.patch

@@ -0,0 +1,106 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Fri, 19 Aug 2022 17:08:13 +0100
+Subject: [PATCH] Validate package name passed to setApplicationRestrictions.
+
+This adds validation that the package name passed to
+setApplicationRestrictions is in the correct format. This will avoid
+an issue where a path could be entered resulting in a file being
+written to an unexpected place.
+
+Bug: 239701237
+Test: atest UserManagerServiceTest
+Change-Id: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+(cherry picked from commit 31a582490d6e8952d24f267df47d669e3861cf67)
+Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+(cherry picked from commit cfcfe6ca8c545f78603c05e23687f8638fd4b51d)
+Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+---
+ .../android/server/pm/UserManagerService.java | 41 +++++++++++++++++++
+ .../server/pm/UserManagerServiceTest.java     |  7 ++++
+ 2 files changed, 48 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
+index d82cea64f082..d8a42162e0af 100644
+--- a/services/core/java/com/android/server/pm/UserManagerService.java
++++ b/services/core/java/com/android/server/pm/UserManagerService.java
+@@ -76,6 +76,7 @@ import android.system.Os;
+ import android.system.OsConstants;
+ import android.text.TextUtils;
+ import android.util.AtomicFile;
++import android.util.EventLog;
+ import android.util.IntArray;
+ import android.util.Log;
+ import android.util.Slog;
+@@ -2865,6 +2866,13 @@ public class UserManagerService extends IUserManager.Stub {
+     public void setApplicationRestrictions(String packageName, Bundle restrictions,
+             int userId) {
+         checkSystemOrRoot("set application restrictions");
++        String validationResult = validateName(packageName);
++        if (validationResult != null) {
++            if (packageName.contains("../")) {
++                EventLog.writeEvent(0x534e4554, "239701237", -1, "");
++            }
++            throw new IllegalArgumentException("Invalid package name: " + validationResult);
++        }
+         if (restrictions != null) {
+             restrictions.setDefusable(true);
+         }
+@@ -2884,6 +2892,39 @@ public class UserManagerService extends IUserManager.Stub {
+         mContext.sendBroadcastAsUser(changeIntent, UserHandle.of(userId));
+     }
+ 
++    /**
++     * Check if the given name is valid.
++     *
++     * Note: the logic is taken from FrameworkParsingPackageUtils in master, edited to remove
++     * unnecessary parts. Copied here for a security fix.
++     *
++     * @param name The name to check.
++     * @return null if it's valid, error message if not
++     */
++    @VisibleForTesting
++    static String validateName(String name) {
++        final int n = name.length();
++        boolean front = true;
++        for (int i = 0; i < n; i++) {
++            final char c = name.charAt(i);
++            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) {
++                front = false;
++                continue;
++            }
++            if (!front) {
++                if ((c >= '0' && c <= '9') || c == '_') {
++                    continue;
++                }
++                if (c == '.') {
++                    front = true;
++                    continue;
++                }
++            }
++            return "bad character '" + c + "'";
++        }
++        return null;
++    }
++
+     private int getUidForPackage(String packageName) {
+         long ident = Binder.clearCallingIdentity();
+         try {
+diff --git a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
+index d1366144d33b..8da7a76f18ce 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
++++ b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
+@@ -74,6 +74,13 @@ public class UserManagerServiceTest extends AndroidTestCase {
+         assertEquals(accountName, um.getUserAccount(tempUserId));
+     }
+ 
++    public void testValidateName() {
++        assertNull(UserManagerService.validateName("android"));
++        assertNull(UserManagerService.validateName("com.company.myapp"));
++        assertNotNull(UserManagerService.validateName("/../../data"));
++        assertNotNull(UserManagerService.validateName("/dir"));
++    }
++
+     private Bundle createBundle() {
+         Bundle result = new Bundle();
+         // Tests for 6 allowed types: Integer, Boolean, String, String[], Bundle and Parcelable[]

Patches/LineageOS-15.1/android_frameworks_base/345896-backport.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Norman <danielnorman@google.com>
+Date: Thu, 1 Sep 2022 10:14:24 -0700
+Subject: [PATCH] Include all enabled services when FEEDBACK_ALL_MASK.
+
+Bug: 243849844
+Test: m sts;
+      sts-tradefed run sts-dynamic-develop -m CtsAccessibilityTestCases
+Change-Id: I4f93e06d1066085bd64e8f09882de2f4a72a0633
+(cherry picked from commit 2bc4d49c2b0265f5de1c62d1342b1426cc5e1377)
+Merged-In: I4f93e06d1066085bd64e8f09882de2f4a72a0633
+---
+ .../server/accessibility/AccessibilityManagerService.java      | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+index 8b4076af7759..4859ffea870b 100644
+--- a/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
++++ b/services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java
+@@ -592,7 +592,8 @@ public class AccessibilityManagerService extends IAccessibilityManager.Stub {
+                 final Service service = services.get(i);
+                 // Don't report the UIAutomation (fake service)
+                 if (!sFakeAccessibilityServiceComponentName.equals(service.mComponentName)
+-                        && (service.mFeedbackType & feedbackType) != 0) {
++                        && ((service.mFeedbackType & feedbackType) != 0
++                        || feedbackType == AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
+                     result.add(service.mAccessibilityServiceInfo);
+                 }
+             }

Patches/LineageOS-15.1/android_frameworks_base/345897-backport.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Songchun Fan <schfan@google.com>
+Date: Fri, 9 Sep 2022 14:50:31 -0700
+Subject: [PATCH] forbid deletion of protected packages
+
+BUG: 242996180
+Test: adb shell pm uninstall --user 0 com.google.android.apps.work.oobconfig
+Test: Verified with the command above. Before this CL, the package can
+be deleted. After this CL, the deletion will fail.
+
+Change-Id: Iba408e536b340ea5d66ab499442c0c4f828fa36f
+(cherry picked from commit 15f85c7fa97fe9faa540e6ad9e850990f46a5cca)
+Merged-In: Iba408e536b340ea5d66ab499442c0c4f828fa36f
+(cherry picked from commit 2e42c393f2d5521d20acd9281d411a0fbc6196c3)
+Merged-In: Iba408e536b340ea5d66ab499442c0c4f828fa36f
+---
+ .../android/server/pm/PackageManagerService.java    | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index 2a11492b9402..aefbb8d25e49 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -19504,6 +19504,19 @@ public class PackageManagerService extends IPackageManager.Stub
+ 
+         final String packageName = versionedPackage.getPackageName();
+         final int versionCode = versionedPackage.getVersionCode();
++
++        if (mProtectedPackages.isPackageStateProtected(userId, packageName)) {
++            mHandler.post(() -> {
++                try {
++                    Slog.w(TAG, "Attempted to delete protected package: " + packageName);
++                    observer.onPackageDeleted(packageName,
++                            PackageManager.DELETE_FAILED_INTERNAL_ERROR, null);
++                } catch (RemoteException re) {
++                }
++            });
++            return;
++        }
++
+         final String internalPackageName;
+         synchronized (mPackages) {
+             // Normalize package name to handle renamed packages and static libs

Patches/LineageOS-15.1/android_frameworks_base/345898-backport.patch

@@ -0,0 +1,93 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julia Reynolds <juliacr@google.com>
+Date: Tue, 6 Sep 2022 10:19:06 -0400
+Subject: [PATCH] Fix NPE
+
+Test: NotificationChannelGroupTest
+Test: view notification settings for an app that doesn't use groups
+Fixes: 244574602
+Bug: 241764350
+Bug: 241764340
+Bug: 241764135
+Bug: 242702935
+Bug: 242703118
+Bug: 242703202
+Bug: 242702851
+Bug: 242703217
+Bug: 242703556
+Change-Id: I9c681106f6d645e62b0e44903d40aa523fee0e95
+(cherry picked from commit 6f02c07176d0fa4d6985c8f2200ccf49a1657d1c)
+(cherry picked from commit a37554289731f0d52923123697d55074b0f41748)
+Merged-In: I9c681106f6d645e62b0e44903d40aa523fee0e95
+---
+ .../android/app/NotificationChannelGroup.java    | 14 +++++++++++---
+ .../app/NotificationChannelGroupTest.java        | 16 ++++++++++++++++
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/core/java/android/app/NotificationChannelGroup.java b/core/java/android/app/NotificationChannelGroup.java
+index 5ca6fe853db8..0916cd5b584d 100644
+--- a/core/java/android/app/NotificationChannelGroup.java
++++ b/core/java/android/app/NotificationChannelGroup.java
+@@ -73,8 +73,11 @@ public final class NotificationChannelGroup implements Parcelable {
+         } else {
+             mId = null;
+         }
+-        mName = TextUtils.CHAR_SEQUENCE_CREATOR.createFromParcel(in);
+-        mName = getTrimmedString(mName.toString());
++        if (in.readByte() != 0) {
++            mName = getTrimmedString(in.readString());
++        } else {
++            mName = "";
++        }
+         in.readParcelableList(mChannels, NotificationChannel.class.getClassLoader());
+     }
+ 
+@@ -93,7 +96,12 @@ public final class NotificationChannelGroup implements Parcelable {
+         } else {
+             dest.writeByte((byte) 0);
+         }
+-        TextUtils.writeToParcel(mName.toString(), dest, flags);
++        if (mName != null) {
++            dest.writeByte((byte) 1);
++            dest.writeString(mName.toString());
++        } else {
++            dest.writeByte((byte) 0);
++        }
+         dest.writeParcelableList(mChannels, flags);
+     }
+ 
+diff --git a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+index 2a3da05eabb3..625c66a4c60e 100644
+--- a/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
++++ b/core/tests/coretests/src/android/app/NotificationChannelGroupTest.java
+@@ -17,9 +17,11 @@
+ package android.app;
+ 
+ import static junit.framework.TestCase.assertEquals;
++import static junit.framework.TestCase.assertTrue;
+ 
+ import android.os.Parcel;
+ import android.test.AndroidTestCase;
++import android.text.TextUtils;
+ 
+ import androidx.test.filters.SmallTest;
+ import androidx.test.runner.AndroidJUnit4;
+@@ -70,4 +72,18 @@ public class NotificationChannelGroupTest {
+         assertEquals(NotificationChannelGroup.MAX_TEXT_LENGTH,
+                 fromParcel.getDescription().length());
+     }
++
++    @Test
++    public void testNullableFields() {
++        NotificationChannelGroup group = new NotificationChannelGroup("my_group_01", null);
++
++        Parcel parcel = Parcel.obtain();
++        group.writeToParcel(parcel, 0);
++        parcel.setDataPosition(0);
++
++        NotificationChannelGroup fromParcel =
++                NotificationChannelGroup.CREATOR.createFromParcel(parcel);
++        assertEquals(group.getId(), fromParcel.getId());
++        assertTrue(TextUtils.isEmpty(fromParcel.getName()));
++    }
+ }

Patches/LineageOS-15.1/android_frameworks_base/345901.patch

@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rhed Jao <rhedjao@google.com>
+Date: Mon, 26 Sep 2022 21:35:26 +0800
+Subject: [PATCH] Fix permanent denial of service via
+ setComponentEnabledSetting
+
+Do not update invalid component enabled settings to prevent the
+malicious apps from exhausting system server memory.
+
+Bug: 240936919
+Test: atest android.security.cts.PackageManagerTest
+Change-Id: I08165337895e89f13a2b9fcce1201cba9ad13d7d
+(cherry picked from commit 4d13148a3fa5f6bc1b7038fae7d1f1adda163a9f)
+Merged-In: I08165337895e89f13a2b9fcce1201cba9ad13d7d
+---
+ .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index aefbb8d25e49..9c59ecddee96 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -22483,6 +22483,9 @@ Slog.v(TAG, ":: stepped forward, applying functor at tag " + parser.getName());
+                     } else {
+                         Slog.w(TAG, "Failed setComponentEnabledSetting: component class "
+                                 + className + " does not exist in " + packageName);
++                        // Safetynet logging for b/240936919
++                        EventLog.writeEvent(0x534e4554, "240936919", callingUid);
++                        return;
+                     }
+                 }
+                 switch (newState) {

Patches/LineageOS-15.1/android_frameworks_base/345902-backport.patch

@@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hao Ke <haok@google.com>
+Date: Tue, 4 Oct 2022 19:43:58 +0000
+Subject: [PATCH] Add safety checks on KEY_INTENT mismatch.
+
+For many years, Parcel mismatch typed exploits has been using the
+AccoungManagerService's passing of KEY_INTENT workflow, as a foothold of
+launching arbitrary intents. We are adding an extra check on the service
+side to simulate the final deserialization of the KEY_INTENT value, to
+make sure the client side won't get a mismatched KEY_INTENT value.
+
+Bug: 250588548
+Bug: 240138294
+Test: atest CtsAccountManagerTestCases
+Test: local test, also see b/250588548
+Change-Id: I433e34f6e21ce15c89825044a15b1dec46bb25cc
+(cherry picked from commit eb9a0566a583fa13f8aff671c41f78a9e33eab82)
+Merged-In: I433e34f6e21ce15c89825044a15b1dec46bb25cc
+---
+ .../accounts/AccountManagerService.java       | 34 ++++++++++++++++---
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index dcc571d84314..7b7ef41d5b41 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -83,6 +83,7 @@ import android.os.SystemClock;
+ import android.os.UserHandle;
+ import android.os.UserManager;
+ import android.text.TextUtils;
++import android.util.EventLog;
+ import android.util.Log;
+ import android.util.Pair;
+ import android.util.Slog;
+@@ -2989,7 +2990,7 @@ public class AccountManagerService
+                              */
+                             if (!checkKeyIntent(
+                                     Binder.getCallingUid(),
+-                                    intent)) {
++                                    result)) {
+                                 onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                                         "invalid intent in bundle returned");
+                                 return;
+@@ -3399,7 +3400,7 @@ public class AccountManagerService
+                     && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+-                        intent)) {
++                        result)) {
+                     onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                             "invalid intent in bundle returned");
+                     return;
+@@ -4751,7 +4752,13 @@ public class AccountManagerService
+          * into launching arbitrary intents on the device via by tricking to click authenticator
+          * supplied entries in the system Settings app.
+          */
+-        protected boolean checkKeyIntent(int authUid, Intent intent) {
++        protected boolean checkKeyIntent(int authUid, Bundle bundle) {
++            if (!checkKeyIntentParceledCorrectly(bundle)) {
++                EventLog.writeEvent(0x534e4554, "250588548", authUid, "");
++                return false;
++            }
++
++            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+             // Explicitly set an empty ClipData to ensure that we don't offer to
+             // promote any Uris contained inside for granting purposes
+             if (intent.getClipData() == null) {
+@@ -4786,6 +4793,25 @@ public class AccountManagerService
+             }
+         }
+ 
++        /**
++         * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't
++         * violate our security policy.
++         *
++         * In particular we want to make sure the Authenticator doesn't trick users
++         * into launching arbitrary intents on the device via exploiting any other Parcel read/write
++         * mismatch problems.
++         */
++        private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
++            Parcel p = Parcel.obtain();
++            p.writeBundle(bundle);
++            p.setDataPosition(0);
++            Bundle simulateBundle = p.readBundle();
++            p.recycle();
++            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
++            Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
++            return (intent.filterEquals(simulateIntent));
++        }
++
+         private boolean isExportedSystemActivity(ActivityInfo activityInfo) {
+             String className = activityInfo.name;
+             return "android".equals(activityInfo.packageName) &&
+@@ -4932,7 +4958,7 @@ public class AccountManagerService
+                     && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+-                        intent)) {
++                        result)) {
+                     onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                             "invalid intent in bundle returned");
+                     return;

Patches/LineageOS-15.1/android_frameworks_minikin/345523.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok <keithmok@google.com>
+Date: Thu, 15 Sep 2022 22:51:42 +0000
+Subject: [PATCH] Fix OOB read for registerLocaleList
+
+When the buffer size is equal to string size,
+the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
+which is a negative number, and U_FAILURE would fail if error number
+greater than zero only.
+
+This would cause non null terminated string passing into following funcs
+and causing different types of crash
+
+Bug: 239210579
+Bug: 239328580
+Bug: 239267173
+Test: locale_fuzzer
+Ignore-AOSP-First: security
+Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+Change-Id: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+(cherry picked from commit d8a427cc9c8a722b0911af5139b10b0a6aeb0e03)
+Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+---
+ libs/minikin/FontLanguageListCache.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libs/minikin/FontLanguageListCache.cpp b/libs/minikin/FontLanguageListCache.cpp
+index f1e14f0..e6302be 100644
+--- a/libs/minikin/FontLanguageListCache.cpp
++++ b/libs/minikin/FontLanguageListCache.cpp
+@@ -40,7 +40,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
+     size_t outLength = 0;
+     UErrorCode uErr = U_ZERO_ERROR;
+     outLength = uloc_canonicalize(locale.c_str(), output, outSize, &uErr);
+-    if (U_FAILURE(uErr)) {
++    if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+         // unable to build a proper language identifier
+         ALOGD("uloc_canonicalize(\"%s\") failed: %s", locale.c_str(), u_errorName(uErr));
+         output[0] = '\0';
+@@ -65,7 +65,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
+ 
+     uErr = U_ZERO_ERROR;
+     outLength = uloc_toLanguageTag(likelyChars, output, outSize, FALSE, &uErr);
+-    if (U_FAILURE(uErr)) {
++    if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+         // unable to build a proper language identifier
+         ALOGD("uloc_toLanguageTag(\"%s\") failed: %s", likelyChars, u_errorName(uErr));
+         output[0] = '\0';

Patches/LineageOS-15.1/android_frameworks_minikin/345524.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok <keithmok@google.com>
+Date: Thu, 29 Sep 2022 22:34:05 +0000
+Subject: [PATCH] Fix OOB crash for registerLocaleList
+
+When the buffer size is equal to string size,
+the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
+which is a negative number, and U_FAILURE would fail if error number
+greater than zero only.
+
+This would cause non null terminated string passing into following funcs
+and causing different types of crash
+
+This fixes the previous partial fix.
+
+Bug: 248612953
+Bug: 239210579
+Bug: 249151446
+Bug: 239267173
+Test: locale_fuzzer
+Ignore-AOSP-First: security
+Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+Change-Id: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+(cherry picked from commit 582927b0d6c6920ee6a04049eaa9e68608cfc888)
+(cherry picked from commit a8265407660edaa1006545a6401d6409c05acb5d)
+Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+---
+ libs/minikin/FontLanguageListCache.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libs/minikin/FontLanguageListCache.cpp b/libs/minikin/FontLanguageListCache.cpp
+index e6302be..7b9bf9d 100644
+--- a/libs/minikin/FontLanguageListCache.cpp
++++ b/libs/minikin/FontLanguageListCache.cpp
+@@ -56,7 +56,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
+     char likelyChars[ULOC_FULLNAME_CAPACITY];
+     uErr = U_ZERO_ERROR;
+     uloc_addLikelySubtags(output, likelyChars, ULOC_FULLNAME_CAPACITY, &uErr);
+-    if (U_FAILURE(uErr)) {
++    if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+         // unable to build a proper language identifier
+         ALOGD("uloc_addLikelySubtags(\"%s\") failed: %s", output, u_errorName(uErr));
+         output[0] = '\0';

Patches/LineageOS-15.1/android_packages_apps_Bluetooth/345907-backport.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Wed, 28 Sep 2022 23:30:49 +0000
+Subject: [PATCH] Fix URI check in BluetoothOppUtility.java
+
+Bug: 225880741
+Test: BT unit tests, validated against researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I65c1494023930aa23fede55936488f605c7cfe01
+(cherry picked from commit d0957cfdf1fc1b36620c1545643ffbc37f0ac24c)
+Merged-In: I65c1494023930aa23fede55936488f605c7cfe01
+---
+ src/com/android/bluetooth/opp/BluetoothOppUtility.java | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+index 0e3df0bf5..f366cca25 100644
+--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
++++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+@@ -47,6 +47,7 @@ import android.content.pm.PackageManager;
+ import android.content.pm.ResolveInfo;
+ import android.database.Cursor;
+ import android.os.Environment;
++import android.util.EventLog;
+ import android.util.Log;
+ 
+ import java.io.File;
+@@ -67,7 +68,11 @@ public class BluetoothOppUtility {
+             = new ConcurrentHashMap<Uri, BluetoothOppSendFileInfo>();
+ 
+     public static boolean isBluetoothShareUri(Uri uri) {
+-        return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString());
++        if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString())
++                && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) {
++            EventLog.writeEvent(0x534e4554, "225880741", -1, "");
++        }
++        return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority());
+     }
+ 
+     public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {

Patches/LineageOS-15.1/android_packages_apps_Settings/345911.patch

@@ -0,0 +1,135 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Fri, 26 Aug 2022 18:29:16 +0100
+Subject: [PATCH] Prevent exfiltration of system files via avatar picker.
+
+This adds mitigations to prevent system files being exfiltrated
+via the settings content provider when a content URI is provided
+as a chosen user image.
+
+The mitigations are:
+
+1) Copy the image to a new URI rather than the existing takePictureUri
+prior to cropping.
+
+2) Only allow a system handler to respond to the CROP intent.
+
+This is a fixed version of ag/17003629, to address b/239513606.
+
+Bug: 187702830
+Test: build and check functionality
+Merged-In: I15e15ad88b768a5b679de32c5429d921d850a3cb
+Change-Id: I98eea867f926c508456ec9bc654e24eeeffa0e54
+(cherry picked from commit f70e351d1a3bc7765da1fa8f9e0bb52d425b27e4)
+Merged-In: I98eea867f926c508456ec9bc654e24eeeffa0e54
+---
+ .../users/EditUserPhotoController.java        | 43 +++++++++++++------
+ 1 file changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/src/com/android/settings/users/EditUserPhotoController.java b/src/com/android/settings/users/EditUserPhotoController.java
+index 0f67b181de..a874d6a0e5 100644
+--- a/src/com/android/settings/users/EditUserPhotoController.java
++++ b/src/com/android/settings/users/EditUserPhotoController.java
+@@ -22,7 +22,9 @@ import android.content.ClipData;
+ import android.content.ContentResolver;
+ import android.content.Context;
+ import android.content.Intent;
++import android.content.pm.ActivityInfo;
+ import android.content.pm.PackageManager;
++import android.content.pm.ResolveInfo;
+ import android.database.Cursor;
+ import android.graphics.Bitmap;
+ import android.graphics.Bitmap.Config;
+@@ -75,6 +77,7 @@ public class EditUserPhotoController {
+     private static final int REQUEST_CODE_TAKE_PHOTO   = 1002;
+     private static final int REQUEST_CODE_CROP_PHOTO   = 1003;
+ 
++    private static final String PRE_CROP_PICTURE_FILE_NAME = "PreCropEditUserPhoto.jpg";
+     private static final String CROP_PICTURE_FILE_NAME = "CropEditUserPhoto.jpg";
+     private static final String TAKE_PICTURE_FILE_NAME = "TakeEditUserPhoto2.jpg";
+     private static final String NEW_USER_PHOTO_FILE_NAME = "NewUserPhoto.png";
+@@ -85,6 +88,7 @@ public class EditUserPhotoController {
+     private final Fragment mFragment;
+     private final ImageView mImageView;
+ 
++    private final Uri mPreCropPictureUri;
+     private final Uri mCropPictureUri;
+     private final Uri mTakePictureUri;
+ 
+@@ -96,6 +100,8 @@ public class EditUserPhotoController {
+         mContext = view.getContext();
+         mFragment = fragment;
+         mImageView = view;
++
++        mPreCropPictureUri = createTempImageUri(mContext, PRE_CROP_PICTURE_FILE_NAME, !waiting);
+         mCropPictureUri = createTempImageUri(mContext, CROP_PICTURE_FILE_NAME, !waiting);
+         mTakePictureUri = createTempImageUri(mContext, TAKE_PICTURE_FILE_NAME, !waiting);
+         mPhotoSize = getPhotoSize(mContext);
+@@ -130,7 +136,7 @@ public class EditUserPhotoController {
+             case REQUEST_CODE_TAKE_PHOTO:
+             case REQUEST_CODE_CHOOSE_PHOTO:
+                 if (mTakePictureUri.equals(pictureUri)) {
+-                    cropPhoto();
++                    cropPhoto(pictureUri);
+                 } else {
+                     copyAndCropPhoto(pictureUri);
+                 }
+@@ -239,7 +245,7 @@ public class EditUserPhotoController {
+             protected Void doInBackground(Void... params) {
+                 final ContentResolver cr = mContext.getContentResolver();
+                 try (InputStream in = cr.openInputStream(pictureUri);
+-                        OutputStream out = cr.openOutputStream(mTakePictureUri)) {
++                        OutputStream out = cr.openOutputStream(mPreCropPictureUri)) {
+                     Streams.copy(in, out);
+                 } catch (IOException e) {
+                     Log.w(TAG, "Failed to copy photo", e);
+@@ -250,27 +256,38 @@ public class EditUserPhotoController {
+             @Override
+             protected void onPostExecute(Void result) {
+                 if (!mFragment.isAdded()) return;
+-                cropPhoto();
++                cropPhoto(mPreCropPictureUri);
+             }
+         }.execute();
+     }
+ 
+-    private void cropPhoto() {
++    private void cropPhoto(final Uri pictureUri) {
+         // TODO: Use a public intent, when there is one.
+         Intent intent = new Intent("com.android.camera.action.CROP");
+-        intent.setDataAndType(mTakePictureUri, "image/*");
++        intent.setDataAndType(pictureUri, "image/*");
+         appendOutputExtra(intent, mCropPictureUri);
+         appendCropExtras(intent);
+-        if (intent.resolveActivity(mContext.getPackageManager()) != null) {
+-            try {
+-                StrictMode.disableDeathOnFileUriExposure();
+-                mFragment.startActivityForResult(intent, REQUEST_CODE_CROP_PHOTO);
+-            } finally {
+-                StrictMode.enableDeathOnFileUriExposure();
++        try {
++            StrictMode.disableDeathOnFileUriExposure();
++            if (startSystemActivityForResult(intent, REQUEST_CODE_CROP_PHOTO)) {
++                return;
+             }
+-        } else {
+-            onPhotoCropped(mTakePictureUri, false);
++        } finally {
++            StrictMode.enableDeathOnFileUriExposure();
++        }
++        onPhotoCropped(mTakePictureUri, false);
++    }
++
++    private boolean startSystemActivityForResult(Intent intent, int code) {
++        List<ResolveInfo> resolveInfos = mContext.getPackageManager()
++                .queryIntentActivities(intent, PackageManager.MATCH_SYSTEM_ONLY);
++        if (resolveInfos.isEmpty()) {
++            Log.w(TAG, "No system package activity could be found for code " + code);
++            return false;
+         }
++        intent.setPackage(resolveInfos.get(0).activityInfo.packageName);
++        mFragment.startActivityForResult(intent, code);
++        return true;
+     }
+ 
+     private void appendOutputExtra(Intent intent, Uri pictureUri) {

Patches/LineageOS-15.1/android_packages_apps_Settings/345912-backport.patch

@@ -0,0 +1,124 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Milton Wu <mingjuwu@google.com>
+Date: Mon, 8 Aug 2022 09:05:00 +0000
+Subject: [PATCH] Add FLAG_SECURE for ChooseLockPassword and Pattern
+
+Prevent ChooseLockPassword and ChooseLockPatten being projected to
+remote views, add FLAG_SECURE for these screens.
+
+Bug: 179725730
+Test: Check these 2 screens not projected to chromecast
+Test: robo test for SetupChooseLockPatternTest ChooseLockPatternTest
+      SetupChooseLockPasswordTest ChooseLockPasswordTest
+Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca
+---
+ .../settings/password/ChooseLockPassword.java  |  2 ++
+ .../settings/password/ChooseLockPattern.java   |  2 ++
+ .../password/ChooseLockPasswordTest.java       | 18 ++++++++++++++++++
+ .../password/ChooseLockPatternTest.java        | 10 ++++++++++
+ 4 files changed, 32 insertions(+)
+
+diff --git a/src/com/android/settings/password/ChooseLockPassword.java b/src/com/android/settings/password/ChooseLockPassword.java
+index 9f5192d044..c7e0673b8a 100644
+--- a/src/com/android/settings/password/ChooseLockPassword.java
++++ b/src/com/android/settings/password/ChooseLockPassword.java
+@@ -49,6 +49,7 @@ import android.view.LayoutInflater;
+ import android.view.View;
+ import android.view.View.OnClickListener;
+ import android.view.ViewGroup;
++import android.view.WindowManager;
+ import android.view.inputmethod.EditorInfo;
+ import android.widget.Button;
+ import android.widget.LinearLayout;
+@@ -166,6 +167,7 @@ public class ChooseLockPassword extends SettingsActivity {
+         setTitle(msg);
+         LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent);
+         layout.setFitsSystemWindows(false);
++        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
+     }
+ 
+     public static class ChooseLockPasswordFragment extends InstrumentedPreferenceFragment
+diff --git a/src/com/android/settings/password/ChooseLockPattern.java b/src/com/android/settings/password/ChooseLockPattern.java
+index f65b4b3cf5..e4fa302f0a 100644
+--- a/src/com/android/settings/password/ChooseLockPattern.java
++++ b/src/com/android/settings/password/ChooseLockPattern.java
+@@ -29,6 +29,7 @@ import android.view.View;
+ import android.view.ViewGroup;
+ import android.widget.LinearLayout;
+ import android.widget.ScrollView;
++import android.view.WindowManager;
+ import android.widget.TextView;
+ 
+ import com.android.internal.logging.nano.MetricsProto.MetricsEvent;
+@@ -144,6 +145,7 @@ public class ChooseLockPattern extends SettingsActivity {
+                 : R.string.lockpassword_choose_your_pattern_header);
+         LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent);
+         layout.setFitsSystemWindows(false);
++        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
+     }
+ 
+     @Override
+diff --git a/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java b/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java
+index b8f06793ac..0970e5f3bf 100644
+--- a/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java
++++ b/tests/robotests/src/com/android/settings/password/ChooseLockPasswordTest.java
+@@ -16,6 +16,8 @@
+ 
+ package com.android.settings.password;
+ 
++import static android.view.WindowManager.LayoutParams.FLAG_SECURE;
++
+ import static com.google.common.truth.Truth.assertThat;
+ 
+ import static org.robolectric.RuntimeEnvironment.application;
+@@ -126,6 +128,22 @@ public class ChooseLockPasswordTest {
+     }
+ 
+     @Test
++
++    @Test
++    public void activity_shouldHaveSecureFlag() {
++        PasswordPolicy policy = new PasswordPolicy();
++        policy.quality = PASSWORD_QUALITY_ALPHABETIC;
++        policy.length = 10;
++
++        Intent intent = createIntentForPasswordValidation(
++                /* minMetrics */ policy.getMinMetrics(),
++                /* minComplexity= */ PASSWORD_COMPLEXITY_NONE,
++                /* passwordType= */ PASSWORD_QUALITY_ALPHABETIC);
++        ChooseLockPassword activity = buildChooseLockPasswordActivity(intent);
++        final int flags = activity.getWindow().getAttributes().flags;
++        assertThat(flags & FLAG_SECURE).isEqualTo(FLAG_SECURE);
++    }
++
+     public void assertThat_chooseLockIconChanged_WhenFingerprintExtraSet() {
+         ShadowDrawable drawable = setActivityAndGetIconDrawable(true);
+         assertThat(drawable.getCreatedFromResId()).isEqualTo(R.drawable.ic_fingerprint_header);
+diff --git a/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java b/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java
+index c74448b5dd..7735e5db9f 100644
+--- a/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java
++++ b/tests/robotests/src/com/android/settings/password/ChooseLockPatternTest.java
+@@ -16,6 +16,8 @@
+ 
+ package com.android.settings.password;
+ 
++import static android.view.WindowManager.LayoutParams.FLAG_SECURE;
++
+ import static com.google.common.truth.Truth.assertThat;
+ 
+ import static org.robolectric.RuntimeEnvironment.application;
+@@ -109,6 +111,14 @@ public class ChooseLockPatternTest {
+         assertThat(drawable.getCreatedFromResId()).isEqualTo(R.drawable.ic_fingerprint_header);
+     }
+ 
++    @Test
++    public void activity_shouldHaveSecureFlag() {
++        final ChooseLockPattern activity = Robolectric.buildActivity(
++                ChooseLockPattern.class, new IntentBuilder(application).build()).setup().get();
++        final int flags = activity.getWindow().getAttributes().flags;
++        assertThat(flags & FLAG_SECURE).isEqualTo(FLAG_SECURE);
++    }
++
+     private ChooseLockPattern createActivity(boolean addFingerprintExtra) {
+         return Robolectric.buildActivity(
+                 ChooseLockPattern.class,

Patches/LineageOS-15.1/android_packages_services_Telecomm/345913.patch

@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tyler Gunn <tgunn@google.com>
+Date: Tue, 27 Sep 2022 15:19:05 -0700
+Subject: [PATCH] Hide overlay windows when showing phone account
+ enable/disable screen.
+
+Hide any system alert window overlays when the screen that lets the user
+enable/disable phone accounts is shown.
+
+Test: Manual test with overlay shown from test app; verify that the overlay
+is hidden when the phone account selection screen is opened.
+Bug: 246933359
+
+Change-Id: Ia0209d57ee9a672cde4196076845d77941dc3f68
+(cherry picked from commit a7d57ace5819c4eef340aaf6744ad441d0369035)
+Merged-In: Ia0209d57ee9a672cde4196076845d77941dc3f68
+---
+ AndroidManifest.xml                                           | 2 ++
+ .../telecom/settings/EnableAccountPreferenceActivity.java     | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/AndroidManifest.xml b/AndroidManifest.xml
+index 2e7ca2236..abed4d836 100644
+--- a/AndroidManifest.xml
++++ b/AndroidManifest.xml
+@@ -22,6 +22,8 @@
+ 
+     <protected-broadcast android:name="android.intent.action.SHOW_MISSED_CALLS_NOTIFICATION" />
+ 
++    <uses-permission android:name="android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS"/>
++
+     <!-- Prevents the activity manager from delaying any activity-start
+          requests by this package, including requests immediately after
+          the user presses "home". -->
+diff --git a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
+index 2367825b3..662e56f61 100644
+--- a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
++++ b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
+@@ -25,11 +25,15 @@ import android.telecom.Log;
+ import android.telecom.PhoneAccountHandle;
+ import android.telecom.TelecomManager;
+ import android.view.MenuItem;
++import android.view.WindowManager;
+ 
+ public class EnableAccountPreferenceActivity extends Activity {
+     @Override
+     public void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
++        getWindow().addPrivateFlags(
++                android.view.WindowManager.LayoutParams
++                        .PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+ 
+         getFragmentManager().beginTransaction()
+                 .replace(android.R.id.content, new EnableAccountPreferenceFragment())

Patches/LineageOS-15.1/android_system_bt/345914.patch

@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ted Wang <tedwang@google.com>
+Date: Thu, 4 Aug 2022 09:41:24 +0800
+Subject: [PATCH] Add length check when copy AVDTP packet
+
+Bug: 232023771
+Test: make
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+(cherry picked from commit 07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f)
+Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+---
+ stack/avdt/avdt_msg.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
+index 52ce2e8a6..5dbe79bc5 100644
+--- a/stack/avdt/avdt_msg.cc
++++ b/stack/avdt/avdt_msg.cc
+@@ -1223,6 +1223,10 @@ BT_HDR* avdt_msg_asmbl(tAVDT_CCB* p_ccb, BT_HDR* p_buf) {
+      * would have allocated smaller buffer.
+      */
+     p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
++    if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
++      android_errorWriteLog(0x534e4554, "232023771");
++      return NULL;
++    }
+     memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
+ 
+     /* Free original buffer */

Patches/LineageOS-15.1/android_system_bt/345915.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 25 Aug 2022 18:52:28 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Added max buffer length check
+
+Bug: 230867224
+Test: Manual -- paired Bluetooth headset and played audio
+Tags: #security
+Ignore-AOSP-First: Security
+Change-Id: I740038288143715a1c06db781efd674b269a7f3e
+(cherry picked from commit 769f55450bd2eb94ddb9080f730e404de7716bda)
+Merged-In: I740038288143715a1c06db781efd674b269a7f3e
+---
+ stack/avct/avct_lcb_act.cc | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc
+index e2ce9db42..35f9bc60a 100644
+--- a/stack/avct/avct_lcb_act.cc
++++ b/stack/avct/avct_lcb_act.cc
+@@ -30,6 +30,7 @@
+ #include "bt_types.h"
+ #include "bt_utils.h"
+ #include "btm_api.h"
++#include "osi/include/log.h"
+ #include "osi/include/osi.h"
+ 
+ /* packet header length lookup table */
+@@ -58,7 +59,12 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) {
+   pkt_type = AVCT_PKT_TYPE(p);
+ 
+   /* quick sanity check on length */
+-  if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) {
++  if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] ||
++      (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) {
++    if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) >
++        BT_DEFAULT_BUFFER_SIZE) {
++      android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0);
++    }
+     osi_free(p_buf);
+     AVCT_TRACE_WARNING("Bad length during reassembly");
+     p_ret = NULL;

Patches/LineageOS-15.1/android_system_bt/345916.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 25 Aug 2022 20:39:08 +0000
+Subject: [PATCH] Add missing increment in bnep_api.cc
+
+Bug: 228450451
+Test: manual, pair BT and play audio
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I681878508feae3d0526ed3e928af7a415e7d5c36
+(cherry picked from commit 0fa54c7d8a2c061202e61d75b805661c1e89a76d)
+Merged-In: I681878508feae3d0526ed3e928af7a415e7d5c36
+---
+ stack/bnep/bnep_api.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
+index 817507320..92a652ab5 100644
+--- a/stack/bnep/bnep_api.cc
++++ b/stack/bnep/bnep_api.cc
+@@ -265,6 +265,7 @@ tBNEP_RESULT BNEP_ConnectResp(uint16_t handle, tBNEP_RESULT resp) {
+     p = (uint8_t*)(p_bcb->p_pending_data + 1) + p_bcb->p_pending_data->offset;
+     while (extension_present && p && rem_len) {
+       ext_type = *p++;
++      rem_len--;
+       extension_present = ext_type >> 7;
+       ext_type &= 0x7F;
+ 

Patches/LineageOS-15.1/android_system_bt/345917.patch

@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok <keithmok@google.com>
+Date: Tue, 16 Aug 2022 21:41:03 +0000
+Subject: [PATCH] Add length check when copy AVDT and AVCT packet
+
+Previous fix for AVDT causing memory leak.
+And missing similar fix for AVCT packet.
+
+Bug: 232023771
+Test: make
+Tag: #security
+Ignore-AOSP-First: Security
+Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
+Change-Id: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
+(cherry picked from commit a4311b284639bbd2c6c2c72d35d8444d40fb2d12)
+Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
+---
+ stack/avct/avct_lcb_act.cc | 8 +++++++-
+ stack/avdt/avdt_msg.cc     | 6 ++++--
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc
+index 35f9bc60a..439f3e82e 100644
+--- a/stack/avct/avct_lcb_act.cc
++++ b/stack/avct/avct_lcb_act.cc
+@@ -85,13 +85,19 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) {
+     if (p_lcb->p_rx_msg != NULL)
+       AVCT_TRACE_WARNING("Got start during reassembly");
+ 
+-    osi_free(p_lcb->p_rx_msg);
++    osi_free_and_reset((void**)&p_lcb->p_rx_msg);
+ 
+     /*
+      * Allocate bigger buffer for reassembly. As lower layers are
+      * not aware of possible packet size after reassembly, they
+      * would have allocated smaller buffer.
+      */
++    if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
++      android_errorWriteLog(0x534e4554, "232023771");
++      osi_free(p_buf);
++      p_ret = NULL;
++      return p_ret;
++    }
+     p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+     memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
+ 
+diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
+index 5dbe79bc5..b6a952bcf 100644
+--- a/stack/avdt/avdt_msg.cc
++++ b/stack/avdt/avdt_msg.cc
+@@ -1222,11 +1222,13 @@ BT_HDR* avdt_msg_asmbl(tAVDT_CCB* p_ccb, BT_HDR* p_buf) {
+      * not aware of possible packet size after reassembly, they
+      * would have allocated smaller buffer.
+      */
+-    p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+     if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+       android_errorWriteLog(0x534e4554, "232023771");
+-      return NULL;
++      osi_free(p_buf);
++      p_ret = NULL;
++      return p_ret;
+     }
++    p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+     memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
+ 
+     /* Free original buffer */

Patches/LineageOS-15.1/android_system_bt/345918.patch

@@ -0,0 +1,133 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok <keithmok@google.com>
+Date: Mon, 22 Aug 2022 19:44:10 +0000
+Subject: [PATCH] Fix integer overflow when parsing avrc response
+
+Convert min_len from 16 bits to 32 bits to avoid
+length checking overflow.
+Also, use calloc instead of malloc for list allocation
+since caller need to clean up string memory in the list items
+
+Bug: 242459126
+Test: fuzz_avrc
+Tag: #security
+Ignore-AOSP-First: Security
+Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
+Change-Id: I7250509f2b320774926a8b24fd28828c5217d8a4
+(cherry picked from commit a593687d6ad3978f48e2aa7be57d8239acdfa501)
+Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
+---
+ stack/avdt/avdt_scb_act.cc |  2 +-
+ stack/avrc/avrc_pars_ct.cc | 29 +++++++++--------------------
+ 2 files changed, 10 insertions(+), 21 deletions(-)
+
+diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
+index 9bb7ad273..5e0e98d80 100644
+--- a/stack/avdt/avdt_scb_act.cc
++++ b/stack/avdt/avdt_scb_act.cc
+@@ -310,7 +310,7 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) {
+   uint8_t* p_start = p;
+   uint32_t ssrc;
+   uint8_t o_v, o_p, o_cc;
+-  uint16_t min_len = 0;
++  uint32_t min_len = 0;
+   AVDT_REPORT_TYPE pt;
+   tAVDT_REPORT_DATA report;
+ 
+diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
+index dd22fa3d5..668c99636 100644
+--- a/stack/avrc/avrc_pars_ct.cc
++++ b/stack/avrc/avrc_pars_ct.cc
+@@ -143,7 +143,7 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
+ 
+ tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len,
+                                       tAVRC_REG_NOTIF_RSP* p_rsp) {
+-  uint16_t min_len = 1;
++  uint32_t min_len = 1;
+ 
+   if (len < min_len) goto length_error;
+   BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream);
+@@ -230,7 +230,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
+   }
+   BE_STREAM_TO_UINT8(pdu, p);
+   uint16_t pkt_len;
+-  uint16_t min_len = 0;
++  uint32_t min_len = 0;
+   /* read the entire packet len */
+   BE_STREAM_TO_UINT16(pkt_len, p);
+ 
+@@ -272,7 +272,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
+           get_item_rsp->uid_counter, get_item_rsp->item_count);
+ 
+       /* get each of the items */
+-      get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc(
++      get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_calloc(
+           get_item_rsp->item_count * (sizeof(tAVRC_ITEM)));
+       tAVRC_ITEM* curr_item = get_item_rsp->p_item_list;
+       for (int i = 0; i < get_item_rsp->item_count; i++) {
+@@ -362,7 +362,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
+                              __func__, media->type, media->name.charset_id,
+                              media->name.str_len, media->attr_count);
+ 
+-            media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc(
++            media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_calloc(
+                 media->attr_count * sizeof(tAVRC_ATTR_ENTRY));
+             for (int jk = 0; jk < media->attr_count; jk++) {
+               tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]);
+@@ -373,14 +373,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
+               /* Parse the name now */
+               BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p);
+               BE_STREAM_TO_UINT16(attr_entry->name.str_len, p);
+-              if (static_cast<uint16_t>(min_len + attr_entry->name.str_len) <
+-                  min_len) {
+-                // Check for overflow
+-                android_errorWriteLog(0x534e4554, "205570663");
+-              }
+-              if (pkt_len - min_len < attr_entry->name.str_len)
+-                goto browse_length_error;
+               min_len += attr_entry->name.str_len;
++              if (pkt_len < min_len) goto browse_length_error;
+               attr_entry->name.p_str = (uint8_t*)osi_malloc(
+                   attr_entry->name.str_len * sizeof(uint8_t));
+               BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str,
+@@ -449,7 +443,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg,
+           __func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items,
+           set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth);
+ 
+-      set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc(
++      set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_calloc(
+           set_br_pl_rsp->num_items * sizeof(tAVRC_NAME));
+ 
+       /* Read each of the folder in the depth */
+@@ -509,7 +503,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
+   p++; /* skip the reserved/packe_type byte */
+ 
+   uint16_t len;
+-  uint16_t min_len = 0;
++  uint32_t min_len = 0;
+   BE_STREAM_TO_UINT16(len, p);
+   AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d  vendor_len=0x%x", __func__,
+                    p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len);
+@@ -783,12 +777,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
+           BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p);
+           BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p);
+           BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p);
+-          if (static_cast<uint16_t>(min_len + p_attrs[i].name.str_len) <
+-              min_len) {
+-            // Check for overflow
+-            android_errorWriteLog(0x534e4554, "205570663");
+-          }
+-          if (len - min_len < p_attrs[i].name.str_len) {
++          min_len += p_attrs[i].name.str_len;
++          if (len < min_len) {
+             for (int j = 0; j < i; j++) {
+               osi_free(p_attrs[j].name.p_str);
+             }
+@@ -796,7 +786,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg,
+             p_result->get_attrs.num_attrs = 0;
+             goto length_error;
+           }
+-          min_len += p_attrs[i].name.str_len;
+           if (p_attrs[i].name.str_len > 0) {
+             p_attrs[i].name.p_str =
+                 (uint8_t*)osi_calloc(p_attrs[i].name.str_len);

Scripts/LineageOS-15.1/Patch.sh

@@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
 applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2022-11-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2022-12-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -98,6 +98,7 @@ fi;
 if enterAndClear "external/dtc"; then
 applyPatch "$DOS_PATCHES/android_external_dtc/342096.patch"; #P_asb_2022-10 libfdt: fdt_offset_ptr(): Fix comparison warnings
 applyPatch "$DOS_PATCHES/android_external_dtc/344161.patch"; #P_asb_2022-11 Fix integer wrap sanitisation.
+applyPatch "$DOS_PATCHES/android_external_dtc/345891.patch"; #P_asb_2022-12 libfdt: fdt_path_offset_namelen: Reject empty paths
 fi;
 
 if enterAndClear "external/expat"; then
@@ -128,7 +129,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/332449.patch"; #n-asb-2022-06 A
 applyPatch "$DOS_PATCHES/android_frameworks_base/332757.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10; api doc update
 applyPatch "$DOS_PATCHES/android_frameworks_base/332776.patch"; #P_asb_2022-06 Update GeofenceHardwareRequestParcelable to match parcel/unparcel format.
 applyPatch "$DOS_PATCHES/android_frameworks_base/332778.patch"; #P_asb_2022-06 Fix security hole in GateKeeperResponse
-applyPatch "$DOS_PATCHES/android_frameworks_base/332779.patch"; #P_asb_2022-06 Prevent non-admin users from deleting system apps.
+#applyPatch "$DOS_PATCHES/android_frameworks_base/332779.patch"; #P_asb_2022-06 Prevent non-admin users from deleting system apps. REVERTED IN P_asb_2022-12
 #applyPatch "$DOS_PATCHES/android_frameworks_base/334257-backport.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery if preparing user storage fails #XXX
 #applyPatch "$DOS_PATCHES/android_frameworks_base/334258-backport.patch"; #P_asb_2022-07 UserDataPreparer: reboot to recovery for system user only #XXX
 applyPatch "$DOS_PATCHES/android_frameworks_base/334262.patch"; #P_asb_2022-07 Crash invalid FGS notifications
@@ -147,6 +148,15 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/344171-backport.patch"; #P_asb_
 applyPatch "$DOS_PATCHES/android_frameworks_base/344172.patch"; #P_asb_2022-11 Trim any long string inputs that come in to AutomaticZenRule
 applyPatch "$DOS_PATCHES/android_frameworks_base/344173.patch"; #P_asb_2022-11 Check permission for VoiceInteraction
 applyPatch "$DOS_PATCHES/android_frameworks_base/344174-backport.patch"; #P_asb_2022-11 Do not dismiss keyguard after SIM PUK unlock
+applyPatch "$DOS_PATCHES/android_frameworks_base/345893-backport.patch"; #P_asb_2022-12 Limit the size of NotificationChannel and NotificationChannelGroup
+applyPatch "$DOS_PATCHES/android_frameworks_base/345894.patch"; #P_asb_2022-12 Prevent non-admin users from deleting system apps.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345895-backport.patch"; #P_asb_2022-12 Validate package name passed to setApplicationRestrictions.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345896-backport.patch"; #P_asb_2022-12 Include all enabled services when FEEDBACK_ALL_MASK. #XXX: uncertain backport
+applyPatch "$DOS_PATCHES/android_frameworks_base/345897-backport.patch"; #P_asb_2022-12 [pm] forbid deletion of protected packages
+applyPatch "$DOS_PATCHES/android_frameworks_base/345898-backport.patch"; #P_asb_2022-12 Fix NPE
+applyPatch "$DOS_PATCHES/android_frameworks_base/345520.patch"; #n-asb-2022-12 Ignore malformed shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/345901.patch"; #P_asb_2022-12 Fix permanent denial of service via setComponentEnabledSetting
+applyPatch "$DOS_PATCHES/android_frameworks_base/345902-backport.patch"; #P_asb_2022-12 Add safety checks on KEY_INTENT mismatch.
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
@@ -165,6 +175,11 @@ rm -rf packages/Osu packages/Osu2; #Automatic Wi-Fi connection non-sense
 rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
 fi;
 
+if enterAndClear "frameworks/minikin"; then
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345523.patch"; #n-asb-2022-12 Fix OOB read for registerLocaleList
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345524.patch"; #n-asb-2022-12 Fix OOB crash for registerLocaleList
+fi;
+
 if enterAndClear "frameworks/native"; then
 applyPatch "$DOS_PATCHES/android_frameworks_native/326752.patch"; #P_asb_2022-03 Check if the window is partially obscured for slippery enters
 if [ "$DOS_SENSORS_PERM" = true ]; then applyPatch "$DOS_PATCHES/android_frameworks_native/0001-Sensors.patch"; fi; #Permission for sensors access (MSe1969)
@@ -230,6 +245,7 @@ fi;
 if enterAndClear "packages/apps/Bluetooth"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907-backport.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
 fi;
 
 if enterAndClear "packages/apps/Contacts"; then
@@ -266,12 +282,14 @@ if enterAndClear "packages/apps/Settings"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/326758.patch"; #P_asb_2022-03 Fix bypass CALL_PRIVILEGED permission in AppRestrictionsFragment
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/326759.patch"; #P_asb_2022-03 Add caller check to com.android.credentials.RESET
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/327099.patch"; #n-asb-2022-03 Add caller check to com.android.credentials.RESET
-applyPatch "$DOS_PATCHES/android_packages_apps_Settings/332763.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings.
+#applyPatch "$DOS_PATCHES/android_packages_apps_Settings/332763.patch"; #P_asb_2022-06 Prevent exfiltration of system files via user image settings. REVERTED IN P_asb_2022-12
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334265.patch"; #P_asb_2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335111.patch"; #P_asb_2022-08 Verify ringtone from ringtone picker is audio
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335114.patch"; #P_asb_2022-08 Fix Settings crash when setting a null ringtone
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335115.patch"; #P_asb_2022-08 Fix can't change notification sound for work profile.
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/335116.patch"; #P_asb_2022-08 Extract app label from component name in notification access confirmation UI #TODO: needs backport
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345911.patch"; #P_asb_2022-12 Prevent exfiltration of system files via avatar picker.
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345912-backport.patch"; #P_asb_2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
 git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 if [ "$DOS_SENSORS_PERM" = true ]; then
@@ -319,6 +337,7 @@ fi;
 if enterAndClear "packages/services/Telecomm"; then
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332764.patch"; #P_asb_2022-06 limit TelecomManager#registerPhoneAccount to 10
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/344183.patch"; #P_asb_2022-11 switch TelecomManager List getters to ParceledListSlice
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345913.patch"; #P_asb_2022-12 Hide overlay windows when showing phone account enable/disable screen.
 fi;
 
 if enterAndClear "packages/services/Telephony"; then
@@ -338,6 +357,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/337997.patch"; #Q_asb_2022-09 Fix OOB
 applyPatch "$DOS_PATCHES/android_system_bt/342097.patch"; #P_asb_2022-10 Fix potential interger overflow when parsing vendor response
 applyPatch "$DOS_PATCHES/android_system_bt/344184.patch"; #P_asb_2022-11 Add negative length check in process_service_search_rsp
 applyPatch "$DOS_PATCHES/android_system_bt/344185.patch"; #P_asb_2022-11 Add buffer in pin_reply in bluetooth.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345914.patch"; #P_asb_2022-12 Add length check when copy AVDTP packet
+applyPatch "$DOS_PATCHES/android_system_bt/345915.patch"; #P_asb_2022-12 Added max buffer length check
+applyPatch "$DOS_PATCHES/android_system_bt/345916.patch"; #P_asb_2022-12 Add missing increment in bnep_api.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345917.patch"; #P_asb_2022-12 Add length check when copy AVDT and AVCT packet
+applyPatch "$DOS_PATCHES/android_system_bt/345918.patch"; #P_asb_2022-12 Fix integer overflow when parsing avrc response
 fi;
 
 if enterAndClear "system/core"; then