16.0 July ASB work

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-16.0/android_external_freetype/360951.patch

@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] DO NOT MERGE - Cherry-pick two upstream changes
+
+This cherry picks following two changes:
+
+0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+
+Bug: 271680254
+Test: N/A
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ffa271ab538f57b65a65d434a2df9d3f8cd2f4a)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b0f8930701bf19229075cc930ad15813ff5fb07b)
+Merged-In: I42469df8e8b07221d64e3f8574c4f30110dbda7e
+Change-Id: I42469df8e8b07221d64e3f8574c4f30110dbda7e
+---
+ src/base/ftobjs.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 8d07e35ae..fda7e21de 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2345,6 +2345,15 @@
+ #endif
+ 
+ 
++    /* only use lower 31 bits together with sign bit */
++    if ( face_index > 0 )
++      face_index &= 0x7FFFFFFFL;
++    else
++    {
++      face_index &= 0x7FFFFFFFL;
++      face_index  = -face_index;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+@@ -3200,6 +3209,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
++    if ( !face->size )
++      return FT_THROW( Invalid_Size_Handle );
++
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );

Patches/LineageOS-16.0/android_frameworks_base/360953-backport.patch

@@ -0,0 +1,145 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lucas Lin <lucaslin@google.com>
+Date: Fri, 3 Mar 2023 08:13:50 +0000
+Subject: [PATCH] Sanitize VPN label to prevent HTML injection
+
+This commit will try to sanitize the content of VpnDialog. This
+commit creates a function which will try to sanitize the VPN
+label, if the sanitized VPN label is different from the original
+one, which means the VPN label might contain HTML tag or the VPN
+label violates the words restriction(may contain some wording
+which will mislead the user). For this kind of case, show the
+package name instead of the VPN label to prevent misleading the
+user.
+
+The malicious VPN app might be able to add a large number of line
+breaks with HTML in order to hide the system-displayed text from
+the user in the connection request dialog. Thus, sanitizing the
+content of the dialog is needed.
+
+Bug: 204554636
+Test: N/A
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab)
+Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
+Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
+---
+ packages/VpnDialogs/res/values/strings.xml    | 28 ++++++++++
+ .../com/android/vpndialogs/ConfirmDialog.java | 53 +++++++++++++++++--
+ 2 files changed, 76 insertions(+), 5 deletions(-)
+
+diff --git a/packages/VpnDialogs/res/values/strings.xml b/packages/VpnDialogs/res/values/strings.xml
+index 443a9bc33b90..b4166f0bedfd 100644
+--- a/packages/VpnDialogs/res/values/strings.xml
++++ b/packages/VpnDialogs/res/values/strings.xml
+@@ -89,4 +89,32 @@
+          without any consequences. [CHAR LIMIT=20] -->
+     <string name="dismiss">Dismiss</string>
+ 
++    <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs
++         into displaying what they want. The system will attempt to sanitize the label, and if the
++         label is deemed dangerous, then this string is used instead. The first argument is the
++         first 30 characters of the label, and the second argument is the package name of the app.
++         Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read
++         "My VPN app wants to set up a VPN connection...". If the label is very long, then, this
++         will be used to show "VerylongVPNlabel… (com.my.vpn.app) wants to set up a VPN
++         connection...". For this case, the code will refer to sanitized_vpn_label_with_ellipsis.
++    -->
++    <string name="sanitized_vpn_label_with_ellipsis">
++        <xliff:g id="sanitized_vpn_label_with_ellipsis" example="My VPN app">%1$s</xliff:g>… (
++        <xliff:g id="sanitized_vpn_label_with_ellipsis" example="com.my.vpn.app">%2$s</xliff:g>)
++    </string>
++
++    <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs
++         into displaying what they want. The system will attempt to sanitize the label, and if the
++         label is deemed dangerous, then this string is used instead. The first argument is the
++         label, and the second argument is the package name of the app.
++         Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read
++         "My VPN app wants to set up a VPN connection...". If the VPN label contains HTML tag but
++         the length is not very long, the dialog will show "VpnLabelWith&lt;br&gt;HtmlTag
++         (com.my.vpn.app) wants to set up a VPN connection...". For this case, the code will refer
++         to sanitized_vpn_label.
++    -->
++    <string name="sanitized_vpn_label">
++        <xliff:g id="sanitized_vpn_label" example="My VPN app">%1$s</xliff:g> (
++        <xliff:g id="sanitized_vpn_label" example="com.my.vpn.app">%2$s</xliff:g>)
++    </string>
+ </resources>
+diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
+index 09339743db5c..43d18df3a10d 100644
+--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
++++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
+@@ -42,10 +42,52 @@ public class ConfirmDialog extends AlertActivity
+         implements DialogInterface.OnClickListener, ImageGetter {
+     private static final String TAG = "VpnConfirm";
+ 
++    // Usually the label represents the app name, 150 code points might be enough to display the app
++    // name, and 150 code points won't cover the warning message from VpnDialog.
++    static final int MAX_VPN_LABEL_LENGTH = 150;
++
+     private String mPackage;
+ 
+     private IConnectivityManager mService;
+ 
++    private View mView;
++
++    /**
++     * This function will use the string resource to combine the VPN label and the package name.
++     *
++     * If the VPN label violates the length restriction, the first 30 code points of VPN label and
++     * the package name will be returned. Or return the VPN label and the package name directly if
++     * the VPN label doesn't violate the length restriction.
++     *
++     * The result will be something like,
++     * - ThisIsAVeryLongVpnAppNameWhich... (com.vpn.app)
++     *   if the VPN label violates the length restriction.
++     * or
++     * - VpnLabelWith&lt;br&gt;HtmlTag (com.vpn.app)
++     *   if the VPN label doesn't violate the length restriction.
++     *
++     */
++    private String getSimplifiedLabel(String vpnLabel, String packageName) {
++        if (vpnLabel.codePointCount(0, vpnLabel.length()) > 30) {
++            return getString(R.string.sanitized_vpn_label_with_ellipsis,
++                vpnLabel.substring(0, vpnLabel.offsetByCodePoints(0, 30)),
++                packageName);
++        }
++
++        return getString(R.string.sanitized_vpn_label, vpnLabel, packageName);
++    }
++
++    protected String getSanitizedVpnLabel(String vpnLabel, String packageName) {
++        final String sanitizedVpnLabel = Html.escapeHtml(vpnLabel);
++        final boolean exceedMaxVpnLabelLength = sanitizedVpnLabel.codePointCount(0,
++            sanitizedVpnLabel.length()) > MAX_VPN_LABEL_LENGTH;
++        if (exceedMaxVpnLabelLength || !vpnLabel.equals(sanitizedVpnLabel)) {
++            return getSimplifiedLabel(sanitizedVpnLabel, packageName);
++        }
++
++        return sanitizedVpnLabel;
++    }
++
+     @Override
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
+@@ -68,15 +110,16 @@ public class ConfirmDialog extends AlertActivity
+             finish();
+             return;
+         }
+-        View view = View.inflate(this, R.layout.confirm, null);
+-        ((TextView) view.findViewById(R.id.warning)).setText(
+-                Html.fromHtml(getString(R.string.warning, getVpnLabel()),
+-                        this, null /* tagHandler */));
++        mView = View.inflate(this, R.layout.confirm, null);
++        ((TextView) mView.findViewById(R.id.warning)).setText(
++                Html.fromHtml(getString(R.string.warning, getSanitizedVpnLabel(
++                    getVpnLabel().toString(), mPackage)),
++                    this /* imageGetter */, null /* tagHandler */));
+         mAlertParams.mTitle = getText(R.string.prompt);
+         mAlertParams.mPositiveButtonText = getText(android.R.string.ok);
+         mAlertParams.mPositiveButtonListener = this;
+         mAlertParams.mNegativeButtonText = getText(android.R.string.cancel);
+-        mAlertParams.mView = view;
++        mAlertParams.mView = mView;
+         setupAlert();
+ 
+         getWindow().setCloseOnTouchOutside(false);

Patches/LineageOS-16.0/android_frameworks_base/360954.patch

@@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Groover <mpgroover@google.com>
+Date: Fri, 31 Mar 2023 21:31:22 +0000
+Subject: [PATCH] Limit the number of supported v1 and v2 signers
+
+The v1 and v2 APK Signature Schemes support multiple signers; this
+was intended to allow multiple entities to sign an APK. Previously,
+the platform had no limits placed on the number of signers supported
+in an APK, but this commit sets a hard limit of 10 supported signers
+for these signature schemes to ensure a large number of signers
+does not place undue burden on the platform.
+
+Bug: 266580022
+Test: Manually verified the platform only allowed an APK with the
+       maximum number of supported signers.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597)
+Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091
+Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091
+---
+ .../util/apk/ApkSignatureSchemeV2Verifier.java        | 10 ++++++++++
+ core/java/android/util/jar/StrictJarVerifier.java     | 11 +++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
+index 533d72590f0a..d5f6ebe8c2e9 100644
+--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
++++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
+@@ -83,6 +83,11 @@ public class ApkSignatureSchemeV2Verifier {
+ 
+     private static final int APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871a;
+ 
++    /**
++     * The maximum number of signers supported by the v2 APK signature scheme.
++     */
++    private static final int MAX_V2_SIGNERS = 10;
++
+     /**
+      * Returns {@code true} if the provided APK contains an APK Signature Scheme V2 signature.
+      *
+@@ -188,6 +193,11 @@ public class ApkSignatureSchemeV2Verifier {
+         }
+         while (signers.hasRemaining()) {
+             signerCount++;
++            if (signerCount > MAX_V2_SIGNERS) {
++                throw new SecurityException(
++                        "APK Signature Scheme v2 only supports a maximum of " + MAX_V2_SIGNERS
++                                + " signers");
++            }
+             try {
+                 ByteBuffer signer = getLengthPrefixedSlice(signers);
+                 X509Certificate[] certs = verifySigner(signer, contentDigests, certFactory);
+diff --git a/core/java/android/util/jar/StrictJarVerifier.java b/core/java/android/util/jar/StrictJarVerifier.java
+index 45254908c5c9..a6aca330d323 100644
+--- a/core/java/android/util/jar/StrictJarVerifier.java
++++ b/core/java/android/util/jar/StrictJarVerifier.java
+@@ -78,6 +78,11 @@ class StrictJarVerifier {
+         "SHA1",
+     };
+ 
++    /**
++     * The maximum number of signers supported by the JAR signature scheme.
++     */
++    private static final int MAX_JAR_SIGNERS = 10;
++
+     private final String jarName;
+     private final StrictJarManifest manifest;
+     private final HashMap<String, byte[]> metaEntries;
+@@ -293,10 +298,16 @@ class StrictJarVerifier {
+             return false;
+         }
+ 
++        int signerCount = 0;
+         Iterator<String> it = metaEntries.keySet().iterator();
+         while (it.hasNext()) {
+             String key = it.next();
+             if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) {
++                if (++signerCount > MAX_JAR_SIGNERS) {
++                    throw new SecurityException(
++                            "APK Signature Scheme v1 only supports a maximum of " + MAX_JAR_SIGNERS
++                                    + " signers");
++                }
+                 verifyCertificate(key);
+                 it.remove();
+             }

Patches/LineageOS-16.0/android_frameworks_base/360959-backport.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aaron Liu <aaronjli@google.com>
+Date: Tue, 28 Mar 2023 13:15:04 -0700
+Subject: [PATCH] DO NOT MERGE Dismiss keyguard when simpin auth'd and...
+
+security method is none. This is mostly to fix the case where we auth
+sim pin in the set up wizard and it goes straight to keyguard instead of
+the setup wizard activity.
+
+This works with the prevent bypass keyguard flag because the device
+should be noe secure in this case.
+
+Fixes: 222446076
+Test: turn locked sim on, which opens the sim pin screen. Auth the
+screen and observe that keyguard is not shown.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:48fa9bef3451e4a358c941af5b230f99881c5cb6)
+Cherry-picking this CL as a security fix
+
+Bug: 222446076
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:09f004722284ef6b9790ddf9338a1708b3f0833c)
+Merged-In: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+Change-Id: If4360dd6ae2e5f79b43eaf1a29687ac9cc4b6101
+---
+ .../src/com/android/keyguard/KeyguardSecurityContainer.java     | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+index 6a71cf84759c..bb205956e932 100644
+--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
++++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityContainer.java
+@@ -351,7 +351,7 @@ public class KeyguardSecurityContainer extends FrameLayout implements KeyguardSe
+                 case SimPuk:
+                     // Shortcut for SIM PIN/PUK to go to directly to user's security screen or home
+                     SecurityMode securityMode = mSecurityModel.getSecurityMode(targetUserId);
+-                    if (securityMode == SecurityMode.None && mLockPatternUtils.isLockScreenDisabled(
++                    if (securityMode == SecurityMode.None || mLockPatternUtils.isLockScreenDisabled(
+                             KeyguardUpdateMonitor.getCurrentUser())) {
+                         finish = true;
+                     } else {

Patches/LineageOS-16.0/android_frameworks_base/360962-backport.patch

@@ -0,0 +1,99 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A1s=20Kurucz?= <kurucz@google.com>
+Date: Fri, 21 Apr 2023 09:45:07 +0000
+Subject: [PATCH] Truncate ShortcutInfo Id
+
+Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput.
+This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior.
+
+Fixes: 273729476
+Test: atest ShortcutManagerTest2
+Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed.
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f31df6234091b5b1de258a01dd4b2d8e5415ee2e)
+Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
+Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
+---
+ .../java/android/content/pm/ShortcutInfo.java | 20 ++++++++++++++++---
+ .../server/pm/ShortcutManagerTest2.java       | 10 ++++++++++
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/core/java/android/content/pm/ShortcutInfo.java b/core/java/android/content/pm/ShortcutInfo.java
+index ea476b0abf33..cddad1798219 100644
+--- a/core/java/android/content/pm/ShortcutInfo.java
++++ b/core/java/android/content/pm/ShortcutInfo.java
+@@ -214,6 +214,12 @@ public final class ShortcutInfo implements Parcelable {
+      */
+     public static final int DISABLED_REASON_OTHER_RESTORE_ISSUE = 103;
+ 
++    /**
++     * The maximum length of Shortcut ID. IDs will be truncated at this limit.
++     * @hide
++     */
++    public static final int MAX_ID_LENGTH = 1000;
++
+     /** @hide */
+     @IntDef(prefix = { "DISABLED_REASON_" }, value = {
+             DISABLED_REASON_NOT_DISABLED,
+@@ -380,8 +386,7 @@ public final class ShortcutInfo implements Parcelable {
+ 
+     private ShortcutInfo(Builder b) {
+         mUserId = b.mContext.getUserId();
+-
+-        mId = Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided");
++        mId = getSafeId(Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided"));
+ 
+         // Note we can't do other null checks here because SM.updateShortcuts() takes partial
+         // information.
+@@ -463,6 +468,14 @@ public final class ShortcutInfo implements Parcelable {
+         return ret;
+     }
+ 
++    @NonNull
++    private static String getSafeId(@NonNull String id) {
++        if (id.length() > MAX_ID_LENGTH) {
++            return id.substring(0, MAX_ID_LENGTH);
++        }
++        return id;
++    }
++
+     /**
+      * Throws if any of the mandatory fields is not set.
+      *
+@@ -1851,7 +1864,8 @@ public final class ShortcutInfo implements Parcelable {
+         final ClassLoader cl = getClass().getClassLoader();
+ 
+         mUserId = source.readInt();
+-        mId = source.readString();
++        mId = getSafeId(Preconditions.checkStringNotEmpty(source.readString(),
++                "Shortcut ID must be provided"));
+         mPackageName = source.readString();
+         mActivity = source.readParcelable(cl);
+         mFlags = source.readInt();
+diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+index fcdadaccd2ac..464f563640c1 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
++++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
+@@ -53,6 +53,7 @@ import java.io.IOException;
+ import java.io.PrintWriter;
+ import java.io.StringWriter;
+ import java.io.Writer;
++import java.util.Collections;
+ import java.util.Locale;
+ 
+ /**
+@@ -223,6 +224,15 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest {
+                 });
+     }
+ 
++    public void testShortcutIdTruncated() {
++        ShortcutInfo si = new ShortcutInfo.Builder(getTestContext(),
++                String.join("", Collections.nCopies(Short.MAX_VALUE, "s"))).build();
++
++        assertTrue(
++                "id must be truncated to MAX_ID_LENGTH",
++                si.getId().length() <= ShortcutInfo.MAX_ID_LENGTH);
++    }
++
+     public void testShortcutInfoParcel() {
+         setCaller(CALLING_PACKAGE_1, USER_10);
+         ShortcutInfo si = parceled(new ShortcutInfo.Builder(mClientContext)

Patches/LineageOS-16.0/android_frameworks_base/360963-backport.patch

@@ -0,0 +1,128 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ioana Alexandru <aioana@google.com>
+Date: Thu, 27 Apr 2023 12:36:05 +0000
+Subject: [PATCH] Visit URIs in landscape/portrait custom remote views.
+
+Bug: 277740848
+Test: atest RemoteViewsTest NotificationManagerServiceTest & tested with POC from bug
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e8acb2f660bdb03616989852f9dbbf1726f8237e)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:43e1ae4e0d408604b9e3c18ac0e9bf87529b92a8)
+Merged-In: I7d3d35df0ec38945019f71755bed8797b7af4517
+Change-Id: I7d3d35df0ec38945019f71755bed8797b7af4517
+---
+ core/java/android/widget/RemoteViews.java     |  6 ++
+ .../src/android/widget/RemoteViewsTest.java   | 65 +++++++++++++++++++
+ 2 files changed, 71 insertions(+)
+
+diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java
+index 4865dab6056a..10053dddb0fb 100644
+--- a/core/java/android/widget/RemoteViews.java
++++ b/core/java/android/widget/RemoteViews.java
+@@ -543,6 +543,12 @@ public class RemoteViews implements Parcelable, Filter {
+                 mActions.get(i).visitUris(visitor);
+             }
+         }
++        if (mLandscape != null) {
++            mLandscape.visitUris(visitor);
++        }
++        if (mPortrait != null) {
++            mPortrait.visitUris(visitor);
++        }
+     }
+ 
+     private static void visitIconUri(Icon icon, @NonNull Consumer<Uri> visitor) {
+diff --git a/core/tests/coretests/src/android/widget/RemoteViewsTest.java b/core/tests/coretests/src/android/widget/RemoteViewsTest.java
+index 70cf097f42a3..7d2e07ecbd71 100644
+--- a/core/tests/coretests/src/android/widget/RemoteViewsTest.java
++++ b/core/tests/coretests/src/android/widget/RemoteViewsTest.java
+@@ -19,6 +19,10 @@ package android.widget;
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertSame;
+ import static org.junit.Assert.assertTrue;
++import static org.mockito.ArgumentMatchers.eq;
++import static org.mockito.Mockito.spy;
++import static org.mockito.Mockito.times;
++import static org.mockito.Mockito.verify;
+ 
+ import android.app.PendingIntent;
+ import android.content.Context;
+@@ -26,6 +30,8 @@ import android.content.Intent;
+ import android.graphics.Bitmap;
+ import android.graphics.drawable.BitmapDrawable;
+ import android.graphics.drawable.Drawable;
++import android.graphics.drawable.Icon;
++import android.net.Uri;
+ import android.os.AsyncTask;
+ import android.os.Binder;
+ import android.os.Parcel;
+@@ -46,6 +52,7 @@ import org.junit.runner.RunWith;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.concurrent.CountDownLatch;
++import java.util.function.Consumer;
+ 
+ /**
+  * Tests for RemoteViews.
+@@ -444,4 +451,62 @@ public class RemoteViewsTest {
+         }
+         return found[0];
+     }
++
++
++    @Test
++    public void visitUris() {
++        RemoteViews views = new RemoteViews(mPackage, R.layout.remote_views_test);
++
++        final Uri imageUri = Uri.parse("content://media/image");
++        final Icon icon1 = Icon.createWithContentUri("content://media/icon1");
++        final Icon icon2 = Icon.createWithContentUri("content://media/icon2");
++        final Icon icon3 = Icon.createWithContentUri("content://media/icon3");
++        final Icon icon4 = Icon.createWithContentUri("content://media/icon4");
++        views.setImageViewUri(R.id.image, imageUri);
++        views.setTextViewCompoundDrawables(R.id.text, icon1, icon2, icon3, icon4);
++
++        Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
++        views.visitUris(visitor);
++        verify(visitor, times(1)).accept(eq(imageUri));
++        verify(visitor, times(1)).accept(eq(icon1.getUri()));
++        verify(visitor, times(1)).accept(eq(icon2.getUri()));
++        verify(visitor, times(1)).accept(eq(icon3.getUri()));
++        verify(visitor, times(1)).accept(eq(icon4.getUri()));
++    }
++
++    @Test
++    public void visitUris_separateOrientation() {
++        final RemoteViews landscape = new RemoteViews(mPackage, R.layout.remote_views_test);
++        final Uri imageUriL = Uri.parse("content://landscape/image");
++        final Icon icon1L = Icon.createWithContentUri("content://landscape/icon1");
++        final Icon icon2L = Icon.createWithContentUri("content://landscape/icon2");
++        final Icon icon3L = Icon.createWithContentUri("content://landscape/icon3");
++        final Icon icon4L = Icon.createWithContentUri("content://landscape/icon4");
++        landscape.setImageViewUri(R.id.image, imageUriL);
++        landscape.setTextViewCompoundDrawables(R.id.text, icon1L, icon2L, icon3L, icon4L);
++
++        final RemoteViews portrait = new RemoteViews(mPackage, 33);
++        final Uri imageUriP = Uri.parse("content://portrait/image");
++        final Icon icon1P = Icon.createWithContentUri("content://portrait/icon1");
++        final Icon icon2P = Icon.createWithContentUri("content://portrait/icon2");
++        final Icon icon3P = Icon.createWithContentUri("content://portrait/icon3");
++        final Icon icon4P = Icon.createWithContentUri("content://portrait/icon4");
++        portrait.setImageViewUri(R.id.image, imageUriP);
++        portrait.setTextViewCompoundDrawables(R.id.text, icon1P, icon2P, icon3P, icon4P);
++
++        RemoteViews views = new RemoteViews(landscape, portrait);
++
++        Consumer<Uri> visitor = (Consumer<Uri>) spy(Consumer.class);
++        views.visitUris(visitor);
++        verify(visitor, times(1)).accept(eq(imageUriL));
++        verify(visitor, times(1)).accept(eq(icon1L.getUri()));
++        verify(visitor, times(1)).accept(eq(icon2L.getUri()));
++        verify(visitor, times(1)).accept(eq(icon3L.getUri()));
++        verify(visitor, times(1)).accept(eq(icon4L.getUri()));
++        verify(visitor, times(1)).accept(eq(imageUriP));
++        verify(visitor, times(1)).accept(eq(icon1P.getUri()));
++        verify(visitor, times(1)).accept(eq(icon2P.getUri()));
++        verify(visitor, times(1)).accept(eq(icon3P.getUri()));
++        verify(visitor, times(1)).accept(eq(icon4P.getUri()));
++    }
+ }

Patches/LineageOS-16.0/android_system_bt/360969.patch

@@ -0,0 +1,45 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: tyiu <tyiu@google.com>
+Date: Tue, 28 Mar 2023 18:40:51 +0000
+Subject: [PATCH] Fix gatt_end_operation buffer overflow
+
+Added boundary check for gatt_end_operation to prevent writing out of
+boundary.
+
+Since response of the GATT server is handled in
+gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
+lenth that can be passed into the handlers is bounded by
+GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
+GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec
+that gaurentees MTU response to be less than or equal to 512 bytes can
+cause a buffer overflow when performing memcpy without length check.
+
+Bug: 261068592
+Test: No test since not affecting behavior
+Tag: #security
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200)
+Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
+Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
+---
+ stack/gatt/gatt_utils.cc | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/stack/gatt/gatt_utils.cc b/stack/gatt/gatt_utils.cc
+index 9e8d3b930..52891efc4 100644
+--- a/stack/gatt/gatt_utils.cc
++++ b/stack/gatt/gatt_utils.cc
+@@ -1193,6 +1193,13 @@ void gatt_end_operation(tGATT_CLCB* p_clcb, tGATT_STATUS status, void* p_data) {
+       cb_data.att_value.handle = p_clcb->s_handle;
+       cb_data.att_value.len = p_clcb->counter;
+ 
++      if (cb_data.att_value.len > GATT_MAX_ATTR_LEN) {
++        LOG(WARNING) << __func__
++                     << StringPrintf(" Large cb_data.att_value, size=%d",
++                                     cb_data.att_value.len);
++        cb_data.att_value.len = GATT_MAX_ATTR_LEN;
++      }
++
+       if (p_data && p_clcb->counter)
+         memcpy(cb_data.att_value.value, p_data, cb_data.att_value.len);
+     }

Patches/LineageOS-16.0/android_system_nfc/360972.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 2 May 2023 14:20:57 -0700
+Subject: [PATCH] OOBW in rw_i93_send_to_upper()
+
+Bug: 271849189
+Test: tag r/w
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8)
+Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
+Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
+---
+ src/nfc/tags/rw_i93.cc | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
+index acf28a6..232a4dd 100644
+--- a/src/nfc/tags/rw_i93.cc
++++ b/src/nfc/tags/rw_i93.cc
+@@ -507,6 +507,15 @@ void rw_i93_send_to_upper(NFC_HDR* p_resp) {
+     case I93_CMD_GET_MULTI_BLK_SEC:
+     case I93_CMD_EXT_GET_MULTI_BLK_SEC:
+ 
++      if (UINT16_MAX - length < NFC_HDR_SIZE) {
++        rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
++        rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
++        rw_cb.tcb.i93.sent_cmd = 0;
++
++        event = RW_I93_CMD_CMPL_EVT;
++        break;
++      }
++
+       /* forward tag data or security status */
+       p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
+ 

Patches/LineageOS-16.0/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/360974-backport.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 2 May 2023 14:20:57 -0700
+Subject: [PATCH] OOBW in rw_i93_send_to_upper()
+
+Bug: 271849189
+Test: tag r/w
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8)
+Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
+Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
+
+Change-Id: Ia10491e388a495a164462c73ced7ea1965808860
+---
+ src/nfc/tags/rw_i93.cc | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/nfc/tags/rw_i93.cc b/src/nfc/tags/rw_i93.cc
+index 62c5b54c..13ccaf0e 100755
+--- a/src/nfc/tags/rw_i93.cc
++++ b/src/nfc/tags/rw_i93.cc
+@@ -472,6 +472,15 @@ void rw_i93_send_to_upper(NFC_HDR* p_resp) {
+     case I93_CMD_GET_MULTI_BLK_SEC:
+     case I93_CMD_EXT_GET_MULTI_BLK_SEC:
+ 
++      if (UINT16_MAX - length < NFC_HDR_SIZE) {
++        rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
++        rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
++        rw_cb.tcb.i93.sent_cmd = 0;
++
++        event = RW_I93_CMD_CMPL_EVT;
++        break;
++      }
++
+       /* forward tag data or security status */
+       p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
+ 

Scripts/LineageOS-16.0/Patch.sh

@@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-06 #XXX
+sed -i 's/2022-01-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-07 #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -132,6 +132,10 @@ git fetch https://github.com/LineageOS/android_external_expat refs/changes/56/33
 git fetch https://github.com/LineageOS/android_external_expat refs/changes/28/349328/1 && git cherry-pick FETCH_HEAD; #P_asb_2023-02
 fi;
 
+if enterAndClear "external/freetype"; then
+applyPatch "$DOS_PATCHES/android_external_freetype/360951.patch"; #R_asb_2023-07 Cherry-pick two upstream changes
+fi;
+
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then
 if enterAndClear "external/hardened_malloc"; then
 applyPatch "$DOS_PATCHES_COMMON/android_external_hardened_malloc/0001-Broken_Audio.patch"; #DeviceDescriptor sorting wrongly relies on malloc addresses (GrapheneOS)
@@ -151,6 +155,12 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then applyPatch "$DOS_PATCHES/android_fram
 fi;
 
 if enterAndClear "frameworks/base"; then
+applyPatch "$DOS_PATCHES/android_frameworks_base/360953-backport.patch"; #R_asb_2023-07 Sanitize VPN label to prevent HTML injection
+applyPatch "$DOS_PATCHES/android_frameworks_base/360954.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers
+applyPatch "$DOS_PATCHES/android_frameworks_base/360955-backport.patch"; #R_asb_2023-07 Import translations.
+applyPatch "$DOS_PATCHES/android_frameworks_base/360959-backport.patch"; #R_asb_2023-07 Dismiss keyguard when simpin auth'd and security method is none.
+applyPatch "$DOS_PATCHES/android_frameworks_base/360962-backport.patch"; #R_asb_2023-07 Truncate ShortcutInfo Id
+applyPatch "$DOS_PATCHES/android_frameworks_base/360963-backport.patch"; #R_asb_2023-07 Visit URIs in landscape/portrait custom remote views.
 applyPatch "$DOS_PATCHES/android_frameworks_base/0007-Always_Restict_Serial.patch"; #Always restrict access to Build.SERIAL (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0008-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Review.patch"; #Allow SystemUI to directly manage Bluetooth/WiFi (GrapheneOS)
@@ -335,6 +345,7 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telephony/0002-More_Preferred
 fi;
 
 if enterAndClear "system/bt"; then
+applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
 #applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 fi;
 
@@ -356,6 +367,14 @@ if enterAndClear "system/extras"; then
 applyPatch "$DOS_PATCHES/android_system_extras/0001-ext4_pad_filenames.patch"; #FBE: pad filenames more (GrapheneOS)
 fi;
 
+if enterAndClear "system/nfc"; then
+applyPatch "$DOS_PATCHES/android_system_nfc/360972.patch"; #R_asb_2023-07 OOBW in rw_i93_send_to_upper()
+fi;
+
+if enterAndClear "vendor/nxp/opensource/commonsys/external/libnfc-nci"; then
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_commonsys_external_libnfc-nci/360974-backport.patch"; #R_asb_2023-07 OOBW in rw_i93_send_to_upper()
+fi;
+
 if enterAndClear "system/sepolicy"; then
 applyPatch "$DOS_PATCHES/android_system_sepolicy/0002-protected_files.patch"; #label protected_{fifos,regular} as proc_security (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_sepolicy/0003-ptrace_scope-1.patch"; #Allow init to control kernel.yama.ptrace_scope (GrapheneOS)

Scripts/LineageOS-17.1/Patch.sh

@@ -97,7 +97,7 @@ sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 #sed -i 's/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := true/PRODUCT_OTA_ENFORCE_VINTF_KERNEL_REQUIREMENTS := false/' core/product_config.mk; #broken by hardenDefconfig
-sed -i 's/2023-06-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #R_asb_2023-07 #XXX
+sed -i 's/2023-06-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2023-07 #XXX
 fi;
 
 if enterAndClear "build/soong"; then