mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-12 16:09:36 -05:00
15.1 July ASB work
Signed-off-by: Tad <tad@spotco.us>
This commit is contained in:
parent
293f97d678
commit
9d6662dee7
@ -0,0 +1,50 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Werner Lemberg <wl@gnu.org>
|
||||
Date: Sat, 19 Mar 2022 06:40:17 +0100
|
||||
Subject: [PATCH] DO NOT MERGE - Cherry-pick two upstream changes
|
||||
|
||||
This cherry picks following two changes:
|
||||
|
||||
0c2bdb01a2e1d24a3e592377a6d0822856e10df2
|
||||
22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
|
||||
|
||||
Bug: 271680254
|
||||
Test: N/A
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ffa271ab538f57b65a65d434a2df9d3f8cd2f4a)
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b0f8930701bf19229075cc930ad15813ff5fb07b)
|
||||
Merged-In: I42469df8e8b07221d64e3f8574c4f30110dbda7e
|
||||
Change-Id: I42469df8e8b07221d64e3f8574c4f30110dbda7e
|
||||
---
|
||||
src/base/ftobjs.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
|
||||
index 59d65e2a6..54aa8230d 100644
|
||||
--- a/src/base/ftobjs.c
|
||||
+++ b/src/base/ftobjs.c
|
||||
@@ -2176,6 +2176,15 @@
|
||||
#endif
|
||||
|
||||
|
||||
+ /* only use lower 31 bits together with sign bit */
|
||||
+ if ( face_index > 0 )
|
||||
+ face_index &= 0x7FFFFFFFL;
|
||||
+ else
|
||||
+ {
|
||||
+ face_index &= 0x7FFFFFFFL;
|
||||
+ face_index = -face_index;
|
||||
+ }
|
||||
+
|
||||
#ifdef FT_DEBUG_LEVEL_TRACE
|
||||
FT_TRACE3(( "FT_Open_Face: " ));
|
||||
if ( face_index < 0 )
|
||||
@@ -3041,6 +3050,9 @@
|
||||
if ( !face )
|
||||
return FT_THROW( Invalid_Face_Handle );
|
||||
|
||||
+ if ( !face->size )
|
||||
+ return FT_THROW( Invalid_Size_Handle );
|
||||
+
|
||||
if ( !req || req->width < 0 || req->height < 0 ||
|
||||
req->type >= FT_SIZE_REQUEST_TYPE_MAX )
|
||||
return FT_THROW( Invalid_Argument );
|
@ -0,0 +1,146 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Lucas Lin <lucaslin@google.com>
|
||||
Date: Fri, 3 Mar 2023 08:13:50 +0000
|
||||
Subject: [PATCH] Sanitize VPN label to prevent HTML injection
|
||||
|
||||
This commit will try to sanitize the content of VpnDialog. This
|
||||
commit creates a function which will try to sanitize the VPN
|
||||
label, if the sanitized VPN label is different from the original
|
||||
one, which means the VPN label might contain HTML tag or the VPN
|
||||
label violates the words restriction(may contain some wording
|
||||
which will mislead the user). For this kind of case, show the
|
||||
package name instead of the VPN label to prevent misleading the
|
||||
user.
|
||||
|
||||
The malicious VPN app might be able to add a large number of line
|
||||
breaks with HTML in order to hide the system-displayed text from
|
||||
the user in the connection request dialog. Thus, sanitizing the
|
||||
content of the dialog is needed.
|
||||
|
||||
Bug: 204554636
|
||||
Test: N/A
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2178216b98bf9865edee198f45192f0b883624ab)
|
||||
Merged-In: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
|
||||
Change-Id: I8eb890fd2e5797d8d6ab5b12f9c628bc9616081d
|
||||
---
|
||||
packages/VpnDialogs/res/values/strings.xml | 29 ++++++++++
|
||||
.../com/android/vpndialogs/ConfirmDialog.java | 53 +++++++++++++++++--
|
||||
2 files changed, 77 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/packages/VpnDialogs/res/values/strings.xml b/packages/VpnDialogs/res/values/strings.xml
|
||||
index 406bcc34a101..7389f765c717 100644
|
||||
--- a/packages/VpnDialogs/res/values/strings.xml
|
||||
+++ b/packages/VpnDialogs/res/values/strings.xml
|
||||
@@ -50,4 +50,33 @@
|
||||
<xliff:g id="number">%1$s</xliff:g> bytes /
|
||||
<xliff:g id="number">%2$s</xliff:g> packets
|
||||
</string>
|
||||
+
|
||||
+ <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs
|
||||
+ into displaying what they want. The system will attempt to sanitize the label, and if the
|
||||
+ label is deemed dangerous, then this string is used instead. The first argument is the
|
||||
+ first 30 characters of the label, and the second argument is the package name of the app.
|
||||
+ Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read
|
||||
+ "My VPN app wants to set up a VPN connection...". If the label is very long, then, this
|
||||
+ will be used to show "VerylongVPNlabel… (com.my.vpn.app) wants to set up a VPN
|
||||
+ connection...". For this case, the code will refer to sanitized_vpn_label_with_ellipsis.
|
||||
+ -->
|
||||
+ <string name="sanitized_vpn_label_with_ellipsis">
|
||||
+ <xliff:g id="sanitized_vpn_label_with_ellipsis" example="My VPN app">%1$s</xliff:g>… (
|
||||
+ <xliff:g id="sanitized_vpn_label_with_ellipsis" example="com.my.vpn.app">%2$s</xliff:g>)
|
||||
+ </string>
|
||||
+
|
||||
+ <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs
|
||||
+ into displaying what they want. The system will attempt to sanitize the label, and if the
|
||||
+ label is deemed dangerous, then this string is used instead. The first argument is the
|
||||
+ label, and the second argument is the package name of the app.
|
||||
+ Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read
|
||||
+ "My VPN app wants to set up a VPN connection...". If the VPN label contains HTML tag but
|
||||
+ the length is not very long, the dialog will show "VpnLabelWith<br>HtmlTag
|
||||
+ (com.my.vpn.app) wants to set up a VPN connection...". For this case, the code will refer
|
||||
+ to sanitized_vpn_label.
|
||||
+ -->
|
||||
+ <string name="sanitized_vpn_label">
|
||||
+ <xliff:g id="sanitized_vpn_label" example="My VPN app">%1$s</xliff:g> (
|
||||
+ <xliff:g id="sanitized_vpn_label" example="com.my.vpn.app">%2$s</xliff:g>)
|
||||
+ </string>
|
||||
</resources>
|
||||
diff --git a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
|
||||
index 09339743db5c..43d18df3a10d 100644
|
||||
--- a/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
|
||||
+++ b/packages/VpnDialogs/src/com/android/vpndialogs/ConfirmDialog.java
|
||||
@@ -42,10 +42,52 @@ public class ConfirmDialog extends AlertActivity
|
||||
implements DialogInterface.OnClickListener, ImageGetter {
|
||||
private static final String TAG = "VpnConfirm";
|
||||
|
||||
+ // Usually the label represents the app name, 150 code points might be enough to display the app
|
||||
+ // name, and 150 code points won't cover the warning message from VpnDialog.
|
||||
+ static final int MAX_VPN_LABEL_LENGTH = 150;
|
||||
+
|
||||
private String mPackage;
|
||||
|
||||
private IConnectivityManager mService;
|
||||
|
||||
+ private View mView;
|
||||
+
|
||||
+ /**
|
||||
+ * This function will use the string resource to combine the VPN label and the package name.
|
||||
+ *
|
||||
+ * If the VPN label violates the length restriction, the first 30 code points of VPN label and
|
||||
+ * the package name will be returned. Or return the VPN label and the package name directly if
|
||||
+ * the VPN label doesn't violate the length restriction.
|
||||
+ *
|
||||
+ * The result will be something like,
|
||||
+ * - ThisIsAVeryLongVpnAppNameWhich... (com.vpn.app)
|
||||
+ * if the VPN label violates the length restriction.
|
||||
+ * or
|
||||
+ * - VpnLabelWith<br>HtmlTag (com.vpn.app)
|
||||
+ * if the VPN label doesn't violate the length restriction.
|
||||
+ *
|
||||
+ */
|
||||
+ private String getSimplifiedLabel(String vpnLabel, String packageName) {
|
||||
+ if (vpnLabel.codePointCount(0, vpnLabel.length()) > 30) {
|
||||
+ return getString(R.string.sanitized_vpn_label_with_ellipsis,
|
||||
+ vpnLabel.substring(0, vpnLabel.offsetByCodePoints(0, 30)),
|
||||
+ packageName);
|
||||
+ }
|
||||
+
|
||||
+ return getString(R.string.sanitized_vpn_label, vpnLabel, packageName);
|
||||
+ }
|
||||
+
|
||||
+ protected String getSanitizedVpnLabel(String vpnLabel, String packageName) {
|
||||
+ final String sanitizedVpnLabel = Html.escapeHtml(vpnLabel);
|
||||
+ final boolean exceedMaxVpnLabelLength = sanitizedVpnLabel.codePointCount(0,
|
||||
+ sanitizedVpnLabel.length()) > MAX_VPN_LABEL_LENGTH;
|
||||
+ if (exceedMaxVpnLabelLength || !vpnLabel.equals(sanitizedVpnLabel)) {
|
||||
+ return getSimplifiedLabel(sanitizedVpnLabel, packageName);
|
||||
+ }
|
||||
+
|
||||
+ return sanitizedVpnLabel;
|
||||
+ }
|
||||
+
|
||||
@Override
|
||||
protected void onCreate(Bundle savedInstanceState) {
|
||||
super.onCreate(savedInstanceState);
|
||||
@@ -68,15 +110,16 @@ public class ConfirmDialog extends AlertActivity
|
||||
finish();
|
||||
return;
|
||||
}
|
||||
- View view = View.inflate(this, R.layout.confirm, null);
|
||||
- ((TextView) view.findViewById(R.id.warning)).setText(
|
||||
- Html.fromHtml(getString(R.string.warning, getVpnLabel()),
|
||||
- this, null /* tagHandler */));
|
||||
+ mView = View.inflate(this, R.layout.confirm, null);
|
||||
+ ((TextView) mView.findViewById(R.id.warning)).setText(
|
||||
+ Html.fromHtml(getString(R.string.warning, getSanitizedVpnLabel(
|
||||
+ getVpnLabel().toString(), mPackage)),
|
||||
+ this /* imageGetter */, null /* tagHandler */));
|
||||
mAlertParams.mTitle = getText(R.string.prompt);
|
||||
mAlertParams.mPositiveButtonText = getText(android.R.string.ok);
|
||||
mAlertParams.mPositiveButtonListener = this;
|
||||
mAlertParams.mNegativeButtonText = getText(android.R.string.cancel);
|
||||
- mAlertParams.mView = view;
|
||||
+ mAlertParams.mView = mView;
|
||||
setupAlert();
|
||||
|
||||
getWindow().setCloseOnTouchOutside(false);
|
@ -0,0 +1,84 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Groover <mpgroover@google.com>
|
||||
Date: Fri, 31 Mar 2023 21:31:22 +0000
|
||||
Subject: [PATCH] Limit the number of supported v1 and v2 signers
|
||||
|
||||
The v1 and v2 APK Signature Schemes support multiple signers; this
|
||||
was intended to allow multiple entities to sign an APK. Previously,
|
||||
the platform had no limits placed on the number of signers supported
|
||||
in an APK, but this commit sets a hard limit of 10 supported signers
|
||||
for these signature schemes to ensure a large number of signers
|
||||
does not place undue burden on the platform.
|
||||
|
||||
Bug: 266580022
|
||||
Test: Manually verified the platform only allowed an APK with the
|
||||
maximum number of supported signers.
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:6f6ee8a55f37c2b8c0df041b2bd53ec928764597)
|
||||
Merged-In: I6aa86b615b203cdc69d58a593ccf8f18474ca091
|
||||
Change-Id: I6aa86b615b203cdc69d58a593ccf8f18474ca091
|
||||
---
|
||||
.../util/apk/ApkSignatureSchemeV2Verifier.java | 10 ++++++++++
|
||||
core/java/android/util/jar/StrictJarVerifier.java | 11 +++++++++++
|
||||
2 files changed, 21 insertions(+)
|
||||
|
||||
diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
|
||||
index 0216a0752a9c..01cc065e6800 100644
|
||||
--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
|
||||
+++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
|
||||
@@ -219,6 +219,11 @@ public class ApkSignatureSchemeV2Verifier {
|
||||
}
|
||||
while (signers.hasRemaining()) {
|
||||
signerCount++;
|
||||
+ if (signerCount > MAX_V2_SIGNERS) {
|
||||
+ throw new SecurityException(
|
||||
+ "APK Signature Scheme v2 only supports a maximum of " + MAX_V2_SIGNERS
|
||||
+ + " signers");
|
||||
+ }
|
||||
try {
|
||||
ByteBuffer signer = getLengthPrefixedSlice(signers);
|
||||
X509Certificate[] certs = verifySigner(signer, contentDigests, certFactory);
|
||||
@@ -855,6 +860,11 @@ public class ApkSignatureSchemeV2Verifier {
|
||||
|
||||
private static final int APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871a;
|
||||
|
||||
+ /**
|
||||
+ * The maximum number of signers supported by the v2 APK signature scheme.
|
||||
+ */
|
||||
+ private static final int MAX_V2_SIGNERS = 10;
|
||||
+
|
||||
private static Pair<ByteBuffer, Long> findApkSigningBlock(
|
||||
RandomAccessFile apk, long centralDirOffset)
|
||||
throws IOException, SignatureNotFoundException {
|
||||
diff --git a/core/java/android/util/jar/StrictJarVerifier.java b/core/java/android/util/jar/StrictJarVerifier.java
|
||||
index debc170fa537..fba2e0e5bc1a 100644
|
||||
--- a/core/java/android/util/jar/StrictJarVerifier.java
|
||||
+++ b/core/java/android/util/jar/StrictJarVerifier.java
|
||||
@@ -66,6 +66,11 @@ class StrictJarVerifier {
|
||||
"SHA1",
|
||||
};
|
||||
|
||||
+ /**
|
||||
+ * The maximum number of signers supported by the JAR signature scheme.
|
||||
+ */
|
||||
+ private static final int MAX_JAR_SIGNERS = 10;
|
||||
+
|
||||
private final String jarName;
|
||||
private final StrictJarManifest manifest;
|
||||
private final HashMap<String, byte[]> metaEntries;
|
||||
@@ -281,10 +286,16 @@ class StrictJarVerifier {
|
||||
return false;
|
||||
}
|
||||
|
||||
+ int signerCount = 0;
|
||||
Iterator<String> it = metaEntries.keySet().iterator();
|
||||
while (it.hasNext()) {
|
||||
String key = it.next();
|
||||
if (key.endsWith(".DSA") || key.endsWith(".RSA") || key.endsWith(".EC")) {
|
||||
+ if (++signerCount > MAX_JAR_SIGNERS) {
|
||||
+ throw new SecurityException(
|
||||
+ "APK Signature Scheme v1 only supports a maximum of " + MAX_JAR_SIGNERS
|
||||
+ + " signers");
|
||||
+ }
|
||||
verifyCertificate(key);
|
||||
it.remove();
|
||||
}
|
@ -0,0 +1,99 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Andr=C3=A1s=20Kurucz?= <kurucz@google.com>
|
||||
Date: Fri, 21 Apr 2023 09:45:07 +0000
|
||||
Subject: [PATCH] Truncate ShortcutInfo Id
|
||||
|
||||
Creating Conversation with a ShortcutId longer than 65_535 (max unsigned short), we did not save the conversation settings into the notification_policy.xml due to a restriction in FastDataOutput.
|
||||
This put us to a state where the user changing the importance or turning off the notifications for the given conversation had no effect on notification behavior.
|
||||
|
||||
Fixes: 273729476
|
||||
Test: atest ShortcutManagerTest2
|
||||
Test: Create a test app which creates a Conversation with a long shortcutId. Go to the Conversation Settings and turn off Notifications. Post a new Notification to this Conversation and see if it is displayed.
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f31df6234091b5b1de258a01dd4b2d8e5415ee2e)
|
||||
Merged-In: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
|
||||
Change-Id: I2617de6f9e8a7dbfd8fbeff589a7d592f00d87c5
|
||||
---
|
||||
.../java/android/content/pm/ShortcutInfo.java | 20 ++++++++++++++++---
|
||||
.../server/pm/ShortcutManagerTest2.java | 10 ++++++++++
|
||||
2 files changed, 27 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/core/java/android/content/pm/ShortcutInfo.java b/core/java/android/content/pm/ShortcutInfo.java
|
||||
index d3a3560c7229..7629b0d7f0d9 100644
|
||||
--- a/core/java/android/content/pm/ShortcutInfo.java
|
||||
+++ b/core/java/android/content/pm/ShortcutInfo.java
|
||||
@@ -144,6 +144,12 @@ public final class ShortcutInfo implements Parcelable {
|
||||
public static final int CLONE_REMOVE_FOR_LAUNCHER_APPROVAL = CLONE_REMOVE_INTENT
|
||||
| CLONE_REMOVE_RES_NAMES;
|
||||
|
||||
+ /**
|
||||
+ * The maximum length of Shortcut ID. IDs will be truncated at this limit.
|
||||
+ * @hide
|
||||
+ */
|
||||
+ public static final int MAX_ID_LENGTH = 1000;
|
||||
+
|
||||
/** @hide */
|
||||
@IntDef(flag = true,
|
||||
value = {
|
||||
@@ -242,8 +248,7 @@ public final class ShortcutInfo implements Parcelable {
|
||||
|
||||
private ShortcutInfo(Builder b) {
|
||||
mUserId = b.mContext.getUserId();
|
||||
-
|
||||
- mId = Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided");
|
||||
+ mId = getSafeId(Preconditions.checkStringNotEmpty(b.mId, "Shortcut ID must be provided"));
|
||||
|
||||
// Note we can't do other null checks here because SM.updateShortcuts() takes partial
|
||||
// information.
|
||||
@@ -325,6 +330,14 @@ public final class ShortcutInfo implements Parcelable {
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ @NonNull
|
||||
+ private static String getSafeId(@NonNull String id) {
|
||||
+ if (id.length() > MAX_ID_LENGTH) {
|
||||
+ return id.substring(0, MAX_ID_LENGTH);
|
||||
+ }
|
||||
+ return id;
|
||||
+ }
|
||||
+
|
||||
/**
|
||||
* Throws if any of the mandatory fields is not set.
|
||||
*
|
||||
@@ -1662,7 +1675,8 @@ public final class ShortcutInfo implements Parcelable {
|
||||
final ClassLoader cl = getClass().getClassLoader();
|
||||
|
||||
mUserId = source.readInt();
|
||||
- mId = source.readString();
|
||||
+ mId = getSafeId(Preconditions.checkStringNotEmpty(source.readString(),
|
||||
+ "Shortcut ID must be provided"));
|
||||
mPackageName = source.readString();
|
||||
mActivity = source.readParcelable(cl);
|
||||
mFlags = source.readInt();
|
||||
diff --git a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
|
||||
index 3220ea960f5d..30c82350f45c 100644
|
||||
--- a/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
|
||||
+++ b/services/tests/servicestests/src/com/android/server/pm/ShortcutManagerTest2.java
|
||||
@@ -53,6 +53,7 @@ import java.io.IOException;
|
||||
import java.io.PrintWriter;
|
||||
import java.io.StringWriter;
|
||||
import java.io.Writer;
|
||||
+import java.util.Collections;
|
||||
import java.util.Locale;
|
||||
|
||||
/**
|
||||
@@ -223,6 +224,15 @@ public class ShortcutManagerTest2 extends BaseShortcutManagerTest {
|
||||
});
|
||||
}
|
||||
|
||||
+ public void testShortcutIdTruncated() {
|
||||
+ ShortcutInfo si = new ShortcutInfo.Builder(getTestContext(),
|
||||
+ String.join("", Collections.nCopies(Short.MAX_VALUE, "s"))).build();
|
||||
+
|
||||
+ assertTrue(
|
||||
+ "id must be truncated to MAX_ID_LENGTH",
|
||||
+ si.getId().length() <= ShortcutInfo.MAX_ID_LENGTH);
|
||||
+ }
|
||||
+
|
||||
public void testShortcutInfoParcel() {
|
||||
setCaller(CALLING_PACKAGE_1, USER_10);
|
||||
ShortcutInfo si = parceled(new ShortcutInfo.Builder(mClientContext)
|
45
Patches/LineageOS-15.1/android_system_bt/360969.patch
Normal file
45
Patches/LineageOS-15.1/android_system_bt/360969.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: tyiu <tyiu@google.com>
|
||||
Date: Tue, 28 Mar 2023 18:40:51 +0000
|
||||
Subject: [PATCH] Fix gatt_end_operation buffer overflow
|
||||
|
||||
Added boundary check for gatt_end_operation to prevent writing out of
|
||||
boundary.
|
||||
|
||||
Since response of the GATT server is handled in
|
||||
gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
|
||||
lenth that can be passed into the handlers is bounded by
|
||||
GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
|
||||
GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec
|
||||
that gaurentees MTU response to be less than or equal to 512 bytes can
|
||||
cause a buffer overflow when performing memcpy without length check.
|
||||
|
||||
Bug: 261068592
|
||||
Test: No test since not affecting behavior
|
||||
Tag: #security
|
||||
Ignore-AOSP-First: security
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200)
|
||||
Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
|
||||
Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
|
||||
---
|
||||
stack/gatt/gatt_utils.cc | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/stack/gatt/gatt_utils.cc b/stack/gatt/gatt_utils.cc
|
||||
index e7cc76286..084b13c2e 100644
|
||||
--- a/stack/gatt/gatt_utils.cc
|
||||
+++ b/stack/gatt/gatt_utils.cc
|
||||
@@ -1326,6 +1326,13 @@ void gatt_end_operation(tGATT_CLCB* p_clcb, tGATT_STATUS status, void* p_data) {
|
||||
cb_data.att_value.handle = p_clcb->s_handle;
|
||||
cb_data.att_value.len = p_clcb->counter;
|
||||
|
||||
+ if (cb_data.att_value.len > GATT_MAX_ATTR_LEN) {
|
||||
+ LOG(WARNING) << __func__
|
||||
+ << StringPrintf(" Large cb_data.att_value, size=%d",
|
||||
+ cb_data.att_value.len);
|
||||
+ cb_data.att_value.len = GATT_MAX_ATTR_LEN;
|
||||
+ }
|
||||
+
|
||||
if (p_data && p_clcb->counter)
|
||||
memcpy(cb_data.att_value.value, p_data, cb_data.att_value.len);
|
||||
}
|
@ -0,0 +1,36 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Alisher Alikhodjaev <alisher@google.com>
|
||||
Date: Tue, 2 May 2023 14:20:57 -0700
|
||||
Subject: [PATCH] OOBW in rw_i93_send_to_upper()
|
||||
|
||||
Bug: 271849189
|
||||
Test: tag r/w
|
||||
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dc9d09e1698725712628d394bf9be4c9003579e8)
|
||||
Merged-In: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
|
||||
Change-Id: I1d55954e56a3f995f8dd48bf484fe9fce02b2ed1
|
||||
|
||||
Change-Id: I9cd9658bf50144092c1cf196fd9272ffbac2fc55
|
||||
---
|
||||
src/nfc/tags/rw_i93.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/nfc/tags/rw_i93.c b/src/nfc/tags/rw_i93.c
|
||||
index fbe09fcf..9cc0429a 100644
|
||||
--- a/src/nfc/tags/rw_i93.c
|
||||
+++ b/src/nfc/tags/rw_i93.c
|
||||
@@ -398,6 +398,15 @@ void rw_i93_send_to_upper(NFC_HDR* p_resp) {
|
||||
case I93_CMD_READ_MULTI_BLOCK:
|
||||
case I93_CMD_GET_MULTI_BLK_SEC:
|
||||
|
||||
+ if (UINT16_MAX - length < NFC_HDR_SIZE) {
|
||||
+ rw_data.i93_cmd_cmpl.status = NFC_STATUS_FAILED;
|
||||
+ rw_data.i93_cmd_cmpl.command = p_i93->sent_cmd;
|
||||
+ rw_cb.tcb.i93.sent_cmd = 0;
|
||||
+
|
||||
+ event = RW_I93_CMD_CMPL_EVT;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
/* forward tag data or security status */
|
||||
p_buff = (NFC_HDR*)GKI_getbuf((uint16_t)(length + NFC_HDR_SIZE));
|
||||
|
@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
|
||||
applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
|
||||
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
|
||||
awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
|
||||
sed -i 's/2021-10-05/2023-06-05/' core/version_defaults.mk; #Bump Security String #XXX
|
||||
sed -i 's/2021-10-05/2023-07-05/' core/version_defaults.mk; #Bump Security String #XXX
|
||||
fi;
|
||||
|
||||
if enterAndClear "build/soong"; then
|
||||
@ -108,6 +108,10 @@ applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2
|
||||
applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649)
|
||||
fi;
|
||||
|
||||
if enterAndClear "external/freetype"; then
|
||||
applyPatch "$DOS_PATCHES/android_external_freetype/360951.patch"; #R_asb_2023-07 Cherry-pick two upstream changes
|
||||
fi;
|
||||
|
||||
#if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then
|
||||
#if enterAndClear "external/hardened_malloc"; then
|
||||
#git revert --no-edit 3d18fb80742fd80a75481b580d102deb18c74af9; #compile fix
|
||||
@ -185,6 +189,9 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/355767.patch"; #R_asb_2023-05 E
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/358560-backport.patch"; #R_asb_2023-06 Check key intent for selectors and prohibited flags
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/358561-backport.patch"; #R_asb_2023-06 Handle invalid data during job loading.
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/358732-backport.patch"; #n-asb-2023-06 Prevent RemoteViews crashing SystemUi
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360953-backport.patch"; #R_asb_2023-07 Sanitize VPN label to prevent HTML injection
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360954-backport.patch"; #R_asb_2023-07 Limit the number of supported v1 and v2 signers
|
||||
applyPatch "$DOS_PATCHES/android_frameworks_base/360962-backport.patch"; #R_asb_2023-07 Truncate ShortcutInfo Id
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
|
||||
applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
|
||||
@ -416,6 +423,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/354247.patch"; #P_asb_2023-04 Fix an
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/358580.patch"; #R_asb_2023-06 Prevent use-after-free of HID reports
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/358581-backport.patch"; #R_asb_2023-06 Revert "Revert "[RESTRICT AUTOMERGE] Validate buffer length in sdpu_build_uuid_seq""
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/358582.patch"; #R_asb_2023-06 Revert "Revert "Fix wrong BR/EDR link key downgrades (P_256->P_192)""
|
||||
applyPatch "$DOS_PATCHES/android_system_bt/360969.patch"; #R_asb_2023-07 Fix gatt_end_operation buffer overflow
|
||||
fi;
|
||||
|
||||
if enterAndClear "system/ca-certificates"; then
|
||||
@ -454,6 +462,7 @@ applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/33245
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/332459-backport.patch"; #n-asb-2022-06 OOBR in nfc_ncif_proc_ee_discover_req()
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/344190-backport.patch"; #P_asb_2022-11 OOBW in phNxpNciHal_write_unlocked()
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/353760-backport.patch"; #n-asb-2023-04 OOBW in nci_snd_set_routing_cmd()
|
||||
applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_external_libnfc-nci/360898-backport.patch"; #n-asb-2023-07 OOBW in rw_i93_send_to_upper()
|
||||
fi;
|
||||
|
||||
if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then #keep in sync with packages/apps/Nfc
|
||||
|
Loading…
Reference in New Issue
Block a user