14.1 December ASB, thanks to @syphyr

Signed-off-by: Tad <tad@spotco.us>

Patches/LineageOS-14.1/android_frameworks_base/345519.patch

@@ -0,0 +1,106 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Oli Lan <olilan@google.com>
+Date: Fri, 19 Aug 2022 17:08:13 +0100
+Subject: [PATCH] Validate package name passed to setApplicationRestrictions.
+
+This adds validation that the package name passed to
+setApplicationRestrictions is in the correct format. This will avoid
+an issue where a path could be entered resulting in a file being
+written to an unexpected place.
+
+Bug: 239701237
+Test: atest UserManagerServiceTest
+Change-Id: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+(cherry picked from commit 31a582490d6e8952d24f267df47d669e3861cf67)
+Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+(cherry picked from commit cfcfe6ca8c545f78603c05e23687f8638fd4b51d)
+Merged-In: I1ab2b7228470f10ec26fe3a608ae540cfc9e9a96
+---
+ .../android/server/pm/UserManagerService.java | 41 +++++++++++++++++++
+ .../server/pm/UserManagerServiceTest.java     |  7 ++++
+ 2 files changed, 48 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/UserManagerService.java b/services/core/java/com/android/server/pm/UserManagerService.java
+index a4ffc3938af9..cea22bbe46f4 100644
+--- a/services/core/java/com/android/server/pm/UserManagerService.java
++++ b/services/core/java/com/android/server/pm/UserManagerService.java
+@@ -73,6 +73,7 @@ import android.system.Os;
+ import android.system.OsConstants;
+ import android.text.TextUtils;
+ import android.util.AtomicFile;
++import android.util.EventLog;
+ import android.util.IntArray;
+ import android.util.Log;
+ import android.util.Slog;
+@@ -2638,6 +2639,13 @@ public class UserManagerService extends IUserManager.Stub {
+     public void setApplicationRestrictions(String packageName, Bundle restrictions,
+             int userId) {
+         checkSystemOrRoot("set application restrictions");
++        String validationResult = validateName(packageName);
++        if (validationResult != null) {
++            if (packageName.contains("../")) {
++                EventLog.writeEvent(0x534e4554, "239701237", -1, "");
++            }
++            throw new IllegalArgumentException("Invalid package name: " + validationResult);
++        }
+         if (restrictions != null) {
+             restrictions.setDefusable(true);
+         }
+@@ -2657,6 +2665,39 @@ public class UserManagerService extends IUserManager.Stub {
+         mContext.sendBroadcastAsUser(changeIntent, UserHandle.of(userId));
+     }
+ 
++    /**
++     * Check if the given name is valid.
++     *
++     * Note: the logic is taken from FrameworkParsingPackageUtils in master, edited to remove
++     * unnecessary parts. Copied here for a security fix.
++     *
++     * @param name The name to check.
++     * @return null if it's valid, error message if not
++     */
++    @VisibleForTesting
++    static String validateName(String name) {
++        final int n = name.length();
++        boolean front = true;
++        for (int i = 0; i < n; i++) {
++            final char c = name.charAt(i);
++            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) {
++                front = false;
++                continue;
++            }
++            if (!front) {
++                if ((c >= '0' && c <= '9') || c == '_') {
++                    continue;
++                }
++                if (c == '.') {
++                    front = true;
++                    continue;
++                }
++            }
++            return "bad character '" + c + "'";
++        }
++        return null;
++    }
++
+     private int getUidForPackage(String packageName) {
+         long ident = Binder.clearCallingIdentity();
+         try {
+diff --git a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
+index 9f77297b49dd..744be99e4bf7 100644
+--- a/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
++++ b/services/tests/servicestests/src/com/android/server/pm/UserManagerServiceTest.java
+@@ -74,6 +74,13 @@ public class UserManagerServiceTest extends AndroidTestCase {
+         assertEquals(accountName, um.getUserAccount(tempUserId));
+     }
+ 
++    public void testValidateName() {
++        assertNull(UserManagerService.validateName("android"));
++        assertNull(UserManagerService.validateName("com.company.myapp"));
++        assertNotNull(UserManagerService.validateName("/../../data"));
++        assertNotNull(UserManagerService.validateName("/dir"));
++    }
++
+     private Bundle createBundle() {
+         Bundle result = new Bundle();
+         // Tests for 6 allowed types: Integer, Boolean, String, String[], Bundle and Parcelable[]

Patches/LineageOS-14.1/android_frameworks_base/345520.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinyao Ting <pinyaoting@google.com>
+Date: Wed, 21 Sep 2022 23:03:11 +0000
+Subject: [PATCH] Ignore malformed shortcuts
+
+After an app publishes a shortcut that contains malformed intent, the
+system can be stuck in boot-loop due to uncaught exception caused by
+parsing the malformed intent.
+
+This CL ignores that particular malformed entry. Since shortcuts are
+constantly writes back into the xml from system memory, the malformed
+entry will be removed from the xml the next time system persists
+shortcuts from memory to file system.
+
+Bug: 246540168
+Change-Id: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
+Test: manual
+(cherry picked from commit 9b0dd514d29bbf986f1d1a3c6cebc2ef2bcf782e)
+Merged-In: Ie1e39005a5f9d8038bd703a5bc845779c2f46e94
+---
+ .../com/android/server/pm/ShortcutPackage.java     | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/services/core/java/com/android/server/pm/ShortcutPackage.java b/services/core/java/com/android/server/pm/ShortcutPackage.java
+index 38d69ed287e1..0a98002feb14 100644
+--- a/services/core/java/com/android/server/pm/ShortcutPackage.java
++++ b/services/core/java/com/android/server/pm/ShortcutPackage.java
+@@ -1363,11 +1363,15 @@ class ShortcutPackage extends ShortcutPackageItem {
+                         ret.getPackageInfo().loadFromXml(parser, fromBackup);
+                         continue;
+                     case TAG_SHORTCUT:
+-                        final ShortcutInfo si = parseShortcut(parser, packageName,
+-                                shortcutUser.getUserId());
+-
+-                        // Don't use addShortcut(), we don't need to save the icon.
+-                        ret.mShortcuts.put(si.getId(), si);
++                        try {
++                            final ShortcutInfo si = parseShortcut(parser, packageName,
++                                    shortcutUser.getUserId());
++                            // Don't use addShortcut(), we don't need to save the icon.
++                            ret.mShortcuts.put(si.getId(), si);
++                        } catch (Exception e) {
++                            // b/246540168 malformed shortcuts should be ignored
++                            Slog.e(TAG, "Failed parsing shortcut.", e);
++                        }
+                         continue;
+                 }
+             }

Patches/LineageOS-14.1/android_frameworks_base/345521.patch

@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rhed Jao <rhedjao@google.com>
+Date: Mon, 26 Sep 2022 21:35:26 +0800
+Subject: [PATCH] Fix permanent denial of service via
+ setComponentEnabledSetting
+
+Do not update invalid component enabled settings to prevent the
+malicious apps from exhausting system server memory.
+
+Bug: 240936919
+Test: atest android.security.cts.PackageManagerTest
+Change-Id: I08165337895e89f13a2b9fcce1201cba9ad13d7d
+(cherry picked from commit 4d13148a3fa5f6bc1b7038fae7d1f1adda163a9f)
+Merged-In: I08165337895e89f13a2b9fcce1201cba9ad13d7d
+---
+ .../core/java/com/android/server/pm/PackageManagerService.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
+index e109337809cf..1e439c423a67 100644
+--- a/services/core/java/com/android/server/pm/PackageManagerService.java
++++ b/services/core/java/com/android/server/pm/PackageManagerService.java
+@@ -18339,6 +18339,9 @@ Slog.v(TAG, ":: stepped forward, applying functor at tag " + parser.getName());
+                     } else {
+                         Slog.w(TAG, "Failed setComponentEnabledSetting: component class "
+                                 + className + " does not exist in " + packageName);
++                        // Safetynet logging for b/240936919
++                        EventLog.writeEvent(0x534e4554, "240936919", uid);
++                        return;
+                     }
+                 }
+                 switch (newState) {

Patches/LineageOS-14.1/android_frameworks_base/345522.patch

@@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hao Ke <haok@google.com>
+Date: Tue, 4 Oct 2022 19:43:58 +0000
+Subject: [PATCH] Add safety checks on KEY_INTENT mismatch.
+
+For many years, Parcel mismatch typed exploits has been using the
+AccoungManagerService's passing of KEY_INTENT workflow, as a foothold of
+launching arbitrary intents. We are adding an extra check on the service
+side to simulate the final deserialization of the KEY_INTENT value, to
+make sure the client side won't get a mismatched KEY_INTENT value.
+
+Bug: 250588548
+Bug: 240138294
+Test: atest CtsAccountManagerTestCases
+Test: local test, also see b/250588548
+Change-Id: I433e34f6e21ce15c89825044a15b1dec46bb25cc
+(cherry picked from commit eb9a0566a583fa13f8aff671c41f78a9e33eab82)
+Merged-In: I433e34f6e21ce15c89825044a15b1dec46bb25cc
+---
+ .../accounts/AccountManagerService.java       | 34 ++++++++++++++++---
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/services/core/java/com/android/server/accounts/AccountManagerService.java b/services/core/java/com/android/server/accounts/AccountManagerService.java
+index 239297cc420a..7273e3ea5ffc 100644
+--- a/services/core/java/com/android/server/accounts/AccountManagerService.java
++++ b/services/core/java/com/android/server/accounts/AccountManagerService.java
+@@ -89,6 +89,7 @@ import android.os.UserHandle;
+ import android.os.UserManager;
+ import android.os.storage.StorageManager;
+ import android.text.TextUtils;
++import android.util.EventLog;
+ import android.util.Log;
+ import android.util.Pair;
+ import android.util.Slog;
+@@ -2545,7 +2546,7 @@ public class AccountManagerService
+                              */
+                             if (!checkKeyIntent(
+                                     Binder.getCallingUid(),
+-                                    intent)) {
++                                    result)) {
+                                 onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                                         "invalid intent in bundle returned");
+                                 return;
+@@ -2960,7 +2961,7 @@ public class AccountManagerService
+                     && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+-                        intent)) {
++                        result)) {
+                     onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                             "invalid intent in bundle returned");
+                     return;
+@@ -4230,7 +4231,13 @@ public class AccountManagerService
+          * into launching aribtrary intents on the device via by tricking to click authenticator
+          * supplied entries in the system Settings app.
+          */
+-        protected boolean checkKeyIntent(int authUid, Intent intent) {
++        protected boolean checkKeyIntent(int authUid, Bundle bundle) {
++            if (!checkKeyIntentParceledCorrectly(bundle)) {
++                EventLog.writeEvent(0x534e4554, "250588548", authUid, "");
++                return false;
++            }
++
++            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
+             // Explicitly set an empty ClipData to ensure that we don't offer to
+             // promote any Uris contained inside for granting purposes
+             if (intent.getClipData() == null) {
+@@ -4263,6 +4270,25 @@ public class AccountManagerService
+             }
+         }
+ 
++        /**
++         * Simulate the client side's deserialization of KEY_INTENT value, to make sure they don't
++         * violate our security policy.
++         *
++         * In particular we want to make sure the Authenticator doesn't trick users
++         * into launching arbitrary intents on the device via exploiting any other Parcel read/write
++         * mismatch problems.
++         */
++        private boolean checkKeyIntentParceledCorrectly(Bundle bundle) {
++            Parcel p = Parcel.obtain();
++            p.writeBundle(bundle);
++            p.setDataPosition(0);
++            Bundle simulateBundle = p.readBundle();
++            p.recycle();
++            Intent intent = bundle.getParcelable(AccountManager.KEY_INTENT);
++            Intent simulateIntent = simulateBundle.getParcelable(AccountManager.KEY_INTENT);
++            return (intent.filterEquals(simulateIntent));
++        }
++
+         private void close() {
+             synchronized (mSessions) {
+                 if (mSessions.remove(toString()) == null) {
+@@ -4408,7 +4434,7 @@ public class AccountManagerService
+                     && (intent = result.getParcelable(AccountManager.KEY_INTENT)) != null) {
+                 if (!checkKeyIntent(
+                         Binder.getCallingUid(),
+-                        intent)) {
++                        result)) {
+                     onError(AccountManager.ERROR_CODE_INVALID_RESPONSE,
+                             "invalid intent in bundle returned");
+                     return;

Patches/LineageOS-14.1/android_frameworks_minikin/345523.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok <keithmok@google.com>
+Date: Thu, 15 Sep 2022 22:51:42 +0000
+Subject: [PATCH] Fix OOB read for registerLocaleList
+
+When the buffer size is equal to string size,
+the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
+which is a negative number, and U_FAILURE would fail if error number
+greater than zero only.
+
+This would cause non null terminated string passing into following funcs
+and causing different types of crash
+
+Bug: 239210579
+Bug: 239328580
+Bug: 239267173
+Test: locale_fuzzer
+Ignore-AOSP-First: security
+Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+Change-Id: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+(cherry picked from commit d8a427cc9c8a722b0911af5139b10b0a6aeb0e03)
+Merged-In: Id9c98fc08876656e1f48d12823a24bb7a44bee45
+---
+ libs/minikin/FontLanguageListCache.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libs/minikin/FontLanguageListCache.cpp b/libs/minikin/FontLanguageListCache.cpp
+index 6b661f0..8ef4a1b 100644
+--- a/libs/minikin/FontLanguageListCache.cpp
++++ b/libs/minikin/FontLanguageListCache.cpp
+@@ -39,7 +39,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
+     size_t outLength = 0;
+     UErrorCode uErr = U_ZERO_ERROR;
+     outLength = uloc_canonicalize(locale.c_str(), output, outSize, &uErr);
+-    if (U_FAILURE(uErr)) {
++    if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+         // unable to build a proper language identifier
+         ALOGD("uloc_canonicalize(\"%s\") failed: %s", locale.c_str(), u_errorName(uErr));
+         output[0] = '\0';
+@@ -64,7 +64,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
+ 
+     uErr = U_ZERO_ERROR;
+     outLength = uloc_toLanguageTag(likelyChars, output, outSize, FALSE, &uErr);
+-    if (U_FAILURE(uErr)) {
++    if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+         // unable to build a proper language identifier
+         ALOGD("uloc_toLanguageTag(\"%s\") failed: %s", likelyChars, u_errorName(uErr));
+         output[0] = '\0';

Patches/LineageOS-14.1/android_frameworks_minikin/345524.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok <keithmok@google.com>
+Date: Thu, 29 Sep 2022 22:34:05 +0000
+Subject: [PATCH] Fix OOB crash for registerLocaleList
+
+When the buffer size is equal to string size,
+the func in icu just return warning U_STRING_NOT_TERMINATED_WARNING
+which is a negative number, and U_FAILURE would fail if error number
+greater than zero only.
+
+This would cause non null terminated string passing into following funcs
+and causing different types of crash
+
+This fixes the previous partial fix.
+
+Bug: 248612953
+Bug: 239210579
+Bug: 249151446
+Bug: 239267173
+Test: locale_fuzzer
+Ignore-AOSP-First: security
+Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+Change-Id: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+(cherry picked from commit 582927b0d6c6920ee6a04049eaa9e68608cfc888)
+(cherry picked from commit a8265407660edaa1006545a6401d6409c05acb5d)
+Merged-In: I651d1ff64d06b4c30e18ee69772f52a60aa5ff7a
+---
+ libs/minikin/FontLanguageListCache.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libs/minikin/FontLanguageListCache.cpp b/libs/minikin/FontLanguageListCache.cpp
+index 8ef4a1b..2bc39c2 100644
+--- a/libs/minikin/FontLanguageListCache.cpp
++++ b/libs/minikin/FontLanguageListCache.cpp
+@@ -55,7 +55,7 @@ static size_t toLanguageTag(char* output, size_t outSize, const std::string& loc
+     char likelyChars[ULOC_FULLNAME_CAPACITY];
+     uErr = U_ZERO_ERROR;
+     uloc_addLikelySubtags(output, likelyChars, ULOC_FULLNAME_CAPACITY, &uErr);
+-    if (U_FAILURE(uErr)) {
++    if (U_FAILURE(uErr) || (uErr == U_STRING_NOT_TERMINATED_WARNING)) {
+         // unable to build a proper language identifier
+         ALOGD("uloc_addLikelySubtags(\"%s\") failed: %s", output, u_errorName(uErr));
+         output[0] = '\0';

Patches/LineageOS-14.1/android_packages_apps_Bluetooth/345525.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Wed, 28 Sep 2022 23:30:49 +0000
+Subject: [PATCH] Fix URI check in BluetoothOppUtility.java
+
+Bug: 225880741
+Test: BT unit tests, validated against researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I65c1494023930aa23fede55936488f605c7cfe01
+(cherry picked from commit d0957cfdf1fc1b36620c1545643ffbc37f0ac24c)
+Merged-In: I65c1494023930aa23fede55936488f605c7cfe01
+---
+ src/com/android/bluetooth/opp/BluetoothOppUtility.java | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+index f5d926964..3a4959fcd 100644
+--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
++++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+@@ -49,6 +49,7 @@ import android.content.pm.ResolveInfo;
+ import android.database.Cursor;
+ import android.database.sqlite.SQLiteException;
+ import android.os.Environment;
++import android.util.EventLog;
+ import android.util.Log;
+ 
+ import java.io.File;
+@@ -70,7 +71,11 @@ public class BluetoothOppUtility {
+             = new ConcurrentHashMap<Uri, BluetoothOppSendFileInfo>();
+ 
+     public static boolean isBluetoothShareUri(Uri uri) {
+-        return uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString());
++        if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString())
++                && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) {
++            EventLog.writeEvent(0x534e4554, "225880741", -1, "");
++        }
++        return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority());
+     }
+ 
+     public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {

Patches/LineageOS-14.1/android_packages_apps_Settings/345679.patch

@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Milton Wu <mingjuwu@google.com>
+Date: Mon, 8 Aug 2022 09:05:00 +0000
+Subject: [PATCH] Add FLAG_SECURE for ChooseLockPassword and Pattern
+
+Prevent ChooseLockPassword and ChooseLockPatten being projected to
+remote views, add FLAG_SECURE for these screens.
+
+Bug: 179725730
+Test: Check these 2 screens not projected to chromecast
+Test: robo test for SetupChooseLockPatternTest ChooseLockPatternTest
+      SetupChooseLockPasswordTest ChooseLockPasswordTest
+Change-Id: I7449a24427c966c1aa4280a7b7e7e70b60997cca
+---
+ src/com/android/settings/ChooseLockPassword.java | 3 +++
+ src/com/android/settings/ChooseLockPattern.java  | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/com/android/settings/ChooseLockPassword.java b/src/com/android/settings/ChooseLockPassword.java
+index 86696bb280..db1fbb4966 100644
+--- a/src/com/android/settings/ChooseLockPassword.java
++++ b/src/com/android/settings/ChooseLockPassword.java
+@@ -40,6 +40,7 @@ import android.view.LayoutInflater;
+ import android.view.View;
+ import android.view.View.OnClickListener;
+ import android.view.ViewGroup;
++import android.view.WindowManager;
+ import android.widget.Button;
+ import android.widget.EditText;
+ import android.widget.LinearLayout;
+@@ -149,6 +150,8 @@ public class ChooseLockPassword extends SettingsActivity {
+     @Override
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
++        getWindow().addPrivateFlags(
++                WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+         CharSequence msg = getText(R.string.lockpassword_choose_your_password_header);
+         setTitle(msg);
+         LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent);
+diff --git a/src/com/android/settings/ChooseLockPattern.java b/src/com/android/settings/ChooseLockPattern.java
+index b81a3edfef..76965d1750 100644
+--- a/src/com/android/settings/ChooseLockPattern.java
++++ b/src/com/android/settings/ChooseLockPattern.java
+@@ -26,6 +26,7 @@ import android.view.KeyEvent;
+ import android.view.LayoutInflater;
+ import android.view.View;
+ import android.view.ViewGroup;
++import android.view.WindowManager;
+ import android.widget.LinearLayout;
+ import android.widget.TextView;
+ 
+@@ -112,6 +113,8 @@ public class ChooseLockPattern extends SettingsActivity {
+     protected void onCreate(Bundle savedInstanceState) {
+         // requestWindowFeature(Window.FEATURE_NO_TITLE);
+         super.onCreate(savedInstanceState);
++        getWindow().addPrivateFlags(
++                WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
+         CharSequence msg = getText(R.string.lockpassword_choose_your_pattern_header);
+         setTitle(msg);
+         LinearLayout layout = (LinearLayout) findViewById(R.id.content_parent);

Patches/LineageOS-14.1/android_packages_services_Telecomm/345526.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tyler Gunn <tgunn@google.com>
+Date: Tue, 27 Sep 2022 15:19:05 -0700
+Subject: [PATCH] Hide overlay windows when showing phone account
+ enable/disable screen.
+
+Hide any system alert window overlays when the screen that lets the user
+enable/disable phone accounts is shown.
+
+Test: Manual test with overlay shown from test app; verify that the overlay
+is hidden when the phone account selection screen is opened.
+Bug: 246933359
+
+Change-Id: Ia0209d57ee9a672cde4196076845d77941dc3f68
+(cherry picked from commit a7d57ace5819c4eef340aaf6744ad441d0369035)
+Merged-In: Ia0209d57ee9a672cde4196076845d77941dc3f68
+---
+ .../telecom/settings/EnableAccountPreferenceActivity.java     | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
+index 2367825b3..b1d497abb 100644
+--- a/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
++++ b/src/com/android/server/telecom/settings/EnableAccountPreferenceActivity.java
+@@ -25,12 +25,16 @@ import android.telecom.Log;
+ import android.telecom.PhoneAccountHandle;
+ import android.telecom.TelecomManager;
+ import android.view.MenuItem;
++import android.view.WindowManager;
+ 
+ public class EnableAccountPreferenceActivity extends Activity {
+     @Override
+     public void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
+ 
++	getWindow().addPrivateFlags(
++                WindowManager.LayoutParams.PRIVATE_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS);
++
+         getFragmentManager().beginTransaction()
+                 .replace(android.R.id.content, new EnableAccountPreferenceFragment())
+                 .commit();

Patches/LineageOS-14.1/android_system_bt/345527.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ted Wang <tedwang@google.com>
+Date: Thu, 4 Aug 2022 09:41:24 +0800
+Subject: [PATCH] Add length check when copy AVDTP packet
+
+Bug: 232023771
+Test: make
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+(cherry picked from commit 07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f)
+Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
+---
+ stack/avdt/avdt_msg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c
+index 91a58403e..65d4485e7 100644
+--- a/stack/avdt/avdt_msg.c
++++ b/stack/avdt/avdt_msg.c
+@@ -1411,6 +1411,11 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
+          * would have allocated smaller buffer.
+          */
+         p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
++        if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE)
++        {
++            android_errorWriteLog(0x534e4554, "232023771");
++            return NULL;
++        }
+         memcpy(p_ccb->p_rx_msg, p_buf,
+                sizeof(BT_HDR) + p_buf->offset + p_buf->len);
+ 

Patches/LineageOS-14.1/android_system_bt/345528.patch

@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 25 Aug 2022 18:52:28 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Added max buffer length check
+
+Bug: 230867224
+Test: Manual -- paired Bluetooth headset and played audio
+Tags: #security
+Ignore-AOSP-First: Security
+Change-Id: I740038288143715a1c06db781efd674b269a7f3e
+(cherry picked from commit 769f55450bd2eb94ddb9080f730e404de7716bda)
+Merged-In: I740038288143715a1c06db781efd674b269a7f3e
+---
+ stack/avct/avct_lcb_act.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/stack/avct/avct_lcb_act.c b/stack/avct/avct_lcb_act.c
+index 878dd82b7..173c3070e 100644
+--- a/stack/avct/avct_lcb_act.c
++++ b/stack/avct/avct_lcb_act.c
+@@ -30,6 +30,7 @@
+ #include "avct_int.h"
+ #include "bt_common.h"
+ #include "btm_api.h"
++#include "osi/include/log.h"
+ 
+ /* packet header length lookup table */
+ const UINT8 avct_lcb_pkt_type_len[] = {
+@@ -61,8 +62,14 @@ static BT_HDR *avct_lcb_msg_asmbl(tAVCT_LCB *p_lcb, BT_HDR *p_buf)
+     AVCT_PRS_PKT_TYPE(p, pkt_type);
+ 
+     /* quick sanity check on length */
+-    if (p_buf->len < avct_lcb_pkt_type_len[pkt_type])
++    if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] ||
++        (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE)
+     {
++        if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) >
++            BT_DEFAULT_BUFFER_SIZE)
++        {
++            android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0);
++        }
+         osi_free(p_buf);
+         AVCT_TRACE_WARNING("Bad length during reassembly");
+         p_ret = NULL;

Patches/LineageOS-14.1/android_system_bt/345529.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Thu, 25 Aug 2022 20:39:08 +0000
+Subject: [PATCH] Add missing increment in bnep_api.cc
+
+Bug: 228450451
+Test: manual, pair BT and play audio
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I681878508feae3d0526ed3e928af7a415e7d5c36
+(cherry picked from commit 0fa54c7d8a2c061202e61d75b805661c1e89a76d)
+Merged-In: I681878508feae3d0526ed3e928af7a415e7d5c36
+---
+ stack/bnep/bnep_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
+index e1c9f2e3d..d40c66c3c 100644
+--- a/stack/bnep/bnep_api.c
++++ b/stack/bnep/bnep_api.c
+@@ -283,6 +283,7 @@ tBNEP_RESULT BNEP_ConnectResp (UINT16 handle, tBNEP_RESULT resp)
+         while (extension_present && p && rem_len)
+         {
+             ext_type = *p++;
++            rem_len--;
+             extension_present = ext_type >> 7;
+             ext_type &= 0x7F;
+ 

Patches/LineageOS-14.1/android_system_bt/345530.patch

@@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok <keithmok@google.com>
+Date: Tue, 16 Aug 2022 21:41:03 +0000
+Subject: [PATCH] Add length check when copy AVDT and AVCT packet
+
+Previous fix for AVDT causing memory leak.
+And missing similar fix for AVCT packet.
+
+Bug: 232023771
+Test: make
+Tag: #security
+Ignore-AOSP-First: Security
+Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
+Change-Id: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
+(cherry picked from commit a4311b284639bbd2c6c2c72d35d8444d40fb2d12)
+Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
+---
+ stack/avct/avct_lcb_act.c | 9 ++++++++-
+ stack/avdt/avdt_msg.c     | 6 ++++--
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/stack/avct/avct_lcb_act.c b/stack/avct/avct_lcb_act.c
+index 173c3070e..e1a7c3d26 100644
+--- a/stack/avct/avct_lcb_act.c
++++ b/stack/avct/avct_lcb_act.c
+@@ -92,13 +92,20 @@ static BT_HDR *avct_lcb_msg_asmbl(tAVCT_LCB *p_lcb, BT_HDR *p_buf)
+         if (p_lcb->p_rx_msg != NULL)
+             AVCT_TRACE_WARNING("Got start during reassembly");
+ 
+-        osi_free(p_lcb->p_rx_msg);
++        osi_free_and_reset((void**)&p_lcb->p_rx_msg);
+ 
+         /*
+          * Allocate bigger buffer for reassembly. As lower layers are
+          * not aware of possible packet size after reassembly, they
+          * would have allocated smaller buffer.
+          */
++        if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE)
++        {
++            android_errorWriteLog(0x534e4554, "232023771");
++            osi_free(p_buf);
++            p_ret = NULL;
++            return p_ret;
++        }
+         p_lcb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+         memcpy(p_lcb->p_rx_msg, p_buf,
+                sizeof(BT_HDR) + p_buf->offset + p_buf->len);
+diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c
+index 65d4485e7..acda49858 100644
+--- a/stack/avdt/avdt_msg.c
++++ b/stack/avdt/avdt_msg.c
+@@ -1410,12 +1410,14 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
+          * not aware of possible packet size after reassembly, they
+          * would have allocated smaller buffer.
+          */
+-        p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+         if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE)
+         {
+             android_errorWriteLog(0x534e4554, "232023771");
+-            return NULL;
++            osi_free(p_buf);
++            p_ret = NULL;
++            return p_ret;
+         }
++        p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+         memcpy(p_ccb->p_rx_msg, p_buf,
+                sizeof(BT_HDR) + p_buf->offset + p_buf->len);
+ 

Patches/LineageOS-14.1/android_system_bt/345531.patch

@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keith Mok <keithmok@google.com>
+Date: Mon, 22 Aug 2022 19:44:10 +0000
+Subject: [PATCH] Fix integer overflow when parsing avrc response
+
+Convert min_len from 16 bits to 32 bits to avoid
+length checking overflow.
+Also, use calloc instead of malloc for list allocation
+since caller need to clean up string memory in the list items
+
+Bug: 242459126
+Test: fuzz_avrc
+Tag: #security
+Ignore-AOSP-First: Security
+Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
+Change-Id: I7250509f2b320774926a8b24fd28828c5217d8a4
+(cherry picked from commit a593687d6ad3978f48e2aa7be57d8239acdfa501)
+Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
+---
+ stack/avdt/avdt_scb_act.c | 2 +-
+ stack/avrc/avrc_pars_ct.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c
+index d7cf791cc..f61abd626 100644
+--- a/stack/avdt/avdt_scb_act.c
++++ b/stack/avdt/avdt_scb_act.c
+@@ -363,7 +363,7 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len)
+     UINT8   *p_start = p;
+     UINT32  ssrc;
+     UINT8   o_v, o_p, o_cc;
+-    UINT16  min_len = 0;
++    UINT32  min_len = 0;
+     AVDT_REPORT_TYPE    pt;
+     tAVDT_REPORT_DATA   report, *p_rpt;
+ 
+diff --git a/stack/avrc/avrc_pars_ct.c b/stack/avrc/avrc_pars_ct.c
+index fc94424ba..b43fd5f55 100644
+--- a/stack/avrc/avrc_pars_ct.c
++++ b/stack/avrc/avrc_pars_ct.c
+@@ -148,7 +148,7 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p
+ 
+ tAVRC_STS avrc_parse_notification_rsp(UINT8* p_stream, UINT16 len,
+                                       tAVRC_REG_NOTIF_RSP* p_rsp) {
+-    UINT16 min_len = 1;
++    UINT32 min_len = 1;
+ 
+     if (len < min_len) goto length_error;
+     BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream);
+@@ -241,7 +241,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(
+     p++; /* skip the reserved/packe_type byte */
+ 
+     UINT16  len;
+-    UINT16  min_len = 0;
++    UINT32  min_len = 0;
+     BE_STREAM_TO_UINT16 (len, p);
+     AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d  vendor_len=0x%x", __func__,
+                     p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len);

Scripts/LineageOS-14.1/Patch.sh

@@ -76,7 +76,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 awk -i inplace '!/Exchange2/' target/product/core.mk;
-sed -i 's/2021-06-05/2022-11-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-11 #XXX
+sed -i 's/2021-06-05/2022-12-05/' core/version_defaults.mk; #Bump Security String #n-asb-2022-12 #XXX
 fi;
 
 if enterAndClear "device/qcom/sepolicy"; then
@@ -167,6 +167,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/343957.patch"; #n-asb-2022-11 C
 applyPatch "$DOS_PATCHES/android_frameworks_base/344188.patch"; #n-asb-2022-11 Do not send new Intent to non-exported activity when navigateUpTo
 applyPatch "$DOS_PATCHES/android_frameworks_base/344189.patch"; #n-asb-2022-11 Move accountname and typeName length check from Account.java to AccountManagerService.
 applyPatch "$DOS_PATCHES/android_frameworks_base/344217.patch"; #n-asb-2022-11 Do not dismiss keyguard after SIM PUK unlock
+applyPatch "$DOS_PATCHES/android_frameworks_base/345519.patch"; #n-asb-2022-12 Validate package name passed to setApplicationRestrictions.
+applyPatch "$DOS_PATCHES/android_frameworks_base/345520.patch"; #n-asb-2022-12 Ignore malformed shortcuts
+applyPatch "$DOS_PATCHES/android_frameworks_base/345521.patch"; #n-asb-2022-12 Fix permanent denial of service via setComponentEnabledSetting
+applyPatch "$DOS_PATCHES/android_frameworks_base/345522.patch"; #n-asb-2022-12 Add safety checks on KEY_INTENT mismatch.
 git revert --no-edit 0326bb5e41219cf502727c3aa44ebf2daa19a5b3; #Re-enable doze on devices without gms
 applyPatch "$DOS_PATCHES/android_frameworks_base/248599.patch"; #Make SET_TIME_ZONE permission match SET_TIME (AOSP)
 applyPatch "$DOS_PATCHES/android_frameworks_base/0001-Reduced_Resolution.patch"; #Allow reducing resolution to save power TODO: Add 800x480 (DivestOS)
@@ -183,6 +187,11 @@ rm -rf packages/Osu; #Automatic Wi-Fi connection non-sense
 rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
 fi;
 
+if enterAndClear "frameworks/minikin"; then
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345523.patch"; #n-asb-2022-12 Fix OOB read for registerLocaleList
+applyPatch "$DOS_PATCHES/android_frameworks_minikin/345524.patch"; #n-asb-2022-12 Fix OOB crash for registerLocaleList
+fi;
+
 if enterAndClear "frameworks/native"; then
 applyPatch "$DOS_PATCHES/android_frameworks_native/315714.patch"; #n-asb-2021-09 Do not modify vector after getting references
 applyPatch "$DOS_PATCHES/android_frameworks_native/325993.patch"; #n-asb-2022-03 Check if the window is partially obscured for slippery enters
@@ -276,6 +285,7 @@ fi;
 if enterAndClear "packages/apps/Bluetooth"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332451.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332452.patch"; #n-asb-2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345525.patch"; #n-asb-2022-12 Fix URI check in BluetoothOppUtility.java
 fi;
 
 if enterAndClear "packages/apps/Contacts"; then
@@ -323,6 +333,7 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/327099.patch"; #n-asb-20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334037.patch"; #n-asb-2022-07 Fix LaunchAnyWhere in AppRestrictionsFragment
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334874.patch"; #n-asb-2022-08 Verify ringtone from ringtone picker is audio
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/334875.patch"; #n-asb-2022-08 Fix Settings crash when setting a null ringtone
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/345679.patch"; #n-asb-2022-12 Add FLAG_SECURE for ChooseLockPassword and Pattern
 git revert --no-edit 2ebe6058c546194a301c1fd22963d6be4adbf961; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/201113.patch"; #wifi: Add world regulatory domain country code (syphyr)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@@ -362,6 +373,7 @@ fi;
 if enterAndClear "packages/services/Telecomm"; then
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/332456.patch"; #n-asb-2022-06 limit TelecomManager#registerPhoneAccount to 10
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/343953.patch"; #n-asb-2022-11 Switch TelecomManager List getters to ParceledListSlice
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/345526.patch"; #n-asb-2022-12 Hide overlay windows when showing phone account enable/disable screen.
 fi;
 
 if enterAndClear "packages/services/Telephony"; then
@@ -398,6 +410,11 @@ applyPatch "$DOS_PATCHES/android_system_bt/338000.patch"; #n-asb-2022-09 Fix OOB
 applyPatch "$DOS_PATCHES/android_system_bt/341070.patch"; #n-asb-2022-10 Fix potential interger overflow when parsing vendor response
 applyPatch "$DOS_PATCHES/android_system_bt/343958.patch"; #n-asb-2022-11 Add buffer in pin_reply in bluetooth.cc
 applyPatch "$DOS_PATCHES/android_system_bt/343959.patch"; #n-asb-2022-11 Add negative length check in process_service_search_rsp
+applyPatch "$DOS_PATCHES/android_system_bt/345527.patch"; #n-asb-2022-12 Add length check when copy AVDTP packet
+applyPatch "$DOS_PATCHES/android_system_bt/345528.patch"; #n-asb-2022-12 Added max buffer length check
+applyPatch "$DOS_PATCHES/android_system_bt/345529.patch"; #n-asb-2022-12 Add missing increment in bnep_api.cc
+applyPatch "$DOS_PATCHES/android_system_bt/345530.patch"; #n-asb-2022-12 Add length check when copy AVDT and AVCT packet
+applyPatch "$DOS_PATCHES/android_system_bt/345531.patch"; #n-asb-2022-12 Fix integer overflow when parsing avrc response
 applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
 applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie)