Reconcile picks

Gains 3 backports for 17.1
and an expat backport for 16.0 and 17.1
thanks to @flamefire

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-16.0/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch

@@ -0,0 +1,38 @@
+From 33050b14552fd7d0767bdc56fc9448323443735e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 22 Sep 2022 16:51:17 +0200
+Subject: [PATCH] lib: Stop leaking opening tag bindings after closing tag
+ mismatch error
+
+.. by moving the opening tag onto the free tag list only
+*after* the tag match check has passed.
+
+Change-Id: Ia6e29060abc733548bca1910735466c415cbd58c
+---
+ lib/xmlparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 2f48cf1..a891f5a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2962,9 +2962,6 @@ doContent(XML_Parser parser,
+         int len;
+         const char *rawName;
+         TAG *tag = parser->m_tagStack;
+-        parser->m_tagStack = tag->parent;
+-        tag->parent = parser->m_freeTagList;
+-        parser->m_freeTagList = tag;
+         rawName = s + enc->minBytesPerChar*2;
+         len = XmlNameLength(enc, rawName);
+         if (len != tag->rawNameLength
+@@ -2972,6 +2969,9 @@ doContent(XML_Parser parser,
+           *eventPP = rawName;
+           return XML_ERROR_TAG_MISMATCH;
+         }
++        parser->m_tagStack = tag->parent;
++        tag->parent = parser->m_freeTagList;
++        parser->m_freeTagList = tag;
+         --parser->m_tagLevel;
+         if (parser->m_endElementHandler) {
+           const XML_Char *localPart;

Patches/LineageOS-17.1/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch

@@ -0,0 +1,38 @@
+From 33050b14552fd7d0767bdc56fc9448323443735e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 22 Sep 2022 16:51:17 +0200
+Subject: [PATCH] lib: Stop leaking opening tag bindings after closing tag
+ mismatch error
+
+.. by moving the opening tag onto the free tag list only
+*after* the tag match check has passed.
+
+Change-Id: Ia6e29060abc733548bca1910735466c415cbd58c
+---
+ lib/xmlparse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 2f48cf1..a891f5a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2962,9 +2962,6 @@ doContent(XML_Parser parser,
+         int len;
+         const char *rawName;
+         TAG *tag = parser->m_tagStack;
+-        parser->m_tagStack = tag->parent;
+-        tag->parent = parser->m_freeTagList;
+-        parser->m_freeTagList = tag;
+         rawName = s + enc->minBytesPerChar*2;
+         len = XmlNameLength(enc, rawName);
+         if (len != tag->rawNameLength
+@@ -2972,6 +2969,9 @@ doContent(XML_Parser parser,
+           *eventPP = rawName;
+           return XML_ERROR_TAG_MISMATCH;
+         }
++        parser->m_tagStack = tag->parent;
++        tag->parent = parser->m_freeTagList;
++        parser->m_freeTagList = tag;
+         --parser->m_tagLevel;
+         if (parser->m_endElementHandler) {
+           const XML_Char *localPart;

Patches/LineageOS-17.1/android_frameworks_av/402601.patch

@@ -0,0 +1,48 @@
+From d4ac842dbe57dbacd69bc258d4ee8aecf672d8a9 Mon Sep 17 00:00:00 2001
+From: Alexander Grund <flamefire89@gmail.com>
+Date: Tue, 27 Aug 2024 16:53:27 +0200
+Subject: [PATCH] Fix flag check in JAudioTrack.cpp
+
+Checking for a bitwise flag needs to use `&` not `|` as the latter will
+yield a non-zero result in all (relevant) cases.
+
+Change-Id: Ifd2e98e7bb394c35a8a2f4ebde512046823da043
+---
+ media/libmediaplayer2/JAudioTrack.cpp | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/media/libmediaplayer2/JAudioTrack.cpp b/media/libmediaplayer2/JAudioTrack.cpp
+index fab6c649fc6..be91e9a920c 100644
+--- a/media/libmediaplayer2/JAudioTrack.cpp
++++ b/media/libmediaplayer2/JAudioTrack.cpp
+@@ -695,26 +695,26 @@ jobject JAudioTrack::createVolumeShaperOperationObj(
+         jBuilderObj = env->CallObjectMethod(jBuilderCls, jReplace, operation->getReplaceId(), join);
+     }
+ 
+-    if (flags | media::VolumeShaper::Operation::FLAG_REVERSE) {
++    if (flags & media::VolumeShaper::Operation::FLAG_REVERSE) {
+         jmethodID jReverse = env->GetMethodID(jBuilderCls, "reverse",
+                 "()Landroid/media/VolumeShaper$Operation$Builder;");
+         jBuilderObj = env->CallObjectMethod(jBuilderCls, jReverse);
+     }
+ 
+     // TODO: VolumeShaper Javadoc says "Do not call terminate() directly". Can we call this?
+-    if (flags | media::VolumeShaper::Operation::FLAG_TERMINATE) {
++    if (flags & media::VolumeShaper::Operation::FLAG_TERMINATE) {
+         jmethodID jTerminate = env->GetMethodID(jBuilderCls, "terminate",
+                 "()Landroid/media/VolumeShaper$Operation$Builder;");
+         jBuilderObj = env->CallObjectMethod(jBuilderCls, jTerminate);
+     }
+ 
+-    if (flags | media::VolumeShaper::Operation::FLAG_DELAY) {
++    if (flags & media::VolumeShaper::Operation::FLAG_DELAY) {
+         jmethodID jDefer = env->GetMethodID(jBuilderCls, "defer",
+                 "()Landroid/media/VolumeShaper$Operation$Builder;");
+         jBuilderObj = env->CallObjectMethod(jBuilderCls, jDefer);
+     }
+ 
+-    if (flags | media::VolumeShaper::Operation::FLAG_CREATE_IF_NECESSARY) {
++    if (flags & media::VolumeShaper::Operation::FLAG_CREATE_IF_NECESSARY) {
+         jmethodID jCreateIfNeeded = env->GetMethodID(jBuilderCls, "createIfNeeded",
+                 "()Landroid/media/VolumeShaper$Operation$Builder;");
+         jBuilderObj = env->CallObjectMethod(jBuilderCls, jCreateIfNeeded);

Patches/LineageOS-17.1/android_frameworks_av/402602.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 539af09596393c3817545ee116c1a036f5c5d580 Mon Sep 17 00:00:00 2001
 From: Rakesh Kumar <rakesh.kumar@ittiam.com>
 Date: Thu, 30 May 2024 11:17:48 +0000
 Subject: [PATCH] StagefrightRecoder: Disabling B-frame support
@@ -21,7 +21,7 @@ Change-Id: I4098655eb9687fb633085333bc140634441566e6
  1 file changed, 5 insertions(+)
 
 diff --git a/media/libmediaplayerservice/StagefrightRecorder.cpp b/media/libmediaplayerservice/StagefrightRecorder.cpp
-index 71c79720fe..e2a183e80c 100644
+index 71c79720fe7..e2a183e80c0 100644
 --- a/media/libmediaplayerservice/StagefrightRecorder.cpp
 +++ b/media/libmediaplayerservice/StagefrightRecorder.cpp
 @@ -1797,6 +1797,11 @@ status_t StagefrightRecorder::setupVideoEncoder(

Patches/LineageOS-17.1/android_frameworks_base/402603.patch

@@ -0,0 +1,25 @@
+From 85be42f596b8a36cdf61e321a2d66903b9625679 Mon Sep 17 00:00:00 2001
+From: Makoto Onuki <omakoto@google.com>
+Date: Thu, 10 Oct 2019 08:34:49 -0700
+Subject: [PATCH] Stop using UserHandle' hidden constructor.
+
+Bug: 142281756
+Test: build
+Change-Id: Icf16bdcad34dcc580fcc42d64c98a46d36bf19f7
+---
+ .../core/java/com/android/server/job/JobServiceContext.java     | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/core/java/com/android/server/job/JobServiceContext.java b/services/core/java/com/android/server/job/JobServiceContext.java
+index 7da128f9d3ecc..5ca628f6daa2d 100644
+--- a/services/core/java/com/android/server/job/JobServiceContext.java
++++ b/services/core/java/com/android/server/job/JobServiceContext.java
+@@ -252,7 +252,7 @@ boolean executeRunnableJob(JobStatus job) {
+                 binding = mContext.bindServiceAsUser(intent, this,
+                         Context.BIND_AUTO_CREATE | Context.BIND_NOT_FOREGROUND
+                         | Context.BIND_NOT_PERCEPTIBLE,
+-                        new UserHandle(job.getUserId()));
++                        UserHandle.of(job.getUserId()));
+             } catch (SecurityException e) {
+                 // Some permission policy, for example INTERACT_ACROSS_USERS and
+                 // android:singleUser, can result in a SecurityException being thrown from

Patches/LineageOS-17.1/android_frameworks_base/402604.patch

@@ -0,0 +1,61 @@
+From 99185b565ac3298604e6351774e9bc20457d49b2 Mon Sep 17 00:00:00 2001
+From: Nan Wu <wnan@google.com>
+Date: Tue, 30 Apr 2024 17:20:29 +0000
+Subject: [PATCH] RESTRICT AUTOMERGE Backport preventing BAL bypass via bound
+ service
+
+Apply similar fix for WallpaperService to TextToSpeech Service,
+Job Service, Print Service, Sync Service and MediaRoute2Provider Service
+
+Bug: 232798473, 232798676, 336490997
+Test: Manual test. BackgroundActivityLaunchTest
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8fdf4a345e140eba9b4e736d24ab95c67c55a247)
+Merged-In: Ib113e45aa18296b4475b90d6dcec5dd5664f4c80
+Change-Id: Ib113e45aa18296b4475b90d6dcec5dd5664f4c80
+---
+ services/core/java/com/android/server/content/SyncManager.java | 3 ++-
+ .../core/java/com/android/server/job/JobServiceContext.java    | 2 +-
+ .../java/com/android/server/print/RemotePrintService.java      | 3 ++-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/services/core/java/com/android/server/content/SyncManager.java b/services/core/java/com/android/server/content/SyncManager.java
+index fa8c48bdc7f78..586a9304e3e27 100644
+--- a/services/core/java/com/android/server/content/SyncManager.java
++++ b/services/core/java/com/android/server/content/SyncManager.java
+@@ -217,7 +217,8 @@ public class SyncManager {
+ 
+     /** Flags used when connecting to a sync adapter service */
+     private static final int SYNC_ADAPTER_CONNECTION_FLAGS = Context.BIND_AUTO_CREATE
+-            | Context.BIND_NOT_FOREGROUND | Context.BIND_ALLOW_OOM_MANAGEMENT;
++            | Context.BIND_NOT_FOREGROUND | Context.BIND_ALLOW_OOM_MANAGEMENT
++            | Context.BIND_DENY_ACTIVITY_STARTS;
+ 
+     /** Singleton instance. */
+     @GuardedBy("SyncManager.class")
+diff --git a/services/core/java/com/android/server/job/JobServiceContext.java b/services/core/java/com/android/server/job/JobServiceContext.java
+index 5ca628f6daa2d..dd598ced4cb2c 100644
+--- a/services/core/java/com/android/server/job/JobServiceContext.java
++++ b/services/core/java/com/android/server/job/JobServiceContext.java
+@@ -251,7 +251,7 @@ boolean executeRunnableJob(JobStatus job) {
+             try {
+                 binding = mContext.bindServiceAsUser(intent, this,
+                         Context.BIND_AUTO_CREATE | Context.BIND_NOT_FOREGROUND
+-                        | Context.BIND_NOT_PERCEPTIBLE,
++                        | Context.BIND_NOT_PERCEPTIBLE | Context.BIND_DENY_ACTIVITY_STARTS,
+                         UserHandle.of(job.getUserId()));
+             } catch (SecurityException e) {
+                 // Some permission policy, for example INTERACT_ACROSS_USERS and
+diff --git a/services/print/java/com/android/server/print/RemotePrintService.java b/services/print/java/com/android/server/print/RemotePrintService.java
+index 502cd2c60f4aa..702ddbb9f912a 100644
+--- a/services/print/java/com/android/server/print/RemotePrintService.java
++++ b/services/print/java/com/android/server/print/RemotePrintService.java
+@@ -572,7 +572,8 @@ private void ensureBound() {
+ 
+         boolean wasBound = mContext.bindServiceAsUser(mIntent, mServiceConnection,
+                 Context.BIND_AUTO_CREATE | Context.BIND_FOREGROUND_SERVICE
+-                        | Context.BIND_INCLUDE_CAPABILITIES | Context.BIND_ALLOW_INSTANT,
++                        | Context.BIND_INCLUDE_CAPABILITIES | Context.BIND_ALLOW_INSTANT
++                        | Context.BIND_DENY_ACTIVITY_STARTS,
+                 new UserHandle(mUserId));
+ 
+         if (!wasBound) {

Patches/LineageOS-17.1/android_frameworks_base/402605.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 277d3d387c624668019378f1613a699ed0acc50b Mon Sep 17 00:00:00 2001
 From: Kiran S <krns@google.com>
 Date: Mon, 13 May 2024 05:49:06 +0000
 Subject: [PATCH] Restrict USB poups while setup is in progress
@@ -14,7 +14,7 @@ Change-Id: I7d54534696fd73f3b94c5b4250142eed9341c5d8
  1 file changed, 21 insertions(+)
 
 diff --git a/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java b/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
-index 74c3939a1b1c..2e25798b25d8 100644
+index 74c3939a1b1cd..2e25798b25d81 100644
 --- a/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
 +++ b/services/usb/java/com/android/server/usb/UsbProfileGroupSettingsManager.java
 @@ -16,6 +16,8 @@
@@ -26,7 +26,7 @@ index 74c3939a1b1c..2e25798b25d8 100644
  import static com.android.internal.app.IntentForwarderActivity.FORWARD_INTENT_TO_MANAGED_PROFILE;
  
  import android.annotation.NonNull;
-@@ -42,6 +44,7 @@ import android.os.AsyncTask;
+@@ -42,6 +44,7 @@
  import android.os.Environment;
  import android.os.UserHandle;
  import android.os.UserManager;
@@ -34,7 +34,7 @@ index 74c3939a1b1c..2e25798b25d8 100644
  import android.service.usb.UsbProfileGroupSettingsManagerProto;
  import android.service.usb.UsbSettingsAccessoryPreferenceProto;
  import android.service.usb.UsbSettingsDevicePreferenceProto;
-@@ -762,10 +765,28 @@ class UsbProfileGroupSettingsManager {
+@@ -762,10 +765,28 @@ private void resolveActivity(Intent intent, UsbDevice device, boolean showMtpNot
              return;
          }
  

Patches/LineageOS-17.1/android_frameworks_base/402606.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From d60e8484debe2c0de08f438563f4a1cdd026c501 Mon Sep 17 00:00:00 2001
 From: Linus Tufvesson <lus@google.com>
 Date: Mon, 29 Apr 2024 16:32:15 +0200
 Subject: [PATCH] Hide SAW subwindows
@@ -17,10 +17,10 @@ Change-Id: If19240f5aec2e048de80d75cbbdc00be47622d7f
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/services/core/java/com/android/server/wm/WindowState.java b/services/core/java/com/android/server/wm/WindowState.java
-index cca14d884cdd..4c0aa6492f91 100644
+index cca14d884cdd8..4c0aa6492f91c 100644
 --- a/services/core/java/com/android/server/wm/WindowState.java
 +++ b/services/core/java/com/android/server/wm/WindowState.java
-@@ -2730,8 +2730,9 @@ class WindowState extends WindowContainer<WindowState> implements WindowManagerP
+@@ -2730,8 +2730,9 @@ boolean hideLw(boolean doAnimation, boolean requestAnim) {
      }
  
      void setForceHideNonSystemOverlayWindowIfNeeded(boolean forceHide) {

Patches/LineageOS-17.1/android_system_bt/402607.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From e6265d93946259f985ccafa975ed3426489c8cec Mon Sep 17 00:00:00 2001
 From: Brian Delwiche <delwiche@google.com>
 Date: Mon, 22 Apr 2024 16:43:29 +0000
 Subject: [PATCH] Fix heap-buffer overflow in sdp_utils.cc
@@ -24,7 +24,7 @@ Change-Id: Ib536cbeac454efbf6af3d713c05c8e3e077e069b
  1 file changed, 22 insertions(+), 2 deletions(-)
 
 diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc
-index 33f30b042..94368ecbc 100644
+index 33f30b04211..94368ecbc51 100644
 --- a/stack/sdp/sdp_utils.cc
 +++ b/stack/sdp/sdp_utils.cc
 @@ -943,8 +943,28 @@ bool sdpu_compare_uuid_arrays(uint8_t* p_uuid1, uint32_t len1, uint8_t* p_uuid2,

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/402608.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 63c86c2e26ce2d2b6b4119abf5d4fe1dbb8b00b6 Mon Sep 17 00:00:00 2001
 From: Brian Delwiche <delwiche@google.com>
 Date: Mon, 22 Apr 2024 16:43:29 +0000
 Subject: [PATCH] Fix heap-buffer overflow in sdp_utils.cc

PrebuiltApps

@@ -1 +1 @@
-Subproject commit f36ecba53e5ff93a45cd22bb9634cf1d5ca1c254
+Subproject commit 5645b916707b577ea5817981ba817591f85728ad

Scripts/LineageOS-16.0/Patch.sh

@@ -137,6 +137,7 @@ applyPatch "$DOS_PATCHES/android_external_expat/349328.patch"; #P_asb_2023-02 [C
 applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
 applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
 applyPatch "$DOS_PATCHES/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch";
 fi;
 
 if enterAndClear "external/freetype"; then

Scripts/LineageOS-17.1/Patch.sh

@@ -124,6 +124,7 @@ if enterAndClear "external/expat"; then
 applyPatch "$DOS_PATCHES/android_external_expat/0001-lib-Reject-negative-len-for-XML_ParseBuffer.patch";
 applyPatch "$DOS_PATCHES/android_external_expat/0002-lib-Detect-integer-overflow-in-dtdCopy.patch.patch";
 applyPatch "$DOS_PATCHES/android_external_expat/0003-lib-Detect-integer-overflow-in-function-nextScaffold.patch";
+applyPatch "$DOS_PATCHES/android_external_expat/0004-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch";
 fi;
 
 if enterAndClear "external/freetype"; then
@@ -199,7 +200,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/383255.patch"; #Q_asb_2024-02 Upd
 applyPatch "$DOS_PATCHES/android_frameworks_av/391906.patch"; #Q_asb_2024-03 Validate OMX Params for VPx encoders
 applyPatch "$DOS_PATCHES/android_frameworks_av/391907.patch"; #Q_asb_2024-03 SoftVideoDecodeOMXComponent: validate OMX params for dynamic HDR
 applyPatch "$DOS_PATCHES/android_frameworks_av/391908.patch"; #Q_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
-applyPatch "$DOS_PATCHES/android_frameworks_av/399741.patch"; #R_asb_2024-08 StagefrightRecoder: Disabling B-frame support
+applyPatch "$DOS_PATCHES/android_frameworks_av/402601.patch"; #Q_asb_2024-08 Fix flag check in JAudioTrack.cpp
+applyPatch "$DOS_PATCHES/android_frameworks_av/402602.patch"; #Q_asb_2024-08 StagefrightRecoder: Disabling B-frame support
 fi;
 
 if enterAndClear "frameworks/base"; then
@@ -320,8 +322,10 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/399086.patch"; #Q_asb_2024-06 A
 applyPatch "$DOS_PATCHES/android_frameworks_base/399413.patch"; #Q_asb_2024-06 Check permissions for CDM shell commands
 applyPatch "$DOS_PATCHES/android_frameworks_base/399088.patch"; #Q_asb_2024-07 Verify UID of incoming Zygote connections.
 applyPatch "$DOS_PATCHES/android_frameworks_base/399089.patch"; #Q_asb_2024-07 Fix security vulnerability of non-dynamic permission removal
-applyPatch "$DOS_PATCHES/android_frameworks_base/399739.patch"; #R_asb_2024-08 Restrict USB poups while setup is in progress
-applyPatch "$DOS_PATCHES/android_frameworks_base/399740.patch"; #R_asb_2024-08 Hide SAW subwindows
+applyPatch "$DOS_PATCHES/android_frameworks_base/402603.patch"; #Q_asb_2024-08 Stop using UserHandle' hidden constructor.
+applyPatch "$DOS_PATCHES/android_frameworks_base/402604.patch"; #Q_asb_2024-08 Backport preventing BAL bypass via bound service
+applyPatch "$DOS_PATCHES/android_frameworks_base/402605.patch"; #Q_asb_2024-08 Restrict USB poups while setup is in progress
+applyPatch "$DOS_PATCHES/android_frameworks_base/402606.patch"; #Q_asb_2024-08 Hide SAW subwindows
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@@ -646,7 +650,7 @@ applyPatch "$DOS_PATCHES/android_system_bt/391914.patch"; #Q_asb_2024-03 Fix an
 applyPatch "$DOS_PATCHES/android_system_bt/391915.patch"; #Q_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
 applyPatch "$DOS_PATCHES/android_system_bt/391916.patch"; #Q_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 applyPatch "$DOS_PATCHES/android_system_bt/399092.patch"; #Q_asb_2024-07 Fix an authentication bypass bug in SMP
-applyPatch "$DOS_PATCHES/android_system_bt/399742.patch"; #R_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
+applyPatch "$DOS_PATCHES/android_system_bt/402607.patch"; #Q_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@@ -759,7 +763,7 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/391917.patch";
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/391918.patch"; #Q_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/391919.patch"; #Q_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/399091.patch"; #Q_asb_2024-07 Fix an authentication bypass bug in SMP
-applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/399743.patch"; #R_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/402608.patch"; #Q_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
 fi;
 
 if enterAndClear "vendor/lineage"; then