15.1 February ASB work + Picks

Signed-off-by: Tad <tad@spotco.us>
2024-10-01 01:35:54 -04:00 · 2023-02-19 12:43:13 -05:00 · 2023-02-19 12:43:13 -05:00 · b2913e8170
commit b2913e8170
parent 2993b459f0
11 changed files with 334 additions and 2 deletions
--- a/Patches/LineageOS-15.1/android_external_expat/348649.patch
+++ b/Patches/LineageOS-15.1/android_external_expat/348649.patch
@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sadaf Ebrahimi <sadafebrahimi@google.com>
+Date: Wed, 16 Nov 2022 16:31:05 +0000
+Subject: [PATCH] Fix overeager DTD destruction (fixes #649)
+
+Bug: http://b/255449293
+Test: TreeHugger
+Change-Id: I15ba529c07a6b868484bd5972be154c07cd97cc6
+(cherry picked from commit eb8f10fb1f4eb13c5a2ba1edbfd64b5f2a50ff4a)
+Merged-In: I15ba529c07a6b868484bd5972be154c07cd97cc6
+---
+ lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7b25a0b8..ee71adad 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -855,6 +855,14 @@ parserCreate(const XML_Char *encodingName,
+   parserInit(parser, encodingName);
+ 
+   if (encodingName && !protocolEncodingName) {
+    if (dtd) {
+      // We need to stop the upcoming call to XML_ParserFree from happily
+      // destroying parser->m_dtd because the DTD is shared with the parent
+      // parser and the only guard that keeps XML_ParserFree from destroying
+      // parser->m_dtd is parser->m_isParamEntity but it will be set to
+      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+      _dtd = NULL;
+    }
+     XML_ParserFree(parser);
+     return NULL;
+   }
--- a/Patches/LineageOS-15.1/android_frameworks_base/349330.patch
+++ b/Patches/LineageOS-15.1/android_frameworks_base/349330.patch
@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jackal Guo <jackalguo@google.com>
+Date: Tue, 25 Oct 2022 15:03:55 +0800
+Subject: [PATCH] Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+
+This action should be only broadcasted when the user data is cleared
+successfully. Broadcasting this action when failed case may result in
+unexpected result.
+
+Bug: 240267890
+Test: manually using the PoC in the buganizer to ensure the symptom
+      no longer exists.
+Change-Id: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b
+(cherry picked from commit 8b2e092146c7ab5c2952818dab6dcb6af9c417ce)
+Merged-In: I0bb612627c81a2f2d7e3dbf53ea891ee49cf734b
+---
+ .../server/am/ActivityManagerService.java     | 26 ++++++++++---------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 6029b8ceb691..e6f400c31bde 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -6075,19 +6075,21 @@ public class ActivityManagerService extends IActivityManager.Stub
+                             finishForceStopPackageLocked(packageName, appInfo.uid);
+                         }
+                     }
+-                    final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED,
+-                            Uri.fromParts("package", packageName, null));
+-                    intent.addFlags(Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND);
+-                    intent.putExtra(Intent.EXTRA_UID, (appInfo != null) ? appInfo.uid : -1);
+-                    intent.putExtra(Intent.EXTRA_USER_HANDLE, resolvedUserId);
+-                    if (isInstantApp) {
+-                        intent.putExtra(Intent.EXTRA_PACKAGE_NAME, packageName);
+-                        broadcastIntentInPackage("android", SYSTEM_UID, intent, null, null, 0,
+-                                null, null, permission.ACCESS_INSTANT_APPS, null, false, false,
+                    if (succeeded) {
+                        final Intent intent = new Intent(Intent.ACTION_PACKAGE_DATA_CLEARED,
+                                Uri.fromParts("package", packageName, null /* fragment */));
+                        intent.addFlags(Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND);
+                        intent.putExtra(Intent.EXTRA_UID, (appInfo != null) ? appInfo.uid : -1);
+                        intent.putExtra(Intent.EXTRA_USER_HANDLE, resolvedUserId);
+                        if (isInstantApp) {
+                            intent.putExtra(Intent.EXTRA_PACKAGE_NAME, packageName);
+                        }
+                        broadcastIntentInPackage("android", SYSTEM_UID,
+                                intent, null /* resolvedType */, null /* resultTo */,
+                                0 /* resultCode */, null /* resultData */, null /* resultExtras */,
+                                isInstantApp ? permission.ACCESS_INSTANT_APPS : null,
+                                null /* bOptions */, false /* serialized */, false /* sticky */,
+                                 resolvedUserId);
+-                    } else {
+-                        broadcastIntentInPackage("android", SYSTEM_UID, intent, null, null, 0,
+-                                null, null, null, null, false, false, resolvedUserId);
+                     }
+ 
+                     if (observer != null) {
--- a/Patches/LineageOS-15.1/android_frameworks_base/349331.patch
+++ b/Patches/LineageOS-15.1/android_frameworks_base/349331.patch
@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dmitry Dementyev <dementyev@google.com>
+Date: Tue, 22 Nov 2022 22:54:01 +0000
+Subject: [PATCH] Convert argument to intent in ChooseTypeAndAccountActivity
+
+Bug: 244154558
+Test: manual
+Change-Id: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e
+(cherry picked from commit ede0a767c26f144e38b4a0c1c2f530b05ffd29a8)
+Merged-In: I5a86639cd571e14e9a9f5d5ded631b5a7c08db7e
+---
+ core/java/android/accounts/ChooseTypeAndAccountActivity.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/java/android/accounts/ChooseTypeAndAccountActivity.java b/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+index 887ba18822f8..96f23a314e7b 100644
+--- a/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+++ b/core/java/android/accounts/ChooseTypeAndAccountActivity.java
+@@ -407,7 +407,7 @@ public class ChooseTypeAndAccountActivity extends Activity
+                 mExistingAccounts = AccountManager.get(this).getAccountsForPackage(mCallingPackage,
+                         mCallingUid);
+                 intent.setFlags(intent.getFlags() & ~Intent.FLAG_ACTIVITY_NEW_TASK);
+-                startActivityForResult(intent, REQUEST_ADD_ACCOUNT);
+                startActivityForResult(new Intent(intent), REQUEST_ADD_ACCOUNT);
+                 return;
+             }
+         } catch (OperationCanceledException e) {
--- a/Patches/LineageOS-15.1/android_packages_apps_Bluetooth/349332-backport.patch
+++ b/Patches/LineageOS-15.1/android_packages_apps_Bluetooth/349332-backport.patch
@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 8 Nov 2022 23:32:46 +0000
+Subject: [PATCH] Fix OPP comparison
+
+isBluetoothShareUri_correctlyCheckUri (under
+com.android.bluetooth.opp.BluetoothOppUtilityTest) is failing
+on null input due to an incorrect comparison in
+isBluetoothShareUri.  Change the comparison to one which can
+cope with null input.
+
+Bug: 257190999
+Test: atest: BluetoothOppUtilityTest
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: Ia6a08e7092c2084e1816b782317c13254e78719b
+(cherry picked from commit 90dc6fcdcba6c0c2b0f9bdaad28457a81c9af4ba)
+Merged-In: Ia6a08e7092c2084e1816b782317c13254e78719b
+---
+ src/com/android/bluetooth/opp/BluetoothOppUtility.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/com/android/bluetooth/opp/BluetoothOppUtility.java b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+index f366cca25..0f55f16e6 100644
+--- a/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+++ b/src/com/android/bluetooth/opp/BluetoothOppUtility.java
+@@ -54,6 +54,7 @@ import java.io.File;
+ import java.io.IOException;
+ import java.util.ArrayList;
+ import java.util.List;
+import java.util.Objects;
+ import java.util.concurrent.ConcurrentHashMap;
+ 
+ /**
+@@ -69,10 +70,10 @@ public class BluetoothOppUtility {
+ 
+     public static boolean isBluetoothShareUri(Uri uri) {
+         if (uri.toString().startsWith(BluetoothShare.CONTENT_URI.toString())
+-                && !uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority())) {
+                && !Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority())) {
+             EventLog.writeEvent(0x534e4554, "225880741", -1, "");
+         }
+-        return uri.getAuthority().equals(BluetoothShare.CONTENT_URI.getAuthority());
+        return Objects.equals(uri.getAuthority(), BluetoothShare.CONTENT_URI.getAuthority());
+     }
+ 
+     public static BluetoothOppTransferInfo queryRecord(Context context, Uri uri) {
--- a/Patches/LineageOS-15.1/android_packages_apps_Nfc/348653.patch
+++ b/Patches/LineageOS-15.1/android_packages_apps_Nfc/348653.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 22 Nov 2022 15:49:11 -0800
+Subject: [PATCH] DO NOT MERGE OOBW in phNciNfc_MfCreateXchgDataHdr
+
+Bug: 246932269
+Test: Build ok
+Change-Id: I4dcd18da8b5145e218d070414da8997aff181364
+(cherry picked from commit 2e4dfa6c92de30907851914add6485f8b7920968)
+Merged-In: I4dcd18da8b5145e218d070414da8997aff181364
+---
+ nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+index cf5aafb6..3c01b2ab 100755
+--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+@@ -1549,6 +1549,12 @@ phNciNfc_MfCreateXchgDataHdr(phNciNfc_TransceiveInfo_t tTranscvInfo,
+     NFCSTATUS   status = NFCSTATUS_SUCCESS;
+     uint8_t     i = 0;
+ 
+    if (tTranscvInfo.tSendData.wLen > (MAX_BUFF_SIZE - 1))
+    {
+      android_errorWriteLog(0x534e4554, "246932269");
+      return NFCSTATUS_FAILED;
+    }
+
+     buff[i++] = phNciNfc_e_MfRawDataXchgHdr;
+     memcpy(&buff[i],tTranscvInfo.tSendData.pBuff,tTranscvInfo.tSendData.wLen);
+     *buffSz = i + tTranscvInfo.tSendData.wLen;
--- a/Patches/LineageOS-15.1/android_system_bt/349334-backport.patch
+++ b/Patches/LineageOS-15.1/android_system_bt/349334-backport.patch
@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 2 Dec 2022 00:41:24 +0000
+Subject: [PATCH] Report failure when not able to connect to AVRCP
+
+A crash may occur when creating a bluetooth AVRCP connection to a
+device.
+
+The code fails to check a return value from an AVRCP function
+being used to index into an array. The return value may exceed the
+size of the array causing memory outside the bounds of the array to be
+accessed leading to memory corruption and a crash.
+
+The fix is to ensure the return value is within the bounds of the
+array before accessing the array contents. If the return value is
+not within the bounds of the array report it as a failure to the
+bluetooth stack.
+
+This change is relevant for android automotive because the IVI
+(in-vehicle infotainment system) acts as the an AVRCP controller
+which still executes this code.
+
+Note: this is a backport of b/214569798, inducted as a non-security
+issue.  Per b/226927612 it has been found to have security impact
+and should be backported to earlier branches.
+
+Bug: 226927612
+Test: Manual - set return value to be out of bounds, verify no crash
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I03f89f894c759b85e555a024435b625397ef7e5c
+Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
+(cherry picked from commit 86112bf0535f3f5a4c6a0a137e67b0eebd9bbdf5)
+Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
+---
+ bta/av/bta_av_act.cc | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
+index 541d68303..2043b75cf 100644
+--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
+@@ -1826,7 +1826,21 @@ void bta_av_rc_disc_done(UNUSED_ATTR tBTA_AV_DATA* p_data) {
+         if (p_lcb) {
+           rc_handle = bta_av_rc_create(p_cb, AVCT_INT,
+                                        (uint8_t)(p_scb->hdi + 1), p_lcb->lidx);
+-          p_cb->rcb[rc_handle].peer_features = peer_features;
+          if (rc_handle < BTA_AV_NUM_RCB) {
+            p_cb->rcb[rc_handle].peer_features = peer_features;
+          } else {
+            /* cannot create valid rc_handle for current device. report failure
+             */
+            APPL_TRACE_ERROR("%s: no link resources available", __func__);
+            p_scb->use_rc = false;
+            tBTA_AV_RC_OPEN rc_open;
+            rc_open.peer_addr = p_scb->PeerAddress();
+            rc_open.peer_features = 0;
+            rc_open.status = BTA_AV_FAIL_RESOURCES;
+            tBTA_AV bta_av_data;
+            bta_av_data.rc_open = rc_open;
+            (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data);
+          }
+         } else {
+           APPL_TRACE_ERROR("can not find LCB!!");
+         }
--- a/Patches/LineageOS-15.1/android_system_bt/349335.patch
+++ b/Patches/LineageOS-15.1/android_system_bt/349335.patch
@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Tue, 27 Sep 2022 22:05:08 +0000
+Subject: [PATCH] Add bounds check in avdt_scb_act.cc
+
+Bug: 242535997
+Test: BT unit tests, validated against researcher POC
+Tag: #security
+Ignore-AOSP-First: Security
+Change-Id: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+(cherry picked from commit eca4a3cdb0da240496341f546a57397434ec85dd)
+Merged-In: I3b982e5d447cb98ad269b3da3d7d591819b2e4e4
+---
+ stack/avdt/avdt_scb_act.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
+index 5e0e98d80..ea9c0bceb 100644
+--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
+@@ -957,6 +957,11 @@ void avdt_scb_hdl_write_req(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
+ 
+   /* Build a media packet, and add an RTP header if required. */
+   if (add_rtp_header) {
+    if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) {
+      android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
+      return;
+    }
+
+     ssrc = avdt_scb_gen_ssrc(p_scb);
+ 
+     p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;
--- a/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/348653.patch
+++ b/Patches/LineageOS-15.1/android_vendor_nxp_opensource_packages_apps_Nfc/348653.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alisher Alikhodjaev <alisher@google.com>
+Date: Tue, 22 Nov 2022 15:49:11 -0800
+Subject: [PATCH] DO NOT MERGE OOBW in phNciNfc_MfCreateXchgDataHdr
+
+Bug: 246932269
+Test: Build ok
+Change-Id: I4dcd18da8b5145e218d070414da8997aff181364
+(cherry picked from commit 2e4dfa6c92de30907851914add6485f8b7920968)
+Merged-In: I4dcd18da8b5145e218d070414da8997aff181364
+---
+ nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+index 8e9399ef..8338bd34 100644
+--- a/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+++ b/nci/jni/extns/pn54x/src/mifare/phNxpExtns_MifareStd.c
+@@ -1561,6 +1561,12 @@ phNciNfc_MfCreateXchgDataHdr(phNciNfc_TransceiveInfo_t tTranscvInfo,
+     NFCSTATUS   status = NFCSTATUS_SUCCESS;
+     uint8_t     i = 0;
+ 
+    if (tTranscvInfo.tSendData.wLen > (MAX_BUFF_SIZE - 1))
+    {
+      android_errorWriteLog(0x534e4554, "246932269");
+      return NFCSTATUS_FAILED;
+    }
+
+     buff[i++] = phNciNfc_e_MfRawDataXchgHdr;
+     memcpy(&buff[i],tTranscvInfo.tSendData.pBuff,tTranscvInfo.tSendData.wLen);
+     *buffSz = i + tTranscvInfo.tSendData.wLen;
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@ -73,7 +73,7 @@ applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys t
 applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2023-01-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2023-02-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;

 if enterAndClear "build/soong"; then
@ -105,6 +105,7 @@ if enterAndClear "external/expat"; then
 applyPatch "$DOS_PATCHES/android_external_expat/337987.patch"; #Q_asb_2022-09 Prevent XML_GetBuffer signed integer overflow
 applyPatch "$DOS_PATCHES/android_external_expat/337988-backport.patch"; #n-asb-2022-09 Prevent integer overflow in function doProlog
 applyPatch "$DOS_PATCHES/android_external_expat/337989-backport.patch"; #n-asb-2022-09 Prevent more integer overflows
+applyPatch "$DOS_PATCHES/android_external_expat/348649.patch"; #n-asb-2023-02 Fix overeager DTD destruction (fixes #649)
 fi;

 #if [ "$DOS_GRAPHENE_MALLOC_BROKEN" = true ]; then
@ -166,6 +167,8 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/347047-backport.patch"; #P_asb_
 #applyPatch "$DOS_PATCHES/android_frameworks_base/347048-backport.patch"; #P_asb_2023-01 Revert "Revert "RESTRICT AUTOMERGE Validate permission tree size..." #XXX: uncertain backport
 applyPatch "$DOS_PATCHES/android_frameworks_base/347049-backport.patch"; #P_asb_2023-01 [SettingsProvider] key size limit for mutating settings
 applyPatch "$DOS_PATCHES/android_frameworks_base/347051-backport.patch"; #P_asb_2023-01 Add protections agains use-after-free issues if cancel() or queue() is called after a device connection has been closed.
+applyPatch "$DOS_PATCHES/android_frameworks_base/349330.patch"; #P_asb_2023-02 Correct the behavior of ACTION_PACKAGE_DATA_CLEARED
+applyPatch "$DOS_PATCHES/android_frameworks_base/349331.patch"; #P_asb_2023-02 Convert argument to intent in ChooseTypeAndAccountActivity
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after three failed attempts (GrapheneOS)
@ -254,6 +257,7 @@ if enterAndClear "packages/apps/Bluetooth"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332758-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setScanMode by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/332759-backport.patch"; #P_asb_2022-06 Removes app access to BluetoothAdapter#setDiscoverableTimeout by requiring BLUETOOTH_PRIVILEGED permission.
 applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/345907-backport.patch"; #P_asb_2022-12 Fix URI check in BluetoothOppUtility.java
+applyPatch "$DOS_PATCHES/android_packages_apps_Bluetooth/349332-backport.patch"; #P_asb_2023-02 Fix OPP comparison
 fi;

 if enterAndClear "packages/apps/Contacts"; then
@ -285,6 +289,7 @@ if enterAndClear "packages/apps/Nfc"; then
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/328346.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/332455-backport.patch"; #n-asb-2022-06 OOB read in phNciNfc_RecvMfResp()
 applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/346953-backport.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive()
+applyPatch "$DOS_PATCHES/android_packages_apps_Nfc/348653.patch"; #n-asb-2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr
 fi;

 if enterAndClear "packages/apps/Settings"; then
@ -375,6 +380,8 @@ applyPatch "$DOS_PATCHES/android_system_bt/345917.patch"; #P_asb_2022-12 Add len
 applyPatch "$DOS_PATCHES/android_system_bt/345918.patch"; #P_asb_2022-12 Fix integer overflow when parsing avrc response
 applyPatch "$DOS_PATCHES/android_system_bt/347127.patch"; #P_asb_2023-01 Once AT command is retrieved, return from method.
 applyPatch "$DOS_PATCHES/android_system_bt/347128.patch"; #P_asb_2023-01 AVRC: Validating msg size before accessing fields
+#applyPatch "$DOS_PATCHES/android_system_bt/349334-backport.patch"; #P_asb_2023-02 Report failure when not able to connect to AVRCP XXX: doesn't compile
+applyPatch "$DOS_PATCHES/android_system_bt/349335.patch"; #P_asb_2023-02 Add bounds check in avdt_scb_act.cc
 fi;

 if enterAndClear "system/core"; then
@ -412,6 +419,7 @@ if enterAndClear "vendor/nxp/opensource/packages/apps/Nfc"; then #keep in sync w
 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/252808-backport.patch"; #n-asb-2019-08 Prevent OOB write in Mfc_Transceive
 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/328348-backport.patch"; #P_asb_2022-04 Do not set default contactless application without user interaction
 applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/346953-backport.patch"; #n-asb-2023-01 OOBW in Mfc_Transceive()
+applyPatch "$DOS_PATCHES/android_vendor_nxp_opensource_packages_apps_Nfc/348653.patch"; #n-asb-2023-02 OOBW in phNciNfc_MfCreateXchgDataHdr
 fi;

 if enterAndClear "vendor/lineage"; then
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@ -87,6 +87,7 @@ patchWorkspace() {
 	repopick -it P_asb_2022-11 -e 344200;
 	repopick -it P_asb_2022-12 -e 345931;
 	repopick -it P_asb_2023-01 -e 347129;
+	repopick -it P_asb_2023-02 -e 349337;

 	sh "$DOS_SCRIPTS/Patch.sh";
 	sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -97,7 +97,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2022-01-05/2023-01-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-01 #XXX
+sed -i 's/2022-01-05/2023-02-05/' core/version_defaults.mk; #Bump Security String #P_asb_2023-02 #XXX
 fi;

 if enterAndClear "build/soong"; then