From bdcde818b9a2cff5c49f372de18b5bf6d4416e7e Mon Sep 17 00:00:00 2001
From: Tavi <tavi@divested.dev>
Date: Sun, 15 Sep 2024 16:56:21 -0400
Subject: [PATCH] 15.1: September 2024 ASB work

Signed-off-by: Tavi <tavi@divested.dev>
---
 Logs/resetWorkspace-LineageOS-15.1.txt        |   2 +-
 ...arser-parameter-to-XML_UseForeignDTD.patch |   4 +-
 ...ion-hint-on-XML_ERROR_INVALID_ARGUME.patch |   2 +-
 ...parser-parameter-for-XML_ParseBuffer.patch |   2 +-
 ...ect-negative-len-for-XML_ParseBuffer.patch |   2 +-
 ...b-Detect-integer-overflow-in-dtdCopy.patch |   4 +-
 ...er-overflow-in-function-nextScaffold.patch |   4 +-
 ...-opening-tag-bindings-after-closing-.patch |   6 +-
 .../401373-backport.patch                     |  66 +++
 .../401375-backport.patch                     |  28 +
 .../401377-backport.patch                     | 114 ++++
 .../401380-backport.patch                     | 537 ++++++++++++++++++
 .../android_system_bt/399772-backport.patch   |   2 +-
 Scripts/LineageOS-15.1/Patch.sh               |   6 +-
 14 files changed, 764 insertions(+), 15 deletions(-)
 create mode 100644 Patches/LineageOS-15.1/android_frameworks_base/401373-backport.patch
 create mode 100644 Patches/LineageOS-15.1/android_packages_apps_Settings/401375-backport.patch
 create mode 100644 Patches/LineageOS-15.1/android_packages_apps_Settings/401377-backport.patch
 create mode 100644 Patches/LineageOS-15.1/android_packages_services_Telecomm/401380-backport.patch

diff --git a/Logs/resetWorkspace-LineageOS-15.1.txt b/Logs/resetWorkspace-LineageOS-15.1.txt
index 938d20fa..efbdf374 100644
--- a/Logs/resetWorkspace-LineageOS-15.1.txt
+++ b/Logs/resetWorkspace-LineageOS-15.1.txt
@@ -68,7 +68,7 @@ external/caliper 4a0d9aba0856d0aa965d5653bfa4c138f0e8a8ba
 external/cblas d063db8bdddfcde61e4bad3bfe65941fd73e8094
 external/chromium-libpac 0ac78251d11006d764ba1aad8cc0867827fafe5c
 external/chromium-trace 8b2c0074e71a8086dee98ca8730acfdc5eddf7a1
-external/chromium-webview b270aa98312408d5893ee72fcd62b4d89937ceb2
+external/chromium-webview 8400ae9b819741cd4d436cce372496426ec85fc9
 external/clang 751a76679b0fb5798ea6cab75906df07edcab315
 external/cmockery 9199c7bfafefea32d1884182fa655b6e4578c1c4
 external/compiler-rt 0c46c9e892a3f68420635032ef2f6152dabd197c
diff --git a/Patches/LineageOS-15.1/android_external_expat/0001-Validate-parser-parameter-to-XML_UseForeignDTD.patch b/Patches/LineageOS-15.1/android_external_expat/0001-Validate-parser-parameter-to-XML_UseForeignDTD.patch
index e5dd60d1..61303d5d 100644
--- a/Patches/LineageOS-15.1/android_external_expat/0001-Validate-parser-parameter-to-XML_UseForeignDTD.patch
+++ b/Patches/LineageOS-15.1/android_external_expat/0001-Validate-parser-parameter-to-XML_UseForeignDTD.patch
@@ -9,7 +9,7 @@ Subject: [PATCH] Validate parser parameter to XML_UseForeignDTD.
  2 files changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/lib/expat.h b/lib/expat.h
-index ec62f140..145c283b 100644
+index 086e24b3..957da1c5 100644
 --- a/lib/expat.h
 +++ b/lib/expat.h
 @@ -95,7 +95,9 @@ enum XML_Error {
@@ -32,7 +32,7 @@ index ec62f140..145c283b 100644
  XMLPARSEAPI(enum XML_Error)
  XML_UseForeignDTD(XML_Parser parser, XML_Bool useDTD);
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 57c93e05..9df42782 100644
+index ee71adad..065b04f8 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
 @@ -1243,6 +1243,8 @@ XML_UseParserAsHandlerArg(XML_Parser parser)
diff --git a/Patches/LineageOS-15.1/android_external_expat/0002-expat.h-Fix-version-hint-on-XML_ERROR_INVALID_ARGUME.patch b/Patches/LineageOS-15.1/android_external_expat/0002-expat.h-Fix-version-hint-on-XML_ERROR_INVALID_ARGUME.patch
index d45176e9..89b21bbe 100644
--- a/Patches/LineageOS-15.1/android_external_expat/0002-expat.h-Fix-version-hint-on-XML_ERROR_INVALID_ARGUME.patch
+++ b/Patches/LineageOS-15.1/android_external_expat/0002-expat.h-Fix-version-hint-on-XML_ERROR_INVALID_ARGUME.patch
@@ -9,7 +9,7 @@ Introduced at commit 768613f801020dee30a0583ec6cd77ec401d747f.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/lib/expat.h b/lib/expat.h
-index 145c283b..59c36e54 100644
+index 957da1c5..34644468 100644
 --- a/lib/expat.h
 +++ b/lib/expat.h
 @@ -96,7 +96,7 @@ enum XML_Error {
diff --git a/Patches/LineageOS-15.1/android_external_expat/0003-Validate-parser-parameter-for-XML_ParseBuffer.patch b/Patches/LineageOS-15.1/android_external_expat/0003-Validate-parser-parameter-for-XML_ParseBuffer.patch
index 733f957d..1a71b030 100644
--- a/Patches/LineageOS-15.1/android_external_expat/0003-Validate-parser-parameter-for-XML_ParseBuffer.patch
+++ b/Patches/LineageOS-15.1/android_external_expat/0003-Validate-parser-parameter-for-XML_ParseBuffer.patch
@@ -8,7 +8,7 @@ Subject: [PATCH] Validate parser parameter for XML_ParseBuffer
  1 file changed, 2 insertions(+)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 9df42782..d3b43171 100644
+index 065b04f8..f35645f3 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
 @@ -1670,6 +1670,8 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
diff --git a/Patches/LineageOS-15.1/android_external_expat/0004-lib-Reject-negative-len-for-XML_ParseBuffer.patch b/Patches/LineageOS-15.1/android_external_expat/0004-lib-Reject-negative-len-for-XML_ParseBuffer.patch
index 4dca3603..79a2a904 100644
--- a/Patches/LineageOS-15.1/android_external_expat/0004-lib-Reject-negative-len-for-XML_ParseBuffer.patch
+++ b/Patches/LineageOS-15.1/android_external_expat/0004-lib-Reject-negative-len-for-XML_ParseBuffer.patch
@@ -13,7 +13,7 @@ Change-Id: Ic070b629e085c2aa5fd2711e1738acde42fee444
  1 file changed, 6 insertions(+)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index d3b43171..d9f33395 100644
+index f35645f3..bd429812 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
 @@ -1672,6 +1672,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
diff --git a/Patches/LineageOS-15.1/android_external_expat/0005-lib-Detect-integer-overflow-in-dtdCopy.patch b/Patches/LineageOS-15.1/android_external_expat/0005-lib-Detect-integer-overflow-in-dtdCopy.patch
index 19f52a31..602cb668 100644
--- a/Patches/LineageOS-15.1/android_external_expat/0005-lib-Detect-integer-overflow-in-dtdCopy.patch
+++ b/Patches/LineageOS-15.1/android_external_expat/0005-lib-Detect-integer-overflow-in-dtdCopy.patch
@@ -13,10 +13,10 @@ Change-Id: Ie0e4d640a83b06d9829c742e73af3aa40116e10b
  1 file changed, 10 insertions(+)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index d9f33395..99bf2411 100644
+index bd429812..c88eaeb3 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -6004,6 +6004,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
+@@ -6008,6 +6008,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_H
      if (!newE)
        return 0;
      if (oldE->nDefaultAtts) {
diff --git a/Patches/LineageOS-15.1/android_external_expat/0006-lib-Detect-integer-overflow-in-function-nextScaffold.patch b/Patches/LineageOS-15.1/android_external_expat/0006-lib-Detect-integer-overflow-in-function-nextScaffold.patch
index 1b3c7a0b..a130f676 100644
--- a/Patches/LineageOS-15.1/android_external_expat/0006-lib-Detect-integer-overflow-in-function-nextScaffold.patch
+++ b/Patches/LineageOS-15.1/android_external_expat/0006-lib-Detect-integer-overflow-in-function-nextScaffold.patch
@@ -13,10 +13,10 @@ Change-Id: Ic152fd5352442dc60db0358226118a0ad3021bc5
  1 file changed, 9 insertions(+)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 99bf2411..977079f9 100644
+index c88eaeb3..e93a788d 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -6494,6 +6494,15 @@ nextScaffoldPart(XML_Parser parser)
+@@ -6498,6 +6498,15 @@ nextScaffoldPart(XML_Parser parser)
    int next;
  
    if (!dtd->scaffIndex) {
diff --git a/Patches/LineageOS-15.1/android_external_expat/0007-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch b/Patches/LineageOS-15.1/android_external_expat/0007-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch
index b6832b2e..fc82fd47 100644
--- a/Patches/LineageOS-15.1/android_external_expat/0007-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch
+++ b/Patches/LineageOS-15.1/android_external_expat/0007-lib-Stop-leaking-opening-tag-bindings-after-closing-.patch
@@ -15,10 +15,10 @@ Change-Id: I2572abf87973e8de97898726812a14354aa01c17
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 977079f9..cc30f71f 100644
+index e93a788d..300f4e0b 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -2567,9 +2567,6 @@ doContent(XML_Parser parser,
+@@ -2571,9 +2571,6 @@ doContent(XML_Parser parser,
          int len;
          const char *rawName;
          TAG *tag = tagStack;
@@ -28,7 +28,7 @@ index 977079f9..cc30f71f 100644
          rawName = s + enc->minBytesPerChar*2;
          len = XmlNameLength(enc, rawName);
          if (len != tag->rawNameLength
-@@ -2577,6 +2574,9 @@ doContent(XML_Parser parser,
+@@ -2581,6 +2578,9 @@ doContent(XML_Parser parser,
            *eventPP = rawName;
            return XML_ERROR_TAG_MISMATCH;
          }
diff --git a/Patches/LineageOS-15.1/android_frameworks_base/401373-backport.patch b/Patches/LineageOS-15.1/android_frameworks_base/401373-backport.patch
new file mode 100644
index 00000000..6242a975
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_frameworks_base/401373-backport.patch
@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kiran Ramachandra <kiranmr@google.com>
+Date: Wed, 5 Jun 2024 21:03:33 +0000
+Subject: [PATCH] DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme
+ delimiter
+
+Initially considered removing unsupported characters as per IANA guidelines, but this could break applications that use custom schemes with asterisks. Instead, opted to remove only the "://" to minimize disruption
+
+Bug: 261721900
+Test: atest FrameworksCoreTests:android.net.UriTest
+
+No-Typo-Check: The unit test is specifically written to test few cases, string "http://https://" is not a typo
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:1fd0421801c391dd619cafeeea8d379a9029074a)
+Merged-In: I88b1550a5d8b3dc0f6286e28899884025d059645
+Change-Id: I88b1550a5d8b3dc0f6286e28899884025d059645
+---
+ core/java/android/net/Uri.java                    |  6 +++++-
+ core/tests/coretests/src/android/net/UriTest.java | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
+index 8af3687af40b..757ee29499fe 100644
+--- a/core/java/android/net/Uri.java
++++ b/core/java/android/net/Uri.java
+@@ -1351,7 +1351,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
+          * @param scheme name or {@code null} if this is a relative Uri
+          */
+         public Builder scheme(String scheme) {
+-            this.scheme = scheme;
++            if (scheme != null) {
++                this.scheme = scheme.replace("://", "");
++            } else {
++                this.scheme = null;
++            }
+             return this;
+         }
+ 
+diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java
+index ea0347d67ad7..6c9fdd5a83a7 100644
+--- a/core/tests/coretests/src/android/net/UriTest.java
++++ b/core/tests/coretests/src/android/net/UriTest.java
+@@ -18,6 +18,7 @@ package android.net;
+ 
+ import android.content.ContentUris;
+ import android.os.Parcel;
++import android.platform.test.annotations.AsbSecurityTest;
+ import android.test.suitebuilder.annotation.SmallTest;
+ 
+ import junit.framework.TestCase;
+@@ -83,6 +84,16 @@ public class UriTest extends TestCase {
+         assertNull(u.getHost());
+     }
+ 
++    @AsbSecurityTest(cveBugId = 261721900)
++    @SmallTest
++    public void testSchemeSanitization() {
++        Uri uri = new Uri.Builder()
++                .scheme("http://https://evil.com:/te:st/")
++                .authority("google.com").path("one/way").build();
++        assertEquals("httphttpsevil.com:/te:st/", uri.getScheme());
++        assertEquals("httphttpsevil.com:/te:st/://google.com/one/way", uri.toString());
++    }
++
+     @SmallTest
+     public void testStringUri() {
+         assertEquals("bob lee",
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/401375-backport.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/401375-backport.patch
new file mode 100644
index 00000000..e2d36de1
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/401375-backport.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chaohui Wang <chaohuiw@google.com>
+Date: Thu, 2 Nov 2023 11:43:00 +0800
+Subject: [PATCH] Limit wifi item edit content's max length to 500
+
+Bug: 293199910
+Test: manual - on "Add network"
+
+(cherry picked from commit 855053ca4124f2d515b21c469096f8c18bd4829d)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:092668676af741719d50ac0f121a8f8461aa21ad)
+Merged-In: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
+Change-Id: I303b8c6e0f3c3a1174a047ba98f302042e5db9ae
+---
+ res/values/styles.xml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/res/values/styles.xml b/res/values/styles.xml
+index f3e16bffcd6..ae3d03fbf91 100644
+--- a/res/values/styles.xml
++++ b/res/values/styles.xml
+@@ -218,6 +218,7 @@
+         <item name="android:paddingStart">4dip</item>
+         <item name="android:layout_marginStart">4dip</item>
+         <item name="android:textSize">18sp</item>
++        <item name="android:maxLength">500</item>
+     </style>
+ 
+     <style name="wifi_section">
diff --git a/Patches/LineageOS-15.1/android_packages_apps_Settings/401377-backport.patch b/Patches/LineageOS-15.1/android_packages_apps_Settings/401377-backport.patch
new file mode 100644
index 00000000..38aa9c25
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_apps_Settings/401377-backport.patch
@@ -0,0 +1,114 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chris Antol <cantol@google.com>
+Date: Tue, 4 Jun 2024 17:00:46 +0000
+Subject: [PATCH] Ignore fragment attr from ext authenticator resource
+
+Bug: 341886134
+Test: Unit Test
+Test: Manual - see ticket for steps
+Flag: EXEMPT <security>
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2cb9b10ed97b1b9b29661115789605a762f3c2ef)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7e0b376b11318e1e79b31bac6aafc0c923868bc4)
+Merged-In: Id91c2b3b6d16ba3702ee2cd6723365a4db52863b
+Change-Id: Id91c2b3b6d16ba3702ee2cd6723365a4db52863b
+---
+ .../accounts/AccountTypePreferenceLoader.java | 57 +++++++++++++++++++
+ 1 file changed, 57 insertions(+)
+
+diff --git a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
+index 7656dbbb77a..92b0146654f 100644
+--- a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
++++ b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
+@@ -34,14 +34,22 @@ import android.support.v7.preference.Preference;
+ import android.support.v7.preference.Preference.OnPreferenceClickListener;
+ import android.support.v7.preference.PreferenceGroup;
+ import android.support.v7.preference.PreferenceScreen;
++import android.text.TextUtils;
+ import android.util.Log;
+ 
++import android.support.annotation.NonNull;
++import android.support.annotation.Nullable;
++import android.support.annotation.VisibleForTesting;
++import android.util.ArraySet;
++
+ import com.android.settings.R;
+ import com.android.settings.SettingsActivity;
+ import com.android.settings.location.LocationSettings;
+ import com.android.settings.utils.LocalClassLoaderContextThemeWrapper;
+ import com.android.settingslib.accounts.AuthenticatorHelper;
+ 
++import java.util.Set;
++
+ /**
+  * Class to load the preference screen to be added to the settings page for the specific account
+  * type as specified in the account-authenticator.
+@@ -80,6 +88,7 @@ public class AccountTypePreferenceLoader {
+             try {
+                 desc = mAuthenticatorHelper.getAccountTypeDescription(accountType);
+                 if (desc != null && desc.accountPreferencesId != 0) {
++                    Set<String> fragmentAllowList = generateFragmentAllowlist(parent);
+                     // Load the context of the target package, then apply the
+                     // base Settings theme (no references to local resources)
+                     // and create a context theme wrapper so that we get the
+@@ -95,6 +104,12 @@ public class AccountTypePreferenceLoader {
+                     themedCtx.getTheme().setTo(baseTheme);
+                     prefs = mFragment.getPreferenceManager().inflateFromResource(themedCtx,
+                             desc.accountPreferencesId, parent);
++                    // Ignore Fragments provided dynamically, as these are coming from external
++                    // applications which must not have access to internal Settings' fragments.
++                    // These preferences are rendered into Settings, so they also won't have access
++                    // to their own Fragments, meaning there is no acceptable usage of
++                    // android:fragment here.
++                    filterBlockedFragments(prefs, fragmentAllowList);
+                 }
+             } catch (PackageManager.NameNotFoundException e) {
+                 Log.w(TAG, "Couldn't load preferences.xml file from " + desc.packageName);
+@@ -179,6 +194,48 @@ public class AccountTypePreferenceLoader {
+         }
+     }
+ 
++    // Build allowlist from existing Fragments in PreferenceGroup
++    @VisibleForTesting
++    Set<String> generateFragmentAllowlist(@Nullable PreferenceGroup prefs) {
++        Set<String> fragmentAllowList = new ArraySet<>();
++        if (prefs == null) {
++            return fragmentAllowList;
++        }
++
++        for (int i = 0; i < prefs.getPreferenceCount(); i++) {
++            Preference pref = prefs.getPreference(i);
++            if (pref instanceof PreferenceGroup) {
++                fragmentAllowList.addAll(generateFragmentAllowlist((PreferenceGroup) pref));
++            }
++
++            String fragmentName = pref.getFragment();
++            if (!TextUtils.isEmpty(fragmentName)) {
++                fragmentAllowList.add(fragmentName);
++            }
++        }
++        return fragmentAllowList;
++    }
++
++    // Block clicks on any Preference with android:fragment that is not contained in the allowlist
++    @VisibleForTesting
++    void filterBlockedFragments(@Nullable PreferenceGroup prefs,
++            @NonNull Set<String> allowedFragments) {
++        if (prefs == null) {
++            return;
++        }
++        for (int i = 0; i < prefs.getPreferenceCount(); i++) {
++            Preference pref = prefs.getPreference(i);
++            if (pref instanceof PreferenceGroup) {
++                filterBlockedFragments((PreferenceGroup) pref, allowedFragments);
++            }
++
++            String fragmentName = pref.getFragment();
++            if (fragmentName != null && !allowedFragments.contains(fragmentName)) {
++                pref.setOnPreferenceClickListener(preference -> true);
++            }
++        }
++    }
++
+     /**
+      * Determines if the supplied Intent is safe. A safe intent is one that is
+      * will launch a exported=true activity or owned by the same uid as the
diff --git a/Patches/LineageOS-15.1/android_packages_services_Telecomm/401380-backport.patch b/Patches/LineageOS-15.1/android_packages_services_Telecomm/401380-backport.patch
new file mode 100644
index 00000000..6d6d45be
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_packages_services_Telecomm/401380-backport.patch
@@ -0,0 +1,537 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Grant Menke <grantmenke@google.com>
+Date: Thu, 25 Apr 2024 10:43:43 -0700
+Subject: [PATCH] DO NOT MERGE Unbind CS if connection is not created within 15
+ seconds.
+
+This CL adds a check to ensure that connection creation occurs within 15 seconds after binding to that ConnectionService. If the connection/conference is not created in that timespan, this CL adds logic to manually unbind the ConnectionService at that point in time. This prevents malicious apps from keeping a declared permission in forever even in the background.
+
+Bug: 293458004
+Test: manually using the provided apk + atest CallsManagerTest
+Flag: EXEMPT Security High/Critical Severity CVE
+(cherry picked from commit 7aa55ffca65d6166145fd9660e0f7340c07053bf)
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:286781dfcb78d8b5c1a77f2390f5251f01943add)
+Merged-In: I30caed1481dff5af2223a8ff589846597cee8229
+Change-Id: I30caed1481dff5af2223a8ff589846597cee8229
+---
+ src/com/android/server/telecom/Call.java      |  26 ++
+ .../telecom/ConnectionServiceWrapper.java     |  49 ++-
+ src/com/android/server/telecom/LogUtils.java  |   1 +
+ .../server/telecom/tests/BasicCallTests.java  |   2 +
+ .../tests/ComponentContextFixture.java        |  14 +
+ .../tests/TestScheduledExecutorService.java   | 283 ++++++++++++++++++
+ 6 files changed, 373 insertions(+), 2 deletions(-)
+ create mode 100644 tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java
+
+diff --git a/src/com/android/server/telecom/Call.java b/src/com/android/server/telecom/Call.java
+index 90c1fe81a..02604b5a2 100644
+--- a/src/com/android/server/telecom/Call.java
++++ b/src/com/android/server/telecom/Call.java
+@@ -294,6 +294,17 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable {
+     /** The state of the call. */
+     private int mState;
+ 
++    /**
++     * Determines whether the {@link ConnectionService} has responded to the initial request to
++     * create the connection.
++     *
++     * {@code false} indicates the {@link Call} has been added to Telecom, but the
++     * {@link Connection} has not yet been returned by the associated {@link ConnectionService}.
++     * {@code true} indicates the {@link Call} has an associated {@link Connection} reported by the
++     * {@link ConnectionService}.
++     */
++    private boolean mIsCreateConnectionComplete = false;
++
+     /** The handle with which to establish this call. */
+     private Uri mHandle;
+ 
+@@ -736,6 +747,20 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable {
+         return sb.toString();
+     }
+ 
++    /**
++     * @return {@code true} if the connection has been created by the underlying
++     * {@link ConnectionService}, {@code false} otherwise.
++     */
++    public boolean isCreateConnectionComplete() {
++        return mIsCreateConnectionComplete;
++    }
++
++    @VisibleForTesting
++    public void setIsCreateConnectionComplete(boolean isCreateConnectionComplete) {
++        mIsCreateConnectionComplete = isCreateConnectionComplete;
++    }
++
++
+     @VisibleForTesting
+     public int getState() {
+         return mState;
+@@ -1498,6 +1523,7 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable {
+             CallIdMapper idMapper,
+             ParcelableConnection connection) {
+         Log.v(this, "handleCreateConnectionSuccessful %s", connection);
++        mIsCreateConnectionComplete = true;
+         setTargetPhoneAccount(connection.getPhoneAccount());
+         setHandle(connection.getHandle(), connection.getHandlePresentation());
+         setCallerDisplayName(
+diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java
+index 0335b230b..e825878b5 100644
+--- a/src/com/android/server/telecom/ConnectionServiceWrapper.java
++++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java
+@@ -34,6 +34,7 @@ import android.telecom.ConnectionService;
+ import android.telecom.DisconnectCause;
+ import android.telecom.GatewayInfo;
+ import android.telecom.Log;
++import android.telecom.Logging.Runnable;
+ import android.telecom.Logging.Session;
+ import android.telecom.ParcelableConference;
+ import android.telecom.ParcelableConnection;
+@@ -56,6 +57,11 @@ import java.util.List;
+ import java.util.Map;
+ import java.util.Set;
+ import java.util.concurrent.ConcurrentHashMap;
++import java.util.concurrent.ExecutorService;
++import java.util.concurrent.Executors;
++import java.util.concurrent.ScheduledExecutorService;
++import java.util.concurrent.ScheduledFuture;
++import java.util.concurrent.TimeUnit;
+ 
+ /**
+  * Wrapper for {@link IConnectionService}s, handles binding to {@link IConnectionService} and keeps
+@@ -66,6 +72,12 @@ import java.util.concurrent.ConcurrentHashMap;
+ @VisibleForTesting
+ public class ConnectionServiceWrapper extends ServiceBinder {
+ 
++    private static final long SERVICE_BINDING_TIMEOUT = 15000L;
++    private ScheduledExecutorService mScheduledExecutor =
++            Executors.newSingleThreadScheduledExecutor();
++    // Pre-allocate space for 2 calls; realistically thats all we should ever need (tm)
++    private final Map<Call, ScheduledFuture<?>> mScheduledFutureMap = new ConcurrentHashMap<>(2);
++
+     private final class Adapter extends IConnectionServiceAdapter.Stub {
+ 
+         @Override
+@@ -77,6 +89,12 @@ public class ConnectionServiceWrapper extends ServiceBinder {
+             try {
+                 synchronized (mLock) {
+                     logIncoming("handleCreateConnectionComplete %s", callId);
++                    Call call = mCallIdMapper.getCall(callId);
++                    if (mScheduledFutureMap.containsKey(call)) {
++                        ScheduledFuture<?> existingTimeout = mScheduledFutureMap.get(call);
++                        existingTimeout.cancel(false /* cancelIfRunning */);
++                        mScheduledFutureMap.remove(call);
++                    }
+                     // Check status hints image for cross user access
+                     if (connection.getStatusHints() != null) {
+                         Icon icon = connection.getStatusHints().getIcon();
+@@ -884,7 +902,8 @@ public class ConnectionServiceWrapper extends ServiceBinder {
+      * @param context The context.
+      * @param userHandle The {@link UserHandle} to use when binding.
+      */
+-    ConnectionServiceWrapper(
++    @VisibleForTesting
++    public ConnectionServiceWrapper(
+             ComponentName componentName,
+             ConnectionServiceRepository connectionServiceRepository,
+             PhoneAccountRegistrar phoneAccountRegistrar,
+@@ -986,6 +1005,26 @@ public class ConnectionServiceWrapper extends ServiceBinder {
+                         .setRttPipeToInCall(call.getCsToInCallRttPipeForCs())
+                         .build();
+ 
++                Runnable r = new Runnable("CSW.cC", mLock) {
++                            @Override
++                            public void loggedRun() {
++                                if (!call.isCreateConnectionComplete()) {
++                                    Log.e(this, new Exception(),
++                                            "Connection %s creation timeout",
++                                            getComponentName());
++                                    Log.addEvent(call, LogUtils.Events.CREATE_CONNECTION_TIMEOUT,
++                                            Log.piiHandle(call.getHandle()) + " via:" +
++                                                    getComponentName().getPackageName());
++                                    response.handleCreateConnectionFailure(
++                                            new DisconnectCause(DisconnectCause.ERROR));
++                                }
++                            }
++                        };
++                // Post cleanup to the executor service and cache the future, so we can cancel it if
++                // needed.
++                ScheduledFuture<?> future = mScheduledExecutor.schedule(r.getRunnableToCancel(),
++                        SERVICE_BINDING_TIMEOUT, TimeUnit.MILLISECONDS);
++                mScheduledFutureMap.put(call, future);
+                 try {
+                     mServiceInterface.createConnection(
+                             call.getConnectionManagerPhoneAccount(),
+@@ -1195,7 +1234,8 @@ public class ConnectionServiceWrapper extends ServiceBinder {
+         }
+     }
+ 
+-    void addCall(Call call) {
++    @VisibleForTesting
++    public void addCall(Call call) {
+         if (mCallIdMapper.getCallId(call) == null) {
+             mCallIdMapper.addCall(call);
+         }
+@@ -1500,4 +1540,9 @@ public class ConnectionServiceWrapper extends ServiceBinder {
+     private void noRemoteServices(RemoteServiceCallback callback) {
+         setRemoteServices(callback, Collections.EMPTY_LIST, Collections.EMPTY_LIST);
+     }
++
++    @VisibleForTesting
++    public void setScheduledExecutorService(ScheduledExecutorService service) {
++        mScheduledExecutor = service;
++    }
+ }
+diff --git a/src/com/android/server/telecom/LogUtils.java b/src/com/android/server/telecom/LogUtils.java
+index 0411355e7..1b59f93a0 100644
+--- a/src/com/android/server/telecom/LogUtils.java
++++ b/src/com/android/server/telecom/LogUtils.java
+@@ -84,6 +84,7 @@ public class LogUtils {
+         public static final String STOP_CALL_WAITING_TONE = "STOP_CALL_WAITING_TONE";
+         public static final String START_CONNECTION = "START_CONNECTION";
+         public static final String CREATE_CONNECTION_FAILED = "CREATE_CONNECTION_FAILED";
++        public static final String CREATE_CONNECTION_TIMEOUT = "CREATE_CONNECTION_TIMEOUT";
+         public static final String BIND_CS = "BIND_CS";
+         public static final String CS_BOUND = "CS_BOUND";
+         public static final String CONFERENCE_WITH = "CONF_WITH";
+diff --git a/tests/src/com/android/server/telecom/tests/BasicCallTests.java b/tests/src/com/android/server/telecom/tests/BasicCallTests.java
+index 18bfc41e6..94b621eae 100644
+--- a/tests/src/com/android/server/telecom/tests/BasicCallTests.java
++++ b/tests/src/com/android/server/telecom/tests/BasicCallTests.java
+@@ -904,6 +904,7 @@ public class BasicCallTests extends TelecomSystemTest {
+         call.setTargetPhoneAccount(mPhoneAccountA1.getAccountHandle());
+         assert(call.isVideoCallingSupported());
+         assertEquals(VideoProfile.STATE_BIDIRECTIONAL, call.getVideoState());
++        call.setIsCreateConnectionComplete(true);
+     }
+ 
+     /**
+@@ -926,6 +927,7 @@ public class BasicCallTests extends TelecomSystemTest {
+         call.setTargetPhoneAccount(mPhoneAccountA2.getAccountHandle());
+         assert(!call.isVideoCallingSupported());
+         assertEquals(VideoProfile.STATE_AUDIO_ONLY, call.getVideoState());
++        call.setIsCreateConnectionComplete(true);
+     }
+ 
+     /**
+diff --git a/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java b/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java
+index 1c74bfacb..8a0c7c2c1 100644
+--- a/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java
++++ b/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java
+@@ -495,6 +495,14 @@ public class ComponentContextFixture implements TestFixture<Context> {
+         mServiceInfoByComponentName.put(componentName, serviceInfo);
+     }
+ 
++    public void removeConnectionService(
++            ComponentName componentName,
++            IConnectionService service)
++            throws Exception {
++        removeService(ConnectionService.SERVICE_INTERFACE, componentName, service);
++        mServiceInfoByComponentName.remove(componentName);
++    }
++
+     public void addInCallService(
+             ComponentName componentName,
+             IInCallService service)
+@@ -533,6 +541,12 @@ public class ComponentContextFixture implements TestFixture<Context> {
+         mComponentNameByService.put(service, name);
+     }
+ 
++    private void removeService(String action, ComponentName name, IInterface service) {
++        mComponentNamesByAction.remove(action, name);
++        mServiceByComponentName.remove(name);
++        mComponentNameByService.remove(service);
++    }
++
+     private List<ResolveInfo> doQueryIntentServices(Intent intent, int flags) {
+         List<ResolveInfo> result = new ArrayList<>();
+         for (ComponentName componentName : mComponentNamesByAction.get(intent.getAction())) {
+diff --git a/tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java b/tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java
+new file mode 100644
+index 000000000..8ddf42b9b
+--- /dev/null
++++ b/tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java
+@@ -0,0 +1,283 @@
++/*
++ * Copyright (C) 2022 The Android Open Source Project
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package com.android.server.telecom.tests;
++
++import android.util.Log;
++
++import java.util.ArrayList;
++import java.util.Collection;
++import java.util.HashMap;
++import java.util.Iterator;
++import java.util.List;
++import java.util.Map;
++import java.util.Optional;
++import java.util.concurrent.Callable;
++import java.util.concurrent.Delayed;
++import java.util.concurrent.ExecutionException;
++import java.util.concurrent.Executors;
++import java.util.concurrent.Future;
++import java.util.concurrent.ScheduledExecutorService;
++import java.util.concurrent.ScheduledFuture;
++import java.util.concurrent.TimeUnit;
++import java.util.concurrent.TimeoutException;
++
++/**
++ * A test implementation of a scheduled executor service.
++ */
++public class TestScheduledExecutorService implements ScheduledExecutorService {
++    private static final String TAG = "TestScheduledExecutorService";
++
++    private class CompletedFuture<T> implements Future<T>, ScheduledFuture<T> {
++
++        private final Callable<T> mTask;
++        private final long mDelayMs;
++        private Runnable mRunnable;
++
++        CompletedFuture(Callable<T> task) {
++            mTask = task;
++            mDelayMs = 0;
++        }
++
++        @SuppressWarnings("unused")
++        CompletedFuture(Callable<T> task, long delayMs) {
++            mTask = task;
++            mDelayMs = delayMs;
++        }
++
++        CompletedFuture(Runnable task, long delayMs) {
++            mRunnable = task;
++            mTask = (Callable<T>) Executors.callable(task);
++            mDelayMs = delayMs;
++        }
++
++        @Override
++        public boolean cancel(boolean mayInterruptIfRunning) {
++            cancelRunnable(mRunnable);
++            return true;
++        }
++
++        @Override
++        public boolean isCancelled() {
++            return false;
++        }
++
++        @Override
++        public boolean isDone() {
++            return true;
++        }
++
++        @Override
++        public T get() throws InterruptedException, ExecutionException {
++            try {
++                return mTask.call();
++            } catch (Exception e) {
++                throw new ExecutionException(e);
++            }
++        }
++
++        @Override
++        public T get(long timeout, TimeUnit unit)
++                throws InterruptedException, ExecutionException, TimeoutException {
++            try {
++                return mTask.call();
++            } catch (Exception e) {
++                throw new ExecutionException(e);
++            }
++        }
++
++        @Override
++        public long getDelay(TimeUnit unit) {
++            if (unit == TimeUnit.MILLISECONDS) {
++                return mDelayMs;
++            } else {
++                // not implemented
++                return 0;
++            }
++        }
++
++        @Override
++        public int compareTo(Delayed o) {
++            if (o == null) return 1;
++            if (o.getDelay(TimeUnit.MILLISECONDS) > mDelayMs) return -1;
++            if (o.getDelay(TimeUnit.MILLISECONDS) < mDelayMs) return 1;
++            return 0;
++        }
++    }
++
++    private long mClock = 0;
++    private Map<Long, Runnable> mScheduledRunnables = new HashMap<>();
++    private Map<Runnable, Long> mRepeatDuration = new HashMap<>();
++
++    @Override
++    public void shutdown() {
++    }
++
++    @Override
++    public List<Runnable> shutdownNow() {
++        return null;
++    }
++
++    @Override
++    public boolean isShutdown() {
++        return false;
++    }
++
++    @Override
++    public boolean isTerminated() {
++        return false;
++    }
++
++    @Override
++    public boolean awaitTermination(long timeout, TimeUnit unit) {
++        return false;
++    }
++
++    @Override
++    public <T> Future<T> submit(Callable<T> task) {
++        return new TestScheduledExecutorService.CompletedFuture<>(task);
++    }
++
++    @Override
++    public <T> Future<T> submit(Runnable task, T result) {
++        throw new UnsupportedOperationException("Not implemented");
++    }
++
++    @Override
++    public Future<?> submit(Runnable task) {
++        task.run();
++        return new TestScheduledExecutorService.CompletedFuture<>(() -> null);
++    }
++
++    @Override
++    public <T> List<Future<T>> invokeAll(Collection<? extends Callable<T>> tasks) {
++        throw new UnsupportedOperationException("Not implemented");
++    }
++
++    @Override
++    public <T> List<Future<T>> invokeAll(Collection<? extends Callable<T>> tasks, long timeout,
++                                         TimeUnit unit) {
++        throw new UnsupportedOperationException("Not implemented");
++    }
++
++    @Override
++    public <T> T invokeAny(Collection<? extends Callable<T>> tasks) {
++        throw new UnsupportedOperationException("Not implemented");
++    }
++
++    @Override
++    public <T> T invokeAny(Collection<? extends Callable<T>> tasks, long timeout, TimeUnit unit) {
++        throw new UnsupportedOperationException("Not implemented");
++    }
++
++    @Override
++    public ScheduledFuture<?> schedule(Runnable command, long delay, TimeUnit unit) {
++        // Schedule the runnable for execution at the specified time.
++        long scheduledTime = getNextExecutionTime(delay, unit);
++        mScheduledRunnables.put(scheduledTime, command);
++
++        Log.i(TAG, "schedule: runnable=" + System.identityHashCode(command) + ", time="
++                + scheduledTime);
++
++        return new TestScheduledExecutorService.CompletedFuture<Runnable>(command, delay);
++    }
++
++    @Override
++    public <V> ScheduledFuture<V> schedule(Callable<V> callable, long delay, TimeUnit unit) {
++        throw new UnsupportedOperationException("Not implemented");
++    }
++
++    @Override
++    public ScheduledFuture<?> scheduleAtFixedRate(Runnable command, long initialDelay, long period,
++                                                  TimeUnit unit) {
++        return scheduleWithFixedDelay(command, initialDelay, period, unit);
++    }
++
++    @Override
++    public ScheduledFuture<?> scheduleWithFixedDelay(Runnable command, long initialDelay,
++                                                     long delay, TimeUnit unit) {
++        // Schedule the runnable for execution at the specified time.
++        long nextScheduledTime = getNextExecutionTime(delay, unit);
++        mScheduledRunnables.put(nextScheduledTime, command);
++        mRepeatDuration.put(command, unit.toMillis(delay));
++
++        return new TestScheduledExecutorService.CompletedFuture<Runnable>(command, delay);
++    }
++
++    private long getNextExecutionTime(long delay, TimeUnit unit) {
++        long delayMillis = unit.toMillis(delay);
++        return mClock + delayMillis;
++    }
++
++    @Override
++    public void execute(Runnable command) {
++        command.run();
++    }
++
++    /**
++     * Used in unit tests, used to add a delta to the "clock" so that we can fire off scheduled
++     * items and reschedule the repeats.
++     * @param duration The duration (millis) to add to the clock.
++     */
++    public void advanceTime(long duration) {
++        Map<Long, Runnable> nextRepeats = new HashMap<>();
++        List<Runnable> toRun = new ArrayList<>();
++        mClock += duration;
++        Iterator<Map.Entry<Long, Runnable>> iterator = mScheduledRunnables.entrySet().iterator();
++        while (iterator.hasNext()) {
++            Map.Entry<Long, Runnable> entry = iterator.next();
++            if (mClock >= entry.getKey()) {
++                toRun.add(entry.getValue());
++
++                Runnable r = entry.getValue();
++                Log.i(TAG, "advanceTime: runningRunnable=" + System.identityHashCode(r));
++                // If this is a repeating scheduled item, schedule the repeat.
++                if (mRepeatDuration.containsKey(r)) {
++                    // schedule next execution
++                    nextRepeats.put(mClock + mRepeatDuration.get(r), entry.getValue());
++                }
++                iterator.remove();
++            }
++        }
++
++        // Update things at the end to avoid concurrent access.
++        mScheduledRunnables.putAll(nextRepeats);
++        toRun.forEach(r -> r.run());
++    }
++
++    /**
++     * Used from a {@link CompletedFuture} as defined above to cancel a scheduled task.
++     * @param r The runnable to cancel.
++     */
++    private void cancelRunnable(Runnable r) {
++        Optional<Map.Entry<Long, Runnable>> found = mScheduledRunnables.entrySet().stream()
++                .filter(e -> e.getValue() == r)
++                .findFirst();
++        if (found.isPresent()) {
++            mScheduledRunnables.remove(found.get().getKey());
++        }
++        mRepeatDuration.remove(r);
++        Log.i(TAG, "cancelRunnable: runnable=" + System.identityHashCode(r));
++    }
++
++    public int getNumberOfScheduledRunnables() {
++        return mScheduledRunnables.size();
++    }
++
++    public boolean isRunnableScheduledAtTime(long time) {
++        return mScheduledRunnables.containsKey(time);
++    }
++}
+\ No newline at end of file
diff --git a/Patches/LineageOS-15.1/android_system_bt/399772-backport.patch b/Patches/LineageOS-15.1/android_system_bt/399772-backport.patch
index 2d07a4ec..25cf59be 100644
--- a/Patches/LineageOS-15.1/android_system_bt/399772-backport.patch
+++ b/Patches/LineageOS-15.1/android_system_bt/399772-backport.patch
@@ -24,7 +24,7 @@ Change-Id: Ib536cbeac454efbf6af3d713c05c8e3e077e069b
  1 file changed, 22 insertions(+), 5 deletions(-)
 
 diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc
-index e126e7cdd..58d1065a9 100644
+index e126e7cdd..8c5020477 100644
 --- a/stack/sdp/sdp_utils.cc
 +++ b/stack/sdp/sdp_utils.cc
 @@ -731,11 +731,28 @@ bool sdpu_compare_uuid_with_attr(tBT_UUID* p_btuuid, tSDP_DISC_ATTR* p_attr) {
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index 1d12615f..93b6de12 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -76,7 +76,7 @@ applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv a
 applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
-sed -i 's/2021-10-05/2024-08-05/' core/version_defaults.mk; #Bump Security String #XXX
+sed -i 's/2021-10-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #XXX
 fi;
 
 if enterAndClear "build/soong"; then
@@ -276,6 +276,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/394882.patch"; #P_asb_2024-06 C
 applyPatch "$DOS_PATCHES/android_frameworks_base/397594.patch"; #P_asb_2024-07 Verify UID of incoming Zygote connections.
 applyPatch "$DOS_PATCHES/android_frameworks_base/399769-backport.patch"; #P_asb_2024-08 Restrict USB poups while setup is in progress
 applyPatch "$DOS_PATCHES/android_frameworks_base/399770.patch"; #P_asb_2024-08 Hide SAW subwindows
+applyPatch "$DOS_PATCHES/android_frameworks_base/401373-backport.patch"; #S_asb_2024-09 Sanitized uri scheme by removing scheme delimiter
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #Don't grant location permission to system browsers (GrapheneOS)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #Don't send IMSI to SUPL (MSe1969)
 applyPatch "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #Enable fingerprint lockout after five failed attempts (GrapheneOS)
@@ -425,6 +426,8 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/351914-backport.patch";
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/358568-backport.patch"; #R_asb_2023-06 Convert argument to intent in AddAccountSettings.
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/365973-backport.patch"; #R_asb_2023-09 Prevent non-system IME from becoming device admin
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/367639-backport.patch"; #n-asb-2023-10 Restrict ApnEditor settings
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401375-backport.patch"; #S_asb_2024-09 Limit wifi item edit content's max length to 500
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401377-backport.patch"; #S_asb_2024-09 Ignore fragment attr from ext authenticator resource
 git revert --no-edit a96df110e84123fe1273bff54feca3b4ca484dcd; #Don't hide OEM unlock
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
 if [ "$DOS_SENSORS_PERM" = true ]; then
@@ -491,6 +494,7 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/347042.patch"; #P_as
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/355777-backport.patch"; #R_asb_2023-05 enforce stricter rules when registering phoneAccount
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/364041-backport.patch"; #R_asb_2023-08 Resolve StatusHints image exploit across user.
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/377016-backport.patch"; #R_asb_2023-12 Resolve account image icon profile boundary exploit.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/401380-backport.patch"; #S_asb_2024-09 Unbind CS if connection is not created within 15 seconds. #XXX
 fi;
 
 if enterAndClear "packages/services/Telephony"; then