From 5c166d2039d45cd66e7ea20482746b7b0100ed59 Mon Sep 17 00:00:00 2001 From: Tavi Date: Sat, 14 Sep 2024 12:44:16 -0400 Subject: [PATCH] 18.1: September 2024 ASB work Signed-off-by: Tavi --- Logs/resetWorkspace-LineageOS-18.1.txt | 2 +- ...ect-negative-len-for-XML_ParseBuffer.patch | 4 +- ...b-Detect-integer-overflow-in-dtdCopy.patch | 4 +- ...er-overflow-in-function-nextScaffold.patch | 4 +- ...-opening-tag-bindings-after-closing-.patch | 6 +- .../android_frameworks_av/401372.patch | 34 + .../android_frameworks_base/401373.patch | 66 ++ .../401375.patch | 28 + ...6891059-18.patch => 401376-backport.patch} | 25 +- .../401377.patch | 111 +++ .../401378-backport.patch | 39 + .../401380-backport.patch | 702 ++++++++++++++++++ .../401381.patch | 43 ++ .../401382.patch | 40 + Scripts/LineageOS-18.1/Patch.sh | 15 +- 15 files changed, 1110 insertions(+), 13 deletions(-) create mode 100644 Patches/LineageOS-18.1/android_frameworks_av/401372.patch create mode 100644 Patches/LineageOS-18.1/android_frameworks_base/401373.patch create mode 100644 Patches/LineageOS-18.1/android_packages_apps_Settings/401375.patch rename Patches/LineageOS-18.1/android_packages_apps_Settings/{316891059-18.patch => 401376-backport.patch} (84%) create mode 100644 Patches/LineageOS-18.1/android_packages_apps_Settings/401377.patch create mode 100644 Patches/LineageOS-18.1/android_packages_apps_Settings/401378-backport.patch create mode 100644 Patches/LineageOS-18.1/android_packages_services_Telecomm/401380-backport.patch create mode 100644 Patches/LineageOS-18.1/android_packages_services_Telecomm/401381.patch create mode 100644 Patches/LineageOS-18.1/android_packages_services_Telecomm/401382.patch diff --git a/Logs/resetWorkspace-LineageOS-18.1.txt b/Logs/resetWorkspace-LineageOS-18.1.txt index f770139e..63cb588d 100644 --- a/Logs/resetWorkspace-LineageOS-18.1.txt +++ b/Logs/resetWorkspace-LineageOS-18.1.txt 
@@ -135,7 +135,7 @@ external/cblas d82c5f4ae14b2a5468303985070f7dadc15d4094 external/cbor-java f81e576298790c97498311e99a0b0b34653c3dd8 external/chromium-libpac 169c93e00a00605346a68d39d3f4713735bdb61e external/chromium-trace e524766cad26d677a9a1ec8c00c512d4cac2cf5e -external/chromium-webview b270aa98312408d5893ee72fcd62b4d89937ceb2 +external/chromium-webview 8400ae9b819741cd4d436cce372496426ec85fc9 external/clang 0a1c53a5d295109bd4702ad13c0f2a5510ca1b26 external/cldr 38850463abd624d5b2293be75fddc43cf6b55ae2 external/cn-cbor 696530332036f5518681d3c450cdbc3ee412004a diff --git a/Patches/LineageOS-18.1/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch b/Patches/LineageOS-18.1/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch index e8596400..319d7119 100644 --- a/Patches/LineageOS-18.1/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch +++ b/Patches/LineageOS-18.1/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch @@ -9,10 +9,10 @@ Reported by TaiYou 1 file changed, 6 insertions(+) diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 381f3ef..97440d8 100644 +index c84b5ed..02f71c4 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c -@@ -1883,6 +1883,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { +@@ -1874,6 +1874,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { if (parser == NULL) return XML_STATUS_ERROR; diff --git a/Patches/LineageOS-18.1/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch b/Patches/LineageOS-18.1/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch index fc19e4a7..70c92a74 100644 --- a/Patches/LineageOS-18.1/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch +++ b/Patches/LineageOS-18.1/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch @@ -9,10 +9,10 @@ Reported by TaiYou 1 file changed, 10 insertions(+) 
diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 97440d8..9bd93b0 100644 +index 02f71c4..18fcad0 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c -@@ -6377,6 +6377,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, +@@ -6358,6 +6358,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, if (! newE) return 0; if (oldE->nDefaultAtts) { diff --git a/Patches/LineageOS-18.1/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch b/Patches/LineageOS-18.1/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch index bdaf8ab1..e4af8c94 100644 --- a/Patches/LineageOS-18.1/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch +++ b/Patches/LineageOS-18.1/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch @@ -9,10 +9,10 @@ Reported by TaiYou 1 file changed, 9 insertions(+) diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index 9bd93b0..e6f334a 100644 +index 18fcad0..b08cae9 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c -@@ -6929,6 +6929,15 @@ nextScaffoldPart(XML_Parser parser) { +@@ -6910,6 +6910,15 @@ nextScaffoldPart(XML_Parser parser) { int next; if (! dtd->scaffIndex) { diff --git a/Patches/LineageOS-18.1/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch b/Patches/LineageOS-18.1/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch index a6ddbac0..ac999a88 100644 --- a/Patches/LineageOS-18.1/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch +++ b/Patches/LineageOS-18.1/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch @@ -11,10 +11,10 @@ Subject: [PATCH] lib: Stop leaking opening tag bindings after closing tag 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/xmlparse.c b/lib/xmlparse.c -index e6f334a..602fa33 100644 +index b08cae9..f2c245d 100644 
--- a/lib/xmlparse.c +++ b/lib/xmlparse.c -@@ -2847,9 +2847,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, +@@ -2828,9 +2828,6 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, int len; const char *rawName; TAG *tag = parser->m_tagStack; @@ -24,7 +24,7 @@ index e6f334a..602fa33 100644 rawName = s + enc->minBytesPerChar * 2; len = XmlNameLength(enc, rawName); if (len != tag->rawNameLength -@@ -2857,6 +2854,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, +@@ -2838,6 +2835,9 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, *eventPP = rawName; return XML_ERROR_TAG_MISMATCH; } diff --git a/Patches/LineageOS-18.1/android_frameworks_av/401372.patch b/Patches/LineageOS-18.1/android_frameworks_av/401372.patch new file mode 100644 index 00000000..e1a784f8 --- /dev/null +++ b/Patches/LineageOS-18.1/android_frameworks_av/401372.patch 
@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wonsik Kim
+Date: Fri, 28 Jun 2024 00:33:51 +0000
+Subject: [PATCH] omx: check HDR10+ info param size
+
+Bug: 329641908
+Test: presubmit
+Flag: EXEMPT security fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:53298956ba6bb8f147a632d7aaed8566dfc203ee)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f816148a719d2a3bbf432f11da98b3d5fa7de74f)
+Merged-In: I72523e1de61e5f947174272b732e170e1c2964df
+Change-Id: I72523e1de61e5f947174272b732e170e1c2964df
+---
+ media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+index 418302389d..4ab5d10609 100644
+--- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
++++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
+@@ -619,6 +619,13 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig(
+ if (!isValidOMXParam(outParams)) {
+ return OMX_ErrorBadParameter;
+ }
++ if (offsetof(DescribeHDR10PlusInfoParams, nValue) + outParams->nParamSize >
++ outParams->nSize) {
++ ALOGE("b/329641908: too large param size; nParamSize=%u nSize=%u",
++ outParams->nParamSize, outParams->nSize);
++ android_errorWriteLog(0x534e4554, "329641908");
++ return OMX_ErrorBadParameter;
++ }
+
+ outParams->nParamSizeUsed = info->size();
+
diff --git a/Patches/LineageOS-18.1/android_frameworks_base/401373.patch b/Patches/LineageOS-18.1/android_frameworks_base/401373.patch
new file mode 100644
index 00000000..393501a8
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_frameworks_base/401373.patch
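Review bot: The bound check added to `SoftVideoDecoderOMXComponent::getConfig` sums `offsetof(DescribeHDR10PlusInfoParams, nValue)` and the caller-supplied `outParams->nParamSize` before comparing with `nSize`, so on a build where `size_t` is 32 bits a very large `nParamSize` could wrap the sum and slip under the limit. Assuming `isValidOMXParam` already guarantees that `nSize` is at least the size of the struct (its body is not visible here), the subtraction form cannot wrap: `if (outParams->nParamSize > outParams->nSize - offsetof(DescribeHDR10PlusInfoParams, nValue)) {`. The rest of `getConfig`, including the code that consumes `nParamSize` after this check, lies outside the hunk and should be confirmed against the same bound.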
@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kiran Ramachandra
+Date: Wed, 5 Jun 2024 21:03:33 +0000
+Subject: [PATCH] DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme
+ delimiter
+
+Initially considered removing unsupported characters as per IANA guidelines, but this could break applications that use custom schemes with asterisks. Instead, opted to remove only the "://" to minimize disruption
+
+Bug: 261721900
+Test: atest FrameworksCoreTests:android.net.UriTest
+
+No-Typo-Check: The unit test is specifically written to test few cases, string "http://https://" is not a typo
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fd0421801c391dd619cafeeea8d379a9029074a)
+Merged-In: I88b1550a5d8b3dc0f6286e28899884025d059645
+Change-Id: I88b1550a5d8b3dc0f6286e28899884025d059645
+---
+ core/java/android/net/Uri.java | 6 +++++-
+ core/tests/coretests/src/android/net/UriTest.java | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
+index 84fc4f78edc4..4446f09bc874 100644
+--- a/core/java/android/net/Uri.java
++++ b/core/java/android/net/Uri.java
+@@ -1380,7 +1380,11 @@ public abstract class Uri implements Parcelable, Comparable {
+ * @param scheme name or {@code null} if this is a relative Uri
+ */
+ public Builder scheme(String scheme) {
+- this.scheme = scheme;
++ if (scheme != null) {
++ this.scheme = scheme.replace("://", "");
++ } else {
++ this.scheme = null;
++ }
+ return this;
+ }
+
+diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java
+index 670aefd21d36..17a37831afdb 100644
+--- a/core/tests/coretests/src/android/net/UriTest.java
++++ b/core/tests/coretests/src/android/net/UriTest.java
+@@ -18,6 +18,7 @@ package android.net;
+
+ import android.content.ContentUris;
+ import android.os.Parcel;
++import android.platform.test.annotations.AsbSecurityTest;
+
+ import androidx.test.filters.SmallTest;
+
+@@ -88,6 +89,16 @@ public class UriTest extends TestCase {
+ assertNull(u.getHost());
+ }
+
++ @AsbSecurityTest(cveBugId = 261721900)
++ @SmallTest
++ public void testSchemeSanitization() {
++ Uri uri = new Uri.Builder()
++ .scheme("http://https://evil.com:/te:st/")
++ .authority("google.com").path("one/way").build();
++ assertEquals("httphttpsevil.com:/te:st/", uri.getScheme());
++ assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString());
++ }
++
+ @SmallTest
+ public void testStringUri() {
+ assertEquals("bob lee",
diff --git a/Patches/LineageOS-18.1/android_packages_apps_Settings/401375.patch b/Patches/LineageOS-18.1/android_packages_apps_Settings/401375.patch
new file mode 100644
index 00000000..bf315031
--- /dev/null
+++ b/Patches/LineageOS-18.1/android_packages_apps_Settings/401375.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chaohui Wang
+Date: Thu, 2 Nov 2023 11:43:00 +0800
+Subject: [PATCH] Limit wifi item edit content's max length to 500
+
+Bug: 293199910
+Test: manual - on "Add network"
+
+(cherry picked from commit 855053ca4124f2d515b21c469096f8c18bd4829d)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:092668676af741719d50ac0f121a8f8461aa21ad)
+Merged-In: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
+Change-Id: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
+---
+ res/values/styles.xml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/res/values/styles.xml b/res/values/styles.xml
+index 88760723883..2ce29040f0d 100644
+--- a/res/values/styles.xml
++++ b/res/values/styles.xml
+@@ -147,6 +147,7 @@
+ @android:style/TextAppearance.DeviceDefault.Medium
+ ?android:attr/textColorSecondary
+ @dimen/min_tap_target_size
++ 500
+
+
+
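Review bot: `Uri.Builder.scheme` in 401373.patch removes the delimiter with a single `scheme.replace("://", "")`, which is one left-to-right pass, so a value in which the delimiter's characters sit on either side of another occurrence can still contain `://` once the call returns. `testSchemeSanitization` only exercises separate, non-overlapping occurrences, so it would not catch this. Repeating the removal until nothing is left closes the gap, for example `String s = scheme;` then `while (s.contains("://")) { s = s.replace("://", ""); }` then `this.scheme = s;`, and one extra assertion with a nested delimiter would pin the behaviour. The scheme still accepts `:` and `/` on their own, which the commit message describes as a deliberate compatibility choice.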