diff --git a/Patches/LineageOS-14.1/android_external_skia/410675.patch b/Patches/LineageOS-14.1/android_external_skia/410675.patch
new file mode 100644
index 00000000..38ceae17
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_external_skia/410675.patch
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ben Wagner
+Date: Mon, 12 Aug 2024 15:00:08 -0400
+Subject: [PATCH] Bounds check in skia_alloc_func
+
+The allocator callback for zlib needs to check that items * size will
+fit in size_t and return nullptr if not.
+
+Conflicts:
+- src/pdf/SkDeflate.cpp: just in header includes
+
+Bug: 349678452
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888996
+Commit-Queue: Ben Wagner
+Reviewed-by: Brian Osman
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:94b46e52960ec84a69304ea058fd928e3de6fa56)
+Merged-In: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+Change-Id: Id1a30592d435bd0de4630e7047f26b0dc17654fc
+
+Change-Id: I1c198cb3586db94b45d6f6592fac9c0dc9f19f23
+---
+ src/pdf/SkDeflate.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/pdf/SkDeflate.cpp b/src/pdf/SkDeflate.cpp
+index 3ae0d46068..2cc38bb9b7 100644
+--- a/src/pdf/SkDeflate.cpp
++++ b/src/pdf/SkDeflate.cpp
+@@ -10,6 +10,7 @@
+ #include "SkData.h"
+ #include "SkDeflate.h"
+ #include "SkStream.h"
++#include "SkTFitsIn.h"
+
+ #ifdef ZLIB_INCLUDE
+ #include ZLIB_INCLUDE
+@@ -22,6 +23,13 @@ namespace {
+ // Different zlib implementations use different T.
+ // We've seen size_t and unsigned.
+ template void* skia_alloc_func(void*, T items, T size) {
++ if (!SkTFitsIn(size)) {
++ return nullptr;
++ }
++ const size_t maxItems = SIZE_MAX / size;
++ if (maxItems < items) {
++ return nullptr;
++ }
+ return sk_calloc_throw(SkToSizeT(items) * SkToSizeT(size));
+ }
+
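Review bot: The added `const size_t maxItems = SIZE_MAX / size;` divides by zero when `size` is 0, because the only check ahead of it is the SkTFitsIn range test, which a zero value passes. zlib normally asks for non-zero element sizes, but this callback is the last guard before the multiplication, so a zero size should be rejected first, for example `if (size == 0) { return nullptr; }` placed before the `maxItems` line. The body of skia_alloc_func is fully visible in the hunk.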
diff --git a/Patches/LineageOS-14.1/android_external_skia/410676.patch b/Patches/LineageOS-14.1/android_external_skia/410676.patch
new file mode 100644
index 00000000..75c48504
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_external_skia/410676.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Osman
+Date: Thu, 29 Aug 2024 12:47:48 -0400
+Subject: [PATCH] RESTRICT AUTOMERGE: Check for size overflow before allocating
+ SkMask data
+
+Bug: 352631932
+Test: N/A -- not reproducible / speculative fix
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894478
+Commit-Queue: Ben Wagner
+Reviewed-by: Ben Wagner
+Auto-Submit: Brian Osman
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fa94ff39bee75fe3a4abf061c09b972e2ffd0fa)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbf6a5953623cdb0ef200bcba00bc43986b16c91)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a96bda269af74d90cf3993c4429ce9e673a5fc36)
+Merged-In: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+Change-Id: I74c081a7b849f13194ec7807b7a748d1919c1bb2
+
+Change-Id: I4e5330532e3981a15f6eee8e65fe74e7da50f719
+---
+ src/effects/SkBlurMaskFilter.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/effects/SkBlurMaskFilter.cpp b/src/effects/SkBlurMaskFilter.cpp
+index 1be030baf6..4416a6174b 100644
+--- a/src/effects/SkBlurMaskFilter.cpp
++++ b/src/effects/SkBlurMaskFilter.cpp
+@@ -196,6 +196,9 @@ static bool prepare_to_draw_into_mask(const SkRect& bounds, SkMask* mask) {
+ mask->fRowBytes = SkAlign4(mask->fBounds.width());
+ mask->fFormat = SkMask::kA8_Format;
+ const size_t size = mask->computeImageSize();
++ if (size == 0) {
++ return false;
++ }
+ mask->fImage = SkMask::AllocImage(size);
+ if (nullptr == mask->fImage) {
+ return false;
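Review bot: The added `if (size == 0)` guard only stops an overflowed allocation if `computeImageSize()` reports overflow as 0, and nothing visible in the hunk states that contract. A one-line comment above the check would record it, for example `// computeImageSize() is expected to return 0 on overflow (confirm in SkMask.cpp)`. The `SkAlign4(mask->fBounds.width())` on the first context line runs before this check and is not covered by it, which matters only if very wide bounds can reach this function. prepare_to_draw_into_mask starts before the hunk and continues after it.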
diff --git a/Patches/LineageOS-14.1/android_system_bt/410678.patch b/Patches/LineageOS-14.1/android_system_bt/410678.patch
new file mode 100644
index 00000000..0ae6aaff
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/410678.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche
+Date: Mon, 8 Jul 2024 22:42:18 +0000
+Subject: [PATCH] Fix OOB write in build_read_multi_rsp of gatt_sr.cc
+
+build_read_multi_rsp is missing a bounds check, which can lead to an
+OOB write when the mtu parameter is set to zero.
+
+Add that bounds check.
+
+Bug: 323850943
+Test: atest GattSrTest
+Test: researcher POC
+Tag: #security
+Flag: EXEMPT trivial validity checks
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd)
+Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8
+---
+ stack/gatt/gatt_sr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/stack/gatt/gatt_sr.c b/stack/gatt/gatt_sr.c
+index 6457a3758..c2ae49752 100644
+--- a/stack/gatt/gatt_sr.c
++++ b/stack/gatt/gatt_sr.c
+@@ -146,6 +146,13 @@ static BOOLEAN process_read_multi_rsp (tGATT_SR_CMD *p_cmd, tGATT_STATUS status,
+ /* Wait till we get all the responses */
+ if (fixed_queue_length(p_cmd->multi_rsp_q) == p_cmd->multi_req.num_handles)
+ {
++ // We need at least one extra byte for the opcode
++ if (mtu == 0)
++ {
++ GATT_TRACE_ERROR("Invalid MTU");
++ p_cmd->status = GATT_ILLEGAL_PARAMETER;
++ return(TRUE);
++ }
+ len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+ p_buf = (BT_HDR *)osi_calloc(len);
+ p_buf->offset = L2CAP_MIN_OFFSET;
diff --git a/Patches/LineageOS-14.1/android_system_bt/410679.patch b/Patches/LineageOS-14.1/android_system_bt/410679.patch
new file mode 100644
index 00000000..01a3b799
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/410679.patch
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Thu, 27 Jul 2023 04:09:04 +0000
+Subject: [PATCH] Fix an integer underflow in build_read_multi_rsp
+
+This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+to sc-dev
+
+Bug: 273874525
+Test: manual
+Ignore-AOSP-First: security
+Tag: #security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
+Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
+---
+ stack/gatt/gatt_sr.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/stack/gatt/gatt_sr.c b/stack/gatt/gatt_sr.c
+index c2ae49752..71ef7f427 100644
+--- a/stack/gatt/gatt_sr.c
++++ b/stack/gatt/gatt_sr.c
+@@ -183,9 +183,24 @@ static BOOLEAN process_read_multi_rsp (tGATT_SR_CMD *p_cmd, tGATT_STATUS status,
+ if (p_rsp != NULL)
+ {
+
+- total_len = (p_buf->len + p_rsp->attr_value.len);
++ total_len = p_buf->len;
+
+ if (total_len > mtu)
++ {
++ GATT_TRACE_DEBUG ("Buffer space not enough for this data item, skipping");
++ break;
++ }
++
++ len = (p_rsp->attr_value.len < mtu - total_len) ?
++ p_rsp->attr_value.len : mtu - total_len;
++
++ if (len == 0)
++ {
++ GATT_TRACE_DEBUG ("Buffer space not enough for this data item, skipping");
++ break;
++ }
++
++ if (len < p_rsp->attr_value.len)
+ {
+ /* just send the partial response for the overflow case */
+ len = p_rsp->attr_value.len - (total_len - mtu);
+@@ -199,19 +214,8 @@ static BOOLEAN process_read_multi_rsp (tGATT_SR_CMD *p_cmd, tGATT_STATUS status,
+
+ if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii])
+ {
+- // check for possible integer overflow
+- if (p_buf->len + len <= UINT16_MAX)
+- {
+- memcpy(p, p_rsp->attr_value.value, len);
+- if (!is_overflow)
+- p += len;
+- p_buf->len += len;
+- }
+- else
+- {
+- p_cmd->status = GATT_NOT_FOUND;
+- break;
+- }
++ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
++ p_buf->len += (uint16_t) len;
+ }
+ else
+ {
diff --git a/Patches/LineageOS-14.1/android_system_bt/410680.patch b/Patches/LineageOS-14.1/android_system_bt/410680.patch
new file mode 100644
index 00000000..ce8e14f4
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/410680.patch
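Review bot: The context line `len = p_rsp->attr_value.len - (total_len - mtu);` still runs inside the new `if (len < p_rsp->attr_value.len)` branch in 410679.patch and overwrites the clamped length computed just above it. `total_len` is now `p_buf->len` and has already been checked to be at most `mtu`, so `total_len - mtu` is negative or wraps (the declarations are outside the hunk), and `len` ends up as the attribute length plus the remaining space, which the later `ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);` would then copy. The overflow branch should keep the clamped `len` and drop that assignment; the rest of the branch is not shown, so check what else it sets. 410681.patch edits the same block and leaves the line in place as well. process_read_multi_rsp starts and ends outside the hunk.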
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hui Peng
+Date: Wed, 29 Nov 2023 00:53:33 +0000
+Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
+ attp_build_value_cmd
+
+Fix typo when converting from cc to c:
+p_dest->attr_value.len = std::min(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
+
+Bug: 276898739
+Test: manual
+Tag: #security
+Ignore-AOSP-First: security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
+
+Change-Id: I0f1131b0b1ebd168202b4fde814010002e786817
+---
+ btif/src/btif_gatt_util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/btif/src/btif_gatt_util.c b/btif/src/btif_gatt_util.c
+index 4edc7cf29..dc986385c 100644
+--- a/btif/src/btif_gatt_util.c
++++ b/btif/src/btif_gatt_util.c
+@@ -113,8 +113,8 @@ void btif_to_bta_response(tBTA_GATTS_RSP *p_dest, btgatt_response_t* p_src)
+ {
+ p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
+ p_dest->attr_value.handle = p_src->attr_value.handle;
+- p_dest->attr_value.len = (p_dest->attr_value.len < GATT_MAX_ATTR_LEN) ?
+- p_dest->attr_value.len : GATT_MAX_ATTR_LEN;
++ p_dest->attr_value.len = (p_src->attr_value.len < GATT_MAX_ATTR_LEN) ?
++ p_src->attr_value.len : GATT_MAX_ATTR_LEN;
+ p_dest->attr_value.offset = p_src->attr_value.offset;
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
+ }
diff --git a/Patches/LineageOS-14.1/android_system_bt/410681.patch b/Patches/LineageOS-14.1/android_system_bt/410681.patch
new file mode 100644
index 00000000..df758826
--- /dev/null
+++ b/Patches/LineageOS-14.1/android_system_bt/410681.patch
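Review bot: The subject of 410680.patch names both btif_to_bta_response and attp_build_value_cmd, but its diffstat and only hunk touch btif/src/btif_gatt_util.c, so the attp_build_value_cmd half of the fix is not in this patch. It is worth confirming that an earlier patch in the series already carries that part for this branch. On the corrected lines, a short comment would make the purpose of the clamp explicit, for example `/* clamp to GATT_MAX_ATTR_LEN before the memcpy below */`.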
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jakub=20Paw=C5=82owski?=
+Date: Thu, 1 Aug 2024 14:12:58 +0000
+Subject: [PATCH] Fix "GATT Read Multiple Variable Response" builder
+
+0 length value is perfectly fine, and should result in just length
+added into the packet.
+Currently, for 0 length value we just break out of loop, and don't add
+any value.
+This means, that if first characetristic in response had 0 length, we
+would return empty packet.
+
+Ignore-AOSP-First: security fix
+Test: mma -j32;
+Bug: 352696105
+Bug: 356886209
+Flag: exempt, obvious logic fix
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:167573989a2a11a71af1289615692c360c14bddf)
+Merged-In: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+Change-Id: Ida4f6b566cf9fa40fc5330d8084c29669ccaa608
+---
+ stack/gatt/gatt_sr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stack/gatt/gatt_sr.c b/stack/gatt/gatt_sr.c
+index 71ef7f427..584fe3887 100644
+--- a/stack/gatt/gatt_sr.c
++++ b/stack/gatt/gatt_sr.c
+@@ -194,7 +194,7 @@ static BOOLEAN process_read_multi_rsp (tGATT_SR_CMD *p_cmd, tGATT_STATUS status,
+ len = (p_rsp->attr_value.len < mtu - total_len) ?
+ p_rsp->attr_value.len : mtu - total_len;
+
+- if (len == 0)
++ if (total_len == mtu && p_rsp->attr_value.len > 0)
+ {
+ GATT_TRACE_DEBUG ("Buffer space not enough for this data item, skipping");
+ break;
diff --git a/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0002-Private_DNS.patch b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0002-Private_DNS.patch
index fcaa935b..d8855760 100644
--- a/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0002-Private_DNS.patch
+++ b/Patches/LineageOS-19.1/android_packages_modules_Connectivity/0002-Private_DNS.patch
@@ -16,7 +16,7 @@ Change-Id: I4e51da9d8fe08d1c4a287808f4464c0338b40334 2 files changed, 248 insertions(+)
diff --git a/framework/src/android/net/ConnectivitySettingsManager.java b/framework/src/android/net/ConnectivitySettingsManager.java -index 9c8d08fb1..27263d2a4 100644 +index 9c8d08fb1..6ce4b5969 100644 --- a/framework/src/android/net/ConnectivitySettingsManager.java +++ b/framework/src/android/net/ConnectivitySettingsManager.java @@ -351,6 +351,84 @@ public class ConnectivitySettingsManager { diff --git a/Patches/LineageOS-19.1/android_packages_modules_Permission/0004-Special_Permission-2.patch b/Patches/LineageOS-19.1/android_packages_modules_Permission/0004-Special_Permission-2.patch index d8395518..adfed46e 100644 --- a/Patches/LineageOS-19.1/android_packages_modules_Permission/0004-Special_Permission-2.patch +++ b/Patches/LineageOS-19.1/android_packages_modules_Permission/0004-Special_Permission-2.patch @@ -36,7 +36,7 @@ index 18686875a..fad5be5b6 100644 } } diff --git a/PermissionController/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt b/PermissionController/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt -index d57e79751..4cfa0d38b 100644 +index 92bfa887e..43d41f6c7 100644 --- a/PermissionController/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt +++ b/PermissionController/src/com/android/permissioncontroller/permission/service/AutoRevokePermissions.kt @@ -100,7 +100,8 @@ suspend fun revokeAppPermissions( diff --git a/Patches/LineageOS-19.1/android_packages_modules_Permission/0004-Special_Permission-3.patch b/Patches/LineageOS-19.1/android_packages_modules_Permission/0004-Special_Permission-3.patch index 92ab6848..bfd26441 100644 --- a/Patches/LineageOS-19.1/android_packages_modules_Permission/0004-Special_Permission-3.patch +++ b/Patches/LineageOS-19.1/android_packages_modules_Permission/0004-Special_Permission-3.patch @@ -9,7 +9,7 @@ Toggles were not working correctly for API < 23. 1 file changed, 2 insertions(+) 
diff --git a/PermissionController/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt b/PermissionController/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt -index da93d4f78..96f6e356f 100644 +index 85908cb0e..fb320761f 100644 --- a/PermissionController/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt +++ b/PermissionController/src/com/android/permissioncontroller/permission/utils/KotlinUtils.kt @@ -547,6 +547,7 @@ object KotlinUtils { @@ -22,7 +22,7 @@ index da93d4f78..96f6e356f 100644 // Do not touch permissions fixed by the system, or permissions that cannot be granted @@ -776,6 +777,7 @@ object KotlinUtils { var newFlags = perm.flags - var isGranted = perm.isGrantedIncludingAppOp + var isGranted = perm.isGranted val supportsRuntime = group.packageInfo.targetSdkVersion >= Build.VERSION_CODES.M + || Utils.isSpecialRuntimePermission(perm.name) var shouldKill = false diff --git a/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-5.patch b/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-5.patch index 3d3115d9..c4a0e3ea 100644 --- a/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-5.patch +++ b/Patches/LineageOS-20.0/android_frameworks_base/0013-Special_Permissions-5.patch @@ -99,7 +99,7 @@ index 000000000000..efd48cb49aa3 + private SpecialRuntimePermAppUtils() {} +} diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java -index 8c51df9d320e..373f11a4f333 100644 +index 4ff9947fe0dd..bc14ef6332cb 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -214,6 +214,7 @@ import com.android.server.pm.permission.LegacyPermissionManagerInternal; 
@@ -110,7 +110,7 @@ index 8c51df9d320e..373f11a4f333 100644 import com.android.server.pm.pkg.PackageStateInternal; import com.android.server.pm.pkg.PackageUserState; import com.android.server.pm.pkg.PackageUserStateInternal; -@@ -6107,6 +6108,24 @@ public class PackageManagerService implements PackageSender, TestUtilityService +@@ -6122,6 +6123,24 @@ public class PackageManagerService implements PackageSender, TestUtilityService getPerUidReadTimeouts(snapshot) ).doDump(snapshot, fd, pw, args); } diff --git a/Scripts/Common/Fix_CVE_Patchers.sh b/Scripts/Common/Fix_CVE_Patchers.sh index 2ec3b080..8cedfdde 100644 --- a/Scripts/Common/Fix_CVE_Patchers.sh +++ b/Scripts/Common/Fix_CVE_Patchers.sh 
@@ -96,7 +96,7 @@ commentPatches android_kernel_samsung_msm8930-common.sh "CVE-2017-11015/prima" " commentPatches android_kernel_samsung_smdk4412.sh "CVE-2012-2127" "CVE-2016-8463/ANY/0001.patch"; commentPatches android_kernel_samsung_tuna.sh "CVE-2012-2127"; commentPatches android_kernel_samsung_universal8890.sh "0008-Graphene-Kernel_Hardening-ro" "CVE-2016-7917" "CVE-2018-1092" "CVE-2018-17972" "CVE-2019-16746" "CVE-2020-0427" "CVE-2020-14381" "CVE-2020-16166" "CVE-2022-42896/4.9"; -commentPatches android_kernel_samsung_exynos9810.sh "CVE-2020-1749" "CVE-2019-ctnl-addr-leak" "CVE-2019-18282" "CVE-2019-11599" "CVE-2022-20566" "CVE-2019-16746" "CVE-2021-45469" "CVE-2020-0305" "CVE-2021-3506/4.19" "CVE-2024-26934/4.19" "CVE-2024-26934" "CVE-2024-44944"; +commentPatches android_kernel_samsung_exynos9810.sh "CVE-2020-1749" "CVE-2019-ctnl-addr-leak" "CVE-2019-18282" "CVE-2019-11599" "CVE-2022-20566" "CVE-2019-16746" "CVE-2021-45469" "CVE-2020-0305" "CVE-2021-3506/4.19" "CVE-2024-26934/4.19" "CVE-2024-26934" "CVE-2024-44944" "CVE-2024-44931"; commentPatches android_kernel_samsung_universal9810.sh "CVE-2020-1749"; commentPatches android_kernel_sony_sdm660.sh "0008-Graphene-Kernel_Hardening-canaries/4.4/0002.patch" "CVE-2019-19319" "CVE-2020-0305" "CVE-2020-8992" "CVE-2020-16166" "CVE-2021-30319"; commentPatches android_kernel_sony_sdm845.sh "CVE-2019-19319" "CVE-2020-1749" "CVE-2020-8992"; diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_universal8890.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_universal8890.sh index 7d718234..0113b0a0 100644 --- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_universal8890.sh +++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_universal8890.sh 
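Review bot: The added `"CVE-2024-44931"` entry on the exynos9810 line appears to switch off a kernel CVE fix for that device without recording why. The next file section also comments out the same patch in the universal8890 script, although that device's `commentPatches` line here is unchanged, so it is unclear from the diff what keeps the two in sync if the script is regenerated. A short trailing comment would keep the exclusion auditable, for example `#CVE-2024-44931 excluded: <reason, placeholder>`.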
@@ -1098,7 +1098,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-43854/4.4/0008.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-43858/4.4/0008.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-43882/4.4/0008.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-43893/4.4/0008.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-44931/4.4/0008.patch +#git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-44931/4.4/0008.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-44939/^6.9/0001.patch #git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-44944/4.4/0008.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2024-44947/4.4/0008.patch diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index b375805e..9707c069 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -82,7 +82,7 @@ sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aap sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk; awk -i inplace '!/Email/' target/product/core.mk; #Remove Email awk -i inplace '!/Exchange2/' target/product/core.mk; -sed -i 's/2021-06-05/2024-11-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-11 #XXX +sed -i 's/2021-06-05/2024-12-05/' core/version_defaults.mk; #Bump Security String #n-asb-2024-12 #XXX fi; if enterAndClear "device/qcom/sepolicy"; then @@ -178,6 +178,8 @@ fi; if enterAndClear "external/skia"; then applyPatch "$DOS_PATCHES/android_external_skia/407794.patch"; #n-asb-2024-11 Avoid potential overflow when allocating 3D mask from emboss filter +applyPatch "$DOS_PATCHES/android_external_skia/410675.patch"; #n-asb-2024-12 [pdf] Bounds check in skia_alloc_func +applyPatch "$DOS_PATCHES/android_external_skia/410676.patch"; #n-asb-2024-12 Check for size overflow before allocating SkMask data fi; if enterAndClear "external/sonivox"; then 
@@ -613,6 +615,10 @@ applyPatch "$DOS_PATCHES/android_system_bt/385238.patch"; #n-asb-2024-03 Fix an applyPatch "$DOS_PATCHES/android_system_bt/385239.patch"; #n-asb-2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond applyPatch "$DOS_PATCHES/android_system_bt/396612.patch"; #n-asb-2024-07 Fix an authentication bypass bug in SMP applyPatch "$DOS_PATCHES/android_system_bt/399271.patch"; #n-asb-2024-08 Fix heap-buffer overflow in sdp_utils.cc +applyPatch "$DOS_PATCHES/android_system_bt/410678.patch"; #n-asb-2024-12 Fix OOB write in build_read_multi_rsp of gatt_sr.cc +applyPatch "$DOS_PATCHES/android_system_bt/410679.patch"; #n-asb-2024-12 Fix an integer underflow in build_read_multi_rsp +applyPatch "$DOS_PATCHES/android_system_bt/410680.patch"; #n-asb-2024-12 Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd +applyPatch "$DOS_PATCHES/android_system_bt/410681.patch"; #n-asb-2024-12 Fix "GATT Read Multiple Variable Response" builder applyPatch "$DOS_PATCHES/android_system_bt/229574.patch"; #bt-sbc-hd-dualchannel-nougat: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS) applyPatch "$DOS_PATCHES/android_system_bt/229575.patch"; #bt-sbc-hd-dualchannel-nougat: Explicit SBC Dual Channel (SBC HD) support (ValdikSS) applyPatch "$DOS_PATCHES/android_system_bt/242134.patch"; #avrc_bld_get_attrs_rsp - fix attribute length position off by one (cprhokie) diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh index 3b9a734d..3ce5bced 100644 --- a/Scripts/LineageOS-19.1/Patch.sh +++ b/Scripts/LineageOS-19.1/Patch.sh 
@@ -132,10 +132,6 @@ sed -i '/LOCAL_MODULE/s/Camera/SecureCamera/' Android.mk; #Change module name sed -i '11iLOCAL_OVERRIDES_PACKAGES := Camera Camera2 LegacyCamera Snap OpenCamera' Android.mk; #Replace the others fi; -if enterAndClear "external/skia"; then -git fetch https://github.com/LineageOS/android_external_skia refs/changes/54/408154/1 && git cherry-pick FETCH_HEAD; #S_asb_2024-11 Avoid potential overflow when allocating 3D mask from emboss filter -fi; - if enterAndClear "frameworks/base"; then git revert --no-edit 83fe523914728a3674debba17a6019cb74803045; #Reverts "Allow signature spoofing for microG Companion/Services" in favor of below patch applyPatch "$DOS_PATCHES/android_frameworks_base/344888-backport.patch"; #fixup! fw/b: Add support for allowing/disallowing apps on cellular, vpn and wifi networks (CalyxOS)