Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-08-03 20:04:21 -04:00
Code Issues Projects Releases Packages Wiki Activity

Picks + Fixes

Browse source 
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
Tad 2023-03-14 12:20:40 -04:00
parent 162b40a39d
commit 38626e1b0c
No known key found for this signature in database
GPG key ID: B286E9F57A07424B
57 changed files with 348 additions and 94 deletions
Download patch file Download diff file Expand all files Collapse all files

36
Patches/LineageOS-14.1/android_external_zlib/351107.patch Normal file
View file

@ -0,0 +1,36 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sadaf Ebrahimi <sadafebrahimi@google.com>
Date: Tue, 22 Nov 2022 22:00:13 +0000
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
Bug: http://b/242299736
Test: TreeHugger
Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140
---
src/inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/inflate.c b/src/inflate.c
index 4fd3f3c..5c111f5 100644
--- a/src/inflate.c
+++ b/src/inflate.c
@@ -736,8 +736,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);

39
Patches/LineageOS-14.1/android_system_bt/351105.patch Normal file
View file

@ -0,0 +1,39 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 10 Dec 2022 10:32:45 +0000
Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate
Bug: 258652631
Test: manual
Ignore-AOSP-First: security
Merged-In: Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
Change-Id: Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
(cherry picked from commit d4e34d862bb1b00fd06272e34f7160b5794c73ee)
Merged-In: Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
---
stack/gatt/gatt_cl.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/stack/gatt/gatt_cl.c b/stack/gatt/gatt_cl.c
index 04a027fef..1e8ff1f50 100644
--- a/stack/gatt/gatt_cl.c
+++ b/stack/gatt/gatt_cl.c
@@ -639,7 +639,8 @@ void gatt_process_prep_write_rsp (tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UINT8 op
GATT_TRACE_ERROR("value resp op_code = %s len = %d", gatt_dbg_op_name(op_code), len);
- if (len < GATT_PREP_WRITE_RSP_MIN_LEN)
+ if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
+ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value))
{
GATT_TRACE_ERROR("illegal prepare write response length, discard");
gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
@@ -649,7 +650,7 @@ void gatt_process_prep_write_rsp (tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UINT8 op
STREAM_TO_UINT16 (value.handle, p);
STREAM_TO_UINT16 (value.offset, p);
- value.len = len - 4;
+ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
memcpy (value.value, p, value.len);

76
Patches/LineageOS-14.1/android_system_bt/351106.patch Normal file
View file

@ -0,0 +1,76 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 20 Dec 2022 22:48:23 +0000
Subject: [PATCH] Fix an OOB write in SDP_AddAttribute
When the `attr_pad` becomes full, it is possible
that un index of `-1` is computed write
a zero byte to `p_val`, rusulting OOB write.
```
p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr - 1] = '\0';
```
Bug: 261867748
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b
Change-Id: I937d22a2df26fca1d7f06b10182c4e713ddfed1b
(cherry picked from commit 0846b5b746e844464fb728478fea3c2ad6aaef1f)
Merged-In: I937d22a2df26fca1d7f06b10182c4e713ddfed1b
---
stack/sdp/sdp_db.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/stack/sdp/sdp_db.c b/stack/sdp/sdp_db.c
index b7f489770..e133d67cb 100644
--- a/stack/sdp/sdp_db.c
+++ b/stack/sdp/sdp_db.c
@@ -406,6 +406,12 @@ BOOLEAN SDP_AddAttribute (UINT32 handle, UINT16 attr_id, UINT8 attr_type,
UINT16 xx, yy, zz;
tSDP_RECORD *p_rec = &sdp_cb.server_db.record[0];
+ if (p_val == NULL)
+ {
+ SDP_TRACE_WARNING("Trying to add attribute with p_val == NULL, skipped");
+ return (FALSE);
+ }
+
#if (BT_TRACE_VERBOSE == TRUE)
if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG)
{
@@ -447,6 +453,14 @@ BOOLEAN SDP_AddAttribute (UINT32 handle, UINT16 attr_id, UINT8 attr_type,
{
tSDP_ATTRIBUTE *p_attr = &p_rec->attribute[0];
+ // error out early, no need to look up
+ if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN)
+ {
+ SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
+ "full, skip adding the attribute", handle);
+ return (FALSE);
+ }
+
/* Found the record. Now, see if the attribute already exists */
for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++)
{
@@ -493,15 +507,15 @@ BOOLEAN SDP_AddAttribute (UINT32 handle, UINT16 attr_id, UINT8 attr_type,
attr_len = 0;
}
- if ((attr_len > 0) && (p_val != 0))
+ if (attr_len > 0)
{
p_attr->len = attr_len;
memcpy (&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
p_rec->free_pad_ptr += attr_len;
}
- else if ((attr_len == 0 && p_attr->len != 0) || /* if truncate to 0 length, simply don't add */
- p_val == 0)
+ else if (attr_len == 0 && p_attr->len != 0)
+ /* if truncate to 0 length, simply don't add */
{
SDP_TRACE_ERROR("SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
attr_id, attr_len );

96
Patches/LineageOS-14.1/android_system_bt/351109.patch Normal file
View file

@ -0,0 +1,96 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Rocky Liao <quic_rjliao@quicinc.com>
Date: Mon, 19 Sep 2022 17:39:42 +0800
Subject: [PATCH] AVRCP: Fix potential buffer overflow
There will be buffer overflow if remote response exceeds
AVRC_MAX_APP_ATTR_SIZE, add array index check to avoid
buffer overflow issue.
CRs-fixed: 3278869
Change-Id: Ia93690e0dc4b28fd01af3a406678d43d426d3be8
---
btif/src/btif_rc.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/btif/src/btif_rc.c b/btif/src/btif_rc.c
index 632ec9c33..7f17a5191 100644
--- a/btif/src/btif_rc.c
+++ b/btif/src/btif_rc.c
@@ -88,6 +88,7 @@
#define MAX_CMD_QUEUE_LEN 16
#define ERR_PLAYER_NOT_ADDRESED 0x13
#define BTRC_FEAT_AVRC_UI_UPDATE 0x08
+#define BTRC_MAX_APP_ATTR_SIZE 16
#if (defined(AVCT_COVER_ART_INCLUDED) && (AVCT_COVER_ART_INCLUDED == TRUE))
#define MAX_ELEM_ATTR_SIZE 8
@@ -4768,7 +4769,7 @@ static void handle_app_attr_txt_response (tBTA_AV_META_MSG *pmeta_msg, tAVRC_GET
* for standard attributes.
*/
p_app_settings->num_ext_attrs = 0;
- for (xx = 0; xx < p_app_settings->ext_attr_index; xx++)
+ for (xx = 0; xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE; xx++)
osi_free_and_reset((void **)&p_app_settings->ext_attrs[xx].p_str);
p_app_settings->ext_attr_index = 0;
/* Klockwork Fix for below issue at line 4765
@@ -4787,7 +4788,7 @@ static void handle_app_attr_txt_response (tBTA_AV_META_MSG *pmeta_msg, tAVRC_GET
for (xx = 0; xx < p_rsp->num_attr; xx++)
{
UINT8 x;
- for (x = 0; x < p_app_settings->num_ext_attrs; x++)
+ for (x = 0; x < p_app_settings->num_ext_attrs && x < AVRC_MAX_APP_ATTR_SIZE; x++)
{
if (p_app_settings->ext_attrs[x].attr_id == p_rsp->p_attrs[xx].attr_id)
{
@@ -4843,12 +4844,12 @@ static void handle_app_attr_val_txt_response (tBTA_AV_META_MSG *pmeta_msg, tAVRC
* for standard attributes.
*/
p_app_settings->num_ext_attrs = 0;
- for (xx = 0; xx < p_app_settings->ext_attr_index; xx++)
+ for (xx = 0; xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE; xx++)
{
int x;
btrc_player_app_ext_attr_t *p_ext_attr = &p_app_settings->ext_attrs[xx];
- for (x = 0; x < p_ext_attr->num_val; x++)
+ for (x = 0; x < p_ext_attr->num_val && x < BTRC_MAX_APP_ATTR_SIZE; x++)
osi_free_and_reset((void **)&p_ext_attr->ext_attr_val[x].p_str);
p_ext_attr->num_val = 0;
osi_free_and_reset((void **)&p_app_settings->ext_attrs[xx].p_str);
@@ -4868,12 +4869,19 @@ static void handle_app_attr_val_txt_response (tBTA_AV_META_MSG *pmeta_msg, tAVRC
return;
}
+ if (p_app_settings->ext_val_index >= AVRC_MAX_APP_ATTR_SIZE)
+ {
+ BTIF_TRACE_ERROR("%s: ext_val_index is 0x%02x, overflow!",
+ __func__, p_app_settings->ext_val_index);
+ return;
+ }
+
for (xx = 0; xx < p_rsp->num_attr; xx++)
{
UINT8 x;
btrc_player_app_ext_attr_t *p_ext_attr;
p_ext_attr = &p_app_settings->ext_attrs[p_app_settings->ext_val_index];
- for (x = 0; x < p_rsp->num_attr; x++)
+ for (x = 0; x < p_rsp->num_attr && x < BTRC_MAX_APP_ATTR_SIZE; x++)
{
if (p_ext_attr->ext_attr_val[x].val == p_rsp->p_attrs[xx].attr_id)
{
@@ -4924,12 +4932,12 @@ static void handle_app_attr_val_txt_response (tBTA_AV_META_MSG *pmeta_msg, tAVRC
/* Free the application settings information after sending to
* application.
*/
- for (xx = 0; xx < p_app_settings->ext_attr_index; xx++)
+ for (xx = 0; xx < p_app_settings->ext_attr_index && xx < AVRC_MAX_APP_ATTR_SIZE; xx++)
{
int x;
btrc_player_app_ext_attr_t *p_ext_attr = &p_app_settings->ext_attrs[xx];
- for (x = 0; x < p_ext_attr->num_val; x++)
+ for (x = 0; x < p_ext_attr->num_val && x < BTRC_MAX_APP_ATTR_SIZE; x++)
osi_free_and_reset((void **)&p_ext_attr->ext_attr_val[x].p_str);
p_ext_attr->num_val = 0;
osi_free_and_reset((void **)&p_app_settings->ext_attrs[xx].p_str);